Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

Maurizio Rondina · ‎04-08-2010

From some users, SMTP configuration work well, with other users there is the problem in subject.

The system is an Alphaserver ES40 OpenVms7.3 named A1 with TCPIP v.5.1 eco4, in attachment the SMTP configuration, the UAF configuration, the errors on the SMTP LOG file, the DIR/OWN/PROT output of the SMTP files.

Maurizio Rondina · ‎04-08-2010

I done newer tests, changing the destination domain.

Seem that the problem is related to this:

if SMTP send to a WAN mail domain, such as my domain mauriziorondina.it all go well, instead if SMTP send to a LAN mail domain, the message "insufficient privilege or file protection" appear. Now I think that the problem not depend on OpenVms User Account, and that the error message is unappropriate.

labadie_1 · ‎04-08-2010

Maurizio

May be not related, but the protection looks wrong for the SMTP directory, as I see

[TCPIP$AUX,TCPIP$BOOTP]
and I suppose it should be
[TCPIP$AUX,TCPIP$SMTP]

can you post a
$ mc authorize sh/bri tcpip$*

and a

$ dir/sec sys$sysdevice:[*]tcpip*.dir

Maurizio Rondina · ‎04-08-2010

UAF> sho/bri tcpip$*
Owner Username UIC Account Privs Pri Directory

TCPIP$BIND TCPIP$BIND [3655,5] TCPIP Normal 8 SYS$SPECIFIC:[TCPIP$BIND]
TCPIP$BOOTP TCPIP$BOOTP [3655,1] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$BOOTP]
TCPIP$DHCP TCPIP$DHCP [3655,6] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$DHCP]
TCPIP$FTP TCPIP$FTP [3655,4] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$FTP]
TCPIP$LPD TCPIP$LPD [3655,5] TCPIP Normal 8 SYS$SPECIFIC:[TCPIP$LPD]
TCPIP$NFS TCPIP$NFS [3655,7] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$NFS]
TCPIP$PCNFS TCPIP$PCNFS [3655,11] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$PCNFS]
TCPIP$PORTM TCPIP$PORTM [3655,10] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$PORTM]
TCPIP$REXEC TCPIP$REXEC [3655,12] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$REXEC]
TCPIP$RSH TCPIP$RSH [3655,2] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$RSH]
TCPIP$SMTP TCPIP$SMTP [3655,13] TCPIP Normal 8 SYS$SPECIFIC:[TCPIP$SMTP]
TCPIP$SNMP TCPIP$SNMP [3655,4] TCPIP Normal 8 SYS$SYSDEVICE:[TCPIP$SNMP]

Maurizio Rondina · ‎04-08-2010

$ dir/sec sys$sysdevice:[*]tcpip*.dir

Directory SYS$SYSDEVICE:[SYS0]

TCPIP$BIND.DIR;1 [TCPIP$AUX,TCPIP$BIND] (RWE,RWE,RE,E)
TCPIP$ETC.DIR;1 [1,1] (RWE,RWE,RE,RE)
TCPIP$LPD.DIR;1 [TCPIP$AUX,TCPIP$LPD] (RWE,RWE,RE,E)
TCPIP$SMTP.DIR;1 [TCPIP$AUX,TCPIP$BOOTP] (RWE,RWE,RE,E)

Total of 4 files.

Directory SYS$SYSDEVICE:[VMS$COMMON]

TCPIP$LIB.DIR;1 [SYSTEM] (RWE,RWE,RE,RE)

Total of 1 file.

Grand total of 2 directories, 5 files.

labadie_1 · ‎04-08-2010

As TCPIP$BOOTP has the UIC [3655,1] and
TCPIP$SMTP has [3655,13], you should issue

$ set file sys$sysdevice:[sys0]tcpip$smtp.dir/own=[3655,13]

$ set file sys$sysdevice:[sys0.tcpip$smtp]*.*;*/own=[3655,13]

and then stop and start SMTP and Mail.

You will notice that your files have RE (read and execute) for the group, not write.

The Brit · ‎04-08-2010

Could it be that the TCPIP$SMTP directory and its contents are owned by TCPIP$BOOTP.

All though the TCPIP accounts are normally in the same UIC group, there is no WRITE access for the group, in the prot string.

I know that your account has BYPASS, but I think this is not being accessed by the user, but by the SMTP process.

I had a similar problem with NTP not being able to start because the root directory was owned by a different TCPIP account.

HTH

Dave.

Maurizio Rondina · ‎04-08-2010

Labadie,

Now i gave the following commands

set file /own=[TCPIP$AUX,TCPIP$SMTP] sys$specific:[000000]tcpip$smtp.dir

and

set file /own=[TCPIP$AUX,TCPIP$SMTP] sys$specific:[tcpip$smtp]*.*;*

and now also the LAN mail domain recipient, haven't problems.

Isnâ t clearly if there was a Internet mail domain problem or a OpenVms protection problem. Why before to set the correct owner, the mail to WAN recipients go well?

Tomorrow should start the automated weekly e-mail from E$USER1 and i will see if it work fine. Then i will inform you if all go well.

Maurizio Rondina · ‎04-08-2010

to The Brit (HTH Dave),

Very strange that the SMTP activation wizard of TCPIP$CONFIG, set the TCPIP$SMTP_COMMON directory and his content with TCPIP$BOOTP owner. BOOTP service never enabled on this system; seems that the TCPIP owners are set randomly.

And strange that with a similar protection problem, mail to LAN mail domain, go well.

Steve Reece_3 · ‎04-08-2010

Random ownership of TCP/IP accounts can happen when a SYSUAF and RIGHTSLIST pair get copied from an old system to a new one when the order of setting up TCP/IP Services has been different between the two systems. E.g. I buld a new server to take over from the old one, I configure all of the networking services, then copy the SYSUAF and RIGHTSLIST from the old system to the new one so that all of the user accounts come over.
The correct way to do this is to merge the files rather than copy one over the other.

Steve

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: MAIL-E-OPENOUT insufficient privilege or file protection violation

MAIL-E-OPENOUT insufficient privilege or file protection violation