Problem(s) receiving mail via rt-mailgate

I’m running RT 3.0.2 on OS X 10.2.6 with perl 5.8.0 and have been trying
to get RT’s email gateway to receive emails (everything else has been
running smoothly for a while now).

I have the server on an Intranet and have poked a hole in the firewall to
allow email to be sent directly to the address of the system, not wanting
RT to be generally accessible. After much fiddling with (aka
configuring) sendmail, sendmail is finally sending and receiving emails.
Although the system receives emails as a user, I am now trying to get
emails received and injected into RT (which is a very nice product, BTW).

What my research has led me to do, thus far:

  • I’ve put a link in /usr/adm/sm.bin to /opt/rt3/bin/rt-mailgate
  • I’ve also enabled RunProgramInUnsafeDirPath in sendmail (ugh!)

What’s currently happening:
Received emails are bounced with the following (sanitized) diagnostics:

<yada … yada … yada …>
The following addresses had permanent fatal errors:
"|/opt/rt3/bin/rt-mailgate --queue general --action correspond --url
http://mumble.foo.com/
(reason: Service unavailable)
(expanded from: <rt@[xxx.xxx.xxx.25]>)

Transcript of session follows:
smrsh: “rt-mailgate” not available for sendmail programs (stat failed)
554 5.0.0 Service unavailable

<snip’d stuff …>

Final-Recipient: RFC822; rt@[xxx.xxx.xxx.25]
X-Actual-Recipient: X-Unix; |/opt/rt3/bin/rt-mailgate --queue general
--action correspond --url http://mumble.foo.com/
Action: failed
Status: 5.5.0
Diagnostic-Code: X-Unix; 69

I’m also not getting any errors logged (or displayed) from RT, which may
or may not be another issue (currently, it looks like rt-mailgate never
gets invoked so I’m guessing that no error log just means that everything
in RT is running smoothly?).

I’ve run Mr. Google ragged trying to solve this one (when I was young, in
addition to having to walk 5 miles to school in 30-below weather, we not
only didn’t have Google … we didn’t have an Internet! #;-))

Anyone have any ideas that might send me in the right direction?

Bryan Derman wrote:

  • I’ve put a link in /usr/adm/sm.bin to /opt/rt3/bin/rt-mailgate

smrsh: “rt-mailgate” not available for sendmail programs (stat failed)

Are you sure that /usr/adm/sm.bin is the correct directory
for your smrsh, and that the permissions on it are correct?
Phil Homewood, Systems Janitor, http://www.SnapGear.com
pdh@snapgear.com Ph: +61 7 3435 2810 Fx: +61 7 3891 3630
SnapGear - Custom Embedded Solutions and Security Appliances

Can one ever be sure when it’s software for which one does not have the
source? #;-))

I did the strings | grep “thingie” as suggested on www.sendmail.org and
looked at the smrsh man page. Both of these “tests” would indicate that
/usr/adm/sm.bin is the directory used by OS X. [Can anyone confirm or
deny this?]

As for permissions, I have:

/usr/adm/sm.bin
drwxr-xr-x 4 root wheel 136 May 29 17:28 ./
drwxr-xr-x 4 root wheel 136 May 29 17:28 ../
lrwxr-xr-x 1 root wheel 24 May 29 17:28 rt-mailgate -> /opt/rt3/bin/rt-mailgate

and

/opt/rt3/bin
drwxr-xr-x 8 root admin 272 May 19 03:09 ./
drwxr-xr-x 10 root admin 340 May 19 03:09 ../
-rwxr-xr-x 1 root rt 18487 May 12 17:31 rt-mailgate

That makes everything executable and I’m not aware of any other
conditions that need to be satisfied for Sendmail+smrsh … but that
doesn’t mean there aren’t any. [Anyone know whether there’s a flaw in
this setup?]

I guess I could actually turn off the smrsh feature and see what happens,
but I’d not want to run it without smrsh and it does seem pretty clear
that that’s where the issue is.

Any ideas?

Previous message from Phil Homewood on 2003-05-30 at 5:26 PM +1000

Bryan Derman wrote:

I guess I could actually turn off the smrsh feature and see what happens,
but I’d not want to run it without smrsh and it does seem pretty clear
that that’s where the issue is.

Another long shot:- can you execute /usr/adm/sm.bin/rt-mailgate
from the commandline?

Phil Homewood, Systems Janitor, http://www.SnapGear.com
pdh@snapgear.com Ph: +61 7 3435 2810 Fx: +61 7 3891 3630
SnapGear - Custom Embedded Solutions and Security Appliances

Since I see that there are other people having problems with this, I
thought I’d summarize what I (think I) learned during the process of
getting my rt-mailgate working. The real problem was configuring the
system for proper operation via smrsh (sendmail’s restricted shell).

As per the install instructions, I’d set up a pair of user aliases to
receive mail into RT:

rt: "|/opt/rt3/bin/rt-mailgate --queue general --action correspond --url http://blah.blah.com/"
rt-comment: "|/opt/rt3/bin/rt-mailgate --queue general --action comment --url http://blah.blah.com/"

Sending email to the user “rt” resulted in the “service unavailable”
status (see detail in history messages, copied below). As indicated,
this was issued by smrsh (which is valid as I have
“FEATURE(`smrsh',`/usr/libexec/smrsh')dnl” specified for my sendmail
configuration).

I used (both)

man smrsh
strings /usr/libexec/smrsh | fgrep '/'

to verify that the location of smrsh’s command directory is
“/usr/adm/sm.bin” (this is the strategy suggested somewhere on
http://www.sendmail.org/).

I tried placing a symbolic link to /opt/rt3/bin/rt-mailgate in
/usr/adm/sm.bin, but that just gave the same results.

Next I created the pass-through shell script /usr/adm/sm.bin/rt-mailgate,
as follows (and set it to permissions 755):

#!/bin/sh
# Pass every argument through unchanged; "$@" keeps each one intact, unlike $*
/opt/rt3/bin/rt-mailgate "$@"

I also changed the email aliases’ command from “|/opt/rt3/bin/rt-mailgate
…” to “|rt-mailgate …”

At that point, I received a permissions error from the pass-through shell
script. Since much of RT runs as “set group ID on execution,” I used
(both)

chown root:rt /usr/adm/sm.bin/rt-mailgate
chmod 2755 /usr/adm/sm.bin/rt-mailgate

to change the /usr/adm/sm.bin/rt-mailgate shell script to run as the
group “rt” (the “2” in 2755 permissions means “set group id on execution”).

At this point, RT is receiving emails via the rt-mailgate. #;-))

Hope this helps some other people (it seems so simple when one looks back
on it!).
Forwarded message from Bryan Derman on 2003-05-29 at 5:47 PM -0700

Delivered-To: rt-users@pallas.eruditorum.org
To: rt-users@lists.fsck.com
From: Bryan Derman bderm@derman.com
Subject: [rt-users] Problem(s) receiving mail via rt-mailgate
Sender: rt-users-admin@lists.fsck.com
Date: Thu, 29 May 2003 17:47:26 -0700

I’m running RT 3.0.2 on OS X 10.2.6 with perl 5.8.0 and have been trying
to get RT’s email gateway to receive emails (everything else has been
running smoothly for a while now).

I have the server on an Intranet and have poked a hole in the firewall to
allow email to be sent directly to the address of the system, not wanting
RT to be generally accessible. After much fiddling with (aka
configuring) sendmail, sendmail is finally sending and receiving emails.
Although the system receives emails as a user, I am now trying to get
emails received and injected into RT (which is a very nice product, BTW).

What my research has led me to do, thus far:

  • I’ve put a link in /usr/adm/sm.bin to /opt/rt3/bin/rt-mailgate
  • I’ve also enabled RunProgramInUnsafeDirPath in sendmail (ugh!)

What’s currently happening:

Received emails are bounced with the following (sanitized) diagnostics:

<yada … yada … yada …>
The following addresses had permanent fatal errors:
"|/opt/rt3/bin/rt-mailgate --queue general --action correspond --url
http://mumble.foo.com/
(reason: Service unavailable)
(expanded from: <rt@[xxx.xxx.xxx.25]>)

Transcript of session follows:
smrsh: “rt-mailgate” not available for sendmail programs (stat failed)
554 5.0.0 Service unavailable

<snip’d stuff …>

Final-Recipient: RFC822; rt@[xxx.xxx.xxx.25]
X-Actual-Recipient: X-Unix; |/opt/rt3/bin/rt-mailgate --queue general
--action correspond --url http://mumble.foo.com/
Action: failed
Status: 5.5.0
Diagnostic-Code: X-Unix; 69

========

I’m also not getting any errors logged (or displayed) from RT, which may
or may not be another issue (currently, it looks like rt-mailgate never
gets invoked so I’m guessing that no error log just means that everything
in RT is running smoothly?).

I’ve run Mr. Google ragged trying to solve this one (when I was young, in
addition to having to walk 5 miles to school in 30-below weather, we not
only didn’t have Google … we didn’t have an Internet! #;-))

Anyone have any ideas that might send me in the right direction?


End of forwarded message from Bryan Derman

Forwarded message from Bryan Derman on 2003-05-30 at 1:30 AM -0700

Delivered-To: rt-users@pallas.eruditorum.org
To: Phil Homewood pdh@snapgear.com
From: Bryan Derman bderm@derman.com
Subject: Re: [rt-users] Problem(s) receiving mail via rt-mailgate
Cc: rt-users@lists.fsck.com
Sender: rt-users-admin@lists.fsck.com
Date: Fri, 30 May 2003 01:30:50 -0700

Can one ever be sure when it’s software for which one does not have the
source? #;-))

I did the strings | grep “thingie” as suggested on www.sendmail.org and
looked at the smrsh man page. Both of these “tests” would indicate that
/usr/adm/sm.bin is the directory used by OS X. [Can anyone confirm or
deny this?]

As for permissions, I have:

/usr/adm/sm.bin
drwxr-xr-x 4 root wheel 136 May 29 17:28 ./
drwxr-xr-x 4 root wheel 136 May 29 17:28 ../
lrwxr-xr-x 1 root wheel 24 May 29 17:28 rt-mailgate -> /opt/rt3/bin/rt-mailgate

and

/opt/rt3/bin
drwxr-xr-x 8 root admin 272 May 19 03:09 ./
drwxr-xr-x 10 root admin 340 May 19 03:09 ../
-rwxr-xr-x 1 root rt 18487 May 12 17:31 rt-mailgate

That makes everything executable and I’m not aware of any other
conditions that need to be satisfied for Sendmail+smrsh … but that
doesn’t mean there aren’t any. [Anyone know whether there’s a flaw in
this setup?]

I guess I could actually turn off the smrsh feature and see what happens,
but I’d not want to run it without smrsh and it does seem pretty clear
that that’s where the issue is.

Any ideas?


Previous message from Phil Homewood on 2003-05-30 at 5:26 PM +1000


Bryan Derman wrote:

  • I’ve put a link in /usr/adm/sm.bin to /opt/rt3/bin/rt-mailgate

smrsh: “rt-mailgate” not available for sendmail programs (stat failed)

Are you sure that /usr/adm/sm.bin is the correct directory
for your smrsh, and that the permissions on it are correct?

Phil Homewood, Systems Janitor, http://www.SnapGear.com
pdh@snapgear.com Ph: +61 7 3435 2810 Fx: +61 7 3891 3630
SnapGear - Custom Embedded Solutions and Security Appliances


End of forwarded message from Bryan Derman
Bryan Derman Derman Enterprises Incorporated
bderm@derman.com http://www.derman.com/
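
The checks this thread works through by hand (which program name smrsh will look up, whether the entry in the command directory is a symlink, and which mode bits the wrapper carries) can be scripted. The following is an added example, not part of the original messages or of RT or sendmail; the function names, status words and the `audit.sh` file name are hypothetical, and `SMRSH_DIR` defaults to the directory reported in the thread.

```shell
#!/bin/sh
# Added example: audit the smrsh command directory against an aliases file.
# SMRSH_DIR defaults to the directory reported in the thread; override it
# with whatever `strings /usr/libexec/smrsh` shows on your system.
SMRSH_DIR=${SMRSH_DIR:-/usr/adm/sm.bin}

# Print the basename of each program an alias pipes mail to. smrsh discards
# leading path components, so only the basename is looked up in SMRSH_DIR.
# Handles the one-program-per-alias form used in the thread.
alias_programs() {
    sed -n 's/^[^#:]*:[[:space:]]*"\{0,1\}|[[:space:]]*\([^[:space:]"]*\).*/\1/p' "$1" |
        sed 's|.*/||' | sort -u
}

# Classify one entry of the command directory; prints a single status word.
#   WRITABLE: group/other can replace what inbound mail executes.
#   SETID:    mail-triggered code runs with another user or group identity
#             (some kernels ignore these bits on "#!" scripts).
audit_entry() {
    p=$1/$2
    if [ -L "$p" ]; then
        if [ -e "$p" ]; then echo SYMLINK; else echo DANGLING_SYMLINK; fi
    elif [ ! -e "$p" ]; then echo MISSING
    elif [ ! -x "$p" ]; then echo NOT_EXECUTABLE
    elif [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo WRITABLE
    elif [ -u "$p" ] || [ -g "$p" ]; then echo SETID
    else echo OK
    fi
}

# Report "<program> <status>" for every program named in the aliases file.
audit_aliases() {
    for prog in $(alias_programs "$1"); do
        printf '%s %s\n' "$prog" "$(audit_entry "$SMRSH_DIR" "$prog")"
    done
}

# Run as, e.g.: SMRSH_DIR=/usr/adm/sm.bin sh audit.sh /etc/mail/aliases
if [ $# -ge 1 ]; then audit_aliases "$1"; fi
```

Anything other than `OK` deserves a look before mail is allowed to trigger the program; `SETID` on the wrapper is the state the thread ends in, so it should be a deliberate, documented choice.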