opendmarc.dat Permission denied issues


opendmarc.dat Permission denied issues

lists-3
I'm trying to set up DKIM & DMARC, set it a few days ago, it seemed to be
working ok(?), well, I didn't notice errors

noticed today multiple "Permission denied" errors since last night, across
multiple domains

grep " Permission denied" /var/log/maillog | wc
   1943   19430  200491

May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9:
/var/run/opendmarc.dat: fopen(): Permission denied

# grep AAADD4E821C9 /var/log/maillog
May 29 13:41:41 geko postfix/smtpd[30596]: AAADD4E821C9:
client=mail01.hello.zendesk.com[142.0.163.127]
May 29 13:41:42 geko postfix/cleanup[30785]: AAADD4E821C9:
message-id=<32f4e19952284dd89d4be9c71563d796@2136619493>
May 29 13:41:42 geko opendmarc[27677]: AAADD4E821C9: SPF(mailfrom):
[hidden email] pass
May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9: zendesk.com pass
May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9:
/var/run/opendmarc.dat: fopen(): Permission denied
May 29 13:41:43 geko postfix/cleanup[30785]: AAADD4E821C9: milter-reject:
END-OF-MESSAGE from mail01.hello.zendesk.com[142.0.163.127]: 4.7.1 Service
unavailable - try again later; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<mail01.hello.zendesk.com>


and, I don't have any such:

# ls /var/run/open*
/var/run/opendkim:
opendkim.pid

/var/run/opendmarc:
opendmarc.pid

in conf I have it as:

# grep opendmarc.dat opendmarc.conf
# HistoryFile /var/spool/opendmarc/opendmarc.dat
HistoryFile /var/run/opendmarc.dat

(the write up I was using suggested "/var/run/opendmarc.dat")


do I need to... re-create opendmarc.dat ..?
should it go in conf default path /var/spool/opendmarc ?

what did I screw up this time ?

meantime, removed dmarc from postfix main.cf

V


Re: opendmarc.dat Permission denied issues

Dominic Raferd


On Wed, 29 May 2019 at 05:11, <[hidden email]> wrote:
> I'm trying to set up DKIM & DMARC, set it a few days ago, it seemed to be
> working ok(?), well, I didn't notice errors
>
> noticed today multiple "Permission denied" errors since last night, across
> multiple domains
>
> grep " Permission denied" /var/log/maillog | wc
>    1943   19430  200491
>
> May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9:
> /var/run/opendmarc.dat: fopen(): Permission denied
>
> # grep AAADD4E821C9 /var/log/maillog
> May 29 13:41:41 geko postfix/smtpd[30596]: AAADD4E821C9:
> client=mail01.hello.zendesk.com[142.0.163.127]
> May 29 13:41:42 geko postfix/cleanup[30785]: AAADD4E821C9:
> message-id=<32f4e19952284dd89d4be9c71563d796@2136619493>
> May 29 13:41:42 geko opendmarc[27677]: AAADD4E821C9: SPF(mailfrom):
> [hidden email] pass
> May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9: zendesk.com pass
> May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9:
> /var/run/opendmarc.dat: fopen(): Permission denied
> May 29 13:41:43 geko postfix/cleanup[30785]: AAADD4E821C9: milter-reject:
> END-OF-MESSAGE from mail01.hello.zendesk.com[142.0.163.127]: 4.7.1 Service
> unavailable - try again later; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<mail01.hello.zendesk.com>
>
>
> and, I don't have any such:
>
> # ls /var/run/open*
> /var/run/opendkim:
> opendkim.pid
>
> /var/run/opendmarc:
> opendmarc.pid
>
> in conf I have it as:
>
> # grep opendmarc.dat opendmarc.conf
> # HistoryFile /var/spool/opendmarc/opendmarc.dat
> HistoryFile /var/run/opendmarc.dat
>
> (the write up I was using suggested "/var/run/opendmarc.dat")
>
>
> do I need to... re-create opendmarc.dat ..?
> should it go in conf default path /var/spool/opendmarc ?
>
> what did I screw up this time ?
>
> meantime, removed dmarc from postfix main.cf

I think you need to use a suitable UMask setting in /etc/opendmarc.conf e.g. 0002 - see UMask in man opendmarc.conf. And I don't think /var/run is a logical place to put the history file. /var/log maybe?

Re: opendmarc.dat Permission denied issues

lists-3
On Wed, May 29, 2019 4:51 pm, Dominic Raferd wrote:
> On Wed, 29 May 2019 at 05:11, <[hidden email]> wrote:

>
> I think you need to use a suitable UMask setting in /etc/opendmarc.conf
> e.g. 0002 - see UMask in man opendmarc.conf. And I don't think /var/run is
>  a logical place to put the history file. /var/log maybe?
>

Dominic, thanks

I've used
https://www.stevejenkins.com/blog/2015/03/installing-opendmarc-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/

I can see now there is inconsistency in that writeup, with location of the
.dat

I currently have like:


UMask 007

UserID opendmarc:mail

what about default path /var/run/opendmarc.dat, maybe I'll try that

I'll try UMask 0002

thanks,

V



Re: opendmarc.dat Permission denied issues

Benny Pedersen-2
In reply to this post by lists-3
[hidden email] wrote on 2019-05-29 06:09:

> May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9:
> /var/run/opendmarc.dat: fopen(): Permission denied

change /var/run to /var/tmp

if you reboot with your config you will lose data

/var/tmp must not be cleaned after boots, /tmp will be cleaned on boot

permission denied comes from that opendmarc starts as root, and drops
privileges to user later, and that makes it permission denied for the dat
file, show ls -l /var/run/ if need more help

if the dat file is owned or created by root, delete it and restart
opendmarc

Re: opendmarc.dat Permission denied issues

lists-3
On Thu, May 30, 2019 12:52 am, Benny Pedersen wrote:
> [hidden email] wrote on 2019-05-29 06:09:

> change /var/run to /var/tmp
>
> if you reboot with your config you will lose data
>
> /var/tmp must not be cleaned after boots, /tmp will be cleaned on boot
>
>
> permission denied comes from that opendmarc starts as root, and drops
> privileges to user later, and that makes it permission denied for the dat
> file, show ls -l /var/run/ if need more help
>
> if the dat file is owned or created by root, delete it and restart
> opendmarc
>

Benny, thanks

following Dominic advice I've set "UMask 0002" as , and, also reverted to
default path, restarted some 10 hours ago, so far, so good, no more fopen
errors

I'll change to /var/tmp next

thanks for explanation,

Voytek


# ls -l /var/run/
total 32
....
drwxr-xr-x  3 root      root         80 May 28 22:09 NetworkManager
drwx------  2 opendkim  opendkim     60 May 28 22:09 opendkim
drwx------  2 opendmarc opendmarc    60 May 29 18:25 opendmarc
drwxr-xr-x  2 root      root         40 May 28 22:08 plymouth
...

# ls -l /var/run/opendmarc
total 4
-rw-rw-r-- 1 opendmarc opendmarc 6 May 29 18:25 opendmarc.pid

# grep istory  /etc/opendmarc.conf
HistoryFile /var/spool/opendmarc/opendmarc.dat
# HistoryFile /var/run/opendmarc.dat

# ls -l /var/spool/opendmarc/
total 44
-rw-rw-r-- 1 opendmarc opendmarc 41543 May 30 06:42 opendmarc.dat



Re: opendmarc.dat Permission denied issues

Kris Deugau
> On Thu, May 30, 2019 12:52 am, Benny Pedersen wrote:
>> [hidden email] wrote on 2019-05-29 06:09:
>
>> change /var/run to /var/tmp
>>
>> if you reboot with your config you will lose data
>>
>> /var/tmp must not be cleaned after boots, /tmp will be cleaned on boot

/tmp and /var/tmp may be emptied at any time;  they are not intended for
persistent data.  Sockets and temporary working files are fine;  I
wouldn't put anything in either one that I expected to keep around for
very long.

The exact default policy may also vary from *nix to *nix (either across
Linux/*BSD/"real"-UNIX divisions, or between Linux distributions), and
will almost certainly vary from system to system according to local
administrator preference/policy.

The default /var/spool/opendmarc/opendmarc.dat sounds reasonable;
/var/lib/opendmarc/opendmarc.dat is probably another good choice.  Files
in these trees are expected to hang around.


[hidden email] wrote:
> following Dominic advice I've set "UMask 0002" as , and, also reverted to
> default path, restarted some 10 hours ago, so far, so good, no more fopen
> errors
>
> I'll change to /var/tmp next

I'd just leave it in the default location;  unless you have some strong
reason to put it elsewhere.

-kgd
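
Added example, not part of any post in this thread: a shell check that reads HistoryFile and UserID from opendmarc.conf and reports whether the history file sits in a tree the thread describes as non-persistent, and whether the configured user has a write bit on the parent directory. The function names are made up for this example; it assumes GNU stat and compares mode bits only.

```shell
#!/bin/sh
# Added example. Usage: check_history_file /etc/opendmarc.conf
# Assumes GNU stat (Linux); looks at mode bits only, not ACLs or SELinux.

# Print the value of an active (uncommented) "Key value" setting.
conf_value() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# Succeed if the path is in a tree that a reboot or tmp cleaner may empty.
is_volatile_path() {
    case "$1" in
        /var/run/*|/run/*|/tmp/*|/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if numeric uid/gid has a write bit on the directory.
# Only the primary gid is compared; supplementary groups are ignored.
dir_writable_by() {
    want_uid=$1; want_gid=$2
    info=$(stat -c '%u %g %a' "$3") || return 2
    set -- $info                      # $1=owner uid, $2=group gid, $3=octal mode
    mode=$((0$3))
    if [ "$1" = "$want_uid" ]; then [ $((mode & 0200)) -ne 0 ]
    elif [ "$2" = "$want_gid" ]; then [ $((mode & 0020)) -ne 0 ]
    else [ $((mode & 0002)) -ne 0 ]
    fi
}

# Returns 0 = fine, 1 = volatile location, 2 = cannot create file, 3 = unresolved.
check_history_file() {
    hist=$(conf_value HistoryFile "$1"); userid=$(conf_value UserID "$1")
    [ -n "$hist" ] || { echo "no active HistoryFile in $1"; return 3; }
    user=${userid%%:*}
    uid=$(id -u "$user") || return 3
    case "$userid" in
        *:*) gid=$(getent group "${userid#*:}" | cut -d: -f3) ;;
        *)   gid=$(id -g "$user") ;;
    esac
    rc=0; dir=$(dirname "$hist")
    if is_volatile_path "$hist"; then
        echo "WARN: $hist is in a tree that may be emptied on reboot"; rc=1
    fi
    if ! dir_writable_by "$uid" "$gid" "$dir"; then
        echo "FAIL: $user cannot create files in $dir (owner/group/mode)"; rc=2
    fi
    return $rc
}
```
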

Re: opendmarc.dat Permission denied issues

@lbutlr
In reply to this post by Benny Pedersen-2
On 29 May 2019, at 08:52, Benny Pedersen <[hidden email]> wrote:
> /var/tmp must not be cleaned after boots, /tmp will be cleaned on boot

I've never heard that. Is that a real thing or just your own 'rule'?


--
Lobotomy means never having to say you're sorry -- or anything else.



Re: opendmarc.dat Permission denied issues

Bastian Blank-3
On Thu, May 30, 2019 at 04:44:13AM -0600, @lbutlr wrote:
> On 29 May 2019, at 08:52, Benny Pedersen <[hidden email]> wrote:
> > /var/tmp must not be cleaned after boots, /tmp will be cleaned on boot
> I've never heard that. Is that a real thing or just your own 'rule'?

https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s15.html

Bastian

--
Hailing frequencies open, Captain.

Re: opendmarc.dat Permission denied issues

Matus UHLAR - fantomas
In reply to this post by @lbutlr
>On 29 May 2019, at 08:52, Benny Pedersen <[hidden email]> wrote:
>> /var/tmp must not be cleaned after boots, /tmp will be cleaned on boot

On 30.05.19 04:44, @lbutlr wrote:
>I've never heard that. Is that a real thing or just your own 'rule'?

it's standard FHS:

https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard

/tmp

Temporary files (see also /var/tmp). Often not preserved between system reboots, and may be severely size restricted.

/var/tmp

Temporary files to be preserved between reboots.



--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton

Re: opendmarc.dat Permission denied issues

@lbutlr
On 30 May 2019, at 06:32, Matus UHLAR - fantomas <[hidden email]> wrote:

>> On 29 May 2019, at 08:52, Benny Pedersen <[hidden email]> wrote:
>>> /var/tmp must not be cleaned after boots, /tmp will be cleaned on boot
>
> On 30.05.19 04:44, @lbutlr wrote:
>> I've never heard that. Is that a real thing or just your own 'rule'?
>
> it's standard FHS:
>
> https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
>
> /tmp
>
> Temporary files (see also /var/tmp). Often not preserved between system reboots, and may be severely size restricted.
> /var/tmp
>
> Temporary files to be preserved between reboots.

But can still be deleted at any time, just "less frequently than /tmp"; certainly not a place to store necessary files. I don't see this anywhere for *BSD, thankfully, so I can safely ignore it.

The only files in /var/tmp on my system are the database for pkg provides and a directory for vi.recovery containing a single file from April 2018.


--
Two, Four, Six, Eight! Time to Transubstantiate!



Re: opendmarc.dat Permission denied issues

@lbutlr
On 30 May 2019, at 07:24, @lbutlr <[hidden email]> wrote:
> But can still be deleted at any time, just "less frequently than /tmp"; certainly not a place to store necessary files. I don't see this anywhere for *BSD, thankfully, so I can safely ignore it.

Goops, forgot to paste this:


/var/tmp/ Temporary files which are usually preserved across a system reboot, unless /var is a memory-based file system.

which is much weaker than "…must not be deleted when the system is booted."


--
"Two years from now, spam will be solved," -- Bill Gates, January, 2004



Re: opendmarc.dat Permission denied issues

Matus UHLAR - fantomas
On 30.05.19 07:27, @lbutlr wrote:
>On 30 May 2019, at 07:24, @lbutlr <[hidden email]> wrote:
>> But can still be deleted at any time, just "less frequently than /tmp"; certainly not a place to store necessary files. I don't see this anywhere for *BSD, thankfully, so I can safely ignore it.
>
>Goops, forgot to paste this:
>
>
>/var/tmp/ Temporary files which are usually preserved across a system reboot, unless /var is a memory-based file system.
>
>which is much weaker than "…must not be deleted when the system is booted."

and what exactly are you complaining about?

btw the OP used /var/run, which is also designed to be cleaned upon boot.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)

Re: opendmarc.dat Permission denied issues

@lbutlr


> On 30 May 2019, at 07:37, Matus UHLAR - fantomas <[hidden email]> wrote:
>
> On 30.05.19 07:27, @lbutlr wrote:
>> On 30 May 2019, at 07:24, @lbutlr <[hidden email]> wrote:
>>> But can still be deleted at any time, just "less frequently than /tmp"; certainly not a place to store necessary files. I don't see this anywhere for *BSD, thankfully, so I can safely ignore it.
>>
>> Goops, forgot to paste this:
>>
>>
>> /var/tmp/ Temporary files which are usually preserved across a system reboot, unless /var is a memory-based file system.
>>
>> which is much weaker than "…must not be deleted when the system is booted."
>
> and what exactly are you complaining about?

Nothing. Just commenting out the difference between Linux and *BSD in how they view this directory.

> btw the OP used /var/run, which is also designed to be cleaned upon boot.

That's not even part of the defined hierarchy for BSD, though it is often used for storing PID files and some sockets. Storing real data there seems like a bad idea, but sure enough, some programs seem to have put stuff there on my system, and some of it is quite old.  Of course, without a specific policy in  https://www.freebsd.org/doc/handbook/dirstructure.html it's hard to predict what will happen, though I would hope it is untouched.


--
Far away, across the fields, the tolling of the iron bell calls the
faithful to their knees to hear the softly spoken magic spells.