d--j / srs-milter

Mail filter handling SRS address rewriting
BSD 2-Clause "Simplified" License

Configuration file issue #7

Open locutius opened 3 weeks ago

locutius commented 3 weeks ago

Thank you for creating this SRS milter. I installed it using the amd64 rpm on Rocky Linux 9.4 with sendmail 8.16 but I have been facing two issues.

The first issue is minor and related to finding the configuration file. I kept getting the error:

Jun 9 10:45:02 server1 srs-milter[1520879]: lvl=crit msg="error reading config file" err="Config File \"srs-milter\" Not Found in \"[/etc/srs-milter /]\"

But the file, provided by the rpm, did exist at /etc/srs-milter/srs-milter.yml

Initially I thought the issue was related to selinux permissions (because there were many selinux messages) so I set selinux to permissive mode and yet the configuration file issue persists.

Permissions were 750 so I decided to try 755 as an experiment. This worked, although I now get the warning:

Jun 9 10:58:51 server1 systemd[1523231]: ConfigurationDirectory 'srs-milter' already exists but the mode is different. (File system: 755 ConfigurationDirectoryMode: 750)

The second issue is more serious and relates to which messages have their return paths rewritten. I am using the default srs-milter.yml file except that I changed logLevel to 4 (srsDomain and srsKeys are the only other options set). Locally delivered e-mails are having their return paths rewritten but forwarded messages are not. Of course, it's the forwarded messages that need to be rewritten. As a result forwarded messages to GMail are still bouncing back.

Please advise. I am happy to perform additional debugging steps with guidance. I would love to get this milter working.

d--j commented 1 week ago

Hello @locutius

first issue:

Sorry I have not tested the RPMs myself. What does systemctl cat srs-milter output?

It might be that your systemd does not handle DynamicUser=true (https://github.com/d--j/srs-milter/blob/52f7d0f5d72d62ab4188cf4b86368b6c3a8a5d8d/packaging/srs-milter.service#L6) or SupplementaryGroups (https://github.com/d--j/srs-milter/blob/52f7d0f5d72d62ab4188cf4b86368b6c3a8a5d8d/packaging/srs-milter.service#L9). They are needed so that srs-milter can read the configuration file (since it can be accessed by the group nogroup/nobody).

The ConfigurationDirectory settings are commented out in the service: https://github.com/d--j/srs-milter/blob/52f7d0f5d72d62ab4188cf4b86368b6c3a8a5d8d/packaging/srs-milter.service#L13-L14

second issue:

Increase the log level to 4 (https://github.com/d--j/srs-milter/blob/52f7d0f5d72d62ab4188cf4b86368b6c3a8a5d8d/packaging/srs-milter.yml#L19-L21) and provide the log output.

locutius commented 1 week ago

Hello @d--j

Thank you very much for the suggestions. While I was waiting for your reply, I made the decision to migrate from sendmail to postfix in order to use the postsrsd package. But, if you feel solving the couple of issues I found would be beneficial to other users of srs-milter, I am happy to keep debugging with you. I provide the details you requested below.

For Issue #1, here are the settings you requested, followed by the configuration file details:

[root@server1 postfix]# systemctl cat srs-milter
# /usr/lib/systemd/system/srs-milter.service
[Unit]
Description=Mail filter handling SRS address rewriting
After=network.target

[Service]
DynamicUser=true
User=srsmilter
Group=srsmilter
SupplementaryGroups=nobody
ExecStart=/usr/bin/srs-milter -systemd
Restart=always
RestartSec=10
ConfigurationDirectory=srs-milter
ConfigurationDirectoryMode=750
#ProtectProc=invisible
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
LockPersonality=true
RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
[root@server1 postfix]# ls -l /etc/srs-milter/srs-milter.yml
-rw-r--r-x. 1 root nobody 1481 Jun 10 11:03 /etc/srs-milter/srs-milter.yml

For Issue #2, I had already set the logLevel to 4. The messages log was quite large so I have provided the last 1000 lines matching "srs-milter" (domains redacted). The result is attached here: zz2.txt

Let me know if this information helps and/or if there is any other information you require. Again, I'm moving to postfix with postsrsd but I'm happy to help if you think it is worthwhile.
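An added example (not part of this thread and not srs-milter's code): a small Python model of the permission check that decides whether the service's dynamic user can open the configuration file, built from the unit file and the ls output above. The directory being owned root:nobody and the supplementary group not being applied are assumptions; the file mode is parsed from the ls line shown above. The three scenarios reproduce the observed behaviour (a 750 directory fails unless the process really carries the nobody group; 755 works regardless).

```python
import stat
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Entry:
    """A constructed file-system entry: path, permission bits, owner and group names."""
    path: str
    mode: int
    owner: str
    group: str


@dataclass(frozen=True)
class Identity:
    """Credentials a service process ends up with: primary user, primary group,
    and the supplementary groups systemd was asked to add."""
    user: str
    group: str
    supplementary: FrozenSet[str] = frozenset()

    def groups(self) -> FrozenSet[str]:
        return frozenset({self.group}) | self.supplementary


def parse_ls_mode(field: str) -> int:
    """Turn an ls -l mode column such as '-rw-r--r-x.' into numeric permission bits (0o645).
    A trailing '.' or '+' (SELinux context / ACL marker) is ignored; s/t fold into x."""
    perms = field[1:10]
    if len(perms) != 9:
        raise ValueError(f"bad mode field: {field!r}")
    bits = 0
    for ch in perms:
        # 'S' / 'T' mean setuid/setgid/sticky set without the execute bit
        bits = (bits << 1) | (1 if ch in "rwxst" else 0)
    return bits


def effective_bits(entry: Entry, who: Identity) -> int:
    """Which rwx triple applies: owner first, then group (primary or supplementary),
    then other. Root is not special-cased; the service does not run as root."""
    if who.user == entry.owner:
        return (entry.mode >> 6) & 7
    if entry.group in who.groups():
        return (entry.mode >> 3) & 7
    return entry.mode & 7


def can_read_config(config_dir: Entry, config_file: Entry, who: Identity) -> bool:
    """Opening the file needs search (x) on the directory and read (r) on the file."""
    return bool(effective_bits(config_dir, who) & stat.S_IXOTH) and \
        bool(effective_bits(config_file, who) & stat.S_IROTH)


# Constructed from the issue: the unit sets SupplementaryGroups=nobody and a 750 config
# directory; the file is root:nobody with mode -rw-r--r-x as in the ls output above.
# Directory ownership root:nobody is an assumption.
CONFIG_DIR_750 = Entry("/etc/srs-milter", 0o750, "root", "nobody")
CONFIG_DIR_755 = Entry("/etc/srs-milter", 0o755, "root", "nobody")
CONFIG_FILE = Entry("/etc/srs-milter/srs-milter.yml",
                    parse_ls_mode("-rw-r--r-x."), "root", "nobody")

AS_INTENDED = Identity("srsmilter", "srsmilter", frozenset({"nobody"}))  # group applied
GROUPS_DROPPED = Identity("srsmilter", "srsmilter")                       # group missing


def scenarios() -> Dict[str, bool]:
    """Readability of the config file under the three situations discussed in the thread."""
    return {
        "750, supplementary group applied": can_read_config(CONFIG_DIR_750, CONFIG_FILE, AS_INTENDED),
        "750, supplementary group missing": can_read_config(CONFIG_DIR_750, CONFIG_FILE, GROUPS_DROPPED),
        "755, supplementary group missing": can_read_config(CONFIG_DIR_755, CONFIG_FILE, GROUPS_DROPPED),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'readable' if ok else 'EACCES'}")
```

The useful check on a real host is the same comparison: look at the credentials the running process actually has (for example the Groups line of /proc/PID/status) rather than at what the unit file asks for, and compare them with the owner, group and mode of the directory and file.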

d--j commented 1 week ago

Here is one Gmail destination mail:

Jun 20 09:01:55 server1 srs-milter[856]: lvl=dbug msg=start sub=milter qid=45KD1tYR1972485 user= ofrom=user@domain1.domain
Jun 20 09:01:55 server1 srs-milter[856]: lvl=dbug msg="to is not one of our SRS addresses" sub=milter qid=45KD1tYR1972485 user= to=user@gmail.com
Jun 20 09:01:55 server1 srs-milter[856]: lvl=dbug msg="to is remote" sub=milter qid=45KD1tYR1972485 user= to=user@gmail.com transport=esmtp
Jun 20 09:01:55 server1 srs-milter[856]: lvl=dbug msg=SRS sub=milter qid=45KD1tYR1972485 user= ofrom=user@domain1.domain from=user@domain1.domain
Jun 20 09:01:55 server1 srs-milter[856]: lvl=dbug msg="did not touch MIME headers because of DKIM" sub=milter qid=45KD1tYR1972485 user=
Jun 20 09:01:55 server1 srs-milter[856]: lvl=info msg=done sub=milter qid=45KD1tYR1972485 user= dur=639.259µs actions=sender:user@domain1.com:user@domain1.com

This mail's return path does not get rewritten because domain1.com is the srsDomain. It is assumed that the srsDomain actually is a local domain that does not need rewriting. Your mail server should accept emails to the srsDomain (otherwise you would not get any bounces).
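To make the rule stated above concrete, here is an added Python illustration of SRS0 forward and reverse rewriting. It is not srs-milter's code: the timestamp alphabet, the 4-character truncated HMAC-SHA1 hash and the 21-day validity window follow the libsrs2 conventions and are assumptions about the format, and the domains, secret and day numbers are constructed. It applies the same decision: an envelope sender in a local domain (which includes the srsDomain) is left untouched, every other sender is rewritten to an SRS0 address at the srsDomain, and a bounce to an SRS0 address is only unwrapped when its hash and timestamp verify.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed configuration for the example: not the issue's real domain or keys.
SRS_DOMAIN = "domain1.example"
SRS_SECRET = b"constructed-example-secret"
LOCAL_DOMAINS = frozenset({SRS_DOMAIN, "domain2.example"})

# libsrs2-style encoding conventions; assumed here, not verified against srs-milter's output.
TS_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"  # 5-bit alphabet for the two timestamp chars
HASH_LEN = 4          # base64 characters of the HMAC kept in the address
MAX_AGE_DAYS = 21     # bounces to SRS0 addresses older than this are refused


def today() -> int:
    """Day number used by the timestamp (days since the Unix epoch)."""
    return int(time.time()) // 86400


def srs_timestamp(day_number: int) -> str:
    """Two-character timestamp: day number mod 1024, 5 bits per character."""
    d = day_number % 1024
    return TS_ALPHABET[d >> 5] + TS_ALPHABET[d & 31]


def decode_timestamp(ts: str) -> int:
    """Inverse of srs_timestamp; case-insensitive because MTAs may fold case."""
    if len(ts) != 2 or any(c.upper() not in TS_ALPHABET for c in ts):
        raise ValueError("malformed SRS timestamp")
    return TS_ALPHABET.index(ts[0].upper()) * 32 + TS_ALPHABET.index(ts[1].upper())


def srs_hash(secret: bytes, ts: str, domain: str, local: str) -> str:
    """Truncated base64(HMAC-SHA1) binding timestamp, original domain and local part."""
    mac = hmac.new(secret, (ts + domain + local).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()[:HASH_LEN]


def split_address(addr: str) -> Tuple[str, str]:
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    return local, domain.lower()


def forward(sender: str, day_number: Optional[int] = None,
            srs_domain: str = SRS_DOMAIN, secret: bytes = SRS_SECRET,
            local_domains=LOCAL_DOMAINS) -> str:
    """Envelope sender for an outbound forward. A null sender (bounce) or a sender in a
    local domain (which includes the srsDomain) is returned unchanged; the rest become SRS0."""
    if sender == "":
        return sender
    local, domain = split_address(sender)
    if domain in local_domains:
        return sender
    ts = srs_timestamp(today() if day_number is None else day_number)
    return f"SRS0={srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{srs_domain}"


def reverse(addr: str, day_number: Optional[int] = None, secret: bytes = SRS_SECRET) -> Optional[str]:
    """Unwrap an SRS0 bounce recipient. None when the address is not SRS0 at all;
    ValueError when it is SRS0-shaped but the HMAC or the timestamp does not verify."""
    local, _ = split_address(addr)
    if not local.upper().startswith("SRS0="):
        return None
    parts = local.split("=", 4)  # maxsplit keeps any '=' inside the original local part
    if len(parts) != 5:
        raise ValueError("malformed SRS0 address")
    _, h, ts, orig_domain, orig_local = parts
    expected = srs_hash(secret, ts, orig_domain, orig_local)
    if not hmac.compare_digest(h.lower().encode(), expected.lower().encode()):
        raise ValueError("SRS hash mismatch (forged or foreign bounce)")
    age = ((today() if day_number is None else day_number) - decode_timestamp(ts)) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{orig_domain}"


def classify_bounce(addr: str, day_number: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """What the receiving MTA should do with a message addressed to the srsDomain."""
    try:
        original = reverse(addr, day_number)
    except ValueError as exc:
        return ("reject", str(exc))
    return ("deliver", original) if original else ("not-srs", None)


if __name__ == "__main__":
    fwd = forward("noreply@github.com", day_number=19_900)
    print(forward("user@domain1.example", day_number=19_900))  # unchanged: local domain
    print(fwd)                                                 # SRS0=...=github.com=noreply@domain1.example
    print(classify_bounce(fwd, day_number=19_903))
```

The hash is what makes the srsDomain safe to use as a bounce sink: only bounces whose SRS0 address was minted with the local secret, and recently, are turned back into the original sender; anything else addressed in that shape is rejected rather than relayed.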

locutius commented 1 week ago

Thank you for your reply. Unfortunately, I am having difficulty following your reasoning because it doesn't seem to match our setup. Perhaps it will help if I provide some more details ...

You are correct that domain1.domain is the srsDomain and that it doesn't need rewriting. Our setup is as follows. domain1.domain receives e-mails that are both delivered to the domain1.domain mailbox AND forwarded to user@gmail.com. The return paths for the domain1.domain e-mails are being rewritten by srs-milter but the ones forwarded to gmail.com are not. This seems backwards to me.

I have a perfect example to share because I received your last comment as an e-mail from GitHub. I received the e-mail both at domain1.domain AND at gmail.com. Here are the two return paths in the headers I received:

On domain1.domain I received:

Return-Path: <SRS0=Bz0j=NW=github.com=noreply@domain1.domain>

On gmail.com I received:

Return-Path: <user@domain1.domain>

Although Gmail accepts the forwarded e-mails from github, e-mails from other domains (which presumably have more stringent requirements) are rejected by Gmail. My hope is that SRS will solve this problem.

I really do appreciate your efforts on this but, if at any point, you think it's too much work let me know. If I'm the only one to have brought this to your attention, perhaps it's not an issue for the majority of your users. Still, if you want to solve this mystery, I'm happy to work through it.