[Exim] local delivery and $home

Etusivu
Poista viesti
Vastaa
Lähettäjä: T. Horsnell (tsh)
Päiväys:  
Vastaanottaja: exim-users
Aihe: [Exim] local delivery and $home
We have a periodic clearout of users who have left.
Part way through this procedure I disable the home
directories of such users, in order to flag up anyone
else who may be inadvertently using their files.
This caused exim to complain that it couldnt check
for the presence of a .forward file in that user's
home directory, and so I added a

require_files = $home/.forward

condition to the userforward router so that it would be
skipped if the home directory was unreadable.

This seems to work OK, but when the localdelivery transport
runs, it seems to want to access the user's home directory
even though delivery is directed to /usr/spool/mail/$local_part
This generates a 'permission-denied' error.

Any suggestions? (Apologies for the length of the attached bumpf)

Terry.



-------------------------------------------------------------------
Configfile excerpt:

system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
# user = exim
file_transport = address_file
pipe_transport = address_pipe

userforward:
#the 'require_files' is to prevent delivery errors when users on
#the hitlist have had their directories disabled prior to clearout
require_files = $home/.forward
driver = redirect
domains = @
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
# allow_filter
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply

localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user

begin transports

remote_smtp:
driver = smtp

local_delivery:
driver = appendfile
file = /usr/spool/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add
# group = mail
# mode = 0660

address_pipe:
driver = pipe
return_output

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

-------------------------------------------------------------------

Debug-output excerpt:

Exim version 4.30 uid=0 gid=1 pid=457418 D=fbb95cfd
Probably ndbm
Support for: iconv()
Lookups: lsearch wildlsearch nwildlsearch dbm dmbnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
changed uid/gid: forcing real = effective
  uid=0 gid=1 pid=457418
  auxiliary group list: <none>
configuration file is /usr/local/exim/configure.test
log selector = 040d99d8
trusted user
admin user
user name "system PRIVILEGED account" extracted from gecos field "system PRIVILEGED account"
originator: uid=0 gid=1 login=root name=system PRIVILEGED account
457418 listening on all interfaces (IPv4) port 26
457418 pid written to /var/run/sendmail.pid
457418 changed uid/gid: running as a daemon
457418   uid=10000 gid=10000 pid=457418
457418   auxiliary group list: 10000
457418 LOG: MAIN
457418   exim 4.30 daemon started: pid=457418, no queue runs, listening for SMTP on port 26 (IPv4)
457418 set_process_info: 457418 daemon: no queue runs, listening for SMTP on port 26 (IPv4)
457418 daemon running with uid=10000 gid=10000 euid=10000 egid=10000
457418 Listening...
457418 Connection request from 10.1.0.1 port 3304
136471 sender host name required, to match against *.mrc-lmb.cam.ac.uk
136471 looking up host name for 10.1.0.1
457418 1 SMTP accept process running
457418 Listening...
136471 DNS lookup of 1.0.1.10.in-addr.arpa (PTR) succeeded
136471 IP address lookup yielded alf1.lmb.internal
136471 gethostbyname looked up these IP addresses:
136471   name=alf1.lmb.internal address=10.1.0.1
136471 checking addresses for alf1.lmb.internal
136471   10.1.0.1 OK
136471 sender_fullhost = alf1.lmb.internal [10.1.0.1]
136471 sender_rcvhost = alf1.lmb.internal ([10.1.0.1])
136471 host in rfc1413_hosts? no (matched "! *.lmb.internal")
136471 sender_fullhost = alf1.lmb.internal [10.1.0.1]
136471 sender_rcvhost = alf1.lmb.internal ([10.1.0.1])
136471 Process 136471 is handling incoming connection from alf1.lmb.internal [10.1.0.1]
136471 checking for IP options
136471 no IP options found
136471 host in host_lookup? no (matched "! *.lmb.internal")
136471 set_process_info: 136471 handling incoming connection from alf1.lmb.internal [10.1.0.1]
136471 host in host_reject_connection? no (option unset)
136471 host in sender_unqualified_hosts? yes (matched "*.lmb.internal")
136471 host in recipient_unqualified_hosts? yes (matched "*.lmb.internal")
136471 host in helo_verify_hosts? no (option unset)
136471 host in helo_try_verify_hosts? no (option unset)
136471 host in helo_accept_junk_hosts? no (option unset)
136471 SMTP>> 220 alf1.lmb.internal ESMTP Exim 4.30 Tue, 10 Feb 2004 16:10:04 +0000
136471 Process 136471 is ready for new message
136471 smtp_setup_msg entered
136471 SMTP<< mail from: tsh@???
136471 SMTP>> 250 OK
136471 SMTP<< rcpt to: bridget@???
136471 using ACL "acl_check_rcpt"
136471 processing "accept"
136471 check hosts = :
136471 host in ":"? no (end of list)
136471 accept: condition test failed
136471 processing "deny"
136471 check domains = +local_domains
136471 alf1.lmb.internal in "@"? yes (matched "@")
136471 alf1.lmb.internal in "+local_domains"? yes (matched "+local_domains")
136471 check local_parts = ^[.] : ^.*[@%!/|]
136471 bridget in "^[.] : ^.*[@%!/|]"? no (end of list)
136471 deny: condition test failed
136471 processing "deny"
136471 check domains = !+local_domains
136471 cached yes match for +local_domains
136471 cached lookup data = NULL
136471 alf1.lmb.internal in "!+local_domains"? no (matched "!+local_domains" - cached)
136471 deny: condition test failed
136471 processing "accept"
136471 check local_parts = postmaster
136471 bridget in "postmaster"? no (end of list)
136471 accept: condition test failed
136471 processing "accept"
136471 check domains = +local_domains
136471 cached yes match for +local_domains
136471 cached lookup data = NULL
136471 alf1.lmb.internal in "+local_domains"? yes (matched "+local_domains" - cached)
136471 check verify = recipient
136471 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
136471 Verifying bridget@???
136471 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
136471 Considering bridget@???
136471 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
136471 routing bridget@???
136471 --------> send_to_smart_host router <--------
136471 local_part=bridget domain=alf1.lmb.internal
136471 checking domains
136471 cached yes match for +local_domains
136471 cached lookup data = NULL
136471 alf1.lmb.internal in "! +local_domains"? no (matched "! +local_domains" - cached)
136471 send_to_smart_host router skipped: domains mismatch
136471 --------> system_aliases router <--------
136471 local_part=bridget domain=alf1.lmb.internal
136471 calling system_aliases router
136471 rda_interpret (string): ${lookup{$local_part}lsearch{/etc/aliases}}
136471 search_open: lsearch "/etc/aliases"
136471 search_find: file="/etc/aliases"
136471   key="bridget" partial=-1 affix=NULL starflags=0
136471 LRU list:
136471   9/etc/aliases
136471   End
136471 internal_search_find: file="/etc/aliases"
136471   type=lsearch key="bridget"
136471 file lookup required for bridget
136471   in /etc/aliases
136471 lookup failed
136471 expanded:
136471 file is not a filter file
136471 parse_forward_list:
136471 system_aliases router declined for bridget@???
136471 --------> userforward router <--------
136471 local_part=bridget domain=alf1.lmb.internal
136471 userforward router skipped: verify 2 0 0
136471 --------> localuser router <--------
136471 local_part=bridget domain=alf1.lmb.internal
136471 checking for local user
136471 calling localuser router
136471 localuser router called for bridget@???
136471   domain = alf1.lmb.internal
136471 set transport local_delivery
136471 queued for local_delivery transport: local_part = bridget
136471 domain = alf1.lmb.internal
136471   errors_to=NULL
136471   domain_data=NULL localpart_data=NULL
136471 routed by localuser router
136471   envelope to: bridget@???
136471   transport: local_delivery
136471 ----------- end verify ------------
136471 accept: condition test succeeded
136471 SMTP>> 250 Accepted
136471 SMTP<< data
136471 SMTP>> 354 Enter message, ending with "." on a line by itself
136471 search_tidyup called
136471 >>Headers received:
136471
136471 search_tidyup called
136471 >>Headers after rewriting and local additions:
136471 P Received: from alf1.lmb.internal ([10.1.0.1])
136471     by alf1.lmb.internal with smtp (Exim 4.30)
136471     id 1AqaT1-000ZV9-J4
136471     for bridget@???; Tue, 10 Feb 2004 16:10:34 +0000
136471
136471 Data file written for message 1AqaT1-000ZV9-J4
136471 calling local_scan(); timeout=300
136471 local_scan() returned 0 NULL
136471 Writing spool header file
136471 Size of headers = 175
136471 LOG: MAIN
136471   <= tsh@??? H=alf1.lmb.internal [10.1.0.1] P=smtp S=195
136471 SMTP>> 250 OK id=1AqaT1-000ZV9-J4
136471 search_tidyup called
136471 Sender: tsh@???
136471 Recipients:
136471   bridget@???
136471 forked delivery process 89501
136471 Process 136471 is ready for new message
136471 smtp_setup_msg entered
89501 exec /usr/local/exim/bin/exim -C /usr/local/exim/configure.test -d=0xfbbd5cfd -Mc 1AqaT1-000ZV9-J4
89501 Exim version 4.30 uid=10000 gid=10000 pid=89501 D=fbbd5cfd
Probably ndbm
Support for: iconv()
Lookups: lsearch wildlsearch nwildlsearch dbm dmbnz
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
89501 changed uid/gid: forcing real = effective
89501   uid=0 gid=10000 pid=89501
89501   auxiliary group list: <none>
89501 configuration file is /usr/local/exim/configure.test
89501 log selector = 040d99d8
89501 trusted user
89501 admin user
89501 skipping ACL configuration - not needed
89501 set_process_info: 89501 delivering specified messages
89501 set_process_info: 89501 delivering 1AqaT1-000ZV9-J4
89501 reading spool file 1AqaT1-000ZV9-J4-H
89501 user=root uid=0 gid=1 sender=tsh@???
89501 sender_fullhost = alf1.lmb.internal [10.1.0.1]
89501 sender_rcvhost = alf1.lmb.internal ([10.1.0.1])
89501 sender_local=0 ident=unset
89501 Non-recipients:
89501 Empty Tree
89501 ---- End of tree ----
89501 recipients_count=1
89501 body_linecount=1 message_linecount=4
89501 Delivery address list:
89501   bridget@???
89501 locking /var/spool/exim/db/retry.lockfile
89501 locked /var/spool/exim/db/retry.lockfile
89501 opened hints database /var/spool/exim/db/retry: flags=0
89501 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
89501 Considering: bridget@???
89501 unique = bridget@???
89501 dbfn_read: key=R:alf1.lmb.internal
89501 dbfn_read: key=R:bridget@???
89501 no domain retry record
89501 no address retry record
89501 bridget@???: queued for routing
89501 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
89501 routing bridget@???
89501 --------> send_to_smart_host router <--------
89501 local_part=bridget domain=alf1.lmb.internal
89501 checking domains
89501 alf1.lmb.internal in "@"? yes (matched "@")
89501 alf1.lmb.internal in "! +local_domains"? no (matched "! +local_domains")
89501 send_to_smart_host router skipped: domains mismatch
89501 --------> system_aliases router <--------
89501 local_part=bridget domain=alf1.lmb.internal
89501 calling system_aliases router
89501 rda_interpret (string): ${lookup{$local_part}lsearch{/etc/aliases}}
89501 search_open: lsearch "/etc/aliases"
89501 search_find: file="/etc/aliases"
89501   key="bridget" partial=-1 affix=NULL starflags=0
89501 LRU list:
89501   9/etc/aliases
89501   End
89501 internal_search_find: file="/etc/aliases"
89501   type=lsearch key="bridget"
89501 file lookup required for bridget
89501   in /etc/aliases
89501 lookup failed
89501 expanded:
89501 file is not a filter file
89501 parse_forward_list:
89501 system_aliases router declined for bridget@???
89501 --------> userforward router <--------
89501 local_part=bridget domain=alf1.lmb.internal
89501 checking domains
89501 alf1.lmb.internal in "@"? yes (matched "@")
89501 checking for local user
89501 checking require_files
89501 file check: $home/.forward
89501 expanded file: /nb0/bridget/.forward
89501 stat() yielded -1
89501 errno = 2
89501 userforward router skipped: file check


result of 'require_files = $home/.forward'


89501 --------> localuser router <--------
89501 local_part=bridget domain=alf1.lmb.internal
89501 checking for local user
89501 finduser used cached passwd data for bridget
89501 calling localuser router
89501 localuser router called for bridget@???
89501   domain = alf1.lmb.internal
89501 set transport local_delivery
89501 queued for local_delivery transport: local_part = bridget
89501 domain = alf1.lmb.internal
89501   errors_to=NULL
89501   domain_data=NULL localpart_data=NULL
89501 routed by localuser router
89501   envelope to: bridget@???
89501   transport: local_delivery
89501 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
89501 After routing:
89501   Local deliveries:
89501     bridget@???
89501   Remote deliveries:
89501   Failed addresses:
89501   Deferred addresses:
89501 search_tidyup called
89501 >>>>>>>>>>>>>>>> Local deliveries >>>>>>>>>>>>>>>>
89501 --------> bridget@??? <--------
89501 locking /var/spool/exim/db/retry.lockfile
89501 locked /var/spool/exim/db/retry.lockfile
89501 opened hints database /var/spool/exim/db/retry: flags=0
89501 dbfn_read: key=T:bridget@???
89501 retry record exists: age=99 (max=604800)
89501   time to retry = -21501 expired = 1
89501 search_tidyup called
124918 changed uid/gid: local delivery to bridget <bridget@???> transport=local_delivery
124918   uid=774 gid=774 pid=124918
124918   auxiliary group list: <none>
124918   home=/nb0/bridget current=/nb0/bridget
124918 search_tidyup called
89501 local_delivery transport returned DEFER for bridget@???
89501 added retry item for T:bridget@???: errno=13 0 flags=0



Is the appendfile transport trying to access $home here?
If so, why, when it has been configured to append to
/usr/spool/mail/$local_part ??

# ls -l /usr/spool/mail/bridget
-rw-------   1 bridget  mail     6839214 Jan 26 17:04 /usr/spool/mail/bridget




89501 post-process bridget@??? (1)
89501 LOG: MAIN
89501 == bridget@??? R=localuser T=local_delivery defer (13): Permission denied: failed to chdir to /nb0/bridget
89501 >>>>>>>>>>>>>>>> deliveries are done >>>>>>>>>>>>>>>>
89501 changed uid/gid: post-delivery tidying
89501 uid=10000 gid=10000 pid=89501
89501 auxiliary group list: <none>
89501 set_process_info: 89501 tidying up after delivering 1AqaT1-000ZV9-J4
89501 Processing retry items
89501 Succeeded addresses:
89501 Failed addresses:
89501 Deferred addresses:
89501 bridget@???


etc
etc