
Mailing List Archive: Qmail: users

New to qmail install. Op not permitted

 

 



nyctelecomm at gmail

Nov 13, 2009, 9:27 AM

Post #1 of 8 (2152 views)
Permalink
New to qmail install. Op not permitted

Have worked with qmail in the past, love it, and am now building a rock solid gentoo server, and qmail just made sense.
Did the gentoo handbook (with other systems, the emerge management system is wonderful normally).
Got all the way through the installation process. All the tentative checks show system is ready for DNS transfer on first test domain. I could even see the local test emails hit users. I was real excited that everything was going so smooth.

Check, re check, reboot ....... And it has been all downhill from there.

Server rebooted; there were zero errors in any log.

The gentoo handbook has you install vpopmail and imapd both from emerge. Outside of scanner and antivirus, it is a very lean installation.

With all appropriate listen ports up and running, I tried to login my first outlook client. Added the new user, went to client station, point the ssl setting etc, after one or two silly mistakes, outlook flashed a certificate authorization and I thought I was home free.
Auth failed:
Jumped to the logs
Operation not permitted???
Huh?
I tried every possible user and user combination including root and the default install user.
Always "operation not permitted".
Hit the man pages;
Found in the man pages how qmail interacts with authd.
Tried authtest username
Operation not permitted!

Life with qmail is not much help. The qmailctl does not even exist on the emerge version, so I am dealing with a few different tools.

Any suggestions would REALLY be appreciated.
Sent via BlackBerry from T-Mobile


clive at serendipita

Nov 13, 2009, 10:03 AM

Post #2 of 8 (2063 views)
Permalink
Re: New to qmail install. Op not permitted [In reply to]

On 13/11/2009 17:27, nyctelecomm [at] gmail wrote:
> Have worked with qmail in the past, love and now building a rock solid gentoo server and qmail just made sense.
> Did the gentoo handbook (with other systems, the emerge management system is wonderful normally).
> Got all the way through the installation process. All the tentative checks show system is ready for DNS transfer on first test domain. I could even see the local test emails hit users. I was real excited that everything was going so smooth.
>
> Check, re check, reboot ....... And it has been all downhill from there.
>
> Server rebooted there were zero errors in any log.
>
> The gentoo handbook has you install vpopmail and imapd both from emerge. Outside of scanner and antivirus, it is a very lean installation.
>
> With all appropriate listen ports up and running, I tried to login my first outlook client. Added the new user, went to client station, point the ssl setting etc, after one or two silly mistakes, outlook flashed a certificate authorization and I thought I was home free.
> Auth failed:
> Jumped to the logs
> Operation not permitted???
> Huh?
> I tried every possible user and user combination including root and the default install user.
> Always "operation not permitted".
> Hit the man pages;
> Found in the man pages how qmail interacts authd.
> Tried authtest username
> Operation not permitted!
>
> Life with qmail is not much help. The qmailctl does not even exist on the emerge version, so I am dealing with a few different tools.
>
> Any suggestions would REALLY be appreciated.
> Sent via BlackBerry from T-Mobile

Wild guess - is SELINUX enabled?

--
This message has been scanned for viruses and
dangerous content by OpenProtect(http://www.openprotect.com), and is
believed to be clean.


nyctelecomm at gmail

Nov 13, 2009, 10:31 AM

Post #3 of 8 (2056 views)
Permalink
Re: New to qmail install. Op not permitted [In reply to]

Nope!
------Original Message------
From: Clive Eisen
To: nyctelecomm [at] gmail
Cc: qmail [at] list
Subject: Re: New to qmail install. Op not permitted
Sent: Nov 13, 2009 1:03 PM

On 13/11/2009 17:27, nyctelecomm [at] gmail wrote:
> Have worked with qmail in the past, love and now building a rock solid gentoo server and qmail just made sense.
> Did the gentoo handbook (with other systems, the emerge management system is wonderful normally).
> Got all the way through the installation process. All the tentative checks show system is ready for DNS transfer on first test domain. I could even see the local test emails hit users. I was real excited that everything was going so smooth.
>
> Check, re check, reboot ....... And it has been all downhill from there.
>
> Server rebooted there were zero errors in any log.
>
> The gentoo handbook has you install vpopmail and imapd both from emerge. Outside of scanner and antivirus, it is a very lean installation.
>
> With all appropriate listen ports up and running, I tried to login my first outlook client. Added the new user, went to client station, point the ssl setting etc, after one or two silly mistakes, outlook flashed a certificate authorization and I thought I was home free.
> Auth failed:
> Jumped to the logs
> Operation not permitted???
> Huh?
> I tried every possible user and user combination including root and the default install user.
> Always "operation not permitted".
> Hit the man pages;
> Found in the man pages how qmail interacts authd.
> Tried authtest username
> Operation not permitted!
>
> Life with qmail is not much help. The qmailctl does not even exist on the emerge version, so I am dealing with a few different tools.
>
> Any suggestions would REALLY be appreciated.
> Sent via BlackBerry from T-Mobile

Wild guess - is SELINUX enabled?




Sent via BlackBerry from T-Mobile


mducharme at cybergeneration

Nov 13, 2009, 11:20 AM

Post #4 of 8 (2061 views)
Permalink
RE: New to qmail install. Op not permitted [In reply to]

> -----Original Message-----
> From: nyctelecomm [at] gmail [mailto:nyctelecomm [at] gmail]
> Sent: November 13, 2009 12:28
> To: qmail [at] list
> Subject: New to qmail install. Op not permitted
>
> Have worked with qmail in the past, love and now building a rock solid
> gentoo server and qmail just made sense.
> Did the gentoo handbook (with other systems, the emerge management system
> is wonderful normally).
> Got all the way through the installation process. All the tentative checks
> show system is ready for DNS transfer on first test domain. I could even
> see the local test emails hit users. I was real excited that everything
> was going so smooth.
>
> Check, re check, reboot ....... And it has been all downhill from
> there.
>
> Server rebooted there were zero errors in any log.
>
> The gentoo handbook has you install vpopmail and imapd both from emerge.
> Outside of scanner and antivirus, it is a very lean installation.
>
> With all appropriate listen ports up and running, I tried to login my
> first outlook client. Added the new user, went to client station, point
> the ssl setting etc, after one or two silly mistakes, outlook flashed a
> certificate authorization and I thought I was home free.
> Auth failed:
> Jumped to the logs
> Operation not permitted???
> Huh?
> I tried every possible user and user combination including root and the
> default install user.
> Always "operation not permitted".
> Hit the man pages;
> Found in the man pages how qmail interacts authd.
> Tried authtest username
> Operation not permitted!


Hi

I remember seeing this message while a local firewall prohibited local
processes from accessing local ports.

Maybe a look at iptables boot configuration could help.

Maxime


>
> Life with qmail is not much help. The qmailctl does not even exist on the
> emerge version, so I am dealing with a few different tools.
>
> Any suggestions would REALLY be appreciated.
> Sent via BlackBerry from T-Mobile


nyctelecomm at gmail

Nov 13, 2009, 12:01 PM

Post #5 of 8 (2072 views)
Permalink
Re: New to qmail install. Op not permitted [In reply to]

One of the things I love about gentoo is that it comes with little security with most systems turned off to be lean like bsd.
No firewall, no iptables and the cisco router on the network has only nat.
We're doing security last since this is a new network.
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: "Maxime Ducharme" <mducharme [at] cybergeneration>
Date: Fri, 13 Nov 2009 14:20:20
To: <qmail [at] list>
Cc: <nyctelecomm [at] gmail>
Subject: RE: New to qmail install. Op not permitted

> -----Original Message-----
> From: nyctelecomm [at] gmail [mailto:nyctelecomm [at] gmail]
> Sent: November 13, 2009 12:28
> To: qmail [at] list
> Subject: New to qmail install. Op not permitted
>
> Have worked with qmail in the past, love and now building a rock solid
> gentoo server and qmail just made sense.
> Did the gentoo handbook (with other systems, the emerge management system
> is wonderful normally).
> Got all the way through the installation process. All the tentative checks
> show system is ready for DNS transfer on first test domain. I could even
> see the local test emails hit users. I was real excited that everything
> was going so smooth.
>
> Check, re check, reboot ....... And it has been all downhill from
> there.
>
> Server rebooted there were zero errors in any log.
>
> The gentoo handbook has you install vpopmail and imapd both from emerge.
> Outside of scanner and antivirus, it is a very lean installation.
>
> With all appropriate listen ports up and running, I tried to login my
> first outlook client. Added the new user, went to client station, point
> the ssl setting etc, after one or two silly mistakes, outlook flashed a
> certificate authorization and I thought I was home free.
> Auth failed:
> Jumped to the logs
> Operation not permitted???
> Huh?
> I tried every possible user and user combination including root and the
> default install user.
> Always "operation not permitted".
> Hit the man pages;
> Found in the man pages how qmail interacts authd.
> Tried authtest username
> Operation not permitted!


Hi

I remember seeing this message while a local firewall prohibited local
processes from accessing local ports.

Maybe a look at iptables boot configuration could help.

Maxime


>
> Life with qmail is not much help. The qmailctl does not even exist on the
> emerge version, so I am dealing with a few different tools.
>
> Any suggestions would REALLY be appreciated.
> Sent via BlackBerry from T-Mobile


lists-qmail at maexotic

Nov 13, 2009, 12:26 PM

Post #6 of 8 (2058 views)
Permalink
Re: New to qmail install. Op not permitted [In reply to]

Nice story, but:

- how is the imapd started (show us the startline)
- which id is the imapd run under?
- how are the users and password configured?
- where is the location of these?
- does the process the imapd is run under have access to it
- how does imapd verify?
- show us the configuration of the verifier?
- which logfile do you get the error message from
- show us the full line of the error message (and maybe 2 lines above and below)

\Maex


nyctelecomm at gmail

Nov 14, 2009, 10:17 AM

Post #7 of 8 (2037 views)
Permalink
RE: New to qmail install. Op not permitted [In reply to]

Qmail is started with a run '/var/qmail/supervise/qmail-send/run'
I was expecting qmailctl, but that file does not exist on my system.

Here is a section of output from ps -aux
root 6209 0.0 0.0 3836 456 ? Ss Nov11 0:02 /usr/bin/svscan /service
root 6212 0.0 0.0 3664 404 ? S Nov11 0:00 supervise qmail-send
root 6213 0.0 0.0 3664 404 ? S Nov11 0:00 supervise log
qmails 6214 0.0 0.0 3848 500 ? S Nov11 0:00 qmail-send
qmaill 6216 0.0 0.0 3676 396 ? S Nov11 0:00 /usr/bin/multilog t s2500000 n10 /var/log/qmail/qmail-send
root 6220 0.0 0.0 3664 408 ? S Nov11 0:00 supervise qmail-qmtpd
root 6222 0.0 0.0 3664 404 ? S Nov11 0:00 supervise qmail-pop3d
root 6233 0.0 0.0 3664 408 ? S Nov11 0:00 supervise qmail-qmqpd
qmaild 6237 0.0 0.0 3696 408 ? S Nov11 0:00 /usr/bin/tcpserver -p -v -R -x
qmaild 6242 0.0 0.0 5924 608 ? S Nov11 0:02 /usr/bin/tcpserver -p -v -R -x /etc/tcprules.d/tcp.qmail-smtp.cdb -c 40 -u 201 -g 200 0.0.0.0 smtp /var/qmail/bin/qmail-smtpd /var/vpopmail/bin/vchkpw /bin/true
qmaill 6262 0.0 0.0 3808 464 ? S Nov11 0:01 /usr/bin/multilog t s2500000 n10 /var/log/qmail/qmail-smtpd
root 6263 0.0 0.0 3808 420 ? S Nov11 0:00 qmail-lspawn # Uncomment the next line for .forward support?#|dot-forward .forward?./.maildir/
qmailr 6267 0.0 0.0 3804 440 ? S Nov11 0:00 qmail-rspawn


My test user was created with vadduser and I also tried creating a system
account and all failed. Even tried root. I had a short stroke of genius to
grab a packet capture of the auth exchange and then it hit me during the
capture that SSL would hide the entire conversation, but it did raise an
interesting question. Could authd be miscommunicating ssl? My cert looks in
order.

The location of the users goes to the vpopmail dir.
'/var/vpopmail/domains/blah.com/testuser'

The permissions look correct:
/var/vpopmail/domains/blah.com:
total 16
drwx------ 3 vpopmail 4096 Nov 11 09:03 .
drwxr-xr-x 6 vpopmail 4096 Nov 11 09:03 ..
-rw------- 1 vpopmail 54 Nov 11 09:03 .qmail-default
drwx------ 3 vpopmail 4096 Nov 11 09:03 postmaster


I am not sure how it verifies or its method to be honest with you. Looked
into this for a while but never found the answer.

Log output:
Nov 14 11:28:32 Gentoo-DC1 imapd-ssl: Connection, ip=[::ffff:192.168.0.53]
Nov 14 11:28:32 Gentoo-DC1 imapd-ssl: LOGIN FAILED, user=testuser [at] blah, ip=[::ffff:192.168.0.53]

And

/usr/sbin/authtest brads [at] blah
Authentication FAILED: Operation not permitted




-----Original Message-----
From: Markus Stumpf [mailto:lists-qmail [at] maexotic]
Sent: Friday, November 13, 2009 3:26 PM
To: nyctelecomm [at] gmail
Cc: qmail [at] list
Subject: Re: New to qmail install. Op not permitted

Nice story, but:

- how is the imapd started (show us the startline)
- which id is the imapd run under?
- how are the users and password configured?
- where is the location of these?
- does the process the imapd is run under have access to it
- how does imapd verify?
- show us the configuration of the verifier?
- which logfile do you get the error message from
- show us the full line of the error message (and maybe 2 lines above and
below)

\Maex


lists-qmail at maexotic

Nov 17, 2009, 11:47 AM

Post #8 of 8 (2001 views)
Permalink
Re: New to qmail install. Op not permitted [In reply to]

Sorry for the late answer.

On Sat, Nov 14, 2009 at 01:17:41PM -0500, Brad Sumrall wrote:
[ ... processlist ... ]

None of those showed the imapd process.

> I am not sure how it verifies or its method to be honest with you. Looked
> into this for a while but never found the answer.

The auth with vpopmail is done with vchkpw: /var/vpopmail/bin/vchkpw

As you are using authd I guess you want passwordless user auth simply
by user certificates. This means that besides adding the users with
vpopmail you would need to give signed certificates to the user that they
have to install in their clients.
This also means that somehow the authd would have to know about your
vpopmail setup, so that imapd can access the correct mailboxes for the
users.

> Log output:
> Nov 14 11:28:32 Gentoo-DC1 imapd-ssl: Connection, ip=[::ffff:192.168.0.53]
> Nov 14 11:28:32 Gentoo-DC1 imapd-ssl: LOGIN FAILED, user=testuser [at] blah,
> ip=[::ffff:192.168.0.53]

you have to find where imapd gets its configuration from.
It would also be probably helpful to find out which imapd you are using.

> /usr/sbin/authtest brads [at] blah
> Authentication FAILED: Operation not permitted

you could try doing a
# strace -f /usr/sbin/authtest brads [at] blah
and maybe you get a clue what causes the "Operation not permitted".

\Maex
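
One way to read the trace that the strace suggestion in the last post produces, as an added example that is not part of the original thread: it assumes the trace was saved with `strace -f -o authtest.trace ...` (one `PID syscall(...) = result` line per call) and lists only the calls that failed with a permission-type errno. The helper names `strace_failures` and `sample_trace`, the trace file name, and every path in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: list failed syscalls from a saved strace log, e.g. one from
#   strace -f -o authtest.trace /usr/sbin/authtest <user>

# strace_failures FILE [ERRNOS]
#   FILE   trace file, or "-" for stdin
#   ERRNOS errno names to report, "|"-separated (default: EPERM|EACCES)
# Prints one line per failing call: PID SYSCALL ERRNO FIRST-QUOTED-ARGUMENT
strace_failures() {
    awk -v want="^(${2:-EPERM|EACCES})\$" '
    / = -1 E[A-Z0-9]+ / {
        pid = $1
        call = $2
        if (call == "<...") call = $3      # "<... connect resumed>" lines
        sub(/\(.*/, "", call)              # drop "(" and the arguments
        err = ""
        for (i = 2; i < NF; i++)
            if ($i == "-1" && $(i - 1) == "=") err = $(i + 1)
        if (err !~ want) next
        target = "-"                       # first quoted arg is usually the path
        if (match($0, /"[^"]*"/)) target = substr($0, RSTART + 1, RLENGTH - 2)
        print pid, call, err, target
    }' "$1"
}

# Constructed sample in "strace -f -o" format; not output from the thread.
sample_trace() {
    cat <<'EOF'
6301 open("/etc/ld.so.cache", O_RDONLY) = 3
6301 open("/usr/lib/libexample.so", O_RDONLY) = -1 ENOENT (No such file or directory)
6301 socket(PF_FILE, SOCK_STREAM, 0) = 3
6301 connect(3, {sa_family=AF_FILE, path="/tmp/example/socket"}, 110) = -1 EACCES (Permission denied)
6302 open("/tmp/example/passwd.cdb", O_RDONLY) = -1 EPERM (Operation not permitted)
6301 exit_group(1) = ?
EOF
}

# Demo: show only the permission failures in the sample.
sample_trace | strace_failures -
```

If nothing is reported with the default filter, widen the second argument (for example `'ENOENT|ECONNREFUSED'`), since the printed error text may come from a library setting `errno` itself rather than from a failed system call.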
