Hi Adam, Adam Wolk wrote on Sat, Jan 23, 2016 at 07:54:44PM +0100:
> After some IRC talk with ebarret we came to the following conclusions: > - the script assumes the mailbox is a file (in my case it's a maildir) > - the comment should say 'unreadable by others' > > I think check_mailboxes should be altered when the target entry > in /var/mail is a directory. Instead of expecting u+rw it should expect > u+rwx in that specific case. > > If no one raises issues with this I'll send a patch to tech@ modifying > security(8) to behave like that. I already had that patch written before seeing this mail and will send it to tech@ shortly. Yours, Ingo > On Sat, 23 Jan 2016 19:29:36 +0100 > Adam Wolk <[email protected]> wrote: > > > Hi misc@ > > > > I'm using OpenSMTPD setup according to [1]. OpenBSD's security(8) > > keeps complaining on the way I setup my maildir on the host. > > > > TL;DR: why u+x on users maildir is considered a bad practice? > > > > Running security(8): > > > > Checking mailbox ownership. > > user mulander mailbox is drwx------, group mulander > > user nemessica mailbox is drwx------, group nemessica > > > > Wanting to understand what I'm doing wrong I took a look at the code > > (as man security(8) only states that it checks maildir permissions, no > > details). > > > > Code performing the check is located in /usr/libexec/security > > > > # Mailboxes should be owned by the user and unreadable. > > sub check_mailboxes { > > > > I'm not exactly sure of the intent for the comment but the culprit in > > my case is the +x bit for the owner of the folder. > > > > Simply removing that leads to issues in my setup as dovecot sieve > > scripts can't traverse the directory and file mail accordingly. > > > > Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: > > stat(/var/mail/mulander/tmp) failed: Permission denied > > (euid=1000(mulander) egid=1000(muland er) missing +x > > perm: /var/mail/mulander, dir owner missing perms) Jan 23 18:53:24 > > tintagel dovecot: lmtp(mulander): Error: K8AnMgm+o1YvIwAAl8n8gw: > > sieve: msgid=<[email protected] > > gengine.com>: failed to store into mailbox 'INBOX': Internal error > > occurred. Refer to server log for more information. [2016-01-23 > > 18:53:24] Jan 23 18:53:24 tintagel dovecot: lmtp(mulander): Error: > > K8AnMgm+o1YvIwAAl8n8gw: sieve: Execution of > > script /home/mulander/.dovecot.sieve was aborted due to temporary > > failure (user logfile /home/mulander/.dovecot.sieve.log may reveal > > additional details) > > > > > > Now obviously I treat security(8) warnings seriously but I would like > > to know why a +x flag is considered a bad practice here?
