Yahoo Groups archive
Thread
2005-11-28 by c.r.p.
I'm gettting ready to replace 'graymilter' (btw: anyone know how to unintstall it? it does not show up in the rpm query) on the pc running RH9 and sendmail 8.13 The README contains a note about running "under an unprivileged UID" . I'm not really sure what it is saying. Does it mean that unless another user is specified that the milter-greylist will run as root ?
2005-11-29 by Emmanuel Dreyfus
On Mon, Nov 28, 2005 at 11:04:55PM -0000, c.r.p. wrote: > The README contains a note about running "under an unprivileged UID" . > I'm not really sure what it is saying. Does it mean that unless > another user is specified that the milter-greylist will run as root ? That's right: the user directive in the config file or the -u flag are here for that. -- Emmanuel Dreyfus manu@...
2005-11-30 by c.r.p.
--- In milter-greylist@yahoogroups.com, Emmanuel Dreyfus <manu@n...> wrote: > > On Mon, Nov 28, 2005 at 11:04:55PM -0000, c.r.p. wrote: > > The README contains a note about running "under an unprivileged UID" > > I'm not really sure what it is saying. Does it mean that unless > > another user is specified that the milter-greylist will run as root > That's right: the user directive in the config file or the -u flag are > here for that. well is that a good thing - should it run as root ? or should i have it run as , oh clamav , instead ? Basically, is there no valid security concern with running milter-greylist as a superuser ?
2005-11-30 by Emmanuel Dreyfus
On Wed, Nov 30, 2005 at 04:01:22AM -0000, c.r.p. wrote: > well is that a good thing - should it run as root ? or should i have > it run as , oh clamav , instead ? Basically, is there no valid > security concern with running milter-greylist as a superuser ? There is *known* security problem in milter-greylist, but it's always a good idea to avoid running as root. -- Emmanuel Dreyfus manu@...
2005-11-30 by leloup
Am Mittwoch, 30. November 2005 08:01 schrieb Emmanuel Dreyfus: > On Wed, Nov 30, 2005 at 04:01:22AM -0000, c.r.p. wrote: > > well is that a good thing - should it run as root ? or should i have > > it run as , oh clamav , instead ? Basically, is there no valid > > security concern with running milter-greylist as a superuser ? > > There is *known* security problem in milter-greylist, but it's always > a good idea to avoid running as root. I guess you meant "There is _no_ *known* security problem..." ;-) Leloup
2005-11-30 by Emmanuel Dreyfus
On Wed, Nov 30, 2005 at 09:59:55AM +0100, leloup wrote: > > There is *known* security problem in milter-greylist, but it's always > > a good idea to avoid running as root. > > I guess you meant "There is _no_ *known* security problem..." ;-) Yes, of course. :-) -- Emmanuel Dreyfus manu@...
2005-11-30 by c.r.p.
--- In milter-greylist@yahoogroups.com, Emmanuel Dreyfus <manu@n...> wrote: > > On Wed, Nov 30, 2005 at 09:59:55AM +0100, leloup wrote: > > > There is *known* security problem in milter-greylist, but it's always > > > a good idea to avoid running as root. > > > > I guess you meant "There is _no_ *known* security problem..." ;-) > > Yes, of course. :-) > > -- > Emmanuel Dreyfus > manu@n... > Well , which one is it? They are not exactly saying the same thing:-) Anyway - ARGH! Where is the FAQ? Here is how I setup the sendmail.mc MAILER(smtp)dnl MAILER(procmail)dnl Cwlocalhost.localdomain HACK(`milter-greylist') dnl added clamav 12/25/03 INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/clamav/clamav-milter.sock, F=,T=S:4m;R:4m;E:10m')dnl define(`confINPUT_MAIL_FILTERS', `clamav-milter') sendmail did not complain about anything upon rebuilding and restarting. I ran usr/local/bin/milter-greylist -u root -p /var/milter-greylist/milter-greylist.sock and the maillog shows the milter-greylist starting and whitelisting the entries at the bottom of the conf file. (btw: -u smmsp did not work, but i'll leave that for later) The conf file has: # recipient envelope address to achieve that. acl whitelist rcpt nbry@... acl whitelist rcpt ric@...m acl greylist rcpt rpol@... acl greylist rcpt tsma@... acl greylist default Yet nothing is getting delayed :(
2005-12-01 by c.r.p.
--- In milter-greylist@yahoogroups.com, "c.r.p." <shcv34c@y...> wrote: > > Anyway - ARGH! Where is the FAQ? Here is how I setup the sendmail.mc > > MAILER(smtp)dnl > MAILER(procmail)dnl > Cwlocalhost.localdomain > HACK(`milter-greylist') > dnl added clamav 12/25/03 > INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/clamav/clamav-milter.sock, > F=,T=S:4m;R:4m;E:10m')dnl > define(`confINPUT_MAIL_FILTERS', `clamav-milter') > > > sendmail did not complain about anything upon rebuilding and > restarting. I ran > usr/local/bin/milter-greylist -u root -p > /var/milter-greylist/milter-greylist.sock > > and the maillog shows the milter-greylist starting and whitelisting > the entries at the bottom of the conf file. > (btw: -u smmsp did not work, but i'll leave that for later) > > The conf file has: > # recipient envelope address to achieve that. > acl whitelist rcpt nbry@f... > acl whitelist rcpt ric@f... > acl greylist rcpt rpol@f... > acl greylist rcpt tsma@f... > acl greylist default > > > Yet nothing is getting delayed :( > here is what the maillog has for milter-greylist: Nov 29 23:23:43 net milter-greylist: cannot read dumpfile "/var/milter-greylist/greylist.db Nov 29 23:23:43 net milter-greylist: starting with an empty greylist Nov 29 23:23:43 net milter-greylist: Access list dump: Nov 29 23:23:43 net milter-greylist: acl whitelist addr 127.0.0.0/255.0.0.0 Nov 29 23:23:43 net milter-greylist: acl whitelist addr 10.49.201.0/255.255.255.192 nothing further and /var/milter-greylist]# ls -al total 19 drwxr-xr-x 2 root root 1024 Dec 1 10:15 . drwxr-xr-x 30 root root 1024 Nov 29 22:44 .. srwxr-xr-x 1 root root 0 Nov 30 15:33 milter-greylist.sock
2005-12-01 by Matt Kettler
c.r.p. wrote: >>The conf file has: >># recipient envelope address to achieve that. >>acl whitelist rcpt nbry@f... >>acl whitelist rcpt ric@f... >>acl greylist rcpt rpol@f... >>acl greylist rcpt tsma@f... >>acl greylist default >> >> >>Yet nothing is getting delayed :( >> > > > here is what the maillog has for milter-greylist: > Nov 29 23:23:43 net milter-greylist: cannot read dumpfile > "/var/milter-greylist/greylist.db > Nov 29 23:23:43 net milter-greylist: starting with an empty greylist > Nov 29 23:23:43 net milter-greylist: Access list dump: > Nov 29 23:23:43 net milter-greylist: acl whitelist addr > 127.0.0.0/255.0.0.0 > Nov 29 23:23:43 net milter-greylist: acl whitelist addr > 10.49.201.0/255.255.255.192 From the looks of that, it looks like milter-greylist is reading a completely different conf file than the one you're quoting above. Check around and make sure there's not two greylist.conf's on your box. (ie: one in /usr/local/etc/mail/ and one in /etc/mail/)
2005-12-01 by Ken Serrine
Also, check your greylist.conf carefully for syntax errors. Nothing will be read past a syntax error. For example, if you had a line like "acl whilelist rcpt whatever@...", then nothing after that line would be processed. Notice the syntax error since "whilelist" is not a valid action. c.r.p. wrote:
>--- In milter-greylist@yahoogroups.com, "c.r.p." <shcv34c@y...> wrote: > > >>Anyway - ARGH! Where is the FAQ? Here is how I setup the sendmail.mc >> >>MAILER(smtp)dnl >>MAILER(procmail)dnl >>Cwlocalhost.localdomain >>HACK(`milter-greylist') >>dnl added clamav 12/25/03 >> >> >> >INPUT_MAIL_FILTER(`clamav-milter',`S=local:/var/clamav/clamav-milter.sock, > > >>F=,T=S:4m;R:4m;E:10m')dnl >>define(`confINPUT_MAIL_FILTERS', `clamav-milter') >> >> >>sendmail did not complain about anything upon rebuilding and >>restarting. I ran >>usr/local/bin/milter-greylist -u root -p >>/var/milter-greylist/milter-greylist.sock >> >>and the maillog shows the milter-greylist starting and whitelisting >>the entries at the bottom of the conf file. >>(btw: -u smmsp did not work, but i'll leave that for later) >> >>The conf file has: >># recipient envelope address to achieve that. >>acl whitelist rcpt nbry@f... >>acl whitelist rcpt ric@f... >>acl greylist rcpt rpol@f... >>acl greylist rcpt tsma@f... >>acl greylist default >> >> >>Yet nothing is getting delayed :( >> >> >> > >here is what the maillog has for milter-greylist: >Nov 29 23:23:43 net milter-greylist: cannot read dumpfile >"/var/milter-greylist/greylist.db >Nov 29 23:23:43 net milter-greylist: starting with an empty greylist >Nov 29 23:23:43 net milter-greylist: Access list dump: >Nov 29 23:23:43 net milter-greylist: acl whitelist addr >127.0.0.0/255.0.0.0 >Nov 29 23:23:43 net milter-greylist: acl whitelist addr >10.49.201.0/255.255.255.192 > > >nothing further and >/var/milter-greylist]# ls -al >total 19 >drwxr-xr-x 2 root root 1024 Dec 1 10:15 . >drwxr-xr-x 30 root root 1024 Nov 29 22:44 .. >srwxr-xr-x 1 root root 0 Nov 30 15:33 >milter-greylist.sock > > > > >
2005-12-01 by c.r.p.
--- In milter-greylist@yahoogroups.com, Matt Kettler <mkettler@e...> wrote: > > c.r.p. wrote: > >>The conf file has: > >># recipient envelope address to achieve that. > >>acl whitelist rcpt nbry@f... > >>acl whitelist rcpt ric@f... > >>acl greylist rcpt rpol@f... > >>acl greylist rcpt tsma@f... > >>acl greylist default > >> > >> > >>Yet nothing is getting delayed :( > >> > > > > > > here is what the maillog has for milter-greylist: > > Nov 29 23:23:43 net milter-greylist: cannot read dumpfile > > "/var/milter-greylist/greylist.db > > Nov 29 23:23:43 net milter-greylist: starting with an empty greylist > > Nov 29 23:23:43 net milter-greylist: Access list dump: > > Nov 29 23:23:43 net milter-greylist: acl whitelist addr > > 127.0.0.0/255.0.0.0 > > Nov 29 23:23:43 net milter-greylist: acl whitelist addr > > 10.49.201.0/255.255.255.192 > > From the looks of that, it looks like milter-greylist is reading a completely > different conf file than the one you're quoting above. Check around and make > sure there's not two greylist.conf's on your box. (ie: one in > /usr/local/etc/mail/ and one in /etc/mail/) > Just the one: /var/log]# locate greylist.conf /home/tngo/milter-greylist-2.0.2/greylist.conf /home/tngo/milter-greylist-2.0.2/greylist.conf.5 /usr/local/man/man5/greylist.conf.5 /etc/mail/greylist.conf
2005-12-01 by c.r.p.
--- In milter-greylist@yahoogroups.com, Ken Serrine <kserrine@c...> wrote: > > Also, check your greylist.conf carefully for syntax errors. Nothing > will be read past a syntax error. > For example, if you had a line like "acl whilelist rcpt > whatever@e...", then nothing after that line would be processed. > Notice the syntax error since "whilelist" is not a valid action. > hmm, I don't see anything amiss. Here are the uncommented lines: acl whitelist addr 127.0.0.0/8 acl whitelist addr xx.yy.101.1/26 acl whitelist rcpt nbr@... acl whitelist rcpt ric@... acl greylist rcpt rpol@... acl greylist rcpt tsma@... acl greylist default report none lazyaw greylist 7m autowhite 5d quiet pidfile "/var/run/milter-greylist.pid" socket "/var/milter-greylist/milter-greylist.sock" dumpfile "/var/milter-greylist/greylist.db" user "smmsp"
2005-12-01 by Ken Serrine
In one of your previous posts, you showed the access list dump had: Nov 29 23:23:43 net milter-greylist: acl whitelist addr > 10.49.201.0/255.255.255.192 Where did the 10.49.201 come from? I don't see that in the list of uncommented lines. c.r.p. wrote:
>--- In milter-greylist@yahoogroups.com, Ken Serrine <kserrine@c...> wrote: > > >>Also, check your greylist.conf carefully for syntax errors. Nothing >>will be read past a syntax error. >>For example, if you had a line like "acl whilelist rcpt >>whatever@e...", then nothing after that line would be processed. >>Notice the syntax error since "whilelist" is not a valid action. >> >> >> > hmm, I don't see anything amiss. Here are the uncommented lines: >acl whitelist addr 127.0.0.0/8 >acl whitelist addr xx.yy.101.1/26 > >acl whitelist rcpt nbr@... >acl whitelist rcpt ric@... >acl greylist rcpt rpol@... >acl greylist rcpt tsma@... >acl greylist default > >report none > >lazyaw > >greylist 7m > >autowhite 5d > >quiet > >pidfile "/var/run/milter-greylist.pid" > >socket "/var/milter-greylist/milter-greylist.sock" > >dumpfile "/var/milter-greylist/greylist.db" > >user "smmsp" > > > > >
2005-12-01 by c.r.p.
--- In milter-greylist@yahoogroups.com, Ken Serrine <kserrine@c...> wrote: > > In one of your previous posts, you showed the access list dump had: > > Nov 29 23:23:43 net milter-greylist: acl whitelist addr > > 10.49.201.0/255.255.255.192 > > Where did the 10.49.201 come from? I don't see that in the list of uncommented lines. > sorry for the confusion, I was masking our IP. It came from: xx.yy.101.1/26 so you can 'change' the maillog to read net milter-greylist: acl whitelist addr xx.yy.101.1/255.255.255.192
2005-12-01 by Ken Serrine
c.r.p. wrote: >--- In milter-greylist@yahoogroups.com, Ken Serrine <kserrine@c...> wrote: > > >>In one of your previous posts, you showed the access list dump had: >> >>Nov 29 23:23:43 net milter-greylist: acl whitelist addr >> >> >>>10.49.201.0/255.255.255.192 >>> >>> >>Where did the 10.49.201 come from? I don't see that in the list of >> >> >uncommented lines. > > >sorry for the confusion, I was masking our IP. It came from: >xx.yy.101.1/26 > >so you can 'change' the maillog to read >net milter-greylist: acl whitelist addr xx.yy.101.1/255.255.255.192 > > > > ah. well, one last attempt at the simple syntax possibility... I'm not sure how picky the milter is about spaces and tabs in the conf file, so just to make sure... If you have any comment lines, but the # is not the very first character, then make it so. Make sure your empty lines are really empty (I know this probably won't matter, but I haven't studied the parser code, so I'm trying to be safe.) Are there any tabs in odd places? Using vi, you can do a ":set list" to see all your tabs. Of course, the simplest thing to do is create a new greylist.conf with just 2 or 3 lines in it. Turn on verbose mode also, and make sure your getting log entries that end with "is matched by entry acl greylist default"
2005-12-02 by c.r.p.
ok, problem half solved. At issue was the line in sendmail.mc of define(`confINPUT_MAIL_FILTERS', `clamav-milter') I changed it to define(`confINPUT_MAIL_FILTERS', `greylist, clamav-milter') and started seeing things in the maillog. UNFORTUNATELY, what i saw was : error connecting to filter Connection refused by /var/milter-greylist/milter-greylist.sock Now this puzzles me. I am using the greylist-milter provided HACK and am running the program via the command line of: /usr/local/bin/milter-greylist -u root -p /var/milter-greylist/milter-greylist.sock -v so, went and tried /usr/local/bin/milter-greylist -p /var/milter-greylist/milter-greylist.sock which now did not blow up. Restarted sendmail and whala - it seems to be doing something :)