
postfix: milter socket: permission denied

  • rosenfield@users.sourceforge.net
    Message 1 of 7 , Nov 1, 2007
      Hi list

      Has anyone else seen this?

      ===== syslog =====
      warning: connect to Milter service
      unix:/var/spool/MIMEDefang/mimedefang.sock: Permission denied
      ================

      All email is then tempfailed.

      This didn't help:
      $ chown -R defang:postfix /var/spool/MIMEDefang
      $ chmod -R g+rx /var/spool/MIMEDefang

      Neither did this:
      $ chown -R postfix:postfix /var/spool/MIMEDefang
      $ chmod -R 1777 /var/spool/MIMEDefang
    • Matteo D'Alfonso
      Message 2 of 7 , Nov 2, 2007
        On Thu, 01/11/2007 at 14.23 +0100,
        rosenfield@... wrote:
        > Hi list
        >
        > Has anyone else seen this?
        >
        > ===== syslog =====
        > warning: connect to Milter service
        > unix:/var/spool/MIMEDefang/mimedefang.sock: Permission denied
        > ================

        Yes, I see it with spamass-milter, because my postfix/smtpd runs chrooted
        and I didn't read the README

        QUOTE FROM: http://www.postfix.org/MILTER_README.html#smtp-only-milters
        unix:pathname

        Connect to the local UNIX-domain server that is bound to the
        specified pathname. If the smtpd(8) or cleanup(8) process runs
        chrooted, an absolute pathname is interpreted relative to the
        Postfix queue directory.


        > All email is then tempfailed.

        http://www.postfix.org/postconf.5.html#milter_default_action

        Hope this helps,
        Matteo.
      • rosenfield@users.sourceforge.net
        Message 3 of 7 , Nov 2, 2007
          >> ===== syslog =====
          >> warning: connect to Milter service
          >> unix:/var/spool/MIMEDefang/mimedefang.sock: Permission denied
          >> ================
          >
          > Yes, I see with spamass-milter, because my postfix/smtpd
          > run chrooted

          Aah, great hint. Thanks.

          > and I didn't read the README

          No comments :-).

          > If the smtpd(8) or cleanup(8) process runs chrooted,
          > an absolute pathname is interpreted relative to the
          > Postfix queue directory

          Beautiful.

          I don't think the server runs chrooted though, because I've just fixed
          the problem by upgrading mimedefang from the Linux distributor's
          default version to the newest stable release.

          Doing an strace revealed that the permission denied error message from
          Postfix was completely bogus, in fact it communicated fine through the
          socket.

          The problem was that Postfix was sending something and expecting the
          filter to reply with something else, which the filter obviously did
          not honour. It was a fill into a 4096-byte buffer which came back
          with an empty result after a second or two, if I remember correctly.

          Anyway, I'm guessing that the mimedefang folks have updated their
          milter to work with Postfix, so problem solved :-).

          (For me, at least - I've filed a bug with gentoo, asking them to keep
          up with upstream :-p.)
        • Wietse Venema
          Message 4 of 7 , Nov 2, 2007
            rosenfield@...:
            > Doing an strace revealed that the permission denied error message from
            > Postfix was completely bogus, in fact it communicated fine through the
            > socket.

            The warning:

            warning: connect to Milter service
            unix:/var/spool/MIMEDefang/mimedefang.sock: Permission denied

            was reported BEFORE the socket was opened.

            No communication is possible without an open socket.

            Wietse
          • rosenfield@users.sourceforge.net
            Message 5 of 7 , Nov 2, 2007
              >> Doing an strace revealed that the permission denied error message from
              >> Postfix was completely bogus, in fact it communicated fine through the
              >> socket.
              >
              > The warning:
              >
              > warning: connect to Milter service
              > unix:/var/spool/MIMEDefang/mimedefang.sock: Permission denied
              >
              > was reported BEFORE the socket was opened.

              You'd think so. But according to strace the socket opened fine and
              Postfix wrote about 20 characters to it. At least that's how I
              interpret it.

              Here's a snippet of the strace output - I've marked interesting lines
              with asterisks:

              =========
              sendto(7, "<22>Nov 1 21:33:23 postfix/smtp"..., 114, MSG_NOSIGNAL,
              NULL, 0) = 114
              * socket(PF_FILE, SOCK_STREAM, 0) = 17
              fcntl(17, F_GETFL) = 0x2 (flags O_RDWR)
              fcntl(17, F_SETFL, O_RDWR|O_NONBLOCK) = 0
              * connect(17, {sa_family=AF_FILE,
              path="/var/run/defang/mimedefang.sock"}, 110) = 0
              fcntl(17, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
              fcntl(17, F_SETFL, O_RDWR) = 0
              gettimeofday({1193949203, 381172}, NULL) = 0
              time([1193949203]) = 1193949203
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              sendto(7, "<22>Nov 1 21:33:23 postfix/smtp"..., 73, MSG_NOSIGNAL, NULL, 0) = 73
              time([1193949203]) = 1193949203
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              sendto(7, "<22>Nov 1 21:33:23 postfix/smtp"..., 147, MSG_NOSIGNAL,
              NULL, 0) = 147
              time([1193949203]) = 1193949203
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              sendto(7, "<22>Nov 1 21:33:23 postfix/smtp"..., 166, MSG_NOSIGNAL,
              NULL, 0) = 166
              select(18, NULL, [17], [17], {30, 0}) = 1 (out [17], left {30, 0})
              * write(17, "\0\0\0\rO\0\0\0\2\0\0\0=\0\0\0\177", 17) = 17
              gettimeofday({1193949203, 409834}, NULL) = 0
              select(18, [17], NULL, [17], {30, 0}) = 1 (in [17], left {30, 0})
              * read(17, "", 4096) = 0
              time([1193949203]) = 1193949203
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
              * sendto(7, "<20>Nov 1 21:33:23 postfix/smtp"..., 148, MSG_NOSIGNAL,
              NULL, 0) = 148
              * close(17) = 0
              ======

              Then again, maybe I wasn't paying enough attention. The error message
              could have been different between me seeing it initially, and me
              running the strace to diagnose it, I guess.
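An added example, not part of the original thread: a triage of the fd-17 lines from the strace above that reports whether `connect()` succeeded, decodes the 17-byte write as a milter option-negotiation packet (big-endian length, command `O`, then version, actions and protocol masks), and flags a zero-byte read as the peer closing the connection. The function names are hypothetical, and the sample is constructed by joining the wrapped lines quoted above.

```python
import re
import struct

# Constructed sample: the fd-17 lines from the strace quoted in the thread,
# with wrapped lines joined and the "*" markers dropped.
STRACE = r'''
socket(PF_FILE, SOCK_STREAM, 0) = 17
connect(17, {sa_family=AF_FILE, path="/var/run/defang/mimedefang.sock"}, 110) = 0
write(17, "\0\0\0\rO\0\0\0\2\0\0\0=\0\0\0\177", 17) = 17
read(17, "", 4096) = 0
close(17) = 0
'''

_ESC = {"n": 10, "r": 13, "t": 9, "f": 12, "v": 11, "\\": 92, '"': 34}

def unescape(s):
    """Turn strace's C-style escapes (octal, \\r, \\n, ...) back into bytes."""
    def one(m):
        e = m.group(1)
        return chr(_ESC[e]) if e in _ESC else chr(int(e, 8))
    return re.sub(r'\\([0-7]{1,3}|[nrtfv\\"])', one, s).encode("latin-1")

def decode_optneg(pkt):
    """Milter packet: uint32 length (command byte + data), command, data."""
    (length,) = struct.unpack(">I", pkt[:4])
    cmd, data = pkt[4:5], pkt[5:4 + length]
    if cmd != b"O" or len(data) != 12:
        raise ValueError("not an option-negotiation packet")
    version, actions, protocol = struct.unpack(">III", data)
    return {"version": version, "actions": actions, "protocol": protocol}

def triage(trace):
    """Summarise what happened on the UNIX-domain socket seen in the trace."""
    out = {"fd": None, "path": None, "connect": None,
           "optneg": None, "peer_closed": False}
    for line in trace.splitlines():
        m = re.match(r'connect\((\d+), .*path="([^"]+)".*\) = (-?\d+)(?: (E\w+))?', line)
        if m:
            out["fd"], out["path"] = m.group(1), m.group(2)
            out["connect"] = "ok" if m.group(3) == "0" else m.group(4)
            continue
        m = re.match(r'(write|read)\((\d+), "(.*)", \d+\) = (-?\d+)', line)
        if m and m.group(2) == out["fd"]:
            if m.group(1) == "write" and out["optneg"] is None:
                out["optneg"] = decode_optneg(unescape(m.group(3)))
            elif m.group(1) == "read" and m.group(4) == "0":
                out["peer_closed"] = True  # EOF: peer closed without a reply
    return out

if __name__ == "__main__":
    print(triage(STRACE))
```

The `path` field in the result is the socket the traced process actually connected to, which can be compared with the path named in the logged warning.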
            • Bill Cole
              Message 6 of 7 , Nov 2, 2007
                At 2:23 PM +0100 11/1/07, rosenfield@... wrote:
                >Hi list
                >
                >Has anyone else seen this?
                >
                >===== syslog =====
                >warning: connect to Milter service
                >unix:/var/spool/MIMEDefang/mimedefang.sock: Permission denied
                >================
                >
                >All email is then tempfailed.

                Just a data point: I was seeing this happen intermittently with
                Postfix 2.4.5 and MD 2.63 on MacOS 10.4.x in conjunction with the
                rather ugly daily housekeeping that includes a 'postfix reload' line.
                I never diagnosed the root cause beyond determining that it is fixed
                by stopping and restarting MD, with care taken to ensure ALL MD
                processes are gone.



                --
                Bill Cole
                bill@...
              • Wietse Venema
                Message 7 of 7 , Nov 2, 2007
                  rosenfield@...:
                  > >> Doing an strace revealed that the permission denied error message from
                  > >> Postfix was completely bogus, in fact it communicated fine through the
                  > >> socket.
                  > >
                  > > The warning:
                  > >
                  > > warning: connect to Milter service
                  > > unix:/var/spool/MIMEDefang/mimedefang.sock: Permission denied
                  > >
                  > > was reported BEFORE the socket was opened.
                  >
                  > You'd think so. But according to strace the socket opened fine and
                  > Postfix wrote about 20 characters to it. At least that's how I
                  > interpret it.

                  Postfix does not write on a socket before it is open.

                  > Here's a snippet of the strace output - I've marked interesting lines
                  > with asterisks:
                  >
                  > * connect(17, {sa_family=AF_FILE,
                  > path="/var/run/defang/mimedefang.sock"}, 110) = 0

                  The connect operation is SUCCESSFUL.

                  > fcntl(17, F_SETFL, O_RDWR) = 0
                  > gettimeofday({1193949203, 381172}, NULL) = 0
                  > time([1193949203]) = 1193949203
                  > stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
                  > stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
                  > stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2134, ...}) = 0
                  > sendto(7, "<22>Nov 1 21:33:23 postfix/smtp"..., 73, MSG_NOSIGNAL, NULL, 0) = 73

                  And this is supposed to be "proof" that postfix reports a connect error.

                  Wietse