Postfix pipe always runs as nobody
The problem
I would like Postfix to pipe emails to a script that operates on files owned by the www-data group located under /var/www/. However, I receive error messages that indicate insufficient privileges. By letting the script run whoami, I can confirm it's run by the correct user scriptuser (as set in my /etc/postfix/transport file). I can also confirm that the user has sufficient access rights, as no errors occur when executing the script using sudo -u scriptuser /path/to/script.
Therefore, I am quite confused and a bit lost. How is it possible that the user has access rights to the files, the script is run by Postfix as this specific user, but I still get the permission denied message?
I have also tried adding default_privs = www-data to /etc/postfix/main.cf, as suggested here, with no success. Enabling access via chmod o+rx does the job, but I would consider this potentially dangerous as anyone with shell access to the server could read those files.
The config files
# in file /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
virtual_maps = hash:/etc/postfix/virtual/addresses
# in file /etc/postfix/master.cf
mailreply unix - n n - - pipe
  flags=FR user=scriptuser argv=/usr/lib/postfix/sbin/pipemailreply
# in file /etc/postfix/transport
mailreplyuser@localhost mailreply
# in file /etc/postfix/virtual/addresses
mydomain.com DOMAIN
@mydomain.com mailreplyuser@localhost
The file rights in /var/www/html/ (via ls -la):
drwxrws--- 4 www-data www-data 4096 Mar 13 00:41 .
drwxr-xr-x 3 root root 4096 Mar 13 01:02 ..
-rw-r--r-- 1 root www-data 8 Mar 13 00:15 test.txt
The error message
Mar 13 10:13:21 myservername postfix/pipe[3545]: 774F3FEB3B: to=<mailreplyuser@localhost>, orig_to=<[email protected]>, relay=mailreply, delay=0.13, delays=0.07/0/0/0.06, dsn=5.3.0, status=bounced (Command died with status 1: "/usr/lib/postfix/sbin/pipemailreply". Command output: cat: /var/www/html/test.txt: Permission denied )
Solution 1:
I changed "user=scriptuser" to "user=scriptuser:scriptgroup" and I was able to make it work.
http://www.postfix.org/pipe.8.html
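An added example (not part of the answer above, and not Postfix code) that models the kernel's owner/group/other check over the listing from the question, to show why sudo -u succeeds while user=scriptuser fails and user=user:group works. Assumptions: scriptuser's primary group is scriptuser, www-data is one of its supplementary groups, and pipe(8) starts the command with the uid and a single gid but no supplementary groups; the group name www-data in user=scriptuser:www-data is also assumed, since the answer only says scriptgroup.

```python
# Added example: POSIX owner/group/other check over the question's listing.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    mode: str    # ls-style mode string, e.g. "drwxrws---"
    owner: str
    group: str

@dataclass(frozen=True)
class Cred:
    user: str
    gid: str                         # effective (primary) group
    groups: frozenset = frozenset()  # supplementary groups

def allowed(entry: Entry, cred: Cred, want: str) -> bool:
    """Check permission `want` ('r', 'w' or 'x') the way the kernel does:
    exactly one class (owner, else group, else other) is consulted."""
    if cred.user == entry.owner:
        bits = entry.mode[1:4]
    elif entry.group == cred.gid or entry.group in cred.groups:
        bits = entry.mode[4:7]
    else:
        bits = entry.mode[7:10]
    ch = bits["rwx".index(want)]
    # 's'/'t' in the execute slot mean setuid/setgid/sticky with execute set
    return ch in "xst" if want == "x" else ch == want

def can_read(dirs, leaf, cred) -> bool:
    """Reading a file needs search (x) on every directory plus r on the file."""
    return all(allowed(d, cred, "x") for d in dirs) and allowed(leaf, cred, "r")

# Listing from the question
VAR_WWW = Entry("drwxr-xr-x", "root", "root")
HTML_DIR = Entry("drwxrws---", "www-data", "www-data")
TEST_TXT = Entry("-rw-r--r--", "root", "www-data")

# Constructed credentials (assumptions, see the lead-in)
SUDO = Cred("scriptuser", "scriptuser", frozenset({"www-data"}))
PIPE_USER = Cred("scriptuser", "scriptuser")
PIPE_USER_GROUP = Cred("scriptuser", "www-data")

if __name__ == "__main__":
    cases = [("sudo -u scriptuser", SUDO), ("user=scriptuser", PIPE_USER),
             ("user=scriptuser:www-data", PIPE_USER_GROUP)]
    for name, cred in cases:
        ok = can_read([VAR_WWW, HTML_DIR], TEST_TXT, cred)
        print(f"{name:26} can read test.txt: {ok}")
```

The file itself is world-readable; the denial comes from the missing search bit on the directory for anyone outside the www-data group, which is why chmod o+rx on it also "works" at the cost of opening it to every local user.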