On modern systems, there are issues with get-token calling itself when
invoked as root. Update routers to normalize where get-token is called
so that it is always called after seteuid() in the delivery process.
This is still not ideal: exim has to run without a PAG, and there's no
guarantee the directory / environment options will be run after
changing to the delivery user in the future.
Add `check_owner = false' to appendfile routers. We have patched exim
to support delivery into afs because it is overly paranoid about
chown() failures. Patch uses check_owner flag to allow chown() failure
since exim will ignore the owner in other cases anyway when it is
enabled.
Move token stashes to /var/local/mail-tokens rather than storing them in
/tmp.
Leave some extra debugging in get-token for now.
current_directory = /
# hcoop-change: Try 20 times rather than 10 before deferring.
maildir_retries = 20
current_directory = /
# hcoop-change: Try 20 times rather than 10 before deferring.
maildir_retries = 20
+ check_owner = false
\ No newline at end of file
# or .forward files if the path ends in "/", which causes it to be treated
# as a directory name rather than a file name.
# or .forward files if the path ends in "/", which causes it to be treated
# as a directory name rather than a file name.
-# hcoop-change: Add bogus group line to make sure get-token gets executed
+# hcoop-change: Add bogus group line to make sure get-token gets
+# executed and ignore owner
address_directory:
debug_print = "T: address_directory for $local_part@$domain"
driver = appendfile
address_directory:
debug_print = "T: address_directory for $local_part@$domain"
driver = appendfile
- group = mail${run{/etc/exim4/get-token ${local_part}}{}}
+ directory = ${address_file}${run{/etc/exim4/get-token ${local_part}}{}}
+# group = mail${run{/etc/exim4/get-token ${local_part}}{}}
delivery_date_add
envelope_to_add
return_path_add
check_string = ""
escape_string = ""
delivery_date_add
envelope_to_add
return_path_add
check_string = ""
escape_string = ""
+ current_directory = /
+ maildir_retries = 20
+ mode_fail_narrower = false
\ No newline at end of file
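Review bot: The rewritten `# hcoop-change:` comment still says "Add bogus group line" although the hunk below it comments the `group =` line out and moves the `${run{/etc/exim4/get-token ...}}` call onto `directory =`, so a reader of the new file will look for a group line that no longer exists. Suggest `# hcoop-change: append an (empty) ${run{get-token}} to directory so get-token executes after seteuid(); old group trick kept below for reference`. The `+ check_owner = false` line in the earlier appendfile hunk depends on the local exim patch named in the commit description, and a one-line comment such as `# hcoop-change: requires the local check_owner patch` next to it would stop someone trying the config on stock exim. The surrounding transport definition starts before this hunk.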
group = nogroup
mode = 0600
mode_fail_narrower = false
group = nogroup
mode = 0600
mode_fail_narrower = false
envelope_to_add
return_path_add
directory = ${extract{mail}{$address_data}}${run{/etc/exim4/get-token \
envelope_to_add
return_path_add
directory = ${extract{mail}{$address_data}}${run{/etc/exim4/get-token \
REALUSER=$(whoami)
USER=$1
REALUSER=$(whoami)
USER=$1
-LOGFILE=/tmp/exim4/weird-error.log
+LOGFILE=/var/local/mail-tokens/weird-error.log
+
+echo "`date` $REALUSER $USER (`groups`): $@" >> $LOGFILE
+#ps -eo euser,ruser,suser,fuser,comm,pid --ppid=$PPID --pid=$PPID --forest >> $LOGFILE
if test "$REALUSER" = "root"; then
if test "$2" = "norecurse"; then
if test "$REALUSER" = "root"; then
if test "$2" = "norecurse"; then
# Make sure USER exists, and resolve UIDs to a login name
USER=$(getent passwd "$USER" | cut -d':' -f 1)
# Make sure USER exists, and resolve UIDs to a login name
USER=$(getent passwd "$USER" | cut -d':' -f 1)
-LOGFILE=/tmp/exim4/get-token-log.$USER
+LOGFILE=/var/local/mail-tokens/get-token-log.$USER
if test -z "$USER"; then
echo "$USER is not a local user, so ignoring them" \
if test -z "$USER"; then
echo "$USER is not a local user, so ignoring them" \
- >> /tmp/exim4/weird-error.log
+ >> /var/local/mail-tokens/weird-error.log
echo "Debugging output: $*"
fi
echo "Debugging output: $*"
fi
# set the credentials cache
# set the credentials cache
-export KRB5CCNAME=FILE:/tmp/exim4/krb5cc_$USER.email
+export KRB5CCNAME=FILE:/var/local/mail-tokens/krb5cc_$USER.email
# eliminate any previous tokens
# eliminate any previous tokens
KEYTAB=/etc/keytabs/user.daemon/$USER
# display command-to-be-invoked as a sanity check
KEYTAB=/etc/keytabs/user.daemon/$USER
# display command-to-be-invoked as a sanity check
-echo kinit -kt $KEYTAB $USER/daemon@HCOOP.NET
-kinit -kt $KEYTAB $USER/daemon@HCOOP.NET
-aklog
+(
+flock -s 666
+krenew -vtH 30 || kinit -V -kt $KEYTAB $USER/daemon@HCOOP.NET
+#aklog
# list tokens, for the sake of debugging
# list tokens, for the sake of debugging
+tokens
+
+) 666>/var/local/mail-tokens/lock.$USER