pkgsrc-Users archive
Re: postfix 2.5.1 breaks with tls
I met the same problem.
I think /var/run/postfix is not a good place. Once the system reboots, these
files will be deleted. The new files created are root-owned. The problem is
still there.
On Tue, Mar 04, 2008 at 11:46:49AM +0900, Takahiro Kambe wrote:
> Hi,
>
> In message <rmiir036zlt.fsf%fnord.ir.bbn.com@localhost>
> on Mon, 03 Mar 2008 20:34:54 -0500,
> Greg Troxel <gdt%ir.bbn.com@localhost> wrote:
> > The problem is tlsmgr failing to create the PRNG exchange file.
> >
> > Mar 3 20:26:54 foo postfix/tlsmgr[20577]: fatal: tls_prng_exch_open:
> > cannot open PRNG exchange file /var/lib/postfix/prng_exch: Permission
> > denied uid 0 12 0 12 /var/spool/postfix
> >
> > (I added uid and: uid euid gid egid getcwd.)
> I don't know the right solution but tlsmgr(8) says in SECURITY section:
>
> The tlsmgr(8) can be run chrooted and with reduced privileges. At
> process startup it connects to the entropy source and exchange file,
> and creates or truncates the optional TLS session cache files.
>
> With Postfix version 2.5 and later, the tlsmgr(8) no longer uses root
> privileges when opening cache files. These files should now be stored
> under the Postfix-owned data_directory. As a migration aid, an attempt
> to open a cache file under a non-Postfix directory is redirected to the
> Postfix-owned data_directory, and a warning is logged.
>
> And /var/lib/postfix comes from this "data_directory".
>
> % /usr/pkg/sbin/postconf | egrep data_dir
> data_directory = /var/lib/postfix
> tls_random_exchange_name = ${data_directory}/prng_exch
>
> I don't think /var/lib/postfix is a good default for data_directory
> and it should be "/var/run/postfix" or "/var/db/postfix".
>
> > I can't figure out if it's in a chroot - seems not to be in master.cf.
> > And I can't figure out how to ktrace an intermediate process.
> # ktrace -di -p <qmgr's pid>
>
> is one brute force method. ;-p
>
> --
> Takahiro Kambe <taca%back-street.net@localhost>
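A check for the condition discussed in this thread, added here as an example and not part of the original messages: it verifies that a Postfix data_directory, and the prng_exch file inside it if one exists, is owned by the unprivileged Postfix user, which is what tlsmgr needs once it opens cache files without root privileges (Postfix 2.5 and later). The directory and owner are passed in as arguments; on a live system they would come from `postconf -h data_directory` and `postconf -h mail_owner` (standard postconf usage, assumed rather than taken from the thread).

```shell
#!/bin/sh
# Added example, not code from the thread: verify that Postfix's
# data_directory is usable by the unprivileged tlsmgr of Postfix 2.5+.
#
# Exit codes: 0 ok, 1 directory missing, 2 directory not owned by the
# Postfix user, 3 prng_exch present but not owned by the Postfix user.

# Owner of a path, as printed by ls(1). Works on BSD and Linux alike,
# unlike stat(1), whose flags differ between the two.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_data_directory DIR OWNER
#   DIR   - value of data_directory (e.g. /var/lib/postfix)
#   OWNER - value of mail_owner (e.g. postfix)
check_data_directory() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "data_directory $dir does not exist" >&2
        return 1
    fi
    if [ "$(owner_of "$dir")" != "$owner" ]; then
        echo "data_directory $dir is not owned by $owner" >&2
        return 2
    fi
    # tlsmgr creates the PRNG exchange file on first start. A leftover
    # root-owned copy (e.g. created by an older, privileged tlsmgr) is the
    # "cannot open PRNG exchange file ... Permission denied" case in the log.
    if [ -e "$dir/prng_exch" ] && [ "$(owner_of "$dir/prng_exch")" != "$owner" ]; then
        echo "$dir/prng_exch is not owned by $owner" >&2
        return 3
    fi
    return 0
}

# Typical use on a live system (assumed postconf invocation):
#   check_data_directory "$(postconf -h data_directory)" "$(postconf -h mail_owner)"
```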