Hello,
I'm having trouble getting postfixadmin to create the maildirs for new users and domains. I have given the www user the right to execute the scripts and changed "base_dir" inside the 3 scripts.
/usr/local/etc/sudoers:
www ALL=(ALL) NOPASSWD: /usr/local/bin/postfixadmin-mailbox-postcreation.sh
www ALL=(ALL) NOPASSWD: /usr/local/bin/postfixadmin-mailbox-postdeletion.sh
www ALL=(ALL) NOPASSWD: /usr/local/bin/postfixadmin-domain-postdeletion.sh
/usr/local/bin/postfixadmin-mailbox-postcreation.sh:
basedir=/var/vmail
That's the only line I changed in all three scripts.
Now this is what config.inc.php contains:
$CONF['mailbox_postcreation_script']='/usr/local/bin/sudo -u vmail /usr/local/bin/postfixadmin-mailbox-postcreation.sh';
$CONF['mailbox_postdeletion_script']='/usr/local/bin/sudo -u vmail /usr/local/bin/postfixadmin-mailbox-postdeletion.sh';
$CONF['domain_postdeletion_script']='/usr/local/bin/sudo -u vmail /usr/local/bin/postfixadmin-domain-postdeletion.sh';
Now when I add a user I get this error in postfixadmin:
Unable to add the mailbox to the mailbox table!
(test@domain.tld)
But the user IS added to the SQL table. It is actually the postfixadmin-mailbox-postcreation.sh that fails to execute and this is what httpd-errorlog.log shows:
[Fri Oct 10 15:49:53 2008] [error] [client 62.30.56.80] Running /usr/local/bin/sudo -u vmail /usr/local/bin/postfixadmin-mailbox-postcreation.sh 'test@domain.tld' 'domain.tld' 'domain.tld/test/' '20480000' yielded return value=1, first line of output=Bailing out., referer: http://mx0.anotherdomain.tld/postfixadmin/create-mailbox.php?domain=domain.tld
I don't know much about php5 security but I suspect that it has something to do with that, I might be wrong. Hopefully someone else has had this problem and solved it. :)
My system is FreeBSD 7.0-STABLE with apache2.0 and PHP5
Your problem is most likely with sudo...
Are you able to login as the apache user, and then run the command manually to confirm it works as expected?
As long as you've not got safe_mode enabled, there isn't really security in PHP5.
I changed the www user so it could log in and then I logged in and tried the sudo command shown in the errorlog and it worked. The maildir got created. Then I used PostfixAdmin to delete the user and that command worked. The maildir got deleted by PostfixAdmin so it's not my apache setup, it's not the sudoers file and I don't see anything wrong with config.inc.php.
Could there be something wrong with the script itself?
I found the problem, changed the script and made a patch. The problem was that "maildirmake" was not in Apache's path. I also made a few changes to the error messages to make it easier to debug because Apache only shows one line of error message output, by default.
patch:
--- postfixadmin-mailbox-postcreation.sh.orig 2008-10-19 00:31:18.000000000 +0000
+++ postfixadmin-mailbox-postcreation.sh 2008-10-19 01:41:23.000000000 +0000
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/local/bin/bash
# Example script for adding a Maildir to a Courier-IMAP virtual mail
# hierarchy.
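Review bot: the shebang change to /usr/local/bin/bash in this first hunk hardcodes a shell and a path that nothing else in the patch needs; the lines added further down use only plain sh constructs (a variable assignment, [ ], echo). Keep #!/bin/sh so the script still starts on hosts where bash is missing or installed elsewhere, because a missing interpreter fails before the script can print any of its own messages.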
@@ -22,6 +22,9 @@
# Change this to where you keep your virtual mail users' maildirs.
basedir=/var/spool/maildirs
+# Change this to the full path to the maildirmake executable
+maildirmakebin=/usr/local/bin/maildirmake
+
if [ ! -e "$basedir" ]; then
echo "basedir '$basedir' does not exist; bailing out."
exit 1
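Review bot: maildirmakebin is introduced here but never checked, although basedir gets an existence test in the lines immediately below it. Add a matching test such as [ -x "$maildirmakebin" ] that prints a one-line message and exits non-zero, so a wrong path is reported by the script itself rather than by the shell.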
@@ -36,8 +39,7 @@
parent=`dirname "$maildir"`
if [ ! -d "$parent" ]; then
if [ -e "$parent" ]; then
- echo "Strainge - directory '$parent' exists, but is not a directory."
- echo "Bailing out."
+ echo "Strainge - directory '$parent' exists, but is not a directory. Bailing out."
exit 1
else
mkdir -p "${parent}"
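Review bot: the merged message on the + line still carries the typo "Strainge"; since the line is being rewritten anyway, change it to "Strange". Folding the two echo calls into one is otherwise the right change, given that only the first line of output reaches the Apache log.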
@@ -53,10 +55,9 @@
exit 1
fi
-maildirmake "$maildir"
+$maildirmakebin "$maildir"
if [ ! -d "$maildir" ]; then
- echo "maildirmake didn't produce a directory"
- echo "Bailing out."
+ echo "maildirmake didn't produce a directory: $maildir; bailing out"
exit 1
fi
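Review bot: $maildirmakebin is expanded unquoted on the + line that replaces the maildirmake call, and its exit status is ignored; only the existence of the directory is tested afterwards. Quote it as "$maildirmakebin" "$maildir" and bail out when the command itself returns non-zero, so a failure is reported from maildirmake's status rather than inferred from the missing directory.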
See changeset 467; thank you.
Hello Julius n Ginger,
I have trouble getting PostfixAdmin to create the mailbox.
Here is the error in the http log
(after I tried to add a mailbox in PostfixAdmin. PostfixAdmin successfully added the account to the MySQL record for the added user, but it failed to add the mailbox folder in the maildir):
[Fri Oct 31 11:13:23 2008] [error] Running sudo -u postfix /usr/local/bin/postfixadmin-mailbox-postcreation.sh 'ryanto@griyakami.com' 'griyakami.com' 'griyakami.com/ryanto/' '0' yielded return value=127, first line of output=
I have:
/-rwx------ 1 postfix postfix 1801 Oct 30 12:45 /usr/local/bin/postfixadmin-mailbox-postcreation.sh
# vi /var/www/htdocs/postfixadmin-2.2.1.1/config.inc.php
$CONF['mailbox_postcreation_script']='sudo -u postfix /usr/local/bin/postfixadmin-mailbox-postcreation.sh';
#visudo (/etc/sudoers)
www ALL=(ALL) NOPASSWD: /usr/local/bin/postfixadmin-mailbox-postcreation.sh
php_safe is off
I would like to log in as www to test sudo, but I don't know how.
Any idea?
I executed a simple shell script to echo 'ls -lart' in test.php at the command line:
# php the_script.php and it worked.
But when I accessed test.php with a browser, it didn't work!
I assume that Apache cannot execute the shell script because it didn't have permission to execute /usr/local/bin/postfixadmin-mailbox-postcreation.sh or because of something else.
Thanks in advance.
I /think/ that script was updated in subversion a few weeks ago (by me) to have better error messages; would you be able to try the above again - with the latest version of the script (from subversion). It should log in a better manner which might help pinpoint where your problem is.
If you want to test the script via sudo, try :
1. login to the box
2. become root (sudo -s, su - etc)
3. su - www-data
4. sudo /path/to/script -with -parameters
(observe result)
Thank you for your reply and hints.
Sorry, which script? All scripts?
# sudo -s
# su - www
This account is currently not available.
# userinfo www
login www
passwd *
uid 67
groups www
change NEVER
class
gecos HTTP Server
dir /var/www
shell /sbin/nologin
expire NEVER
# sudo /usr/local/bin/postfixadmin-mailbox-postcreation.sh
Directory '/var/mail/vhosts/' already exists! Bailing out
#
I'm sorry, I overlooked an important log in error.log (I guess), which is
sh: sudo: not found
What did it mean that 'sudo -s' produced 'This account is currently not available' when 'userinfo www' displayed that user www existed?
Should I copy /usr/bin/sudo to /var/www/usr/bin/sudo so that file.php can execute a line with the sudo command, because Apache being chrooted (by default) caused the PHP file to not find sudo?
(But copying /usr/bin/sudo was not mentioned in the postfix INSTALL.txt. Will it create a security leak?)
> Should i copy /usr/bin/sudo to /var/www/usr/bin/sudo so that file.php can execute line with sudo command
> because that apache was chrooted(by default) caused file php could not find the sudo?
If you run your apache chrooted, then yes, sudo must be reachable inside the chroot. I never tested it, but I guess you'll need even more things inside the chroot:
- maildirmake etc. - in short all commands that are called inside the scripts
- the mailboxes - maildirmake etc. must be able to reach them
This means that you basically have to put all your mail stuff inside the chroot, which makes the chroot quite pointless.
You should think about alternative ways you could use instead of the scripts. Options are:
- let maildrop/whatever create the mailboxes by sending a welcome mail
- write some scripts that write the jobs that need to be done to a file (or fifo) inside the chroot, and have a small daemon or cronjob (outside the chroot) that polls this file and does the actual mailbox creation.
> (but to copy /usr/bin/sudo was not mentioned in postfix INSTALL.txt.
IIRC this is the first time someone comes up with a chrooted apache _and_ wants to use the scripts ;-)
> will it create security leak?)
Having a suid program inside a chroot is always a potential security risk - but only if it has a security bug ;-)
It was my fault to say so early that my Apache was chrooted; I just concluded it for some reasons.
Would you tell me whether I have a chrooted Apache or not, by looking at the following:
I just did something like pkg_add http to add Apache.. and made a simple configuration as:
# vi /var/www/conf/httpd.conf
ServerRoot "/var/www"
User www
Group www
DocumentRoot "/var/www/htdocs"
(Does it mean that apache is chrooted?)
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
(Is it this configuration that makes apache/php unable to execute .sh through the system's sudo? What
should I do to the ScriptAlias so that apache/php can find sudo? I forget whether the ScriptAlias is
at its default value or not.)
Another test that makes me feel that my apache/php is in a chrooted setting: I made this file:
/var/www/htdocs/cgi-bin/first.php, (chown www, chmod 777, there is file /var/www/bin/sh)
#!/bin/sh
# get today's date
OUTPUT="$(date)"
# You must add following two lines before
# outputting data to the web browser from shell
# script
echo "Content-type: text/html"
echo ""
echo "<html><head><title>Demo</title></head><body>"
echo "Today is $OUTPUT<br>"
echo "Current directory is $(pwd) <br>"
echo "Shell Script name is $0"
echo "</body></html>"
I called it from the browser, which produced:
"Today is
Current directory is /cgi-bin
Shell Script name is /cgi-bin/first.sh "
Please tell me, I wonder if Apache is chrooted by default. How do I make it not chrooted?
"IIRC this is the first time someone comes up with a chrooted apache _and_ wants to use the scripts ;-)":
Do I? :-) How does anyone do it with non-chrooted apache? I guess I didn't install apache in a special way to make it chrooted, except I feel that apache chrooted itself by "ServerRoot "/var/www"".
Thank you christian_boltz for your time and idea. Your answer helps me understand chroot more :-)
For information, I use OpenBSD. My friend said that Apache is chrooted by default on OpenBSD.
Has anyone ever installed PostfixAdmin on OpenBSD? It must be ever..
I would like to try
"You should think about alternative ways you could use instead of the scripts. Options are:
- let maildrop/whatever create the mailboxes by sending a welcome mail
- write some scripts that write the jobs that need to be done to a file (or fifo) inside the chroot, and have a small daemon or cronjob (outside the chroot) that polls this file and does the actual mailbox creation. "
The decision about which of the two options you want to use is based on two questions:
1. Do you need any scripts besides autocreation of a mailbox?
Maildrop is the easiest way to implement, but it does only mailbox creation, but no deletion etc.
2. How good are your programming skills?
For the solution with scripts and a fifo (BTW, a database table might be easier to handle), you'll need to do some programming. If you decide to use a database, PHP or perl would be a good language choice. You should make sure that your script does some sanity checks (mailbox really deleted from database? Does the mailbox look like a mail address? Or does it contain invalid characters that would cause big data loss?) before passing parameters to the "real" scripts.
If you want to use maildrop, ask me for a maildroprc that automatically creates the mailboxes (I don't have it at hand right now).
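The queue approach suggested above, with the sanity checks done before anything reaches the "real" script, could look like the following worker run from cron outside the chroot. This is an added example, not code from the thread or from PostfixAdmin; the `|`-separated queue format and the `domain/user/` maildir layout (taken from the log lines in this thread) are assumptions.

```shell
#!/bin/sh
# Added example: queue worker meant to run from cron OUTSIDE the web server's chroot.
# Assumed queue line format (not PostfixAdmin's): action|address|domain|maildir|quota
LC_ALL=C; export LC_ALL
HOOK=/usr/local/bin/postfixadmin-mailbox-postcreation.sh   # path used in the thread

valid_domain() {   # letters, digits, dot, hyphen; needs a dot; no "..", no edge dot/hyphen
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

valid_local() {    # conservative local part; a leading '-' could be read as an option
    case "$1" in
        ''|*[!A-Za-z0-9._+-]*|.*|*.|-*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

valid_quota() {    # digits only
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# validate_job ACTION ADDRESS DOMAIN MAILDIR QUOTA -> status 0 only if every field is sane
validate_job() {
    [ "$#" -eq 5 ] || return 1
    [ "$1" = create ] || return 1
    case "$2" in
        *@*@*) return 1 ;;
        *@*) ;;
        *) return 1 ;;
    esac
    local_part=${2%@*}
    addr_domain=${2#*@}
    valid_local "$local_part" || return 1
    valid_domain "$addr_domain" || return 1
    [ "$3" = "$addr_domain" ] || return 1
    # Assumption: maildir layout is domain/user/ as in the thread's log lines, so the
    # path is recomputed from the address and compared instead of being trusted.
    [ "$4" = "$addr_domain/$local_part/" ] || return 1
    valid_quota "$5"
}

# process_queue FILE [RUNNER...] -> prints "<run> <rejected>"
process_queue() {
    queue=$1; shift
    [ -f "$queue" ] || { echo "0 0"; return 0; }
    work="$queue.work.$$"
    mv "$queue" "$work" || return 1      # claim the batch; writers start a new file
    ok=0; bad=0
    while IFS='|' read -r action addr dom mdir quota extra || [ -n "$action" ]; do
        if [ -z "$extra" ] && validate_job "$action" "$addr" "$dom" "$mdir" "$quota"; then
            # stdin is detached so the hook cannot consume the rest of the queue
            if "$@" "$HOOK" "$addr" "$dom" "$mdir" "$quota" </dev/null; then
                ok=$((ok + 1))
            else
                bad=$((bad + 1))
            fi
        else
            bad=$((bad + 1))
        fi
    done < "$work"
    rm -f "$work"
    echo "$ok $bad"
}

# Run as the mail user, or pass a runner after the queue file, e.g.: sudo -u vmail
if [ "$#" -gt 0 ]; then process_queue "$@"; fi
```

With this split the web server only needs write access to the queue file inside its chroot; neither sudo nor maildirmake has to be copied into it.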
I have copied from
http://postfixadmin.svn.sourceforge.net/viewvc/postfixadmin/trunk/ADDITIONS/postfixadmin-mailbox-postcreation.sh?revision=467&view=markup
made change:
basedir=/var/mail/vhosts
I tried to add a user.
A record in table 'mailbox' was created, but still the mailbox folder was not created.
I checked error_log:
"[Tue Nov 4 14:15:45 2008] [error] Running sudo -u postfix /usr/local/bin/postfixadmin-mailbox-postcreation.sh 'byanto@griyakami.com' 'griyakami.com' 'griyakami.com/byanto/' '0' yielded return value=127, first line of output="
(no output AT ALL at 'first line of output=')
I made some tests like these:
# su www
This account is currently not available.
(Why was the system's response like this?)
# su -m www
ksh: Cannot determine current working directory
$_
$ /usr/local/bin/postfixadmin-mailbox-postcreation.sh
ksh: /usr/local/bin/postfixadmin-mailbox-postcreation.sh: cannot execute - Permission denied
(It meant that /usr/local/bin/postfixadmin-mailbox-postcreation.sh had permission 700 and was owned by
postfix, so that www could not execute it, am I right?)
$ sudo /usr/local/bin/postfixadmin-mailbox-postcreation.sh
/usr/local/bin/postfixadmin-mailbox-postcreation.sh: Directory '/var/mail/vhosts/' already exists! bailing out
(Did this command mean that user www checked /etc/sudoers to see if www had sudo ability as postfix to run
the script, and it (www) had, so it could execute /usr/local/bin/postfixadmin-mailbox-postcreation.sh?)
These tests show that www can execute postfixadmin-mailbox-postcreation.sh, right?
Any hint to solve this? Thanks.