On Sun, Nov 20, 2022 at 07:37:08PM +0100, Jaroslaw Rafa wrote:

> Recently that external recipient address happened to reject mail due
> to some misconfiguration, and my Postfix tried to send a DSN to
> www-data user on my server, which failed due to lack of permissions to
> create a Maildir subdirectory in /var/www (which is the home directory
> for www-data). I got the following in my mail log:
>
> Nov 20 16:31:07 rafa postfix/local[20792]: 9DF0D446D0:
> to=<www-d...@rafa.eu.org>, relay=local, delay=0.05, delays=0.01/0.01/0/0.03,
> dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file
> /var/www/Maildir/tmp/1668958267.P20792.rafa: Permission denied)
>
> Here is my first question: why did Postfix try to create the Maildir in
> /var/www (the actual home directory taken from /etc/passwd), if it has the
> following entries in main.cf:
>
> home_mailbox = Maildir/
> mail_spool_directory = /home/
>
> Shouldn't it try to create the Maildir in /home/www-data in that case? I
> supposed it would do so, and because such a directory doesn't exist, the
> attempt would obviously fail.
As documented, "home_mailbox" is relative to the user's home directory,
not the mail spool directory.

> If Postfix tries to create Maildirs in actual home directories specified in
> /etc/passwd,

When you configure it to do so. The default setting is:

    $ postconf -d home_mailbox
    home_mailbox =

> then there's another, more important question. In this case it
> was good that there were no permissions and the Maildir was not created.
> However, some system users do have write access to their home directory.

Best practice is to not use home_mailbox, and store all mail in a common
tree owned by the IMAP service. And use local(8) only for mailing lists
and owned aliases, not mailbox delivery, which happens via LMTP,
virtual(8) or a mailstore-specific LDA.

> For example, the "statd" user has write access to its home directory, which
> is /var/lib/nfs, so if someone sends mail to "st...@example.com",
> unwanted files and directories may be created in /var/lib/nfs, which isn't
> necessarily something good :)

You configured "home_mailbox". The various system users should all be
aliased to the administrator mailbox. No matter where their mail would
be delivered, it would still be the wrong place. With
virtual_mailbox_domains, only explicitly configured users get mail.

> Does local(8) implement any form of preventing mail delivery to system users
> (that is, users below a certain UID threshold - for example 1000 in Debian -
> except root, which should be able to receive mail)?

No.

> I see no mention in the documentation of such a thing. In the config
> description, I can only find a parameter "virtual_minimum_uid", which
> is for the virtual(8) delivery agent only, but there seems to be nothing
> similar for local(8).

This is why local(8) should be used sparingly, just for capabilities
that don't exist in virtual(8). That is, indirect delivery via
":include:" and owner-alias envelope sender replacement.
> So, if one is using Maildirs (which is pretty common nowadays), there's a
> danger of messing up the working directory of some system daemon just by
> sending mail to the user corresponding to that daemon.

Don't use home_mailbox.

> If I want to protect system users' directories from being messed up, is
> there any "smart" way to do it, besides creating explicit access
> restrictions for all those recipients, or aliasing those recipients to e.g.
> /dev/null? (which is not "smart", because if a new system user appears in
> your system - e.g. due to installation of some package - you have to manually
> add another restriction or alias to Postfix)

Augment your aliases from a daily cron job with the output of:

    $ getent passwd | awk -F: '$3 < 100 { printf "%s: postmaster\n", $1 }'

or something like that.

-- 
    Viktor.
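The following is an added example, not code from the thread or from Postfix itself. It expands Viktor's one-liner into a cron-friendly script: every account below a UID threshold gets an aliases(5) entry pointing at postmaster, so local(8) expands the alias instead of ever trying to create a Maildir under a daemon's home directory. The threshold and the exempt list are my own parameters (root is exempted because the original poster wants root to keep receiving mail), the map path /etc/postfix/system-aliases is an assumption, and the passwd lines are constructed so the generator can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Postfix.
# Generates aliases(5) entries for system accounts so that mail to
# "www-data" or "statd" is redirected to postmaster before local(8)
# ever consults home_mailbox.
#
# Assumptions (mine, not the thread's): the UID threshold and the exempt
# list are parameters, and the generated map lives at
# /etc/postfix/system-aliases.

# Constructed sample passwd data so the generator can run offline; the
# cron job feeds it `getent passwd` instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postfix:x:106:113::/var/spool/postfix:/usr/sbin/nologin
statd:x:108:65534::/var/lib/nfs:/usr/sbin/nologin
jaroslaw:x:1000:1000:Jaroslaw:/home/jaroslaw:/bin/bash'

# system_user_aliases THRESHOLD TARGET [EXEMPT...]
# Reads passwd(5) lines on stdin and prints "user: TARGET" for every
# account whose UID is below THRESHOLD and whose name is not in the
# EXEMPT list.  Output order follows input order.
system_user_aliases() {
    threshold=$1
    target=$2
    shift 2
    exempt=" $* "   # space-padded so " name " only matches whole names
    awk -F: -v thr="$threshold" -v tgt="$target" -v ex="$exempt" '
        ($3 + 0) < (thr + 0) && index(ex, " " $1 " ") == 0 {
            printf "%s: %s\n", $1, tgt
        }'
}

# refresh_system_aliases FILE [THRESHOLD]
# Regenerates FILE from the live passwd database and rebuilds its lookup
# table with postalias(1) only when the contents changed, so a daily cron
# job stays quiet until a package installs a new system account.  Needs
# root, getent(1) and postalias(1); not exercised by the sample data.
refresh_system_aliases() {
    file=$1
    threshold=${2:-1000}   # Debian-style: system accounts are below 1000
    tmp=$(mktemp "$file.XXXXXX") || return 2
    getent passwd | system_user_aliases "$threshold" postmaster root > "$tmp"
    if [ -f "$file" ] && cmp -s "$tmp" "$file"; then
        rm -f "$tmp"
        return 0
    fi
    mv "$tmp" "$file" && postalias "$file"
}

# Stand-alone demonstration on the constructed data: daemon, www-data,
# postfix and statd are aliased; root is exempt, jaroslaw is a normal user.
printf '%s\n' "$SAMPLE_PASSWD" | system_user_aliases 1000 postmaster root
```

To wire the map in, list it in alias_maps (for example hash:/etc/postfix/system-aliases) and in alias_database so that newaliases rebuilds it too, then call refresh_system_aliases /etc/postfix/system-aliases from a daily cron entry. local(8) expands aliases before it falls back to mailbox delivery, so a matching entry here means the agent never attempts to write under /var/www or /var/lib/nfs; it does not replace the recommendation above to avoid home_mailbox, it only contains the damage while home_mailbox is still in use.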