Updated Dovecot 2.3.0 now getting 2 strange log errors
Florian Pritz
bluewind at xinu.at
Sat Jan 6 20:42:49 EET 2018
On 03.01.2018 18:14, Tony wrote:
> I downgraded dovecot to 2.2.33.2 and pigeonhole 0.4.21 and can confirm
> the reported problem does not exist with "permission denied" and
> sendmail getting hung up/timing out.
The issue is that sendmail/maildrop/postdrop uses setgid to change to
the maildrop group (`stat $(which postdrop)`) and the
NoNewPrivileges=true setting in the service file explicitly disables
this (look in man systemd.exec). This settings appears to be new in 2.3[1].
What is somewhat infuriating is that this behaviour change is not
mentioned in the release notes/upgrade notes and the commit that
introduces the change changes multiple things and it doesn't explain why
things are changed. I'm happy to see service files that try to improve
security in an upstream repository though.
Does pigeonhole have any options to configure how mail is send when
using "redirect :copy" (possibly more commands, this is just what
triggered it here)? If not, support for injecting mail back via smtp
would be lovely. I'd like to reenable NoNewPrivileges at some point.
[1]
https://github.com/dovecot/core/commit/563c1e3b45bbb69bc67b75ff7a899699bea18e88#diff-5bbec0a0006d92d441b5c8fa72690f95
Florian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 858 bytes
Desc: OpenPGP digital signature
URL: <https://dovecot.org/pipermail/dovecot/attachments/20180106/1bb35a54/attachment.sig>
More information about the dovecot
mailing list