Mailing List Archive

SPF and Postfix2
I'm trying to get the SPF perl script from Meng Wong working with Postfix2
on Mandrake 10. Postfix is running chrooted in /var/spool/postfix.

master.cf entry:
policy unix - n y - - spawn
  user=nobody argv=/usr/local/libexec/postfix/smtpd-policy.pl

main.cf entries:
smtpd_recipient_restrictions =
  reject_unknown_sender_domain
  permit_mynetworks
  reject_unauth_destination
  check_policy_service unix:private/policy
policy_time_limit = 3600

Postfix logs this error:
Sep 15 16:02:23 www spawn[28341]: fatal: spawn_comand: execvp
/usr/local/libexec/postfix/smtpd-policy.pl: No such file or directory

The smtpd-policy.pl script is on both real and chroot locations:
/usr/local/libexec/postfix/smtpd-policy.pl
/var/spool/postfix/usr/local/libexec/postfix/smtpd-policy.pl

Both files are readable and executable by all. What am I missing?

Thanks!

Doug

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
Re: SPF and Postfix2
> main.cf entries:
> smtpd_recipient_restrictions
> reject_unknown_sender_domain
> permit_mynetworks
> reject_unauth_destination
> check_policy_service unix:private/policy
> policy_time_limit = 3600
>

The formatting got a little mangled, there is an "=" after the
reject_unknown_sender_domain parameter in my file...

Doug

Re: SPF and Postfix2
On Wed, Sep 15, 2004 at 04:17:53PM -0400,
Doug Koobs <dkoobs@dkoobs.com> wrote
a message of 34 lines which said:

> Sep 15 16:02:23 www spawn[28341]: fatal: spawn_comand: execvp
> /usr/local/libexec/postfix/smtpd-policy.pl: No such file or directory

The Linux kernel also displays this error when the *interpreter* (the
thing after #! at the beginning of smtpd-policy.pl, probably
/usr/bin/perl) is not available.

> The smtpd-policy.pl script is on both real and chroot locations:
> /usr/local/libexec/postfix/smtpd-policy.pl
> /var/spool/postfix/usr/local/libexec/postfix/smtpd-policy.pl
>
> Both files are readable and executable by all. What am I missing?

There is probably no Perl in the chroot.

Re: Re: SPF and Postfix2
> There is probably no Perl in the chroot.

DOH! There certainly isn't. I did some Googling about this, but can't
really find a definite solution. Do I need to install a second instance of
Perl in the chroot??? Has anyone else come across this?

Doug

Re: Re: SPF and Postfix2
Wouldn't a symlink with appropriately limited permissions serve, rather
than installing a second instance?

Assuming you aren't spanning NFS volumes of course. :)

Patric



Date sent: Wed, 15 Sep 2004 19:09:18 -0400 (EDT)
Subject: Re: [spf-help] Re: SPF and Postfix2
From: "Doug Koobs" <dkoobs@dkoobs.com>
To: spf-help@v2.listbox.com
Send reply to: spf-help@v2.listbox.com
Date forwarded: Wed, 15 Sep 2004 16:58:32 -0500

> > There is probably no Perl in the chroot.
>
> DOH! There certainly isn't. I did some Googling about this, but can't
> really find a definite solution. Do I need to install a second
> instance of Perl in the chroot??? Has anyone else come across this?
>
> Doug


Re: Re: SPF and Postfix2
On Wed, Sep 15, 2004 at 05:40:17PM -0700,
Patric Michael <patric@usa.net> wrote
a message of 38 lines which said:

> Wouldn't a symlink with appropriately limited permissions serve,

Of course not, if it is a real chroot. (Or if you put the real Perl in
the chroot, with the symlink starting from the outside.)


Re: Re: SPF and Postfix2
Patric Michael said:
> Wouldn't a symlink with appropriately limited permissions serve, rather
> than installing a second instance?
>
> Assuming you aren't spanning NFS volumes of course. :)
>
> Patric

No NFS volumes here. I've tried symbolic links, hard links, and even
copied /usr/bin/perl* to the chroot'd /var/spool/postfix/usr/bin/
It still gives the error:

fatal: spawn_comand: execvp /usr/bin/perl: No such file or directory

The only thing I can think of is to install another instance of perl in
the chroot. Is anyone else running Postfix chroot'd and having problems?

Doug

>
>> > There is probably no Perl in the chroot.
>>
>> DOH! There certainly isn't. I did some Googling about this, but can't
>> really find a definite solution. Do I need to install a second
>> instance of Perl in the chroot??? Has anyone else come across this?
>>
>> Doug
>>
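
A check for the failure discussed in this thread, added here as an example and not part of any poster's message: it follows the script's `#!` line, symlinks and shared-library dependencies as they would resolve inside the chroot and reports what is absent. The function name `check_chroot_exec` is hypothetical, and running `ldd` from the host is an approximation of what the jailed loader would look for.

```shell
#!/bin/sh
# Added example, not from the thread. Explains an ENOENT from exec in a chroot.
# Usage: check_chroot_exec CHROOT_DIR PATH_AS_SEEN_INSIDE_THE_CHROOT
check_chroot_exec() {
    root=${1%/}; path=$2
    # A symlink is resolved inside the jail: an absolute target is looked up
    # under the chroot directory, not under the host's /.
    if [ -L "$root$path" ]; then
        target=$(readlink "$root$path")
        case $target in
            /*) ;;
            *)  target=$(dirname "$path")/$target ;;
        esac
        echo "symlink: $path -> $target"
        check_chroot_exec "$root" "$target"
        return $?
    fi
    if [ ! -e "$root$path" ]; then
        echo "missing: $path"
        return 1
    fi
    # Script: the kernel execs the interpreter named after "#!", also inside
    # the jail; if it is absent, exec of the script itself fails with ENOENT.
    if [ "$(head -c 2 "$root$path" 2>/dev/null)" = '#!' ]; then
        interp=$(head -n 1 "$root$path" |
                 sed 's/^#![[:space:]]*//; s/[[:space:]].*$//')
        check_chroot_exec "$root" "$interp"
        return $?
    fi
    # Dynamically linked binary: the loader and the shared libraries must be
    # in the jail too. ldd runs on the host here, so its paths approximate
    # what the jailed loader would look for (assumption of this example).
    rc=0
    for lib in $(ldd "$root$path" 2>/dev/null | grep -o '/[^ ]*'); do
        [ -e "$root$lib" ] || { echo "missing: $lib (needed by $path)"; rc=1; }
    done
    return $rc
}

# Run against a real jail when called with two arguments.
if [ $# -eq 2 ]; then
    check_chroot_exec "$1" "$2"
fi
```

A clean result for the interpreter binary does not cover the Perl modules the script loads, which would have to be present in the jail as well.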

Re: SPF and Postfix2
On Thu, Sep 16, 2004 at 08:55:34AM -0400,
Doug Koobs <dkoobs@dkoobs.com> wrote
a message of 34 lines which said:

> The only thing I can think of is to install another instance of perl
> in the chroot. Is anyone else running Postfix chroot'd and having
> problems?

Other solutions:

1) run the SPF policy server as a regular daemon (not spawned by
Postfix), like you typically do with the greylisting policy server.

2) do not use chroot (my case).

Re: Re: SPF and Postfix2
>> The only thing I can think of is to install another instance of perl
>> in the chroot. Is anyone else running Postfix chroot'd and having
>> problems?
>
> Other solutions:
>
> 1) run the SPF policy server as a regular daemon (not spawned by
> Postfix), like you typically do with the greylisting policy server.
>
> 2) do not use chroot (my case).

Stephane,

Option one sounds good to me. But I've never set up the greylisting policy
server, so I'm not sure how it interfaces with Postfix. I'll go read up on
greylisting...

Doug

Re: Re: SPF and Postfix2
----- Original Message -----
From: "Doug Koobs" <dkoobs@dkoobs.com>
To: <spf-help@v2.listbox.com>
Sent: Wednesday, September 15, 2004 7:09 PM
Subject: Re: [spf-help] Re: SPF and Postfix2


> > There is probably no Perl in the chroot.
>
> DOH! There certainly isn't. I did some Googling about this, but can't
> really find a definite solution. Do I need to install a second instance of
> Perl in the chroot??? Has anyone else come across this?
>
> Doug

Yup. Anything done inside a chroot cage should probably be rewritten in
something much lighter weight, especially Perl tools. There's just too much
potential security fun and games you can do with such a flexible language at
your disposal.

Re: Re: SPF and Postfix2
----- Original Message -----
From: "Patric Michael" <patric@usa.net>
To: <spf-help@v2.listbox.com>
Sent: Wednesday, September 15, 2004 8:40 PM
Subject: Re: [spf-help] Re: SPF and Postfix2


> Wouldn't a symlink with appropriately limited permissions serve, rather
> than installing a second instance?
>
> Assuming you aren't spanning NFS volumes of course. :)
>
> Patric

Chrooting to an NFS mounted directory? B-r-r-r-r-r-r!

Chroot is usually done to a local disk directory. You *can* make hard-links
to that, as long as it's on the same partition, but that's a bad idea for a
bunch of reasons involving ways to break out of the chroot cage.

Re: SPF and Postfix2
On Thu, Sep 16, 2004 at 09:22:06AM -0400,
Doug Koobs <dkoobs@dkoobs.com> wrote
a message of 25 lines which said:

> Option one sounds good to me. But I've never set up the greylisting
> policy server, so I'm not sure how it interfaces with Postfix.

1) You put nothing in master.cf

2) You take care of the way it starts and runs (you can use postgrey
as an example, a regular daemon is a bit more work than a "postfix"
daemon).

3) main.cf is typically not modified
