rmilter socket cannot be used on Ubuntu/Debian #39

Open
antwan opened this issue Sep 23, 2015 · 11 comments

Comments

@antwan

antwan commented Sep 23, 2015

Hey,

I installed rmilter to use it with postfix + rspamd.
I never managed to make it work: the socket it creates cannot be listened on or written to by postfix, or by any other program.

$ ls -la /var/run/rmilter/rmilter.sock
srwxrwx--- 1 _rmilter adm 0 Sep 23 17:42 /var/run/rmilter/rmilter.sock

Postfix mail.log
Sep 23 17:29:15 new postfix/smtpd[6361]: warning: connect to Milter service unix:/run/rmilter/rmilter.sock: No such file or directory

Direct IO with shell

$ cat /var/run/rmilter/rmilter.sock
cat: /var/run/rmilter/rmilter.sock: No such device or address

$ echo "test" > /var/run/rmilter/rmilter.sock
bash: /var/run/rmilter/rmilter.sock: No such device or address

I tried with the latest rmilter version from this morning (1.6.5) as well as the previous one.
Environment: Ubuntu trusty x64 with the very latest updates.

Can you provide notes/fix/documentation on how to proceed?
Thanks for your awesome job!

Side notes:

  1. The configuration does not have any impact on the socket file name, and it is not possible to bind on a port instead (inet:port:ip).
  2. The socket permissions as they are currently set seem to be incompatible with users other than _rmilter (but ATM even with root it doesn't work anyway).


@fatalbanana
Contributor

See @patrakov's notes here rspamd/rspamd#295

You could use socat to test connectivity to UNIX sockets.

On Trusty you can set listen address in /etc/rmilter.conf.sysvinit. On Debian 8 rmilter uses systemd socket activation and listening address must be configured in the systemd socket file.

@ortolot

ortolot commented Sep 24, 2015

Antwan86, you should know that Postfix's smtpd is chrooted, and the socket it is looking for does not exist in its chroot! You should configure rmilter to listen to a socket inside Postfix's chroot, or let smtpd run unchrooted.

@vstakhov
Owner

I'm pretty sure that we just need to stop proposing unix sockets and switch to tcp sockets by default. That's how it is done in rpm based builds.

@ortolot

ortolot commented Sep 24, 2015

Vsevolod Stakhov, 2015-09-24 05:35-0700:

I'm pretty sure that we just need to stop proposing unix sockets and switch to tcp sockets by default. That's how it is done in rpm based builds.

That would be a pity. Unix sockets are easier to identify (I can easily determine what /var/run/opendkim/opendkim.sock is in my Postfix configuration, but for localhost:4212 I would have to use netstat) and to secure (no access but from localhost, by nature, and using Unix permissions).

Personally, when searching for something to filter my email, I start by only considering milters (and consider non-milters only if there exists no milter that would do the job), and, when I have found a milter, if it does not support Unix sockets, I search for an alternative that would…

What could be useful, however, is to add a warning for Postfix users, perhaps a comment in the configuration for instance, indicating that their smtpd may be chrooted, and that if it is, the socket should be put inside that chroot.

@vstakhov
Owner

That's not about milter. That's about the puny model of libmilter work, where you have absolutely no control of who creates a socket, with what permissions, and who is responsible for recycling it. That's one of the reasons why I'm going to replace libmilter some day: https://github.com/vstakhov/librmilter

@antwan
Author

antwan commented Oct 2, 2015

It's working when setting the socket location to /var/spool/postfix/run/rmilter/rmilter.sock.
I'm leaving this issue open because:

  1. The file needs to be chmod'ed go+rw so postfix user can use it (this is the smtpd user).
  2. Maybe the project needs some documentation; Ubuntu trusty is far from being an anecdotal audience, and it's quite impossible to use rspamd/rmilter on this OS without looking into issues/code for now... :/

@skibbipl
Contributor

skibbipl commented Oct 7, 2015

Are there any security implications by setting SocketGroup=postfix in rmilter.socket?

@vstakhov
Owner

vstakhov commented Oct 7, 2015

I don't think so. It would be still more secure than TCP socket (if you are not using some non-generic security policies).

@antwan
Author

antwan commented Mar 7, 2016

Update on this:
The rmilter socket can be accessed by postfix for incoming emails, as smtpd is chrooted and looks into the right folder, but that's not the case for outgoing emails (smtpd is not chrooted when authenticated via SASL and looks into the real /run/rmilter...).

Any configuration workaround for this? Maybe create a socket in both folders, or link them?

@vstakhov
Owner

vstakhov commented Mar 7, 2016

TCP sockets.

mikeashley pushed a commit to sovereign/sovereign that referenced this issue Oct 16, 2016
Use a Unix socket instead of a TCP socket as a Unix socket doesn't play nicely with postfix running
smtpd in a chroot. The author of rmilter recommends using a TCP socket per
vstakhov/rmilter#39
@julienschmidt

It also works when the postfix user is added to the _rmilter group:

adduser postfix _rmilter

In /etc/rmilter.conf.local:
bind_socket = unix:/var/spool/postfix/var/run/rmilter/rmilter.sock;
(don't forget to create that dir and chown it to _rmilter:_rmilter)

Then use in /etc/postfix/main.cf:
smtpd_milters = unix:/var/run/rmilter/rmilter.sock
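The thread above boils down to two things a Postfix admin has to verify before blaming rmilter: which filesystem view each smtpd instance uses for a `unix:` milter path (the chroot under queue_directory for chrooted smtpd, the real root for an unchrooted one such as an authenticated submission service), and whether the postfix user actually has read/write access to the socket file. The following script is an added example written for this thread, not code from rmilter, Postfix or any commenter. The function names `milter_paths`, `check_socket` and `demo` are assumptions, and `demo()` builds a constructed sandbox (a fake chroot plus a real listening Unix socket) so it runs offline; on a live box you would call `check_socket()` against the real paths with the postfix user's uid and group list.

```python
"""Check whether a milter Unix socket is usable from Postfix smtpd.

Added example for this thread, not rmilter's or Postfix's own code. It models
the two situations described above: a chrooted smtpd resolves the "unix:/path"
in smtpd_milters relative to queue_directory (/var/spool/postfix by default),
while an unchrooted smtpd (for example one handling authenticated submission)
resolves it relative to /. The socket must exist in the view each instance
uses, and the postfix user needs read and write access to it.
Assumed names: milter_paths, check_socket, demo.
"""
import os
import socket
import stat
import tempfile


def milter_paths(smtpd_milters, queue_directory):
    """Return (unchrooted_path, chrooted_path) for a "unix:/..." milter spec."""
    if not smtpd_milters.startswith("unix:"):
        raise ValueError("only unix: milter specs are handled here")
    rel = smtpd_milters[len("unix:"):]
    unchrooted = os.path.normpath("/" + rel.lstrip("/"))
    chrooted = os.path.normpath(os.path.join(queue_directory, rel.lstrip("/")))
    return unchrooted, chrooted


def check_socket(path, uid, gids):
    """Return a list of problems a client running as uid/gids would hit.

    The mode check is a simulation for the given identity (e.g. the postfix
    user); the connect test is done as the current process and needs a
    listener on the other side, which is what a running rmilter provides.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: No such file or directory" % path]
    if not stat.S_ISSOCK(st.st_mode):
        return ["%s: not a socket" % path]
    problems = []
    mode = st.st_mode
    # Unix permission classes apply exclusively: owner, else group, else
    # other. Connecting to a stream socket needs write access on the file.
    if st.st_uid == uid:
        allowed = bool(mode & stat.S_IRUSR) and bool(mode & stat.S_IWUSR)
    elif st.st_gid in gids:
        allowed = bool(mode & stat.S_IRGRP) and bool(mode & stat.S_IWGRP)
    else:
        allowed = bool(mode & stat.S_IROTH) and bool(mode & stat.S_IWOTH)
    if not allowed:
        problems.append("%s: mode %s owned by %d:%d denies rw to uid %d"
                        % (path, oct(mode & 0o777), st.st_uid, st.st_gid, uid))
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(1.0)
    try:
        client.connect(path)
    except OSError as exc:
        problems.append("%s: connect failed: %s" % (path, exc))
    finally:
        client.close()
    return problems


def demo():
    """Constructed scenario: rmilter binds only inside a fake Postfix chroot."""
    with tempfile.TemporaryDirectory() as root:
        queue_dir = os.path.join(root, "var/spool/postfix")
        spec = "unix:/var/run/rmilter/rmilter.sock"
        unchrooted, chrooted = milter_paths(spec, queue_dir)
        # Keep the "real root" view inside the sandbox as well.
        unchrooted = os.path.join(root, unchrooted.lstrip("/"))
        os.makedirs(os.path.dirname(chrooted))
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(chrooted)
        listener.listen(1)
        os.chmod(chrooted, 0o660)  # owner and group only, like srwxrwx--- above
        me, my_groups = os.getuid(), set(os.getgroups())
        try:
            return {
                # chrooted smtpd: socket present and we are its owner
                "chrooted": check_socket(chrooted, me, my_groups),
                # unchrooted smtpd: nothing at the real /var/run path
                "unchrooted": check_socket(unchrooted, me, my_groups),
                # a postfix user that is neither owner nor in the socket group
                "foreign_uid": check_socket(chrooted, 65534, set()),
            }
        finally:
            listener.close()


if __name__ == "__main__":
    for view, problems in demo().items():
        print(view, "OK" if not problems else "; ".join(problems))
```

The `foreign_uid` case reproduces the first report (mode 770 owned by `_rmilter:adm`, postfix in neither), and `unchrooted` reproduces the March 2016 follow-up where SASL-authenticated smtpd looks at the real `/run/rmilter`. Adding postfix to the socket's group (or setting SocketGroup in the systemd socket unit) fixes the former; the latter needs the socket to exist in both views or a TCP listener.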
