CentOS - Aug 2008 - Sendmail with TLS, permission problem

Hello, list,

I have a problem with Sendmail configuration.

I'm building (on CentOS 5) a "dual-MTA" setup with amavisd-new (as
specified
in amavisd-new documentation, file README.sendmail-dual).

So far so good. But when I tried to add server SMTP-AUTH and TLS, I get a
strange, permission-related error, and STARTTLS will not start.

In my .mc conf, the Sendmail user is now the usual - mail:mail
    define(`confDEF_USER_ID', ``8:12'')dnl
...though when I have cleared this problem, I'm going to add a definition
for a non-privileged Sendmail user like this (for the receiving Sendmail
daemon): 
    define(`confRUN_AS_USER', `smmsp:smmsp')dnl

Ok, when I try to start Sendmail, I get this in the maillog:

Aug 11 15:25:24 mail sm-mta-tx[12782]: starting daemon (8.13.8):
SMTP+queueing at 00:01:00
Aug 11 15:25:24 mail sm-mta-rx[12785]: starting daemon (8.13.8):
SMTP+persistent-queueing at 00:00:01
Aug 11 15:25:24 mail sm-mta-rx[12785]: STARTTLS=server: file
/etc/mail/certs/sendmail.pem unsafe: Permission denied

This is strange, because the permissions should be ok - right?

[root at mail ~]# ls -ld / /etc /etc/mail /etc/mail/certs
drwxr-xr-x 24 root root  4096 Mar 29  2007 /
drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
drwxr-xr-x  5 root root  4096 Aug 11 15:44 /etc/mail
dr-xr-xr-x  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs

[root at mail ~]# ls -l /etc/mail/certs
-rw------- 1 mail mail    1371 Aug 11 12:15 cacert.pem
-rw------- 1 mail mail     963 Aug 11 12:15 cakey.pem
-rw-r--r-- 1 root root 1952422 Aug 11 14:26 revoke.crl
-rw------- 1 mail mail    2258 Aug 11 12:16 sendmail.pem

Any ideas, what I should check next?

This might be a Sendmail bug - it resembles this Debian bug, which also
gives a "unsafe - no permission" error as a symptom.

http://www.mail-archive.com/debian-bugs-closed at lists.debian.org/msg01560.htm
l

. Jussi Hirvi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi at greenspot.fi * http://www.greenspot.fi

Jussi Hirvi wrote:
> Aug 11 15:25:24 mail sm-mta-rx[12785]: STARTTLS=server: file
> /etc/mail/certs/sendmail.pem unsafe: Permission denied
> dr-xr-xr-x  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
         ^^^

Even allowing group to read there and enter there might be too much.

Ralph
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL:
<http://lists.centos.org/pipermail/centos/attachments/20080812/c4c04143/attachment.sig>

Ralph Angenendt (ra+centos at br-online.de) kirjoitteli (12.8.2008
11:24):
> Jussi Hirvi wrote:
>> Aug 11 15:25:24 mail sm-mta-rx[12785]: STARTTLS=server: file
>> /etc/mail/certs/sendmail.pem unsafe: Permission denied
> 
>> dr-xr-xr-x  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs
> ^^^
> 
> Even allowing group to read there and enter there might be too much.
Thanks for quick reply. That didn't help yet. The error message in maillog
is still the same: "sendmail.pem unsafe: Permission denied". The
directory
perms are now: 
[root at mail mail]# ls -ld / /etc /etc/mail /etc/mail/certs
drwxr-xr-x 24 root root  4096 Mar 29  2007 /
drwxr-xr-x 96 root root 12288 Aug 12 04:02 /etc
drwxr-xr-x  5 root root  4096 Aug 12 12:14 /etc/mail
dr-x------  2 mail mail  4096 Aug 11 14:42 /etc/mail/certs

- Jussi

--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. & fax +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi at greenspot.fi * http://www.greenspot.fi