# Sendmail - OTP unavailable



## fullauto2012 (Dec 17, 2017)

Getting a TON of these in /var/log/messages

```
Dec 17 13:32:58 kif sendmail[95760]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
```

I'm reluctant to change anything like /etc/opiekeys file permissions seeing as I'm not too familiar with sendmail yet, and I have found little in the way of information on what this actually does, or how to fix it.

I was always under the impression that sendmail ran as root, so I'm unclear how 600 permissions on the file in question could be a problem. But, seeing as how there clearly is a permissions issue, how do I find out what account sendmail is running as also?


```
Tim@kif:/etc->uname -a
FreeBSD kif 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
```


```
Tim@kif:/etc/mail->cat kif.mc
divert(-1)
<edited out comments>
divert(0)
VERSIONID(`$FreeBSD: releng/11.1/etc/sendmail/freebsd.mc 285230 2015-07-07 03:00:57Z gshapiro $')
OSTYPE(freebsd6)
DOMAIN(generic)

FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
FEATURE(virtusertable, `hash -o /etc/mail/virtusertable')

MASQUERADE_AS(XXX.XXX)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(XXX.XXX)dnl

dnl Enable STARTTLS for receiving email.
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confSERVER_CERT', `CERT_DIR/host.cert')dnl
define(`confSERVER_KEY', `CERT_DIR/host.key')dnl
define(`confCLIENT_CERT', `CERT_DIR/host.cert')dnl
define(`confCLIENT_KEY', `CERT_DIR/host.key')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl

define(`confAUTH_MECHANISMS',`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN');
define(`confAUTH_OPTIONS',`p,y')

dnl Uncomment to allow relaying based on your MX records.
dnl NOTE: This can allow sites to use your server as a backup MX without
dnl       your permission.
dnl FEATURE(relay_based_on_MX)

dnl DNS based black hole lists
dnl --------------------------------
dnl DNS based black hole lists come and go on a regular basis
dnl so this file will not serve as a database of the available servers.
dnl For more information, visit
dnl http://en.wikipedia.org/wiki/DNSBL

dnl Uncomment to activate your chosen DNS based blacklist
dnl FEATURE(dnsbl, `dnsbl.example.com')
dnl Alternatively, you can provide your own server and rejection message:
dnl FEATURE(dnsbl, `dnsbl.example.com', ``"550 Mail from " $&{client_addr} " rejected"'')

dnl Dialup users should uncomment and define this appropriately
dnl define(`SMART_HOST', `your.isp.mail.server')

dnl Uncomment the first line to change the location of the default
dnl /etc/mail/local-host-names and comment out the second line.
dnl define(`confCW_FILE', `-o /etc/mail/sendmail.cw')
define(`confCW_FILE', `-o /etc/mail/local-host-names')

dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet')
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Modifiers=O')

define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
MAILER(local)
MAILER(smtp)
```


```
Tim@kif:/etc->ls -la | grep keys
-rw-------   1 root  wheel         0 Dec  7 20:24 opiekeys
```


----------



## fullauto2012 (Dec 17, 2017)

OK. I did some reading and figured out what opie passwords are, and that they are to be used by people forced to log in from insecure locations. I created a random user, created an opie password, and successfully logged into my system from a remote (insecure) location. However, I still don't have the foggiest clue why sendmail would be pitch errors about this.

Any ideas?


----------

