Milter-greylist

I made some progress installing milter-greylist with yum on Fedora 9,
but I couldn't get the dumpfile working.

I decided to get the latest stable version from the website and try a
different route.

The long story of how I got it working is here:

<http://moleski.net/dokuwiki/doku.php/blog/milter-greylist-and-fedora-9>

Short story: what worked for me was to use user="mail" and "daemon
--user=$user /usr/local/bin/milter-greylist $OPTIONS" in
/etc/init.d/milter-greylist got me off the schneid.

Marty

Would it be okay, to distill this down a bit and post it on the wiki?

Bill

On Feb 11, 2009, at 2:20 PM, mxmsj wrote:

> I made some progress installing milter-greylist with yum on Fedora 9,
> but I couldn't get the dumpfile working.
>
> I decided to get the latest stable version from the website and try a
> different route.
>
> The long story of how I got it working is here:
>
> <http://moleski.net/dokuwiki/doku.php/blog/milter-greylist-and-fedora-9 
> >
>
> Short story: what worked for me was to use user="mail" and "daemon
> --user=$user /usr/local/bin/milter-greylist $OPTIONS" in
> /etc/init.d/milter-greylist got me off the schneid.
>
> Marty
>
>
>
> ------------------------------------
>
> Yahoo! Groups Links
>
>
>

Bill Levering wrote:

> Would it be okay, to distill this down a bit and post it on the wiki?

Yup.

For the wiki, I would recommend leaving out all of the drama.  And 
humor.  :o(

When I started working on it, I had intended to sum up what
worked.  But I made such a mess of everything that I don't
know what someone starting fresh (and doing things right)
would need to care about.  I don't remember what the
ownership or permissions were that came out of the build.

Right now, I can't see the forest for the trees.  It's been a long
couple of days.  I didn't re-edit greylist.conf or milter-greylist.
They've got some comments in them born of frustration.  And I
forgot to uncomment a section (putting it back the way it
was in the original).  It's in milter-greylist:

======= hacked up code ======
#OPTIONS="-P $pidfile -p $socket"
#if [ -f /etc/sysconfig/milter-greylist ]
#then
#    . /etc/sysconfig/milter-greylist
#
# MXM: looking in all the wrong places?
#  didn't make any difference
OPTIONS="-P $pidfile -p $socket"
if [ -f /etc/mail/milter-greylist ]
then
     . /etc/mail/milter-greylist
fi
======= end hacked code ========

The original reads:

OPTIONS="-P $pidfile -p $socket"
if [ -f /etc/sysconfig/milter-greylist ]
then
     . /etc/sysconfig/milter-greylist
fi

My bad.  I'll fix it on my own wiki after dinner.  If
you want to put it on the wiki, it might be nice to
make the change back to the original.

				Marty

On Wed, Feb 11, 2009 at 11:29 PM, Bill Levering <idbill@...> wrote:
> Would it be okay, to distill this down a bit and post it on the wiki?

Man, that was one detailed tutorial, some fun stuff in there as well. :-)

I have just approved Martin's application to the wiki so he can both
create new pages and edit existing ones.

This would fit in under "OS specific notes", Martin can create a new
page for Fedora there and extract only the good stuff to it, I think
we should be short and more reference than tutorial for the average
stressed sysadmin. A link to his own page may be helpful though for
those who want the full story.

http://milter-greylist.wikidot.com/os-specific-notes

Otherwise, he has already made some notes here:

http://milter-greylist.wikidot.com/sendmail

-- 
/peter

shuttlebox wrote:

> Man, that was one detailed tutorial, some fun stuff in there as well. :-)

Heh heh.  People always enjoy seeing someone else slipping on
a banana peel.  :-O

> I have just approved Martin's application to the wiki so he can both
> create new pages and edit existing ones.

Thanks.  Got the notice.

> This would fit in under "OS specific notes", Martin can create a new
> page for Fedora there and extract only the good stuff to it ...

I'll give it a go.

The beauty of the wiki is that anyone who wants to improve
it CAN do so.  So if the first version isn't satisfactory
(or accurate), it can be fixed up later.

> ... I think
> we should be short and more reference than tutorial for the average
> stressed sysadmin.

Agreed 100%.

> A link to his own page may be helpful though for
> those who want the full story.

"Helpful" isn't the word that springs to mind just now.

> http://milter-greylist.wikidot.com/os-specific-notes
> <http://milter-greylist.wikidot.com/os-specific-notes>

> Otherwise, he has already made some notes here:

> http://milter-greylist.wikidot.com/sendmail
> <http://milter-greylist.wikidot.com/sendmail>

Yes.  That was my first clue that Fedora is different
from the rest of the world.  Not my last.

And I'm not complaining.  Just sayin'.  I'm indebted to
all of the folks who made Fedora available--and to
all created, improved, and documented milter-greylist.
It's not anyone else's fault that I don't know what
I'm doing.  ;o)

				Marty

shuttlebox wrote:

> This would fit in under "OS specific notes"  ...

OK.  First draft up:

http://milter-greylist.wikidot.com/fedora-9-and-sendmail

					Marty

mxmsj <moleski@...> wrote:

> The long story of how I got it working is here:
> <http://moleski.net/dokuwiki/doku.php/blog/milter-greylist-and-fedora-9>

I had a quick look at it. It seems there are a few problems in the
fedora package, but appart from the mode 755 stuff for the dump file,
are there fixes to be committed upstream?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

manu@... wrote:

> I had a quick look at it. It seems there are a few problems in the
> fedora package, but appart from the mode 755 stuff for the dump file,
> are there fixes to be committed upstream?

I'm not qualified to say.

I think what I was doing wrong was not getting things
lined up right (not your fault or Fedora's).

user="grmilter" -- Fedora RPM
user="smmsp" -- in the .tgz
user="mail" -- what I stumbled toward

I really wasn't paying enough attention after ANY of my
installations to make sure that everything was consistent.
There were some numeric owners and groups.  400-something?
I didn't stop to ask who they were or where they came from.
(My bad.)

At any rate, here are the things that need to line up
right:

* user defined in /etc/init.d/milter-greylist
* user defined in /etc/mail/greylist.conf
* owner/group and proper permissions for:

/etc/mail/greylist.conf
/etc/init.d/milter-greylist
/usr/local/bin/milter-greylist
/var/milter-greylist
/var/milter-greylist/greylist.db
/var/milter-greylist/milter-greylist.pid
/var/milter-greylist/milter-greylist.sock

I never had any trouble with this:
/var/lock/subsys/milter-greylist

It's about the only system file I didn't stumble over. :o(

I haven't had time to double back and see who owns what
and what the permissions are that I ended up with that
got the system working for me.

Sometime in the middle of all this, I was getting error
messages from sendmail about unsafe directories.  I found
a magic bullet on the internet:

chmod go-w / /etc /etc/mail /usr /var /var/spool /var/spool/mqueue /private

Apart from the fact that there is no /private on my system,
it worked like a charm.

I was going to mess around and see whether I could come up with
something comparable to that that would just guarantee all
was well.

I think I switched to "mail" as user because I got some error about
not being able to write to /var/spool/mqueue (I think).  Stuff
started falling into place then.  But it doesn't make good sense
to me.  Seems that smmsp should have worked.  I'm sure I broke
something before it had a chance to do so.

				Marty

OK.  Here's another mistake I made.  I plucked rc-redhat.sh.in
from the tarball.  But the makefile creates a nicely transformed
version in usr/src.  And it comes out with user="root", which
(if I understand it correctly) may not be a good strategy.
sendmail seems to have moved away from that to tighten
up security (hence the whole smmsp thing).

The makefile fills in the daemon line correctly:

daemon --user=$user /usr/local/bin/milter-greylist $OPTIONS

I guess permissions would not be a problem if milter-greylist
were running as root.

It looks as though the makefile has to decide on a user
at build time:

install-db:
	${INSTALL} -d -m 755 -o ${USER} ${DESTDIR}/var/milter-greylist

Yes. USER= root.

But there are evidently different approaches to what the
daemon user should be (grmilter, smmsp, root).  With the
sock and the dumpfile in the same folder, not having
the right owner and permissions if you're not running
as root is going to cause problems, isn't it?

I have a Fedora 10 sandbox I can play in.  I'll install
milter-greylist on it, obeying the README, and NOT
TOUCH ANYTHING.

The Fedora RPM was still using /db/ for the dumpfile.
It's not current with the present structure--and, of
course, it differs with its preference for /var/run/milter-greylist
over /var/milter-greylist.

				Marty

I have not had any issues using the stock milter-greylist package  
provided by Fedora.

Granted, I'm using F8 right now, I haven't had a window to upgrade.
I can't imagine

The packages I have installed :

milter-greylist-4.0-0.2.rc1.fc8
milter-greylist-sysv-4.0-0.2.rc1.fc8

Here are the files and permissions :

[xxxxxx@xxxxx]# for i in `rpm -ql milter-greylist`; do ls -l $i;done

-rw-r--r-- 1 root root 18496 2009-02-12 10:28 /etc/mail/greylist.conf
-rwxr-xr-x 1 root root 211736 2008-02-07 16:05 /usr/sbin/milter-greylist
total 60
-rw-r--r-- 1 root root 18350 2007-10-12 06:07 ChangeLog
-rw-r--r-- 1 root root 30811 2008-02-07 16:05 README
-rw-r--r-- 1 root root 18350 2007-10-12 06:07 /usr/share/doc/milter- 
greylist-4.0/ChangeLog
-rw-r--r-- 1 root root 30811 2008-02-07 16:05 /usr/share/doc/milter- 
greylist-4.0/README
-rw-r--r-- 1 root root 11012 2008-02-07 16:05 /usr/share/man/man5/ 
greylist.conf.5.gz
-rw-r--r-- 1 root root 4322 2008-02-07 16:05 /usr/share/man/man8/ 
milter-greylist.8.gz
total 8
drwxrwx--- 2 grmilter grmilter 4096 2009-02-12 11:42 db
total 856
-rw------- 1 grmilter grmilter 863258 2009-02-12 11:42 greylist.db
-rw------- 1 grmilter grmilter      0 2008-12-09 15:51 greylist.db- 
XX8HyKk7
total 4
srwxr-xr-x 1 grmilter grmilter 0 2009-02-12 11:55 milter-greylist.sock
-rw-r--r-- 1 grmilter grmilter 6 2009-02-12 11:55 /var/run/milter- 
greylist.pid
srwxr-xr-x 1 grmilter grmilter 0 2009-02-12 11:55 /var/run/milter- 
greylist/milter-greylist.sock

The socket is specified in the greylist.conf file -

>

socket "/var/run/milter-greylist/milter-greylist.sock"

WFM

I don't use the logging feature, that may be broken for all I know.

My /var/lib/milter-greylist/db/greylist.db gets dumped fine.

The list of bugs against the Fedora package of milter-greylist is at :

<https://bugzilla.redhat.com/buglist.cgi?component=milter- 
greylist&product=Fedora>

This bug got auto-closed -

<https://bugzilla.redhat.com/show_bug.cgi?id=246982>

it may be related to your problem.
If you want to get this fixed in Fedora, I recommend you file a bug  
there.
You'll have to get a RH bugzilla account, but it isn't hard.


-- 
Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline  IL  61265

chasd wrote:

> Granted, I'm using F8 right now, I haven't had a window to upgrade.

I doubt it would make any difference.

> -rw-r--r-- 1 root root 18496 2009-02-12 10:28 /etc/mail/greylist.conf
> -rwxr-xr-x 1 root root 211736 2008-02-07 16:05 /usr/sbin/milter-greylist
> total 60
> -rw-r--r-- 1 root root 18350 2007-10-12 06:07 ChangeLog
> -rw-r--r-- 1 root root 30811 2008-02-07 16:05 README
> -rw-r--r-- 1 root root 18350 2007-10-12 06:07 /usr/share/doc/milter-
> greylist-4.0/ChangeLog
> -rw-r--r-- 1 root root 30811 2008-02-07 16:05 /usr/share/doc/milter-
> greylist-4.0/README
> -rw-r--r-- 1 root root 11012 2008-02-07 16:05 /usr/share/man/man5/
> greylist.conf.5.gz
> -rw-r--r-- 1 root root 4322 2008-02-07 16:05 /usr/share/man/man8/
> milter-greylist.8.gz
> total 8
> drwxrwx--- 2 grmilter grmilter 4096 2009-02-12 11:42 db
> total 856
> -rw------- 1 grmilter grmilter 863258 2009-02-12 11:42 greylist.db
> -rw------- 1 grmilter grmilter 0 2008-12-09 15:51 greylist.db-
> XX8HyKk7
> total 4
> srwxr-xr-x 1 grmilter grmilter 0 2009-02-12 11:55 milter-greylist.sock
> -rw-r--r-- 1 grmilter grmilter 6 2009-02-12 11:55 /var/run/milter-
> greylist.pid
> srwxr-xr-x 1 grmilter grmilter 0 2009-02-12 11:55 /var/run/milter-
> greylist/milter-greylist.sock

> The socket is specified in the greylist.conf file -
> socket "/var/run/milter-greylist/milter-greylist.sock"

Here's what I got from a clean yum install on an isolated Fedora 10
installation:

/etc/mail/greylist.conf 	user \ufffdgrmilter\ufffd
/etc/init.d/milter-greylist 	no user specified

/etc/init.d/milter-greylist	root.root	755
/usr/sbin/milter-greylist	root.root	755
/etc/mail/greylist.conf	root.grmilter	640

/var/lib/milter-greylist	grmilter.grmilter	751
/var/lib/milter-greylist/db/	root.grmilter	770
/var/lib/milter-greylist/db/greylist.db	(not created)

/var/lock/subsys/milter-greylist	root.root	644

/var/run/milter-greylist/	grmilter.root	700
/var/run/milter-greylist.pid	grmilter.grmilter	644
/var/run/milter-greylist/milter-greylist.sock	grmilter.grmilter	755

I just ran it straight out of the box and didn't try to
turn on logging or the dumpfile.

> I don't use the logging feature, that may be broken for all I know.

> My /var/lib/milter-greylist/db/greylist.db gets dumped fine.

> The list of bugs against the Fedora package of milter-greylist is at :

> <https://bugzilla.redhat.com/buglist.cgi?component=milter-
> <https://bugzilla.redhat.com/buglist.cgi?component=milter->
> greylist&product=Fedora>
>
> This bug got auto-closed -

> <https://bugzilla.redhat.com/show_bug.cgi?id=246982
> <https://bugzilla.redhat.com/show_bug.cgi?id=246982>>

> it may be related to your problem.

Not that I can tell.  I don't think it was related to
LSB or the proper result to report in different conditions.

> If you want to get this fixed in Fedora, I recommend you file a bug
> there.
> You'll have to get a RH bugzilla account, but it isn't hard.

I'm not sure there IS any bug in Fedora.

I think I just shot myself in the foot a couple of dozen
times.  It's something beyond the powers of the bugzillarists
to fix.  :o(

					Marty

While this may have been frustrating and/or amusing, I have installed 
milter-greylist on a CentOS version 4.5, 4.7, and 5.2 which should be 
similar to installing on Fedora and it is a pretty painless thing.  I 
am sure part of it may depend on the add-ins you want compiled in, but 
the rpmbuild command in the readme did most of the work for me.  

The biggest thing it didn't do was change the ownership of 
the /var/milter-greylist folder to be owned by smmsp.