Postfix vulnarebility wrongly reported by pkg audit?

David Benfell benfell at
Sun May 10 09:08:27 UTC 2015

Quoting Marko Turk <markoml at>:
> today my postfix-2.11.4,1 was marked as vulnerable by the pkg audit
> tool. But, when I go to the web pages the tool outputs it says that my
> version of postfix is not vulnerable (and that this vulnerabilities are
> from 2011).

If I understood correctly, the problem is with the ownership of  
/var/db/postfix. But to be honest, I don't see how it's in fact a  
vulnerability. The complaint is that the ownership is set to root  
rather than postfix.

When I look at my instance, I see:

[benfell at home ~]% ls -ald /var/db/postfix
drwx------  2 postfix  wheel  512 Apr 16 01:07 /var/db/postfix

Now, I can see how root ownership might prevent postfix from working.  
Not how it's a vulnerability. And it seems that at least on my  
instance, it is correctly set, anyhow. So I'm just confused.

David Benfell <benfell at>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: PGP Digital Signature
URL: <>

More information about the freebsd-questions mailing list