632102 – mail-filter/procmail-3.22-r10 vs mail-mta/exim-4.89-r1: do not work with each other

Bug 632102 - mail-filter/procmail-3.22-r10 vs mail-mta/exim-4.89-r1: do not work with each other

Summary: mail-filter/procmail-3.22-r10 vs mail-mta/exim-4.89-r1: do not work with each...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Net-Mail Packages

URL:	https://archives.gentoo.org/gentoo-de...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2017-09-26 20:25 UTC by Clemens Noss
Modified:	2017-10-02 07:11 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Clemens Noss 2017-09-26 20:25:08 UTC

This applies possibly to newer versions too.

Exim, by its default configuration, will not use procmail if it is not readable by the recipient user.

procmail, as a big exception among everything in /usr/bin, is installed o-r.

ll /usr/bin/procmail
-rwsr-s--x 1 root root 76040 Nov  6  2016 /usr/bin/procmail

In /etc/exim/exim.conf: (not really, simplified by me)
procmail:
  require_files = $local_part:+$home/.procmailrc:+/usr/bin/promail

To make it work, the possible ways are:
- make procmail binary o+r
- remove $local_part from the line in exim.conf (try to read as exim user, not recipient user)
- remove +/usr/bin/procmail from the line (do not check the binary)

Any of these may be undesirable for different reasons, maybe someone can find a better way.

Comment 1 Fabian Groffen gentoo-dev

2017-09-27 07:18:52 UTC

Do you happen to know if this used to work (and changed recently)?

Comment 2 Clemens Noss 2017-09-30 17:09:17 UTC

I found a procmail binary from 2009 that is world un-readable.

For the exim part, it installs /etc/exim/exim.conf.dist (as example), and the problem is only noticeable if this file is copied to exim.conf.

I don't know if it ever worked before. It is possible that last time (long ago) I started with a different configuration.

Comment 3 Fabian Groffen gentoo-dev

2017-10-01 10:25:39 UTC

ok, so here's the thing from Exim point of view: the procmail router from the exim.conf.dist file comes straight from upstream.  I don't like to change that file for that reason.

I just installed procmail on Ubuntu to see what they do, and they have
-rwsr-sr-x 1 root mail /usr/bin/procmail

So perhaps, we should consider your first suggestion o+r, or drop an einfo in the procmail ebuild to suggest one needs that for mta integration or something.

One interesting thing here, the ebuild installs using:
    insopts -m 6755

but somehow the following happens when merging:
 * >>> SetUID and SetGID: [chmod o-r] /usr/bin/procmail ...              [ ok ]
 * >>> SetGID: [chmod o-r] /usr/bin/lockfile ...                         [ ok ]

Which feels like some security/qa check biting this particular use-case.

Comment 4 Fabian Groffen gentoo-dev

2017-10-02 07:11:00 UTC

Ok, this is on purpose.  (Done via portage's misc-functions.sh)  I think the best we can do is drop an ewarn or something in procmail if sfperms is in FEATURES.

I added this warning, and assume that's the best we can do, hence closing this bug.

Thanks for the report and analysis!