Bug 694987

Summary: Directory permissions cause sendmail to fail
Product: [Fedora] Fedora
Component: sendmail
Version: 14
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: unspecified
Reporter: Richard Kimberly Heck <rikiheck>
Assignee: Jaroslav Škarvada <jskarvad>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jskarvad, mlichvar
Doc Type: Bug Fix
Last Closed: 2011-04-22 14:59:01 UTC

Description Richard Kimberly Heck 2011-04-09 13:25:55 UTC
After a recent upgrade, I started to get repeated errors of the following sort:

Apr  3 08:56:53 rghquad sendmail[20178]: STARTTLS=client, relay=smtp.comcast.net, version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Apr  3 08:56:53 rghquad sendmail[20178]: error: safesasl(/usr/lib64/sasl2/libsasldb.so) failed: Group writable directory
Apr  3 08:56:53 rghquad sendmail[20178]: error: safesasl(/usr/lib64/sasl2/libcrammd5.so) failed: Group writable directory
Apr  3 08:56:53 rghquad sendmail[20178]: error: safesasl(/usr/lib64/sasl2/liblogin.so) failed: Group writable directory
Apr  3 08:56:53 rghquad sendmail[20178]: error: safesasl(/usr/lib64/sasl2/libdigestmd5.so) failed: Group writable directory
Apr  3 08:56:53 rghquad sendmail[20178]: error: safesasl(/usr/lib64/sasl2/libanonymous.so) failed: Group writable directory
Apr  3 08:56:53 rghquad sendmail[20178]: error: safesasl(/usr/lib64/sasl2/libplain.so) failed: Group writable directory
Apr  3 08:56:53 rghquad sendmail[20178]: p33C5BIE003642: AUTH=client, available mechanisms do not fulfill requirements
Apr  3 08:56:53 rghquad sendmail[20178]: AUTH=client, relay=smtp.comcast.net, temporary failure, connection abort

The reason turns out to be that sendmail wants /usr/lib64/sasl2 AND ALL ITS SUPERDIRECTORIES to be writeable by its owner only. So:
  chmod 755 /usr
  chmod 755 /usr/lib64
  chmod 755 /usr/lib64/sasl2
solves the problem. 

Has there been some change in sendmail's configuration that led to this problem? It seems, as I said, to have arrived with the last update.

[rgheck@rghquad mail]# rpm -q sendmail
sendmail-8.14.4-10.fc14.x86_64

Comment 1 Jaroslav Škarvada 2011-04-21 14:26:32 UTC
I am unable to reproduce. AFAIK nothing related was changed in sendmail:

Changelog between 8.14.4-9 - 8.14.4-10
- fixed m4 ldap routing macro, backported from 8.14.5.Alpha0, (#650366)
- fixed MAXHOSTNAMELEN (#485380)
- updated sendmail.nm-dispatcher script to handle VPN connections (#577540)
- added comments about purpose of files and patches

/usr/lib64/sasl2 shouldn't be group/others writeable; otherwise your installation has been modified somehow. Check:
# rpm -V cyrus-sasl cyrus-sasl-lib

Comment 2 Richard Kimberly Heck 2011-04-21 22:15:28 UTC
I think my problem was that /usr was 0775; I don't remember about /usr/lib64/sasl2 now. Perhaps that is something from way back, but I don't know why I'd just have started seeing that.

Comment 3 Jaroslav Škarvada 2011-04-22 14:59:01 UTC
OK, thanks, by default /usr shouldn't be 0775:
# rpm -V filesystem

It doesn't seem to be sendmail's fault, thus closing. Feel free to reopen if there is more information.
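
The condition discussed in this report, as an added example that is not part of the original bug thread and is not sendmail's own check: a POSIX shell function that walks from a directory up to the root and prints each level whose mode has the group- or other-write bit set. It assumes GNU stat (coreutils, as on Fedora); the function name writable_ancestors is made up for this example.

```shell
#!/bin/sh
# Added example: list every directory on the way to a target that has the
# group- or other-write bit set. This approximates the condition behind the
# "Group writable directory" log lines; it does not reproduce sendmail's code.
# Assumes GNU stat (coreutils). Symlinks in the path are not resolved.

writable_ancestors() {
    dir=$1
    found=1                      # exit status 1 means nothing was flagged
    while :; do
        if [ -d "$dir" ]; then
            mode=$(stat -c '%a' "$dir") || return 2
            # The leading 0 makes the shell read the mode as octal.
            # 022 is the group-write bit plus the other-write bit.
            if [ $(( 0$mode & 022 )) -ne 0 ]; then
                printf '%s %s\n' "$mode" "$dir"
                found=0
            fi
        fi
        # Stop at the filesystem root, or at "." for a relative path.
        [ "$dir" = "/" ] && break
        [ "$dir" = "." ] && break
        dir=$(dirname "$dir")
    done
    return $found
}

# Usage: sh check.sh /usr/lib64/sasl2
if [ $# -gt 0 ]; then
    writable_ancestors "$1"
fi
```

Each output line is the octal mode followed by the directory. A sticky world-writable directory such as /tmp is also listed, since only the write bits are tested.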