pkgsrc-Users archive
Re: postfix 2.5.1 breaks with tls
Hi,
In message <rmiir036zlt.fsf%fnord.ir.bbn.com@localhost>
on Mon, 03 Mar 2008 20:34:54 -0500,
Greg Troxel <gdt%ir.bbn.com@localhost> wrote:
> The problem is tlsmgr failing to create the PRNG exchange file.
>
> Mar 3 20:26:54 foo postfix/tlsmgr[20577]: fatal: tls_prng_exch_open: cannot open PRNG exchange file /var/lib/postfix/prng_exch: Permission denied uid 0 12 0 12 /var/spool/postfix
>
> (I added uid and: uid euid gid egid getcwd.)
I don't know the right solution but tlsmgr(8) says in SECURITY section:
The tlsmgr(8) can be run chrooted and with reduced privileges. At
process startup it connects to the entropy source and exchange file,
and creates or truncates the optional TLS session cache files.
With Postfix version 2.5 and later, the tlsmgr(8) no longer uses root
privileges when opening cache files. These files should now be stored
under the Postfix-owned data_directory. As a migration aid, an attempt
to open a cache file under a non-Postfix directory is redirected to the
Postfix-owned data_directory, and a warning is logged.
And /var/lib/postfix comes from this "data_directory".
% /usr/pkg/sbin/postconf | egrep data_dir
data_directory = /var/lib/postfix
tls_random_exchange_name = ${data_directory}/prng_exch
I don't think /var/lib/postfix is a good default for data_directory;
it should be "/var/run/postfix" or "/var/db/postfix".
> I can't figure out if it's in a chroot - seems not to be in master.cf.
> And I can't figure out how to ktrace an intermediate process.
# ktrace -di -p <qmgr's pid>
is one brute-force method. ;-p
--
Takahiro Kambe <taca%back-street.net@localhost>
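The failure above comes down to whether the directory named by data_directory is owned and writable by the Postfix daemon user, since a 2.5 tlsmgr no longer uses root to create prng_exch there. The script below is an added check written for this page; it is not code from the thread, from pkgsrc or from Postfix. It assumes the usual Postfix setup where mail_owner names the daemon account ("postfix" by default) and reads both values with postconf -h; the function itself only needs a path and an expected owner, so it also runs where Postfix is not installed.

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix itself: check that the
# directory Postfix uses as data_directory exists and is owned and writable
# by the Postfix daemon user, which is what a 2.5 tlsmgr needs in order to
# create ${data_directory}/prng_exch without root privileges.

# check_data_dir DIR USER
# Returns 0 when DIR is a directory owned by USER with the owner write bit
# set; otherwise prints the reason on stderr and returns 1.
check_data_dir() {
    dir=$1
    want=$2

    if [ ! -d "$dir" ]; then
        echo "$dir: missing or not a directory" >&2
        return 1
    fi

    # ls -ld formats the same on NetBSD and Linux (stat(1) does not):
    # field 1 is the mode string, field 3 the owner name.
    listing=$(ls -ld "$dir")
    mode=$(echo "$listing" | awk '{print $1}')
    owner=$(echo "$listing" | awk '{print $3}')

    if [ "$owner" != "$want" ]; then
        echo "$dir: owned by $owner, expected $want" >&2
        return 1
    fi

    # The third character of the mode string is the owner write bit.
    case $mode in
        d?w*) ;;
        *) echo "$dir: owner $owner cannot write ($mode)" >&2; return 1 ;;
    esac

    return 0
}

# On a real Postfix host, read both values from postconf(1) and check them.
# mail_owner is the account the unprivileged daemons run as ("postfix" by
# default, assumed here). Skipped when postconf is not on PATH.
if command -v postconf >/dev/null 2>&1; then
    data_dir=$(postconf -h data_directory)
    mail_owner=$(postconf -h mail_owner)
    if check_data_dir "$data_dir" "$mail_owner"; then
        echo "ok: $data_dir is owned and writable by $mail_owner"
    fi
fi
```

Postfix ships its own version of this check: `postfix check` warns about bad ownership and permissions on all of its directories, and `postfix set-permissions` repairs them. The script above is only useful for confirming that the data_directory chosen by the package is the one at fault before changing the default.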