On 03.01.2018 18:14, Tony wrote:
I downgraded dovecot to 2.2.33.2 and pigeonhole 0.4.21 and can confirm the reported problem does not exist with "permission denied" and sendmail getting hung up/timing out.
The issue is that sendmail/maildrop/postdrop uses setgid to change to
the maildrop group (stat $(which postdrop)) and the
NoNewPrivileges=true setting in the service file explicitly disables
this (look in man systemd.exec). This settings appears to be new in 2.3[1].
What is somewhat infuriating is that this behaviour change is not mentioned in the release notes/upgrade notes and the commit that introduces the change changes multiple things and it doesn't explain why things are changed. I'm happy to see service files that try to improve security in an upstream repository though.
Does pigeonhole have any options to configure how mail is send when using "redirect :copy" (possibly more commands, this is just what triggered it here)? If not, support for injecting mail back via smtp would be lovely. I'd like to reenable NoNewPrivileges at some point.
[1] https://github.com/dovecot/core/commit/563c1e3b45bbb69bc67b75ff7a899699bea18...
Florian