On 2007-08-09, at 1724, Daniel Mahoney wrote:
I've gotten pretty well through the lifewithqmail install
instructions, but I've got a problem. When I try to start qmail
via /var/qmail/rc I get a message reading "alert: cannot start:
unable to read controls".
That error message appears in two programs: qmail-send and qmail-smtpd. Since it's appearing when qmail-send is starting up, I'm guessing the message is coming from qmail-send.
I would suggest you read qmail-send.c, find the "getcontrols()" function, and read the files it's trying to read (e.g. "queuelifetime", "concurrencylocal", "concurrencyremote", "envnoathost", etc.), then look in /var/qmail/control and check the ownership and permissions of each file. Make sure the "qmails" user, which is a member of the "qmail" group, has permission to read each of these files. Obviously the error means that it's not able to read at least one of them: check the list, figure out which file it is, and fix that file.
From the list below, the only things which aren't world-readable are the "dh*.pem" and "rsa*.pem" files, which would make me guess that these files are causing the problem. I would grep through the source code, find the program(s) which are reading these filenames, find out what userid those programs run under, and set the permissions on those files so that the appropriate programs are able to read them, but not every userid on the machine.
...
[root@ce qmail]# ls -Al control
total 64
-rw-r--r-- 1 root qmail 22 Feb 16 2006 badmailfrom
lrwxrwxrwx 1 root qmail 33 Aug 9 08:55 clientcert.pem -> /var/qmail/control/servercert.pem
-rw-r--r-- 1 root qmail 3 Aug 9 15:09 concurrencyincoming
-rw-r--r-- 1 root qmail 11 Aug 9 15:29 defaultdelivery
-rw------- 1 qmaild qmail 245 Apr 23 2005 dh1024.pem
-rw------- 1 qmaild qmail 156 Apr 23 2005 dh512.pem
-rw-r--r-- 1 root qmail 10 Apr 23 2005 locals
-rw-r--r-- 1 root qmail 18 May 4 2005 me
-rw-r--r-- 1 root qmail 5 Dec 14 2005 queuelifetime
-rw-r--r-- 1 root qmail 5335 Aug 8 12:58 rcpthosts
-rw-r--r-- 1 root qmail 118 Aug 8 12:54 rejectnonexist
-rw------- 1 qmaild qmail 497 Apr 23 2005 rsa512.pem
-rw-r--r-- 1 root qmail 3295 Apr 23 2005 servercert.pem
-rw-r--r-- 1 root qmail 25 May 6 2005 smtpplugins
-rw-r--r-- 1 root qmail 6467 Aug 8 12:58 virtualdomains
I see a few other problems here as well, or at least a few things which I know would be problems if you were using my combined patch, and since my patch is a combination of a lot of the same patches that others are using, there's a good chance they may be affecting you as well.
The "*.pem" files are used by different programs. Under my patch, the "servercert.pem" file is only used by the qmail-smtpd program, which runs as qmaild, which is a member of the "nofiles" group, which means that "servercert.pem" needs to be owned by root, with the nofiles group, and have permissions 0640... and the "clientcert.pem" file is only used by qmail-remote, which runs as qmailr, which is a member of the "qmail" group, so it should be owned by root, group qmail, permissions 0640. Which means that "clientcert.pem" should NOT be a symlink to "servercert.pem". (This is one of the most common errors that "qmailrocks" users make, because the brain-dead qmailrocks scripts set things up this way.)
I would suggest you review which programs actually use these files, figure out what userid they run under, and set their permissions appropriately. And remember that these ".pem" files contain the encryption keys which are used to secure the mail coming into or out of your server; if they fall into the hands of the wrong process, you could potentially lose the benefit of encrypting your connections.
----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ <jms1@jms1.net> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
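The permission check described in the reply above, as an added example that is not part of the original message, of qmail, or of John's patch: a POSIX shell script that takes the `ls -Al control` listing quoted in the thread (embedded below as constructed data) and works out, for each qmail uid, which control files that uid cannot open for reading. The group memberships are the ones the message states (qmails and qmailr in group qmail, qmaild in group nofiles) and are assumptions of the script; the function names `entry`, `readable` and `unreadable_by` are my own. A symlink is only as readable as its target, so the `clientcert.pem -> servercert.pem` link is judged by servercert.pem's mode, which is why it passes the readability check even though the reply says it is the wrong layout. The last three lines check the recommended 0640 root:nofiles / root:qmail layout against the uid that should, and the uid that should not, be able to read each certificate.

```shell
#!/bin/sh
# Added example, not from the original message or from qmail. It applies the
# "can this uid read this control file" check to the listing quoted in the
# thread, using the group memberships the message states (assumptions:
# qmails and qmailr are in group qmail, qmaild is in group nofiles).

# Constructed from the ls -Al output quoted above (nine columns: mode, links,
# owner, group, size, month, day, year-or-time, name; symlinks add "-> target").
LISTING='-rw-r--r-- 1 root qmail 22 Feb 16 2006 badmailfrom
lrwxrwxrwx 1 root qmail 33 Aug 9 08:55 clientcert.pem -> /var/qmail/control/servercert.pem
-rw-r--r-- 1 root qmail 3 Aug 9 15:09 concurrencyincoming
-rw-r--r-- 1 root qmail 11 Aug 9 15:29 defaultdelivery
-rw------- 1 qmaild qmail 245 Apr 23 2005 dh1024.pem
-rw------- 1 qmaild qmail 156 Apr 23 2005 dh512.pem
-rw-r--r-- 1 root qmail 10 Apr 23 2005 locals
-rw-r--r-- 1 root qmail 18 May 4 2005 me
-rw-r--r-- 1 root qmail 5 Dec 14 2005 queuelifetime
-rw-r--r-- 1 root qmail 5335 Aug 8 12:58 rcpthosts
-rw-r--r-- 1 root qmail 118 Aug 8 12:54 rejectnonexist
-rw------- 1 qmaild qmail 497 Apr 23 2005 rsa512.pem
-rw-r--r-- 1 root qmail 3295 Apr 23 2005 servercert.pem
-rw-r--r-- 1 root qmail 25 May 6 2005 smtpplugins
-rw-r--r-- 1 root qmail 6467 Aug 8 12:58 virtualdomains'

# entry NAME: print "MODE OWNER GROUP" for NAME. A symlink is only as readable
# as its target, so one level of "-> target" is followed within the listing.
entry() {
    printf '%s\n' "$LISTING" | while read -r e_mode e_ln e_owner e_group e_sz e_mo e_dy e_yr e_name e_arrow e_target; do
        [ "$e_name" = "$1" ] || continue
        if [ "$e_arrow" = "->" ]; then
            entry "${e_target##*/}"
        else
            printf '%s %s %s\n' "$e_mode" "$e_owner" "$e_group"
        fi
        break
    done
}

# readable MODE OWNER GROUP USER "GROUPS": exit 0 if USER, a member of the
# space-separated GROUPS, may open the file for reading. Unix picks one class
# only: owner if the uid matches, else group if a gid matches, else other.
readable() {
    r_mode=$1 r_owner=$2 r_group=$3 r_user=$4 r_groups=$5
    [ "$r_user" = root ] && return 0
    if [ "$r_owner" = "$r_user" ]; then
        case "$r_mode" in ?r*) return 0 ;; *) return 1 ;; esac
    fi
    for r_g in $r_groups; do
        if [ "$r_g" = "$r_group" ]; then
            case "$r_mode" in ????r*) return 0 ;; *) return 1 ;; esac
        fi
    done
    case "$r_mode" in ???????r*) return 0 ;; *) return 1 ;; esac
}

# unreadable_by USER "GROUPS": print, one per line, the control files USER
# cannot read. Run it for the uid of the program that logged
# "unable to read controls" to find the file behind the message.
unreadable_by() {
    u_user=$1 u_groups=$2
    printf '%s\n' "$LISTING" | while read -r u_mode u_ln u_owner u_group u_sz u_mo u_dy u_yr u_name u_rest; do
        set -- $(entry "$u_name")
        readable "$1" "$2" "$3" "$u_user" "$u_groups" || echo "$u_name"
    done
}

# Demo: the three uids the message talks about, then the recommended layout
# (servercert.pem root:nofiles 0640, clientcert.pem root:qmail 0640).
for who in "qmails qmail" "qmaild nofiles" "qmailr qmail"; do
    set -- $who
    echo "unreadable by $1:"; unreadable_by "$1" "$2" | sed 's/^/  /'
done
readable -rw-r----- root nofiles qmaild nofiles && echo "servercert.pem 0640 root:nofiles: qmaild can read it"
readable -rw-r----- root nofiles qmailr qmail || echo "servercert.pem 0640 root:nofiles: qmailr is kept out"
readable -rw-r----- root qmail qmailr qmail && echo "clientcert.pem 0640 root:qmail: qmailr can read it"
```

On the listing in the thread, qmails and qmailr both come out unable to read dh1024.pem, dh512.pem and rsa512.pem (owned by qmaild, mode 0600, group bits clear), while qmaild can read everything; with the recommended 0640 modes, each certificate is readable by exactly the uid of the program that uses it and by nothing else outside root. On a live box the same question can be asked of the kernel directly, e.g. `su -s /bin/sh qmails -c 'cat /var/qmail/control/queuelifetime'`, which avoids reasoning about mode bits by hand.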