> It is hard to guess what you need from the scarce information you
> provide.

I'm sorry... In hindsight, that was _very_ little information.
I'm running 5.0, with postfix as an MTA, delivering mail for two virtual
domains (maildir). Courier is used for IMAP, and runs as vmail:vmail.

> Can you show the output of
> # ls -al /var/mail

$ ls -l /var/mail
total 2148
-rw-------  1 root    wheel  1076477 Jan 14 16:13 root
drwx------  4 vmail   vmail      512 Dec  5 00:33 vmail
-rw-------  1 zeloff  users        0 Jan 10  2011 zeloff

Inside /var/mail/vmail is a folder of each of the virtual domains,
and inside that one for every user, etc. Everything from here on down
has either 700 (folders) or 600 (files) permissions.

> on the machine in question, and the exact messages you see in your
> daily security emails?

Running security(8):
Checking mailbox ownership.
user vmail mailbox is drwx------, group vmail

If I chmod 600 /var/mail/vmail, security(8) runs
clean, so it's the executable bit that's causing the trouble, but
unsetting it is not an option for the obvious reasons. Relocating the
whole thing is most probably the best idea, but is there anything wrong
with this patch I came up with? --- /usr/libexec/security Mon Apr 16
10:43:36 2012 +++ security Mon Apr 16 11:43:20 2012 @@ -457,7 +457,7 @@
my $gname = (getgrgid $fgid)[0] // $fgid; nag $fname ne $name, "user
$name mailbox is owned by $fname"; - nag S_IMODE($mode) != (S_IRUSR |
S_IWUSR), + nag S_IMODE($mode) != (S_IRUSR | S_IWUSR | +
(S_ISDIR(S_IFMT($mode)) && S_IXUSR) ), sprintf 'user %s mailbox is %s,
group %s', $name, strmode($mode), $gname; } I have no proper perl skills
whatsoever, but I tested it on a few files with different permissions and
it appears to work properly...

So, what's the verdict? Should maildirs be
kept out of /var/mail altogether, or is patching security(8) a viable
alternative?

Many thanks

Zi (with an acute-accented 'e', damn encodings...)
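
Review bot: in the added term `(S_ISDIR(S_IFMT($mode)) && S_IXUSR)`, the expected mode is built by OR-ing in the result of a logical `&&`, which works only because Perl's false value numifies to 0. A ternary such as `S_ISDIR($mode) ? S_IXUSR : 0` states the intent directly, and the S_IFMT() wrapper can be dropped because S_ISDIR() already looks only at the file type bits. Note also that with this change a directory passes only at exactly 0700, and the check still covers just the entry in /var/mail itself: nothing below /var/mail/vmail is inspected, so the 700/600 permissions further down are not verified by security(8). A comment next to the test saying that directories are accepted as maildirs and that their contents are not checked would make that limit visible.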
