From 3c15d410a9221d212193d386bcb2dbd9b723c62d Mon Sep 17 00:00:00 2001 From: "Daniel F. Dickinson" Date: Tue, 27 Aug 2019 01:53:51 -0400 Subject: [PATCH 1/3] msmtp-scripts: Make conn_test default nc On OpenWrt nc (netcat) connectivity test makes more sense than ping because a) for non-root users ping is not permitted, and b) nc is a default binary included with OpenWrt. We do, however, have to change the upstream default from using `nc -vz` to `printf ""|nc` (with openwrt nc if text is sent then nc closes after a response and fails if no connection is made; the response is already thrown away (to /dev/null) by the existing code). Signed-off-by: Daniel F. Dickinson --- mail/msmtp-scripts/Makefile | 3 ++- mail/msmtp-scripts/files/msmtpq-ng-mta.rc | 6 +++--- mail/msmtp-scripts/files/msmtpq-ng.rc | 6 +++--- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/mail/msmtp-scripts/Makefile b/mail/msmtp-scripts/Makefile index 42ed208ed..34242434e 100644 --- a/mail/msmtp-scripts/Makefile +++ b/mail/msmtp-scripts/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=msmtp-scripts PKG_VERSION:=1.2.4 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://launchpad.net/$(PKG_NAME)/1.2/$(PKG_VERSION)/+download @@ -116,6 +116,7 @@ define Package/msmtpq-ng/install $(INSTALL_DATA) ./files/msmtpq-ng.rc $(1)/etc/msmtpq-ng.rc $(INSTALL_DIR) $(1)/usr/bin $(CP) $(PKG_BUILD_DIR)/src/usr/bin/msmtpq-ng $(1)/usr/bin/ + $(SED) "s,nc -vz,printf \"HEAD / HTTP/1.1\\\\r\\\\nHost: \$$$${EMAIL_CONN_TEST_SITE}\\\\r\\\\n\\\\r\\\\n\"|nc," $(1)/usr/bin/msmtpq-ng $(CP) $(PKG_BUILD_DIR)/src/usr/bin/msmtpq-ng-queue $(1)/usr/bin/ endef diff --git a/mail/msmtp-scripts/files/msmtpq-ng-mta.rc b/mail/msmtp-scripts/files/msmtpq-ng-mta.rc index f4637ff42..bb1536adb 100644 --- a/mail/msmtp-scripts/files/msmtpq-ng-mta.rc +++ b/mail/msmtp-scripts/files/msmtpq-ng-mta.rc 
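Review bot: The added `$(SED)` line in `Package/msmtpq-ng/install` succeeds even when the text `nc -vz` is no longer present in upstream's `msmtpq-ng`, so a later version bump could silently ship the unpatched test while the rc files default to `EMAIL_CONN_TEST=n`. Consider a following recipe line that fails the build when the replacement is absent, for example `grep -q 'HEAD / HTTP/1.1' $(1)/usr/bin/msmtpq-ng`. The replacement also puts `${EMAIL_CONN_TEST_SITE}` inside the `printf` format string, so a `%` or backslash in that setting would be interpreted by `printf`; a `%s` placeholder with the site passed as an argument avoids this. The commit message describes the replacement as `printf ""|nc`, which does not match the HTTP `HEAD` request that is actually substituted. The define starts outside the hunk.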
@@ -14,9 +14,9 @@ #MSMTPQ_NG=msmtpq-ng #MSMTPQ_NG_QUEUE=msmtpq-ng-queue #MSMTP_CONF=/etc/msmtprc -#EMAIL_CONN_TEST=p -EMAIL_CONN_TEST_PING=openwrt.org +EMAIL_CONN_TEST=n +#EMAIL_CONN_TEST_PING=openwrt.org #EMAIL_CONN_TEST_IP=8.8.8.8 -#EMAIL_CONN_TEST_SITE=www.debian.org +EMAIL_CONN_TEST_SITE=openwrt.org #MSMTP_HOLD_SMTP_MAIL=true #MSMTP_HOLD_CLI_MAIL=false diff --git a/mail/msmtp-scripts/files/msmtpq-ng.rc b/mail/msmtp-scripts/files/msmtpq-ng.rc index 33d721c28..ef8c0f051 100644 --- a/mail/msmtp-scripts/files/msmtpq-ng.rc +++ b/mail/msmtp-scripts/files/msmtpq-ng.rc @@ -4,10 +4,10 @@ #LOG=~/log/.msmtp.queue.log #MAXLOGLEVEL=7 #MSMTP_LOCK_DIR=~/.msmtp.lock -EMAIL_CONN_TEST=p -EMAIL_CONN_TEST_PING=openwrt.org +EMAIL_CONN_TEST=n +#EMAIL_CONN_TEST_PING=openwrt.org #EMAIL_CONN_TEST_IP=8.8.8.8 -#EMAIL_CONN_TEST_SITE=www.debian.org +EMAIL_CONN_TEST_SITE=openwrt.org #MSMTP_UMASK=077 #MSMTP_LOG_UMASK=077 #MSMTP_QUEUE_QUIET=false From b9cc3cf269cac6e2a50e47e63c557533f91dee4d Mon Sep 17 00:00:00 2001 From: "Daniel F. Dickinson" Date: Tue, 27 Aug 2019 05:57:51 -0400 Subject: [PATCH 2/3] msmtp-scripts: Fix spool/lock dir permissions If the spool or lock dir exist before msmtp's initscript runs we need to modify the permisions to be appropriate instead of just bailing, otherwise non-root can't send mail. Signed-off-by: Daniel F. Dickinson --- mail/msmtp-scripts/files/msmtpq-ng-mta.init | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/mail/msmtp-scripts/files/msmtpq-ng-mta.init b/mail/msmtp-scripts/files/msmtpq-ng-mta.init index 3012a28cb..1636d58bf 100644 --- a/mail/msmtp-scripts/files/msmtpq-ng-mta.init +++ b/mail/msmtp-scripts/files/msmtpq-ng-mta.init 
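Review bot: With `EMAIL_CONN_TEST=n` and `EMAIL_CONN_TEST_SITE=openwrt.org` now the active defaults here and in the `msmtpq-ng.rc` hunk that follows, neither file tells the admin what the `n` test does or that it contacts a third-party host. Going by the `$(SED)` substitution in the package Makefile, the test pipes a plaintext HTTP `HEAD` request for that site through `nc`, so each connectivity check is visible on the network path and depends on openwrt.org being reachable. A comment above the setting would make that explicit, e.g. `# n: netcat test, sends a plaintext HTTP HEAD to EMAIL_CONN_TEST_SITE; set it to a host you operate or trust`. The port and the rest of the nc invocation live in the upstream script and are not visible in this patch.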
@@ -4,12 +4,16 @@ START=90 boot() { - [ ! -d /var/spool/msmtp ] && { + if [ ! -d /var/spool/msmtp ]; then mkdir -m1777 -p /var/spool/msmtp - } + else + chmod 1777 /var/spool/msmtp + fi - [ ! -d /var/lock/msmtp ] && { + if [ ! -d /var/lock/msmtp ]; then mkdir -m1777 -p /var/lock/msmtp - } + else + chmod 1777 /var/spool/msmtp + fi } From f76408af486fa7bdfd4cd8ddef2fcc76ab0fd9c4 Mon Sep 17 00:00:00 2001 From: "Daniel F. Dickinson" Date: Tue, 27 Aug 2019 07:38:51 -0400 Subject: [PATCH 3/3] msmtp-scripts: Add msmtprc permission docs There is a wrinkle in terms of sending mail immediately when using msmtpq-ng-mta instead of a typical mail server. We document that in the package description. Signed-off-by: Daniel F. Dickinson --- mail/msmtp-scripts/Makefile | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/mail/msmtp-scripts/Makefile b/mail/msmtp-scripts/Makefile index 34242434e..f965ebb83 100644 --- a/mail/msmtp-scripts/Makefile +++ b/mail/msmtp-scripts/Makefile 
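Review bot: The second `else` branch repeats `chmod 1777 /var/spool/msmtp`, so an already existing `/var/lock/msmtp` keeps whatever mode it had and non-root users may still be unable to take the lock, which is the case this commit sets out to fix. The line should read `chmod 1777 /var/lock/msmtp`. Since both directories are world-writable with the sticky bit, it is also worth a short comment in `boot()` stating that this mode is intentional so unprivileged senders can queue mail, and that queue files themselves rely on the scripts' umask settings for confidentiality (the rc files show `MSMTP_UMASK=077` only as a commented default, so confirm the effective value).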
@@ -74,6 +74,40 @@ define Package/msmtpq-ng-mta/description and postsuper symlinks to wrappers that configure msmtpq-ng for use as the system mail transport agent via the sendmail command. + +**NB**: In order for msmtpq-ng-mta aka sendmail to +send mail for non-root users (not just queue it +after failing), the user must have permissions to +access /etc/msmtprc -- package msmtp sets msmtprc +to rw only by root by default as a security measure +(it _can_ contain information like passwords with +which to send mail through your email server). + +There are a couple of choices. One is to leave +the default permissions (in which cases the mail +will queue and fail to send until the mailq -q +runner which runs in a root crontab sends the mail). +Another is to give any non-root daemon users (or +any other users) group access (i.e. create a +group for all the users who should be able to +send mail, add the users to it, and give the +group read-only permissions on the msmtrpc). +A final option (which is only resonable if you +have no secrets in msmtprc because you are +sending unauthenticated mail to a server that +accepts mail directly for the intended user -- +usually that means a self-hosted system mail +server, rather than trying to send mail to +public servers (which don't typically accept +mail from normal user IP addresses, even if +you ISP doesn't block the traffic) is to +make msmtprc world readable. + +The first option is probably the best choice +for most users, as it just means a 15 +minute delay in the mail getting off the +system, and doesn't involve special permissions +for non-root daemons or users. endef define Package/msmtpq-ng-mta-smtpd
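Review bot: The group-access option in the added description names the file as `msmtrpc`, which a reader copying the path will get wrong; it should be `msmtprc`, and `/etc/msmtprc` would match the first paragraph. The same option would be safer with the ownership and mode spelled out, for instance `owned by root with the mail group, mode 0640`, so nobody grants group write to a file that can hold SMTP credentials. In the third option the parenthesis opened at `(which is only resonable` is never closed before `is to make msmtprc world readable`, and `resonable` and `you ISP` are typos for `reasonable` and `your ISP`. The enclosing `define Package/msmtpq-ng-mta/description` starts outside the hunk.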