Milter-greylist

Hi,

I would like to use milter-greylist as an extension of sendmail. My  
distro is RHEL7. I have used EPEL-repo to install the milter-greylist  
package.
My problem is that the dumpfile option in the configuration file does  
not work. I mean nothing has been dumped until now.

You can find the related row  below in the conf file.
dumpfile "/var/lib/milter-greylist/db/greylist.db" 600

Designated file exists and its permission is as shown. Also grmilter  
user can read and write this file.
[root@localhost ~]# ll /var/lib/milter-greylist/db/greylist.db
-rw------- 1 grmilter grmilter 0 Tem 25 17:07  
/var/lib/milter-greylist/db/greylist.db

By the way I am using milter-greylist as a ratelimiter. What should I  
check else?

Thanks.

Can

Il giorno lun, 25/07/2016 alle 17.23 +0300, Can Şirin
sirincan@....tr [milter-greylist] ha scritto:
>   
> Hi,
> 
> I would like to use milter-greylist as an extension of sendmail. My 
> distro is RHEL7. I have used EPEL-repo to install the milter-greylist 
> package.
> My problem is that the dumpfile option in the configuration file does 
> not work. I mean nothing has been dumped until now.
> 

Same problem here, using v4.4.3. I've workaround the issue setting
"dumpfreq 0".

Few days ago I've upgraded to 4.6.1 but I haven't tested if anything
changed.

Cheers

/Leo

You may have to check your audit file (SELinux)

# put SELinux into permissive mode
$ setenforce permissive
# create custom policy (view result)
$ grep greylist /var/log/audit/audit.log | audit2allow -m milter-greylist_additions

If you something shows up in the result file, you’ll need to apply it

# create custom policy and implement (note this creates a .pp and .te file)
grep greylist /var/log/audit/audit.log | audit2allow -M milter-greylist_additions
cat milter-greylist_additions.te
semodule -i milter-greylist_additions.pp

Bill

> On Jul 25, 2016, at 8:36 AM, Leonardo Arena rnalrd@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
> 
> Il giorno lun, 25/07/2016 alle 17.23 +0300, Can Şirin
> sirincan@itu.edu.tr [milter-greylist] ha scritto:
>> 
>> Hi,
>> 
>> I would like to use milter-greylist as an extension of sendmail. My 
>> distro is RHEL7. I have used EPEL-repo to install the milter-greylist 
>> package.
>> My problem is that the dumpfile option in the configuration file does 
>> not work. I mean nothing has been dumped until now.
>> 
> 
> Same problem here, using v4.4.3. I've workaround the issue setting
> "dumpfreq 0".
> 
> Few days ago I've upgraded to 4.6.1 but I haven't tested if anything
> changed.
> 
> Cheers
> 
> /Leo
>

Mauricio Teixeira mauricio.teixeira@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> It's possible that the database API is trying to create a temporary file on
> that directory, and the permissions are blocking it.

Indeed it does. dump.c says;

        /*
         * Dump the database in a temporary file and
         * then replace the old one by the new one.
         * On decent systems, rename(2) garantees that
         * even if the machine crashes, we will not
         * loose both files.
         */
        mkparentdir(conf.c_dumpfile, 0755);
        snprintf(newdumpfile, MAXPATHLEN,
            "%s-XXXXXXXX", conf.c_dumpfile);

        if ((dumpfd = mkstemp(newdumpfile)) == -1) {
                mg_log(LOG_ERR, "mkstemp(\"%s\") failed: %s",
                    newdumpfile, strerror(errno));
                close(dumpfd);
                unlink(newdumpfile);            /* clean up ... */
                exit(EX_OSERR);
        }



-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Thanks for your replies. But the directory has the proper permissions  
for grmilter user to write the temporary dump file.
On the other hand, in my greylist.conf, dumpfreq option has already  
been set to 0. But still dump file is empty.

The version that I try to use is : milter-greylist-4.5.16-3.el7.x86_64
It has been installed from the epel repo.
I am very sure that the problem is not related with the permissions.  
It could be probably a compilation problem, bug or missing  
configuration.

This is my conf file:
##############################################################
socket "/run/milter-greylist/milter-greylist.sock"
dumpfile "/var/lib/milter-greylist/db/greylist.db" 640
geoipdb "/usr/share/GeoIP/GeoIP.dat"
dumpfreq 0
user "grmilter"
quiet
list "my network" addr { 127.0.0.1/8 }
ratelimit "high_limit" rcpt 6 / 1h key "%M{auth_authen}"
sm_macro "user1_macro" "{auth_authen}" "user1"
racl blacklist \
  sm_macro "user1_macro" \
  ratelimit "high_limit" \
  msg "You are in the exception list but limit exceeded."
ratelimit "standart_limit" rcpt 2 / 1h key "%M{auth_authen}"
sm_macro "null" "{auth_authen}" unset
racl blacklist \
  not sm_macro "null" \
  not sm_macro "user1_macro" \
  ratelimit "standart_limit" msg "Ratelimit exceeded."
list "server_ip" addr { \
  160.75.150.0/25 \
  160.75.170.0/24 \
}
ratelimit "server_limit" rcpt 5 / 1h key "%i %M{auth_authen}"
racl blacklist \
  sm_macro "null" \
  list "server_ip" \
  ratelimit "server_limit" \
  msg "Ratelimit for internal servers exceeded."
racl continue from /.*/ addheader "X-Greylist: inspected by %V for  
IP:'%i' DOMAIN:'%d' HELO:'%h' FROM:'%f' RCPT:'%r'"
racl whitelist list "my network"
racl whitelist default
noauth
timeout 6h
##############################################################

Is there anyone else issuing the same problem?

Thank
Can

Quoting "manu@... [milter-greylist]" <milter-greylist@yahoogroups.com>:

> Mauricio Teixeira mauricio.teixeira@... [milter-greylist]
> <milter-greylist@yahoogroups.com> wrote:
>
>> It's possible that the database API is trying to create a temporary file on
>> that directory, and the permissions are blocking it.
>
> Indeed it does. dump.c says;
>
>         /*
>          * Dump the database in a temporary file and
>          * then replace the old one by the new one.
>          * On decent systems, rename(2) garantees that
>          * even if the machine crashes, we will not
>          * loose both files.
>          */
>         mkparentdir(conf.c_dumpfile, 0755);
>         snprintf(newdumpfile, MAXPATHLEN,
>             "%s-XXXXXXXX", conf.c_dumpfile);
>
>         if ((dumpfd = mkstemp(newdumpfile)) == -1) {
>                 mg_log(LOG_ERR, "mkstemp(\"%s\") failed: %s",
>                     newdumpfile, strerror(errno));
>                 close(dumpfd);
>                 unlink(newdumpfile);            /* clean up ... */
>                 exit(EX_OSERR);
>         }
>
>
>
> --
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...

On Tue, Jul 26, 2016 at 11:15:57AM +0300, Can ??irin sirincan@... [milter-greylist] wrote:
> Thanks for your replies. But the directory has the proper permissions  
> for grmilter user to write the temporary dump file.
> On the other hand, in my greylist.conf, dumpfreq option has already  
> been set to 0. But still dump file is empty.
[..]

In such cases I tend to go "low-level" where I eventually using "strace
-fp PID" on the running process (redirect stdout/stderr to a file, do
not leave it on the terminal).
This provides more insight to things happen. My last suprise was an
ativated Linux security extension (SE-Linux) which prevented a slightly
reconfigured daemon from accessing a directory not known to SE-Linux.
SE-Linux still allows a program to check if it is allowed to access a
filesystem object (access() systemcall) but on the actual operation the
access has been denied.

Just one thought ... not necessarilly connected to to the stated problem.

Regards,

Johann

Thanks again. I have already tried to set the dumpfreq option 1 or  
other value. But the problem still goes on.

Also I have compiled the latest version and used the new binary.  
Nothing changed.

Thanks for your replies again. I am no going further to solve the  
problem because of consuming too much time. If anyone solves please  
keep us up to date.

Bye

Can

Quoting "Mauricio Teixeira mauricio.teixeira@...  
[milter-greylist]" <milter-greylist@yahoogroups.com>:

> Use dumpfreq 1. Zero is too little, and most likely will cause file
> creation clashes.
>
> On Tue, Jul 26, 2016 at 5:15 AM, Can \u015eirin sirincan@...
> [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
>
>>
>>
>> Thanks for your replies. But the directory has the proper permissions
>> for grmilter user to write the temporary dump file.
>> On the other hand, in my greylist.conf, dumpfreq option has already
>> been set to 0. But still dump file is empty.
>>
>> The version that I try to use is : milter-greylist-4.5.16-3.el7.x86_64
>> It has been installed from the epel repo.
>> I am very sure that the problem is not related with the permissions.
>> It could be probably a compilation problem, bug or missing
>> configuration.
>>
>> This is my conf file:
>> ##############################################################
>> socket "/run/milter-greylist/milter-greylist.sock"
>> dumpfile "/var/lib/milter-greylist/db/greylist.db" 640
>> geoipdb "/usr/share/GeoIP/GeoIP.dat"
>> dumpfreq 0
>> user "grmilter"
>> quiet
>> list "my network" addr { 127.0.0.1/8 }
>> ratelimit "high_limit" rcpt 6 / 1h key "%M{auth_authen}"
>> sm_macro "user1_macro" "{auth_authen}" "user1"
>> racl blacklist \
>> sm_macro "user1_macro" \
>> ratelimit "high_limit" \
>> msg "You are in the exception list but limit exceeded."
>> ratelimit "standart_limit" rcpt 2 / 1h key "%M{auth_authen}"
>> sm_macro "null" "{auth_authen}" unset
>> racl blacklist \
>> not sm_macro "null" \
>> not sm_macro "user1_macro" \
>> ratelimit "standart_limit" msg "Ratelimit exceeded."
>> list "server_ip" addr { \
>> 160.75.150.0/25 \
>> 160.75.170.0/24 \
>> }
>> ratelimit "server_limit" rcpt 5 / 1h key "%i %M{auth_authen}"
>> racl blacklist \
>> sm_macro "null" \
>> list "server_ip" \
>> ratelimit "server_limit" \
>> msg "Ratelimit for internal servers exceeded."
>> racl continue from /.*/ addheader "X-Greylist: inspected by %V for
>> IP:'%i' DOMAIN:'%d' HELO:'%h' FROM:'%f' RCPT:'%r'"
>> racl whitelist list "my network"
>> racl whitelist default
>> noauth
>> timeout 6h
>> ##############################################################
>>
>> Is there anyone else issuing the same problem?
>>
>> Thank
>> Can
>>
>> Quoting "manu@... [milter-greylist]" <
>> milter-greylist@yahoogroups.com>:
>>
>> > Mauricio Teixeira mauricio.teixeira@... [milter-greylist]
>> > <milter-greylist@yahoogroups.com> wrote:
>> >
>> >> It's possible that the database API is trying to create a temporary
>> file on
>> >> that directory, and the permissions are blocking it.
>> >
>> > Indeed it does. dump.c says;
>> >
>> > /*
>> > * Dump the database in a temporary file and
>> > * then replace the old one by the new one.
>> > * On decent systems, rename(2) garantees that
>> > * even if the machine crashes, we will not
>> > * loose both files.
>> > */
>> > mkparentdir(conf.c_dumpfile, 0755);
>> > snprintf(newdumpfile, MAXPATHLEN,
>> > "%s-XXXXXXXX", conf.c_dumpfile);
>> >
>> > if ((dumpfd = mkstemp(newdumpfile)) == -1) {
>> > mg_log(LOG_ERR, "mkstemp(\"%s\") failed: %s",
>> > newdumpfile, strerror(errno));
>> > close(dumpfd);
>> > unlink(newdumpfile); /* clean up ... */
>> > exit(EX_OSERR);
>> > }
>> >
>> >
>> >
>> > --
>> > Emmanuel Dreyfus
>> > http://hcpnet.free.fr/pubz
>> > manu@...
>>
>>
>>
>
>
>
> --
> Mauricio Teixeira
> Sao Paulo/SP/BR
> http://mteixeira.wordpress.com
> mauricio.teixeira{at}gmail.com
> (irc: netmask on freenode)

Mauricio Teixeira mauricio.teixeira@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> Use dumpfreq 1. Zero is too little, and most likely will cause file
> creation clashes.

Can it clash? The dump is done in a file created with mkstemp(3) and is
rename(2)'d to its final distination. rename(2) mandated to be atomic by
standards. 

Since dumps locks things, it would be very inefficient, but I do not
expect clashes.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...