Open antwan opened 8 years ago
See @patrakov's notes here https://github.com/vstakhov/rspamd/issues/295
You could use socat to test connectivity to UNIX sockets.
On Trusty you can set listen address in /etc/rmilter.conf.sysvinit. On Debian 8 rmilter uses systemd socket activation and listening address must be configured in the systemd socket file.
Antwan86, you should know that Postfix's smtpd is chrooted, and the socket it is looking for does not exist in its chroot! You should configure rmilter to listen to a socket inside Postfix's chroot, or let smtpd run unchrooted.
I'm pretty sure that we just need to stop proposing unix sockets and switch to tcp sockets by default. That's how it is done in rpm based builds.
Vsevolod Stakhov, 2015-09-24 05:35-0700:
I'm pretty sure that we just need to stop proposing unix sockets and switch to tcp sockets by default. That's how it is done in rpm based builds.
That would be a pity. Unix sockets are easier to identify (I can easily determine what is /var/run/opendkim/opendkim.sock in my Postfix configuration, but for localhost:4212 I would have to use netstat) and to secure (no access but from localhost, by nature, and using Unix permissions).
Personally, when searching for something to filter my email, I start by only considering milters (and consider non-milters only if there exists no milter that would do the job), and, when I found a milter, if it does not support Unix sockets, search for an alternative that would…
What could be useful however, is to add a warning for Postfix users, perhaps a comment in the configuration for instance, indicating that their smtpd may be chrooted, and that if it is, the socket should be put inside that chroot.
That's not about milter. That's about punny model of libmilter work, when you have absolutely no control of who creates a socket, with what permissions and who is responsible for recycling. That's one of the reasons why I'm going to replace libmilter some day: https://github.com/vstakhov/librmilter
It's working when setting the socket location to /var/spool/postfix/run/rmilter/rmilter.sock.
I'm leaving this issue open because:
postfix user can use it (this is the smtpd user).
Are there any security implications by setting SocketGroup=postfix in rmilter.socket?
I don't think so. It would be still more secure than TCP socket (if you are not using some non-generic security policies).
Update on this:
rmilter socket can be accessed by postfix for incoming emails, as smtpd is chrooted and looks into the right folder, but that's not the case for outgoing emails (smtpd is not chrooted when authenticated via SASL and looks into the real /run/rmilter...)
Any configuration workaround for this? Maybe create a socket in both folders, or link them?
TCP sockets.
It also works when the postfix user is added to the _rmilter group:
adduser postfix _rmilter
In /etc/rmilter.conf.local:
bind_socket = unix:/var/spool/postfix/var/run/rmilter/rmilter.sock;
(don't forget to create that dir and chown it to _rmilter:_rmilter)
Then use in /etc/postfix/main.cf:
smtpd_milters = unix:/var/run/rmilter/rmilter.sock
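An added example (not code from this thread or from the rmilter project): a POSIX shell check that lists every smtpd entry in master.cf with its chroot flag and resolves the host path at which that process will look for a unix: milter socket, since chrooted and unchrooted services resolve the same smtpd_milters value differently. The master.cf sample is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: where does each smtpd service look for the milter socket?

# Constructed sample master.cf: smtp is chrooted, submission is not.
SAMPLE_MASTER_CF='# service type  private unpriv  chroot  wakeup  maxproc command
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup     unix  n       -       y       60      1       pickup'

# list_smtpd_chroot DEFAULT < master.cf
# Prints "service chroot" for every entry whose command is smtpd.
# DEFAULT replaces "-" (master(5): y before Postfix 3.0, n from 3.0 on).
list_smtpd_chroot() {
    awk -v def="$1" '
        /^[ \t]*#/ || /^[ \t]/ || NF < 8 { next }   # comments, continuation lines
        $8 == "smtpd" { c = ($5 == "-") ? def : $5; print $1, c }'
}

# effective_socket QUEUE_DIR CHROOT MILTER_SPEC
# Prints the host path the smtpd process will actually connect to.
effective_socket() {
    queue_dir=$1 chroot=$2 spec=$3
    case $spec in
        unix:*) path=${spec#unix:} ;;
        *) echo "not a unix: milter: $spec" >&2; return 1 ;;
    esac
    case $path in
        /*) if [ "$chroot" = y ]; then path=$queue_dir$path; fi ;;  # chroot prefixes it
        *)  path=$queue_dir/$path ;;   # relative: daemons run with cwd = queue dir
    esac
    printf '%s\n' "$path"
}

# report QUEUE_DIR MILTER_SPEC DEFAULT < master.cf
# One line per smtpd service, flagging sockets that do not exist on the host.
report() {
    list_smtpd_chroot "$3" | while read -r svc chroot; do
        sock=$(effective_socket "$1" "$chroot" "$2") || continue
        if [ -S "$sock" ]; then state=present; else state=MISSING; fi
        printf '%-12s chroot=%s -> %s [%s]\n' "$svc" "$chroot" "$sock" "$state"
    done
}

# Values from the thread: queue dir /var/spool/postfix, smtpd_milters as posted.
printf '%s\n' "$SAMPLE_MASTER_CF" |
    report /var/spool/postfix unix:/var/run/rmilter/rmilter.sock n
```

On a live host, feed it the real file instead of the sample: `report "$(postconf -h queue_directory)" "$(postconf -h smtpd_milters)" n < /etc/postfix/master.cf`.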
Hey,
I installed rmilter to use it with postfix + rspamd. I never managed to make it work, the socket created cannot be listened/written by postfix, or any other program.
Postfix mail.log
Sep 23 17:29:15 new postfix/smtpd[6361]: warning: connect to Milter service unix:/run/rmilter/rmilter.sock: No such file or directory
Direct IO with shell
I tried with the latest rmilter version from this morning (1.6.5) as well as the previous one. Environment: Ubuntu trusty x64 with very latest updates.
Can you provide notes/fix/documentation on how to proceed? Thanks for your awesome job!
Side notes:
inet:port:ip).
_rmilter (but ATM even with root it doesn't work anyway).