On 10/28/20 10:00 AM, Viktor Dukhovni wrote:
On Wed, Oct 28, 2020 at 09:01:38AM -0700, PGNet Dev wrote:

        Oct 28 15:02:40 svr019 postfix/postdrop[64624]: warning: mail_queue_enter: create file maildrop/553726.64624: Permission denied
        Oct 28 15:02:45 svr019 postfix/postdrop[32688]: warning: mail_queue_enter: create file maildrop/766615.32688: Permission denied

Barring interference from SELinux or AppArmor,

neither in-place/enabled here atm

... this should not
happen unless file permissions change.  Correct file permissions are set
via "postfix set-permissions" (at package install time)

yup.  and, also tried re-exec'ing here.  so far, no curative effect by itself.

and should not change thereafter.

that's what i've always seen to date.  and why i suspect it's something _else_ 
i've done that's monkeying with it.

For reference, on my system:

     $ postconf setgid_group
     setgid_group = maildrop
     $ ls -ld /var/spool/postfix/maildrop
     drwx-wx---  2 postfix  maildrop  2 Oct 28 12:52 /var/spool/postfix/maildrop
     $ ls -l /usr/local/sbin/postdrop
     -rwxr-sr-x  1 root  maildrop  41656 Oct 25 03:44 /usr/local/sbin/postdrop

here (fwiw, this is Fedora32-packaged Postfix et al), minor diff

  postconf setgid_group
!!  setgid_group = postdrop

  ls -ld /var/spool/postfix/maildrop
    drwx-wx--- 2 postfix postdrop 4.0K Oct 28 08:45 /var/spool/postfix/maildrop/

  ls -l `which postdrop`
    -rwxr-sr-x 1 root postdrop 25K Aug 31 02:52 /usr/sbin/postdrop*

Provided that setgid bit and group of the postdrop executable
allows it to write to /var/spool/postfix/maildrop, and all
parent directories have "x" for all users, all should work.

If /, /var, /var/spool, /var/spool/postfix are not world-accessible
(x bit for "other"), or if /var/spool/maildrop is not group-wx, or
postdrop is not setgid, or has the wrong group, then things don't
work.

as set by a relatively new install -- i.e., _not_ manually by me,

  ls -ald / /var /var/spool /var/spool/postfix
    dr-xr-xr-x. 22 root root 4.0K Sep  6 10:59 //
    drwxr-xr-x. 21 root root 4.0K Oct 27 20:36 /var/
    drwxr-xr-x  14 root root 4.0K Oct 25 19:05 /var/spool/
    drwxr-xr-x  16 root root 4.0K Aug 31 02:52 /var/spool/postfix/

so far, on this install, 'everything works' ... except for the eventual/random 
appearance of those^ complaints.

after changing that NoNewPerms bit in the pflogsumm.sh, I'm seeing no further 
errors.
now that I've clearly jinxed it ... i'll keep watch some more.
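
The conditions listed in the thread can be checked with a short script; this is an added example, not part of either poster's message and not Postfix's own tooling. It assumes GNU stat and Linux's /proc, the function names are hypothetical, and reading "NoNewPerms" as the kernel's no_new_privs flag (systemd's NoNewPrivileges=) is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread. Needs GNU stat (Linux).
# Each check prints what is wrong and returns non-zero if a condition fails.

mode_of()  { stat -c %a "$1"; }   # octal mode, e.g. 2755
group_of() { stat -c %G "$1"; }   # owning group name
# has_bits PATH MASK: true when every bit of octal MASK is set on PATH
has_bits() { [ $(( 0$(mode_of "$1") & $2 )) -eq $(( $2 )) ]; }

# Every directory above DIR, up to TOP (default /), needs "x" for other.
check_parents() (
    dir=$(dirname "$1"); top=${2:-/}; rc=0
    while :; do
        has_bits "$dir" 01 || { echo "no o+x: $dir"; rc=1; }
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    exit "$rc"
)

# The queue's maildrop directory must belong to GROUP and be group-wx.
check_maildrop() (
    rc=0
    [ "$(group_of "$1")" = "$2" ] || { echo "$1: group is not $2"; rc=1; }
    has_bits "$1" 030 || { echo "$1: not group-wx"; rc=1; }
    exit "$rc"
)

# The postdrop binary must belong to GROUP and carry the setgid bit.
check_postdrop() (
    rc=0
    [ "$(group_of "$1")" = "$2" ] || { echo "$1: group is not $2"; rc=1; }
    has_bits "$1" 02000 || { echo "$1: not setgid"; rc=1; }
    exit "$rc"
)

# With no_new_privs set on the caller, exec of a setgid binary gains no group.
# Assumption: this is the flag meant by the "NoNewPerms bit" above.
caller_has_nnp() { grep -q '^NoNewPrivs:[[:space:]]*1' "${1:-/proc/self/status}"; }

if [ "${1:-}" = audit ]; then   # run as: sh check.sh audit
    grp=$(postconf -h setgid_group)
    qdir=$(postconf -h queue_directory)/maildrop
    check_parents "$qdir"; check_maildrop "$qdir" "$grp"
    check_postdrop "$(command -v postdrop)" "$grp"
    if caller_has_nnp; then echo "caller has no_new_privs: setgid is ignored"; fi
fi
```

Run the audit from the same context that produces the warnings (for example inside the service or timer unit that invokes the reporting script), since no_new_privs is a property of the calling process, not of the files.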
