10:16 a.m.
Sendmail works.
Mailman works.
Mailman's wrapper under sendmail doesn't work.
What I get is:
----- The following addresses had permanent fatal errors -----
"|/usr/lib/mailman/mail/mailman post mailman"
(reason: 2)
(expanded from: <mailman(a)baron.benjammin.net>)
----- Transcript of session follows -----
Group mismatch error. Mailman expected the mail wrapper script to be
executed as one of the following groups:
[mail, postfix, mailman, nobody, daemon],
but the system's mail server executed the mail script as group:
"mailnull".
Try tweaking the mail server to run the script as one of these groups:
[mail, postfix, mailman, nobody, daemon],
or re-run configure providing the command line option:
'--with-mail-gid=mailnull'.
554 5.3.0 unknown mailer error 2
Now, I would normally know how to fix the problem - but I thought to myself..
Do the developers know that out of the "yum" box - Sendmail and Mailman as
RPM'd don't work with each other or am I missing a README somewhere.
I'm more than happy to recompile both programs, but that's bypassing the point
of using RPM's in the first place. It would be nice to see the RPM work, not
have to go recompile anyway.
So, I'm sure this is a common question, but this is the first problem I've had
making sense of a Fedora distribution and the included docs in the mailman
docs directory don't talk about how the "run as GID" settings for mailman
were set on compile.
Little help? (and thanks!)
-Ben
--
Ben Kamen - O.D.T., S.P.
======================================================================
Email: bkamen AT benjammin DOT net Web: http://www.benjammin.net
2:10 p.m.
Ben Kamen wrote:
Sendmail works.
Mailman works.
Mailman's wrapper under sendmail doesn't work.
Do you have SELinux in enforcing mode?
What I get is:
> ----- The following addresses had permanent fatal errors -----
> "|/usr/lib/mailman/mail/mailman post mailman"
> (reason: 2)
> (expanded from: <mailman(a)baron.benjammin.net>)
>
> ----- Transcript of session follows -----
> Group mismatch error. Mailman expected the mail wrapper script to be
> executed as one of the following groups:
> [mail, postfix, mailman, nobody, daemon],
> but the system's mail server executed the mail script as group:
"mailnull".
> Try tweaking the mail server to run the script as one of these groups:
> [mail, postfix, mailman, nobody, daemon],
> or re-run configure providing the command line option:
> '--with-mail-gid=mailnull'.
> 554 5.3.0 unknown mailer error 2
Hmmm, on an F8 box with a fresh install of mailman and everything else
up to date (including the updates-testing repository), I don't see
this particular error. I do get a failed delivery with SELinux in
enforcing mode though. The bounce in my case is:
----- The following addresses had permanent fatal errors -----
"|/usr/lib/mailman/mail/mailman post test-list"
(reason: 1)
(expanded from: <test-list(a)localhost.localdomain>)
----- Transcript of session follows -----
post script, list not found: test-list
554 5.3.0 unknown mailer error 1
Setting SELinux to permissive lets the mail go through. So there
appear to be some policy tweaks needed.
Now, I would normally know how to fix the problem - but I thought to
myself..
Do the developers know that out of the "yum" box - Sendmail and
Mailman as RPM'd don't work with each other or am I missing a README
somewhere.
It's likely that testing with SELinux in enforcing mode hasn't been
tested well. Since mailman can be used with a variety of MTA's and
involves a bit of work after installing the rpm to finish the setup, I
can undertstand this. I hadn't tested mailman with sendmail in many
years until today. I typically use Postfix since it integrates with
mailman much nicer IMO.
I'm more than happy to recompile both programs, but that's
bypassing
the point of using RPM's in the first place. It would be nice to see
the RPM work, not have to go recompile anyway.
So, I'm sure this is a common question, but this is the first
problem I've had making sense of a Fedora distribution and the
included docs in the mailman docs directory don't talk about how the
"run as GID" settings for mailman were set on compile.
Little help? (and thanks!)
See if running "setenforce 0" as root changes the behavior. If it
does, then we should gather up the AVC messages from SELinux and
report them to bugzilla so Dan Walsh can push out a corrected SELinux
policy that allows mailman to operate with sendmail.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
People who make history know nothing about history. You can see that
in the sort of history they make.
-- G. K. Chesterton
3:25 p.m.
Todd Zullinger wrote:
Do you have SELinux in enforcing mode?
I have it completely disabled since the installation. (and I doubled checked the
sysconfig/selinux file for this email. ;) )
Hmmm, on an F8 box with a fresh install of mailman and everything else
up to date (including the updates-testing repository), I don't see
this particular error. I do get a failed delivery with SELinux in
enforcing mode though. The bounce in my case is:
I'm using FC-7 not 8... so I don't know what diff's might exist there...
but..
moving along.
Setting SELinux to permissive lets the mail go through. So there
appear to be some policy tweaks needed.
Hmmm, and in my case where it's disabled?
It's likely that testing with SELinux in enforcing mode
hasn't been
tested well. Since mailman can be used with a variety of MTA's and
involves a bit of work after installing the rpm to finish the setup, I
can undertstand this. I hadn't tested mailman with sendmail in many
years until today. I typically use Postfix since it integrates with
mailman much nicer IMO.
I would offer the argument that this is a matter of what user/group sendmail is
running as vs. what user/group mailman was built to run with.
As for Postfix, I'm a sendmail fan and use it with all the other goodies
one might use with sendmail to control spam (mimedefang, spamassassin) so
moving from sendmail won't happen in the near future just as I'm comfy with
it and have my plate filled with other things (that are part of my j-o-b).
Anyway...
See if running "setenforce 0" as root changes the behavior. If it
does, then we should gather up the AVC messages from SELinux and
report them to bugzilla so Dan Walsh can push out a corrected SELinux
policy that allows mailman to operate with sendmail.
again, my SElinux is disabled, so what might you recommend?
Thanks for the fast reply!
-Ben
--
Ben Kamen - O.D.T., S.P.
======================================================================
Email: bkamen AT benjammin DOT net Web: http://www.benjammin.net
3:31 p.m.
Oh,
I'd also like to point out that mailman's Default.py points to sendmail
in /usr/lib/sendmail when sendmail is actually living in /usr/sbin/sendmail per
the yum installed package of sendmail 8.14.1 (oops?)
-Ben
--
Ben Kamen - O.D.T., S.P.
======================================================================
Email: bkamen AT benjammin DOT net Web: http://www.benjammin.net
3:43 p.m.
Ben Kamen schrieb:
Oh,
I'd also like to point out that mailman's Default.py points to sendmail
in /usr/lib/sendmail when sendmail is actually living in
/usr/sbin/sendmail per the yum installed package of sendmail 8.14.1
(oops?)
-Ben
No problem, no fault, no oops.
This is intended as Fedora comes with the MTA switching mechanism
through alternatives. Just check out that /usr/lib/sendmail is a
symlink. And the "sendmail" binary could be postfix
(/usr/lib/sendmail.postfix instead of /usr/lib/sendmail.sendmail as the
true binary).
Alexander
4:20 p.m.
Ben Kamen wrote:
I'd also like to point out that mailman's Default.py points
to
sendmail in /usr/lib/sendmail when sendmail is actually living in
/usr/sbin/sendmail per the yum installed package of sendmail 8.14.1
(oops?)
There is a sendmail link in /usr/lib/sendmail though, so it would be
fine if that's the path that mailman used.
But it's irrelevant anyway, since that setting only applies if you set
the DELIVERY_MODULE to Sendmail. And if you check the comments in
Defaults.py about that, you'll see that you are warned against this:
# WARNING: Sendmail has security holes and should be avoided. In
# fact, you must read the Mailman/Handlers/Sendmail.py file before it
# will work for you.
#
#DELIVERY_MODULE = 'Sendmail'
DELIVERY_MODULE = 'SMTPDirect'
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What is a weed? A plant whose virtues have not been discovered.
-- Ralph Waldo Emerson, Fortune of the Republic
5:28 p.m.
Todd Zullinger wrote:
There is a sendmail link in /usr/lib/sendmail though, so it would be
fine if that's the path that mailman used.
I did a locate, but now I just did a specific ls -l.. wow - talk about softlink
hell. What has FC come to? (sigh)
But it's irrelevant anyway, since that setting only applies if
you set
the DELIVERY_MODULE to Sendmail. And if you check the comments in
Defaults.py about that, you'll see that you are warned against this:
Which I don't.
# WARNING: Sendmail has security holes and should be avoided. In
# fact, you must read the Mailman/Handlers/Sendmail.py file before it
# will work for you.
#
#DELIVERY_MODULE = 'Sendmail'
DELIVERY_MODULE = 'SMTPDirect'
Yea, I saw that...
and to the notes earlier about sendmail integration, there's an .MC file to
handle list(a)mailman.your.domain which reroutes all those though the mailer in
sendmail rather than through aliases... I'm not needing the former, so I'm using
the latter. I run like < 10 lists, so aliases are fine with me.
-Ben
--
Ben Kamen - O.D.T., S.P.
======================================================================
Email: bkamen AT benjammin DOT net Web: http://www.benjammin.net
9:09 p.m.
Ben Kamen wrote:
> There is a sendmail link in /usr/lib/sendmail though, so it
would
> be fine if that's the path that mailman used.
I did a locate, but now I just did a specific ls -l.. wow - talk
about softlink hell. What has FC come to? (sigh)
FWIW, those symlinks are from the alternatives system, which was
ported from Debian. Between that and the odd history that leaves
programs to expect to find sendmail in /usr/lib, it is a tangled web.
(BTW, if you do file a bug, would you mind posting it back to this
thread? I'm curious to follow it. Thanks.)
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Philosophy: A route of many roads leading from nowhere to nothing.
-- Ambrose Bierce
4:15 p.m.
Ben Kamen wrote:
Todd Zullinger wrote:
>
> Do you have SELinux in enforcing mode?
I have it completely disabled since the installation. (and I doubled
checked the sysconfig/selinux file for this email. ;) )
Well, then there should be no SELinux issues. Forget I even mentioned
it. :)
I'm using FC-7 not 8... so I don't know what diff's might
exist
there... but.. moving along.
It could be relevant, though I doubt there are significant
differences. You could poke the spec files and patches in Fedora's
CVS: http://cvs.fedoraproject.org/viewcvs/rpms/mailman/
I would offer the argument that this is a matter of what user/group
sendmail is running as vs. what user/group mailman was built to run
with.
The Fedora mailman package is patched so that it can run as multiple
mail groups. The upstream mailman source makes you choose one group
at build time and would make it rough to have one mailman rpm that
worked with postfix, sendmail, or other MTA's.
As for Postfix, I'm a sendmail fan and use it with all the other
goodies one might use with sendmail to control spam (mimedefang,
spamassassin) so moving from sendmail won't happen in the near
future just as I'm comfy with it and have my plate filled with other
things (that are part of my j-o-b).
No problem. I'm not here to try and persuade you to switch. :)
There are some tools to make adding the aliases when new lists are
created more automatic when using sendmail. I'm not sure what they
are or how well they integrate with the mailman rpms from Fedora. But
that's something to worry about after the basic functionality is
working, for sure.
I know with postfix, it's possible to get the gid errors if you add
the aliases directly to the main /etc/aliases file. This is because
postfix will run the commands in the aliases as the owner/group of the
alias file. So for mailman, you create an alias file just for the
mailman aliases, with group mailman.
Now, for sendmail I don't think this same thing applies. In the test
I did I added the aliases to /etc/aliases and things worked (once
SELinux was set to permissive). I only mention this in case there's
something different about how you setup the aliases that may jump out
at you as a potential cause for sendmail running the mailman wrapper
script with group mailnull.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
life, n.: A whim of several billion cells to be you for a while.
4:39 p.m.
Todd Zullinger wrote:
Now, for sendmail I don't think this same thing applies. In the test
I did I added the aliases to /etc/aliases and things worked (once
SELinux was set to permissive). I only mention this in case there's
something different about how you setup the aliases that may jump out
at you as a potential cause for sendmail running the mailman wrapper
script with group mailnull.
I'm way out of date on how this works, but the last time I looked, the
mailman wrapper was setgid mailman which should work regardless of what
starts it.
--
Les Mikesell
lesmikesell(a)gmail.com
5:28 p.m.
Les Mikesell wrote:
Todd Zullinger wrote:
>
> Now, for sendmail I don't think this same thing applies. In the test
> I did I added the aliases to /etc/aliases and things worked (once
> SELinux was set to permissive). I only mention this in case there's
> something different about how you setup the aliases that may jump out
> at you as a potential cause for sendmail running the mailman wrapper
> script with group mailnull.
I'm way out of date on how this works, but the last time I looked, the
mailman wrapper was setgid mailman which should work regardless of what
starts it.
Yeeaa... one would think. ;) But it doesn't.
Again, I'm using the supplied RPM's and it's currently broken.
I could always recompile to my own needs... but that breaks the point of
using the RPM's and that's what I wanted to really mention more than anything.
Check it out, you'll be surprised (or shocked)
-Ben
--
Ben Kamen - O.D.T., S.P.
======================================================================
Email: bkamen AT benjammin DOT net Web: http://www.benjammin.net
5:33 p.m.
Todd Zullinger wrote:
Now, for sendmail I don't think this same thing applies. In the test
I did I added the aliases to /etc/aliases and things worked (once
SELinux was set to permissive). I only mention this in case there's
something different about how you setup the aliases that may jump out
at you as a potential cause for sendmail running the mailman wrapper
script with group mailnull.
Yea, maybe it's fixed on FC8.. but it's broke for FC7. I'll see if I can get
smrsh (which is what calls mailman's wrapper anyway in /etc/smrsh) to run
as a different user without a recompile. I see it as: Sendmail's been put
together kind of funny and the sendmail-devel package yields nothing useful..
worst come to worst, I'll just recompile sendmail and cross my fingers.
I recently switched my web/email server from AIX to Linux... in the past I
just compiled everything as I needed it since I liked setting all my options
anyway.
Otherwise, I just wanted to let the potential developer folks out there
something seems amiss. I'd be happy to offer someone to ssh to the box if they
wanna see for themselves...
-Ben
--
Ben Kamen - O.D.T., S.P.
======================================================================
Email: bkamen AT benjammin DOT net Web: http://www.benjammin.net
7:38 p.m.
After fiddling some more - I found the easiest fix is to just run
/usr/sbin/smrsh at user mail:mail (which can be configured via the MAILERs
config in sendmail)
Not as elegant for now, but works just fine and most of the other limited shell
item's I've written can handle running as the same. Right now I'm only
running mailman and vacation.
Just thought I would share with everyone.
-Ben
--
Ben Kamen - O.D.T., S.P.
======================================================================
Email: bkamen AT benjammin DOT net Web: http://www.benjammin.net
9:05 p.m.
Ben Kamen wrote:
After fiddling some more - I found the easiest fix is to just run
/usr/sbin/smrsh at user mail:mail (which can be configured via the
MAILERs config in sendmail)
Not as elegant for now, but works just fine and most of the other
limited shell item's I've written can handle running as the same.
Right now I'm only running mailman and vacation.
Just thought I would share with everyone.
Glad you found a work around. I had hoped to setup an F7 install to
verify this, but haven't had a chance to do that yet. It seems like a
problem that should be bugzilla'd. I know the mailman maintainer is
usually on top of things (though sometimes busy and thus slow to
respond). But he may have better insights as to what's wrong and/or
how to fix it.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The secret of life is honesty and fair dealing. If you can fake that,
you've got it made.
-- Groucho Marx
5961
days inactive
5964
days old
13 comments
4 participants
participants (4)
-
Alexander Dalloz -
Ben Kamen -
Les Mikesell -
Todd Zullinger