On 03.01.2018 18:14, Tony wrote:
> I downgraded dovecot to 2.2.33.2 and pigeonhole 0.4.21 and can confirm
> the reported problem does not exist with "permission denied" and
> sendmail getting hung up/timing out.

The issue is that sendmail/maildrop/postdrop uses setgid to change to the maildrop group (`stat $(which postdrop)`) and the NoNewPrivileges=true setting in the service file explicitly disables this (look in man systemd.exec). This setting appears to be new in 2.3[1].

What is somewhat infuriating is that this behaviour change is not mentioned in the release notes/upgrade notes and the commit that introduces the change changes multiple things and it doesn't explain why things are changed. I'm happy to see service files that try to improve security in an upstream repository though.

Does pigeonhole have any options to configure how mail is sent when using "redirect :copy" (possibly more commands, this is just what triggered it here)? If not, support for injecting mail back via smtp would be lovely. I'd like to reenable NoNewPrivileges at some point.

[1] https://github.com/dovecot/core/commit/563c1e3b45bbb69bc67b75ff7a899699bea18e88#diff-5bbec0a0006d92d441b5c8fa72690f95

Florian
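
The conflict described in the message above can be checked for mechanically. The following is an added example, not part of the original message or of the dovecot project; the function names, the sample unit text and the file modes are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a setuid/setgid mail helper that a unit with
# NoNewPrivileges= enabled will not be able to use with elevated rights.

# has_setid MODE: succeed if the octal MODE (as printed by `stat -c %a`)
# carries the setuid (4000) or setgid (2000) bit.
has_setid() {
    case $1 in
        ''|*[!0-7]*) return 2 ;;          # not an octal mode string
    esac
    [ $(( (0$1 >> 9) & 6 )) -ne 0 ]
}

# nnp_enabled: read unit-file text on stdin; succeed if the last
# NoNewPrivileges= assignment is a true value (a later assignment of a
# non-list setting overrides an earlier one).
nnp_enabled() {
    val=$(sed -n 's/^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*//p' |
          sed 's/[[:space:]]*$//' | tail -n 1)
    case $(printf '%s' "$val" | tr 'A-Z' 'a-z') in
        1|yes|y|true|t|on) return 0 ;;
        *) return 1 ;;
    esac
}

# check_helper UNIT_TEXT MODE NAME: print a finding; return 1 on conflict.
check_helper() {
    if printf '%s\n' "$1" | nnp_enabled && has_setid "$2"; then
        echo "CONFLICT: $3 (mode $2) is setuid/setgid, but NoNewPrivileges is on"
        return 1
    fi
    echo "ok: $3 (mode $2)"
}

# Constructed sample input: a [Service] fragment and two file modes.
SAMPLE_UNIT='[Service]
ExecStart=/usr/sbin/dovecot -F
NoNewPrivileges=true'

check_helper "$SAMPLE_UNIT" 2755 postdrop || true   # setgid helper: conflict
check_helper "$SAMPLE_UNIT" 755 plain-helper        # no special bits: ok
```

On a live host the two inputs would come from `systemctl cat dovecot.service` and `stat -c %a "$(command -v postdrop)"` (GNU stat).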