ListMailPRO Email Marketing Software Forums
ListMailPRO Email Marketing Software Forums => General Help & How-To => Topic started by: scitools on December 18, 2006, 10:07:17 am
-
Hi,
Our mail server uses Postfix. But when I test bouncing, I get this back:
<lmp-bounce@scitools.com>: Command died with status 1:
"/virtual/scitools.com/ListMail/cgi/bounce.cgi". Command output: local:
fatal: execvp /web/scitools.com/ListMail/cgi/bounce.cgi: No such file
or directory
Now, I know that that path exists. I can paste it out of this message into a more command and see the file:
more /web/scitools.com/ListMail/cgi/bounce.cgi
works.
And I know the mod is "0755".
Is there some magic to making ListMail work with Postfix that I'm not aware of? I notice the help says it only supports Sendmail and Qmail. Am I just out of luck?
I've searched the forums and found nothing on this.
Thanks,
Ken
-
I figured this out. It had to do with Postfix not liking #!/usr/bin/perl at the top of the script.
I'm a bit disappointed by the slow support response. Or lack of response.
-
> I'm a bit disappointed by the slow support response. Or lack of response.
I agree... response times appear to be long but it's also the holidays so who knows ...... :?:
-
Sorry about the delay - remember this is 100% free support :) - for high-priority hands-on assistance please order Tech Support (http://listmailpro.com/support). I'm glad you were able to get the problem sorted out! I would have suggested that your site could have been running in a 'chroot' environment and the mailer might not have been able to reach the file.
Sometimes bash or sh shells will not like the shebang (#!/usr/bin/perl) line at the top of the script if the file contains DOS line breaks instead of Linux ones. Try using a text editor that can save Linux "bare LF" line feeds.
Please let me know if I can be of further assistance!
Regards
-
Hi Dean and Merry Christmas,
I have a similar problem, but I don't think shebang has anything to do with it. My shebang is correct and error log doesn't complain about that. Actually, I don't understand how a cgi script could run without shebang.
However, when I send an email to signup to list 1 it bounces with the following message:
status=bounced (Command died with status 1: "/home/useralias/public_html/cgi-bin/signup-list1.cgi"
It looks like the .forward file, located in the useralias directory, with the above pipe in it can't send the email message to the cgi-bin or perhaps when it gets there perl can't parse the email message.
At any rate when I use the command setenforce 0 everything works just great. FYI I have previously set the correct context label recursively for the cgi-bin so signup-list1.cgi will execute under selinux, and chmod 755.
Is there anything I can do to get everything working without using the command setenforce 0?
I've been hacked so many times this year I don't want to turn off the security enhanced linux, i.e. selinux. Perhaps I need to change a policy file?
Any suggestions would be greatly appreciated. Thank you very much for all your help!
-
Greetings,
Do you have the same problem setting up the bounce.cgi script?
Are you using the pipe character before the path to the .cgi script? ie, in your /etc/aliases or /etc/postfix/aliases (or /etc/postfix/virtual - sadly I'm not a postfix expert yet :( )
bounce@example.com: "|/home/useralias/public_html/cgi-bin/signup-list1.cgi"
You might want to try adding /usr/bin/perl, as follows:
bounce@example.com: "|/usr/bin/perl /home/useralias/public_html/cgi-bin/signup-list1.cgi"
Do you know if your server supports a .forward.postfix file similar to DreamHost so we might use procmail instead of aliases? (see here (http://www.listmailpro.com/help/cgi_dreamhost.html)).
My suggestions likely won't help but maybe you've figured it out by now or have some new ideas. :) Please let me know if you still can't get it and/or have a new error message.
Regards, DW
-
Greetings,
Thank you for your prompt and helpful remarks.
I will try using your examples in the .forward file, however as I mentioned just as soon as I turn off selinux everything works like a charm.
I changed some context labels and tried different directories now I get the following error:
Permission denied: exec of '/home/domain.net/public_html/cgi-bin/support4u/signup-list1.cgi' failed
[Thu Dec 21 16:13:23 2006] [error] Premature end of script headers: signup-list1.cgi
Remember, as soon as I turn off selinux, ie setenforce=0, everything works just fine.
This is a permission problem with security enhanced linux. Postfix works fine with .forward but it looks like I may have to create sort of a throw away domain just so I can use the cgi-bin exclusively for ListMail, since I feel compelled to continue using selinux.
Right now it looks like nested or subdirectories in the cgi-bin are no longer permitted with selinux, i.e. only stuff in the /cgi-bin/ not /cgi-bin/support4u/, unless of course you change the ScriptAlias specifically in the Apache <VirtualHost> directives.
I have created a ScriptAlias for the useralias directory in Apache configuration, but so far selinux still complains, perhaps because there is no DNS associated with it. Apache doesn't complain about the change in configuration so something may be right.
At any rate I will let you know if I find a work around for selinux and using ListMail. It's a tough nut to crack, but that's what I need. Hacked twice from Brazil this year.
Merry Christmas and thank you very much for your response. I can't believe that a few actually complain about response times. I would wait for days to get expert help, especially for free! Thanks again
Kind Regards,
Frank Eckdall
PD & FYI:
I use "chcon -h -t system_u:object_r:httpd_sys_script_exec_t -R cgi-bin" to set the context label for cgi-bin and its scripts.
-
Hi Dean,
I lament to tell you I have failed trying to get signup-list1.cgi to execute successfully with selinux turned on, even though I have changed the extended attribute or context label to system_u:object_r:httpd_sys_script_exec_t for the cgi script. I have also used chmod 755 and 777.
I used your suggestion and included the path to perl inside the .forward file and got the following error message:
Diagnostic-Code: X-Postfix; Command died with status 13: " /usr/bin/perl
/home/domain.net/public_html/cgi-bin/signup-list1.cgi". Command output:
Can't open perl script
"/home/domain.net/public_html/cgi-bin/signup-list1.cgi": Permission denied
All of the php seems to be working just fine. Would it be possible to use a php script to parse and send the email information to signup.php, instead of signup-list1.cgi?
Please let me know if you or someone else can potentially figure this out because keeping selinux turned on is a must after so many attacks.
Thanks beforehand,
Frank Eckdall
P.D. I'm using Fedora Core 4 downgraded from php 5 to php4, essentially the same thing as Red Hat Enterprise Linux 4 upgrade 3.
-
Hi Frank,
Thanks for your kind comment and for forwarding so many details. I have a good understanding of Linux systems but little experience with selinux and postfix, which makes for some difficult troubleshooting. Perhaps I can help by pointing out something obvious:
> Command output:
> Can't open perl script
> "/home/domain.net/public_html/cgi-bin/signup-list1.cgi": Permission denied
For the most part I manage Plesk/qmail servers. On these servers in order for the mailer to be able to reach CGI scripts in the users' cgi-bin folder, the cgi-bin folder must be chmod +x to be accessible by the mailer or a similar Permission denied error happens. You could try making sure that all parent folders to your cgi-bin folder are +x to be sure all users (particularly the mail-forwarding user) can browse to it.
What is the error with the new signup-list1.cgi location and without the /usr/bin/perl command-line prefix? Do you get the same "Permission denied" message?
> All of the php seems to be working just fine. Would it be possible to use a php script to parse and send the email information to signup.php, instead of signup-list1.cgi?
No, at this time ListMail's signup-by-email feature can only be set up using email forwarding/aliases - a mailbox that is checked by PHP script is currently not supported.
Regards
-
Merry Christmas Dean!
I have used chmod 755 and 777 on the signup-list1.cgi script plus chmod 755 and 777 on the cgi-bin. I think that's what you are asking me to do.
Also, I removed the /usr/bin/perl from inside the ".forward" file leaving the following "| /home/domain.net/public_html/cgi-bin/signup-list1.cgi" inside the .forward file.
A space between the pipe and the path doesn't seem to make any difference, i.e. "| /path/to/signup-list1.cgi" or "|/path/to/signup-list1.cgi" both work when selinux is turned off. Is a space between the pipe symbol and the path incorrect?
Removal of the /usr/bin/perl in forward file returns the following error message:
Command died with status 1: "
/home/domain.net/public_html/cgi-bin/signup-list1.cgi"
The error_log says the following:
local[3965]: fatal: execvp /home/domain.net/public_html/cgi-bin/signup-list1.cgi: Permission denied
postfix/smtpd[3962]: disconnect from
postfix/local[3964]: 5428E4FD: to=<support@domain.net>, relay=local, delay=1, status=bounced (Command died with status 1: " /home/domain.net/public_html/cgi-bin/signup-list1.cgi")
The message log reveals the following message:
kernel: audit(1166996009.315:18): avc: denied { getattr } for pid=3962 comm="smtpd" name="/" dev=hda1 ino=2 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:boot_t tclass=dir
kernel: audit(1166996009.315:19): avc: denied { getattr } for pid=3962 comm="smtpd" name="/" dev=hda2 ino=2 scontext=system_u:system_r:postfix_smtpd_t tcontext=system_u:object_r:home_root_t tclass=dir
kernel: audit(1166996009.387:20): avc: denied { search } for pid=3965 comm="local" name="domain.net" dev=hda2 ino=1505 scontext=system_u:system_r:postfix_local_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
I think that the audit daemon in the message log reveals what's wrong, i.e. getattr for pid denied instead of granted. However, I have the correct extended attributes applied to the cgi script and the cgi-bin, i.e. chcon system_u:object_r:httpd_sys_script_exec_t -R cgi-bin
When I turn off selinux using setenforce=0 everything works, i.e. signup is successful and get a welcome message.
Do you know anyone who could help me with this selinux policy attribute permission problem? I am willing to pay someone to help me with this. All of the attacks have wasted precious years of hard work and the black hats will take me out of the ball game sooner or later again if I turn selinux off.
Kind regards,
Frank Eckdall
P.D. I should add that I can run a simple test.cgi from the browser that reveals the message "Success!", even with selinux turned on. I hope that helps. Here is the code for the test.cgi that works with security enhanced linux turned on. Using http://domain.net/cgi-bin/test.cgi
#!/usr/bin/perl
# CGI Script "test.cgi"
# Emit the CGI header first, then the page body
print "Content-type: text/html\n\n";
print qq(
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html">
<title>Linux Home Networking</title>
</head>
<body>
Success!
</body>
</html>
);
-
> You might want to try adding /usr/bin/perl, as follows:
> bounce@example.com: "|/usr/bin/perl /home/useralias/public_html/cgi-bin/signup-list1.cgi"
> Do you know if your server supports a .forward.postfix file similar to DreamHost so we might use procmail instead of aliases? (see here (http://www.listmailpro.com/help/cgi_dreamhost.html)).
I had tried that first, but with no joy. Instead I now have two scripts for each signup. The first simply cats standard output through the second script. Apparently, Postfix on our system didn't like #!/usr/bin/perl as a shell.
Ken N.
-
Greetings,
> I have used chmod 755 and 777 on the signup-list1.cgi script plus chmod 755 and 777 on the cgi-bin. I think that's what you are asking me to do.
The permissions should be 755 at most, I believe. I remember something about CGI scripts not being executable with chmod 777, but that may be an apache restriction only relevant when browsing to the script.
> I removed the /usr/bin/perl from inside the ".forward" file leaving the following "| /home/domain.net/public_html/cgi-bin/signup-list1.cgi" inside the .forward file.
From the information available (http://www.listmailpro.com/help/cgi_dreamhost.html) this file may require double-quotes to surround the commandline. Also, make sure there is not a space between the pipe character and the path to the CGI script.
"|/home/domain.net/public_html/cgi-bin/signup-list1.cgi"
> A space between the pipe and the path doesn't seem to make any difference, i.e. "| /path/to/signup-list1.cgi" or "|/path/to/signup-list1.cgi" both work when selinux is turned off. Is a space between the pipe symbol and the path incorrect?
I am not 100% sure but as above it may be incorrect to have a space. What you report indicates it may not matter, however.
> local[3965]: fatal: execvp /home/domain.net/public_html/cgi-bin/signup-list1.cgi: Permission denied
Let's Google this, "fatal: execvp ". Interesting results: #1 (http://search.cpan.org/src/ASKSH/glist-0.9.17a10/FAQ) The second Q&A indicates the Postfix configuration may need to be updated to "allow execution" of either a specific program or in general. #2 (http://mla.libertine.org/tmda-users/2005-05/msg00047.html) This question highlights one of my first suggestions where all parent folders of /path/to/the/signup-list1.cgi (ie. /path and /path/to and /path/to/the should all be executable for all) should be able to be reached by the mailer-daemon user. Link #3 (http://www.redhat.com/archives/fedora-selinux-list/2006-March/msg00000.html) is very interesting and includes specific details about selinux - this one may be the gold mine. :)
Reading the rest of your reply I'm reassured you have extensive knowledge with configuring and troubleshooting Linux. You may have already covered everything mentioned in the links I suggested... I'm still digging... Have you seen anything like this (http://www.startcom.org/docs/en/SELinux%20Guide%20StartCom%20Enterprise%20Linux%204.0.x/selg-section-0120.html)? Perhaps you can and need to modify the selinux rules.
Regards, DW
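Dean's two file-system suggestions in this thread (DOS line endings on the #! line, and execute permission on every parent folder) can be checked with a short script. This is an added example, not part of any forum post or of ListMail; the function name preflight, the finding codes and the constructed demo tree are assumptions, and it inspects only classic permission bits, not SELinux labels.

```python
import os
import stat
import tempfile


def preflight(script, base):
    """Return (code, detail) findings that would stop a mailer exec'ing script.

    Only path components below `base` are inspected, using the "other"
    permission bits, on the assumption that the delivery user is neither
    the owner nor in the group of the web tree.
    """
    findings = []
    script = os.path.abspath(script)
    base = os.path.abspath(base)

    # 1. Each directory between base and the script needs o+x (search).
    current = base
    for name in os.path.relpath(os.path.dirname(script), base).split(os.sep):
        current = os.path.join(current, name)
        if not os.stat(current).st_mode & stat.S_IXOTH:
            findings.append(("dir-not-searchable", current))

    # 2. The script needs o+r (the interpreter reads it) and o+x.
    mode = os.stat(script).st_mode
    if not (mode & stat.S_IROTH and mode & stat.S_IXOTH):
        findings.append(("script-mode", oct(stat.S_IMODE(mode))))

    # 3. The kernel takes the #! line literally, up to the newline.
    with open(script, "rb") as fh:
        first = fh.readline()
    if not first.startswith(b"#!"):
        findings.append(("no-shebang", first[:20].decode("latin-1")))
        return findings
    line = first[2:].rstrip(b"\n")
    if line.endswith(b"\r"):
        # "/usr/bin/perl\r" is not a file, so exec reports "No such file
        # or directory" even though the script itself exists.
        findings.append(("crlf-shebang", repr(line)))
        line = line.rstrip(b"\r")
    fields = line.split()
    interpreter = fields[0].decode() if fields else ""
    if not os.path.isfile(interpreter):
        findings.append(("missing-interpreter", interpreter))
    return findings


def demo():
    """Constructed tree with two faults: check it, repair it, check again."""
    with tempfile.TemporaryDirectory() as base:
        cgi = os.path.join(base, "site", "cgi")
        os.makedirs(cgi)
        os.chmod(os.path.join(base, "site"), 0o755)
        os.chmod(cgi, 0o750)                       # fault 1: parent lacks o+x
        script = os.path.join(cgi, "bounce.cgi")
        with open(script, "wb") as fh:
            fh.write(b"#!/bin/sh\r\necho ok\r\n")  # fault 2: DOS line endings
        os.chmod(script, 0o755)
        before = preflight(script, base)

        os.chmod(cgi, 0o755)                       # repair both faults
        with open(script, "wb") as fh:
            fh.write(b"#!/bin/sh\necho ok\n")
        after = preflight(script, base)
    return [c for c, _ in before], [c for c, _ in after]


if __name__ == "__main__":
    print(demo())
```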
-
Hi Ken,
Thanks for your input. What system are you using? Fedora Core, Debian, CentOS, SUSE, Ubuntu? With selinux or without selinux?
My system Fedora Core 4, with php downgrade, doesn't like the file called .forward.postfix although I am using postfix. Everything works beautifully using just .forward, as long as selinux is turned off.
I have to admit I don't understand how you fixed your problem but it sounds very creative.
My problem, from looking at the message log and the audit daemon log, is an extended attribute problem or incorrect context label. That is to say either the cgi script signup-list1.cgi has an incorrect context label or .forward has an incorrect context label. I feel sure that I have applied the correct context label to the cgi script signup-list1.cgi which is done running the following command: chcon system_u:object_r:httpd_sys_script_exec_t -R cgi-bin
So, that only leaves the .forward file without the correct context label or extended attribute.
Kind Regards,
Frank Eckdall
P.D. To find out your current context label just run ls -al --context
-
This is a little bit over my head! :D I'm hoping for some luck with a solution soon.
-
Frank,
Here is signup-list1a:
----------------
#!/bin/sh
# Wrapper: pass the message arriving on stdin to the ListMail script via perl
cat | /usr/bin/perl /mywebroot/ListMail/cgi/signup-list1.cgi
-----------------------
It simply calls the script as provided by ListMail.
In my aliases file I have:
signup-list1: |/mywebroot/ListMail/cgi/signup-list1a.cgi
Now, it may be that somewhere in Postfix or SELinux (which we run as well) that I can authorize PERL to be a valid shell for e-mail or whatever restriction is hitting but won't bother to inform me of, but since this got me past it, and we don't have very many lists (so doubling the scripts isn't too bad), I was happy to move on.
Ken N.
-
Hi Dean,
Thank you for your help those were interesting leads.
If I was using Fedora Core 5 I could use a utility application called audit2allow to analyze the audit log to see which SELinux policies are blocking me, e.g. audit2allow -i /var/log/audit/audit.log -l, audit2allow -l -i /var/log/messages and especially the command, audit2allow -d (i.e. denials from avc or access vector cache)
This command will add the proper resources if using Fedora Core 4 or below:
yum install selinux-policy-targeted-sources selinux-policy-strict-sources
Add the output lines from the audit2allow commands above inside the local.te file located here: /etc/selinux/targeted/src/policy/domains/misc/local.te
then make and activate the new policy:
cd /etc/selinux/targeted/src/policy/
# make load
Repeat the process until audit2allow produces no output.
Be careful not to use allow for everything, just the stuff that is blocking you. dontaudit command can be used instead of allow, so it doesn't complain anymore about that particular denial.
Example of how to use dontaudit instead of allow: dontaudit httpd_sys_script_t httpd_sys_script_ro_t:dir { write };
so as to silence the complaint if it's dangerous to allow.
Kind Regards,
Frank Eckdall :wink:
P.D. Sometimes you have to run setenforce 0 to change a context label. Just don't forget to run setenforce 1 after changing a context label.
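The maillog and AVC lines Frank posted earlier in this thread can be paired by process id to see which denial actually stops the delivery, before anything is added to local.te. This is an added example, not part of any post and not audit2allow itself; the function names are assumptions and the log lines are copied from the thread.

```python
import re
from collections import defaultdict

# Lines copied from the posts above: one Postfix fatal and three AVC denials.
POSTFIX_LOG = [
    "local[3965]: fatal: execvp /home/domain.net/public_html/cgi-bin/"
    "signup-list1.cgi: Permission denied",
]
AVC_LOG = [
    'kernel: audit(1166996009.315:18): avc: denied { getattr } for pid=3962 '
    'comm="smtpd" name="/" dev=hda1 ino=2 '
    'scontext=system_u:system_r:postfix_smtpd_t '
    'tcontext=system_u:object_r:boot_t tclass=dir',
    'kernel: audit(1166996009.315:19): avc: denied { getattr } for pid=3962 '
    'comm="smtpd" name="/" dev=hda2 ino=2 '
    'scontext=system_u:system_r:postfix_smtpd_t '
    'tcontext=system_u:object_r:home_root_t tclass=dir',
    'kernel: audit(1166996009.387:20): avc: denied { search } for pid=3965 '
    'comm="local" name="domain.net" dev=hda2 ino=1505 '
    'scontext=system_u:system_r:postfix_local_t '
    'tcontext=system_u:object_r:httpd_sys_content_t tclass=dir',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FATAL_RE = re.compile(r"(?P<daemon>\w+)\[(?P<pid>\d+)\]: fatal: (?P<msg>.*)")


def parse_avc(line):
    """Split one 'avc: denied' message into the fields a policy rule needs."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"])}
    return {
        "pid": int(kv["pid"]),
        "comm": kv["comm"],
        "name": kv.get("name", "?"),
        "perms": m["perms"].split(),
        # user:role:type[:level] -> the type is always the third field
        "source": kv["scontext"].split(":")[2],
        "target": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }


def rule_text(d, keyword="allow"):
    """Render a denial in the rule syntax used in local.te."""
    return f"{keyword} {d['source']} {d['target']}:{d['tclass']} {{ {' '.join(d['perms'])} }};"


def explain_fatals(postfix_lines, avc_lines):
    """Pair each fatal Postfix line with the denials logged for the same pid."""
    by_pid = defaultdict(list)
    for d in filter(None, map(parse_avc, avc_lines)):
        by_pid[d["pid"]].append(d)
    report = []
    for line in postfix_lines:
        m = FATAL_RE.search(line)
        if m:
            report.append((m["msg"], [rule_text(d) for d in by_pid[int(m["pid"])]]))
    return report


def other_denials(postfix_lines, avc_lines):
    """Denials from pids with no fatal line: review each one separately."""
    fatal_pids = {int(m["pid"]) for m in map(FATAL_RE.search, postfix_lines) if m}
    return [(d["comm"], d["name"], rule_text(d))
            for d in filter(None, map(parse_avc, avc_lines))
            if d["pid"] not in fatal_pids]


if __name__ == "__main__":
    print(explain_fatals(POSTFIX_LOG, AVC_LOG))
    print(other_denials(POSTFIX_LOG, AVC_LOG))
```

Here the only denial tied to the failed execvp is postfix_local_t being refused search on the domain.net directory labelled httpd_sys_content_t; the label on cgi-bin is not what was denied. An allow rule on types applies to every object carrying that label, so each candidate is reviewed rather than pasted wholesale.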
-
Thank you Dean!
and
Thank you Ken!
A solution has been found.
Thank you for all your help!
Yours very sincerely and respectfully,
Frank F Eckdall
P.D. Happy New Year
-
Hi Dean,
The solution I found here suddenly stopped working. I have no idea why, so I studied up on tuning the policy file with audit2allow etc..
I have changed the policy so that I have no more denied pid, services or daemons, with respect to postfix.
Here is what the maillog says:
postfix/local[23561]: 9DC8D530: to=<useraliase@mydomain.net>, relay=local, delay=1, status=sent (delivered to command: /home/useralias/public_html/cgi-bin/signup-list1.cgi)
As you can see there are no more permission problems and the email user is indeed signed up to the list, in fact to any list I choose, however now the problem is that a Welcome Email is not sent.
I need a clue here. Do you have any idea why I am able to signup successfully, i.e. by sending an email to signup-list1.cgi via the following code: useraliase: "|/home/useralias/public_html/cgi-bin/signup-list1.cgi" inside the /etc/postfix/aliases file? Yet no Welcome Email is ever sent!
Thanks Beforehand.
Regards,
Frank Eckdall
P.D. Perhaps I should add that I can go into ListMail Pro and manually send the welcome email to the newly signed up user. I hope that helps. FYI Turning off SELinux does not resolve this problem :)
-
Hi Frank,
If the user is added to ListMail they should be sent the welcome message, if enabled for that list, immediately afterwards from the same script. The message is sent with the PHP mail() function and I don't see a reason why that wouldn't be able to run... You report the welcome message works when manually adding users - what about from a standard signup form? (Or right from the "List Settings" -> "Signup Code" preview) If manual addition and signup both work, and the signup.cgi scripts used to work, I'm stumped. :(
Regards
-
Hi Dean,
Thank you for your response.
Yes, the "Send welcome email on signup or when confirmed" is checked ie activated.
No, when I add a user manually MailList Pro doesn't send the Welcome Mail. However, I can Quick Load a welcome message and I can then send welcome message and send it manually, and it arrives at its destination.
Also, double opt in no longer works.
Yes then no, the signup code or signup.php or Signup Form produces the following message and the user is signed up to the user database successfully. However no introductory email is received.:
Thanks for signing up, .
Your email address useralias@mydomain.net will be kept safe!
You will receive an introductory email in a moment.
When I use the double opt in I get the following message but no email message is sent, and thus not able to signup to list.
Before we add you to our database, we must verify your email address. Please check your email for the
confirmation message and click the link provided to finalize your subscription.
I hope this clarifies what I said earlier and answers what you asked me.
Regards,
Frank Eckdall
-
Frank,
Welcome, confirmation and some notification emails are sent with internal PHP mail() regardless of whether SMTP is enabled or not. I suspect there may be a problem with this function.
The PHP code found on this page (http://listmailpro.com/misc/mailtest.php.txt), when copied into a file named test.php, uploaded to your server and browsed to, should result in an email to your (preferably remote) account.
Regards
-
Dean,
When I browse to the script it reveals this:
Friday, January 5th 10:32am CST
testing mail() function..
sending mail..
The mailtest.php script fails to send an email to my remote address.
Here is my php info:
http://www.maestrodigital.net/test.php
Is my php broken? Does php.ini need a change in its configuration?
Thank you for your help
Regards
Frank
-
Frank,
I don't see anything out of the ordinary in your phpinfo()... There must be a problem somewhere between initiation and delivery of the message. It looks like PHP calls "/usr/sbin/sendmail -t -i" for all instances of email. I would check the existence and permissions of the /usr/sbin/sendmail binary/symlink. Maybe you can find the process and do a trace, although it would only be running for a second...
Regards
-
Dean,
Could you be more explicit here? I'm not sure what you want me to do.
thanks
Regards,
Frank Eckdall
-
Hi Frank,
I haven't experienced this problem or done what I suggested before... I'm just trying to figure out ways to figure out where the process is failing. Basically, if my understanding is correct, you have a problem with PHP mail(). The PHP -> sendmail symlink -> postfix connection may need to be investigated or packages could simply need to be reinstalled. I was suggesting trying to somehow do a complicated "strace" so you could see what's happening behind the scenes with the running program (that is, when PHP loads the connection to postfix). For me, troubleshooting this particular connection is new and my knowledge is not advanced enough to know whether or not it is possible to figure out what's wrong with this method. It is very difficult for me to offer any more suggestions or advice without direct access (http://listmailpro.com/support) to the server... Do you have anyone else, such as at your server provider, who might be familiar with the system and willing to investigate?
Regards
-
Hi Dean,
Thank you for your reply.
What I have done is run a backup I made on 24 Dec 2006 when everything seemed to be working. Then basically reproduced the audit2allow procedure mentioned above and re-read my change log notes.
Using audit2allow, a better understanding of the message and error logs, plus information from my last analysis of the necessary lines needed inside the local.te file, I got it working again; this time I got the Welcome message. I can't tell you what a relief it was to get the Welcome message after the successful signup. I don't know how the php mail got broken.
At any rate everything associated with ListMail Pro is working now, except link tracking that I know is coming from Venezuela. Link tracking just shows question marks instead of their emails for my Venezuelan friends.
Maybe I was too aggressive while learning how to tune the policy file and somehow broke the php or sendmail to postfix. Or, unwittingly changed some context labels late at night and got tired.
It was worth the effort to learn how to modify the policy file for SELinux. I have no one to help me here in Emporia Kansas. Mostly just hicks here and my dog. My dog refuses to study.
Thanks again for all your help.
Kind regards,
Frank Eckdall :wink: