Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

MAIL-E-OPENOUT insufficient privilege or file protection violation

 
SOLVED
Go to solution
Maurizio Rondina
Frequent Advisor

MAIL-E-OPENOUT insufficient privilege or file protection violation

From some users, SMTP configuration work well, with other users there is the problem in subject.

The system is an Alphaserver ES40 OpenVms7.3 named A1 with TCPIP v.5.1 eco4, in attachment the SMTP configuration, the UAF configuration, the errors on the SMTP LOG file, the DIR/OWN/PROT output of the SMTP files.
18 REPLIES 18
Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation


I done newer tests, changing the destination domain.


Seem that the problem is related to this:

if SMTP send to a WAN mail domain, such as my domain mauriziorondina.it all go well, instead if SMTP send to a LAN mail domain, the message "insufficient privilege or file protection" appear. Now I think that the problem not depend on OpenVms User Account, and that the error message is unappropriate.

labadie_1
Honored Contributor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

Maurizio

May be not related, but the protection looks wrong for the SMTP directory, as I see

[TCPIP$AUX,TCPIP$BOOTP]
and I suppose it should be
[TCPIP$AUX,TCPIP$SMTP]

can you post a
$ mc authorize sh/bri tcpip$*

and a

$ dir/sec sys$sysdevice:[*]tcpip*.dir
Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation


UAF> sho/bri tcpip$*
Owner Username UIC Account Privs Pri Directory

TCPIP$BIND TCPIP$BIND [3655,5] TCPIP Normal 8 SYS$SPECIFIC:[TCPIP$BIND]
TCPIP$BOOTP TCPIP$BOOTP [3655,1] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$BOOTP]
TCPIP$DHCP TCPIP$DHCP [3655,6] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$DHCP]
TCPIP$FTP TCPIP$FTP [3655,4] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$FTP]
TCPIP$LPD TCPIP$LPD [3655,5] TCPIP Normal 8 SYS$SPECIFIC:[TCPIP$LPD]
TCPIP$NFS TCPIP$NFS [3655,7] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$NFS]
TCPIP$PCNFS TCPIP$PCNFS [3655,11] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$PCNFS]
TCPIP$PORTM TCPIP$PORTM [3655,10] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$PORTM]
TCPIP$REXEC TCPIP$REXEC [3655,12] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$REXEC]
TCPIP$RSH TCPIP$RSH [3655,2] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$RSH]
TCPIP$SMTP TCPIP$SMTP [3655,13] TCPIP Normal 8 SYS$SPECIFIC:[TCPIP$SMTP]
TCPIP$SNMP TCPIP$SNMP [3655,4] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$SNMP]


Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

$ dir/sec sys$sysdevice:[*]tcpip*.dir

Directory SYS$SYSDEVICE:[SYS0]

TCPIP$BIND.DIR;1 [TCPIP$AUX,TCPIP$BIND] (RWE,RWE,RE,E)
TCPIP$ETC.DIR;1 [1,1] (RWE,RWE,RE,RE)
TCPIP$LPD.DIR;1 [TCPIP$AUX,TCPIP$LPD] (RWE,RWE,RE,E)
TCPIP$SMTP.DIR;1 [TCPIP$AUX,TCPIP$BOOTP] (RWE,RWE,RE,E)

Total of 4 files.

Directory SYS$SYSDEVICE:[VMS$COMMON]

TCPIP$LIB.DIR;1 [SYSTEM] (RWE,RWE,RE,RE)

Total of 1 file.

Grand total of 2 directories, 5 files.
labadie_1
Honored Contributor
Solution

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

As TCPIP$BOOTP has the UIC [3655,1] and
TCPIP$SMTP has [3655,13], you should issue

$ set file sys$sysdevice:[sys0]tcpip$smtp.dir/own=[3655,13]

$ set file sys$sysdevice:[sys0.tcpip$smtp]*.*;*/own=[3655,13]

and then stop and start SMTP and Mail.

You will notice that your files have RE (read and execute) for the group, not write.
The Brit
Honored Contributor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

Could it be that the TCPIP$SMTP directory and its contents are owned by TCPIP$BOOTP.

All though the TCPIP accounts are normally in the same UIC group, there is no WRITE access for the group, in the prot string.

I know that your account has BYPASS, but I think this is not being accessed by the user, but by the SMTP process.

I had a similar problem with NTP not being able to start because the root directory was owned by a different TCPIP account.

HTH

Dave.
Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

Labadie,

Now i gave the following commands

set file /own=[TCPIP$AUX,TCPIP$SMTP] sys$specific:[000000]tcpip$smtp.dir

and

set file /own=[TCPIP$AUX,TCPIP$SMTP] sys$specific:[tcpip$smtp]*.*;*

and now also the LAN mail domain recipient, haven't problems.

Isnâ t clearly if there was a Internet mail domain problem or a OpenVms protection problem. Why before to set the correct owner, the mail to WAN recipients go well?

Tomorrow should start the automated weekly e-mail from E$USER1 and i will see if it work fine. Then i will inform you if all go well.
Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

to The Brit (HTH Dave),

Very strange that the SMTP activation wizard of TCPIP$CONFIG, set the TCPIP$SMTP_COMMON directory and his content with TCPIP$BOOTP owner. BOOTP service never enabled on this system; seems that the TCPIP owners are set randomly.

And strange that with a similar protection problem, mail to LAN mail domain, go well.
Steve Reece_3
Trusted Contributor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

Random ownership of TCP/IP accounts can happen when a SYSUAF and RIGHTSLIST pair get copied from an old system to a new one when the order of setting up TCP/IP Services has been different between the two systems. E.g. I buld a new server to take over from the old one, I configure all of the networking services, then copy the SYSUAF and RIGHTSLIST from the old system to the new one so that all of the user accounts come over.
The correct way to do this is to merge the files rather than copy one over the other.

Steve
The Brit
Honored Contributor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

Maurizio,
I think if you set the ownership on the files to the correct owner then it might work.

$ set file /owner=TCPIP$SMTP SYS$SPECIFIC:[000000]TCPIP$SMTP.DIR
$ set file /owner=TCPIP$SMTP SYS$SPECIFIC:[TCPIP$SMTP...]*.*.*

Should do it.

Dave.

Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

Dave,

after the set file /own command i gave last thursday, i solved the error message on the subject of this discussion.

But there are still problems due to network LAN infrastructure.

If users send out to an external mail domain eg. "mauriziorondina.it" all go well, if they send to the customer domain "custom.it" on the TCPIP$SMTP_LOGFILE.COM appear the following errors:
554 %TCPIP-E-SMTP_XFAIL, remote transaction failure, custom.it
550 %TCPIP-E-SMTP_NOSUCHUSER, no such user, SMTP%"postmaster@custom.it"

So i changed the "MAIL FROM" and "from:" parameters on the smtp message, and now mails seem go well, both in internal and external mail domain.

Strange that there are differences between "custom.it" and other domains, but this workaround seems good.
Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

sometimes sending to the mailboxes at the customer domain "custom.it" the mails still aren't received.

In these cases on the TCPIP$SMTP_LOGFILE.COM appear the following error:
554 %TCPIP-E-SMTP_XFAIL, remote transaction failure, custom.it

Other times mails to "custom.it" domain, goes well.
Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

I traced the smtp operations with

define/system tcpip$smtp_symb_trace 1
TCPIP STOP MAIL
WAIT 00:01:00
TCPIP START MAIL

sended a new mail

TCPIP STOP MAIL
WAIT 00:01:00
TCPIP START MAIL

In the cases when mails go wrong on TCPIP$SMTP_COMMON:TCPIP$SMTP_LOGFILE.LOG;-1

the last lines of the message are

recv buf=554 Transaction Failed Spam Message not queued.\d\a
send buf=QUIT\d\a
recv buf=221 Service closing transmission channel closing connection\d\a
554 %TCPIP-E-SMTP_XFAIL, remote transaction failure, custom.it

Now i ask to the administrator of mx.custom.it to leave free, the public ip of my alphaserver from his antispam filter
Hoff
Honored Contributor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

Sounds like your DNS is messed up.
Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

Hoff,

wasn't a DNS problem, only a mail server anti-spam problem for mail domain "custom.it".
Now is all ok.

Thanks.
Hoff
Honored Contributor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

One of the usual triggers for detecting spam is bogus DNS; that the sending host lacks a valid and matching reverse DNS, for instance.
Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

Ok, but i haven't changed nothing on OpenVms's DNS and all go well. The problem was on external mail server that manage "custom.it" domain. That administrators made the change of their antispam configuration, and now is all good.
Maurizio Rondina
Frequent Advisor

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

See my last replies, on the discussion.