Hello,

Running Postfix 3.3.1 under Linux, postfix-script produces pointless warnings if/when there are symbolic links in or below $config_directory.

1. I installed (CA root) certificates in a subdir of /etc/postfix and rehashed with "openssl rehash <subdir>". This will of course create a symlink to each certificate. But to reproduce, any symlink in (a subdir of) /etc/postfix will do. Now restart Postfix, since you can't run "postfix-script check-warn" directly. For each symlink, a warning is written in the log, like this:

postfix/postfix-script[23592]: warning: group or other writable: /etc/postfix/./tls/CAcerts/02265526.0

This should not happen, as the permissions of symbolic links are irrelevant on Linux. They are never used; it is those of the pointed-to file that count. See "man 1 chmod" or - if you have it installed - "man 7 symlink". Of course, these "bogus" warnings do not really hurt, but they do clutter the logs and thereby obscure the real thing.

The following (very) simple patch to postfix-script 3.3.1 takes care of them:

====================
@@ -302,7 +302,7 @@ find $todo ! -user root \ -exec $WARN not owned by root: {} \; - find $todo \( -perm -020 -o -perm -002 \) \ + find -L $todo \( -perm -020 -o -perm -002 \) \ -exec $WARN group or other writable: {} \; # Check Postfix mail_owner-owned directory tree owner/permissions.
====================

I suppose the -L parameter could be added to the other occurrences of "find", but I didn't bother with that.

2. As an aside, it would be cool if those warnings could give the real name of the offending file. That is, instead of:
/etc/postfix/./tls/CAcerts/....
it really should be:
/etc/postfix/tls/CAcerts/....
But that is a cosmetic issue only. NB: my copy of "find" is from an older findutils 4.5.11 package, current seems to be 4.6.0.

3. What is maybe more important is that there were no such warnings about the symlinks in the chroot jail. Yet I did copy all the certificates from that CAcerts dir over into its jail counterpart, and rehashed there as well. So I would have expected the same bogus warnings about the symlinks in there. However, the postfix-script doesn't seem to check (all) the subdirs of the $queue_directory for owner- and permission-related issues. It just looks at /var/spool/postfix/pip. Maybe it should check the others as well? Or at least "/var/spool/postfix/etc/postfix" ?

Luc
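
Review bot: On the `+ find -L $todo` line, -L does more than ignore the link's own mode: find now descends through any symlinked directory under $todo into whatever it points at, reports a writable target under the link's name, and falls back to the link's own mode when the target is missing, so a dangling link keeps producing this warning. The unchanged `find $todo ! -user root` context line just above still tests the link itself, so after this change ownership and permissions are judged on different objects. If the aim is only to silence the symlink noise, adding `! -type l` to the expression keeps the walk inside the tree; if following links is intended, apply -L to both checks and note that in the comment.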
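
Added example, not part of the original message or of postfix-script: a shell script that rebuilds the reported situation in a temporary directory and compares the unpatched permission test, the patched `find -L` test, and a `! -type l` variant (an alternative assumed here, not proposed in the post). The tree layout and file names are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample tree: file names and layout are made up for this demo.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/tls/CAcerts"
    : > "$root/tls/CAcerts/ca.pem"
    chmod 0644 "$root/tls/CAcerts/ca.pem"               # properly protected file
    ln -s ca.pem "$root/tls/CAcerts/02265526.0"         # hash link, as rehash makes
    ln -s missing.pem "$root/tls/CAcerts/dangling.0"    # link with no target
    : > "$root/main.cf"
    chmod 0664 "$root/main.cf"                          # really group-writable
    chmod 0755 "$root" "$root/tls" "$root/tls/CAcerts"
    echo "$root"
}

# check_writable MODE DIR: list the entries the permission test flags.
#   plain   - unpatched test: looks at each entry itself, links included
#   follow  - patched test (find -L): looks at the link's target
#   nolinks - assumed alternative: skip symlinks, never leave the tree
check_writable() {
    (
        cd "$2" || exit 1
        case $1 in
            plain)   find . \( -perm -020 -o -perm -002 \) -print ;;
            follow)  find -L . \( -perm -020 -o -perm -002 \) -print ;;
            nolinks) find . ! -type l \( -perm -020 -o -perm -002 \) -print ;;
            *)       exit 2 ;;
        esac | LC_ALL=C sort | paste -s -d ' ' -
    )
}

# Print what each variant reports for the same tree.
demo() {
    tree=$(make_tree) || return 1
    for mode in plain follow nolinks; do
        printf '%-8s %s\n' "$mode" "$(check_writable "$mode" "$tree")"
    done
    rm -rf "$tree"
}
demo
```

On Linux the dangling link is still reported under `follow`, because find falls back to the link itself when the target cannot be examined.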