EXIM configuration - setup permissions problem

Hi,

We've just set up a Linux box (Slackware 10.0).

We have lots of domains, some delivered by SMTP, some by POP3 which are presently downloaded onto an aging MS SBS 4.5 server with Exchange 5.5.  We don't want to change that just yet because we're moving offices and will be getting new IP addresses and servers.

The Linux box has two NICs, one of which is connected to the LAN, the other to a DSL firewall/router.  We're already using it as a proxy server.

What I'd like to also do is to configure fetchmail and Exim on the box to relay the POP3 accounts to our existing Exchange 5.5 server - we have to do this quickly because it uses the MS pop3 connector which will not be available after we retire the small business server 4.5 box.  I'm also very scared of rebooting that machine (from several nasty past experiences), so I don't really want to open it up to put a second LAN card in it.

Here comes the problem:

We've downloaded Exim 4.4 and compiled it up with the following options:

EXIM_USER=exim
EXIM_GROUP is unspecified.

I've created a user called exim.  Exim is just a normal user in the "users" group, because it's the only one on the box apart from me and root.

make install has to be executed as root, so the files in the installation directories all have -rwxr-xr-x root root permissions.

This is probably all down to some stupid permissions problem because I've been working with MS for too long and almost forgotten *nix.

I've read this section on the Exim help, but it doesn't seem to make sense to me - see section 5.2.  http://www.exim.org/exim-html-4.40/doc/html/spec.html

If I chown/chgrp all the files (which surely I have to because I don't want to run as root) to exim/users, su to exim and then ./exim -bd I get the following error (3 times):

"Exim configuration file /usr/exim/configure has the wrong owner group or mode"

Can somebody with a running Exim please let me know how you have set the compile options / user permissions / groups, because this is getting really frustrating.

If I try to run it as root (which I shouldn't) it does get a lot further, but won't relay because of the "never_users" of root - this isn't really the right way to do it so fixing the permissions is really the answer I'm looking for.

Asked by wesbird

1 Solution
owensleftfoot commented:
From section 4.13 of the above doc -

The install script copies files only if they are newer than the files they are going to replace. The Exim binary is required to be owned by root and have the setuid bit set, for normal configurations. Therefore, you must run make install as root so that it can set up the Exim binary in this way. However, in some special situations (for example, if a host is doing no local deliveries) it may be possible to run Exim without making the binary setuid root (see chapter 4.8 for details).

4.8 says

It is not necessary to be root to do any of the other things Exim does, such as receiving messages and delivering them externally over SMTP, and it is obviously more secure if Exim does not run as root except when necessary. For this reason, a user and group for Exim to use must be defined in Local/Makefile.


I guess you need to set an Exim group at compile time or run it setuid root.
wesbird (Author) commented:
Hi,

I tried recompiling it with an "exim" group, and the daemon won't even start as exim or root now. Exim -bP shows the following (if this means anything to anyone?):

no_accept_8bitmime
acl_not_smtp =
acl_smtp_auth =
acl_smtp_connect =
acl_smtp_data =
acl_smtp_etrn =
acl_smtp_expn =
acl_smtp_helo =
acl_smtp_mail =
acl_smtp_mailauth =
acl_smtp_predata =
acl_smtp_quit =
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_vrfy =
admin_groups =
no_allow_domain_literals
no_allow_mx_to_ip
no_allow_utf8_domains
auth_advertise_hosts = *
auto_thaw = 0s
bi_command =
bounce_message_file =
bounce_message_text =
bounce_return_body
bounce_return_message
bounce_return_size_limit = 100K
bounce_sender_authentication =
callout_domain_negative_expire = 3h
callout_domain_positive_expire = 1w
callout_negative_expire = 2h
callout_positive_expire = 1d
callout_random_local_part = $primary_hostname-$tod_epoch-testing
check_log_inodes = 0
check_log_space = 0
check_spool_inodes = 0
check_spool_space = 0
daemon_smtp_ports = smtp
delay_warning = 1d
delay_warning_condition = ${if match{$h_precedence:}{(?i)bulk|list|junk}{no}{yes}}
no_deliver_drop_privilege
deliver_queue_load_max =
delivery_date_remove
dns_again_means_nonexist =
dns_check_names_pattern = (?i)^(?>(?(1)\.|())[^\W_](?>[a-z0-9-]*[^\W_])?)+$
dns_ipv4_lookup =
dns_retrans = 0s
dns_retry = 0
no_drop_cr
envelope_to_remove
errors_copy =
errors_reply_to =
exim_group = exim
exim_path = /usr/exim/bin/exim
exim_user = exim
extra_local_interfaces =
extract_addresses_remove_arguments
finduser_retries = 0
freeze_tell =
gecos_name =
gecos_pattern =
header_line_maxsize = 0
header_maxsize = 1048576
headers_charset = ISO-8859-1
helo_accept_junk_hosts =
helo_allow_chars =
helo_lookup_domains = @ : @[]
helo_try_verify_hosts =
helo_verify_hosts =
hold_domains =
host_lookup =
host_lookup_order = bydns:byaddr
host_reject_connection =
hosts_connection_nolog =
hosts_treat_as_local =
ignore_bounce_errors_after = 2d
ignore_fromline_hosts =
no_ignore_fromline_local
keep_malformed = 4d
local_from_check
local_from_prefix =
local_from_suffix =
local_interfaces = 0.0.0.0
local_scan_timeout = 5m
no_local_sender_retain
localhost_number =
log_file_path =
log_selector =
no_log_timezone
lookup_open_max = 25
max_username_length = 0
message_body_visible = 500
message_id_header_domain =
message_id_header_text =
message_logs
message_size_limit = 50M
no_mua_wrapper
never_users =
percent_hack_domains =
pid_file_path =
pipelining_advertise_hosts = *
no_preserve_message_logs
primary_hostname = xxxx.co.uk
no_print_topbitchars
process_log_path =
prod_requires_admin
qualify_domain = xxxx.co.uk
qualify_recipient = xxxx.co.uk
queue_domains =
queue_list_requires_admin
no_queue_only
queue_only_file =
queue_only_load =
queue_only_override
no_queue_run_in_order
queue_run_max = 5
queue_smtp_domains =
receive_timeout = 0s
received_header_text = Received: ${if def:sender_rcvhost {from $sender_rcvhost\n\t}{${if def:sender_ident {from $sender_ident }}${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if def:received_protocol {with $received_protocol}} (Exim $version_number)\n\tid $message_id${if def:received_for {\n\tfor $received_for}}
received_headers_max = 30
recipient_unqualified_hosts =
recipients_max = 0
no_recipients_max_reject
remote_max_parallel = 2
remote_sort_domains =
retry_data_expire = 1w
retry_interval_max = 1d
return_path_remove
rfc1413_hosts = *
rfc1413_query_timeout = 30s
sender_unqualified_hosts =
smtp_accept_keepalive
smtp_accept_max = 20
smtp_accept_max_nonmail = 10
smtp_accept_max_nonmail_hosts = *
smtp_accept_max_per_connection = 1000
smtp_accept_max_per_host =
smtp_accept_queue = 0
smtp_accept_queue_per_connection = 10
smtp_accept_reserve = 0
smtp_active_hostname =
smtp_banner = $primary_hostname ESMTP Exim $version_number $tod_full
smtp_check_spool_space
smtp_connect_backlog = 20
smtp_enforce_sync
smtp_etrn_command =
smtp_etrn_serialize
smtp_load_reserve =
smtp_max_synprot_errors = 3
smtp_max_unknown_commands = 3
smtp_ratelimit_hosts =
smtp_ratelimit_mail =
smtp_ratelimit_rcpt =
smtp_receive_timeout = 5m
smtp_reserve_hosts =
no_smtp_return_error_details
no_split_spool_directory
spool_directory = /var/spool/exim
no_strip_excess_angle_brackets
no_strip_trailing_dot
syslog_duplication
syslog_facility =
syslog_processname = exim
syslog_timestamp
system_filter =
system_filter_directory_transport =
system_filter_file_transport =
system_filter_group = exim
system_filter_pipe_transport =
system_filter_reply_transport =
system_filter_user = exim
tcp_nodelay
timeout_frozen_after = 1w
timezone =
trusted_groups =
trusted_users =
unknown_login =
unknown_username =
untrusted_set_sender =
uucp_from_pattern = ^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
uucp_from_sender = $1
warn_message_file =
write_rejectlog

 
owensleftfoot commented:
What error messages do you get?

wesbird (Author) commented:
None I've noticed in the /var/spool/exim... - mainlog logfiles. (Will not be back at site for at least 10hrs - and have firewalled it without a way to tunnel in from home yet! [it's only a 10 minute walk - but not at this time of night]) Do you know the paths to system logfiles I may have to check (Slackware 10)?

wesbird (Author) commented:
(since the recompile that is) - let's freeze this thread until I'm back in the office.

wesbird (Author) commented:
For your information, we did get fetchmail working today - it saved the company. This town got ADSL only three weeks ago [and I'm rushing around all my small clients and this biggest client getting it working for them], and the big client is growing very fast; in the last two weeks they've been getting over 250MB email traffic per day, through a single 64K ISDN channel.  

It would have been ISDN meltdown - if the MS SBS 4.5 POP3 connector goes, it's 6 or 7 hours to catch up with the mail (they handle shedloads of digital photographs).  1MB/s link with fetchmail saved the day, but fetchmail bombs out if the SMTP receiver is not available (I tested this today) which is why I need Exim as a fallback.  I know this is small for what Exim can handle, because it's what a lot of ISPs use - but it's our story ;-), and I really need it!!

Wes

owensleftfoot commented:
Stupid question perhaps, but why exim? I would recommend postfix.

wesbird (Author) commented:
Because I don't know anything about postfix!

Besides which, I've got exim working now - another recompile, and changed

EXIM_GROUP = exim
to # EXIM_GROUP

The problem was in fact that I had not put a '#' in front of it the first time I compiled it (but had just left it as a blank group name), but you were right about the issue being around there so pts for your help will be awarded shortly.

P.S. for anybody else with setup problems, try running

exim -bd -d

which will write all logfile info to the console instead of the logfile.  Very helpful if your logfile permissions are wrong.



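A pre-flight check for the ownership and mode rules behind the "wrong owner group or mode" error in this thread, added here as an example; it is not from the thread or from Exim itself. It assumes GNU coreutils `stat -c` and encodes the rules as the current Exim 4 specification states them (configuration file owned by root or the compile-time CONFIGURE_OWNER, never world-writable, group-writable only when its group is root or the Exim group; binary root-owned and setuid for a normal build), noting that the 4.40 release discussed above also accepted the Exim user as the configuration file's owner.

```shell
#!/bin/sh
# Added example, not from the thread or from Exim. Checks the rules behind
# "Exim configuration file ... has the wrong owner group or mode" as the Exim 4
# specification states them (assumption: current wording; 4.40 also accepted the
# Exim user as owner). Requires GNU coreutils `stat -c`.

# check_exim_config_perms FILE EXIM_GROUP [CONFIGURE_OWNER]
# Returns 0 when FILE satisfies every rule, 1 otherwise (each violation is printed).
check_exim_config_perms() {
  file=$1 exim_group=$2 cfg_owner=${3:-root}
  [ -f "$file" ] || { echo "$file: not found"; return 1; }
  owner=$(stat -c '%U' "$file")
  group=$(stat -c '%G' "$file")
  mode=$(stat -c '%a' "$file")   # octal digits, e.g. 640 or 4755
  perm=$((0$mode))               # leading 0 makes the shell parse it as octal
  rc=0
  case "$owner" in
    root|"$cfg_owner") ;;
    *) echo "$file: owner $owner (expected root or $cfg_owner)"; rc=1 ;;
  esac
  # "other" write bit is never acceptable
  if [ $((perm & 02)) -ne 0 ]; then
    echo "$file: world-writable (mode $mode)"; rc=1
  fi
  # group write bit is acceptable only for the root group or the Exim group
  if [ $((perm & 020)) -ne 0 ]; then
    case "$group" in
      root|"$exim_group") ;;
      *) echo "$file: group-writable by $group (allowed only for root or $exim_group)"; rc=1 ;;
    esac
  fi
  return $rc
}

# check_exim_binary BINARY
# Returns 0 when BINARY is root-owned and setuid, the normal build. A build that does
# no local deliveries may legitimately run without setuid (section 4.8 quoted above).
check_exim_binary() {
  bin=$1
  [ -f "$bin" ] || { echo "$bin: not found"; return 1; }
  if [ "$(stat -c '%U' "$bin")" != root ] || [ ! -u "$bin" ]; then
    echo "$bin: expected owner root with the setuid bit set"; return 1
  fi
  return 0
}

# Usage with the paths from the thread (exim_group = exim as in the -bP output):
#   check_exim_config_perms /usr/exim/configure exim && check_exim_binary /usr/exim/bin/exim
```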
