[exim] Re: Unable to deliver mail to localuser: local_delive…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Zacchaeus Scheffer
Dátum:  
Címzett: exim-users
Tárgy: [exim] Re: Unable to deliver mail to localuser: local_delivery defer (-1) Frozen
> Something is nonstandard about your installation or system.
>
> Has it ever worked? What changed?
>
> Or is this a new setup?
> If so you might want to start from scratch.
> --
> Cheers,
> Jeremy


I'm running the Exim version packaged for Guix. This is the first time I
am trying to get it to work. I tried to start from scratch as much as
possible. Here is the diff between my exim config and the default one
(other than adding ACL messages, domain redacted as my.domain):

70c70
< domainlist local_domains = @
---
> domainlist local_domains = @ : localhost : my.domain

167a168,169
> tls_certificate = /etc/letsencrypt/live/my.domain/fullchain.pem
> tls_privatekey = /etc/letsencrypt/live/my.domain/privkey.pem

304,305c306,308
< log_selector = +smtp_protocol_error +smtp_syntax_error \
<         +tls_certificate_verified
---

> log_selector = +all

824a835,840
> dkim_domain = my.domain
> dkim_selector = my_ed_sel : my_rsa_sel
> dkim_private_key = /etc/exim/dkim_$dkim_selector.private
> dkim_identity = my.domain
> dkim_strict = true


Because of the way exim is packaged in Guix, my config actually gets
wrapped in the following config:

exim_user = exim
exim_group = exim
.include /gnu/store/88px88wqr7lbwlhxxlf4nl8pd1m00x63-exim.conf

I looked at the package definition in Guix, and it seems pretty minimal.
Mostly just sets paths to work on Guix.

> > Seems like when running as root, exim refuses to keep root
> > permissions, but when running as exim, it has insufficient
> > privileges?
>
> Is your exim binary setuid root?
>
> I have very recently had a similar problem, and mine is not -- but I
> know what I am doing.
>
> --
> Ian


Should it be? Currently, it is:

-r-xr-xr-x 2 root root 1165112 Dec 31 1969
/gnu/store/14ymh0d8xk0089wbnm0xmjz4kw6yzvln-exim-4.96/bin/exim-4.96-1

so no. The exim service is launched by root with "/path/to/exim -bV -C
/path/to/wrapper/config.conf" which, to my knowledge, is quickly changed to
running as exim:exim by the exim executable itself. There is only one file
in /var/spool/exim not owned by exim:

$ ls -ld /var/spool/exim/exim-daemon.pid
-rw-r--r-- 1 root exim 5 May 9 19:30 /var/spool/exim/exim-daemon.pid

I tried ensuring the file was owned by exim, but the "exim: debugging
permission denied" issue persists.


Thanks for the responses!
-Zacchae

On Thu, May 9, 2024 at 4:58 PM Zacchaeus Scheffer <zaccysc@???> wrote:

> > Try a manual delivery of the spooled message, with debug enabled :-
> >
> > # exim -d+all -M 1s1rwf-00034B-0B 2>&1 | tee debuglog
> >
> > and inspect the detailed debug output. Find the part where
> > it starts running the transport, specifically.
> > --
> > Cheers,
> > Jeremy
>
> Thanks Jeremy!  At first, when I tried to run that command as root, it
> gave some output ending with:
>
> 18:56:50   825 LOG: PANIC DIE
> 18:56:50   825   Cannot open main log file "/var/spool/exim/log/mainlog":
> Permission denied: euid=0 egid=0
> 18:56:50   825 2024-05-09 18:56:50 Warning: purging the environment.
> 18:56:50   825  Suggested action: use keep_environment.
> 18:56:50   825 2024-05-09 18:56:50 Cannot open main log file
> "/var/spool/exim/log/mainlog": Permission denied: euid=0 egid=0
> 18:56:50   825 exim: could not open panic log - aborting: see message(s)
> above
> 18:56:50   825 search_tidyup called
> 18:56:50   825 >>>>>>>>>>>>>>>> Exim pid=825 (fresh-exec) terminating with
> rc=1 >>>>>>>>>>>>>>>>
>
> However, when I ran it inside "su - exim -s /bin/sh" (exim user:group is
> exim:exim), I get the full following output:
>
> 19:01:24   888 Exim version 4.96.1 uid=979 gid=974 pid=888 D=fff9ffff
> 19:01:24   888 Support for: crypteq iconv() GnuTLS TLS_resume DANE DKIM
> DNSSEC Event OCSP PIPECONNECT PRDR Queue_Ramp TCP_Fast_Open
> 19:01:24   888 Lookups (built-in): lsearch wildlsearch nwildlsearch
> iplsearch dbm dbmjz dbmnz dnsdb
> 19:01:24   888 Authenticators: cram_md5 dovecot external plaintext spa tls
> 19:01:24   888 Routers: accept dnslookup ipliteral manualroute
> queryprogram redirect
> 19:01:24   888 Transports: appendfile autoreply pipe smtp
> 19:01:24   888 Configure owner: 0:0
> 19:01:24   888 Size of off_t: 8
> 19:01:24   888 Compiler: GCC [11.3.0]
> 19:01:24   888 Library version: Glibc: Compile: 2.35
> 19:01:24   888                         Runtime: 2.35
> 19:01:24   888 Library version: BDB: Compile: Berkeley DB 5.3.28:
> (September  9, 2013)
> 19:01:24   888                       Runtime: Berkeley DB 5.3.28:
> (September  9, 2013)
> 19:01:24   888 Library version: GnuTLS: Compile: 3.7.7
> 19:01:24   888                          Runtime: 3.8.3
> 19:01:24   888 Library version: PCRE2: Compile: 10.40
> 19:01:24   888                         Runtime: 10.40 2022-04-14
> 19:01:24   888 Total 9 lookups
> 19:01:24   888 WHITELIST_D_MACROS unset
> 19:01:24   888 TRUSTED_CONFIG_LIST unset
> 19:01:24   888 Exim has no root privilege: uid=979 gid=974 euid=979
> egid=974
> 19:01:24   888 changed uid/gid: forcing real = effective
> 19:01:24   888   uid=979 gid=974 pid=888
> 19:01:24   888   auxiliary group list: 974 1000
> 19:01:24   888 seeking password data for user "root": cache not available
> 19:01:24   888 getpwnam() succeeded uid=0 gid=0
> 19:01:24   888 LOG: MAIN
> 19:01:24   888   Warning: purging the environment.
> 19:01:24   888  Suggested action: use keep_environment.
> 2024-05-09 19:01:24 Warning: purging the environment.
>  Suggested action: use keep_environment.
> 19:01:24   888 configuration file is
> /gnu/store/076bissc2g84ic1lcb5jw9hx3wnvl7j7-exim-4.96.1/etc/exim.conf
> 19:01:24   888 log selectors = 0000cffc 64205022 0000000c
> 19:01:24   888 cwd=/var/empty 4 args: exim -d+all -M 1s1rwf-00034B-0B
> exim: debugging permission denied
>
> Seems like when running as root, exim refuses to keep root permissions,
> but when running as exim, it has insufficient privileges?  I have the
> following local_delivery section:
>
> local_delivery:
>   driver = appendfile
>   file = /var/mail/$local_part_data
>   delivery_date_add
>   envelope_to_add
>   return_path_add
>   #group = exim
>   #mode = 0660
>
> and I have the /var/mail directory set like so:
>
> # ls -la /var/mail
> total 0
> drwxrwxrwt 1 exim exim  0 Apr 30 17:10 ./
> drwxr-xr-x 1 root root 88 May  9 18:39 ../
>
>
> Thanks for the help,
> -Zacchae
>


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/