Sendmail works.
Mailman works.
Mailman's wrapper under sendmail doesn't work.
What I get is:
    ----- The following addresses had permanent fatal errors -----
    "|/usr/lib/mailman/mail/mailman post mailman"
        (reason: 2)
        (expanded from: mailman@baron.benjammin.net)

    ----- Transcript of session follows -----
    Group mismatch error. Mailman expected the mail wrapper script to be
    executed as one of the following groups:
    [mail, postfix, mailman, nobody, daemon],
    but the system's mail server executed the mail script as group: "mailnull".
    Try tweaking the mail server to run the script as one of these groups:
    [mail, postfix, mailman, nobody, daemon],
    or re-run configure providing the command line option:
    '--with-mail-gid=mailnull'.
    554 5.3.0 unknown mailer error 2
Now, I would normally know how to fix the problem - but I thought to myself..
Do the developers know that out of the "yum" box - Sendmail and Mailman as RPM'd don't work with each other or am I missing a README somewhere?
I'm more than happy to recompile both programs, but that's bypassing the point of using RPM's in the first place. It would be nice to see the RPM work, not have to go recompile anyway.
So, I'm sure this is a common question, but this is the first problem I've had making sense of a Fedora distribution and the included docs in the mailman docs directory don't talk about how the "run as GID" settings for mailman were set on compile.
Little help? (and thanks!)
-Ben
Ben Kamen wrote:
Sendmail works.
Mailman works.
Mailman's wrapper under sendmail doesn't work.
Do you have SELinux in enforcing mode?
What I get is:
    ----- The following addresses had permanent fatal errors -----
    "|/usr/lib/mailman/mail/mailman post mailman"
        (reason: 2)
        (expanded from: mailman@baron.benjammin.net)

    ----- Transcript of session follows -----
    Group mismatch error. Mailman expected the mail wrapper script to be
    executed as one of the following groups:
    [mail, postfix, mailman, nobody, daemon],
    but the system's mail server executed the mail script as group: "mailnull".
    Try tweaking the mail server to run the script as one of these groups:
    [mail, postfix, mailman, nobody, daemon],
    or re-run configure providing the command line option:
    '--with-mail-gid=mailnull'.
    554 5.3.0 unknown mailer error 2
Hmmm, on an F8 box with a fresh install of mailman and everything else up to date (including the updates-testing repository), I don't see this particular error. I do get a failed delivery with SELinux in enforcing mode though. The bounce in my case is:
    ----- The following addresses had permanent fatal errors -----
    "|/usr/lib/mailman/mail/mailman post test-list"
        (reason: 1)
        (expanded from: test-list@localhost.localdomain)

    ----- Transcript of session follows -----
    post script, list not found: test-list
    554 5.3.0 unknown mailer error 1
Setting SELinux to permissive lets the mail go through. So there appear to be some policy tweaks needed.
Now, I would normally know how to fix the problem - but I thought to myself..
Do the developers know that out of the "yum" box - Sendmail and Mailman as RPM'd don't work with each other or am I missing a README somewhere?
It's likely that testing with SELinux in enforcing mode hasn't been tested well. Since mailman can be used with a variety of MTA's and involves a bit of work after installing the rpm to finish the setup, I can understand this. I hadn't tested mailman with sendmail in many years until today. I typically use Postfix since it integrates with mailman much nicer IMO.
I'm more than happy to recompile both programs, but that's bypassing the point of using RPM's in the first place. It would be nice to see the RPM work, not have to go recompile anyway.
So, I'm sure this is a common question, but this is the first problem I've had making sense of a Fedora distribution and the included docs in the mailman docs directory don't talk about how the "run as GID" settings for mailman were set on compile.
Little help? (and thanks!)
See if running "setenforce 0" as root changes the behavior. If it does, then we should gather up the AVC messages from SELinux and report them to bugzilla so Dan Walsh can push out a corrected SELinux policy that allows mailman to operate with sendmail.
Todd Zullinger wrote:
Do you have SELinux in enforcing mode?
I have it completely disabled since the installation. (and I double checked the sysconfig/selinux file for this email. ;) )
Hmmm, on an F8 box with a fresh install of mailman and everything else up to date (including the updates-testing repository), I don't see this particular error. I do get a failed delivery with SELinux in enforcing mode though. The bounce in my case is:
I'm using FC-7 not 8... so I don't know what diff's might exist there... but.. moving along.
Setting SELinux to permissive lets the mail go through. So there appear to be some policy tweaks needed.
Hmmm, and in my case where it's disabled?
It's likely that testing with SELinux in enforcing mode hasn't been tested well. Since mailman can be used with a variety of MTA's and involves a bit of work after installing the rpm to finish the setup, I can understand this. I hadn't tested mailman with sendmail in many years until today. I typically use Postfix since it integrates with mailman much nicer IMO.
I would offer the argument that this is a matter of what user/group sendmail is running as vs. what user/group mailman was built to run with.
As for Postfix, I'm a sendmail fan and use it with all the other goodies one might use with sendmail to control spam (mimedefang, spamassassin) so moving from sendmail won't happen in the near future just as I'm comfy with it and have my plate filled with other things (that are part of my j-o-b).
Anyway...
See if running "setenforce 0" as root changes the behavior. If it does, then we should gather up the AVC messages from SELinux and report them to bugzilla so Dan Walsh can push out a corrected SELinux policy that allows mailman to operate with sendmail.
Again, my SELinux is disabled, so what might you recommend?
Thanks for the fast reply!
-Ben
Oh,
I'd also like to point out that mailman's Default.py points to sendmail in /usr/lib/sendmail when sendmail is actually living in /usr/sbin/sendmail per the yum installed package of sendmail 8.14.1 (oops?)
-Ben
Ben Kamen wrote:
Oh,
I'd also like to point out that mailman's Default.py points to sendmail in /usr/lib/sendmail when sendmail is actually living in /usr/sbin/sendmail per the yum installed package of sendmail 8.14.1 (oops?)
-Ben
No problem, no fault, no oops.
This is intended as Fedora comes with the MTA switching mechanism through alternatives. Just check out that /usr/lib/sendmail is a symlink. And the "sendmail" binary could be postfix (/usr/lib/sendmail.postfix instead of /usr/lib/sendmail.sendmail as the true binary).
Alexander
Ben Kamen wrote:
I'd also like to point out that mailman's Default.py points to sendmail in /usr/lib/sendmail when sendmail is actually living in /usr/sbin/sendmail per the yum installed package of sendmail 8.14.1 (oops?)
There is a sendmail link in /usr/lib/sendmail though, so it would be fine if that's the path that mailman used.
But it's irrelevant anyway, since that setting only applies if you set the DELIVERY_MODULE to Sendmail. And if you check the comments in Defaults.py about that, you'll see that you are warned against this:
    # WARNING: Sendmail has security holes and should be avoided. In
    # fact, you must read the Mailman/Handlers/Sendmail.py file before it
    # will work for you.
    #
    #DELIVERY_MODULE = 'Sendmail'
    DELIVERY_MODULE = 'SMTPDirect'
Todd Zullinger wrote:
There is a sendmail link in /usr/lib/sendmail though, so it would be fine if that's the path that mailman used.
I did a locate, but now I just did a specific ls -l.. wow - talk about softlink hell. What has FC come to? (sigh)
But it's irrelevant anyway, since that setting only applies if you set the DELIVERY_MODULE to Sendmail. And if you check the comments in Defaults.py about that, you'll see that you are warned against this:
Which I don't.
    # WARNING: Sendmail has security holes and should be avoided. In
    # fact, you must read the Mailman/Handlers/Sendmail.py file before it
    # will work for you.
    #
    #DELIVERY_MODULE = 'Sendmail'
    DELIVERY_MODULE = 'SMTPDirect'
Yea, I saw that...
and to the notes earlier about sendmail integration, there's an .MC file to handle list@mailman.your.domain which reroutes all those though the mailer in sendmail rather than through aliases... I'm not needing the former, so I'm using the latter. I run like < 10 lists, so aliases are fine with me.
-Ben
Ben Kamen wrote:
There is a sendmail link in /usr/lib/sendmail though, so it would be fine if that's the path that mailman used.
I did a locate, but now I just did a specific ls -l.. wow - talk about softlink hell. What has FC come to? (sigh)
FWIW, those symlinks are from the alternatives system, which was ported from Debian. Between that and the odd history that leaves programs to expect to find sendmail in /usr/lib, it is a tangled web.
(BTW, if you do file a bug, would you mind posting it back to this thread? I'm curious to follow it. Thanks.)
Ben Kamen wrote:
Todd Zullinger wrote:
Do you have SELinux in enforcing mode?
I have it completely disabled since the installation. (and I double checked the sysconfig/selinux file for this email. ;) )
Well, then there should be no SELinux issues. Forget I even mentioned it. :)
I'm using FC-7 not 8... so I don't know what diff's might exist there... but.. moving along.
It could be relevant, though I doubt there are significant differences. You could poke the spec files and patches in Fedora's CVS: http://cvs.fedoraproject.org/viewcvs/rpms/mailman/
I would offer the argument that this is a matter of what user/group sendmail is running as vs. what user/group mailman was built to run with.
The Fedora mailman package is patched so that it can run as multiple mail groups. The upstream mailman source makes you choose one group at build time and would make it rough to have one mailman rpm that worked with postfix, sendmail, or other MTA's.
As for Postfix, I'm a sendmail fan and use it with all the other goodies one might use with sendmail to control spam (mimedefang, spamassassin) so moving from sendmail won't happen in the near future just as I'm comfy with it and have my plate filled with other things (that are part of my j-o-b).
No problem. I'm not here to try and persuade you to switch. :)
There are some tools to make adding the aliases when new lists are created more automatic when using sendmail. I'm not sure what they are or how well they integrate with the mailman rpms from Fedora. But that's something to worry about after the basic functionality is working, for sure.
I know with postfix, it's possible to get the gid errors if you add the aliases directly to the main /etc/aliases file. This is because postfix will run the commands in the aliases as the owner/group of the alias file. So for mailman, you create an alias file just for the mailman aliases, with group mailman.
Now, for sendmail I don't think this same thing applies. In the test I did I added the aliases to /etc/aliases and things worked (once SELinux was set to permissive). I only mention this in case there's something different about how you setup the aliases that may jump out at you as a potential cause for sendmail running the mailman wrapper script with group mailnull.
Todd Zullinger wrote:
Now, for sendmail I don't think this same thing applies. In the test I did I added the aliases to /etc/aliases and things worked (once SELinux was set to permissive). I only mention this in case there's something different about how you setup the aliases that may jump out at you as a potential cause for sendmail running the mailman wrapper script with group mailnull.
I'm way out of date on how this works, but the last time I looked, the mailman wrapper was setgid mailman which should work regardless of what starts it.
Les Mikesell wrote:
Todd Zullinger wrote:
Now, for sendmail I don't think this same thing applies. In the test I did I added the aliases to /etc/aliases and things worked (once SELinux was set to permissive). I only mention this in case there's something different about how you setup the aliases that may jump out at you as a potential cause for sendmail running the mailman wrapper script with group mailnull.
I'm way out of date on how this works, but the last time I looked, the mailman wrapper was setgid mailman which should work regardless of what starts it.
Yeeaa... one would think. ;) But it doesn't.
Again, I'm using the supplied RPM's and it's currently broken.
I could always recompile to my own needs... but that breaks the point of using the RPM's and that's what I wanted to really mention more than anything.
Check it out, you'll be surprised (or shocked)
-Ben
Todd Zullinger wrote:
Now, for sendmail I don't think this same thing applies. In the test I did I added the aliases to /etc/aliases and things worked (once SELinux was set to permissive). I only mention this in case there's something different about how you setup the aliases that may jump out at you as a potential cause for sendmail running the mailman wrapper script with group mailnull.
Yea, maybe it's fixed on FC8.. but it's broke for FC7. I'll see if I can get smrsh (which is what calls mailman's wrapper anyway in /etc/smrsh) to run as a different user without a recompile. I see it as: Sendmail's been put together kind of funny and the sendmail-devel package yields nothing useful..
worst come to worst, I'll just recompile sendmail and cross my fingers.
I recently switched my web/email server from AIX to Linux... in the past I just compiled everything as I needed it since I liked setting all my options anyway.
Otherwise, I just wanted to let the potential developer folks out there know something seems amiss. I'd be happy to offer someone to ssh to the box if they wanna see for themselves...
-Ben
After fiddling some more - I found the easiest fix is to just run /usr/sbin/smrsh as user mail:mail (which can be configured via the MAILERs config in sendmail)
Not as elegant for now, but works just fine and most of the other limited shell items I've written can handle running as the same. Right now I'm only running mailman and vacation.
Just thought I would share with everyone.
-Ben
Ben Kamen wrote:
After fiddling some more - I found the easiest fix is to just run /usr/sbin/smrsh as user mail:mail (which can be configured via the MAILERs config in sendmail)
Not as elegant for now, but works just fine and most of the other limited shell items I've written can handle running as the same. Right now I'm only running mailman and vacation.
Just thought I would share with everyone.
Glad you found a work around. I had hoped to setup an F7 install to verify this, but haven't had a chance to do that yet. It seems like a problem that should be bugzilla'd. I know the mailman maintainer is usually on top of things (though sometimes busy and thus slow to respond). But he may have better insights as to what's wrong and/or how to fix it.
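
Added example, not part of any message in this thread: a shell check of the setting the workaround above changes. It reads the `Mprog` (prog mailer) definition from a sendmail.cf-style file and reports whether its `U=user:group` field names a group from the list in the bounce. The `sample_cf` helper and its mailer lines are constructed for illustration, and the cf file path is passed as an argument rather than assumed.

```shell
#!/bin/sh
# Added example: audit the "prog" mailer in a sendmail.cf-style file.
# Groups the wrapper accepts, copied from the bounce quoted in the thread.
ALLOWED_GROUPS="mail postfix mailman nobody daemon"

# Print the U=user:group value of the Mprog definition (empty if none).
# Lines starting with blank/tab continue the definition before them.
prog_mailer_user() {
    awk '
        /^Mprog,/          { in_def = 1; def = $0; next }
        in_def && /^[ \t]/ { def = def $0; next }
                           { in_def = 0 }
        END {
            n = split(def, field, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", field[i])
                if (field[i] ~ /^U=/) { print substr(field[i], 3); exit }
            }
        }' "$1"
}

# Print a one-line verdict for the prog mailer defined in file $1.
audit_prog_mailer() {
    ug=$(prog_mailer_user "$1")
    [ -n "$ug" ] || { echo "unpinned: Mprog has no U= field"; return 0; }
    case $ug in
        *:*) grp=${ug#*:} ;;
        *)   echo "no-group: U=$ug"; return 0 ;;
    esac
    for g in $ALLOWED_GROUPS; do
        if [ "$g" = "$grp" ]; then echo "ok: U=$ug"; return 0; fi
    done
    echo "mismatch: group $grp is not one of: $ALLOWED_GROUPS"
}

# Constructed sample definitions (not taken from any real host).
sample_cf() {   # $1 = extra mailer field, e.g. " U=mail:mail,"
    printf 'Mlocal,\tP=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9,\n\t\tA=procmail -t -Y -a $h -d $u\n'
    printf 'Mprog,\t\tP=/usr/sbin/smrsh, F=lsDFMoqeu9,%s D=$z:/,\n' "$1"
    printf '\t\tT=X-Unix/X-Unix/X-Unix,\n\t\tA=smrsh -c $u\n'
    printf 'Msmtp,\t\tP=[IPC], F=mDFMuX, A=TCP $h\n'
}

# When run with a file argument, audit that file.
if [ -n "${1:-}" ]; then audit_prog_mailer "$1"; fi
```

An "unpinned" verdict means only that the mailer definition does not fix the identity; sendmail then decides it elsewhere in its configuration.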