exim4: Permissions for mail spool, mail queue, configuration files, account and group names
[sent separately to exim-users and debian-devel]
recently, I stumbled over a minor configuration issue of exim 4, which
has led to major re-thinking of my permission concept. This has
managed to completely confuse me, and I will try to write things up to
get clarification, to learn what I did miss, and probably to discuss
things. My system is Debian GNU/Linux, so I have to worry about Debian
policy as well.
Debian status quo is as follows:
(1) Mail spool (/var/mail) is the place where user mailboxes are
stored. The directory should be root:mail 2775; the mailboxes
$USER:mail 660. MUAs run sgid mail to be able to create dot-locks
on the Mailboxes.
(2) exim's Mail queue (/var/spool/exim) is the place where exim stores
queued messages, message logs and a bunch of hint databases. On
Debian, directories in the mail queue are mail:mail 0750, files
mail:mail 0640. This currently allows misbehaving MUA programs to
read inside the mail queue which they are not supposed to.
(3) Logs go to /var/log/exim4 (mail:adm 2750).
(4) There is no policy about trusted and admin users for exim.
(5) Getting a statically allocated uid/gid for any package is quite
hard, so this must be avoided for the package.
What I'd like to have is a setup that satisfies the following
(A) Keep MUAs from reading inside the mail queue.
(B) Allow a group of admins.
(C) Allow a group of user accounts to be trusted.
(D) Generally: Keep different roles reasonably separated.
To have them satisfied, I think that the following changes to the exim
4 packages would be needed:
(a) Create a uid/gid for exim on installation of the package.
(b) chown mail queue to exim:exim and log directory to exim:adm
(c) Create a group "postmaster" (or should it be called mailadmin?) on
(d) Either declare admin_groups=postmaster or allow postmaster members
to sudo to exim (which approach is preferable?)
(e) Create a group "exim_trusted" on package installation.
(f) Declare trusted_groups=exim_trusted.
(g) If exim should run without root privileges, exim_group needs to be
mail to be able to write to mail spool. No problem with the mail
queue here since the exim uid can write there.
These changes yield the following additional questions that are not
(i) in src/EDITME, does EXIM_USER=exim compile in the numeric UID of
the exim account on the build system, or does it compile in the
string to be resolved to a numeric UID at run-time?
(ii) If an admin-user only command line option is invoked by a
non-admin user, does exim give a dedicated return value, so that
it would be possible to re-try the invocation with a sudo clause
in a wrapper automagically?
(iii) Would it be enough to make the exim user member of the mail
group in case of (g)? Or would that contradict the effort made
(iv) Can I use the postmaster group? To me, that name sounds
straightforward, but am I probably occupying a place in
namespace I am not supposed to take?
Thanks for your consideration and the discussion. Am I over the top,
or are my thoughts reasonable?
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29