Re: Procmail can't create mailbox

[Rick Stevens <ricks nerd com>]

Bob McClure Jr wrote:
> On Mon, Dec 01, 2008 at 01:21:50PM -0800, Rick Stevens wrote:
> > Bob McClure Jr wrote:
> > > On Mon, Dec 01, 2008 at 10:11:08AM -0800, Rick Stevens wrote:
> > > > Bob McClure Jr wrote:
> > > > > On Sat, Nov 29, 2008 at 09:28:38AM -0500, Mark Corsi wrote:
> > > > > > My guess is that the server is seeing the process as 'other'. This leaves
> > > > > > two solutions. One is to start the process with sudo so it starts as root. I
> > > > > > would hazard a guess that this would open up an unexpected security hole
> > > > > > since this is a mail process. The other solution is to make the process
> > > > > > owner part of the group that owns that folder and make the folder group
> > > > > > writable. Pretty sure the second solution will maintain security while
> > > > > > accomplishing your goal.
> > > > > Well, I already have a sufficiently secure work-around, but that works
> > > > > around a symptom.  I want to find out why an out-of-the-box
> > > > > configuration quit working.
> > > > Were there any diagnostics in the logs that may be of use?
> > > Only
> > >
> > > Nov 28 18:45:46 lfvsfcp19080 postfix/local[30613]: 759B024035:
> > > to=<bmcclure dn net>, orig_to=<root dn net>, relay=local, delay=3,
> > > delays=0/0/0/3, dsn=5.2.0, status=bounced (can't create user output
> > > file. Command output: procmail: Couldn't create "/var/mail/bmcclure" )
> > >
> > > > Did you
> > > > check /usr/bin/procmail and verified it was rwxr-xr-x (755), owned by
> > > > root, group of mail?
> > > -rwxr-xr-x 1 root mail 99128 Jul 12  2006 /usr/bin/procmail
> > >
> > > > Yes, /var/mail is a symlink to /var/spool/mail and
> > > > the link should be mode rwxrwxrwx (777).
> > > lrwxrwxrwx 1 root root 10 Nov 21 20:43 /var/mail -> spool/mail
> > >
> > > > /var/spool/mail itself should be owned by root, group of mail with mode
> > > > rwxrwxr-x (775).
> > > drwxrwxr-x 2 root mail 4096 Nov 28 04:02 /var/spool/mail
> > >
> > > > The files below that should be owned by the user whose
> > > > mailbox it is, group of mail with mode rw-rw---- (660).
> > > -rw------- 1 root root 0 Nov 28 04:02 root
> > > -rw-rw---- 1 root mail 0 Nov 21 20:52 root2
> > > -rw-rw---- 1 rpc  mail 0 Nov 21 20:47 rpc
> > >
> > > > I know of no extra things that may be affected by the addition of a user
> > > > via the "adduser" scripts that wouldn't be handled IF all of the user-
> > > > related files (home directories, hidden files, etc.) are present.
> > > drwx------ 25 bmcclure bmcclure 12288 Dec  1 04:02 /home/bmcclure
> > > -rw-r--r-- 1 bmcclure apache 1716 Nov 28 21:40 /home/bmcclure/.procmailrc
> > >
> > > I am mystified.
> > Have you tried (as root):
> >
> > 	touch /var/mail/bmcclure
> > 	chown bmcclure:mail /var/mail/bmcclure
> > 	chmod 660 /var/mail/bmcclure
>
> Yeah, I know that works.
>
> > Not sure if the adduser scripts create the empty mailbox or not.
>
> Hmm.  I've been assuming that it doesn't, but I just looked at
> /etc/defaults/useradd, and indeed:
>
> # useradd defaults file
> GROUP=100
> HOME=/home
> INACTIVE=-1
> EXPIRE=
> SHELL=/bin/bash
> SKEL=/etc/skel
> CREATE_MAIL_SPOOL=yes
>
> > They
> > may...check that, they do.  One of the possible exit values for useradd
> > is:
> >
> > 	13 can’t create mail spool
> >
> > Ok, now THAT'S subtle to find!
>
> Well, that would explain this server, and I know just how to fix it.
> Now I have to go back to the others, because, on at least one of them,
> useradd was not creating the mailbox.  Gotta verify that's the case
> and fix that.
>
> Thanks for the clue.

No problem.  IIRC, procmail runs as the recipient's user and group.  I
believe some systems have the procmail binary's set-group-ID bit set
("chmod g+s /usr/bin/procmail") which would make it run as group "mail".
That'd get around the lack of a world-write bit set on /var/spool/mail.
For the machines where it worked, see if that's true.  procmail would
show up "rwxr-sr-x", I think.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks nerd com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-      "Microsoft is a cross between The Borg and the Ferengi.       -
-  Unfortunately they use Borg to do their marketing and Ferengi to  -
-               do their programming."  -- Simon Slavin              -
----------------------------------------------------------------------