MSMTPQ: works only from root user

Colleagues, please tell me what I'm doing wrong.

I have an OrangePI with Asterisk. When it receives an SMS from GSM, it must send it via e-mail. The msmtp package is installed for this purpose. To ensure that messages are not lost when communication with the mail server is interrupted, the msmtpq wrapper is used.
The script that generates letters is launched from the Asterisk dialplan using the System command. Of course, this comes from user asterisk:asterisk.

When I wrote and debugged these scripts, I ran them as root. Everything worked very well.
When the same scripts are launched from the asterisk user, msmtpq writes that it cannot connect to the mail server and places the letters in the outgoing queue.

2024 20 Mar 22:47:12 : mail for [ --debug --logfile=/tmp/msmtp.log -C/etc/msmtprc -a sms sms@mailhost.net ] : couldn't be sent - host not connected
2024 20 Mar 22:47:12 : enqueued mail as : [ 2024-03-20-22.47.12 ] ( --debug --logfile=/tmp/msmtp.log -C/etc/msmtprc -a sms sms@mailhost.net ) : successful

If I run this script with the same parameters as the root user, then the entire queue immediately goes to the mail server.

Mar 21 00:38:53 host=192.168.1.10 tls=on auth=off from=sms@gsm.mailhost.net recipients=sms@mailhost.net mailsize=256 smtpstatus=250 smtpmsg='250 2.0.0 42KLcrwM016542 Message accepted for delivery' exitcode=EX_OK
2024 21 Mar 00:38:53 : mail for [ --debug --logfile=/tmp/msmtp.log -C/etc/msmtprc -a sms sms@mailhost.net ] : send was successful

Where do I lack rights? How can I see this?

Ogogon.

It is uncommon to have anything other than a root user on OpenWrt. Have you installed and configured additional users?

What is the output of

ubus call system board

If you install the Asterisk package, you will see that it is launched from the user asterisk:asterisk, who was created when installing the package. Therefore, the user was created not by me, but by opkg.

root@GSM.mailhost.net:~$ ubus call system board
{
	"kernel": "5.15.134",
	"hostname": "GSM.mailhost.net",
	"system": "ARMv7 Processor rev 5 (v7l)",
	"model": "Xunlong Orange Pi PC",
	"board_name": "xunlong,orangepi-pc",
	"rootfs_type": "ext4",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.0",
		"revision": "r23497-6637af95aa",
		"target": "sunxi/cortexa7",
		"description": "OpenWrt 23.05.0 r23497-6637af95aa"
	}
}
root@GSM.mailhost.net:~$ 

I don't use Asterisk, but I installed it on a dev box and it installs with ownership root:root

root@OpenWrt:/usr/sbin# ls -al asterisk 
-rwxr-xr-x    1 root     root       2153355 Jan  5 19:05 asterisk

Obviously I can't launch it because I don't have a config file or the requisite telephony services to connect to the asterisk installation, but the file itself seems to be root owned. Do you see the same?

I have a similar file, but it is launched from its own user.

Mem: 79476K used, 947424K free, 1128K shrd, 1812K buff, 31404K cached
CPU:   0% usr   0% sys   0% nic  99% idle   0% io   0% irq   0% sirq
Load average: 0.00 0.00 0.00 3/139 5639
  PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
 3486     1 asterisk S    48820   5%   0% /usr/sbin/asterisk -U asterisk -f
 5639  4930 root     R     1116   0%   0% top

By the way, it should start on default settings.

Who owns the actual file in /usr/sbin?

Owner of binary file is root:root. But after the start, it changes the user. ("-U asterisk")

The question arises, why does Asterisk open sockets and establish connections from its user, but msmtpq cannot?

I don’t use these packages, so I can’t help there. Sorry.

It's a shame, but thank you very much anyway. I hope someone can advise...

You need to install sudo and configure user asterisk as a sudo user.
Then use sudo in your scripts to call msmtpq.

Thank you. I never delved into the logic of how sudo works, I only used it for the "sudo su" command. It's time to get into it.
Why is this necessary? What mechanism prevents the mail client from being launched as a non-root user? Is it a firewall, security settings?

Usually it is the package itself. The mail client runs as root and asterisk runs as its own user, so you need sudo for asterisk to talk to msmtp/msmtpq.
It is nothing to do with the firewall, it is purely access rights for one user to another.

Some packages have a config setting to "change user" on startup, others do not.

The msmtp packages might, I do not recall.

Thank you. I installed sudo and configured sudoers for the asterisk user to allow sudo without entering a password.
I believe that from a security point of view the solution is not very correct, but everything worked.

However, I can't understand an important point. Why does msmtpq only want to work with the root user?

Here are the executable files of this package, they can be launched not only by the user, but also by the group and others.

root@OpenWrt:/usr/bin$ ls -al msmtp*
-rwxr-xr-x    1 root     root         98303 Sep 22  2023 msmtp
-rwxr-xr-x    1 root     root          1080 Sep 22  2023 msmtp-enqueue.sh
-rwxr-xr-x    1 root     root           175 Sep 22  2023 msmtp-listqueue.sh
-rwxr-xr-x    1 root     root          1003 Sep 22  2023 msmtp-queue
-rwxr-xr-x    1 root     root          1484 Sep 22  2023 msmtp-runqueue.sh
-rwxr-xr-x    1 root     root         24244 Sep 22  2023 msmtpq
root@OpenWrt:/usr/bin$ 

The wrapper scripts of this package provide work with the home directory by user name.

In theory, the msmtp package, like any email client, should work with all users present in the system.
Perhaps there is some kind of bug here. When porting to OpenWRT, we checked the package's operation only with the root user.
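
On the concern in the post above about passwordless sudo, an added example that is not part of the thread: a sudoers rule scoped to the single command the dialplan script needs. The broad rule shown commented out is an assumption (the post does not show the actual sudoers entry), the drop-in file name is hypothetical, and the binary path and argument list are taken from the ls output and msmtpq log lines on this page.

```sudoers
# /etc/sudoers.d/asterisk-msmtpq   (hypothetical file name)

# Broad form (assumed, not shown in the thread): the asterisk user may run
# any command as any user without a password. A compromise of the Asterisk
# process then becomes a root compromise of the whole device.
# asterisk ALL=(ALL) NOPASSWD: ALL

# Scoped form: the asterisk user may run only msmtpq, only as root, and only
# with the exact argument list seen in the msmtpq log on this page. When
# arguments are listed in a sudoers rule, sudo refuses any other arguments,
# so the caller cannot point -C or --logfile at a different file.
# In sudoers command arguments the characters ',' ':' '=' and '\' must be
# escaped with a backslash, hence "--logfile\=".
asterisk ALL=(root) NOPASSWD: /usr/bin/msmtpq --debug --logfile\=/tmp/msmtp.log -C/etc/msmtprc -a sms sms@mailhost.net
```

The file can be syntax-checked with `visudo -c -f` before it is relied on, and the script must then call sudo with exactly this command line.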

Strictly speaking msmtp is not an email client. It is an smtp forwarder designed to run on routers or IoT devices. On OpenWrt it is designed for the router itself to be able to send emails using an outside smtp server.

OpenWrt by default has only the root user. Only when an OpenWrt hosted service is accessible from outside the router is another user needed for security. Asterisk is accessed by external entities, as are web servers like lighttpd, apache, nginx, etc., and all of these use their own "user" when running.

The msmtp package, though, is not a server; it is just an executable that acts as a forwarder for sending emails.