On a new, from-distro-pkgs install of Postfix, I've noted an intermittent perms problem.

It'll run just fine for quite a while, then I start seeing a steady stream of

...
Oct 28 15:02:40 svr019 postfix/postdrop[64624]: warning: mail_queue_enter: create file maildrop/553726.64624: Permission denied
Oct 28 15:02:45 svr019 postfix/postdrop[32688]: warning: mail_queue_enter: create file maildrop/766615.32688: Permission denied
...

I don't intentionally/explicitly 'do' anything with maildrop/postdrop, and am not yet sure what triggers the problem.

spool/queue perms are an obvious 1st suspect ...

as installed, atm, I've

ls -al /var/spool/postfix/
total 64K
drwxr-xr-x 16 root    root     4.0K Aug 31 02:52 ./
drwxr-xr-x 14 root    root     4.0K Oct 25 19:05 ../
drwx------  2 postfix root     4.0K Oct 28 07:51 active/
drwx------  2 postfix root     4.0K Oct 26 16:43 bounce/
drwx------  2 postfix root     4.0K Aug 31 02:52 corrupt/
drwx------ 18 postfix root     4.0K Sep  1 15:35 defer/
drwx------ 18 postfix root     4.0K Sep  1 15:35 deferred/
drwx------  2 postfix root     4.0K Aug 31 02:52 flush/
drwx------  2 postfix root     4.0K Aug 31 02:52 hold/
drwx------  2 postfix root     4.0K Oct 28 08:00 incoming/
drwx-wx---  2 postfix postdrop 4.0K Oct 27 17:00 maildrop/
drwxr-xr-x  2 root    root     4.0K Oct 28 08:04 pid/
drwx------  2 postfix root     4.0K Oct 28 08:04 private/
drwx--x---  2 postfix postdrop 4.0K Oct 28 08:04 public/
drwx------  2 postfix root     4.0K Aug 31 02:52 saved/
drwx------  2 postfix root     4.0K Oct 17 04:54 trace/

ls -al `which postfix` `which postqueue`
-rwxr-xr-x 1 root root     21K Aug 31 02:52 /usr/sbin/postfix*
-rwxr-sr-x 1 root postdrop 25K Aug 31 02:52 /usr/sbin/postqueue*

I'm mostly sure (still checking) that my 'culprit' is an overly aggressive 'pflogsumm.service'; changing,

  [Unit]
  Description=Daily pflogsumm report

  [Service]
  Type=oneshot
  ExecStart=/usr/local/etc/postfix/scripts/pflogsumm-report.sh
  KillMode=process
  LockPersonality=yes
  MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes
+ NoNewPrivileges=no
  PrivateDevices=yes
  PrivateTmp=yes
  ProtectControlGroups=yes
  ProtectHome=yes
  ProtectKernelLogs=yes
  ProtectKernelModules=yes
  ProtectKernelTunables=yes
  ProtectSystem=strict
  ReadWritePaths=/var/spool/postfix/
  RestrictNamespaces=yes
  RestrictRealtime=yes

seems to do the trick; at least, I've not seen the log perm errors since I made the change; _do_ need to watch for a bit.

I'd cribbed the .service from posts online, so don't have full confidence in the hardening settings yet.

Is there, generally, any expected harm/risk to a Postfix setup's security/perms model with that^ change,

- NoNewPrivileges=yes
+ NoNewPrivileges=no

that should better be handled in Postfix configs?
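
Review bot: the NoNewPrivileges line needs a comment in the unit saying why it is set to no, because the reason is not obvious from the unit alone. With NoNewPrivileges=yes the kernel ignores set-uid and set-gid bits on exec for every process started from the unit, so a submission helper that depends on gaining the postdrop group cannot create files in maildrop/ (listed above as drwx-wx--- postfix postdrop; /usr/sbin/postqueue is listed as -rwxr-sr-x root postdrop), which matches the "Permission denied" warnings from postfix/postdrop. Flipping it to no gives up that one protection for this unit only and leaves the spool modes and Postfix's own permission checks as they are. If the report script (not shown here) hands its mail to Postfix through the set-gid submission path, an alternative that keeps NoNewPrivileges=yes is to have it deliver over SMTP to the local server instead.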