rmilter socket cannot be used on Ubuntu/Debian

Open antwan opened this issue 8 years ago • 11 comments

Hey,

I installed rmilter to use it with postfix + rspamd. I never managed to make it work, the socket created cannot be listened/written by postfix, or any other program.

$ ls -la /var/run/rmilter/rmilter.sock
srwxrwx--- 1 _rmilter adm 0 Sep 23 17:42 /var/run/rmilter/rmilter.sock

Postfix mail.log:

Sep 23 17:29:15 new postfix/smtpd[6361]: warning: connect to Milter service unix:/run/rmilter/rmilter.sock: No such file or directory

Direct IO with shell

$ cat /var/run/rmilter/rmilter.sock
cat: /var/run/rmilter/rmilter.sock: No such device or address

$ echo "test" > /var/run/rmilter/rmilter.sock
bash: /var/run/rmilter/rmilter.sock: No such device or address

I tried with the latest rmilter version from this morning (1.6.5) as well as the previous one. Environment: Ubuntu trusty x64 with very latest updates.

Can you provide notes/fix/documentation on how to proceed? Thanks for your awesome job!

Side notes:

  1. The configuration does not have any impact on the socket file name, and it is not possible to bind on a port instead (inet:port:ip).
  2. The socket permissions as they are currently set seem to be incompatible with users other than _rmilter (but ATM even with root it doesn't work anyway).

antwan avatar Sep 23 '15 16:09 antwan

See @patrakov's notes here https://github.com/vstakhov/rspamd/issues/295

You could use socat to test connectivity to UNIX sockets.

On Trusty you can set listen address in /etc/rmilter.conf.sysvinit. On Debian 8 rmilter uses systemd socket activation and listening address must be configured in the systemd socket file.

fatalbanana avatar Sep 23 '15 18:09 fatalbanana

Antwan86, you should know that Postfix's smtpd is chrooted, and the socket it is looking for does not exist in its chroot! You should configure rmilter to listen to a socket inside Postfix's chroot, or let smtpd run unchrooted.

ortolot avatar Sep 24 '15 12:09 ortolot

I'm pretty sure that we just need to stop proposing unix sockets and switch to tcp sockets by default. That's how it is done in rpm based builds.

vstakhov avatar Sep 24 '15 12:09 vstakhov

Vsevolod Stakhov, 2015-09-24 05:35-0700:

I'm pretty sure that we just need to stop proposing unix sockets and switch to tcp sockets by default. That's how it is done in rpm based builds.

That would be a pity. Unix sockets are easier to identify (I can easily determine what is /var/run/opendkim/opendkim.sock in my Postfix configuration, but for localhost:4212 I would have to use netstat) and to secure (no access but from localhost, by nature, and using Unix permissions).

Personally, when searching for something to filter my email, I start by only considering milters (and consider non-milters only if there exists no milter that would do the job), and, when I found a milter, if it does not support Unix sockets, search for an alternative that would…

What could be useful however, is to add a warning for Postfix users, perhaps a comment in the configuration for instance, indicating that their smtpd may be chrooted, and that if it is, the socket should be put inside that chroot.

ortolot avatar Sep 24 '15 12:09 ortolot

That's not about milter. That's about puny model of libmilter work, when you have absolutely no control of who creates a socket, with what permissions and who is responsible for recycling. That's one of the reasons why I'm going to replace libmilter some day: https://github.com/vstakhov/librmilter

vstakhov avatar Sep 25 '15 11:09 vstakhov

It's working when setting the socket location to /var/spool/postfix/run/rmilter/rmilter.sock. I'm leaving this issue open because:

  1. The file needs to be chmod'ed go+rw so postfix user can use it (this is the smtpd user).
  2. Maybe the project needs some documentation, ubuntu trusty is far from being an anecdotical audience, and it's quite impossible to use rspamd/rmilter on this OS without looking into issues/code for now... :/

antwan avatar Oct 02 '15 08:10 antwan

Are there any security implications by setting SocketGroup=postfix in rmilter.socket?

skibbipl avatar Oct 07 '15 09:10 skibbipl

I don't think so. It would be still more secure than TCP socket (if you are not using some non-generic security policies).

vstakhov avatar Oct 07 '15 12:10 vstakhov

Update on this: rmilter socket can be accessed by postfix for incoming emails, as smtpd is chrooted and looks into the right folder, but that's not the case for outgoing emails (smtpd is not chrooted when authenticated via SASL and looks into the real /run/rmilter...)

Any configuration workaround for this? Maybe create a socket in both folders, or link them?

antwan avatar Mar 07 '16 18:03 antwan

TCP sockets.

vstakhov avatar Mar 07 '16 20:03 vstakhov

It also works when the postfix user is added to the _rmilter group:

adduser postfix _rmilter

In /etc/rmilter.conf.local:

bind_socket = unix:/var/spool/postfix/var/run/rmilter/rmilter.sock;

(don't forget to create that dir and chown it to _rmilter:_rmilter)

Then use in /etc/postfix/main.cf:

smtpd_milters = unix:/var/run/rmilter/rmilter.sock

julienschmidt avatar May 25 '17 16:05 julienschmidt
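
Added example, not part of the thread and not rmilter or Postfix code: the comments above describe a chrooted smtpd resolving a unix: milter path inside the Postfix queue directory while an unchrooted smtpd opens the real path. This sketch prints the path each smtpd service in master.cf would open for one smtpd_milters value; the sample master.cf, the function names and the caller-supplied default for a "-" chroot flag are assumptions.

```sh
#!/bin/sh
# Constructed sample master.cf (not from the thread); column 5 is the chroot flag.
sample_master_cf() {
cat <<'EOF'
# service  type  private unpriv chroot wakeup maxproc command
smtp       inet  n       -      y      -      -       smtpd
submission inet  n       -      n      -      -       smtpd
pickup     unix  n       -      y      60     1       pickup
EOF
}

# effective_socket_path FLAG QUEUE_DIR MILTER_SPEC [DEFAULT_FLAG]
# Prints the path on the real filesystem that the smtpd process will open.
# "-" in master.cf means "built-in default", which the caller supplies (assumption: n).
effective_socket_path() {
    flag=$1; queue_dir=${2%/}; spec=$3; default=${4:-n}
    case $spec in
        unix:/*) path=${spec#unix:} ;;
        *) echo "unsupported: $spec" >&2; return 1 ;;   # inet: or relative path
    esac
    [ "$flag" = "-" ] && flag=$default
    if [ "$flag" = "y" ]; then
        printf '%s\n' "$queue_dir$path"   # chrooted: path lives under the queue directory
    else
        printf '%s\n' "$path"             # unchrooted: path is used as written
    fi
}

# Reads master.cf on stdin; prints "service path" for every service running smtpd.
milter_paths_by_service() {
    qdir=$1; mspec=$2; dflt=${3:-n}
    # Drop comments, continuation lines (leading whitespace) and blank lines.
    grep -v -e '^#' -e '^[[:space:]]' -e '^$' |
    while read -r service type private unpriv chroot wakeup maxproc command rest; do
        [ "$command" = "smtpd" ] || continue
        printf '%s %s\n' "$service" \
            "$(effective_socket_path "$chroot" "$qdir" "$mspec" "$dflt")"
    done
}

# Stand-alone run over the constructed sample.
sample_master_cf | milter_paths_by_service /var/spool/postfix \
    unix:/var/run/rmilter/rmilter.sock
```

If the services print different paths, the socket exists for only one of them; each printed path can then be checked with `ls -la` for its owner, group and mode.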