
Issues with and RBAC Policy for Postfix

Posted: Fri Jul 10, 2015 5:09 am
by timbgo
EDIT 2015-07-21 09:01 CET:

IMPORTANT: This topic contains a lot of rambling in the wrong direction. So take care not to follow blindly; lots of time lost.

I might however be succeeding at setting the RBAC policy for Postfix right, eventually.

title:
Issues with and RBAC Policy for Postfix
=============================================================
previous title:
A denied seteuid issue with Postfix (Role: root)

---
I have just studied:

The grsecurity Wiki
https://en.wikibooks.org/wiki/Grsecurity

for another bout of not so small number of hours (and I'd like to try and finish my today's posting with what amazed me the most. Because, to me, it's pure and sublime intellectual thrills the honest and capable, sophisticated and eye-opening, programs which there are a few available in the FOSS world, and among which programs, the grsecurity [including PaX] is the leader in the revealing and in the excellence. I'm reserving my telling to you about what amazed me the most in that wikibook, for the last paragraphs of the few posts that I, hopefully, plan to post today in this topic that I've opened on Grsecurity Forums.)

I needed to dedicate another almost a day (just as previously I had dedicated to reading that wikibook at least a few weekends), because I had stumbled upon my Postfix installation throttling for some reason. And I needed to figure out that reason and resolve it.

The configuration current to the problem is posted complete on:

A no-poetteringware desktop RBAC policy
viewtopic.php?f=5&t=4153#p15354

The most striking issue that I have there, in comparison with what I hoped would be the setup that I would have been able to accomplish, and which is the simple solution that spender gave on:

How to tell what role a process has
viewtopic.php?f=3&t=3913#p13838

(The most striking issue that I have in my current policy, available in that other topic in this Forum) is:

I have postfix in role root, and postfix in role postfix, and I don't seem to be able to resolve it and have only the role postfix to suffice for all, as spender has.

I am yet to learn and reduce my policy for postfix (in the role postfix), but I want to show my postfix throttling issue here, and how I'm trying to solve it.

My current postfix configuration has the ' -v's added to smtp, cleanup, qmgr, tlsmgr, trivial-rewrite, bounce and defer in the /etc/postfix/master.cf according to the advice in the:

Postfix Debugging Howto
http://www.postfix.org/DEBUG_README.html

which I explained in my Gentoo Forum topic:

Postfix not working [to be re-titled]
https://forums.gentoo.org/viewtopic-t-1021456.html

And I'll post the problem as it occurred yesterday (as it did before many times, but understanding the logs is a mastery in itself, takes time too), just after noon, when I tried to send a message via my MTA Postfix.

Code:
Jul  9 12:07:11 g0n postfix/smtp[26191]: initializing the client-side TLS engine
Jul  9 12:07:11 g0n kernel: grsec: (root:U:/usr/libexec/postfix) exec of /usr/libexec/postfix/tlsmgr (tlsmgr -l -t unix -u -v ) by /usr/libexec/postfix/tlsmgr[master:26192] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:3006] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: name_mask: ipv4
Jul  9 12:07:11 g0n kernel: grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/tlsmgr[tlsmgr:26192] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:3006] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: name_mask: host
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: inet_addr_local: configured 3 IPv4 addresses
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: mynetworks_core: 127.0.0.1/32
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: process generation: 23 (23)
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: tls_prng_dev_open: opened entropy device /dev/urandom
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: set_eugid: euid 207 egid 207
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: tls_prng_exch_open: opened PRNG exchange file /var/lib/postfix/prng_exch
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: name_mask: 3
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: warning: request to update table btree:/etc/postfix/smtp_scache in non-postfix directory /etc/postfix
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: open smtp TLS cache btree:/var/lib/postfix/smtp_scache
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: Compiled against Berkeley DB: 6.0.30?
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: Run-time linked against Berkeley DB: 6.0.30?
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: dict_open: btree:/var/lib/postfix/smtp_scache
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: fatal: set_eugid: seteuid(0): Operation not permitted
Jul  9 12:07:11 g0n kernel: grsec: (root:U:/usr/libexec/postfix) change to uid 0 denied for /usr/libexec/postfix/tlsmgr[tlsmgr:26192] uid/euid:0/207 gid/egid:0/207, parent /usr/libexec/postfix/master[master:3006] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:12 g0n postfix/master[3006]: warning: process /usr/libexec/postfix/tlsmgr pid 26192 exit status 1
Jul  9 12:07:12 g0n postfix/master[3006]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
Jul  9 12:07:15 g0n postfix/qmgr[3008]: qmgr_scan_start: start deferred queue scan
Jul  9 12:07:15 g0n postfix/qmgr[3008]: done deferred queue scan
Jul  9 12:07:15 g0n postfix/qmgr[3008]: trigger_server_accept_local: trigger arrived
Jul  9 12:07:15 g0n postfix/qmgr[3008]: master_notify: status 0
Jul  9 12:07:15 g0n postfix/qmgr[3008]: request: 87 (W)
Jul  9 12:07:15 g0n postfix/qmgr[3008]: request: 0 (?)
Jul  9 12:07:15 g0n postfix/qmgr[3008]: request ignored
Jul  9 12:07:15 g0n postfix/qmgr[3008]: qmgr_scan_start: start incoming queue scan
Jul  9 12:07:15 g0n postfix/qmgr[3008]: master_notify: status 1
Jul  9 12:07:15 g0n postfix/qmgr[3008]: done incoming queue scan
Jul  9 12:07:16 g0n postfix/cleanup[26188]: rewrite stream disconnect
Jul  9 12:07:16 g0n postfix/trivial-rewrite[26190]: connection closed fd 128
Jul  9 12:07:16 g0n postfix/qmgr[3008]: rewrite stream disconnect
Jul  9 12:07:16 g0n postfix/trivial-rewrite[26190]: connection closed fd 129


And for the newbies reading this, who will need to delve more intently into it (till they become proficient and spread their wings for real in this arcane and intriguing knowledge), the main lines are:

Code:
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: fatal: set_eugid: seteuid(0): Operation not permitted
Jul  9 12:07:11 g0n kernel: grsec: (root:U:/usr/libexec/postfix) change to uid 0 denied for /usr/libexec/postfix/tlsmgr[tlsmgr:26192] uid/euid:0/207 gid/egid:0/207, parent /usr/libexec/postfix/master[master:3006] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:12 g0n postfix/master[3006]: warning: process /usr/libexec/postfix/tlsmgr pid 26192 exit status 1
Jul  9 12:07:12 g0n postfix/master[3006]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling

See the "throttling" just above?

And above that the "change to uid 0 denied for /usr/libexec/postfix/tlsmgr"?

And further above: "fatal: set_eugid: seteuid(0): Operation not permitted"?

Actually, all the details on the three lines are important! The first and the third are postfix writing in my /var/log/messages.

And the second is grsec telling what it denied to whom.

The thing is, I had such mail-not-getting-sent issues before, and I knew that sometimes it goes away if I simply restart postfix, as I did this time too, and the e-mail was then sent, but...

But there may be issues with the restarting! Will try and tell in the next post.
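The correlation the post does by hand (Postfix's fatal set_eugid line, grsec's "change to uid 0 denied" audit line, master's exit-status and throttling warnings, all tied together by the child's PID) as an added Python example; this is not code from the post, from Postfix or from grsecurity. The sample log is constructed from the lines quoted above, and the record field names are my own.

```python
import re

# Constructed sample log, modelled on the syslog lines quoted in the post above
# (the successful run at 12:07:38 is included as a control: no denial there).
SAMPLE_LOG = """\
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: set_eugid: euid 207 egid 207
Jul  9 12:07:11 g0n postfix/tlsmgr[26192]: fatal: set_eugid: seteuid(0): Operation not permitted
Jul  9 12:07:11 g0n kernel: grsec: (root:U:/usr/libexec/postfix) change to uid 0 denied for /usr/libexec/postfix/tlsmgr[tlsmgr:26192] uid/euid:0/207 gid/egid:0/207, parent /usr/libexec/postfix/master[master:3006] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:12 g0n postfix/master[3006]: warning: process /usr/libexec/postfix/tlsmgr pid 26192 exit status 1
Jul  9 12:07:12 g0n postfix/master[3006]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: set_eugid: euid 207 egid 207
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: set_eugid: euid 0 egid 0
"""

# Postfix's own report that switching the effective uid back failed.
FATAL_RE = re.compile(
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: fatal: set_eugid: "
    r"seteuid\((?P<uid>\d+)\): (?P<err>.+)$")
# grsec audit line: (role:roletype:subject) change to uid N denied for path[comm:pid] uid/euid:a/b
GRSEC_DENY_RE = re.compile(
    r"kernel: grsec: \((?P<role>[^:]+):(?P<rtype>[A-Z]):(?P<subject>[^)]+)\) "
    r"change to uid (?P<uid>\d+) denied for (?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid_pair>\d+/\d+)")
# master(8) noticing the child die, then backing off.
EXIT_RE = re.compile(
    r"postfix/master\[\d+\]: warning: process (?P<path>\S+) pid (?P<pid>\d+) exit status (?P<status>\d+)")
THROTTLE_RE = re.compile(
    r"postfix/master\[\d+\]: warning: (?P<path>\S+): bad command startup -- throttling")

# Role-type letter in the grsec log prefix, as grsecurity prints it.
ROLE_TYPES = {"D": "default role", "U": "user role", "G": "group role", "S": "special role"}


def correlate(log_text):
    """Group the four kinds of lines by the failing daemon's PID and return one
    record per PID for which BOTH Postfix and grsec reported the uid change."""
    by_pid = {}
    last_exit_pid = {}  # daemon path -> pid of the most recent exit master reported
    for line in log_text.splitlines():
        m = FATAL_RE.search(line)
        if m:
            rec = by_pid.setdefault(m["pid"], {"pid": int(m["pid"])})
            rec.update(daemon=m["daemon"], wanted_uid=int(m["uid"]), error=m["err"])
            continue
        m = GRSEC_DENY_RE.search(line)
        if m:
            rec = by_pid.setdefault(m["pid"], {"pid": int(m["pid"])})
            rec.update(role=m["role"], role_type=m["rtype"], subject=m["subject"],
                       denied_uid=int(m["uid"]), path=m["path"], uid_euid=m["uid_pair"])
            continue
        m = EXIT_RE.search(line)
        if m:
            by_pid.setdefault(m["pid"], {"pid": int(m["pid"])})["exit_status"] = int(m["status"])
            last_exit_pid[m["path"]] = m["pid"]
            continue
        m = THROTTLE_RE.search(line)
        if m and m["path"] in last_exit_pid:
            # The throttling warning names the path, not the pid: tie it to the last exit.
            by_pid[last_exit_pid[m["path"]]]["throttled"] = True
    return [r for r in by_pid.values() if "error" in r and "denied_uid" in r]


def explain(rec):
    """One-line summary: which daemon, which RBAC role/subject denied it, and what it cost."""
    policy = "%s %s, subject %s" % (
        ROLE_TYPES.get(rec["role_type"], "role type " + rec["role_type"]), rec["role"], rec["subject"])
    cost = "exit status %s" % rec.get("exit_status", "?")
    if rec.get("throttled"):
        cost += ", master throttled the service"
    return "%s pid %d (%s) was denied seteuid(%d) by RBAC %s while uid/euid=%s; %s" % (
        rec["daemon"], rec["pid"], rec["path"], rec["denied_uid"], policy, rec["uid_euid"], cost)


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        print(explain(rec))
```

Feeding it a real /var/log/messages instead of SAMPLE_LOG lists every tlsmgr (or other daemon) run that the RBAC policy killed, so a throttled service can be traced to the exact role and subject that denied the uid change rather than to a guessed restart.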

Re: A denied seteuid issue with Postfix (Role: root)

Posted: Fri Jul 10, 2015 5:11 am
by timbgo
Since I have the:

Code:
# cat /proc/sys/kernel/grsecurity/exec_logging
1
#


as well as:
Code:
# cat /proc/sys/kernel/grsecurity/audit_chdir
1
#


(
as well as many other goodies the grsecurity patch to kernel empowers the kernel with; the kernel, the never-can-I-stop-wondering-what-mechanisms-the-kernel-has-allowed-or-deliberately-set-into-itself kernel, the mechanisms not good that only grsec can tame and bonify)...

So, since I have the executables logging (by now, grsec is my main logger of things that happen in my box; postfix is temporarily a more verbose logger, till I solve its issues, but the general system logger is mostly grsecurity; I'm not sure, but I fear there could be something strange of late with the development of the syslog-ng which Gentooers mostly use, no time to investigate, but I had to dedicate to the syslog-ng issue quite some ample time, long months ago now:

Syslog-ng from Delay Logging to BrokenPipe/no Logging
https://forums.gentoo.org/viewtopic-t-1001994.html
)

So, since I have the exec_logging by grsecurity, I can see in my logs exactly when which events took place, in what succession, and then I can often deduce the reasons and causes, esp. in cases of failure like this case.

This message:
Code:
Jul  9 12:07:11 g0n kernel: grsec: (root:U:/usr/libexec/postfix) change to uid 0 denied for /usr/libexec/postfix/tlsmgr[tlsmgr:26192] uid/euid:0/207 gid/egid:0/207, parent /usr/libexec/postfix/master[master:3006] uid/euid:0/0 gid/egid:0/0

grsec would anyway write in the log, but in the next not so few lines (trimmed a little shorter than the complete real output), I get so much more. Exempli gratia, this line close to the top:
Code:
Jul  9 12:07:38 g0n kernel: grsec: (admin:S:/) exec of /usr/libexec/postfix/tlsmgr (tlsmgr -l -t unix -u -v ) by /usr/libexec/postfix/tlsmgr[master:26340] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0

tells a lot, and that's grsecurity logging it, not postfix. That line is important. I'll return to it below.

Code:
Jul  9 12:07:38 g0n postfix/smtp[26339]: initializing the client-side TLS engine
Jul  9 12:07:38 g0n kernel: grsec: (admin:S:/) exec of /usr/libexec/postfix/tlsmgr (tlsmgr -l -t unix -u -v ) by /usr/libexec/postfix/tlsmgr[master:26340] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: name_mask: ipv4
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: name_mask: host
Jul  9 12:07:38 g0n kernel: grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/tlsmgr[tlsmgr:26340] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: inet_addr_local: configured 3 IPv4 addresses
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: mynetworks_core: 127.0.0.1/32
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: process generation: 5 (5)
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: tls_prng_dev_open: opened entropy device /dev/urandom
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: set_eugid: euid 207 egid 207
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: tls_prng_exch_open: opened PRNG exchange file /var/lib/postfix/prng_exch
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: name_mask: 3
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: warning: request to update table btree:/etc/postfix/smtp_scache in non-postfix directory /etc/postfix
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: open smtp TLS cache btree:/var/lib/postfix/smtp_scache
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: Compiled against Berkeley DB: 6.0.30?
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: Run-time linked against Berkeley DB: 6.0.30?
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: dict_open: btree:/var/lib/postfix/smtp_scache
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: set_eugid: euid 0 egid 0
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: tls_prng_dev_read: read 32 bytes from entropy device /dev/urandom
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: tlsmgr_prng_exch_event: update PRNG exchange file
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: tlsmgr_cache_run_event: start TLS smtp session cache cleanup
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: connection established fd 128
Jul  9 12:07:38 g0n postfix/tlsmgr[26340]: connection established fd 129
...
Jul  9 12:07:38 g0n postfix/qmgr[26334]: transport_event: smtp
Jul  9 12:07:38 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: status
Jul  9 12:07:38 g0n postfix/qmgr[26334]: input attribute name: status
Jul  9 12:07:38 g0n postfix/qmgr[26334]: input attribute value: 0
Jul  9 12:07:38 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: (list terminator)
Jul  9 12:07:38 g0n postfix/qmgr[26334]: input attribute name: (end)
Jul  9 12:07:38 g0n postfix/qmgr[26334]: qmgr_peer_select: C74B63805D2 smtp [mail.t-com.hr] (1 of 5)
Jul  9 12:07:38 g0n postfix/qmgr[26334]: qmgr_job_retire: C74B63805D2
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr flags = 3
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr queue_name = active
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr queue_id = C74B63805D2
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr offset = 277
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr size = 6021
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr nexthop = [mail.t-com.hr]
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr encoding =
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr smtputf8 = 0
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr sender = [email protected]

...
Code:
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr original_recipient = [email protected]
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr recipient = [email protected]
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr offset = 254
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr dsn_orig_rcpt = rfc822;[email protected]
Jul  9 12:07:38 g0n postfix/qmgr[26334]: send attr notify_flags = 0
Jul  9 12:07:38 g0n postfix/qmgr[26334]: qmgr_deliver: site `[mail.t-com.hr]'
Jul  9 12:07:38 g0n postfix/qmgr[26334]: done incoming queue scan
Jul  9 12:07:38 g0n postfix/qmgr[26334]: mail_flow_put: 99 99
Jul  9 12:07:39 g0n postfix/smtp[26339]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 220 ls266.t-com.hr ESMTP Rock and Roll
Jul  9 12:07:39 g0n postfix/smtp[26339]: > mail.t-com.hr[195.29.150.5]:25: EHLO g0n.localdomain
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-ls266.t-com.hr
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-PIPELINING
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-SIZE 15728640
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-ETRN
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-STARTTLS
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-ENHANCEDSTATUSCODES
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250 8BITMIME
Jul  9 12:07:39 g0n postfix/smtp[26339]: server features: 0x101f size 15728640
Jul  9 12:07:39 g0n postfix/smtp[26339]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
Jul  9 12:07:39 g0n postfix/smtp[26339]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul  9 12:07:39 g0n postfix/smtp[26339]: > mail.t-com.hr[195.29.150.5]:25: STARTTLS
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 220 2.0.0 Ready to start TLS
Jul  9 12:07:39 g0n postfix/smtp[26339]: setting up TLS connection to mail.t-com.hr[195.29.150.5]:25
Jul  9 12:07:39 g0n postfix/smtp[26339]: mail.t-com.hr[195.29.150.5]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jul  9 12:07:39 g0n postfix/smtp[26339]: looking for session smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5 in smtp cache
Jul  9 12:07:39 g0n postfix/smtp[26339]: send attr request = lookup
Jul  9 12:07:39 g0n postfix/smtp[26339]: send attr cache_type = smtp
Jul  9 12:07:39 g0n postfix/smtp[26339]: send attr cache_id = smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: master_notify: status 0
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: request
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: request
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute value: lookup
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: cache_type
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: cache_type
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute value: smtp
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: cache_id
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: cache_id
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute value: smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: (list terminator)
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: (end)
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: lookup smtp session id=smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: send attr status = 4294967295
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: send attr session = [data 0 bytes]
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: master_notify: status 1
Jul  9 12:07:39 g0n postfix/smtp[26339]: private/tlsmgr: wanted attribute: status
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute name: status
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute value: 4294967295
Jul  9 12:07:39 g0n postfix/smtp[26339]: private/tlsmgr: wanted attribute: session
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute name: session
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute value: (end)
Jul  9 12:07:39 g0n postfix/smtp[26339]: private/tlsmgr: wanted attribute: (list terminator)
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute name: (end)
Jul  9 12:07:39 g0n postfix/smtp[26339]: send attr request = seed
Jul  9 12:07:39 g0n postfix/smtp[26339]: send attr size = 32
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: master_notify: status 0
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: request
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: request
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute value: seed
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: size
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: size
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute value: 32
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: (list terminator)
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: (end)
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: send attr status = 0
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: send attr seed = [data 32 bytes]
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: master_notify: status 1
Jul  9 12:07:39 g0n postfix/smtp[26339]: private/tlsmgr: wanted attribute: status
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute name: status
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute value: 0
Jul  9 12:07:39 g0n postfix/smtp[26339]: private/tlsmgr: wanted attribute: seed
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute name: seed
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute value: 1KGs8ec2R2nOBRKNPyGBZZ3ouh3jsbNJRyooH4WuTZ8=
Jul  9 12:07:39 g0n postfix/smtp[26339]: private/tlsmgr: wanted attribute: (list terminator)
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute name: (end)
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:before/connect initialization
Jul  9 12:07:39 g0n postfix/smtp[26339]: write to 6F62311730 [6F6231CC00] (517 bytes => 517 (0x205))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 16 03 01 02 00 01 00 01|fc 03 03 b7 e7 5b c6 e9  ........ .....[..
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0010 b8 de 31 a8 f1 ba ef 6f|b3 ce 16 ad e8 01 87 fb  ..1....o ........

...[cutting out most of the mumbo-jumbo in canonical hex, IIUC]...
Code:
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0150 01 05 02 05 03 04 01 04|02 04 03 03 01 03 02 03  ........ ........
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0160 03 02 01 02 02 02 03 00|0f 00 01 01 00 15 00 95  ........ ........
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0170 - <SPACES/NULLS>
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:SSLv2/v3 write client hello A

Is this:
Code:
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322160] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))

the EOL? Only thinking loud...
Code:
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322160] (7 bytes => 7 (0x7))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 16 03 01 00 51 02                                ....Q.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0006 - <SPACES/NULLS>
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F6232216A] (79 bytes => 79 (0x4F))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 00 4d 03 01 55 9e 47 c8|c8 15 f9 06 09 d2 fa 3d  .M..U.G. .......=
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0010 72 f7 38 2c 57 5d 53 6a|e7 40 30 9a 47 cc 7d 82  r.8,W]Sj .@0.G.}.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0020 f4 12 2d c7 20 15 57 14|d3 6d 0b 55 d7 77 9d 24  ..-. .W. .m.U.w.$
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0030 e9 1f 58 7c e6 09 2b 5c|de 31 ff 7c 1c a3 51 e6  ..X|..+\ .1.|..Q.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0040 6b 7a f1 18 e0 00 39 00|00 05 ff 01 00 01        kz....9. ......
Jul  9 12:07:39 g0n postfix/smtp[26339]: 004e - <SPACES/NULLS>
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:SSLv3 read server hello A

That is by no means the latest and meanest of SSL/TLS standards, but the old SSLv3 which Croatian T-com uses, IIUC. They should use TLSv2 instead.
Code:
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322163] (5 bytes => 5 (0x5))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 16 03 01 10 93                                   .....
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322168] (4243 bytes => 1277 (0x4FD))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 0b 00 10 8f 00 10 8c 00|04 79 30 82 04 75 30 82  ........ .y0..u0.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0010 03 5d a0 03 02 01 02 02|10 63 f4 44 19 e5 75 ad  .]...... .c.D..u.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0020 1d 9d 44 33 cb 0c 14 33|26 30 0d 06 09 2a 86 48  ..D3...3 &0...*.H
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0030 86 f7 0d 01 01 05 05 00|30 5e 31 0b 30 09 06 03  ........ 0^1.0...
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0040 55 04 06 13 02 55 53 31|15 30 13 06 03 55 04 0a  U....US1 .0...U..
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0050 13 0c 54 68 61 77 74 65|2c 20 49 6e 63 2e 31 1d  ..Thawte , Inc.1.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0060 30 1b 06 03 55 04 0b 13|14 44 6f 6d 61 69 6e 20  0...U... .Domain
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0070 56 61 6c 69 64 61 74 65|64 20 53 53 4c 31 19 30  Validate d SSL1.0
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0080 17 06 03 55 04 03 13 10|54 68 61 77 74 65 20 44  ...U.... Thawte D
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0090 56 20 53 53 4c 20 43 41|30 1e 17 0d 31 34 30 39  V SSL CA 0...1409
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00a0 31 38 30 30 30 30 30 30|5a 17 0d 31 35 31 31 31  18000000 Z..15111
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00b0 37 32 33 35 39 35 39 5a|30 18 31 16 30 14 06 03  7235959Z 0.1.0...
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00c0 55 04 03 14 0d 6d 61 69|6c 2e 74 2d 63 6f 6d 2e  U....mai l.t-com.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00d0 68 72 30 82 01 22 30 0d|06 09 2a 86 48 86 f7 0d  hr0.."0. ..*.H...
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00e0 01 01 01 05 00 03 82 01|0f 00 30 82 01 0a 02 82  ........ ..0.....

Croatian T-com flaunting Thawte certificate here.
Code:
Jul  9 12:07:39 g0n postfix/smtp[26339]: 04c0 53 65 72 76 69 63 65 73|20 44 69 76 69 73 69 6f  Services  Divisio
Jul  9 12:07:39 g0n postfix/smtp[26339]: 04d0 6e 31 21 30 1f 06 03 55|04 03 13 18 54 68 61 77  n1!0...U ....Thaw
Jul  9 12:07:39 g0n postfix/smtp[26339]: 04e0 74 65 20 50 72 65 6d 69|75 6d 20 53 65 72 76 65  te Premi um Serve
Jul  9 12:07:39 g0n postfix/smtp[26339]: 04f0 72 20 43 41 31 28 30 26|06 09 2a 86 48 86 f7 0d  r CA1(0& ..*.H...
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0500 01 09 01 16 19 70 72 65|6d 69 75 6d 2d 73 65 72  .....pre mium-ser
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0510 76 65 72 40 74 68 61 77|74 65 2e 63 6f 6d 30 1e  ver@thaw te.com0.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0520 17 0d 30 36 31 31 31 37|30 30 30 30 30 30 5a 17  ..061117 000000Z.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0530 0d 32 30 31 32 33 30 32|33 35 39 35 39 5a 30 81  .2012302 35959Z0.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0540 a9 31 0b 30 09 06 03 55|04 06 13 02 55 53 31 15  .1.0...U ....US1.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0550 30 13 06 03 55 04 0a 13|                         0...U...
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322BBD] (1598 bytes => -1 (0xFFFFFFFFFFFFFFFF))

Another EOL? Only thinking loud...
Code:
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322BBD] (1598 bytes => 1368 (0x558))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 0c 74 68 61 77 74 65 2c|20 49 6e 63 2e 31 28 30  .thawte,  Inc.1(0
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0010 26 06 03 55 04 0b 13 1f|43 65 72 74 69 66 69 63  &..U.... Certific
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0020 61 74 69 6f 6e 20 53 65|72 76 69 63 65 73 20 44  ation Se rvices D
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0030 69 76 69 73 69 6f 6e 31|38 30 36 06 03 55 04 0b  ivision1 806..U..
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0040 13 2f 28 63 29 20 32 30|30 36 20 74 68 61 77 74  ./(c) 20 06 thawt
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0050 65 2c 20 49 6e 63 2e 20|2d 20 46 6f 72 20 61 75  e, Inc.  - For au
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0060 74 68 6f 72 69 7a 65 64|20 75 73 65 20 6f 6e 6c  thorized  use onl
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0070 79 31 1f 30 1d 06 03 55|04 03 13 16 74 68 61 77  y1.0...U ....thaw
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0080 74 65 20 50 72 69 6d 61|72 79 20 52 6f 6f 74 20  te Prima ry Root
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0090 43 41 30 82 01 22 30 0d|06 09 2a 86 48 86 f7 0d  CA0.."0. ..*.H...

...Cut out a huge lump of text here to spare the readers...
Code:
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00a0 f1 4a b0 28 46 c9 c3 c4|42 7d bc fa ab 59 6e d5  .J.(F... B}...Yn.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00b0 b7 51 88 11 e3 a4 85 19|6b 82 4c a4 0c 12 ad e9  .Q...... k.L.....
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00c0 a4 ae 3f f1 c3 49 65 9a|8c c5 c8 3e 25 b7 94 99  ..?..Ie. ...>%...
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00d0 bb 92 32 71 07 f0 86 5e|ed 50 27 a6 0d a6 23 f9  ..2q...^ .P'...#.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00e0 bb cb a6 07 14 42                                .....B
Jul  9 12:07:39 g0n postfix/smtp[26339]: mail.t-com.hr[195.29.150.5]:25: depth=3 verify=0 subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
Jul  9 12:07:39 g0n postfix/smtp[26339]: mail.t-com.hr[195.29.150.5]:25: depth=3 verify=1 subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
Jul  9 12:07:39 g0n postfix/smtp[26339]: mail.t-com.hr[195.29.150.5]:25: depth=2 verify=1 subject=/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
Jul  9 12:07:39 g0n postfix/smtp[26339]: mail.t-com.hr[195.29.150.5]:25: depth=1 verify=1 subject=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
Jul  9 12:07:39 g0n postfix/smtp[26339]: mail.t-com.hr[195.29.150.5]:25: depth=0 verify=1 subject=/CN=mail.t-com.hr
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:SSLv3 read server certificate A
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322163] (5 bytes => 5 (0x5))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 16 03 01 02 0d                                   .....
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322168] (525 bytes => 525 (0x20D))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 0c 00 02 09 00 80 b0 fe|b4 cf d4 55 07 e7 cc 88  ........ ...U....
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0010 59 0d 17 26 c5 0c a5 4a|92 23 81 78 da 88 aa 4c  Y..&...J .#.x...L
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0020 13 06 bf 5d 2f 9e bc 96|b8 51 00 9d 0c 0d 75 ad  ...]/... .Q....u.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0030 fd 3b b1 7e 71 4f 3f 91|54 14 44 b8 30 25 1c eb  .;.~qO?. T.D.0%..
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0040 df 72 9c 4c f1 89 0d 68|3f 94 8e a4 fb 76 89 18  .r.L...h ?....v..
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0050 b2 91 16 90 01 99 66 8c|53 81 4e 27 3d 99 e7 5a  ......f. S.N'=..Z
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0060 7a af d5 ec e2 7e fa ed|01 18 c2 78 25 59 06 5c  z....~.. ...x%Y.\
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0070 39 f6 cd 49 54 af c1 b1|ea 4a f9 53 d0 df 6d af  9..IT... .J.S..m.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0080 d4 93 e7 ba ae 9b 00 01|02 00 80 09 90 76 be fa  ........ .....v..
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0090 cc 8c 41 73 ea 0d 0c ab|bf 30 5a 73 ae 3b 34 a0  ..As.... .0Zs.;4.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00a0 c6 ac fc 8c 0d 3b 3f e3|7f 6d 3d 09 63 6b cf 40  .....;?. .m=.ck.@
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00b0 f0 dd 65 ba bd f7 74 97|da c3 5b b1 e7 1d 2c a8  ..e...t. ..[...,.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00c0 bb eb f3 6a b1 1c 16 c8|cf de 53 54 1d 3d 41 66  ...j.... ..ST.=Af
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00d0 30 85 a9 35 ae 87 a4 5b|ff c5 70 4c 97 0f 50 45  0..5...[ ..pL..PE
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00e0 d3 37 2b 9b 08 ec 68 db|c3 ff 21 e2 09 d5 cb 76  .7+...h. ..!....v
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00f0 7a 06 3d 9d 06 d5 18 92|85 c8 7c 70 42 ad 15 49  z.=..... ..|pB..I
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0100 f0 a0 d4 e7 06 05 47 d4|aa 4b 9a 01 00 9b 8c 5b  ......G. .K.....[
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0110 b6 41 0f 6c 9f d2 8f 8e|d3 5c 0c e2 45 0f c8 59  .A.l.... .\..E..Y
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0120 d7 46 a7 27 05 c6 4f 62|c8 29 35 d3 e2 da 8a f7  .F.'..Ob .)5.....
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0130 a4 49 c3 6c 42 ec 76 96|ca e1 80 6b 0a 31 5a 80  .I.lB.v. ...k.1Z.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0140 cb 45 e1 cc c6 2c 07 29|6d e9 db 9a 88 fd 2e 7e  .E...,.) m......~
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0150 61 cd 8b 65 3e d8 9c 95|46 4e 4f 75 7a a7 9b 1b  a..e>... FNOuz...
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0160 f4 88 c2 1e 84 4c bd 7a|1f 24 06 88 08 fb 2e 8f  .....L.z .$......
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0170 3d da f9 89 22 0d 12 0b|f3 c5 8f 48 3a 4b 69 00  =..."... ...H:Ki.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0180 8d 51 53 62 50 a4 b0 c1|48 b2 2e c6 a1 ba b6 a4  .QSbP... H.......
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0190 f5 b7 82 a8 30 6b e0 76|b8 ee d6 5d 8b e2 57 1e  ....0k.v ...]..W.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 01a0 76 8f 6b 3a 74 4d ce a3|1d 83 0a fa 0a c4 c9 e3  v.k:tM.. ........
Jul  9 12:07:39 g0n postfix/smtp[26339]: 01b0 fb e2 cc 97 4a 59 99 0e|31 4e e9 7b ac 59 d1 4f  ....JY.. 1N.{.Y.O
Jul  9 12:07:39 g0n postfix/smtp[26339]: 01c0 ad dc d2 0d 45 72 60 67|af c2 09 c1 4b 9f 08 fe  ....Er`g ....K...
Jul  9 12:07:39 g0n postfix/smtp[26339]: 01d0 9c 32 12 98 96 e3 ec cc|28 02 3b f8 39 69 6e 1f  .2...... (.;.9in.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 01e0 0b 83 32 22 6f 9b fb 9d|f8 34 c3 55 c2 e6 ed d0  ..2"o... .4.U....
Jul  9 12:07:39 g0n postfix/smtp[26339]: 01f0 f2 f8 68 69 79 11 74 2a|e3 ac 39 91 ac c8 09 96  ..hiy.t* ..9.....
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0200 97 1d 46 df e5 42 08 bf|14 91 6c aa f8           ..F..B.. ..l..
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:SSLv3 read server key exchange A
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322163] (5 bytes => 5 (0x5))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 16 03 01 00 04                                   .....
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322168] (4 bytes => 4 (0x4))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 0e                                               .
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0001 - <SPACES/NULLS>
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:SSLv3 read server done A
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:SSLv3 write client key exchange A
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:SSLv3 write change cipher spec A
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:SSLv3 write finished A
Jul  9 12:07:39 g0n postfix/smtp[26339]: write to 6F62311730 [6F623300A0] (198 bytes => 198 (0xC6))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 16 03 01 00 86 10 00 00|82 00 80 03 10 82 a4 1d  ........ ........
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0010 29 6b a2 fd 84 5f 7d 47|c6 f9 ba f5 2e 4d 9a 76  )k..._}G .....M.v
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0020 ef 0e 6f b5 a4 b1 3a 85|b4 81 2a 2a 19 5f 3d 24  ..o...:. ..**._=$
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0030 41 a2 2c de ed ee c8 c2|bf 50 27 d2 91 8d e5 df  A.,..... .P'.....
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0040 fb 84 28 dd f2 35 66 09|e8 c0 79 c3 64 e2 1e 79  ..(..5f. ..y.d..y
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0050 1a ea d9 78 96 fe a1 d3|ea af ba 89 66 2f f9 74  ...x.... ....f/.t
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0060 a7 19 63 61 01 cd 8f 01|27 08 8b d6 a7 88 11 ac  ..ca.... '.......
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0070 09 b4 83 e0 c6 da 6b ed|17 87 5b c0 8b 78 31 b0  ......k. ..[..x1.
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0080 30 4d 76 a9 dd fc fb 93|ea 4b 45 14 03 01 00 01  0Mv..... .KE.....
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0090 01 16 03 01 00 30 46 7c|92 83 e2 22 50 a4 75 25  .....0F| ..."P.u%
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00a0 1b 74 07 ca 75 d6 5f 48|79 ea 21 9b a5 24 a4 4d  .t..u._H y.!..$.M
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00b0 3f f8 f1 64 33 31 5f 6d|d7 3c ee 1c 99 56 35 7a  ?..d31_m .<...V5z
Jul  9 12:07:39 g0n postfix/smtp[26339]: 00c0 e5 ef 65 74 4e 34                                ..etN4
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:SSLv3 flush data
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322163] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322163] (5 bytes => 5 (0x5))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 14 03 01 00 01                                   .....
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322168] (1 bytes => 1 (0x1))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 01                                               .
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322163] (5 bytes => 5 (0x5))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 16 03 01 00 30                                   ....0
Jul  9 12:07:39 g0n postfix/smtp[26339]: read from 6F62311730 [6F62322168] (48 bytes => 48 (0x30))
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0000 79 3e ef a9 79 05 54 80|4b 20 34 6d 7c 6b 1f 89  y>..y.T. K 4m|k..
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0010 f4 3f 02 19 bc 0a 89 6a|ed 96 8a 74 42 76 0c 12  .?.....j ...tBv..
Jul  9 12:07:39 g0n postfix/smtp[26339]: 0020 40 b5 1e 57 53 f3 e6 6e|f9 24 dc 4b 14 7e 28 c4  @..WS..n .$.K.~(.
Jul  9 12:07:39 g0n postfix/smtp[26339]: SSL_connect:SSLv3 read finished A
Jul  9 12:07:39 g0n postfix/smtp[26339]: save session smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5 to smtp cache
Jul  9 12:07:39 g0n postfix/smtp[26339]: send attr request = update
Jul  9 12:07:39 g0n postfix/smtp[26339]: send attr cache_type = smtp
Jul  9 12:07:39 g0n postfix/smtp[26339]: send attr cache_id = smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5
Jul  9 12:07:39 g0n postfix/smtp[26339]: send attr session = [data 1271 bytes]
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: master_notify: status 0
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: request
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: request
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute value: update
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: cache_type
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: cache_type
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute value: smtp
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: cache_id
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: cache_id
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute value: smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: session
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: session
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute value: MIIE8wIBAQICAwEEAgA5BCAVVxTTbQtV13edJOkfWHz

...I broke the string of the attribute value and cut 1500 chars out, to spare the readers...
Code:
SStAGlS7mvCWfGfeCFFQxk98vlV7Y2AVGxkuYTGyJYSkq9tyo0Bvxk+IgLAFWKYgcbuR5yfVWyzydYOoKN90Qq3Mz0p6nXWtbwj5uD65sJDmMl2lRgDV9Q4pPJ9AHdtJ0ffxN+GoAKikAgQApQMCARM=
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: tlsmgr socket: wanted attribute: (list terminator)
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: input attribute name: (end)
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: put smtp session id=smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5 [data 1271 bytes]
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: write smtp TLS cache entry smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5: time=1436436459 [data 1271 bytes]
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: send attr status = 0
Jul  9 12:07:39 g0n postfix/tlsmgr[26340]: master_notify: status 1
Jul  9 12:07:39 g0n postfix/smtp[26339]: private/tlsmgr: wanted attribute: status
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute name: status
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute value: 0
Jul  9 12:07:39 g0n postfix/smtp[26339]: private/tlsmgr: wanted attribute: (list terminator)
Jul  9 12:07:39 g0n postfix/smtp[26339]: input attribute name: (end)
Jul  9 12:07:39 g0n postfix/smtp[26339]: mail.t-com.hr[195.29.150.5]:25: subject_CN=mail.t-com.hr, issuer_CN=Thawte DV SSL CA, fingerprint=57:11:8D:AB:B9:B1:47:66:F5:30:72:87:C8:DC:AD:9A, pkey_fingerprint=54:2F:63:8B:8E:F8:D2:48:3A:EF:73:11:49:78:02:A0
Jul  9 12:07:39 g0n postfix/smtp[26339]: Untrusted TLS connection established to mail.t-com.hr[195.29.150.5]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Untrusted? Because, as is usually the case, no auth keys on the client side? Or?
Code:
Jul  9 12:07:39 g0n postfix/smtp[26339]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul  9 12:07:39 g0n postfix/smtp[26339]: > mail.t-com.hr[195.29.150.5]:25: EHLO g0n.localdomain
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-ls266.t-com.hr
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-PIPELINING
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-SIZE 15728640
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-ETRN
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250-ENHANCEDSTATUSCODES
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250 8BITMIME
Jul  9 12:07:39 g0n postfix/smtp[26339]: server features: 0x100f size 15728640
Jul  9 12:07:39 g0n postfix/smtp[26339]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
Jul  9 12:07:39 g0n postfix/smtp[26339]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul  9 12:07:39 g0n postfix/smtp[26339]: > mail.t-com.hr[195.29.150.5]:25: MAIL FROM:<[email protected]> SIZE=6021
Jul  9 12:07:39 g0n postfix/smtp[26339]: > mail.t-com.hr[195.29.150.5]:25: RCPT TO:<[email protected]>
Jul  9 12:07:39 g0n postfix/smtp[26339]: > mail.t-com.hr[195.29.150.5]:25: DATA
Jul  9 12:07:39 g0n postfix/smtp[26339]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250 2.1.0 Ok
Jul  9 12:07:39 g0n postfix/smtp[26339]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250 2.1.5 Ok
Jul  9 12:07:39 g0n postfix/smtp[26339]: smtp_stream_setup: maxtime=120 enable_deadline=0
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 354 End data with <CR><LF>.<CR><LF>
Jul  9 12:07:39 g0n postfix/smtp[26339]: smtp_stream_setup: maxtime=180 enable_deadline=0
Jul  9 12:07:39 g0n postfix/smtp[26339]: > mail.t-com.hr[195.29.150.5]:25: .
Jul  9 12:07:39 g0n postfix/smtp[26339]: > mail.t-com.hr[195.29.150.5]:25: QUIT
Jul  9 12:07:39 g0n postfix/smtp[26339]: smtp_stream_setup: maxtime=600 enable_deadline=0
Jul  9 12:07:39 g0n postfix/smtp[26339]: < mail.t-com.hr[195.29.150.5]:25: 250 2.0.0 Ok: queued as F0DF3120274
Jul  9 12:07:39 g0n postfix/smtp[26339]: C74B63805D2: to=<[email protected]>, relay=mail.t-com.hr[195.29.150.5]:25, delay=28, delays=27/0.08/0.25/0.23, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as F0DF3120274)
Jul  9 12:07:39 g0n postfix/smtp[26339]: name_mask: resource
Jul  9 12:07:39 g0n postfix/smtp[26339]: name_mask: software
Jul  9 12:07:39 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: status
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute name: status
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute value: (end)
Jul  9 12:07:39 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: diag_type
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute name: diag_type
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute value: (end)
Jul  9 12:07:39 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: diag_text
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute name: diag_text
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute value: (end)
Jul  9 12:07:39 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: mta_type
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute name: mta_type
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute value: (end)
Jul  9 12:07:39 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: mta_mname
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute name: mta_mname
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute value: (end)
Jul  9 12:07:39 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: action
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute name: action
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute value: (end)
Jul  9 12:07:39 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: reason
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute name: reason
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute value: (end)
Jul  9 12:07:39 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: status
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute name: status
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute value: 0
Jul  9 12:07:39 g0n postfix/qmgr[26334]: private/smtp socket: wanted attribute: (list terminator)
Jul  9 12:07:39 g0n postfix/qmgr[26334]: input attribute name: (end)
Jul  9 12:07:39 g0n postfix/qmgr[26334]: qmgr_queue_unthrottle: queue [mail.t-com.hr]
Jul  9 12:07:39 g0n postfix/qmgr[26334]: qmgr_active_done: C74B63805D2
Jul  9 12:07:39 g0n postfix/qmgr[26334]: C74B63805D2: removed
Jul  9 12:07:39 g0n postfix/qmgr[26334]: qmgr_job_free: C74B63805D2 smtp
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) exec of /usr/sbin/sendmail (mailq ) by /usr/sbin/sendmail[bash:26342] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/sendmail[mailq:26342] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) exec of /usr/sbin/postqueue (postqueue -p ) by /usr/sbin/postqueue[mailq:26342] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postqueue[postqueue:26342] uid/euid:0/0 gid/egid:0/208, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) exec of /usr/libexec/postfix/showq (showq -t unix -u ) by /usr/libexec/postfix/showq[master:26343] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/showq[showq:26343] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:43 g0n postfix/qmgr[26334]: rewrite stream disconnect
Jul  9 12:07:43 g0n postfix/trivial-rewrite[26338]: connection closed fd 128
Jul  9 12:07:44 g0n postfix/tlsmgr[26340]: connection closed fd 128
Jul  9 12:07:45 g0n kernel: 8139too 0000:04:06.0 eth1: link down
Jul  9 12:07:45 g0n dhcpcd[31589]: eth1: carrier lost

And the above "carrier lost" is because I pulled the connection out.

I know advanced users have noticed a few gross mistakes of mine in the logs above.

And that is what I promised I would explain, to newbies (and I hope advanced readers will allow my verbosity, as most of the big guys like to see new little hardened penguins around ;-) ...)

If you Ctrl-F (the shortcut key in most browsers for searching text), input admin into the field and search this post for it, you will see all of these in this post:

Code:
Jul  9 12:07:38 g0n kernel: grsec: (admin:S:/) exec of /usr/libexec/postfix/tlsmgr (tlsmgr -l -t unix -u -v ) by /usr/libexec/postfix/tlsmgr[master:26340] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:38 g0n kernel: grsec: (admin:S:/) exec of /usr/libexec/postfix/tlsmgr (tlsmgr -l -t unix -u -v ) by /usr/libexec/postfix/tlsmgr[master:26340] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:38 g0n kernel: grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/tlsmgr[tlsmgr:26340] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) exec of /usr/sbin/sendmail (mailq ) by /usr/sbin/sendmail[bash:26342] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/sendmail[mailq:26342] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) exec of /usr/sbin/postqueue (postqueue -p ) by /usr/sbin/postqueue[mailq:26342] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postqueue[postqueue:26342] uid/euid:0/0 gid/egid:0/208, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) exec of /usr/libexec/postfix/showq (showq -t unix -u ) by /usr/libexec/postfix/showq[master:26343] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/showq[showq:26343] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0

In other words, because the message was sent after Postfix restarted, I have made it do all that work as admin.

_That_ is not good. Running tasks in higher roles, with higher privileges than required, is dangerous, and in this case I ran it as the real superuser of the grsecurity-controlled system, as admin. I can't look for quotes now, but I'm sure spender and the PaX Team said that a number of times in many places, in the docs and elsewhere.

The actual mail that I sent is this one:

Github et alia login/cookies issue
http://lists.dillo.org/pipermail/dillo- ... 10594.html

I can tell so, because, together with the ample logging that I get from grsecurity and postfix, I also carefully screencast and capture traffic when I go online, with my:

The uncenz
http://github.com/miroR/uncenz

program, so, I just looked into my screencast of that bout online.

(
Regarding dillo and the issue of cookies, there is a topic dedicated to RBAC policy configuration for Dillo in Grsecurity Forums:

Deploy RBAC on Dillo browser
viewtopic.php?f=5&t=4228
)

In the next post, I try and correct this sending of messages in admin-role issue.
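The script below is an added example, written for this edit and not code from the post or from grsecurity. It is a small triage tool for grsec audit lines of exactly the shape quoted above: it parses the (role:type:subject) prefix, the exec/chdir event, the binary, argv, uid/euid and parent, lists every exec that ran under the admin role (the mistake the post identifies), pulls out the "error switching euid ... Operation not permitted" messages that appear in the next post, and measures how long grsec has stayed silent while other daemons kept logging. The sample lines are copied from the excerpts in this thread. The role prefix is treated as optional because grsec prints it only while the RBAC system is enabled; a grsec line without it, like the one in the post of 13 July, was written with RBAC not enabled.

```python
"""grsecurity RBAC audit-log triage (added example; not code from the post).
Parses kernel lines of the shape quoted in this thread,
  grsec: (role:type:subject) exec of PATH (ARGV) by EXE[comm:pid] uid/euid:U/E gid/egid:G/E, parent ...
and reports which execs ran under the full-privilege admin role, where the
seteuid/setegid denials are, and how long grsec stayed silent while other
daemons kept logging."""
import re
from collections import Counter, defaultdict
from datetime import datetime

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
# grsec prints the (role:type:subject) prefix only while the RBAC system is
# enabled, so it is optional here; lines without it land in "(no role)".
GRSEC = re.compile(
    r"grsec: (?:\((?P<role>[^:)]+):(?P<rtype>[A-Z]):(?P<subject>[^)]*)\) )?"
    r"(?P<event>exec of|chdir to) (?P<path>\S+)(?: \((?P<argv>[^)]*)\))?"
    r" by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
    r" uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+),"
    r" parent (?P<pexe>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]")
SETEUID_FAIL = re.compile(
    r"error switching euid to (?P<euid>\d+) and egid to (?P<egid>\d+): Operation not permitted")

# Sample input: lines copied from the log excerpts in this thread, in order
# (the duplicated tlsmgr exec line is included once).
SAMPLE_LOG = """\
Jul  9 12:07:38 g0n kernel: grsec: (admin:S:/) exec of /usr/libexec/postfix/tlsmgr (tlsmgr -l -t unix -u -v ) by /usr/libexec/postfix/tlsmgr[master:26340] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:38 g0n kernel: grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/tlsmgr[tlsmgr:26340] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) exec of /usr/sbin/sendmail (mailq ) by /usr/sbin/sendmail[bash:26342] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) exec of /usr/sbin/postqueue (postqueue -p ) by /usr/sbin/postqueue[mailq:26342] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postqueue[postqueue:26342] uid/euid:0/0 gid/egid:0/208, parent /bin/bash[bash:31437] uid/euid:0/0 gid/egid:0/0
Jul  9 12:07:41 g0n kernel: grsec: (admin:S:/) exec of /usr/libexec/postfix/showq (showq -t unix -u ) by /usr/libexec/postfix/showq[master:26343] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:26332] uid/euid:0/0 gid/egid:0/0
Jul 10 03:10:22 g0n kernel: grsec: (root:U:/etc/cron.daily) chdir to /Cmn/dLo/gentoo/xml/htdocs/news/ja by /usr/bin/updatedb[updatedb:17886] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/mlocate[mlocate:17878] uid/euid:0/0 gid/egid:0/0
Jul 10 03:10:22 g0n syslog-ng[2332]: I/O error occurred while reading; fd='14', error='Broken pipe (32)'
Jul 10 03:10:22 g0n run-crons[17889]: (root) CMD (/etc/cron.daily/rkhunter)
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N error: error switching euid to 102 and egid to 104: Operation not permitted
Jul 13 14:26:55 g0n kernel: [413957.821554] grsec: chdir to /var/spool/postfix by /usr/libexec/postfix/cleanup[cleanup:19411] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21707] uid/euid:0/0 gid/egid:0/0
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S")   # syslog has no year; 1900 orders fine

def parse_grsec(line):
    """Fields of a grsec exec/chdir audit line, or None for any other line."""
    m = GRSEC.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["role"] = rec["role"] or "(no role)"
    rec["event"] = "exec" if rec["event"] == "exec of" else "chdir"
    for key in ("pid", "uid", "euid", "gid", "egid", "ppid"):
        rec[key] = int(rec[key])
    ts = SYSLOG_TS.match(line)
    rec["ts"] = parse_ts(ts["ts"]) if ts else None
    return rec

def events_by_role(lines):
    """role -> Counter of event kinds; a good policy leaves 'admin' almost empty."""
    out = defaultdict(Counter)
    for rec in filter(None, map(parse_grsec, lines)):
        out[rec["role"]][rec["event"]] += 1
    return out

def role_execs(lines, role="admin"):
    """(binary, argv, euid, parent binary) for every exec logged under `role`."""
    return [(r["path"], (r["argv"] or "").strip(), r["euid"], r["pexe"])
            for r in filter(None, map(parse_grsec, lines))
            if r["event"] == "exec" and r["role"] == role]

def seteuid_failures(lines):
    """(euid, egid) a program failed to switch to: the denial the thread title names."""
    return [(int(m["euid"]), int(m["egid"])) for m in map(SETEUID_FAIL.search, lines) if m]

def grsec_logging_gap(lines):
    """Seconds from the last grsec audit line to the last line of any kind.
    Growing while other daemons keep logging is the symptom in the second post."""
    last_grsec = last_any = None
    for line in lines:
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        last_any = parse_ts(m["ts"])
        if parse_grsec(line):
            last_grsec = last_any
    if last_grsec is None or last_any is None:
        return None
    return int((last_any - last_grsec).total_seconds())

if __name__ == "__main__":
    for role, counts in sorted(events_by_role(SAMPLE_LINES).items()):
        print(f"{role:10} {dict(counts)}")
    for binary, argv, euid, parent in role_execs(SAMPLE_LINES):
        print(f"admin-role exec: {binary} [{argv}] euid={euid} parent={parent}")
    print("seteuid failures:", seteuid_failures(SAMPLE_LINES))
    print("grsec silent for", grsec_logging_gap(SAMPLE_LINES[:-1]), "s before the last line")
```

Pointed at a real /var/log/messages the same functions work on `open(path)` instead of `SAMPLE_LINES`; the admin-role exec list is the quickest way to catch exactly the mistake described above (mail sent, queue inspected, daemons restarted while still in the admin role), and the gap number turns "grsec never logs after that time" into something you can alert on.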

Re: A denied seteuid issue with Postfix (Role: root)

PostPosted: Fri Jul 10, 2015 5:12 am
by timbgo
However, in the logs you won't see much of grsecurity's writing...

Looking into the logs... Looking... into...

[[ The immediately following part is not what I planned, but I see that I have it on my hands. ]]

I don't see the future, and I didn't expect this... When I wrote about syslog-ng, I didn't expect to have to suspect it again this day, no I didn't.

But I do suspect something fishy, as something broke my grsecurity exec_logging.

Namely, the last thing that grsec logged into my /var/log/messages is:

Code:
Jul 10 03:10:22 g0n kernel: grsec: (root:U:/etc/cron.daily) chdir to /Cmn/dLo/gentoo/xml/htdocs/main/fr by /usr/bin/updatedb[updatedb:17886] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/mlocate[mlocate:17878] uid/euid:0/0 gid/egid:0/0

... [80 lines of similar content cut out here]...
Code:
Jul 10 03:10:22 g0n kernel: grsec: (root:U:/etc/cron.daily) chdir to /Cmn/dLo/gentoo/xml/htdocs/news/ja/gmn by /usr/bin/updatedb[updatedb:17886] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/mlocate[mlocate:17878] uid/euid:0/0 gid/egid:0/0
Jul 10 03:10:22 g0n kernel: grsec: (root:U:/etc/cron.daily) chdir to /Cmn/dLo/gentoo/xml/htdocs/news/ja by /usr/bin/updatedb[updatedb:17886] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/mlocate[mlocate:17878] uid/euid:0/0 gid/egid:0/0
Jul 10 03:10:22 g0n kernel: grsec: (root:U:/etc/cron.daily) chdir to /Cmn/dLo/gentoo/xml/htdocs/news/ja/gwn by /usr/bin/updatedb[updatedb:17886] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/mlocate[mlocate:17878] uid/euid:0/0 gid/egid:0/0
Jul 10 03:10:22 g0n kernel: grsec: (root:U:/etc/cron.daily) chdir to /Cmn/dLo/gentoo/xml/htdocs/news/ja by /usr/bin/updatedb[updatedb:17886] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/mlocate[mlocate:17878] uid/euid:0/0 gid/egid:0/0
Jul 10 03:10:22 g0n syslog-ng[2332]: I/O error occurred while reading; fd='14', error='Broken pipe (32)'
Jul 10 03:10:22 g0n run-crons[17889]: (root) CMD (/etc/cron.daily/rkhunter)
Jul 10 03:11:14 g0n postfix/pickup[12365]: trigger_server_accept_local: trigger arrived
Jul 10 03:11:14 g0n postfix/pickup[12365]: master_notify: status 0
Jul 10 03:11:14 g0n postfix/pickup[12365]: master_notify: status 1
Jul 10 03:12:14 g0n postfix/pickup[12365]: trigger_server_accept_local: trigger arrived
Jul 10 03:12:14 g0n postfix/pickup[12365]: master_notify: status 0

... [20 lines cut out here]...
Code:
Jul 10 03:14:14 g0n postfix/pickup[12365]: master_notify: status 1
Jul 10 03:15:05 g0n tripwire[10492]: Integrity Check Complete: /var/lib/tripwire/g0n.twd TWReport g0n 20150710031307 V:123 S:100 A:63 R:21 C:39
Jul 10 03:15:05 g0n run-crons[10499]: (root) CMD (/etc/cron.daily/yclamscan)
Jul 10 03:15:05 g0n postfix/pickup[12365]: trigger_server_accept_local: trigger arrived
Jul 10 03:15:05 g0n postfix/pickup[12365]: master_notify: status 0
Jul 10 03:15:05 g0n postfix/pickup[12365]: before input_transp_cleanup: cleanup flags = enable_bad_mail_bounce enable_header_body_filter enable_automatic_bcc enable_address_mapping enable_milters

... [30 lines cut out here]...
Code:
Jul 10 03:15:05 g0n postfix/pickup[12365]: public/cleanup socket: wanted attribute: queue_id
Jul 10 03:15:05 g0n postfix/pickup[12365]: input attribute name: queue_id
Jul 10 03:15:05 g0n postfix/pickup[12365]: input attribute value: C462C3807F4
Jul 10 03:15:05 g0n postfix/pickup[12365]: public/cleanup socket: wanted attribute: (list terminator)
Jul 10 03:15:05 g0n postfix/pickup[12365]: input attribute name: (end)
Jul 10 03:15:05 g0n postfix/pickup[12365]: send attr flags = 627
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read T 1436490905 751528
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read A rewrite_context=local
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read F root
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read S root
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read M
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: uid=0 from=<root>
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N To: root
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Subject: cron for user root test -x /usr/sbin/run-crons && /usr/sbin/run-crons
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N error: error switching euid to 102 and egid to 104: Operation not permitted
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N error: error switching euid to 102 and egid to 104: Operation not permitted
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N ### Warning: File system error.
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N ### Filename: /dev/port
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N ### No such file or directory
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N ### Continuing...
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N ### Warning: File system error.
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N ### Filename: /proc/slabinfo
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N ### No such file or directory
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N ### Continuing...
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Open Source Tripwire(R) 2.4.2.2 Integrity Check Report
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Report generated by:          root
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Report created on:            Fri 10 Jul 2015 03:13:07 CEST
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Database last updated on:     Never
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N ===============================================================================
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Report Summary:
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N ===============================================================================
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Host name:                    g0n
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Host IP address:              127.0.0.1
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Host ID:                      None
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Policy file used:             /etc/tripwire/tw.pol
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Configuration file used:      /etc/tripwire/tw.cfg
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Database file used:           /var/lib/tripwire/g0n.twd
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Command line used:            /usr/sbin/tripwire --check --quiet

... [180 lines cut out here]...
Code:
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Modified:
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N "/sbin/modinfo"
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N -------------------------------------------------------------------------------
Jul 10 03:15:05 g0n postfix/trivial-rewrite[10511]: inet_addr_local: configured 2 IPv4 addresses
Jul 10 03:15:05 g0n postfix/pickup[12365]: C462C3807F4: read N Rule Name: Boot, Kernel, and Init (/sbin/depmod)
Jul 10 03:15:05 g0n postfix/trivial-rewrite[10511]: mynetworks_core: 127.0.0.1/32

The above is just the message that tripwire is sending into /root/Maildir. That happens at 03:00 daily on my system, as cron is set to that time.

The important thing to notice is that grsecurity exec logging, as well as audit logging, never happens after that time. Let me check...



And, on top of that, the silent logger syslog-ng is:

What matters is, further above

Code:
top - 10:39:21 up 1 day, 15:07,  2 users,  load average: 1.36, 1.35, 1.33
Tasks: 103 total,   1 running, 102 sleeping,   0 stopped,   0 zombie
%Cpu(s): 14.4 us, 16.2 sy,  0.0 ni, 69.4 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 s
KiB Mem : 16402284 total,   138876 free,   773956 used, 15489452 buff/cache
KiB Swap: 20971516 total, 20971488 free,       28 used. 15528424 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND   
 2332 root      20   0  355120   5452   4008 S 128.9  0.0 578:11.92 syslog-ng
 3593 root      20   0  199980  47600  18060 S   2.3  0.3  19:36.87 X         
 3599 miro      20   0  173304  17412  12632 S   0.3  0.1   0:19.20 openbox   
 6479 root      20   0   24960   3044   2524 R   0.3  0.0   1:59.14 top       
13912 miro      20   0  286884  35284  22052 S   0.3  0.2   0:14.70 mplayer   
    1 root      20   0    4268   1520   1416 S   0.0  0.0   0:03.13 init     
 2304 root      20   0    8792    116      0 S   0.0  0.0   0:00.00 lvmetad   
 2331 root      20   0   43164    636      0 S   0.0  0.0   0:00.00 syslog-ng
 2522 root      20   0   12840   1940   1704 S   0.0  0.0   0:00.25 rpcbind   


running like crazy for some reason.

I'll reopen that topic on Gentoo Forums, that I cited in the first post, but whether you can or cannot believe me, I didn't know I would have to be suspicious of syslog-ng all over again.

Yes, syslog-ng seems to have killed some of my grsec functionality, and is still running like crazy:
Code:
top - 10:43:40 up 1 day, 15:12,  2 users,  load average: 1.20, 1.26, 1.29
Tasks: 103 total,   1 running, 102 sleeping,   0 stopped,   0 zombie
%Cpu(s): 14.1 us, 16.2 sy,  0.0 ni, 69.6 id,  0.1 wa,  0.0 hi,  0.0 si,  0.0 s
KiB Mem : 16402284 total,   131032 free,   781580 used, 15489672 buff/cache
KiB Swap: 20971516 total, 20971488 free,       28 used. 15520704 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND   
 2332 root      20   0  355120   5452   4008 S 129.2  0.0 583:45.68 syslog-ng
 3593 root      20   0  199836  47600  18060 S   1.3  0.3  19:37.92 X         
 6479 root      20   0   24960   3044   2524 R   0.3  0.0   1:59.81 top       
    1 root      20   0    4268   1520   1416 S   0.0  0.0   0:03.13 init     
 2304 root      20   0    8792    116      0 S   0.0  0.0   0:00.00 lvmetad   
 2331 root      20   0   43164    636      0 S   0.0  0.0   0:00.00 syslog-ng
 2522 root      20   0   12840   1940   1704 S   0.0  0.0   0:00.25 rpcbind   
 2543 root      20   0   17404   2312   1668 S   0.0  0.0   0:00.00 rpc.statd
 2585 root      20   0   23488    220      0 S   0.0  0.0   0:00.00 rpc.idmapd
 2649 root      20   0   28808   2184   1720 S   0.0  0.0   0:00.00 sshd     
 2671 root      20   0  272948  25084  19640 S   0.0  0.2   0:06.33 apache2   
 2675 apache    20   0  195008   5360   2296 S   0.0  0.0   0:00.00 apache2   
 2676 apache    20   0  196688   5136   2056 S   0.0  0.0   0:02.83 apache2   
 2679 apache    20   0  272948   7168   1716 S   0.0  0.0   0:00.47 apache2   
 2680 apache    20   0  272948   7168   1716 S   0.0  0.0   0:00.00 apache2   
 2681 apache    20   0  272948   7168   1716 S   0.0  0.0   0:00.00 apache2   

I can tell, because it's a silent logger (what's the point of logging, and where are they logging, in my system or from my system, if they're not telling me about my system?)... The silent logger... C'mon!

Anyway, I may have to finish about the details of my talk of Postfix and the mistakes I made, and how I tried to correct it, some time in the future for good.

Since now I can only give you incomplete information of how the addition to my RBAC policy that I made looking into the logs, and studying Grsecurity on Wikibooks, worked.

The following is the addition that I made to my rules on postfix, after finally figuring out what I was doing wrong (and I accept that something is still not right, given that I have to have subject /usr/libexec/postfix in role root, as well as the same /usr/libexec/postfix in role postfix, yet to be configured by grsec learning)...

...[The following] I added to /etc/grsec/policy:
Code:
# Role: root
subject /usr/libexec/postfix/tlsmgr o {
   /            h
   /bin/bash      x
   /dev            h
   /dev/log         rw
   /etc/localtime         r
   /var/spool/postfix      rwcd
   -CAP_ALL
   +CAP_SETGID
   +CAP_SETUID
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   178.218.164.164/32 ip dgram stream tcp udp
   sock_allow_family all
}

I can't tell myself, nor less advanced users, whether this addition now works completely correctly, because of the breakage that occurred for some reason (suspect cited above) in the system.

What I have to do now (and what I keep recommending to newbies, because it is the only way to go for non-advanced users fighting for freedom and privacy who have experienced intrusion of some kind (many have, but few recognize it, and fewer yet admit it)) is the air-gapped way:

Air-Gapped Gentoo Install, Tentative
https://forums.gentoo.org/viewtopic-t-987268.html

or, as I explained in my:

Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
https://forums.gentoo.org/viewtopic-t-999436.html

I now have to clean the system the only way I know. Probably first revert to old, still non-breakage inducing syslog-ng version, and then reclone this online only system of mine from the air-gapped same hardware SOHO-only system.

Cheers! Do what you can to improve, and not damage the world like some programs do.

(Allow for corrections at a not at all immediate time, please; restoring from a broken system --albeit probably just superficially broken-- is never quick.)

Re: A denied seteuid issue with Postfix (Role: root)

PostPosted: Mon Jul 13, 2015 1:11 pm
by timbgo
I think only now do I have the policy for postfix right. And it's not the one last posted three days ago.

Here's the ample log, which I'll try to cut as much as I can, while keeping it complete in all the more important, and some merely more interesting, details (a very hard task).

Code:
Jul 13 14:26:55 g0n kernel: [413957.821554] grsec: chdir to /var/spool/postfix by /usr/libexec/postfix/cleanup[cleanup:19411] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21707] uid/euid:0/0 gid/egid:0/0

I'm at the old:
# emerge -s syslog-ng
...
* app-admin/syslog-ng
Latest version installed: 3.4.8
#
and logs just work. As you can see, no fishy behavior is breaking my grsec exec_logging nor audit_chdir logging (the above).

Code:
Jul 13 14:26:55 g0n postfix/cleanup[19411]: open incoming/281CF380FC9

That is the message to be sent. I had finished writing it in mutt, and sent it from mutt. As you will see, it will go smoothly. But with the last posted RBAC policy it wouldn't (I like keeping my readers in suspense :-). You'll learn at the end. I guess very few people would know now what is missing in the current policy).
Code:
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N Date: Mon, 13 Jul 2015 14:26:55 +0200
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N From: [email protected]
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N To: [email protected]
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N Subject: Gentoo live ebuild, WAS: Github..cookies
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N Message-ID: <20150713122654.GA19317@g0n>
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N References: <[email protected]>

See the subject line, the Message-ID and the References? It's this message:

Subject: Gentoo live ebuild, WAS: Github..cookies
http://lists.dillo.org/pipermail/dillo- ... 10600.html

Leaving just a few lines so the kind reader can see.
Code:
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N MIME-Version: 1.0
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N Content-Type: multipart/signed; micalg=pgp-sha512;
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N ?protocol="application/pgp-signature"; boundary="pWyiEgJYm5f9v55/"
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N Content-Disposition: inline
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N In-Reply-To: <[email protected]>
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N User-Agent: Mutt/1.5.23 (2014-03-12)
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N --pWyiEgJYm5f9v55/
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N Content-Type: text/plain; charset=us-ascii
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N Content-Disposition: inline
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N Content-Transfer-Encoding: quoted-printable
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N On Wed, Jul 08, 2015 at 10:34:24AM -0400, Walter Dnes wrote:
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N >=20
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N > > And on Gentoo, it's the local overlay way for me to go. Studying to be
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N > > able to accomplish that.
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N >=20
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N >   I'm also a Gentoo user; not even a C programmer, let alone a
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N > developer.  I'd be interested in your ebuild.
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N A Tentative at dillo-3.1-dev ebuild
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N https://forums.gentoo.org/viewtopic-t-1021878.html
Jul 13 14:26:55 g0n postfix/pickup[5312]: 281CF380FC9: read N

You can see the address of my new topic on Gentoo just above (as you can see it in the dillo mailing-list archive message).

A few more lines of postfix logging, and then what I like to see and always have on (it is cumbersome sometimes, such as with those Dillo cookies.dpi 1000s-per-minute lines; see my other topic on Grsecurity Forums:

Deploy RBAC on Dillo browser
viewtopic.php?f=5&t=4228

but such flooding is not usual; it happens only when some program misbehaves.)

See the grsec: exec line below, telling me that the command trivial-rewrite ran as uid/euid:0/0 gid/egid:0/0, which stands for (effective) user root and (effective) group root?

And, in this log (even if I were to post it in its entirety, which is:

-rw-r--r-- 1 root root 131703 2015-07-13 14:30 messages_150713_1430_g0n

as I pasted it over from /var/log/messages, not reduced to just the important/interesting info), you wouldn't find any:

grsec: (admin:S:/) exec of /usr/libexec/postfix/<and here tlsmgr or any other>

lines, of which you can see quite a few, and not all in places where they were really needed and due, if you look in the previous posts of this topic:
Code:
Jul 13 14:26:55 g0n postfix/cleanup[19411]: initial envelope S [email protected]
Jul 13 14:26:55 g0n postfix/cleanup[19411]: connect to subsystem private/rewrite
Jul 13 14:26:55 g0n postfix/cleanup[19411]: send attr request = rewrite
Jul 13 14:26:55 g0n postfix/cleanup[19411]: send attr rule = local
Jul 13 14:26:55 g0n postfix/cleanup[19411]: send attr address = [email protected]
Jul 13 14:26:55 g0n kernel: [413957.830626] grsec: exec of /usr/libexec/postfix/trivial-rewrite (trivial-rewrite -n rewrite -t unix -u -v ) by /usr/libexec/postfix/trivial-rewrite[master:19414] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21707] uid/euid:0/0 gid/egid:0/0
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: name_mask: ipv4
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: name_mask: host
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: inet_addr_local: configured 3 IPv4 addresses
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: mynetworks_core: 127.0.0.1/32

This line above is important to me to leave in and point to, because, while I know it reduces the service which is bound to that address to local only, so excluding anything remote, I'm still not completely at home with it. I have lines that contain 127.0.0.1, be they bind (for sockets) or connect (for remotes) lines, all having that /32 mask. I guess I'm doing right, because this is a lone online-only host, that communicates with the rest of my SOHO in no way at all other than strictly controlled air-gapped ways (see/search in my most read Gentoo topics for that).

Lots of lines I cut out here.
Code:
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: input attribute value: [email protected]
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: rewrite socket: wanted attribute: (list terminator)
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: input attribute name: (end)
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: `local' `[email protected]' -> `[email protected]'
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: send attr flags = 0
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: send attr address = [email protected]

and a few lines cut out here.
Code:
Jul 13 14:26:55 g0n postfix/cleanup[19411]: rewrite_clnt: local: [email protected] -> [email protected]
Jul 13 14:26:55 g0n postfix/cleanup[19411]: cleanup_header_callback: 'Subject: Gentoo live ebuild, WAS: Github..cookies'
Jul 13 14:26:55 g0n postfix/cleanup[19411]: cleanup_header_callback: 'Message-ID: <20150713122654.GA19317@g0n>'
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: master_notify: status 1
Jul 13 14:26:55 g0n postfix/cleanup[19411]: 281CF380FC9: message-id=<20150713122654.GA19317@g0n>
Jul 13 14:26:55 g0n postfix/cleanup[19411]: cleanup_header_callback: 'References: <[email protected]>'
Jul 13 14:26:55 g0n postfix/cleanup[19411]: cleanup_header_callback: 'MIME-Version: 1.0'
Jul 13 14:26:55 g0n postfix/cleanup[19411]: header_token: multipart / signed
Jul 13 14:26:55 g0n postfix/cleanup[19411]: header_token: micalg = pgp-sha512
Jul 13 14:26:55 g0n postfix/cleanup[19411]: header_token: protocol = application/pgp-signature
Jul 13 14:26:55 g0n postfix/cleanup[19411]: header_token: boundary = pWyiEgJYm5f9v55/
Jul 13 14:26:55 g0n postfix/cleanup[19411]: PUSH boundary pWyiEgJYm5f9v55/
Jul 13 14:26:55 g0n postfix/cleanup[19411]: cleanup_header_callback: 'Content-Type: multipart/signed; micalg=pgp-sha512;??protocol="application/pgp-signature"; boundary="pWyiEgJYm5f9v55/"'
Jul 13 14:26:55 g0n postfix/cleanup[19411]: cleanup_header_callback: 'Content-Disposition: inline'
Jul 13 14:26:55 g0n postfix/cleanup[19411]: cleanup_header_callback: 'In-Reply-To: <[email protected]>'
Jul 13 14:26:55 g0n postfix/cleanup[19411]: cleanup_header_callback: 'User-Agent: Mutt/1.5.23 (2014-03-12)'

90 lines cut out. See the exec of ... smtp line below, and then the 'initializing the client-side TLS engine'.
Code:
Jul 13 14:26:55 g0n postfix/qmgr[21709]: resolve_clnt: `[email protected]' -> `[email protected]' -> transp=`smtp' host=`[mail.t-com.hr]' rcpt=`[email protected]' flags= class=default
Jul 13 14:26:55 g0n postfix/qmgr[21709]: start sorted recipient list
Jul 13 14:26:55 g0n postfix/qmgr[21709]: qmgr_message_sort: [email protected]
Jul 13 14:26:55 g0n postfix/qmgr[21709]: end sorted recipient list
Jul 13 14:26:55 g0n postfix/qmgr[21709]: mail_flow_put: 1 1
Jul 13 14:26:55 g0n postfix/qmgr[21709]: qmgr_transport_select: smtp
Jul 13 14:26:55 g0n postfix/qmgr[21709]: qmgr_active_drain: allocate smtp
Jul 13 14:26:55 g0n postfix/qmgr[21709]: connect to subsystem private/smtp
Jul 13 14:26:55 g0n postfix/qmgr[21709]: done incoming queue scan
Jul 13 14:26:55 g0n postfix/trivial-rewrite[19414]: master_notify: status 1
Jul 13 14:26:55 g0n kernel: [413957.878629] grsec: exec of /usr/libexec/postfix/smtp (smtp -t unix -u ) by /usr/libexec/postfix/smtp[master:19415] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21707] uid/euid:0/0 gid/egid:0/0
Jul 13 14:26:55 g0n kernel: [413957.907241] grsec: chdir to /var/spool/postfix by /usr/libexec/postfix/smtp[smtp:19415] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21707] uid/euid:0/0 gid/egid:0/0
Jul 13 14:26:55 g0n postfix/smtp[19415]: initializing the client-side TLS engine
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: connection established fd 128
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: master_notify: status 0

50 lines cut out. The talk with the Croatian T-com begins.
Code:
Jul 13 14:26:55 g0n postfix/qmgr[21709]: send attr sasl_username =
Jul 13 14:26:55 g0n postfix/qmgr[21709]: send attr sasl_sender =
Jul 13 14:26:55 g0n postfix/qmgr[21709]: send attr log_ident =
Jul 13 14:26:55 g0n postfix/qmgr[21709]: send attr rewrite_context = local
Jul 13 14:26:55 g0n postfix/qmgr[21709]: send attr recipient_count = 1
Jul 13 14:26:55 g0n postfix/qmgr[21709]: send attr original_recipient = [email protected]
Jul 13 14:26:55 g0n postfix/qmgr[21709]: send attr recipient = [email protected]
Jul 13 14:26:55 g0n postfix/qmgr[21709]: send attr offset = 254
Jul 13 14:26:55 g0n postfix/qmgr[21709]: send attr dsn_orig_rcpt = rfc822;[email protected]
Jul 13 14:26:55 g0n postfix/qmgr[21709]: send attr notify_flags = 0
Jul 13 14:26:55 g0n postfix/qmgr[21709]: qmgr_deliver: site `[mail.t-com.hr]'
Jul 13 14:26:55 g0n postfix/smtp[19415]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 220 ls265.t-com.hr ESMTP Rock and Roll
Jul 13 14:26:55 g0n postfix/smtp[19415]: > mail.t-com.hr[195.29.150.2]:25: EHLO g0n.localdomain
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-ls265.t-com.hr
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-PIPELINING
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-SIZE 15728640
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-ETRN
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-STARTTLS
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-ENHANCEDSTATUSCODES
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250 8BITMIME
Jul 13 14:26:55 g0n postfix/smtp[19415]: server features: 0x101f size 15728640
Jul 13 14:26:55 g0n postfix/smtp[19415]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
Jul 13 14:26:55 g0n postfix/smtp[19415]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 13 14:26:55 g0n postfix/smtp[19415]: > mail.t-com.hr[195.29.150.2]:25: STARTTLS
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 220 2.0.0 Ready to start TLS
Jul 13 14:26:55 g0n postfix/smtp[19415]: setting up TLS connection to mail.t-com.hr[195.29.150.2]:25
Jul 13 14:26:55 g0n postfix/smtp[19415]: mail.t-com.hr[195.29.150.2]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jul 13 14:26:55 g0n postfix/smtp[19415]: looking for session smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.2&&0814CAA147FAE482C0A834ECDC9AC4250F6C3AB1B8595FC8500B0E1B2FA0CEC7 in smtp cache

40 lines cut out.
Code:
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: master_notify: status 1
Jul 13 14:26:55 g0n postfix/smtp[19415]: private/tlsmgr: wanted attribute: status
Jul 13 14:26:55 g0n postfix/smtp[19415]: input attribute name: status
Jul 13 14:26:55 g0n postfix/smtp[19415]: input attribute value: 0
Jul 13 14:26:55 g0n postfix/smtp[19415]: private/tlsmgr: wanted attribute: seed
Jul 13 14:26:55 g0n postfix/smtp[19415]: input attribute name: seed
Jul 13 14:26:55 g0n postfix/smtp[19415]: input attribute value: gBAl0iAJwETDxNdDRFoPlIj5vikgWvNADhV6fzR2fUo=
Jul 13 14:26:55 g0n postfix/smtp[19415]: private/tlsmgr: wanted attribute: (list terminator)
Jul 13 14:26:55 g0n postfix/smtp[19415]: input attribute name: (end)
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:before/connect initialization
Jul 13 14:26:55 g0n postfix/smtp[19415]: write to 8BD674E50 [8BD680320] (517 bytes => 517 (0x205))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 16 03 01 02 00 01 00 01|fc 03 03 b8 14 a7 90 7d  ........ .......}

Some 20 lines of mumbo-jumbo cut out. See the obsolete SSLv2/v3, IIUC?
Code:
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0150 01 05 02 05 03 04 01 04|02 04 03 03 01 03 02 03  ........ ........
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0160 03 02 01 02 02 02 03 00|0f 00 01 01 00 15 00 95  ........ ........
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0170 - <SPACES/NULLS>
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:SSLv2/v3 write client hello A
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685880] (7 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685880] (7 bytes => 7 (0x7))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 16 03 01 00 51 02                                ....Q.
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0006 - <SPACES/NULLS>
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD68588A] (79 bytes => 79 (0x4F))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 00 4d 03 01 55 a3 ae 64|0d fa 32 23 e5 e2 10 32  .M..U..d ..2#...2
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0010 cf f7 4d 14 7e 39 e9 ee|ce 7f 16 d3 d9 5b 8e 04  ..M.~9.. .....[..
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0020 d0 e1 fa 55 20 0f 43 9d|65 bc d5 4a 38 13 24 85  ...U .C. e..J8.$.
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0030 b2 8a 92 27 ec a7 fe 9f|ec d5 54 6d c9 6f 7e 9f  ...'.... ..Tm.o~.
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0040 72 60 75 c5 89 00 39 00|00 05 ff 01 00 01        r`u...9. ......
Jul 13 14:26:55 g0n postfix/smtp[19415]: 004e - <SPACES/NULLS>
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:SSLv3 read server hello A
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685883] (5 bytes => 5 (0x5))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 16 03 01 10 93                                   .....
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685888] (4243 bytes => 4243 (0x1093))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 0b 00 10 8f 00 10 8c 00|04 79 30 82 04 75 30 82  ........ .y0..u0.
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0010 03 5d a0 03 02 01 02 02|10 63 f4 44 19 e5 75 ad  .]...... .c.D..u.

250 lines of mumbo-jumbo cut out (containing the Thawte certs shown in one of the previous posts).
Code:
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0fc0 da 11 4a 6e 08 9f 2f 2d|e3 f9 aa 3a 86 73 b6 46  ..Jn../- ...:.s.F
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0fd0 53 58 c8 89 05 bd 83 11|b8 73 3f aa 07 8d f4 42  SX...... .s?....B
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0fe0 4d e7 40 9d 1c 37 02 03|01 00 01 a3 13 30 11 30  M.@..7.. .....0.0
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0ff0 0f 06 03 55 1d 13 01 01|ff 04 05 30 03 01 01 ff  ...U.... ...0....
Jul 13 14:26:55 g0n postfix/smtp[19415]: 1000 30 0d 06 09 2a 86 48 86|f7 0d 01 01 04 05 00 03  0...*.H. ........
Jul 13 14:26:55 g0n postfix/smtp[19415]: 1010 81 81 00 26 48 2c 16 c2|58 fa e8 16 74 0c aa aa  ...&H,.. X...t...
Jul 13 14:26:55 g0n postfix/smtp[19415]: 1020 5f 54 3f f2 d7 c9 78 60|5e 5e 6e 37 63 22 77 36  _T?...x` ^^n7c"w6
Jul 13 14:26:55 g0n postfix/smtp[19415]: 1030 7e b2 17 c4 34 b9 f5 08|85 fc c9 01 38 ff 4d be  ~...4... ....8.M.
Jul 13 14:26:55 g0n postfix/smtp[19415]: 1040 f2 16 42 43 e7 bb 5a 46|fb c1 c6 11 1f f1 4a b0  ..BC..ZF ......J.
Jul 13 14:26:55 g0n postfix/smtp[19415]: 1050 28 46 c9 c3 c4 42 7d bc|fa ab 59 6e d5 b7 51 88  (F...B}. ..Yn..Q.
Jul 13 14:26:55 g0n postfix/smtp[19415]: 1060 11 e3 a4 85 19 6b 82 4c|a4 0c 12 ad e9 a4 ae 3f  .....k.L .......?
Jul 13 14:26:55 g0n postfix/smtp[19415]: 1070 f1 c3 49 65 9a 8c c5 c8|3e 25 b7 94 99 bb 92 32  ..Ie.... >%.....2
Jul 13 14:26:55 g0n postfix/smtp[19415]: 1080 71 07 f0 86 5e ed 50 27|a6 0d a6 23 f9 bb cb a6  q...^.P' ...#....
Jul 13 14:26:55 g0n postfix/smtp[19415]: 1090 07 14 42                                         ..B
Jul 13 14:26:55 g0n postfix/smtp[19415]: mail.t-com.hr[195.29.150.2]:25: depth=3 verify=0 subject=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]

Just three lines cut out.
Code:
Jul 13 14:26:55 g0n postfix/smtp[19415]: mail.t-com.hr[195.29.150.2]:25: depth=0 verify=1 subject=/CN=mail.t-com.hr
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:SSLv3 read server certificate A
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685883] (5 bytes => 5 (0x5))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 16 03 01 02 0d                                   .....
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685888] (525 bytes => 525 (0x20D))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 0c 00 02 09 00 80 b0 fe|b4 cf d4 55 07 e7 cc 88  ........ ...U....
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0010 59 0d 17 26 c5 0c a5 4a|92 23 81 78 da 88 aa 4c  Y..&...J .#.x...L

30 lines cut out. And no more cutting up to the "carrier lost" line, the last one of interest here.
Code:
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0200 b5 6e be 4c 67 96 14 05|83 28 3a 1c 2c           .n.Lg... .(:.,
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:SSLv3 read server key exchange A
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685883] (5 bytes => 5 (0x5))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 16 03 01 00 04                                   .....
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685888] (4 bytes => 4 (0x4))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 0e                                               .
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0001 - <SPACES/NULLS>
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:SSLv3 read server done A
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:SSLv3 write client key exchange A
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:SSLv3 write change cipher spec A
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:SSLv3 write finished A
Jul 13 14:26:55 g0n postfix/smtp[19415]: write to 8BD674E50 [8BD6937C0] (198 bytes => 198 (0xC6))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 16 03 01 00 86 10 00 00|82 00 80 8e 9c 9f e1 c4  ........ ........
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0010 17 04 e6 72 e0 d6 47 8a|f6 79 14 fc cf 72 60 e8  ...r..G. .y...r`.
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0020 0c 58 5c 79 0f 97 4d 4e|5c 64 2d 7d 89 8d 64 58  .X\y..MN \d-}..dX
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0030 d6 39 37 88 90 3d f8 70|e1 08 f5 e0 55 e8 02 3f  .97..=.p ....U..?
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0040 48 74 2d dc d7 93 2b 22|88 11 46 50 ba 17 c6 44  Ht-...+" ..FP...D
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0050 a1 63 d5 f3 d1 a1 35 28|8e ea 51 d2 96 45 d6 41  .c....5( ..Q..E.A
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0060 58 de 89 5b bb 93 a1 68|76 d4 45 58 f2 55 bb 42  X..[...h v.EX.U.B
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0070 ee 82 a4 cc 97 e8 aa 06|3e 89 14 71 da 47 ab cb  ........ >..q.G..
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0080 ff 70 4e 1e 3d 84 9a f1|d6 4d 59 14 03 01 00 01  .pN.=... .MY.....
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0090 01 16 03 01 00 30 51 67|5b 5a cd f7 ef 87 16 c9  .....0Qg [Z......
Jul 13 14:26:55 g0n postfix/smtp[19415]: 00a0 e7 aa c5 af 21 5c 49 81|61 46 f1 b5 f5 e7 46 a8  ....!\I. aF....F.
Jul 13 14:26:55 g0n postfix/smtp[19415]: 00b0 b7 28 df d3 84 cb 4e 81|f4 e2 da 8c 04 04 7e a7  .(....N. ......~.
Jul 13 14:26:55 g0n postfix/smtp[19415]: 00c0 0b bc b2 1a 78 f9                                ....x.
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:SSLv3 flush data
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685883] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685883] (5 bytes => 5 (0x5))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 14 03 01 00 01                                   .....
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685888] (1 bytes => 1 (0x1))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 01                                               .
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685883] (5 bytes => 5 (0x5))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 16 03 01 00 30                                   ....0
Jul 13 14:26:55 g0n postfix/smtp[19415]: read from 8BD674E50 [8BD685888] (48 bytes => 48 (0x30))
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0000 6f f4 63 9e a1 e2 d6 65|c2 bc 4e 75 ad 9e 31 4f  o.c....e ..Nu..1O
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0010 d0 30 51 c3 df 42 eb 6c|75 bd 0f d7 75 e2 a8 52  .0Q..B.l u...u..R
Jul 13 14:26:55 g0n postfix/smtp[19415]: 0020 4f e8 9c 92 be f1 87 48|ca 00 ca 44 bc af 51 6e  O......H ...D..Qn
Jul 13 14:26:55 g0n postfix/smtp[19415]: SSL_connect:SSLv3 read finished A
Jul 13 14:26:55 g0n postfix/smtp[19415]: save session smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.2&&0814CAA147FAE482C0A834ECDC9AC4250F6C3AB1B8595FC8500B0E1B2FA0CEC7 to smtp cache
Jul 13 14:26:55 g0n postfix/smtp[19415]: send attr request = update
Jul 13 14:26:55 g0n postfix/smtp[19415]: send attr cache_type = smtp
Jul 13 14:26:55 g0n postfix/smtp[19415]: send attr cache_id = smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.2&&0814CAA147FAE482C0A834ECDC9AC4250F6C3AB1B8595FC8500B0E1B2FA0CEC7
Jul 13 14:26:55 g0n postfix/smtp[19415]: send attr session = [data 1271 bytes]
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: master_notify: status 0
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: tlsmgr socket: wanted attribute: request
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: input attribute name: request
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: input attribute value: update
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: tlsmgr socket: wanted attribute: cache_type
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: input attribute name: cache_type
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: input attribute value: smtp
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: tlsmgr socket: wanted attribute: cache_id
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: input attribute name: cache_id
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: input attribute value: smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.2&&0814CAA147FAE482C0A834ECDC9AC4250F6C3AB1B8595FC8500B0E1B2FA0CEC7
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: tlsmgr socket: wanted attribute: session
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: input attribute name: session
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: input attribute value: [base64 session blob elided]
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: tlsmgr socket: wanted attribute: (list terminator)
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: input attribute name: (end)
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: put smtp session id=smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.2&&0814CAA147FAE482C0A834ECDC9AC4250F6C3AB1B8595FC8500B0E1B2FA0CEC7 [data 1271 bytes]
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: write smtp TLS cache entry smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.2&&0814CAA147FAE482C0A834ECDC9AC4250F6C3AB1B8595FC8500B0E1B2FA0CEC7: time=1436790415 [data 1271 bytes]
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: send attr status = 0
Jul 13 14:26:55 g0n postfix/tlsmgr[21715]: master_notify: status 1
Jul 13 14:26:55 g0n postfix/smtp[19415]: private/tlsmgr: wanted attribute: status
Jul 13 14:26:55 g0n postfix/smtp[19415]: input attribute name: status
Jul 13 14:26:55 g0n postfix/smtp[19415]: input attribute value: 0
Jul 13 14:26:55 g0n postfix/smtp[19415]: private/tlsmgr: wanted attribute: (list terminator)
Jul 13 14:26:55 g0n postfix/smtp[19415]: input attribute name: (end)
Jul 13 14:26:55 g0n postfix/smtp[19415]: mail.t-com.hr[195.29.150.2]:25: subject_CN=mail.t-com.hr, issuer_CN=Thawte DV SSL CA, fingerprint=57:11:8D:AB:B9:B1:47:66:F5:30:72:87:C8:DC:AD:9A, pkey_fingerprint=54:2F:63:8B:8E:F8:D2:48:3A:EF:73:11:49:78:02:A0
Jul 13 14:26:55 g0n postfix/smtp[19415]: Untrusted TLS connection established to mail.t-com.hr[195.29.150.2]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 13 14:26:55 g0n postfix/smtp[19415]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 13 14:26:55 g0n postfix/smtp[19415]: > mail.t-com.hr[195.29.150.2]:25: EHLO g0n.localdomain
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-ls265.t-com.hr
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-PIPELINING
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-SIZE 15728640
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-ETRN
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250-ENHANCEDSTATUSCODES
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250 8BITMIME
Jul 13 14:26:55 g0n postfix/smtp[19415]: server features: 0x100f size 15728640
Jul 13 14:26:55 g0n postfix/smtp[19415]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
Jul 13 14:26:55 g0n postfix/smtp[19415]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 13 14:26:55 g0n postfix/smtp[19415]: > mail.t-com.hr[195.29.150.2]:25: MAIL FROM:<[email protected]> SIZE=2377
Jul 13 14:26:55 g0n postfix/smtp[19415]: > mail.t-com.hr[195.29.150.2]:25: RCPT TO:<[email protected]>
Jul 13 14:26:55 g0n postfix/smtp[19415]: > mail.t-com.hr[195.29.150.2]:25: DATA
Jul 13 14:26:55 g0n postfix/smtp[19415]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250 2.1.0 Ok
Jul 13 14:26:55 g0n postfix/smtp[19415]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250 2.1.5 Ok
Jul 13 14:26:55 g0n postfix/smtp[19415]: smtp_stream_setup: maxtime=120 enable_deadline=0
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 354 End data with <CR><LF>.<CR><LF>
Jul 13 14:26:55 g0n postfix/smtp[19415]: smtp_stream_setup: maxtime=180 enable_deadline=0
Jul 13 14:26:55 g0n postfix/smtp[19415]: > mail.t-com.hr[195.29.150.2]:25: .
Jul 13 14:26:55 g0n postfix/smtp[19415]: > mail.t-com.hr[195.29.150.2]:25: QUIT
Jul 13 14:26:55 g0n postfix/smtp[19415]: smtp_stream_setup: maxtime=600 enable_deadline=0
Jul 13 14:26:55 g0n postfix/smtp[19415]: < mail.t-com.hr[195.29.150.2]:25: 250 2.0.0 Ok: queued as 2252B20B0226
Jul 13 14:26:55 g0n postfix/smtp[19415]: 281CF380FC9: to=<[email protected]>, relay=mail.t-com.hr[195.29.150.2]:25, delay=0.62, delays=0.09/0.04/0.3/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 2252B20B0226)
Jul 13 14:26:55 g0n postfix/smtp[19415]: name_mask: resource
Jul 13 14:26:55 g0n postfix/smtp[19415]: name_mask: software
Jul 13 14:26:55 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: status
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute name: status
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 13 14:26:55 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: diag_type
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute name: diag_type
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 13 14:26:55 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: diag_text
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute name: diag_text
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 13 14:26:55 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: mta_type
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute name: mta_type
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 13 14:26:55 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: mta_mname
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute name: mta_mname
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 13 14:26:55 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: action
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute name: action
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 13 14:26:55 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: reason
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute name: reason
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 13 14:26:55 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: status
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute name: status
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute value: 0
Jul 13 14:26:55 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: (list terminator)
Jul 13 14:26:55 g0n postfix/qmgr[21709]: input attribute name: (end)
Jul 13 14:26:55 g0n postfix/qmgr[21709]: qmgr_queue_unthrottle: queue [mail.t-com.hr]
Jul 13 14:26:55 g0n postfix/qmgr[21709]: qmgr_active_done: 281CF380FC9
Jul 13 14:26:55 g0n postfix/qmgr[21709]: 281CF380FC9: removed
Jul 13 14:26:55 g0n postfix/qmgr[21709]: qmgr_job_free: 281CF380FC9 smtp
Jul 13 14:26:58 g0n kernel: [413961.290874] 8139too 0000:04:06.0 eth1: link down
Jul 13 14:26:58 g0n dhcpcd[31589]: eth1: carrier lost

The only places where I cut out from the actual log are those where I explicitly wrote that I did so.

But for this topic to be complete, I need to post not just my current RBAC policy for postfix, but also the old log whose examination led me to the current working policy for postfix.

In the next post.

Re: A denied seteuid issue with Postfix (Role: root)

PostPosted: Mon Jul 13, 2015 1:18 pm
by timbgo
This message actually contains one particular line that was of great importance for setting my RBAC policy for postfix right.

Kind reader, try and figure out that line (even in this shortened log, with lines cut out only where I write so), before you go and read the next post, where I'll try and explain which line it is and what I needed to change.
[code]
Jul 12 08:44:45 g0n postfix/cleanup[21526]: open incoming/6CFB6380BE9
Jul 12 08:44:45 g0n postfix/cleanup[21526]: cleanup_open: open incoming/6CFB6380BE9
Jul 12 08:44:45 g0n kernel: [306968.424540] grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/cleanup[cleanup:21526] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
[/code]

14 lines cut out
[code]
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N Date: Sun, 12 Jul 2015 08:44:45 +0200
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N From: [email protected]
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N To: [email protected]
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N Subject: Re: [Dillo-dev] Fonts not found issue persists in 3.0.5
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N Message-ID: <20150712064445.GA17278@g0n>
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N References: <20150707072918.GB4340@g0n>
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N  <20150709201910.GA21286@g0n>
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N  <[email protected]>
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N MIME-Version: 1.0
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N Content-Type: multipart/signed; micalg=pgp-sha512;
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N ?protocol="application/pgp-signature"; boundary="tKW2IUtsqtDRztdT"
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N Content-Disposition: inline
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N In-Reply-To: <[email protected]>
[/code]

This is my email in reply to Jorge Arellano Cid, the principal developer of Dillo and the one who created it, as you can see.
[code]
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N On Sat, Jul 11, 2015 at 05:29:20PM -0300, Jorge Arellano Cid wrote:
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > On Thu, Jul 09, 2015 at 10:19:11PM +0200, [email protected] wrote:
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > See this issue below?
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > >=20
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > On Tue, Jul 07, 2015 at 09:29:18AM +0200, [email protected] wrot=
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N e:
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > > I got the new Dillo version 3.0.5 (in the master air-gapped box, whic=
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N h I
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > > yet have to clone onto this, for online, same hardware box), as it is
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > > available in gentoo:
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > >=20
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > > https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/d=
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N illo/
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > >=20
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > > but my problem with fonts (the FAQ issue
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > > http://www.dillo.org/FAQ.html#q27), to which eocene has kindly given =
[/code]

6 lines cut.
[code]
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > And we thought:
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > > For people reading this message offline, I'll paste his advice, since=
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N  it is
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > > also important:
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > >=20
[/code]

8 lines cut.
[code]
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > But we were wrong! And it was only something an unimaginative person
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > like me can be capable of not figuring out despite urgent need and
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > sincere desire because of that urgent need (my eyes have been hurting
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > from the fixed not-much-more-than ASCII font that was all I've seen in,
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > what?, a few months?
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > >=20
[/code]

8 lines cut.
[code]
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > But I think I am going to file a bug on Gentoo Bugzilla about this!
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > (But if anybody can tell a reason that justifies the xft use flag not
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > being the default, pls. do tell me... in which case my filing the bug
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > > would not make sense; I don't see such reason though.)
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N >=20
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N >   I neither see a reason for this...
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N >=20
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N > --=20
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N >   Cheers
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N >   Jorge.-
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N Thanx, boss!
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N I think I found what was missing in the Gentoo ebuild, and I may have
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N reported correctly on the Bugzilla:
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N Dillo ebuild is missing xft flag for fltk, causes eye-sore
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N https://bugs.gentoo.org/show_bug.cgi?id=3D554588
[/code]

20 lines cut.
[code]
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N code (slowly making progress there too), so only then I'll know if the
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N issue has been fixed in it...
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N Just, in case anyone could see any reasons for the thousands per minute
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N cookies.dpi lines as described in my Grsecurity Forums Dillo topic:
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N Deploy RBAC on Dillo browser
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N https://forums.grsecurity.net/viewtopic.php?f=3D5&t=3D4228
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N where my current policy for Dillo is at:
Jul 12 08:44:45 g0n postfix/pickup[17335]: 6CFB6380BE9: read N https://forums.grsecurity.net/viewtopic.php?f=3D5&t=3D4228#p15372
[/code]

Surely I cannot cut out the reference on Dillo-dev to this forum and the RBAC policy on Dillo, can I?

But you can read the message and its stories in its links on:

Fonts not found issue persists in 3.0.5
http://lists.dillo.org/pipermail/dillo- ... 10599.html
130 lines cut.
[code]
Jul 12 08:44:45 g0n postfix/cleanup[21526]: been_here: rfc822;[email protected][email protected][email protected]: 0
Jul 12 08:44:45 g0n postfix/cleanup[21526]: initial envelope M
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: master_notify: status 1
Jul 12 08:44:45 g0n postfix/cleanup[21526]: cleanup_header_callback: 'Received: by g0n.localdomain (Postfix, from userid 1000)??id 6CFB6380BE9; Sun, 12 Jul 2015 08:44:45 +0200 (CEST)'
[/code]
100 lines cut.
[code]
Jul 12 08:44:45 g0n postfix/qmgr[21777]: qmgr_scan_start: start incoming queue scan
Jul 12 08:44:45 g0n postfix/pickup[17335]: master_notify: status 1
Jul 12 08:44:45 g0n postfix/qmgr[21777]: master_notify: status 1
Jul 12 08:44:45 g0n postfix/cleanup[21526]: master_notify: status 1
Jul 12 08:44:45 g0n postfix/cleanup[21526]: connection closed
Jul 12 08:44:45 g0n postfix/qmgr[21777]: qmgr_active_feed: queue incoming
Jul 12 08:44:45 g0n postfix/qmgr[21777]: qmgr_active_feed: incoming/6CFB6380BE9
Jul 12 08:44:45 g0n postfix/qmgr[21777]: qmgr_message_alloc: active 6CFB6380BE9
Jul 12 08:44:45 g0n postfix/qmgr[21777]: 6CFB6380BE9: recipient limit 5000
Jul 12 08:44:45 g0n postfix/qmgr[21777]: 6CFB6380BE9: from=<[email protected]>, size=5644, nrcpt=1 (queue active)
[/code]
Risking readers' wrath, I'll leave it all uncut here, because I don't get the reason why the message was not sent.
[code]
Jul 12 08:44:45 g0n postfix/qmgr[21777]: start sorted recipient list
Jul 12 08:44:45 g0n postfix/qmgr[21777]: qmgr_message_sort: [email protected]
Jul 12 08:44:45 g0n postfix/qmgr[21777]: end sorted recipient list
Jul 12 08:44:45 g0n postfix/qmgr[21777]: connect to subsystem private/rewrite
Jul 12 08:44:45 g0n postfix/qmgr[21777]: send attr request = resolve
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: connection established fd 129
Jul 12 08:44:45 g0n postfix/qmgr[21777]: send attr sender = [email protected]
Jul 12 08:44:45 g0n postfix/qmgr[21777]: send attr address = [email protected]
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: master_notify: status 0
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: rewrite socket: wanted attribute: request
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: input attribute name: request
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: input attribute value: resolve
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: rewrite socket: wanted attribute: sender
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: input attribute name: sender
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: input attribute value: [email protected]
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: rewrite socket: wanted attribute: address
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: input attribute name: address
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: input attribute value: [email protected]
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: rewrite socket: wanted attribute: (list terminator)
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: input attribute name: (end)
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: match_string: mydestination: dillo.org ~? 127.0.0.1
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: match_string: mydestination: dillo.org ~? g0n.localdomain
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: match_string: mydestination: dillo.org ~? localhost.localdomain
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: match_string: mydestination: dillo.org ~? localdomain.localdomain
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: match_string: mydestination: dillo.org ~? localhost
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: match_string: mydestination: dillo.org ~? localdomain
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: match_list_match: dillo.org: no match
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: maps_find: sender_dependent_relayhost_maps: hash:/etc/postfix/sender_relay(0,lock|no_regsub|fold_fix|utf8_request): [email protected] = [mail.t-com.hr]
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: mail_addr_find: [email protected] -> [mail.t-com.hr]
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: maps_find: transport_maps: [email protected]: not found
[/code]
Notice the line above.
[code]
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: maps_find: transport_maps: dillo.org: not found
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: maps_find: transport_maps: .org: not found
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: `[email protected]' -> `[email protected]' -> (`smtp' `[mail.t-com.hr]' `[email protected]' `4096')
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: send attr flags = 0
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: send attr transport = smtp
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: send attr nexthop = [mail.t-com.hr]
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: send attr recipient = [email protected]
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: send attr flags = 4096
Jul 12 08:44:45 g0n postfix/qmgr[21777]: private/rewrite socket: wanted attribute: flags
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute name: flags
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute value: 0
Jul 12 08:44:45 g0n postfix/qmgr[21777]: private/rewrite socket: wanted attribute: transport
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute name: transport
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute value: smtp
Jul 12 08:44:45 g0n postfix/qmgr[21777]: private/rewrite socket: wanted attribute: nexthop
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute name: nexthop
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute value: [mail.t-com.hr]
Jul 12 08:44:45 g0n postfix/qmgr[21777]: private/rewrite socket: wanted attribute: recipient
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute name: recipient
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute value: [email protected]
Jul 12 08:44:45 g0n postfix/qmgr[21777]: private/rewrite socket: wanted attribute: flags
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute name: flags
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute value: 4096
Jul 12 08:44:45 g0n postfix/qmgr[21777]: private/rewrite socket: wanted attribute: (list terminator)
Jul 12 08:44:45 g0n postfix/qmgr[21777]: input attribute name: (end)
Jul 12 08:44:45 g0n postfix/qmgr[21777]: resolve_clnt: `[email protected]' -> `[email protected]' -> transp=`smtp' host=`[mail.t-com.hr]' rcpt=`[email protected]' flags= class=default
Jul 12 08:44:45 g0n postfix/qmgr[21777]: start sorted recipient list
Jul 12 08:44:45 g0n postfix/qmgr[21777]: qmgr_message_sort: [email protected]
Jul 12 08:44:45 g0n postfix/qmgr[21777]: end sorted recipient list
Jul 12 08:44:45 g0n postfix/qmgr[21777]: mail_flow_put: 1 1
Jul 12 08:44:45 g0n postfix/qmgr[21777]: qmgr_transport_select: smtp
Jul 12 08:44:45 g0n postfix/qmgr[21777]: qmgr_active_drain: allocate smtp
Jul 12 08:44:45 g0n postfix/qmgr[21777]: connect to subsystem private/smtp
Jul 12 08:44:45 g0n postfix/qmgr[21777]: done incoming queue scan
Jul 12 08:44:45 g0n postfix/trivial-rewrite[21527]: master_notify: status 1
Jul 12 08:44:45 g0n kernel: [306968.510589] grsec: (root:U:/usr/libexec/postfix) exec of /usr/libexec/postfix/smtp (smtp -t unix -u ) by /usr/libexec/postfix/smtp[master:21530] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
Jul 12 08:44:45 g0n kernel: [306968.544054] grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/smtp[smtp:21530] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
Jul 12 08:44:45 g0n postfix/smtp[21530]: initializing the client-side TLS engine
Jul 12 08:44:46 g0n postfix/pickup[17335]: trigger_server_accept_local: trigger arrived
Jul 12 08:44:46 g0n postfix/pickup[17335]: master_notify: status 0
Jul 12 08:44:46 g0n postfix/pickup[17335]: master_notify: status 1
[/code]
As you can see from the postfix logging, just above and below, the message was not sent.

Further above I pointed your attention to the "[email protected]: not found" (and there will be one more below), and this one and that one conclude it with "connection closed" and "rewrite stream disconnect".
[code]
Jul 12 08:44:50 g0n postfix/cleanup[21526]: rewrite stream disconnect
Jul 12 08:44:50 g0n postfix/trivial-rewrite[21527]: connection closed fd 128
Jul 12 08:44:50 g0n postfix/qmgr[21777]: rewrite stream disconnect
Jul 12 08:44:50 g0n postfix/trivial-rewrite[21527]: connection closed fd 129
[/code]
This is only me, in the terminal where I am logged in as admin for grsecurity, checking if the mail was sent, by issuing "mailq" in the terminal.
[code]
Jul 12 08:44:56 g0n kernel: [306979.209624] grsec: (admin:S:/) exec of /usr/sbin/sendmail (mailq ) by /usr/sbin/sendmail[bash:21531] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:44:56 g0n kernel: [306979.218482] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/sendmail[mailq:21531] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:44:56 g0n kernel: [306979.218683] grsec: (admin:S:/) exec of /usr/sbin/postqueue (postqueue -p ) by /usr/sbin/postqueue[mailq:21531] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:44:56 g0n kernel: [306979.229148] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postqueue[postqueue:21531] uid/euid:0/0 gid/egid:0/208, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:44:56 g0n kernel: [306979.229793] grsec: (root:U:/usr/libexec/postfix) exec of /usr/libexec/postfix/showq (showq -t unix -u ) by /usr/libexec/postfix/showq[master:21532] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
Jul 12 08:44:56 g0n kernel: [306979.235974] grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/showq[showq:21532] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:01 g0n kernel: [306984.232850] grsec: (admin:S:/) exec of /usr/sbin/postqueue (postqueue -f ) by /usr/sbin/postqueue[bash:21533] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:01 g0n postfix/qmgr[21777]: trigger_server_accept_local: trigger arrived
Jul 12 08:45:01 g0n postfix/qmgr[21777]: master_notify: status 0
Jul 12 08:45:01 g0n postfix/qmgr[21777]: request: 70 (F)
Jul 12 08:45:01 g0n postfix/pickup[17335]: trigger_server_accept_local: trigger arrived
Jul 12 08:45:01 g0n postfix/qmgr[21777]: request: 65 (A)
Jul 12 08:45:01 g0n postfix/qmgr[21777]: request: 68 (D)
Jul 12 08:45:01 g0n postfix/qmgr[21777]: request: 73 (I)
Jul 12 08:45:01 g0n postfix/qmgr[21777]: request: 0 (?)
Jul 12 08:45:01 g0n postfix/qmgr[21777]: request ignored
Jul 12 08:45:01 g0n postfix/qmgr[21777]: qmgr_enable_all
Jul 12 08:45:01 g0n kernel: [306984.238666] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postqueue[postqueue:21533] uid/euid:0/0 gid/egid:0/208, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:01 g0n postfix/qmgr[21777]: qmgr_scan_start: start incoming queue scan
Jul 12 08:45:01 g0n postfix/qmgr[21777]: qmgr_enable_all
Jul 12 08:45:01 g0n postfix/pickup[17335]: master_notify: status 0
Jul 12 08:45:01 g0n postfix/qmgr[21777]: qmgr_scan_start: start deferred queue scan
Jul 12 08:45:01 g0n postfix/qmgr[21777]: master_notify: status 1
Jul 12 08:45:01 g0n postfix/pickup[17335]: master_notify: status 1
Jul 12 08:45:01 g0n postfix/qmgr[21777]: done deferred queue scan
Jul 12 08:45:01 g0n postfix/qmgr[21777]: done incoming queue scan
Jul 12 08:45:03 g0n kernel: [306986.599816] grsec: (admin:S:/) exec of /usr/sbin/postqueue (postqueue -f ) by /usr/sbin/postqueue[bash:21534] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:03 g0n kernel: [306986.605636] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postqueue[postqueue:21534] uid/euid:0/0 gid/egid:0/208, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:03 g0n postfix/qmgr[21777]: trigger_server_accept_local: trigger arrived
Jul 12 08:45:03 g0n postfix/pickup[17335]: trigger_server_accept_local: trigger arrived
Jul 12 08:45:03 g0n postfix/qmgr[21777]: master_notify: status 0
Jul 12 08:45:03 g0n postfix/qmgr[21777]: request: 70 (F)
Jul 12 08:45:03 g0n postfix/pickup[17335]: master_notify: status 0
Jul 12 08:45:03 g0n postfix/qmgr[21777]: request: 65 (A)
Jul 12 08:45:03 g0n postfix/qmgr[21777]: request: 68 (D)
Jul 12 08:45:03 g0n postfix/qmgr[21777]: request: 73 (I)
Jul 12 08:45:03 g0n postfix/qmgr[21777]: request: 0 (?)
Jul 12 08:45:03 g0n postfix/qmgr[21777]: request ignored
Jul 12 08:45:03 g0n postfix/qmgr[21777]: qmgr_enable_all
Jul 12 08:45:03 g0n postfix/pickup[17335]: master_notify: status 1
Jul 12 08:45:03 g0n postfix/qmgr[21777]: qmgr_scan_start: start incoming queue scan
Jul 12 08:45:03 g0n postfix/qmgr[21777]: qmgr_enable_all
Jul 12 08:45:03 g0n postfix/qmgr[21777]: qmgr_scan_start: start deferred queue scan
Jul 12 08:45:03 g0n postfix/qmgr[21777]: master_notify: status 1
Jul 12 08:45:03 g0n postfix/qmgr[21777]: done deferred queue scan
Jul 12 08:45:03 g0n postfix/qmgr[21777]: done incoming queue scan
Jul 12 08:45:04 g0n kernel: [306987.767014] grsec: (admin:S:/) exec of /usr/sbin/sendmail (mailq ) by /usr/sbin/sendmail[bash:21535] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:04 g0n kernel: [306987.773428] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/sendmail[mailq:21535] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:04 g0n kernel: [306987.773626] grsec: (admin:S:/) exec of /usr/sbin/postqueue (postqueue -p ) by /usr/sbin/postqueue[mailq:21535] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:04 g0n kernel: [306987.783331] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postqueue[postqueue:21535] uid/euid:0/0 gid/egid:0/208, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
[/code]
I'll cut short some of my explanation here.

This is just my iptables setup dropping some bad packets:
[code]
Jul 12 08:45:11 g0n kernel: [306994.284558] mrfw_dropIN=eth1 OUT= MAC=01:00:5e:00:00:01:3c:94:d5:cf:8f:f0:08:00 SRC=10.16.96.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=4492 PROTO=2
Jul 12 08:45:42 g0n kernel: [307025.843758] grsec: (root:U:/usr/libexec/postfix/tlsmgr) exec of /usr/libexec/postfix/tlsmgr (tlsmgr -l -t unix -u -v ) by /usr/libexec/postfix/tlsmgr[master:21536] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:42 g0n kernel: [307025.843825] grsec: (root:U:/usr/libexec/postfix/tlsmgr) denied access to hidden file /lib64/ld-2.20.so by /usr/libexec/postfix/tlsmgr[master:21536] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:42 g0n master[21536]: fatal: master_spawn: exec /usr/libexec/postfix/tlsmgr: No such file or directory
Jul 12 08:45:43 g0n postfix/master[21774]: warning: process /usr/libexec/postfix/tlsmgr pid 21536 exit status 1
Jul 12 08:45:43 g0n postfix/master[21774]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
Jul 12 08:45:46 g0n postfix/pickup[17335]: trigger_server_accept_local: trigger arrived
Jul 12 08:45:46 g0n postfix/pickup[17335]: master_notify: status 0
Jul 12 08:45:46 g0n postfix/pickup[17335]: master_notify: status 1
Jul 12 08:45:53 g0n kernel: [307036.841272] grsec: (admin:S:/) exec of /usr/sbin/sendmail (mailq ) by /usr/sbin/sendmail[bash:21540] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:53 g0n kernel: [307036.850215] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/sendmail[mailq:21540] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:53 g0n kernel: [307036.850435] grsec: (admin:S:/) exec of /usr/sbin/postqueue (postqueue -p ) by /usr/sbin/postqueue[mailq:21540] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:53 g0n kernel: [307036.861051] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postqueue[postqueue:21540] uid/euid:0/0 gid/egid:0/208, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:55 g0n kernel: [307038.425772] grsec: (admin:S:/) exec of /usr/sbin/postqueue (postqueue -f ) by /usr/sbin/postqueue[bash:21541] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:55 g0n postfix/qmgr[21777]: trigger_server_accept_local: trigger arrived
Jul 12 08:45:55 g0n postfix/qmgr[21777]: master_notify: status 0
Jul 12 08:45:55 g0n postfix/qmgr[21777]: request: 70 (F)
Jul 12 08:45:55 g0n postfix/qmgr[21777]: request: 65 (A)
Jul 12 08:45:55 g0n postfix/qmgr[21777]: request: 68 (D)
Jul 12 08:45:55 g0n postfix/qmgr[21777]: request: 73 (I)
Jul 12 08:45:55 g0n postfix/qmgr[21777]: request: 0 (?)
Jul 12 08:45:55 g0n postfix/qmgr[21777]: request ignored
Jul 12 08:45:55 g0n postfix/qmgr[21777]: qmgr_enable_all
Jul 12 08:45:55 g0n postfix/qmgr[21777]: qmgr_scan_start: start incoming queue scan
Jul 12 08:45:55 g0n postfix/pickup[17335]: trigger_server_accept_local: trigger arrived
Jul 12 08:45:55 g0n postfix/qmgr[21777]: qmgr_enable_all
Jul 12 08:45:55 g0n postfix/qmgr[21777]: qmgr_scan_start: start deferred queue scan
Jul 12 08:45:55 g0n postfix/qmgr[21777]: master_notify: status 1
Jul 12 08:45:55 g0n postfix/pickup[17335]: master_notify: status 0
Jul 12 08:45:55 g0n postfix/pickup[17335]: master_notify: status 1
Jul 12 08:45:55 g0n postfix/qmgr[21777]: done deferred queue scan
Jul 12 08:45:55 g0n postfix/qmgr[21777]: done incoming queue scan
Jul 12 08:45:55 g0n kernel: [307038.432521] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postqueue[postqueue:21541] uid/euid:0/0 gid/egid:0/208, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:06 g0n kernel: [307049.362021] 8139too 0000:04:06.0 eth1: link down

Next post continues exactly from what was the next line in this log, nothing cut out.
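
As an added example (not the poster's code, nor anything from grsecurity or Postfix), here is a small Python tool for reading logs of exactly the shape posted above: it parses the grsec RBAC audit lines, picks out the "denied access to hidden file" events, and ties them to the postfix master(8) "bad command startup -- throttling" warning that follows, which is the chain visible at the tlsmgr lines in this post. The sample input is copied from the log in this post; the regexes, function names and the split into "explained" versus "unrelated" denials are this example's own assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the Jul 12 log in this post (the tlsmgr failure and
# the dhcpcd denial that follows it), so the script runs offline.
SAMPLE_LOG = """\
Jul 12 08:45:42 g0n kernel: [307025.843758] grsec: (root:U:/usr/libexec/postfix/tlsmgr) exec of /usr/libexec/postfix/tlsmgr (tlsmgr -l -t unix -u -v ) by /usr/libexec/postfix/tlsmgr[master:21536] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:42 g0n kernel: [307025.843825] grsec: (root:U:/usr/libexec/postfix/tlsmgr) denied access to hidden file /lib64/ld-2.20.so by /usr/libexec/postfix/tlsmgr[master:21536] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:42 g0n master[21536]: fatal: master_spawn: exec /usr/libexec/postfix/tlsmgr: No such file or directory
Jul 12 08:45:43 g0n postfix/master[21774]: warning: process /usr/libexec/postfix/tlsmgr pid 21536 exit status 1
Jul 12 08:45:43 g0n postfix/master[21774]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
Jul 12 08:46:06 g0n kernel: [307049.362274] grsec: (root:U:/sbin/dhcpcd) denied access to hidden file /dev/log by /sbin/dhcpcd[dhcpcd:31589] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

# Shape of a grsec RBAC audit line, as seen in the kernel log above:
#   grsec: (role:type:subject) <event> by /exe[comm:pid] uid/euid:a/b gid/egid:c/d, parent /pexe[pcomm:ppid] ...
GRSEC_RE = re.compile(
    r"grsec: \((?P<role>[^:)]+):(?P<rtype>[A-Z]+):(?P<subject>[^)]+)\) "
    r"(?P<event>.+?) by (?P<exe>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>[^\s\[]+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)
DENIED_HIDDEN_RE = re.compile(r"^denied access to hidden file (?P<path>\S+)$")
EXEC_RE = re.compile(r"^exec of (?P<path>\S+) \((?P<argv>.*)\)$")
# master(8) gives up on a daemon after its startup keeps failing.
THROTTLE_RE = re.compile(
    r"postfix/master\[(?P<pid>\d+)\]: warning: (?P<path>\S+): bad command startup -- throttling"
)


def parse_grsec_line(line: str) -> Optional[dict]:
    """Return the fields of one grsec RBAC audit line, or None if the line is not one."""
    m = GRSEC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid", "ppid"):
        rec[key] = int(rec[key])
    event = rec["event"]
    if (d := DENIED_HIDDEN_RE.match(event)):
        rec["kind"], rec["path"] = "denied_hidden", d.group("path")
    elif (e := EXEC_RE.match(event)):
        rec["kind"], rec["path"] = "exec", e.group("path")
        rec["argv"] = e.group("argv").strip()
    else:
        rec["kind"], rec["path"] = "other", None
    return rec


def correlate(log_text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Tie each 'bad command startup -- throttling' warning to the hidden-file denials
    logged against the same RBAC subject; other denials are returned separately so the
    policy author can decide whether those accesses are really needed."""
    denials: List[dict] = []
    throttled: List[str] = []
    for line in log_text.splitlines():
        rec = parse_grsec_line(line)
        if rec and rec["kind"] == "denied_hidden":
            denials.append(rec)
            continue
        t = THROTTLE_RE.search(line)
        if t:
            throttled.append(t.group("path"))
    explained: Dict[str, List[str]] = defaultdict(list)
    unrelated: List[Tuple[str, str]] = []
    for d in denials:
        # master(8) names the daemon it tried to exec; grsec names the subject the
        # access was judged under. For a per-daemon subject such as
        # /usr/libexec/postfix/tlsmgr the two coincide. With the dynamic loader
        # hidden from that subject, the exec fails with "No such file or directory",
        # the child exits 1 and master(8) throttles the service, which is the
        # sequence the log above shows.
        if d["subject"] in throttled or d["exe"] in throttled:
            explained[d["subject"]].append(d["path"])
        else:
            unrelated.append((d["subject"], d["path"]))
    return dict(explained), unrelated


if __name__ == "__main__":
    explained, unrelated = correlate(SAMPLE_LOG)
    for daemon, paths in explained.items():
        print(f"{daemon}: throttled by master(8) after RBAC hid {', '.join(paths)}")
    for subject, path in unrelated:
        print(f"review: subject {subject} was denied hidden file {path}")
```

Run over a real /var/log/messages it prints one line per throttled postfix daemon naming the hidden objects its subject was refused, and a "review:" line for every other hidden-file denial.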

Re: A denied seteuid issue with Postfix (Role: root)

PostPosted: Mon Jul 13, 2015 1:23 pm
by timbgo
This is the continuation of the same log as the previous post. Nothing cut out.

Is this one of those accesses that is not really needed?
[code]
Jul 12 08:46:06 g0n kernel: [307049.362274] grsec: (root:U:/sbin/dhcpcd) denied access to hidden file /dev/log by /sbin/dhcpcd[dhcpcd:31589] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:06 g0n kernel: [307049.362534] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:21543] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:31589] uid/euid:0/0 gid/egid:0/0
[/code]
All the execs of the dhcpcd program are there, but it's too broad for the topic.
6 lines cut.
[code]
Jul 12 08:46:06 g0n kernel: [307049.389404] grsec: (root:U:/lib64/dhcpcd/dhcpcd-run-hooks) exec of /lib64/dhcpcd/dhcpcd-run-hooks (/lib/dhcpcd/dhcpcd-run-hooks ) by /lib64/dhcpcd/dhcpcd-run-hooks[dhcpcd:21554] uid/euid:0/0 gid/egid:0/0, parent /sbin/dhcpcd[dhcpcd:31589] uid/euid:0/0 gid/egid:0/0
[/code]

8 lines cut.

You can see here my script uncenz-kill in action. See the little program on:
https://github.com/miroR/uncenz

[code]
Jul 12 08:46:08 g0n kernel: [307051.474703] grsec: (miro:U:/) exec of /usr/local/bin/uncenz-kill (uncenz-kill ) by /usr/local/bin/uncenz-kill[bash:21566] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3670] uid/euid:1000/1000 gid/egid:1000/1000
[/code]

30 lines cut.
[code]
Jul 12 08:46:10 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c ps aux
Jul 12 08:46:10 g0n kernel: [307053.861564] grsec: (root:U:/bin/bash) exec of /bin/bash (/bin/bash -c ps aux ) by /bin/bash[sudo:21584] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/uncenz-kill[uncenz-kill:21583] uid/euid:1000/1000 gid/egid:1000/1000
Jul 12 08:46:10 g0n kernel: [307053.865646] grsec: (miro:U:/) exec of /bin/grep (grep -E [d]umpcap ) by /bin/grep[egrep:21585] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-kill[uncenz-kill:21583] uid/euid:1000/1000 gid/egid:1000/1000
Jul 12 08:46:10 g0n kernel: [307053.867048] grsec: (root:U:/bin/ps) exec of /bin/ps (ps aux ) by /bin/ps[bash:21584] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/uncenz-kill[uncenz-kill:21583] uid/euid:1000/1000 gid/egid:1000/1000
Jul 12 08:46:10 g0n kernel: [307053.995982] grsec: (miro:U:/usr/bin/sudo) exec of /usr/bin/sudo (sudo -s kill ) by /usr/bin/sudo[uncenz-kill:21587] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-kill[uncenz-kill:21577] uid/euid:1000/1000 gid/egid:1000/1000
Jul 12 08:46:10 g0n sudo:     miro : TTY=pts/16 ; PWD=/Cmn/mr ; USER=root ; COMMAND=/bin/bash -c kill
Jul 12 08:46:10 g0n kernel: [307054.000557] grsec: (root:U:/bin/bash) exec of /bin/bash (/bin/bash -c kill ) by /bin/bash[sudo:21587] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/uncenz-kill[uncenz-kill:21577] uid/euid:1000/1000 gid/egid:1000/1000
[/code]

You can see the postfix restart that I issued here. And you can see what is not right, and if you didn't notice the most important line that I told you about at the start of this commented posting of my July 12th log, then you miss the thorough understanding of how to read the logs to fix your RBAC policy. Because I deliberately skipped explaining, in the post immediately previous to this one, when that line was close. I will refer to it in the next post, where I will repeat that section of the log...

So this is the postfix restart, because the message, for some reason, wasn't sent. But you'll see those admin lines that make me worry. I'd rather they were not around when I'm online...
Code: Select all
Jul 12 08:46:17 g0n kernel: [307060.781920] grsec: (admin:S:/) exec of /etc/init.d/postfix (/etc/init.d/postfix restart ) by /etc/init.d/postfix[bash:21588] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.785357] grsec: (admin:S:/) chdir to / by /etc/init.d/postfix[postfix:21588] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.794819] grsec: (admin:S:/) exec of /lib64/rc/sh/openrc-run.sh (/lib64/rc/sh/openrc-run.sh /etc/init.d/postfix stop ) by /lib64/rc/sh/openrc-run.sh[postfix:21589] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/postfix[postfix:21588] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.804336] grsec: (admin:S:/) exec of /sbin/openrc (eval_ecolors ) by /sbin/openrc[openrc-run.sh:21592] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21591] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.814925] grsec: (admin:S:/) exec of /bin/mkdir (mkdir -p /sys/fs/cgroup/openrc/postfix ) by /bin/mkdir[openrc-run.sh:21594] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.816777] grsec: (admin:S:/) chdir to /sys by /bin/mkdir[mkdir:21594] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.816826] grsec: (admin:S:/) chdir to /sys/fs by /bin/mkdir[mkdir:21594] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.816871] grsec: (admin:S:/) chdir to /sys/fs/cgroup by /bin/mkdir[mkdir:21594] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.816914] grsec: (admin:S:/) chdir to /sys/fs/cgroup/openrc by /bin/mkdir[mkdir:21594] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.818034] grsec: (admin:S:/) exec of /bin/mkdir (mkdir -p /sys/fs/cgroup/openrc/postfix ) by /bin/mkdir[openrc-run.sh:21595] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.818599] grsec: (admin:S:/) chdir to /sys by /bin/mkdir[mkdir:21595] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.818615] grsec: (admin:S:/) chdir to /sys/fs by /bin/mkdir[mkdir:21595] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.818628] grsec: (admin:S:/) chdir to /sys/fs/cgroup by /bin/mkdir[mkdir:21595] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.818642] grsec: (admin:S:/) chdir to /sys/fs/cgroup/openrc by /bin/mkdir[mkdir:21595] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.825103] grsec: (admin:S:/) exec of /sbin/openrc (ebegin Stopping postfix  ) by /sbin/openrc[openrc-run.sh:21600] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.827463] grsec: (admin:S:/) exec of /usr/sbin/postfix (/usr/sbin/postfix stop ) by /usr/sbin/postfix[openrc-run.sh:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.832995] grsec: (admin:S:/) chdir to /usr/sbin by /usr/sbin/postfix[postfix:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.833008] grsec: (admin:S:/) chdir to /usr/libexec/postfix by /usr/sbin/postfix[postfix:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.833019] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postfix[postfix:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.833186] grsec: (admin:S:/) exec of /usr/libexec/postfix/postfix-script (/usr/libexec/postfix/postfix-script stop ) by /usr/libexec/postfix/postfix-script[postfix:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.840720] grsec: (admin:S:/) chdir to /usr/sbin by /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.840877] grsec: (admin:S:/) chdir to /usr/libexec/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.841122] grsec: (admin:S:/) chdir to /etc/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.841325] grsec: (admin:S:/) chdir to /usr/lib64/postfix/3.0.1 by /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.841459] grsec: (admin:S:/) chdir to /etc/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.841596] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.842019] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -dh config_directory ) by /usr/sbin/postconf[postfix-script:21602] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.848507] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h multi_instance_directories ) by /usr/sbin/postconf[postfix-script:21604] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21603] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.848905] grsec: (admin:S:/) exec of /bin/sed (sed s/,/ / ) by /bin/sed[postfix-script:21605] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21603] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.860224] grsec: (admin:S:/) exec of /usr/libexec/postfix/master (/usr/libexec/postfix/master -t ) by /usr/libexec/postfix/master[postfix-script:21606] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.865932] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/master[master:21606] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.867030] grsec: (admin:S:/) exec of /usr/sbin/postlog (/usr/sbin/postlog -t postfix/postfix-script -p info stopping the Postfix mail system ) by /usr/sbin/postlog[postfix-script:21607] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n postfix/postfix-script[21607]: stopping the Postfix mail system
Jul 12 08:46:17 g0n kernel: [307060.873660] grsec: (admin:S:/) exec of /bin/sed (sed 1q pid/master.pid ) by /bin/sed[postfix-script:21608] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n postfix/master[21774]: terminating on signal 15
Jul 12 08:46:17 g0n kernel: [307060.882743] grsec: (admin:S:/) exec of /usr/libexec/postfix/master (/usr/libexec/postfix/master -t ) by /usr/libexec/postfix/master[postfix-script:21609] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.894338] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/master[master:21609] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21601] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.895903] grsec: (admin:S:/) exec of /sbin/openrc (eend ) by /sbin/openrc[openrc-run.sh:21610] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21589] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.902048] grsec: (:::kernel::::S:/) exec of /lib64/rc/sh/cgroup-release-agent.sh (/lib64/rc/sh/cgroup-release-agent.sh /postfix ) by /lib64/rc/sh/cgroup-release-agent.sh[kworker/u8:2:21613] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:2:25871] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.908469] grsec: (:::kernel::::S:/) exec of /bin/rmdir (rmdir /sys/fs/cgroup/openrc//postfix ) by /bin/rmdir[cgroup-release-:21614] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/cgroup-release-agent.sh[cgroup-release-:21613] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.915125] grsec: (admin:S:/) exec of /lib64/rc/sh/openrc-run.sh (/lib64/rc/sh/openrc-run.sh /etc/init.d/postfix start ) by /lib64/rc/sh/openrc-run.sh[postfix:21615] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/postfix[postfix:21588] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.925813] grsec: (admin:S:/) exec of /sbin/openrc (eval_ecolors ) by /sbin/openrc[openrc-run.sh:21618] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21617] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.937281] grsec: (admin:S:/) exec of /bin/mkdir (mkdir -p /sys/fs/cgroup/openrc/postfix ) by /bin/mkdir[openrc-run.sh:21620] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.939100] grsec: (admin:S:/) chdir to /sys by /bin/mkdir[mkdir:21620] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.939149] grsec: (admin:S:/) chdir to /sys/fs by /bin/mkdir[mkdir:21620] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.939193] grsec: (admin:S:/) chdir to /sys/fs/cgroup by /bin/mkdir[mkdir:21620] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.939237] grsec: (admin:S:/) chdir to /sys/fs/cgroup/openrc by /bin/mkdir[mkdir:21620] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.940236] grsec: (:::kernel::::S:/) exec of /lib64/rc/sh/cgroup-release-agent.sh (/lib64/rc/sh/cgroup-release-agent.sh /postfix ) by /lib64/rc/sh/cgroup-release-agent.sh[kworker/u8:2:21621] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:2:25871] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.940457] grsec: (admin:S:/) exec of /bin/mkdir (mkdir -p /sys/fs/cgroup/openrc/postfix ) by /bin/mkdir[openrc-run.sh:21622] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.941163] grsec: (admin:S:/) chdir to /sys by /bin/mkdir[mkdir:21622] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.941181] grsec: (admin:S:/) chdir to /sys/fs by /bin/mkdir[mkdir:21622] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.941198] grsec: (admin:S:/) chdir to /sys/fs/cgroup by /bin/mkdir[mkdir:21622] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.941214] grsec: (admin:S:/) chdir to /sys/fs/cgroup/openrc by /bin/mkdir[mkdir:21622] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0

That was all stopping.
And now the second part of the restart, which is starting.
Code:
Jul 12 08:46:17 g0n kernel: [307060.943874] grsec: (:::kernel::::S:/) exec of /bin/rmdir (rmdir /sys/fs/cgroup/openrc//postfix ) by /bin/rmdir[cgroup-release-:21624] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/cgroup-release-agent.sh[cgroup-release-:21621] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.948818] grsec: (admin:S:/) exec of /sbin/openrc (ebegin Starting postfix  ) by /sbin/openrc[openrc-run.sh:21627] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.951256] grsec: (admin:S:/) exec of /usr/sbin/postfix (/usr/sbin/postfix start ) by /usr/sbin/postfix[openrc-run.sh:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.956874] grsec: (admin:S:/) chdir to /usr/sbin by /usr/sbin/postfix[postfix:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.956889] grsec: (admin:S:/) chdir to /usr/libexec/postfix by /usr/sbin/postfix[postfix:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.956903] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postfix[postfix:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.956978] grsec: (admin:S:/) exec of /usr/libexec/postfix/postfix-script (/usr/libexec/postfix/postfix-script start ) by /usr/libexec/postfix/postfix-script[postfix:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.959953] grsec: (admin:S:/) chdir to /usr/sbin by /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.960011] grsec: (admin:S:/) chdir to /usr/libexec/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.960098] grsec: (admin:S:/) chdir to /etc/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.960172] grsec: (admin:S:/) chdir to /usr/lib64/postfix/3.0.1 by /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.960221] grsec: (admin:S:/) chdir to /etc/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.960274] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0, parent /lib64/rc/sh/openrc-run.sh[openrc-run.sh:21615] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.960748] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -dh config_directory ) by /usr/sbin/postconf[postfix-script:21629] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.968131] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h multi_instance_directories ) by /usr/sbin/postconf[postfix-script:21631] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21630] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.968179] grsec: (admin:S:/) exec of /bin/sed (sed s/,/ / ) by /bin/sed[postfix-script:21632] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21630] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.979847] grsec: (admin:S:/) exec of /usr/libexec/postfix/master (/usr/libexec/postfix/master -t ) by /usr/libexec/postfix/master[postfix-script:21633] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.992468] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/master[master:21633] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307060.994295] grsec: (admin:S:/) exec of /usr/libexec/postfix/postfix-script (/usr/libexec/postfix/postfix-script check-fatal ) by /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307061.001207] grsec: (admin:S:/) chdir to /usr/sbin by /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307061.001367] grsec: (admin:S:/) chdir to /usr/libexec/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307061.001631] grsec: (admin:S:/) chdir to /etc/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307061.001728] grsec: (admin:S:/) chdir to /usr/lib64/postfix/3.0.1 by /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307061.001769] grsec: (admin:S:/) chdir to /etc/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307061.001812] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307061.002311] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -dh config_directory ) by /usr/sbin/postconf[postfix-script:21635] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307061.015025] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h multi_instance_directories ) by /usr/sbin/postconf[postfix-script:21637] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21636] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:17 g0n kernel: [307061.015403] grsec: (admin:S:/) exec of /bin/sed (sed s/,/ / ) by /bin/sed[postfix-script:21638] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21636] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.030262] grsec: (admin:S:/) exec of /bin/bash (/bin/sh /usr/libexec/postfix/post-install create-missing ) by /bin/bash[postfix-script:21639] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.037881] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -d mail_version ) by /usr/sbin/postconf[sh:21640] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21639] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.044207] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -d -h config_directory ) by /usr/sbin/postconf[sh:21641] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21639] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.050381] grsec: (admin:S:/) exec of /bin/sed (sed s/,/ / ) by /bin/sed[sh:21644] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21642] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.050525] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h multi_instance_directories ) by /usr/sbin/postconf[sh:21643] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21642] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.066247] grsec: (admin:S:/) exec of /bin/uname (uname -s ) by /bin/uname[sh:21645] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21639] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.069029] grsec: (admin:S:/) exec of /bin/grep (grep setgid_group /etc/postfix/main.cf ) by /bin/grep[sh:21646] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21639] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.074176] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -dhx mail_version ) by /usr/sbin/postconf[sh:21648] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.079761] grsec: (admin:S:/) exec of /bin/sed (sed s/\./\\./g ) by /bin/sed[sh:21651] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21649] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.082821] grsec: (admin:S:/) exec of /bin/sed (sed s/3\.0\.1$/${mail_version}/g ) by /bin/sed[sh:21654] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21652] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.087333] grsec: (admin:S:/) exec of /bin/sed (sed s/3\.0\.1$/${mail_version}/g ) by /bin/sed[sh:21657] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21655] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.092988] grsec: (admin:S:/) exec of /bin/sed (sed s/3\.0\.1$/${mail_version}/g ) by /bin/sed[sh:21660] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21658] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.095114] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h command_directory ) by /usr/sbin/postconf[sh:21661] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.103635] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h daemon_directory ) by /usr/sbin/postconf[sh:21662] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.116056] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h data_directory ) by /usr/sbin/postconf[sh:21663] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.122424] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h html_directory ) by /usr/sbin/postconf[sh:21664] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.128208] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h mail_owner ) by /usr/sbin/postconf[sh:21665] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.134181] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h mailq_path ) by /usr/sbin/postconf[sh:21666] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.140829] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h manpage_directory ) by /usr/sbin/postconf[sh:21667] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.147206] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h newaliases_path ) by /usr/sbin/postconf[sh:21668] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.153499] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h queue_directory ) by /usr/sbin/postconf[sh:21669] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.166124] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h readme_directory ) by /usr/sbin/postconf[sh:21670] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.177092] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h sample_directory ) by /usr/sbin/postconf[sh:21671] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.185165] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h sendmail_path ) by /usr/sbin/postconf[sh:21672] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.192917] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h setgid_group ) by /usr/sbin/postconf[sh:21673] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.206096] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h shlib_directory ) by /usr/sbin/postconf[sh:21674] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.211441] grsec: (admin:S:/) exec of /usr/sbin/postconf (/usr/sbin/postconf -c /etc/postfix -h meta_directory ) by /usr/sbin/postconf[sh:21675] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21647] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.221201] grsec: (admin:S:/) exec of /usr/bin/find (find /etc/postfix/postfix-files.d -type f ) by /usr/bin/find[sh:21677] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21676] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.221224] grsec: (admin:S:/) exec of /bin/sort (sort ) by /bin/sort[sh:21678] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21676] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.222616] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/bin/find[find:21677] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:21676] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.363415] grsec: (admin:S:/) exec of /usr/sbin/postsuper (/usr/sbin/postsuper ) by /usr/sbin/postsuper[postfix-script:21679] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0

We are still at postfix's own execs... All these in just one (1) second so far (find the /etc/init.d/postfix restart at Jul 12 08:46:17 above).
Code:
Jul 12 08:46:18 g0n kernel: [307061.373693] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/sbin/postsuper[postsuper:21679] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21634] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.440464] grsec: (admin:S:/) exec of /usr/libexec/postfix/postfix-script (/usr/libexec/postfix/postfix-script check-warn ) by /usr/libexec/postfix/postfix-script[postfix-script:21680] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0

40 lines cut.

I think I saw at this point that line "starting the Postfix mail system" printed in the terminal.
Code:
Jul 12 08:46:18 g0n kernel: [307061.550548] grsec: (admin:S:/) exec of /usr/sbin/postlog (/usr/sbin/postlog -t postfix/postfix-script -p info starting the Postfix mail system ) by /usr/sbin/postlog[postfix-script:21705] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n postfix/postfix-script[21705]: starting the Postfix mail system
Jul 12 08:46:18 g0n kernel: [307061.563394] grsec: (admin:S:/) exec of /usr/libexec/postfix/master (/usr/libexec/postfix/master -w ) by /usr/libexec/postfix/master[postfix-script:21706] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/postfix-script[postfix-script:21628] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n kernel: [307061.578298] grsec: (admin:S:/) chdir to /var/spool/postfix by /usr/libexec/postfix/master[master:21707] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21706] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:18 g0n postfix/master[21707]: daemon started -- version 3.0.1, configuration /etc/postfix
Jul 12 08:46:18 g0n kernel: [307061.613415] grsec: (admin:S:/) exec of /usr/libexec/postfix/pickup (pickup -l -t unix -u -v ) by /usr/libexec/postfix/pickup[master:21708] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21707] uid/euid:0/0 gid/egid:0/0

300 lines cut.

However, the sending failed. And I myself don't exactly get why here.
Code:
Jul 12 08:46:18 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: mta_mname
Jul 12 08:46:18 g0n postfix/qmgr[21709]: input attribute name: mta_mname
Jul 12 08:46:18 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 12 08:46:18 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: action
Jul 12 08:46:18 g0n postfix/qmgr[21709]: input attribute name: action
Jul 12 08:46:18 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 12 08:46:18 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: reason
Jul 12 08:46:18 g0n postfix/qmgr[21709]: input attribute name: reason
Jul 12 08:46:18 g0n postfix/qmgr[21709]: input attribute value: Host or domain name not found. Name service error for name=mail.t-com.hr type=A: Host not found, try again
Jul 12 08:46:18 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: status
Jul 12 08:46:18 g0n postfix/qmgr[21709]: input attribute name: status
Jul 12 08:46:18 g0n postfix/qmgr[21709]: input attribute value: 4294967295
Jul 12 08:46:18 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: (list terminator)
Jul 12 08:46:18 g0n postfix/qmgr[21709]: input attribute name: (end)
Jul 12 08:46:18 g0n postfix/qmgr[21709]: qmgr_queue_throttle: queue [mail.t-com.hr]: 4.4.3 delivery temporarily suspended: Host or domain name not found. Name service error for name=mail.t-com.hr type=A: Host not found, try again
Jul 12 08:46:18 g0n postfix/qmgr[21709]: qmgr_active_done: 6CFB6380BE9
Jul 12 08:46:18 g0n postfix/qmgr[21709]: wakeup 6CFB6380BE9 after 300 secs
Jul 12 08:46:18 g0n postfix/qmgr[21709]: qmgr_active_defer: defer 6CFB6380BE9
Jul 12 08:46:18 g0n postfix/qmgr[21709]: qmgr_job_free: 6CFB6380BE9 smtp
Jul 12 08:46:23 g0n postfix/qmgr[21709]: rewrite stream disconnect
Jul 12 08:46:23 g0n postfix/trivial-rewrite[21713]: connection closed fd 128
Jul 12 08:46:23 g0n postfix/tlsmgr[21715]: connection closed fd 128

Those are the "rewrite stream disconnect" and "connection closed" that I was talking about many lines above. Nope! In the previous post.

Anyway, I thought it was good that I exit from the admin role.
Code:
Jul 12 08:46:25 g0n kernel: [307068.189257] grsec: (admin:S:/) exec of /sbin/gradm (gradm -u ) by /sbin/gradm[bash:21717] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:25 g0n kernel: [307068.191393] grsec: (admin:S:/) successful unauth of special role admin (id 13) by /sbin/gradm[gradm:21717] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0

This is me issuing "grep RBAC /proc/$$/status" to see if I have exited.
Code:
Jul 12 08:46:29 g0n kernel: [307072.057314] grsec: (root:U:/bin/grep) exec of /bin/grep (grep --colour=auto RBAC /proc/3736/status ) by /bin/grep[bash:21718] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:29 g0n kernel: [307072.058439] grsec: (root:U:/bin/grep) denied access to hidden file /lib64/libpcre.so.1.2.5 by /bin/grep[grep:21718] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:29 g0n kernel: [307072.058516] grsec: (root:U:/bin/grep) denied access to hidden file /lib64/libpcre.so.1.2.5 by /bin/grep[grep:21718] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:29 g0n kernel: [307072.058546] grsec: (root:U:/bin/grep) denied access to hidden file /lib64 by /bin/grep[grep:21718] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:29 g0n kernel: [307072.058600] grsec: more alerts, logging disabled for 10 seconds

These "denied access" lines are just because, as root, I can't see my status in /proc/$$/status. Root is close to a regular user on my machines.

And here I start the screencast/traffic-capturing with uncenz-1st, my little program.
Code:
Jul 12 08:46:32 g0n kernel: [307075.722744] grsec: (miro:U:/) exec of /usr/local/bin/uncenz-1st (uncenz-1st ) by /usr/local/bin/uncenz-1st[bash:21719] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3670] uid/euid:1000/1000 gid/egid:1000/1000
Jul 12 08:46:32 g0n kernel: [307075.730425] grsec: (miro:U:/bin/hostname) exec of /bin/hostname (hostname ) by /bin/hostname[uncenz-1st:21721] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/local/bin/uncenz-1st[uncenz-1st:21720] uid/euid:1000/1000 gid/egid:1000/1000

50 lines cut.

Here below is part of the execs connected to the "mailq" command described in the previous post, and then I issue "postqueue -f" to flush the queue and send the mail.
Code:
Jul 12 08:46:39 g0n kernel: [307082.235034] grsec: (root:U:/usr/sbin/sendmail) exec of /usr/sbin/sendmail (mailq ) by /usr/sbin/sendmail[bash:21776] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:39 g0n kernel: [307082.241058] grsec: (root:U:/usr/sbin/sendmail) chdir to /var/spool/postfix by /usr/sbin/sendmail[mailq:21776] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:39 g0n kernel: [307082.241263] grsec: (root:U:/usr/sbin/postqueue) exec of /usr/sbin/postqueue (postqueue -p ) by /usr/sbin/postqueue[mailq:21776] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:39 g0n kernel: [307082.248023] grsec: (root:U:/usr/sbin/postqueue) chdir to /var/spool/postfix by /usr/sbin/postqueue[postqueue:21776] uid/euid:0/0 gid/egid:0/208, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:39 g0n kernel: [307082.248557] grsec: (root:U:/usr/libexec/postfix) exec of /usr/libexec/postfix/showq (showq -t unix -u ) by /usr/libexec/postfix/showq[master:21777] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21707] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:39 g0n kernel: [307082.257197] grsec: (root:U:/usr/libexec/postfix) chdir to /var/spool/postfix by /usr/libexec/postfix/showq[showq:21777] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21707] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:41 g0n kernel: [307084.850450] grsec: (root:U:/usr/sbin/postqueue) exec of /usr/sbin/postqueue (postqueue -f ) by /usr/sbin/postqueue[bash:21778] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3736] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:41 g0n postfix/qmgr[21709]: trigger_server_accept_local: trigger arrived
Jul 12 08:46:41 g0n postfix/pickup[21708]: trigger_server_accept_local: trigger arrived
Jul 12 08:46:41 g0n postfix/qmgr[21709]: master_notify: status 0
Jul 12 08:46:41 g0n postfix/pickup[21708]: master_notify: status 0

Is this another one of those denied opens that is fine to leave and not worry about? I don't know. But the message was sent, as you can see further below.
Code:
Jul 12 08:46:41 g0n kernel: [307084.951056] grsec: (postfix:U:/usr/libexec/postfix/smtp) denied open of /proc/meminfo for reading by /usr/libexec/postfix/smtp[smtp:21714] uid/euid:207/207 gid/egid:207/207, parent /usr/libexec/postfix/master[master:21707] uid/euid:0/0 gid/egid:0/0
Jul 12 08:46:41 g0n postfix/tlsmgr[21715]: tlsmgr socket: wanted attribute: (list terminator)
Jul 12 08:46:41 g0n postfix/tlsmgr[21715]: input attribute name: (end)
Jul 12 08:46:41 g0n postfix/tlsmgr[21715]: lookup smtp session id=smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5
Jul 12 08:46:41 g0n postfix/tlsmgr[21715]: send attr status = 4294967295
Jul 12 08:46:41 g0n postfix/tlsmgr[21715]: send attr session = [data 0 bytes]
Jul 12 08:46:41 g0n postfix/tlsmgr[21715]: master_notify: status 1
Jul 12 08:46:41 g0n postfix/smtp[21714]: private/tlsmgr: wanted attribute: status
Jul 12 08:46:41 g0n postfix/smtp[21714]: input attribute name: status
Jul 12 08:46:41 g0n postfix/smtp[21714]: input attribute value: 4294967295

You are spared 430 lines here of SSLv2/v3 conversations.
Code:
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: input attribute name: cache_type
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: input attribute value: smtp
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: tlsmgr socket: wanted attribute: cache_id
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: input attribute name: cache_id
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: input attribute value: smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: tlsmgr socket: wanted attribute: session
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: input attribute name: session
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: input attribute value: [session data elided]
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: tlsmgr socket: wanted attribute: (list terminator)
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: input attribute name: (end)
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: put smtp session id=smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5 [data 1271 bytes]
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: write smtp TLS cache entry smtp&[mail.t-com.hr]&mail.t-com.hr&195.29.150.5&&A0BEF5C25DF36A5FFE02EDEA06E97852EE4BECC33A6CB5937CD74C4C01B8C8D5: time=1436683602 [data 1271 bytes]
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: send attr status = 0
Jul 12 08:46:42 g0n postfix/tlsmgr[21715]: master_notify: status 1
Jul 12 08:46:42 g0n postfix/smtp[21714]: private/tlsmgr: wanted attribute: status
Jul 12 08:46:42 g0n postfix/smtp[21714]: input attribute name: status
Jul 12 08:46:42 g0n postfix/smtp[21714]: input attribute value: 0
Jul 12 08:46:42 g0n postfix/smtp[21714]: private/tlsmgr: wanted attribute: (list terminator)
Jul 12 08:46:42 g0n postfix/smtp[21714]: input attribute name: (end)
Jul 12 08:46:42 g0n postfix/smtp[21714]: mail.t-com.hr[195.29.150.5]:25: subject_CN=mail.t-com.hr, issuer_CN=Thawte DV SSL CA, fingerprint=57:11:8D:AB:B9:B1:47:66:F5:30:72:87:C8:DC:AD:9A, pkey_fingerprint=54:2F:63:8B:8E:F8:D2:48:3A:EF:73:11:49:78:02:A0
Jul 12 08:46:42 g0n postfix/smtp[21714]: Untrusted TLS connection established to mail.t-com.hr[195.29.150.5]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 12 08:46:42 g0n postfix/smtp[21714]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 12 08:46:42 g0n postfix/smtp[21714]: > mail.t-com.hr[195.29.150.5]:25: EHLO g0n.localdomain
Jul 12 08:46:42 g0n postfix/smtp[21714]: < mail.t-com.hr[195.29.150.5]:25: 250-ls266.t-com.hr
Jul 12 08:46:42 g0n postfix/smtp[21714]: < mail.t-com.hr[195.29.150.5]:25: 250-PIPELINING
Jul 12 08:46:42 g0n postfix/smtp[21714]: < mail.t-com.hr[195.29.150.5]:25: 250-SIZE 15728640
Jul 12 08:46:42 g0n postfix/smtp[21714]: < mail.t-com.hr[195.29.150.5]:25: 250-ETRN
Jul 12 08:46:42 g0n postfix/smtp[21714]: < mail.t-com.hr[195.29.150.5]:25: 250-ENHANCEDSTATUSCODES
Jul 12 08:46:42 g0n postfix/smtp[21714]: < mail.t-com.hr[195.29.150.5]:25: 250 8BITMIME
Jul 12 08:46:42 g0n postfix/smtp[21714]: server features: 0x100f size 15728640
Jul 12 08:46:42 g0n postfix/smtp[21714]: Using ESMTP PIPELINING, TCP send buffer size is 46080, PIPELINING buffer size is 4096
Jul 12 08:46:42 g0n postfix/smtp[21714]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 12 08:46:42 g0n postfix/smtp[21714]: > mail.t-com.hr[195.29.150.5]:25: MAIL FROM:<[email protected]> SIZE=5644
Jul 12 08:46:42 g0n postfix/smtp[21714]: > mail.t-com.hr[195.29.150.5]:25: RCPT TO:<[email protected]>
Jul 12 08:46:42 g0n postfix/smtp[21714]: > mail.t-com.hr[195.29.150.5]:25: DATA
Jul 12 08:46:42 g0n postfix/smtp[21714]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 12 08:46:42 g0n postfix/smtp[21714]: < mail.t-com.hr[195.29.150.5]:25: 250 2.1.0 Ok
Jul 12 08:46:42 g0n postfix/smtp[21714]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jul 12 08:46:42 g0n postfix/smtp[21714]: < mail.t-com.hr[195.29.150.5]:25: 250 2.1.5 Ok
Jul 12 08:46:42 g0n postfix/smtp[21714]: smtp_stream_setup: maxtime=120 enable_deadline=0
Jul 12 08:46:42 g0n postfix/smtp[21714]: < mail.t-com.hr[195.29.150.5]:25: 354 End data with <CR><LF>.<CR><LF>
Jul 12 08:46:42 g0n postfix/smtp[21714]: smtp_stream_setup: maxtime=180 enable_deadline=0
Jul 12 08:46:42 g0n postfix/smtp[21714]: > mail.t-com.hr[195.29.150.5]:25: .
Jul 12 08:46:42 g0n postfix/smtp[21714]: > mail.t-com.hr[195.29.150.5]:25: QUIT
Jul 12 08:46:42 g0n postfix/smtp[21714]: smtp_stream_setup: maxtime=600 enable_deadline=0
Jul 12 08:46:42 g0n postfix/smtp[21714]: < mail.t-com.hr[195.29.150.5]:25: 250 2.0.0 Ok: queued as 24F32120224
Jul 12 08:46:42 g0n postfix/smtp[21714]: 6CFB6380BE9: to=<[email protected]>, relay=mail.t-com.hr[195.29.150.5]:25, delay=117, delays=116/0/0.24/0.21, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 24F32120224)
Jul 12 08:46:42 g0n postfix/smtp[21714]: name_mask: resource
Jul 12 08:46:42 g0n postfix/smtp[21714]: name_mask: software
Jul 12 08:46:42 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: status
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute name: status
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 12 08:46:42 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: diag_type
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute name: diag_type
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 12 08:46:42 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: diag_text
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute name: diag_text
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 12 08:46:42 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: mta_type
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute name: mta_type
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 12 08:46:42 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: mta_mname
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute name: mta_mname
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 12 08:46:42 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: action
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute name: action
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 12 08:46:42 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: reason
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute name: reason
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute value: (end)
Jul 12 08:46:42 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: status
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute name: status
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute value: 0
Jul 12 08:46:42 g0n postfix/qmgr[21709]: private/smtp socket: wanted attribute: (list terminator)
Jul 12 08:46:42 g0n postfix/qmgr[21709]: input attribute name: (end)
Jul 12 08:46:42 g0n postfix/qmgr[21709]: qmgr_queue_unthrottle: queue [mail.t-com.hr]
Jul 12 08:46:42 g0n postfix/qmgr[21709]: qmgr_active_done: 6CFB6380BE9
Jul 12 08:46:42 g0n postfix/qmgr[21709]: 6CFB6380BE9: removed
Jul 12 08:46:42 g0n postfix/qmgr[21709]: qmgr_job_free: 6CFB6380BE9 smtp

And the message was sent, as you can see.

Re: A denied seteuid issue with Postfix (Role: root)

PostPosted: Mon Jul 13, 2015 1:33 pm
by timbgo
This is a repeat for those who didn't figure out the important message that grsec put in the logs. ;-)

Like I said long stretches of text before:
This message actually contains one particular line that was of great importance for setting my RBAC policy for postfix right.

Code:
Jul 12 08:45:11 g0n kernel: [306994.284558] mrfw_dropIN=eth1 OUT= MAC=01:00:5e:00:00:01:3c:94:d5:cf:8f:f0:08:00 SRC=10.16.96.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=4492 PROTO=2
Jul 12 08:45:42 g0n kernel: [307025.843758] grsec: (root:U:/usr/libexec/postfix/tlsmgr) exec of /usr/libexec/postfix/tlsmgr (tlsmgr -l -t unix -u -v ) by /usr/libexec/postfix/tlsmgr[master:21536] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:42 g0n kernel: [307025.843825] grsec: (root:U:/usr/libexec/postfix/tlsmgr) denied access to hidden file /lib64/ld-2.20.so by /usr/libexec/postfix/tlsmgr[master:21536] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0
Jul 12 08:45:42 g0n master[21536]: fatal: master_spawn: exec /usr/libexec/postfix/tlsmgr: No such file or directory
Jul 12 08:45:43 g0n postfix/master[21774]: warning: process /usr/libexec/postfix/tlsmgr pid 21536 exit status 1
Jul 12 08:45:43 g0n postfix/master[21774]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling
Jul 12 08:45:46 g0n postfix/pickup[17335]: trigger_server_accept_local: trigger arrived
Jul 12 08:45:46 g0n postfix/pickup[17335]: master_notify: status 0
Jul 12 08:45:46 g0n postfix/pickup[17335]: master_notify: status 1

And I lied, not on purpose though, when I said:
"Next post continues exactly from what was the next line in this log, nothing cut out."

because this is the post after next, and not the next post to that one.

But anyway, looking up my grsec policy, I see quite a few of:

Code:
# egrep '\/lib64\/ld-2.20.so' /etc/grsec/policy | wc -l
19
# egrep '\/lib64\/ld-2.20.so' /etc/grsec/policy | sort -u
   /lib64/ld-2.20.so      x
#

and it was learned so by my grsec. (This is the current case. But only one of the 19 instances is the one placed in the subject for tlsmgr.)

And so, back when I was reading these logs, I trusted that it was fine that I put that line in the policy for tlsmgr.

It currently looks like:

Code:
# Role: root
subject /usr/libexec/postfix/tlsmgr o {
   /            h
   /bin/bash      x
   /dev            h
   /dev/log         rw
   /etc/localtime         r
   /lib64/ld-2.20.so      x
   /var/spool/postfix      rwcd
   -CAP_ALL
   +CAP_SETGID
   +CAP_SETUID
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   178.218.164.164/32 ip dgram stream tcp udp
   sock_allow_family all
}


and Postfix appears to be working fine.

The line, again:
Code:
Jul 12 08:45:42 g0n kernel: [307025.843825] grsec: (root:U:/usr/libexec/postfix/tlsmgr) denied access to hidden file /lib64/ld-2.20.so by /usr/libexec/postfix/tlsmgr[master:21536] uid/euid:0/0 gid/egid:0/0, parent /usr/libexec/postfix/master[master:21774] uid/euid:0/0 gid/egid:0/0

Cheers!
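
To go with the denied lines quoted in this thread (hidden file, open for reading, link) and the egrep check of which subject actually holds the /lib64/ld-2.20.so line, here is an added Python example; it is not gradm code and not anything from the poster's files. It parses a grsec denial into role, subject, object path and the object mode the denial asks for, then resolves the path the way the RBAC system does for an 'o' subject (longest matching object inside that subject, no inheritance) to show what the current policy grants. Two assumptions: the subject carries the 'o' flag, and roles are located by the "# Role:" comment lines that appear in the listings posted here rather than by real role declarations.

```python
"""Map grsec RBAC denial lines to the policy object that produced them.
Added example for this thread: not gradm code and not the poster's files.
Audit lines and the tlsmgr subject below are quoted from the posts above.
Assumes the subject has the 'o' flag (no inheritance from the role's '/'
subject), so the longest matching object inside that subject decides."""
import re

AUDIT_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):[A-Z]:(?P<subject>[^)]+)\) "
    r"denied (?P<what>.+?) by \S+\[[^\]]+?:(?P<pid>\d+)\]"
)
OPEN_MODES = {"reading": "r", "writing": "w", "appending": "a"}

# Object lines of the tlsmgr subject as posted above; other lines shortened.
TLSMGR_POLICY = """\
# Role: root
subject /usr/libexec/postfix/tlsmgr o {
   /            h
   /dev            h
   /dev/log         rw
   /etc/localtime         r
   /lib64/ld-2.20.so      x
   /var/spool/postfix      rwcd
   -CAP_ALL
   sock_allow_family all
}
"""

# Denial lines quoted from the thread, syslog prefix and uid/gid tail trimmed.
DENIED_HIDDEN = ("grsec: (root:U:/usr/libexec/postfix/tlsmgr) denied access to hidden "
                 "file /lib64/ld-2.20.so by /usr/libexec/postfix/tlsmgr[master:21536]")
DENIED_OPEN = ("grsec: (postfix:U:/usr/libexec/postfix/smtp) denied open of /proc/meminfo"
               " for reading by /usr/libexec/postfix/smtp[smtp:21714]")
DENIED_LINK = ("grsec: (root:U:/usr/bin/mutt) denied link of /root/postponed/tmp/"
               "new.1437406292.19365_0.g0n to /root/postponed/new/1437406293.19365_1.g0n"
               " by /usr/bin/mutt[mutt:19365]")


def parse_denial(line):
    """Role, subject, kind, object path and the mode the denial asks for."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    what = m.group("what")
    d = {"role": m.group("role"), "subject": m.group("subject"),
         "pid": int(m.group("pid"))}
    if hid := re.fullmatch(r"access to hidden file (\S+)", what):
        # The object resolved to 'h'. An entry is needed, but its mode depends on
        # the access that follows (the thread used rw, r and x for different files).
        d.update(kind="hidden", path=hid.group(1), needs="?")
    elif opn := re.fullmatch(r"open of (\S+) for (.+)", what):
        d.update(kind="open", path=opn.group(1),
                 needs="".join(OPEN_MODES.get(w, "?") for w in opn.group(2).split()))
    elif lnk := re.fullmatch(r"link of (\S+) to (\S+)", what):
        # The existing file needs 'l'; the directory receiving the new name needs
        # 'w' and 'c' (the thread's '/root rwcdl' fix covers both at once).
        d.update(kind="link", path=lnk.group(1), needs="l", target=lnk.group(2))
    else:
        d.update(kind="other", path=None, needs=None, detail=what)
    return d


def subject_objects(policy_text, role, subject):
    """Objects ({path: mode}) of one subject, located via the '# Role:' comments
    that gradm -O writes (as in the listings in this thread); None if absent."""
    role_now, objects, inside = None, {}, False
    for raw in policy_text.splitlines():
        line = raw.strip()
        if line.startswith("# Role:"):
            role_now = line.split(":", 1)[1].strip()
        elif line.startswith("subject ") and line.endswith("{"):
            inside = role_now == role and line.split()[1] == subject
        elif inside and line == "}":
            return objects
        elif inside and line.startswith("/"):
            parts = line.split(None, 1)  # the mode may be empty, e.g. '/var/tmp'
            objects[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return None


def effective_mode(objects, path):
    """Longest-prefix match: the most specific object in the subject wins."""
    best, mode = -1, None
    for obj, m in objects.items():
        if obj == "/" or path == obj or path.startswith(obj + "/"):
            if len(obj) > best:
                best, mode = len(obj), m
    return mode


def explain(line, policy_text):
    """Denial joined with the mode the subject currently grants on that path."""
    d = parse_denial(line)
    if d and d["path"]:
        objs = subject_objects(policy_text, d["role"], d["subject"])
        d["current"] = effective_mode(objs, d["path"]) if objs is not None else None
    return d
```

Against the tlsmgr subject above, /lib64/ld-2.20.so resolves to x (the fix is in place), while a path such as /lib64/libpcre.so.1.2.5 falls through to the "/ h" catch-all, which is how the "denied access to hidden file" lines seen earlier come about.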

Re: Issues with and RBAC Policy for Postfix

PostPosted: Tue Jul 21, 2015 3:14 am
by timbgo
I have just put up a notice that readers should beware, and not lose time reading the previous posts:

Issues with and RBAC Policy for Postfix
viewtopic.php?f=5&t=4230&p=15368#p15368

I am sorry to have arrived at some wrong conclusions in the few previous posts.

But I think I got it going in the right way now.
---

I have finished the grsec learning, a couple of hours ago, and will try to post my likely (but I never know) working postfix policy now.

I'll explain what I did using diffs among these files, which are the backups now, and at their time, as the timestamp says, they were the new /etc/grsec/policy versions, if I can call them that. Well, local tentative implementations at that time.
Code:
# ls -l grsec_150717_g0n_03 grsec_150720_g0n_0*
-rw------- 1 root root 105448 2015-07-17 14:14 grsec_150717_g0n_03
-rw------- 1 root root 107491 2015-07-20 16:05 grsec_150720_g0n_00-L
-rw------- 1 root root 106947 2015-07-20 16:16 grsec_150720_g0n_01
-rw------- 1 root root 108934 2015-07-20 16:56 grsec_150720_g0n_02
-rw------- 1 root root 109686 2015-07-20 17:23 grsec_150720_g0n_03
-rw------- 1 root root 109753 2015-07-20 18:23 grsec_150720_g0n_04
-rw------- 1 root root 109833 2015-07-20 18:47 grsec_150720_g0n_05
#

The grsec_150717_g0n_03 contains a lot of my learning wishes for the grsec. See:

Code:
# grep -B1 -A5 ' ol ' grsec_150717_g0n_03
# Role: root
subject /usr/libexec/postfix ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}
--
# Role: root
subject /usr/sbin/postconf ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}
--
# Role: root
subject /usr/sbin/postdrop ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}
--
# Role: root
subject /usr/sbin/postfix ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}
--
# Role: root
subject /usr/sbin/postlog ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}
--
# Role: root
subject /usr/sbin/postqueue ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}
--
# Role: root
subject /usr/sbin/postsuper ol {
user_transition_allow postfix
group_transition_allow postfix

   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}

--
# Role: postfix
subject /usr/libexec/postfix ol {
   /            h
   bind   disabled
   connect   disabled
}

# Role: postfix
subject /usr/sbin/postsuper ol {
   /            h
   -CAP_ALL
   bind   disabled
   connect   disabled
}
#

( To be sincere with you, I corrected the above output for the postsuper in Role: root, it needed -A8 but the others didn't. )

Only now do I notice that I missed inserting the
Code:
   -CAP_ALL

line for subject /usr/libexec/postfix in Role: postfix. That might have had to do with some difficulties which I will later explain. A plain oversight.

Then I:

Code:
# cp -iav grsec_150717_g0n_03 /etc/grsec/policy

and:

Code:
# gradm -L /etc/grsec/learning.logs -E


NOTE: I had, just before issuing that command, deleted the previous /etc/grsec/learning.logs that grew to a few hundred MB, as I kept it for long. Good or bad having kept it for so long? Don't know. The policy is generally working fine.

And I let it run, because the measure is not time since started, but how many emails you send. Some emails, local or to internet, I sent purposefully, to get the routine noticed well by the learning grsec. Others only when I had reason to send mails. So it took time.

And then, a couple of hours ago, I decided I did enough repetitive tasks that I use postfix for, and:

Code:
# gradm -D
# gradm -L /etc/grsec/learning.logs -O /etc/grsec/policy


And grsec added these lines to the end of /etc/grsec/policy,
Code:
# diff grsec_150717_g0n_03 grsec_150720_g0n_00-L | sed 's/> //' >> \
   /Cmn/mr/Grsec_150720_postfix.txt
these lines (exclude the first line pls; and I'm not cheating here, no correcting, that exact output I got with that command):
Code:
5824a5825,5942
###  THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE USER ROLE "root" ###
# Role: root
subject /usr/libexec/postfix o {
user_transition_allow postfix
group_transition_allow postfix

   /            h
   /dev            h
   /dev/log         rw
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /proc            h
   /proc/sys/kernel/ngroups_max   r
   /sys            h
   /sys/devices/system/cpu/online   r
   /usr            h
   /usr/lib64         rx
   /usr/libexec         x
   /var            h
   /var/spool/postfix      rw
   /var/tmp         
   -CAP_ALL
   +CAP_DAC_READ_SEARCH
   +CAP_KILL
   +CAP_SETGID
   +CAP_SETUID
   bind   disabled
   connect   disabled
   sock_allow_family unix inet netlink
}

# Role: root
subject /usr/sbin/postdrop o {
   /            h
   /dev            h
   /dev/log         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/postfix         h
   /etc/postfix/main.cf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/postdrop      rx
   /usr/share         h
   /usr/share/zoneinfo      r
   /var            h
   /var/spool/postfix      rwcd
   -CAP_ALL
   bind   disabled
   connect   disabled
   sock_allow_family unix inet netlink
}

# Role: root
subject /usr/sbin/postqueue o {
   /            h
   /dev            h
   /dev/log         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/postfix         h
   /etc/postfix/main.cf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/postqueue      rx
   /usr/share         h
   /usr/share/zoneinfo      r
   /var            h
   /var/spool/postfix      rw
   -CAP_ALL
   bind   disabled
   connect   disabled
   sock_allow_family unix inet netlink
}


###  THE BELOW SUBJECT(S) SHOULD BE ADDED TO THE USER ROLE "postfix" ###
# Role: postfix
subject /usr/libexec/postfix o {
   /            h
   /etc            h
   /etc/ld.so.cache      r
   /etc/localtime         
   /etc/services         r
   /lib64            h
   /lib64/libnss_db-2.20.so   rx
   /var            h
   /var/spool/postfix      rwcd
   -CAP_ALL
   bind   disabled
   connect 178.218.164.164/32:25 stream tcp
}

You can count 9 ' ol ' instances in the input policy for the learning grsec. But, as you can see, for some reason, grsec gave me back policies for only 4 of those subjects.

Never mind, as you'll see, out of that, I later still got a likely working postfix policy (still testing it, and the testing will similarly take time, according to when I'll need to send emails; I mean more emails, as I sent successfully a couple so far).

It's not clear cut what I got with the grsec learning though. And it wasn't really sufficient. I had to combine it with looking up my old grsec policy backups and do some additional editing, and only then it worked.

Aaargh! I forgot to say! And a lot of figuring out what the grsec 'denied ...' messages in the system log meant! But I'm getting sooo much better at understanding those ;-) .

More in the next post.

Re: Issues with and RBAC Policy for Postfix

PostPosted: Tue Jul 21, 2015 3:37 am
by timbgo
But before I go on, let me explain that, when I started grsec learning, I also reconfigured postfix.

To be in the clear, I currently use postfix only as, as far as the internet goes, smtp client. I only send mails with it to my mail hubs, one the local ISP, the other the hoster of http://www.CroatiaFidelis.hr. I do also use it for local mailing of messages, such as by rkhunter or tripwire installations, but I don't currently use it as smtpd server, to be able to, once I have a domain hosted in my place, and not by third parties, also receive emails directly without the hubs, and not just only send them (also surely directly without the hubs).

If you look up in the learned policies that grsec added to /etc/grsec/policy, you can see the line:

Code:
   connect 178.218.164.164/32:25 stream tcp

which I later removed. This post is not about postfix configuration, but that line is for sending to the mail hub of my CroatiaFidelis.hr hoster, and that grsec learned while I was trying things, but that mail hub has a regular 587 submission TLS service (to which it recently switched and therefore I needed to reconfigure postfix to accommodate the change).

At this time I don't remember well enough why I had to learn the /usr/libexec/postfix ol ... for Role: root, and also /usr/libexec/postfix ol ... for Role: postfix. I remember I tried just Role: postfix but it simply wouldn't work and it just wouldn't work... Just for the completeness.

The first version that I replaced into /etc/grsec/policy after the learning wouldn't work. It consisted of simply replacing the 4 subject policies grsec learned in place of the respective subjects that had ' ol ' for learning.

And for the manual editing of the remaining not-learned subjects (5 of them), I replaced them from the old grsec backup, which I forgot to list in this, probably successful, part of this topic that I started today, the list in the immediately previous post to this.

This previously backed-up policy:
Code:
# ls -l grsec_150715_g0n_00
-rw------- 1 root root 113590 2015-07-15 16:44 grsec_150715_g0n_00


So maybe the diff will tell more clearly what it now hopefully, finally, corrected from the previous policies (but I have to comment the diff to make it clearer; reminder: this is real output, the only way for me --a non-expert-- to post it),

Code:
# diff grsec_150715_g0n_00 grsec_150720_g0n_05

Added to the
subject /bin/ps o { ...
Code:
1266a1267
>    /dev/null         rw

because of the denies like:
Code:
Jul 20 18:03:14 g0n kernel: [536442.316710] grsec: (root:U:/bin/ps) denied access to hidden file /dev/null by /bin/ps[ps:22703] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/uncenz-1st[uncenz-1st:22702] uid/euid:1000/1000 gid/egid:1000/1000

(you can see my uncenz-1st program runs that exec in:
and it is "denied access to" if you wish
)
After long thinking I decided I should allow dhcpcd access to /sbin/dhcpcd
Code:
Jul 20 17:57:01 g0n kernel: [536069.143060] grsec: (root:U:/sbin/dhcpcd) denied access to hidden file /dev/log by /sbin/dhcpcd[dhcpcd:2411] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

(not that anything with the good dhcpcd program wouldn't work; not sure if this was really needed):
Code:
2025a2027
>    /dev/log         rw

Similarly for /usr/bin/mutt. Its complaints were:
Code:
Jul 20 17:43:22 g0n kernel: [535250.250507] grsec: (root:U:/usr/bin/mutt) denied access to hidden file /dev/log by /usr/bin/mutt[mutt:19365] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3301] uid/euid:0/0 gid/egid:0/0

and:
Code:
Jul 20 17:44:50 g0n kernel: [535338.162842] grsec: (root:U:/usr/bin/mutt) denied access to hidden file /dev/urandom by /usr/bin/mutt[mutt:22267] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3301] uid/euid:0/0 gid/egid:0/0

Yet to confirm, but I'm confident those denied access lines now went away:
Code:
2424a2427
>    /dev/log         rw
2425a2429
>    /dev/urandom         r

I can't find this one promptly, but I remember root couldn't create a dir /root/postponed when I wanted to postpone a message as I was writing it in the root mutt window... Nope, and I found it:
Code:
Jul 20 17:31:33 g0n kernel: [534540.226052] grsec: (root:U:/usr/bin/mutt) denied link of /root/postponed/tmp/new.1437406292.19365_0.g0n to /root/postponed/new/1437406293.19365_1.g0n by /usr/bin/mutt[mutt:19365] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3301] uid/euid:0/0 gid/egid:0/0

Anyway, that now works, whatever that it precisely is:
Code:
2441,2442c2445,2446
<    /root            rwcd
<    /root/Maildir      rwxcd
---
>    /root            rwcdl
>    /root/Maildir      rwxcdl
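Review bot: the `l` flag added to `/root` and `/root/Maildir` in 2441,2442c2445,2446 is what the `denied link of /root/postponed/tmp/... to /root/postponed/new/...` line above asked for (the postponed Maildir moves a message from tmp/ to new/ with a hard link), but `/root rwcdl` hands mutt link rights over the whole of /root; a dedicated `/root/postponed rwcdl` object would cover the postponed folder alone and leave the rest of /root as it was.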

This was replacing a lot now!
A separate policy subject /usr/libexec/postfix/local not anymore needed! Took me really long, didn't it!
Code:
3014,3051d3017
<    bind   disabled
<    connect   disabled
< }
<
< # Role: root
< subject /usr/libexec/postfix/local o {
<    /            h
<    /dev            h
<    /dev/log         rw
<    /etc            r
<    /etc/grsec         h
<    /etc/gshadow         h
<    /etc/gshadow-         h
<    /etc/mail         h
<    /etc/mail/aliases      
<    /etc/mail/aliases.db      r
<    /etc/postfix         h
<    /etc/postfix/main.cf      r
<    /etc/shadow         h
<    /etc/shadow-         h
<    /etc/ssh         h
<    /home            h
<    /home/miro/Maildir/tmp      wcdl
<    /lib64            rx
<    /lib64/modules         h
<    /root            wcdl
<    /sys            h
<    /sys/devices/system/cpu/online   r
<    /usr            h
<    /usr/lib64         rx
<    /usr/libexec         h
<    /usr/libexec/postfix/local   x
<    /var            h
<    /var/spool/postfix      rwcd
<    /var/tmp         
<    -CAP_ALL
<    +CAP_SETGID
<    +CAP_SETUID
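Review bot: hunk 3014,3051d3017 deletes the `bind disabled`, `connect disabled` and `}` that closed the preceding subject together with the header of `subject /usr/libexec/postfix/local o {`, so on the right side the object lines that used to belong to the local subject now continue the preceding subject; check that this merge was intended and that the preceding subject in the new file still ends with its own socket lines and `}`, since a subject body that silently absorbs another's objects is easy to overlook in a policy this size.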

This was a line in that same /usr/libexec/postfix/local subject, on the left side. Just for completeness. On the right is the ending policy for mutt. So the diff works...
Code:
3056c3022,3023
<    sock_allow_family netlink
---
>    bind   disabled
>    connect   disabled


However, at this point it is wiser to leave the big diff chunks for explaining by simply posting the respective new policies, and the old ones are those which I already posted:

A no-poetteringware desktop RBAC policy
viewtopic.php?f=5&t=4153#p15354

the rest of the diff...
Code:
3065,3066d3031
<    /bin         h
<    /bin/bash         x
3069d3033
<    /dev/null         rw
3075,3080d3038
<    /etc/host.conf      r
<    /etc/hosts         r
<    /etc/mail         h
<    /etc/mail/aliases      
<    /etc/mail/aliases.db      r
<    /etc/postfix         r
3084,3085d3041
<    /home            h
<    /home/miro/Maildir/tmp      wcdl
3087d3042
<    /lib64/libnss_dns-2.20.so         rx
3090d3044
<    /proc/meminfo         r
3092d3045
<    /root            wcdl
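Review bot: the removals at 3075,3080d3038, 3084,3085d3041 and 3092d3045 take `/etc/mail/aliases.db r`, `/home/miro/Maildir/tmp wcdl` and `/root wcdl` out of this subject, and those are exactly the objects local(8) needs to resolve aliases and to write root's and miro's Maildirs; unless equivalents exist elsewhere in the new file, the local mail from rkhunter and tripwire mentioned above will start producing denials, so send a local test message before treating the policy as finished (the post itself says testing is still under way).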
3097,3100c3050
<    /usr/lib64/libnss_dns-2.20.so         rx
<    /usr/libexec         h
<    /usr/libexec/postfix   x
< #   /usr/libexec/postfix/bounce   x
---
>    /usr/libexec         x
3102,3103c3052
<    /var/lib/postfix   rw   
< #   /var/lib/postfix/prng_exch   rw
---
>    /var/spool/postfix      rwcdl
3105d3053
<    /var/spool/postfix      rwcd
3113,3134c3061
<    connect   195.29.150.0/24 ip dgram stream tcp udp
<    connect   178.218.164.164/32 ip dgram stream tcp udp
<    sock_allow_family all
< }
<
< # Role: root
< subject /usr/libexec/postfix/tlsmgr o {
<    /            h
<    /bin/bash      x
<    /dev            h
<    /dev/log         rw
<    /etc/localtime         r
<    /lib64/ld-2.20.so      x
<    /etc/ld.so.cache      r
<    /lib64            rx
<    /usr/lib64/postfix/3.0.1   x
<    /var/spool/postfix      rwcd
<    -CAP_ALL
<    +CAP_SETGID
<    +CAP_SETUID
<    bind   0.0.0.0/32:0 ip dgram stream tcp udp
<    connect   127.0.0.1/32 ip dgram stream tcp udp
---
>    connect   192.168.1.1/32:53 dgram udp
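Review bot: 3113,3134c3061 leaves this subject with `connect 192.168.1.1/32:53 dgram udp` only, so the SMTP `connect 195.29.150.0/24` and `connect 178.218.164.164/32` lines, together with the whole `/usr/libexec/postfix/tlsmgr` subject, disappear from it; outbound mail now depends on a connect line in some other subject, and the one grsec learned for Role: postfix (`connect 178.218.164.164/32:25 stream tcp`) was removed earlier in this post because the hub moved to port 587, so make sure the final policy holds a port 587 connect for the hubs that are actually used, and nothing wider.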
3263c3190
< # Role: root
---
> ## Role: root
3305c3232
<    /usr/sbin/postdrop      x
---
>    /usr/sbin/postdrop      rx
3309c3236
<    /var/spool/postfix      rwcd
---
>    /var/spool/postfix      rwcdl
3311,3312d3237
<    +CAP_SETGID
<    +CAP_SETUID
3315,3317c3240
<    connect   195.29.150.0/24 ip dgram stream tcp udp
<    connect   178.218.164.164/32 ip dgram stream tcp udp
<    sock_allow_family netlink
---
>    sock_allow_family unix inet netlink
3349c3272
<    /var/spool/postfix      rwcd   
---
>    /var/spool/postfix      rwcdl
3385c3308
<
---
> #
3405c3328
<    /usr/sbin/postqueue      x
---
>    /usr/sbin/postqueue      rx
3411,3417c3334,3337
<    +CAP_SETGID
<    +CAP_SETUID
<    bind   0.0.0.0/32:0 ip dgram stream tcp udp
<    connect   127.0.0.1/32 ip dgram stream tcp udp
<    connect   195.29.150.0/24 ip dgram stream tcp udp
<    connect   178.218.164.164/32 ip dgram stream tcp udp
<    sock_allow_family netlink
---
>    bind   disabled
>    connect   disabled
> #   sock_allow_family unix inet netlink
>    sock_allow_family all
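Review bot: `sock_allow_family all` on the last `>` line is wider than the commented `sock_allow_family unix inet netlink` just above it, and with `bind disabled` and `connect disabled` now in place there is no reason to open every family; the postdrop hunk earlier in this diff settled on `unix inet netlink`, and postqueue should get the same unless a denial shows otherwise. Dropping `+CAP_SETGID`/`+CAP_SETUID` and the four address-based rules here is the right direction.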
3981,4025c3901
< subject /usr/libexec/postfix/bounce o {
<    /            h
<    /etc/localtime         
<    /var/spool/postfix      rwcd
<    -CAP_ALL
<    +CAP_SETGID
<    +CAP_SETUID
<    bind   0.0.0.0/32:0 ip dgram stream tcp udp
<    connect   127.0.0.1/32 ip dgram stream tcp udp
<    connect   195.29.150.0/24 ip dgram stream tcp udp
<    connect   178.218.164.164/32 ip dgram stream tcp udp
<    sock_allow_family netlink
< }
<
< # Role: postfix
< subject /usr/libexec/postfix/cleanup o {
<    /            h
<    /etc/localtime         
<    /var/spool/postfix      rwcd
<    -CAP_ALL
<    +CAP_SETGID
<    +CAP_SETUID
<    bind   0.0.0.0/32:0 ip dgram stream tcp udp
<    connect   127.0.0.1/32 ip dgram stream tcp udp
<    connect   195.29.150.0/24 ip dgram stream tcp udp
<    connect   178.218.164.164/32 ip dgram stream tcp udp
<    sock_allow_family netlink
< }
<
< # Role: postfix
< subject /usr/libexec/postfix/error o {
<    /            h
<    /var/spool/postfix      rwcd
<    -CAP_ALL
<    +CAP_SETGID
<    +CAP_SETUID
<    bind   0.0.0.0/32:0 ip dgram stream tcp udp
<    connect   127.0.0.1/32 ip dgram stream tcp udp
<    connect   195.29.150.0/24 ip dgram stream tcp udp
<    connect   178.218.164.164/32 ip dgram stream tcp udp
<    sock_allow_family netlink
< }
<
< # Role: postfix
< subject /usr/libexec/postfix/pickup o {
---
> subject /usr/libexec/postfix o {
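Review bot: collapsing the bounce, cleanup, error and pickup subjects into one `subject /usr/libexec/postfix o` means each daemon runs with the union of what all of them had (the deleted blocks are not identical, e.g. only some carry an `/etc/localtime` object), so the per-daemon split of the old policy is lost. If the single subject is kept for simplicity, that trade-off deserves a comment in the policy; if the split is kept instead, the deleted blocks all carried the same `bind 0.0.0.0/32:0` and the same four `connect` rules, which could be trimmed per daemon.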
4027d3902
<    /bin/bash      x
4030,4046c3905,3924
<    /etc/localtime         r
<    /var/spool/postfix      rwcd
<    -CAP_ALL
<    +CAP_SETGID
<    +CAP_SETUID
<    bind   0.0.0.0/32:0 ip dgram stream tcp udp
<    connect   127.0.0.1/32 ip dgram stream tcp udp
<    connect   195.29.150.0/24 ip dgram stream tcp udp
<    connect   178.218.164.164/32 ip dgram stream tcp udp
<    sock_allow_family netlink
< }
<
< # Role: postfix
< subject /usr/libexec/postfix/qmgr o {
<    /            h
<    /dev/log         rw
<    /var/spool/postfix      rwcd
---
>    /dev/urandom         r
>    /etc            r
>    /etc/grsec         h
>    /etc/gshadow         h
>    /etc/gshadow-         h
>    /etc/shadow         h
>    /etc/shadow-         h
>    /etc/ssh         h
>    /lib64            rx
>    /lib64/modules         h
>    /proc            h
>    /proc/sys/kernel/ngroups_max   r
>    /sys            h
>    /sys/devices/system/cpu/online   r
>    /usr            h
>    /usr/lib64         rx
>    /usr/libexec         x
>    /var            h
>    /var/spool/postfix      rwcdl
>    /var/tmp         
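Review bot: `/var/tmp` on the last `>` line has no mode letters, unlike every other object in this hunk; if that is meant as 'no access', a comment saying so would stop it being read as a missed `rwcd`. Hiding /etc/shadow, /etc/shadow-, /etc/gshadow, /etc/gshadow-, /etc/grsec and /etc/ssh beneath `/etc r` is the right pattern, and hiding /proc and /sys with only ngroups_max and cpu/online readable is likewise sound.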
4047a3926,3927
>    +CAP_DAC_READ_SEARCH
>    +CAP_KILL
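Review bot: `+CAP_DAC_READ_SEARCH` and `+CAP_KILL` are added to the subject that, after this diff, covers every Postfix daemon, so all of them gain both capabilities rather than only the one that triggered the learning entry. Note next to each which daemon needed it, so the grant can be narrowed if the subjects are ever split again.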
4051a3932
>    connect   192.168.1.1/32:53 dgram udp
4054,4087c3935
<    sock_allow_family netlink
< }
<
< # Role: postfix
< subject /usr/libexec/postfix/smtp o {
<    /            h
<    /etc            h
<    /etc/ld.so.cache      r
<    /etc/resolv.conf      r
<    /etc/services         r
<    /lib64            h
<    /lib64/libnss_db-2.20.so   rx
<    /proc            
<    /proc/bus         h
<    /proc/kallsyms         h
<    /proc/kcore         h
<    /proc/modules         h
<    /proc/slabinfo         h
<    /proc/sys         h
<    /var            h
<    /var/spool/postfix      rw
<    -CAP_ALL
<    +CAP_SETGID
<    +CAP_SETUID
<    bind   0.0.0.0/32:0 ip dgram stream tcp udp
<    connect   178.218.164.164/32:25 stream tcp
<    connect   195.29.150.2/32:25 stream tcp
<    connect   195.29.150.5/32:25 stream tcp
<    connect   192.168.1.1/32:53 dgram udp
<    connect   127.0.0.1/32:53 dgram udp
< #   connect   127.0.0.1/32 ip dgram stream tcp udp
< #   connect   195.29.150.0/24 ip dgram stream tcp udp
< #   connect   178.218.164.164/32 ip dgram stream tcp udp
< #   sock_allow_family netlink
---
>    sock_allow_family all
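Review bot: the deleted smtp subject was the tightest piece of the old policy, with connect pinned to port 25 on 178.218.164.164, 195.29.150.2 and 195.29.150.5, port 53 on 192.168.1.1 and 127.0.0.1, and /proc/kcore, /proc/kallsyms, /proc/modules, /proc/slabinfo and /proc/sys hidden; its sole replacement here is `sock_allow_family all` in the shared subject, so outbound SMTP is no longer limited to those hosts and ports. Keeping a separate smtp subject with the old port-scoped `connect` lines would preserve that.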
4886d4733
<    /bin/bash         x
6119,6120d5965
<    connect   195.29.150.0/24 ip dgram stream tcp udp
<    connect   178.218.164.164/32 ip dgram stream tcp udp

I'll only note that I post these (commented, on the left in the diff) lines below for documenting purposes, as I post real output. It was to do with the Mutt compilation that needed grsec policies set appropriately, which you can read about somewhere in:

My Hard Earned RBAC policy for Mutt
viewtopic.php?f=5&t=4235#p15391
Code:
6185,6190d6029
< #subject /usr/bin/autom4te-2.69 ol {
< #   /            h
< #   -CAP_ALL
< #   bind   disabled
< #   connect   disabled
< #}

A summary look at the above diff allows you to conclude that I got rid of the separate policies for (these are exact lines pasted from the diff):
Code:
< subject /usr/libexec/postfix/tlsmgr o {
< subject /usr/libexec/postfix/bounce o {
< subject /usr/libexec/postfix/cleanup o {
< subject /usr/libexec/postfix/error o {
< subject /usr/libexec/postfix/pickup o {
< subject /usr/libexec/postfix/smtp o {

on which a separate post, not with those subjects, really, but only with
Code:
subject /usr/libexec/postfix o {

even though still duplicated, from Role: root, and for Role: postfix. Because this line from the diff:
Code:
> subject /usr/libexec/postfix o {

is on the right side, the new policy, that replaces the old. Next.

Re: Issues with and RBAC Policy for Postfix

PostPosted: Tue Jul 21, 2015 3:41 am
by timbgo
These are the actual policies from my /etc/grsec/policy. The
Code:
# diff  grsec_150720_g0n_05 /etc/grsec/policy
#

returns an empty string.
Code:
# Role: root
subject /usr/libexec/postfix o {
user_transition_allow postfix
group_transition_allow postfix

   /            h
   /dev            h
   /dev/log         rw
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /proc            h
   /proc/sys/kernel/ngroups_max   r
   /sys            h
   /sys/devices/system/cpu/online   r
   /usr            h
   /usr/lib64         rx
   /usr/libexec         x
   /var            h
   /var/spool/postfix      rwcdl
   /var/tmp         
   -CAP_ALL
   +CAP_DAC_READ_SEARCH
   +CAP_KILL
   +CAP_SETGID
   +CAP_SETUID
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   connect   192.168.1.1/32:53 dgram udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   178.218.164.164/32 ip dgram stream tcp udp
   sock_allow_family all
}



Still in role root, I need to repeat that, probably I misconfigured something, such as what I admitted when I saw it, in the first post, but grsec learned policies for only 4 out of 9 subjects that I gave it for learning. So some of the following are grsec policies, manually improved, and others are copied policies from previous backups, also occasionally manually improved by looking for the 'denied ...' lines in the system log.

Code:
## Role: root
subject /usr/sbin/postconf o {
   /            h
   /etc            h
   /etc/ld.so.cache      r
   /etc/postfix/main.cf      r
   /etc/postfix/master.cf      r
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/postconf      x
   -CAP_ALL
   +CAP_SETGID
   +CAP_SETUID
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   178.218.164.164/32 ip dgram stream tcp udp
   sock_allow_family netlink
}

# Role: root
subject /usr/sbin/postdrop o {
   /            h
   /dev            h
   /dev/log         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/postfix         h
   /etc/postfix/main.cf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/postdrop      rx
   /usr/share         h
   /usr/share/zoneinfo      r
   /var            h
   /var/spool/postfix      rwcdl
   -CAP_ALL
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   sock_allow_family unix inet netlink
}

# Role: root
subject /usr/sbin/postfix o {
   /            h
   /dev            h
   /dev/log         rw
   /etc            r
   /etc/grsec         h
   /etc/host.conf      r
   /etc/hosts         r
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/postfix         h
   /etc/postfix/main.cf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /proc/meminfo         r
   /lib64            rx
   /lib64/libnss_dns-2.20.so         rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/lib64/libnss_dns-2.20.so         rx
   /usr/libexec         h
   /usr/libexec/postfix      x
#   /usr/libexec/postfix/postfix-script   x
   /usr/sbin         
   /usr/sbin/postfix      x
   /var            h
   /var/spool/postfix      rwcdl
   -CAP_ALL
   bind   disabled
   connect   disabled
   sock_allow_family netlink
}

# Role: root
subject /usr/sbin/postlog o {
   /            h
   /dev            h
   /dev/log         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/postfix         h
   /etc/postfix/main.cf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/postlog      x
   -CAP_ALL
   +CAP_SETGID
   +CAP_SETUID
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   178.218.164.164/32 ip dgram stream tcp udp
   sock_allow_family netlink
}
#
# Role: root
subject /usr/sbin/postqueue o {
   /            h
   /dev            h
   /dev/log         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/postfix         h
   /etc/postfix/main.cf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/postqueue      rx
   /usr/share         h
   /usr/share/zoneinfo      r
   /var            h
   /var/spool/postfix      rw
   -CAP_ALL
   bind   disabled
   connect   disabled
#   sock_allow_family unix inet netlink
   sock_allow_family all
}

# Role: root
subject /usr/sbin/postsuper o {
user_transition_allow postfix
group_transition_allow postfix

   /            h
   /dev            h
   /dev/log         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/postfix         h
   /etc/postfix/main.cf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/postsuper      x
   /var            h
   /var/spool/postfix      
   -CAP_ALL
   +CAP_SETGID
   +CAP_SETUID
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   178.218.164.164/32 ip dgram stream tcp udp
   sock_allow_family netlink
}



The sendmail in a Postfix MTA system (Mail Transfer Agent; different MTA packages can not normally live in the same system, such as you can not have Exim and Postfix at the same time) is a Postfix binary.
Code:
# Role: root
subject /usr/sbin/sendmail o {
   /            h
   /dev            h
   /dev/log         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/postfix         h
   /etc/postfix/main.cf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/postdrop      x
   /usr/sbin/postqueue      x
   /usr/sbin/sendmail      x
   /var            h
   /var/spool/postfix      
   -CAP_ALL
   +CAP_SETGID
   +CAP_SETUID
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   178.218.164.164/32 ip dgram stream tcp udp
   sock_allow_family netlink
}



role postfix itself:
Code:
role postfix u
role_allow_ip   0.0.0.0/32
# Role: postfix
subject /  {
   /            h
   /dev/urandom         r
   /etc/localtime         
   /var/spool/postfix      rwcd
   -CAP_ALL
   +CAP_SETGID
   +CAP_SETUID
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   178.218.164.164/32 ip dgram stream tcp udp
   sock_allow_family netlink
}


And in it, the subject /usr/libexec/postfix again, from what grsec gave, but hugely improved by pasting from its Role: root equivalent:
Code:
# Role: postfix
subject /usr/libexec/postfix o {
   /            h
   /dev            h
   /dev/log         rw
   /dev/urandom         r
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /proc            h
   /proc/sys/kernel/ngroups_max   r
   /sys            h
   /sys/devices/system/cpu/online   r
   /usr            h
   /usr/lib64         rx
   /usr/libexec         x
   /var            h
   /var/spool/postfix      rwcdl
   /var/tmp         
   -CAP_ALL
   +CAP_DAC_READ_SEARCH
   +CAP_KILL
   +CAP_SETGID
   +CAP_SETUID
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   connect   192.168.1.1/32:53 dgram udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   178.218.164.164/32 ip dgram stream tcp udp
   sock_allow_family all
}


And I don't know what to do with this one. Do I need it? If I don't, I'll comment it out in an edit to this post sometime in the future.
Code:
# Role: postfix
subject /usr/sbin/postsuper o {
   /            h
   /var/spool/postfix      wd
   -CAP_ALL
   bind   disabled
   connect   disabled
}


It contains a paste too, the line:
Code:
   /var/spool/postfix      wd


Finally, in role miro, there are a few subjects for two binaries of that MTA:
Code:
# Role: miro
subject /usr/sbin/postdrop o {
   /            h
   /dev            h
   /dev/log         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/postfix         h
   /etc/postfix/main.cf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/postdrop      x
   /usr/share         h
   /usr/share/zoneinfo      r
   /var            h
   /var/spool/postfix      rwcd
   -CAP_ALL
   +CAP_SETGID
   +CAP_SETUID
   bind   0.0.0.0/32:0 stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   sock_allow_family all
}

# Role: miro
subject /usr/sbin/sendmail o {
   /            h
   /dev            h
   /dev/log         rw
   /etc            r
   /etc/grsec         h
   /etc/gshadow         h
   /etc/gshadow-         h
   /etc/postfix         h
   /etc/postfix/main.cf      r
   /etc/shadow         h
   /etc/shadow-         h
   /etc/ssh         h
   /lib64            rx
   /lib64/modules         h
   /usr            h
   /usr/lib64         rx
   /usr/sbin         h
   /usr/sbin/postdrop      x
   /usr/sbin/sendmail      x
   /var            h
   /var/spool/postfix      
   -CAP_ALL
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   127.0.0.1/32 ip dgram stream tcp udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   178.218.164.164/32 ip dgram stream tcp udp
   sock_allow_family netlink
}


Sure they are probably pastes from my old grsec policies.

Not sure how this will prove to work (as I hope) or not. So, let me be back to tell some, hopefully not distant, time in the future.

Regards!
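
As an added example, not from the original post: a Python audit script that parses subject blocks in the syntax shown above and flags the points worth a second look (objects with no mode letters, `sock_allow_family all`, and connect rules without a port). The sample policy inside it is constructed from the subjects in this post.

```python
import re

# Constructed sample (in the syntax of the policy above): networking off in one subject,
# open-ended rules and an object without mode letters in the other.
SAMPLE_POLICY = """\
# Role: root
subject /usr/sbin/postqueue o {
   /            h
   /var/spool/postfix      rw
   -CAP_ALL
   bind   disabled
   connect   disabled
#   sock_allow_family unix inet netlink
   sock_allow_family all
}

# Role: root
subject /usr/sbin/postsuper o {
user_transition_allow postfix
   /            h
   /var/spool/postfix
   -CAP_ALL
   +CAP_SETUID
   bind   0.0.0.0/32:0 ip dgram stream tcp udp
   connect   195.29.150.0/24 ip dgram stream tcp udp
   connect   192.168.1.1/32:53 dgram udp
   sock_allow_family netlink
}
"""
ROLE_RE = re.compile(r"^#+\s*Role:\s*(\S+)")

def new_subject(role, path):
    return {"role": role, "path": path, "objects": {}, "caps": [],
            "bind": [], "connect": [], "families": [], "transitions": []}

def parse_policy(text):
    """Split policy text into subject dicts; '# Role:' comments name the role."""
    subjects, cur, role = [], None, "?"
    for raw in text.splitlines():
        line = raw.strip()
        m = ROLE_RE.match(line)
        if m:
            role = m.group(1)
            continue
        if not line or line.startswith("#"):
            continue                      # blank or commented-out rule: not in force
        parts = line.split()
        if parts[0] == "subject":
            cur = new_subject(role, parts[1])
            subjects.append(cur)
        elif cur is None:
            continue                      # role-level lines outside any subject
        elif line == "}":
            cur = None
        elif parts[0].startswith("/"):    # object: path plus mode letters (may be absent)
            cur["objects"][parts[0]] = parts[1] if len(parts) > 1 else ""
        elif parts[0][0] in "+-":         # capability grant or drop
            cur["caps"].append(parts[0])
        elif parts[0] in ("bind", "connect"):
            cur[parts[0]].append(parts[1:])
        elif parts[0] == "sock_allow_family":
            cur["families"].extend(parts[1:])
        elif parts[0].endswith("_transition_allow"):
            cur["transitions"].append((parts[0], parts[1:]))
    return subjects

def audit(s):
    f = [f"object {p} has no mode letters: no access is granted, check that is intended"
         for p, mode in s["objects"].items() if mode == ""]
    net_off = s["bind"] == [["disabled"]] and s["connect"] == [["disabled"]]
    if "all" in s["families"]:
        f.append("sock_allow_family all " + ("with bind/connect disabled: list only the families needed"
                 if net_off else "with live bind/connect rules: every socket family is open"))
    for rule in s["connect"]:
        if rule != ["disabled"] and ":" not in rule[0]:
            f.append(f"connect {rule[0]} has no port: any port on that range is allowed")
    return f

def audit_policy(text):
    return {f"{s['role']}:{s['path']}": audit(s) for s in parse_policy(text)}
```

Run `audit_policy(open("/etc/grsec/policy").read())` to get a finding list per `role:subject` for a real policy file.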

Re: Issues with and RBAC Policy for Postfix

PostPosted: Wed Jul 22, 2015 7:30 am
by timbgo
I got more 'denied ...' messages from my clever helper grsec:
Code:
Jul 21 20:13:56 gbn kernel: [ 1024.635391] grsec: (root:U:/sbin/macchanger) denied access to hidden file /dev/hwrng by /sbin/macchanger[macchanger:3223] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3214] uid/euid:0/0 gid/egid:0/0

This first one is easily explained (although I don't know what /dev/hwrng is --maybe hardware random number generator?--, as it is not a file that belongs to the complaining package, the macchanger --which I launch after every boot to randomize my MAC numbers; just loving privacy, and learning for full freedom in computing) [This first one is easily explained], here's its policy:
Code:
# Role: root
subject /sbin/macchanger o {
   /            h
   /dev            h
   /dev/hwrng         r
   /dev/random         r
   /etc            h
   /etc/ld.so.cache      r
   /lib64            rx
   /lib64/modules         h
   /sbin            h
   /sbin/macchanger      x
   -CAP_ALL
   +CAP_NET_ADMIN
   +CAP_SYS_MODULE
   bind   0.0.0.0/32:0 dgram ip
   connect   disabled
}


(notice the line with /dev/hwrng now added).

And the next line (gotten at different tries of sending local mail)
Code:
Jul 21 20:24:09 gbn kernel: [ 1638.159838] grsec: (root:U:/usr/libexec/postfix) change to uid 0 denied for /usr/libexec/postfix/local[local:3353] uid/euid:0/207 gid/egid:0/207, parent /usr/libexec/postfix/master[master:2764] uid/euid:0/0 gid/egid:0/0

which resulted in postfix not being able to send local mail, and complaining. And sticking under:
Code:
# Role: postfix
subject /usr/libexec/postfix o {

these:
Code:
user_transition_allow root
group_transition_allow root

solved it. But maybe I should have stuck those two lines under:
Code:
role postfix u
role_allow_ip   0.0.0.0/32

which would cover role postfix entirely.

Haven't yet tested mailing to internet (only the initial couple of mails
yesterday --posting later, but I wrote this on 2015-07-21, at which one day later time I can add that it apparently now, with that added, and for the role, and for the subjects, so in both, and if there is more, also added, [that now apparently] works).
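
To turn lines like the two quoted in this post into something actionable, here is an added example, not part of this thread: a small Python parser for grsec RBAC 'denied' kernel lines that says which subject the denial came from and where a fix would belong. The sample log is constructed from the two lines above, and the uid-to-name map is a constructed assumption.

```python
import re

# Constructed sample: the two 'denied' lines quoted in this post plus an unrelated kernel line.
SAMPLE_LOG = """\
Jul 21 20:13:56 gbn kernel: [ 1024.635391] grsec: (root:U:/sbin/macchanger) denied access to hidden file /dev/hwrng by /sbin/macchanger[macchanger:3223] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3214] uid/euid:0/0 gid/egid:0/0
Jul 21 20:24:09 gbn kernel: [ 1638.159838] grsec: (root:U:/usr/libexec/postfix) change to uid 0 denied for /usr/libexec/postfix/local[local:3353] uid/euid:0/207 gid/egid:0/207, parent /usr/libexec/postfix/master[master:2764] uid/euid:0/0 gid/egid:0/0
Jul 21 20:24:10 gbn kernel: [ 1638.200000] usb 1-1: new high-speed USB device
"""

# Shape of a grsec RBAC audit line: (role:type:subject) <event> by|for exe[comm:pid] ids, parent exe[comm:pid] ids
LINE_RE = re.compile(
    r"grsec: \((?P<role>[^:]+):(?P<rtype>[^:]+):(?P<subject>[^)]+)\) "
    r"(?P<event>.+?) (?:by|for) (?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pexe>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]")
HIDDEN_RE = re.compile(r"denied access to hidden file (\S+)")
UIDCHG_RE = re.compile(r"change to uid (\d+) denied")

# Constructed uid -> name map; on a real host use pwd.getpwuid().
UID_NAMES = {0: "root", 207: "postfix"}

def parse_denials(text):
    """Return one dict per grsec denial line; other kernel lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("pid", "uid", "euid", "gid", "egid", "ppid"):
            d[k] = int(d[k])
        h, u = HIDDEN_RE.search(d["event"]), UIDCHG_RE.search(d["event"])
        if h:
            d["kind"], d["target"] = "hidden_file", h.group(1)
        elif u:
            d["kind"], d["target"] = "uid_transition", int(u.group(1))
        else:
            d["kind"], d["target"] = "other", None
        events.append(d)
    return events

def suggest(d):
    """Where a fix belongs in the policy, should the denied action turn out to be legitimate."""
    where = f"subject {d['subject']} (Role: {d['role']})"
    if d["kind"] == "hidden_file":
        # A parent object with mode 'h' hides the path; add the file with the least mode that works.
        return f"{where}: add object '{d['target']}  r'"
    if d["kind"] == "uid_transition":
        name = UID_NAMES.get(d["target"], f"uid {d['target']}")
        return (f"{where}: add 'user_transition_allow {name}' (and the matching "
                f"group_transition_allow), or place both on the role to cover all its subjects")
    return f"{where}: unclassified event '{d['event']}'"

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(f"{d['kind']:15} {d['exe']}[{d['pid']}] euid={d['euid']} parent={d['pcomm']}")
        print("  ->", suggest(d))
```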

Re: Issues with and RBAC Policy for Postfix

PostPosted: Sun Aug 16, 2015 2:34 pm
by timbgo
A month ago I wrote in this very "RBAC ... for Postfix" topic:

I have just studied:

The grsecurity Wiki
https://en.wikibooks.org/wiki/Grsecurity

for another bout of not so small number of hours (and I'd like to try and finish my today's posting with what amazed me the most. Because, to me, it's pure and sublime intellectual thrills [these] honest and capable, sophisticated and eye-opening, programs which there are a few available in the FOSS world, and among which programs, the grsecurity [including PaX] is the leader in the revealing and in the excellence. I'm reserving my telling to you about what amazed me the most in that wikibook, for the last paragraphs of the few posts that I, hopefully, plan to post today in this topic that I've opened on Grsecurity Forums.)

I'm late with telling what I meant. I work slowly, and get a little overwhelmed and lost at times...

What I meant is, and readers can try and tell if they can guess what I mean first:

Which of the pages of the grsecurity wikibook feels like a spy manual revealed to the understanding public? Which one resembles such a dear and thrilling object, you who read the grsecurity wikibook?

Because the poor users like me, where would I be without the ability to figure out what can be done with my system, if I don't defend it?

And because of such knowledge revealed and offered to the public, I can, I can deploy my Poor Users Security as I like to call my assortment of methods that I use, and I can really have calm time when I venture into the huge open space of the Internet, where octopuses like Google reign, and where every huge state or corporate subject surveils and controls so much on the users they can grab hold on!

Go and read:

The grsecurity Wiki
https://en.wikibooks.org/wiki/Grsecurity

and figure out which of the pages resembles the spybook revealed the most, and only then come back and read on.

Re: Issues with and RBAC Policy for Postfix

PostPosted: Sun Aug 16, 2015 2:51 pm
by timbgo
I'm not a man of many books. But I like to learn well the good books that are dear to me.

And surely grsecurity is one such book...

I'm talking allegorically, the knowledge, the lore that spender and PaX Team give honestly to the public is what I mean by the book in the sentence above.

Surely also the wikibook is an (electronic) incarnation of that lore.

The folks at Gentoo FOSS Linux, which is probably the most advanced in the whole Linuxdom, the versatility of Gentoo surpassing any other of the distros, those folks have not, barring a minority which you always get in any community, objected to my introducing into my signature the links in all my signatures under all my posts in Gentoo Forums. My signature in Gentoo Forums looks like this:

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)

So, now you can see which great chapters in the grsecurity lore look and feel like a spy-book (not the authors-spies' book, but the authors revealing in the book what spies do, or can do, to you), in the electronic "incarnation" of that lore. It is this page:

https://en.wikibooks.org/wiki/Grsecurit ... scriptions

Just read it carefully. And thank the authors who allowed you to protect yourself!

Sorry if there are typos left uncorrected above, my eyes hurt tonight.

Regards!
Miroslav Rovis
http://www.CroatiaFidelis.hr

Re: Issues with and RBAC Policy for Postfix

PostPosted: Sun Oct 25, 2015 12:07 pm
by timbgo
Since a lot of people are reading this, I need to finish what I left unclear.

I wrote in the post before last that I:
Haven't yet tested mailing to internet (only the initial couple of mails
yesterday --posting later, but I wrote this on 2015-07-21, at which one day later time I can add that it apparently now, with that added, and for the role, and for the subjects, so in both, and if there is more, also added, [that now apparently] works.

but it should be said that that policy worked from then on just fine.
You can see that the email (that one described in there or a previous or a later one, can't check, no time):
Fonts not found issue persists in 3.0.5
http://lists.dillo.org/pipermail/dillo- ... 10595.html

and the mails I sent to dillo-dev after that mail (if you look them up by date).

So these policies for postfix should be fine. I'm not fresh to remember about them, as I haven't touched them ever since, I just remember I left this note, until now, unwritten. Done now.

Regards!