On 14/12/16 10:44, Robert Sharp wrote:

> On 12/12/16 20:03, Sven Vermeulen wrote:
>> It's been a while since I did some Postfix work, which might be necessary to
>> debug this properly. The socket is owned by ddclient, is it possible that
>> "postdrop -r" input and/or output is redirected to a ddclient socket? From a
>> quick Google ddclient is shown as a Perl client, so some code scanning might
>> help to find out what the socket is about.
>
> Yes, ddclient is one long Perl script. I am not a Perl diver myself
> but it is not difficult to track down the code. The "sub" routine
> "sendmail" uses the subroutine "pipecmd" to run /usr/bin/sendmail with
> command line parameters and a few lines of input. Pipecmd uses the
> open function, prefixing the command ("sendmail" in this case) with a
> pipe: open(*FD, "| sendmail"). Ddclient doesn't attempt to read stdout
> from the sendmail/postdrop call, so presumably this is postdrop trying
> to read the pipe passed to it by sendmail?
>
> Clearly sendmail is running in the ddclient domain (mta_sendmail_exec
> for some curious reason and not the sendmail interface) and presumably
> postdrop transitions to its own domain. This is where I think the
> problem lies and I am hoping it was my fault. At some point in trying
> to get sendmail to work I added
> "postfix_domtrans_user_mail_handler(ddclient_t)" but then found the
> answer was hiding in mta.if. This domtrans interface adds ddclient_t
> to the postfix_user_domtrans type attribute, which sesearch reveals to
> be one of the few ways of transitioning to the postfix_postdrop_t
> domain. That explains why postdrop has transitioned from sendmail
> (ddclient_t) and why it cannot access sendmail's pipe?
>
> I am testing the policy without the domtrans call and with my fingers
> crossed.
>
> Robert
>

Okay - just to apologise for rushing off down a complete rabbit hole. I
ended up having to grant ddclient not much less than the postfix admin
rights, which rang a large alarm bell and caused me to reconsider the
whole thing. I had started out trying to get sendmail into its own
domain but failed. Looking harder at the various interfaces (there are
3: postfix, sendmail and mta) I realised the answer was staring straight
at me: "mta_send_mail". Seems to be working without any AVCs now. I will
file a bug to request this simple addition.

Robert
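As an added example (not from the thread, nor from ddclient or refpolicy itself), a minimal local refpolicy module that puts the two approaches Robert describes side by side: the postfix_domtrans_user_mail_handler() call that sends ddclient_t straight into postfix_postdrop_t, left commented out, and the mta_send_mail() call that worked. The module name ddclient_local is an assumption; ddclient_t and the interface names are the ones named in the thread.

```selinux
# Added example for the ddclient/postfix case discussed above; the module
# name is an assumption, the types and interfaces are those from the thread.
policy_module(ddclient_local, 1.0.0)

gen_require(`
	type ddclient_t;
')

########################################
#
# What was tried first (kept commented out as a record of the wrong turn):
# this interface places ddclient_t on the postfix_user_domtrans attribute,
# so /usr/bin/sendmail run from ddclient_t transitions directly into
# postfix_postdrop_t. postdrop then runs in a domain with no rules for the
# pipe ddclient created with open(*FD, "| sendmail"), which is the AVC on
# the ddclient-owned fifo, and granting that by hand quickly grows into
# postfix admin-level access.
#
# postfix_domtrans_user_mail_handler(ddclient_t)

########################################
#
# What worked: treat ddclient as an ordinary mail-sending client.
# In refpolicy's mta.if, mta_send_mail() makes the sendmail binary
# (mta_exec_type) transition to the generic system_mail_t domain and lets
# the domains on the mta_user_agent attribute (postdrop's among them) use
# the caller's file descriptors and read/write its fifo, i.e. exactly the
# pipe ddclient hands to sendmail, without any postfix-specific access.
mta_send_mail(ddclient_t)
```

After building and loading the module as a local .pp, `sesearch -T -s ddclient_t` should list a type transition to system_mail_t on the sendmail executable rather than to postfix_postdrop_t, and `ausearch -m avc -c postdrop` should stay empty when ddclient next sends mail.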