Mailman + postfix <-- which group have people selected?

Chris Rees crees at freebsd.org
Tue Jun 14 20:44:34 UTC 2011


On 14 June 2011 21:02, Olli Hauer <ohauer at freebsd.org> wrote:
> On 2011-06-14 20:43, Chris Rees wrote:
>> Hi all,
>>
>> Before I say anything else, please _do not_ bother wxs@ on this
>> subject -- any problems to do with ownership/groups in mailman should
>> be sent to me -- it's my mess!
>>
>> I fixed mailman recently to not touch PREFIX before the install phase,
>> which opened up a small can of worms in itself -- a fix is waiting for
>> approval.
>>
>> The PR at [1] states that the value for MAIL_GROUP for using mailman
>> with Postfix should be nobody, but [2] talks about that being wrong.
>>
>> Before I revert the MAIL_GID=nobody change (I have had private mail
>> explaining that it is in fact incorrect), does anyone have any more
>> information on which value is more correct, and why one is preferable?
>>
>> In short (pseudocode):
>>
>> .if defined(WITH_POSTFIX)
>> MAIL_GID= nobody
>> .endif
>>
>> or
>>
>> .if defined(WITH_POSTFIX)
>> MAIL_GID=mailman
>> .endif
>>
>> ? Comments please?
>>
>
> Second one, GID=mailman
>
> The group nobody is not really secure (even though it is unprivileged). Mostly
> the nobody group is chosen for daemons which do not write data at all.
>
> Normally you try to protect the alias databases which is not given if
> nobody has write access to them.
>
>
> From mailman-2.1.14/doc/mailman-install/postfix-integration.html
>
>> When you configure Mailman, use the --with-mail-gid=mailman switch; this
>> will be the default if you configured Mailman after adding the mailman
>> owner. Because the owner of the aliases.db file is mailman, Postfix will
>> execute Mailman's wrapper program as uid and gid mailman.
>
>
> From mailman-2.1.14/doc/mailman-install/postfix-virtual.html
>
>> As above with the data/aliases* files, you want to make sure that both
>> data/virtual-mailman and data/virtual-mailman.db are user and group owned
>> by mailman.
>
>
> Other Sources:
> http://www.seaglass.com/postfix/mailman-gid.html
> http://lists.freebsd.org/pipermail/freebsd-ports/2007-April/040289.html
>
>
> I think it is a good idea to revert the GID as soon as possible back to
> mailman and additionally instruct postfix users to make sure the group
> of the alias / virtual-alias databases is set to mailman.

Thank you. A patch to reverse the group change and fix the REINPLACE
is in my Tinderbox -- it should be ready by tomorrow.

Chris
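
The ownership check recommended above for Postfix users, as an added example that is not part of the original thread or of the port: it verifies that the alias and virtual-alias maps named in the quoted Mailman documentation are owned by user and group mailman and are not world-writable. The function name and the data directory passed to it are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the port): audit the Mailman maps
# that Postfix reads. File names come from the quoted Mailman docs; the
# function name and the directory argument are assumptions.
#
# usage: check_mailman_maps /path/to/mailman/data [owner] [group]
# Prints one line per problem; returns 0 if every existing map is OK, else 1.
check_mailman_maps() {
    dir=$1
    owner=${2:-mailman}
    group=${3:-mailman}
    bad=0
    for name in aliases aliases.db virtual-mailman virtual-mailman.db; do
        f=$dir/$name
        # The virtual-mailman maps only exist when virtual domains are used.
        [ -e "$f" ] || continue
        # -prune keeps find on the file itself; stdout is empty when the
        # owner or group does not match (or the name does not exist).
        if [ -z "$(find "$f" -prune -user "$owner" -group "$group" 2>/dev/null)" ]; then
            echo "WRONG OWNER/GROUP: $f (expected $owner:$group)"
            bad=1
        fi
        # A world-writable map lets any local account edit the aliases.
        if [ -n "$(find "$f" -prune -perm -002 2>/dev/null)" ]; then
            echo "WORLD-WRITABLE: $f"
            bad=1
        fi
    done
    return $bad
}
```

A non-zero return means at least one map needs its owner, group or mode corrected before Postfix is trusted to run Mailman's wrapper from it.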

