Mailman + postfix <-- which group have people selected?
Olli Hauer
ohauer at FreeBSD.org
Tue Jun 14 20:02:52 UTC 2011
On 2011-06-14 20:43, Chris Rees wrote:
> Hi all,
>
> Before I say anything else, please _do not_ bother wxs@ on this
> subject -- any problems to do with ownership/groups in mailman should
> be sent to me-- it's my mess!
>
> I fixed mailman recently to not touch PREFIX before the install phase,
> which opened up a small can of worms in itself -- a fix is waiting for
> approval.
>
> The PR at [1] states that the value for MAIL_GROUP for using mailman
> with Postfix should be nobody, but [2] talks about that being wrong.
>
> Before I revert the MAIL_GID=nobody change (I have had private mail
> explaining that it is in fact incorrect), does anyone have any more
> information on which value is more correct, and why one is preferable?
>
> In short (pseudocode):
>
> .if defined(WITH_POSTFIX)
> MAIL_GID= nobody
> .endif
>
> or
>
> .if defined(WITH_POSTFIX)
> MAIL_GID=mailman
> .endif
>
> ? Comments please?
>
Second one, GID=mailman
The group nobody is not really secure (even it is unprivileged). Mostly
the nobody group is chosen for daemons which do not write data at all.
Normally you try to protect the alias databases which is not given if
nobody has write access to them.
>From mailman-2.1.14/doc/mailman-install/postfix-integration.html
> When you configure Mailman, use the --with-mail-gid=mailman switch this
> will be the default if you configured Mailman after adding the mailman
> owner. Because the owner of the aliases.db file is mailman, Postfix will
> execute Mailman's wrapper program as uid and gid mailman.
>From mailman-2.1.14/doc/mailman-install/postfix-virtual.html
> As above with the data/aliases* files, you want to make sure that both
> data/virtual-mailman and data/virtual-mailman.db are user and group owned
> by mailman.
Other Sources:
http://www.seaglass.com/postfix/mailman-gid.html
http://lists.freebsd.org/pipermail/freebsd-ports/2007-April/040289.html
I think it is a good idea to revert the GID as soon as possible back to
mailman and additional instruct postfix users to make sure the group
of the alias / virtual-alias databases are set to mailman.
More information about the freebsd-ports
mailing list