| 1 |
On 14/12/16 10:44, Robert Sharp wrote: |
| 2 |
> On 12/12/16 20:03, Sven Vermeulen wrote: |
| 3 |
>> It's been a while that I did some Postfix work, which might be necessary to |
| 4 |
>> debug this properly. The socket is owned by ddclient, is it possible that |
| 5 |
>> "postdrop -r" input and/or output is redirected to a ddclient socket? From a |
| 6 |
>> quick Google ddclient is shown as a Perl client, so some code scanning might |
| 7 |
>> help to find out what the socket is about. |
| 8 |
> |
| 9 |
> Yes, ddclient is one long perl script. I am not a perl diver myself |
| 10 |
> but it is not difficult to track down the code. The "sub" routine |
| 11 |
> "sendmail" uses the subroutine "pipecmd" to run /usr/bin/sendmail with |
| 12 |
> command line parameters and a few lines of input. Pipecmd uses the |
| 13 |
> open function, prefixing the command ("sendmail" in this case) with a |
| 14 |
> pipe: open(*FD, "| sendmail"). Ddclient doesn't attempt to read stdout |
| 15 |
> from the sendmail/postdrop call so presumably this is postdrop trying |
| 16 |
> to read the pipe passed to it by sendmail? |
| 17 |
> |
| 18 |
> Clearly sendmail is running in the ddclient domain (mta_sendmail_exec |
| 19 |
> for some curious reason and not the sendmail interface) and presumably |
| 20 |
> postdrop transitions to its own domain. This is where I think the |
| 21 |
> problem lies and I am hoping it was my fault. At some point in trying |
| 22 |
> to get sendmail to work I added |
| 23 |
> "postfix_domtrans_user_mail_handler(ddclient_t)" but then found the |
| 24 |
> answer was hiding in mta.if. This domtrans interface adds ddclient_t |
| 25 |
> to the postfix_user_domtrans type attribute, which sesearch reveals to |
| 26 |
> be one of the few ways of transitioning to the postfix_postdrop_t |
| 27 |
> domain. That explains why postdrop has transitioned from sendmail |
| 28 |
> (ddclient_t) and why it cannot access sendmail's pipe? |
| 29 |
> |
| 30 |
> I am testing the policy without the domtrans call and with my fingers |
| 31 |
> crossed. |
| 32 |
> |
| 33 |
> Robert |
| 34 |
> |
| 35 |
Okay - just to apologise for rushing off down a complete rabbit hole. I |
| 36 |
ended up having to grant ddclient not much less the postfix admin |
| 37 |
rights, which rang a large alarm bell and caused me to reconsider the |
| 38 |
whole thing. I had started out trying to get sendmail into its own |
| 39 |
domain but failed. Looking harder at the various interfaces (there are |
| 40 |
3: postfix, sendmail and mta) I realised the answer was staring straight |
| 41 |
at me: "mta_send_mail". Seems to be working without any AVCs now. I will |
| 42 |
file a bug to request this simple addition. |
| 43 |
|
| 44 |
Robert |
Archives