On Thu, Jul 23, 2020 at 07:17:19PM -0500, Matt Saladna wrote:

> Bit of a pickle here with systemd in CentOS 8. Certain protective
> directives, such as DynamicUser= or PrivateDevices=yes, implicitly set
> NoNewPrivileges=true (systemd/systemd #12476). In turn that's blocking
> setgid with /usr/sbin/postdrop. postdrop hangs indefinitely, unable to
> send its input to Postfix. As an example on CentOS 8 this breaks,

Local mail submission via sendmail(1) *requires* that postdrop(1) be able
to run setgid. If you're going to prevent that, then you need to submit
email via some other interface, e.g. a sendmail(1) replacement that
submits email via SMTP. This means that some email may be lost when the
SMTP server is down, but if that's acceptable, then that's the way to go.

> What's an appropriate workaround for this? Add postdrop to the list of
> SupplementaryGroups= for the service,

No.

> open world write access for /var/spool/postfix/maildrop,

No.

> or is there a better route? It's a PHP-FPM pool, which I'd like to
> tamp down as much as possible.

Replace local submission with some IPC-based mechanism, e.g. SMTP.

--
Viktor.
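As an added check (example code written for this thread, not Viktor's, Postfix's or systemd's), here is a small Python scanner that reads a unit file and flags the [Service] directives that will leave a setgid helper such as postdrop(1) unable to gain its group. DynamicUser= and PrivateDevices= are the two named above; the remaining entries in the list are from systemd.exec(5) as I recall it, so treat them as an assumption to confirm against your systemd release, and the PHP-FPM unit is a constructed sample.

```python
# Directives that imply NoNewPrivileges=yes when set (systemd.exec(5)).
# DynamicUser= and PrivateDevices= come from the thread; the rest are an
# assumption taken from the manual page and should be checked per release.
IMPLIES_NNP = {
    "DynamicUser", "PrivateDevices", "LockPersonality",
    "MemoryDenyWriteExecute", "ProtectKernelModules", "ProtectKernelTunables",
    "RestrictAddressFamilies", "RestrictNamespaces", "RestrictRealtime",
    "RestrictSUIDSGID", "SystemCallArchitectures", "SystemCallFilter",
}
TRUE_VALUES = {"yes", "true", "1", "on"}
# An empty value resets a list-valued directive, so it implies nothing.
FALSE_VALUES = {"", "no", "false", "0", "off"}


def parse_service_section(unit_text):
    """Return [Service] key=value pairs (last assignment wins); other sections ignored."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def setgid_blockers(unit_text):
    """Directives in the unit under which a setgid postdrop(1) will not gain its group."""
    settings = parse_service_section(unit_text)
    blockers = []
    if settings.get("NoNewPrivileges", "").lower() in TRUE_VALUES:
        blockers.append("NoNewPrivileges")
    for key in sorted(IMPLIES_NNP):
        # NoNewPrivileges=no does not undo what these directives imply.
        value = settings.get(key)
        if value is not None and value.lower() not in FALSE_VALUES:
            blockers.append(key)
    return blockers


# Constructed sample: a hardened PHP-FPM pool like the one in the thread.
PHP_FPM_UNIT = """\
[Unit]
Description=constructed PHP-FPM pool unit (sample only)

[Service]
ExecStart=/usr/sbin/php-fpm --nodaemonize
DynamicUser=yes
PrivateDevices=yes
ProtectSystem=strict
NoNewPrivileges=no
"""

if __name__ == "__main__":
    print(setgid_blockers(PHP_FPM_UNIT))  # ['DynamicUser', 'PrivateDevices']
```

A non-empty result means sendmail(1)-style local submission from that service will fail, and the service should submit over SMTP instead, as Viktor recommends.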