Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection


Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

Marek Królikowski
Hello Guys
Yesterday I bought new EMC storage and I want to move a few people from the old SATA HDD to the new FC EMC HDD, but I have a problem and don't know how to resolve it. Maybe you can help me:
1. I mounted the new storage at /mnt/EMC
2. I created /mnt/EMC/var/spool/mail/
3. I moved the user's file (test) from /var/spool/mail/test to /mnt/EMC/var/spool/mail/test
4. I made a symlink to that file: ln -sn /mnt/EMC/var/spool/mail/test /var/spool/mail/test

and now I have a problem... when I try to send anything to this user I get:
Nov  8 00:41:36 MAIL01 postfix/local[23980]: 0F7CA3193CAF: to=<[hidden email]>, relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=5.2.0, status=bounced (cannot update mailbox /var/spool/mail/test for user test. file is a symbolic link)
and he doesn't get the email.....
 
so I removed write permission on /var/spool/mail for other users like this:
chmod 755 /var/spool/mail
but now I get warnings in mail.log:
Nov  8 00:41:10 MAIL01 ipop3d[24089]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
 
 
Any idea how to resolve this problem?
 
Thanks
 

Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

Wietse Venema
Marek Królikowski:
> Hello Guys
> Yesterday I bought new EMC storage and I want to move a few people from the old SATA HDD to the new FC EMC HDD, but I have a problem and don't know how to resolve it. Maybe you can help me:
> 1. I mounted the new storage at /mnt/EMC
> 2. I created /mnt/EMC/var/spool/mail/
> 3. I moved the user's file (test) from /var/spool/mail/test to /mnt/EMC/var/spool/mail/test
> 4. I made a symlink to that file: ln -sn /mnt/EMC/var/spool/mail/test /var/spool/mail/test
>

Unfortunately, symlinks to mailbox files are unsafe when the mail
directory is writable by users other than root, regardless of who
owns the symlink. You can thank the Linux, Solaris and IRIX people
for that. This security check will not be removed from Postfix.

        Wietse
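The two rules the thread turns on (Postfix refusing a symlinked mailbox in a directory that non-root users can write to, and ipop3d wanting the spool directory to be 1777) can be checked before touching a live spool. The following audit script is an added example, not from the thread and not Postfix's or uw-imap's own code; it restates the rules as worded above rather than reproducing either program's source, and it rebuilds the poster's layout in a throw-away directory so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread, not Postfix/uw-imap code): audit a mail
# spool directory for the two conditions discussed above.
#   1. A mailbox entry that is a symbolic link inside a directory writable by
#      users other than root: Postfix local(8) refuses to append to it.
#   2. A spool directory that is not world-writable-with-sticky-bit (1777):
#      ipop3d logs "Mailbox vulnerable".
# Portable sh only: no stat(1) format flags, mode tests done with find -perm.

# find -prune looks at the directory itself and prints it only when the mode
# test matches, so a non-empty result means "those bits are set".
dir_writable_by_non_owner() {   # group-writable or world-writable
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}
dir_is_1777() {                  # world-writable AND sticky bit
    [ -n "$(find "$1" -prune -perm -1777 -print 2>/dev/null)" ]
}

# mailbox_check SPOOLDIR USER
# returns 0 if delivery to SPOOLDIR/USER passes the symlink rule, 1 if refused
mailbox_check() {
    if [ -h "$1/$2" ] && dir_writable_by_non_owner "$1"; then
        echo "REFUSED: $1/$2 is a symbolic link and $1 is writable by group/others"
        return 1
    fi
    echo "OK: $1/$2"
}

# spool_mode_check SPOOLDIR
# returns 0 if the directory is 1777 as ipop3d expects, 1 if it would warn
spool_mode_check() {
    if dir_is_1777 "$1"; then
        echo "OK: $1 is 1777"
        return 0
    fi
    echo "WARN: $1 is not 1777; ipop3d would log 'Mailbox vulnerable'"
    return 1
}

# Re-create the poster's situation (constructed, in a temporary directory)
# and run both checks at each step he describes.
demo() {
    sandbox=$(mktemp -d) || return 1
    spool=$sandbox/spool
    mkdir -p "$spool" "$sandbox/EMC/var/spool/mail"
    : > "$sandbox/EMC/var/spool/mail/test"                  # mailbox moved to new storage
    ln -s "$sandbox/EMC/var/spool/mail/test" "$spool/test"  # step 4 of the thread
    : > "$spool/alice"                                      # an untouched mailbox
    chmod 1777 "$spool"
    mailbox_check "$spool" test || :    # refused: symlink in a 1777 directory
    mailbox_check "$spool" alice        # ordinary file: fine
    spool_mode_check "$spool"           # 1777: fine for ipop3d
    chmod 755 "$spool"                  # the poster's workaround
    mailbox_check "$spool" test         # now passes the symlink rule ...
    spool_mode_check "$spool" || :      # ... but ipop3d starts complaining
    rm -rf "$sandbox"
}
demo
```

The point the demo makes is the one Wietse states: the two requirements pull in opposite directions. A 1777 spool is what lets any user create lock files next to their mbox, and exactly that write access is what makes a symlink in the directory untrustworthy, whoever owns it.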

Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

Marek Królikowski
-----Original message-----
From: Wietse Venema
Sent: Tuesday, November 08, 2011 2:27 AM
To: Postfix users
Subject: Re: Symlink problem = file is a symbolic link or Mailbox
vulnerable - directory /var/spool/mail must have 1777 protection

>> Marek Królikowski:
>> Hello Guys
>> Yesterday I bought new EMC storage and I want to move a few people from the old SATA HDD
>> to the new FC EMC HDD, but I have a problem and don't know how to resolve
>> it. Maybe you can help me:
>> 1. I mounted the new storage at /mnt/EMC
>> 2. I created /mnt/EMC/var/spool/mail/
>> 3. I moved the user's file (test) from /var/spool/mail/test to
>> /mnt/EMC/var/spool/mail/test
>> 4. I made a symlink to that file: ln -sn /mnt/EMC/var/spool/mail/test
>> /var/spool/mail/test
>>

>Unfortunately, symlinks to mailbox files are unsafe when the mail
> directory is writable by users other than root, regardless of who
> owns the symlink. You can thank the Linux, Solaris and IRIX people
> for that. This security check will not be removed from Postfix.

Thanks for the answer. So the best way is chmod 755 /var/spool/mail and ignore
the log spam about "directory /var/spool/mail must have 1777 protection"???
Sounds a little stupid and crazy ;)


Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

Stan Hoeppner
On 11/7/2011 11:13 PM, Marek Królikowski wrote:

> -----Original message----- From: Wietse Venema
> Sent: Tuesday, November 08, 2011 2:27 AM
> To: Postfix users
> Subject: Re: Symlink problem = file is a symbolic link or Mailbox
> vulnerable - directory /var/spool/mail must have 1777 protection
>>> Marek Królikowski:
>>> Hello Guys
>>> Yesterday I bought new EMC storage and I want to move a few people from the old SATA
>>> HDD to the new FC EMC HDD, but I have a problem and don't know how to resolve
>>> it. Maybe you can help me:
>>> 1. I mounted the new storage at /mnt/EMC
>>> 2. I created /mnt/EMC/var/spool/mail/
>>> 3. I moved the user's file (test) from /var/spool/mail/test to
>>> /mnt/EMC/var/spool/mail/test
>>> 4. I made a symlink to that file: ln -sn /mnt/EMC/var/spool/mail/test
>>> /var/spool/mail/test
>>>
>
>> Unfortunately, symlinks to mailbox files are unsafe when the mail
>> directory is writable by users other than root, regardless of who
>> owns the symlink. You can thank the Linux, Solaris and IRIX people
>> for that. This security check will not be removed from Postfix.
>
> Thanks for the answer. So the best way is chmod 755 /var/spool/mail and
> ignore the log spam about "directory /var/spool/mail must have 1777
> protection"???
> Sounds a little stupid and crazy ;)

Simply mount the EMC device to a temporary mount point, which you have
done.  Stop all mail related daemons so nothing is accessing
/var/spool/mail.  Use 'cp -a' to copy all the mail files to the EMC
filesystem.  Verify the copy process.  Delete all the mail files and any
subdirectories from /var/spool/mail/ so the directory is empty and can
be used as a mount point.  Unmount the EMC filesystem and remount it at
/var/spool/mail/.  Verify directory permissions are correct.  Restart
mail daemons.  Done.

--
Stan
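Stan's sequence is short on one detail that matters operationally: what "verify the copy process" means before the old spool is deleted and mounted over. The script below is an added example, not Stan's and not part of Postfix; it implements his steps with the verification made concrete (a content checksum manifest plus an owner/mode manifest, since an mbox that arrives with the wrong owner is as broken as one that arrives truncated). The spool path and mount point are the thread's; the block device and the init script names are placeholders.

```shell
#!/bin/sh
# Added example (not Stan's script, not Postfix code): whole-spool cut-over
# to a new filesystem, with a real verification step before anything is
# deleted. Assumes cp -a (GNU or BSD) and POSIX find/cksum/ls/awk.
# /dev/PLACEHOLDER and the /etc/init.d names must be replaced for a real box.

# copy_spool SRC DST: cp -a keeps owner, mode, mtime and symlinks, which
# mbox files need (each must remain owned and writable by its user).
copy_spool() {
    cp -a "$1/." "$2/"
}

# content_manifest DIR: "crc size ./path" for every regular file, sorted by path
content_manifest() {
    ( cd "$1" && find . -type f -exec cksum {} + | sort -k3 )
}

# owner_manifest DIR: "mode uid gid ./path" for every entry below DIR, so a copy
# that lost ownership (e.g. made without -a) is caught even when contents match
owner_manifest() {
    ( cd "$1" && find . ! -name . -exec ls -ldn {} + | awk '{ print $1, $3, $4, $NF }' | sort -k4 )
}

# verify_copy SRC DST: 0 only when both manifests are identical
verify_copy() {
    [ "$(content_manifest "$1")" = "$(content_manifest "$2")" ] \
        || { echo "verify_copy: file contents differ" >&2; return 1; }
    [ "$(owner_manifest "$1")" = "$(owner_manifest "$2")" ] \
        || { echo "verify_copy: owner/mode differs" >&2; return 1; }
}

# cutover SRC TMPMOUNT DEVICE: Stan's full sequence. Must run as root; it stops
# before touching SRC if the copy does not verify.
cutover() {
    src=${1:-/var/spool/mail}
    tmpmnt=${2:-/mnt/EMC}
    dev=${3:-/dev/PLACEHOLDER}                     # placeholder: the EMC block device
    for svc in postfix xinetd; do                  # placeholder service names
        /etc/init.d/"$svc" stop || return 1
    done
    copy_spool "$src" "$tmpmnt" || return 1
    verify_copy "$src" "$tmpmnt" \
        || { echo "copy did not verify; old spool left untouched" >&2; return 1; }
    # empty the old directory so it can serve as the mount point
    ( cd "$src" && find . ! -name . -prune -exec rm -rf {} + )
    umount "$tmpmnt" && mount "$dev" "$src" || return 1
    # "verify directory permissions are correct": the spool itself should be 1777
    if [ -z "$(find "$src" -prune -perm -1777 -print)" ]; then
        echo "WARNING: $src is not 1777 after mount:" >&2
        ls -ld "$src" >&2
    fi
    for svc in postfix xinetd; do
        /etc/init.d/"$svc" start || return 1
    done
}

# Demo of the copy + verify half in a temporary directory (constructed data);
# the mount/daemon half needs root and a real device, so it is not run here.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/old/sub" "$t/new"
    printf 'From alice@example\nhello\n' > "$t/old/alice"
    printf 'From bob@example\n' > "$t/old/sub/bob"
    chmod 600 "$t/old/alice"
    copy_spool "$t/old" "$t/new" && verify_copy "$t/old" "$t/new" && echo "copy verified"
    rm -rf "$t"
}
demo
```

Verification with two manifests rather than `diff -r` is deliberate: `diff -r` compares content only, and the failure mode worth guarding against on a mail spool is a copy made as root without `-a`, which yields byte-identical files that the delivery agent will refuse to write because the owner is wrong.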

Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

Marek Królikowski
>-----Original message-----
>From: Stan Hoeppner
>Sent: Tuesday, November 08, 2011 8:26 AM
>To: [hidden email]
>Subject: Re: Symlink problem = file is a symbolic link or Mailbox
>vulnerable - directory /var/spool/mail must have 1777 protection

>Simply mount the EMC device to a temporary mount point, which you have
>done.  Stop all mail related daemons so nothing is accessing
>/var/spool/mail.  Use 'cp -a' to copy all the mail files to the EMC
>filesystem.  Verify the copy process.  Delete all the mail files and any
>subdirectories from /var/spool/mail/ so the directory is empty and can
>be used as a mount point.  Unmount the EMC filesystem and remount it at
>/var/spool/mail/.  Verify directory permissions are correct.  Restart
>mail daemons.  Done.


Yes, I know, but this is how to move EVERYONE to EMC.
I don't want to move everyone to EMC; I want to move only half of all users.
I know I can mount EMC at /var/spool/mail but this is not what I want.
I want to move user by user, not everyone at one time.

Thanks


Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

Stan Hoeppner
On 11/8/2011 1:29 AM, Marek Krolikowski wrote:

>> -----Original message----- From: Stan Hoeppner
>> Sent: Tuesday, November 08, 2011 8:26 AM
>> To: [hidden email]
>> Subject: Re: Symlink problem = file is a symbolic link or Mailbox
>> vulnerable - directory /var/spool/mail must have 1777 protection
>
>> Simply mount the EMC device to a temporary mount point, which you have
>> done.  Stop all mail related daemons so nothing is accessing
>> /var/spool/mail.  Use 'cp -a' to copy all the mail files to the EMC
>> filesystem.  Verify the copy process.  Delete all the mail files and any
>> subdirectories from /var/spool/mail/ so the directory is empty and can
>> be used as a mount point.  Unmount the EMC filesystem and remount it at
>> /var/spool/mail/.  Verify directory permissions are correct.  Restart
>> mail daemons.  Done.
>
>
> Yes, I know, but this is how to move EVERYONE to EMC.
> I don't want to move everyone to EMC; I want to move only half of all users.
> I know I can mount EMC at /var/spool/mail but this is not what I want.
> I want to move user by user, not everyone at one time.

Then you need to tell us what MDA you are currently using and what type
of mailbox storage.  The list welcome message directed you to paste the
output of "postconf -n".  That will tell us what MDA you use, if what
you want to do can be done, and how easy/difficult it may be to setup
such a thing.  If you're using Dovecot it is relatively painless, if not
time consuming.  If you are simply having Postfix local(8) delivery
directly to mbox mailboxes it will be more difficult to move user
mailboxes one by one.  I've never used procmail so I have no tips for
you in that case.

--
Stan

Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

Marek Królikowski
>From: Stan Hoeppner
>Sent: Tuesday, November 08, 2011 8:59 AM
>To: [hidden email]
>Subject: Re: Symlink problem = file is a symbolic link or Mailbox
>vulnerable - directory /var/spool/mail must have 1777 protection
>Then you need to tell us what MDA you are currently using and what type
>of mailbox storage.  The list welcome message directed you to paste the
>output of "postconf -n".  That will tell us what MDA you use, if what
>you want to do can be done, and how easy/difficult it may be to setup
>such a thing.  If you're using Dovecot it is relatively painless, if not
>time consuming.  If you are simply having Postfix local(8) delivery
>directly to mbox mailboxes it will be more difficult to move user
>mailboxes one by one.  I've never used procmail so I have no tips for
>you in that case.
MAIL01 ~ # postconf -n
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = //usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = /usr/share/doc/postfix-2.8.4/html
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 30000000
mydestination = $myhostname, localhost, taken.pl
mydomain = taken.pl
myhostname = taken.pl
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.8.4/readme
relayhost = out.taken.pl
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/protected_destinations, check_client_access
hash:/etc/postfix/access, check_recipient_access
hash:/etc/postfix/recipient_access, permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination, check_sender_access
hash:/etc/postfix/sender_checks_my, reject_unauth_pipelining
smtpd_restriction_classes = insiders_only, insiders_only2
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/smtp-cert.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/smtp-cert.crt
smtpd_tls_key_file = /etc/postfix/smtp-cert.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

Stan Hoeppner
On 11/8/2011 2:54 AM, Marek Krolikowski wrote:

>> From: Stan Hoeppner
>> Sent: Tuesday, November 08, 2011 8:59 AM
>> To: [hidden email]
>> Subject: Re: Symlink problem = file is a symbolic link or Mailbox
>> vulnerable - directory /var/spool/mail must have 1777 protection
>> Then you need to tell us what MDA you are currently using and what type
>> of mailbox storage.  The list welcome message directed you to paste the
>> output of "postconf -n".  That will tell us what MDA you use, if what
>> you want to do can be done, and how easy/difficult it may be to setup
>> such a thing.  If you're using Dovecot it is relatively painless, if not
>> time consuming.  If you are simply having Postfix local(8) delivery
>> directly to mbox mailboxes it will be more difficult to move user
>> mailboxes one by one.  I've never used procmail so I have no tips for
>> you in that case.
> MAIL01 ~ # postconf -n
...
> mail_spool_directory = /var/spool/mail

Ok, so it appears you're having Postfix deliver to UNIX style mbox
mailboxes via local(8).  How are your users reading their mail?  A
popper?  Or something like pine or mutt?  The point I'm getting at is
reconfiguring users individually in Postfix only covers half the
problem--mail delivery.  You'll also have to tell the programs reading
the mail of each user's new mailbox location.

To address the Postfix delivery aspect, you'll need to use
virtual_mailbox_maps as it facilitates specifying mail_location on a
per-recipient basis.  Read this and everything related to it:

http://www.postfix.org/postconf.5.html#virtual_mailbox_maps

--
Stan
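What Stan points at, a per-recipient mailbox path via virtual_mailbox_maps, needs three lookup tables and a main.cf change. The script below is an added example, not Stan's and not from the Postfix documentation: it generates those tables from a per-user migration list. The domain and paths are the thread's (taken.pl, /mnt/EMC, /var/spool/mail); the list format, the uids/gids and the table file names are constructed for the example. Two things the thread does not spell out and that the script's comments carry: a domain is served either by local(8) (mydestination) or by virtual(8) (virtual_mailbox_domains), never both, so moving one taken.pl user this way means listing every taken.pl user, the unmoved ones with their old path; and virtual(8) refuses uids below virtual_minimum_uid (default 100). The reader side (ipop3d/imapd finding the new mailbox) is Stan's other half and is not covered here.

```shell
#!/bin/sh
# Added example (not Stan's, not from the Postfix docs): build the tables
# that let virtual(8) deliver each recipient to its own mailbox path.
# Caveats: the domain must be removed from mydestination and put in
# virtual_mailbox_domains, so EVERY user of the domain needs an entry
# (not-yet-moved users keep /var/spool/mail/<user>); uids must be >=
# virtual_minimum_uid (default 100). The list below is constructed data.

VMAIL_BASE=/    # virtual_mailbox_base; table values are relative to it

# Migration list (constructed): user uid gid absolute-mailbox-path.
# No trailing slash = mbox format, which is what the poster's system uses.
MIGRATION_LIST='# user  uid  gid  mailbox
test   1001 100  /mnt/EMC/var/spool/mail/test
alice  1002 100  /var/spool/mail/alice'

# rel_to_base PATH: strip $VMAIL_BASE, which virtual(8) prepends again;
# refuse paths outside the base instead of silently emitting them
rel_to_base() {
    case $1 in
        "$VMAIL_BASE"*) printf '%s\n' "${1#"$VMAIL_BASE"}" ;;
        *) echo "rel_to_base: $1 is outside $VMAIL_BASE" >&2; return 1 ;;
    esac
}

# gen_map KIND DOMAIN < list: print "user@DOMAIN value" lines, where KIND is
# mailbox (path relative to base), uid or gid; blank and # lines are skipped
gen_map() {
    kind=$1
    domain=$2
    while read -r user uid gid path; do
        case $user in ''|'#'*) continue ;; esac
        case $kind in
            mailbox) value=$(rel_to_base "$path") || return 1 ;;
            uid)     value=$uid ;;
            gid)     value=$gid ;;
            *) echo "gen_map: unknown kind '$kind'" >&2; return 1 ;;
        esac
        printf '%s@%s %s\n' "$user" "$domain" "$value"
    done
}

# main_cf_fragment DOMAIN: settings to add after removing DOMAIN from mydestination
main_cf_fragment() {
    cat <<EOF
virtual_mailbox_domains = $1
virtual_mailbox_base = $VMAIL_BASE
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = hash:/etc/postfix/vuid
virtual_gid_maps = hash:/etc/postfix/vgid
EOF
}

# write_tables DOMAIN DIR: write vmailbox/vuid/vgid under DIR and compile
# them with postmap (needs Postfix installed; not run in the demo below)
write_tables() {
    for kind in mailbox uid gid; do
        case $kind in mailbox) f=vmailbox ;; *) f=v$kind ;; esac
        printf '%s\n' "$MIGRATION_LIST" | gen_map "$kind" "$1" > "$2/$f" || return 1
        postmap "hash:$2/$f" || return 1
    done
}

# Demo: show the main.cf fragment and the three tables for the thread's domain
main_cf_fragment taken.pl
for kind in mailbox uid gid; do
    echo "# table: $kind"
    printf '%s\n' "$MIGRATION_LIST" | gen_map "$kind" taken.pl
done
```

With `virtual_mailbox_base = /` the table value for the moved user is `mnt/EMC/var/spool/mail/test`, so virtual(8) opens `/mnt/EMC/var/spool/mail/test` directly and no symlink under /var/spool/mail is involved at all, which is what sidesteps the check Wietse describes.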

Re: Symlink problem = file is a symbolic link or Mailbox vulnerable - directory /var/spool/mail must have 1777 protection

Marek Królikowski
>-----Original message-----
>From: Stan Hoeppner
>Sent: Tuesday, November 08, 2011 11:06 AM
>To: [hidden email]
>Subject: Re: Symlink problem = file is a symbolic link or Mailbox
>vulnerable - directory /var/spool/mail must have 1777 protection
>
>Ok, so it appears you're having Postfix deliver to UNIX style mbox
>mailboxes via local(8).  How are your users reading their mail?  A
>popper?  Or something like pine or mutt?  The point I'm getting at is
>reconfiguring users individually in Postfix only covers half the
>problem--mail delivery.  You'll also have to tell the programs reading
>the mail of each user's new mailbox location.
>
>To address the Postfix delivery aspect, you'll need to use
>virtual_mailbox_maps as it facilitates specifying mail_location on a
>per-recipient basis.  Read this and everything related to it:
>
>http://www.postfix.org/postconf.5.html#virtual_mailbox_maps

Hello
I use net-mail/uw-imap-2007e-r1 - there are imap and ipop3d inside - both
have no problem with reading symlinked files/dirs