FAQ
/usr/local/share/doc/mailman/mailman-install.txt

6.1.1 Integrating Postfix and Mailman
.
.
* When you configure Mailman, use the --with-mail-gid=mailman
switch; this will be the default if you configured Mailman after
adding the mailman owner. Because the owner of the aliases.db file
is mailman, Postfix will execute Mailman's wrapper program as uid
and gid mailman.
_______________________________
Extract from my mm_cfg.py
add_virtualhost('www.vizion2000.net', 'vizion2000.net')
add_virtualhost('www.atf4.com', 'atf4.com')
add_virtualhost('www.methuselaproject.org', 'methuselaproject.org')
add_virtualhost('www.methuselaproject.com', 'methuselaproject.com')
add_virtualhost('www.ispyforum.com', 'ispyforum.com')
add_virtualhost('www.workplacemassage.co.uk', 'workplacemassage.co.uk')
POSTFIX_STYLE_VIRTUAL_DOMAINS = ['atf4.com',
                                 'vizion2000.net',
                                 'methuselaproject.org',
                                 'methuselaproject.com',
                                 'ispyforum.com',
                                 'workplacemassage.co.uk',
                                 ]
MTA = 'Postfix'
SMTPHOST = 'dns1.vizion2000.net'
___________________________________
Extract from /var/maillog
Apr 20 08:24:58 dns1 Mailman mail-wrapper: Group mismatch error. Mailman
expected the mail wrapper script to be executed as group "nobody", but the
system's mail server executed the mail script as group "mailman". Try
tweaking the mail server to run the script as group "nobody", or re-run
configure, providing the command line option `--with-mail-gid=mailman'.
Apr 20 08:24:58 dns1 postfix/local[23091]: A271B1CC47:
to=<hanhamphoto at vizion2000.net>, orig_to=<hanhamphoto at atf4.com>, relay=local,
delay=526, delays=526/0.02/0/0.01, dsn=4.3.0, status=SOFTBOUNCE (Command died
with status 2: "/usr/local/mailman/mail/mailman post hanhamphoto". Command
output: Group mismatch error. Mailman expected the mail wrapper script to be
executed as group "nobody", but the system's mail server executed the mail
script as group "mailman". Try tweaking the mail server to run the script as
group "nobody", or re-run configure, providing the command line option
`--with-mail-gid=mailman'. )
Apr 20 08:26:23 dns1 postfix/anvil[23079]: statistics: max connection rate
1/60s for (smtp:168.100.1.7) at Apr 20 08:23:03
__________________________________________________

I have tried to rebuild mailman BUT the configuration option screen does not
appear. I have tried
# make with-mail-gid=mailman
but still get the same results
#./configure --with-mail-gid=mailman
is not available
It seems that mailman does not keep a record of the relevant configuration
setting, and the command to extract current settings for mailman,
bin/config_list, does not report this setting either.

What should I be doing here?

Thanks in advance
david


  • Jeffrey Goldberg at Apr 20, 2007 at 4:17 pm

    On Apr 20, 2007, at 10:41 AM, David Southwell wrote:

    > ___________________________________
    > Extract from /var/maillog
    > Apr 20 08:24:58 dns1 Mailman mail-wrapper: Group mismatch error. Mailman
    > expected the mail wrapper script to be executed as group "nobody", but the
    > system's mail server executed the mail script as group "mailman". Try
    > tweaking the mail server to run the script as group "nobody", or re-run
    > configure, providing the command line option `--with-mail-gid=mailman'.

    This is the third and final time I'll ask you to give a long directory
    listing of your mailman/data directory. (Twice here and once on the
    FreeBSD list).

    That information is needed to diagnose and fix the problem. In all
    likelihood, the problem will be fixed by a simple chown command. But
    the reason that I ask for information is because it is useful in
    getting the problem sorted out.

    If you have some privacy concerns or something that is making you
    reluctant to provide the information I asked for please say so. Or
    if you don't understand the questions, please say so.

    Asking for help, getting requests for more information, ignoring
    those requests, and then asking for more help on things that could
    have most likely been solved if you'd provided the requested
    information can get annoying.

    I recently set up mailman on a system extremely similar to yours
    (FreeBSD 6.*, postfix). And I've been a long time user of mailman
    (although with sendmail and exim). I really am in a good position to
    help, but I might have to leave it to people with more patience.

    Please see my previous post

    http://www.mail-archive.com/mailman-users%40python.org/msg44296.html

    where I ask for this information and ask a series of yes or no
    questions.
    > I have tried to rebuild mailman BUT the configuration option screen
    > does not appear. I have tried
    > # make with-mail-gid=mailman
    > but still get the same results
    > #./configure --with-mail-gid=mailman
    > is not available

    If you wish to override this when doing the build from BSD ports then
    you would use

    make -DMAIL_GID=mailman reinstall

    However, I STRONGLY advise against that. It is best to keep things
    as close to the default settings as possible.

    I do think that these problems are better served by doing the
    appropriate chown on the mailman/data directory instead of tinkering
    with the build which would probably lead to harder to diagnose problems.

    -j
  • David Southwell at Apr 20, 2007 at 6:38 pm

    On Friday 20 April 2007 09:17:29 Jeffrey Goldberg wrote:
    > On Apr 20, 2007, at 10:41 AM, David Southwell wrote:
    >> ___________________________________
    >> Extract from /var/maillog
    >> Apr 20 08:24:58 dns1 Mailman mail-wrapper: Group mismatch error. Mailman
    >> expected the mail wrapper script to be executed as group "nobody", but the
    >> system's mail server executed the mail script as group "mailman". Try
    >> tweaking the mail server to run the script as group "nobody", or re-run
    >> configure, providing the command line option `--with-mail-gid=mailman'.
    >
    > This is the third and final time I'll ask you to give a long directory
    > listing of your mailman/data directory. (Twice here and once on the
    > FreeBSD list).

    I'm sorry -- I did in fact try to send it but mailman trashed my mail system
    and I lost the thread.

    Here it is

    -rw-r----- 1 root mailman 41 Apr 16 07:51 adm.pw
    -rw-rw---- 1 root mailman 4364 Apr 20 06:39 aliases
    -rw-rw---- 1 mailman mailman 16384 Apr 20 06:39 aliases.db
    -rw-r----- 1 root mailman 41 Apr 16 07:52 creator.pw
    -rw-r--r-- 1 root mailman 10 Apr 20 07:11 last_mailman_version
    -rw-rw---- 1 mailman mailman 5 Apr 20 02:49 master-qrunner.pid
    -rw-r--r-- 1 root mailman 14114 Apr 20 07:11 sitelist.cfg
    -rw-rw-r-- 1 mailman mailman 0 Apr 17 09:52 virtual-aliases
    -rw-rw---- 1 www mailman 2275 Apr 20 06:39 virtual-mailman
    -rw-rw-r-- 1 mailman mailman 16384 Apr 20 06:39 virtual-mailman.db

    > I recently set up mailman on a system extremely similar to yours
    > (FreeBSD 6.*, postfix). And I've been a long time user of mailman
    > (although with sendmail and exim). I really am in a good position to
    > help, but I might have to leave it to people with more patience.

    You have been great

    OK ask away for any further info you need.

    > Please see my previous post
    >
    > http://www.mail-archive.com/mailman-users%40python.org/msg44296.html
    >
    > where I ask for this information and ask a series of yes or no
    > questions.
    >
    >> I have tried to rebuild mailman BUT the configuration option screen
    >> does not appear. I have tried
    >> # make with-mail-gid=mailman
    >> but still get the same results
    >> #./configure --with-mail-gid=mailman
    >> is not available
    >
    > If you wish to override this when doing the build from BSD ports then
    > you would use
    >
    > make -DMAIL_GID=mailman reinstall
    >
    > However, I STRONGLY advise against that. It is best to keep things
    > as close to the default settings as possible.
    >
    > I do think that these problems are better served by doing the
    > appropriate chown on the mailman/data directory instead of tinkering
    > with the build which would probably lead to harder to diagnose problems.
    >
    > -j
  • Jeffrey Goldberg at Apr 20, 2007 at 6:36 pm
    [I'm adding ports at freebsd.org to the cc in the hopes of making it
    easier for everyone following this discussion to follow it.]
    On Apr 20, 2007, at 1:38 PM, David Southwell wrote:

    > I'm sorry -- I did in fact try to send it but mailman trashed my
    > mail system and I lost the thread.

    OK, thanks.

    > Here it is
    >
    > -rw-r----- 1 root mailman 41 Apr 16 07:51 adm.pw
    > -rw-rw---- 1 root mailman 4364 Apr 20 06:39 aliases
    > -rw-rw---- 1 mailman mailman 16384 Apr 20 06:39 aliases.db
    > -rw-r----- 1 root mailman 41 Apr 16 07:52 creator.pw
    > -rw-r--r-- 1 root mailman 10 Apr 20 07:11 last_mailman_version
    > -rw-rw---- 1 mailman mailman 5 Apr 20 02:49 master-qrunner.pid
    > -rw-r--r-- 1 root mailman 14114 Apr 20 07:11 sitelist.cfg
    > -rw-rw-r-- 1 mailman mailman 0 Apr 17 09:52 virtual-aliases
    > -rw-rw---- 1 www mailman 2275 Apr 20 06:39 virtual-mailman
    > -rw-rw-r-- 1 mailman mailman 16384 Apr 20 06:39 virtual-mailman.db

    OK, the aliases files need to be owned by "nobody" so

    chown nobody aliases* virtual-aliases* virtual-mailman*

    will fix that. When new files are added, we want them to be owned by
    "nobody" so also do a

    chown nobody /usr/local/mailman/data

    Those chown's will have to be done as root.

    Cheers,

    -j
  • Jeffrey Goldberg at Apr 20, 2007 at 4:38 pm

    On Apr 20, 2007, at 10:42 AM, David Southwell wrote:

    > Extract from /var/maillog
    > Apr 20 08:24:58 dns1 Mailman mail-wrapper: Group mismatch error. Mailman
    > expected the mail wrapper script to be executed as group "nobody", but the
    > system's mail server executed the mail script as group "mailman". Try
    > tweaking the mail server to run the script as group "nobody", or re-run
    > configure, providing the command line option `--with-mail-gid=mailman'.

    I've given a complementary response on the mailman-users list (to
    which I'm also cc'ing this)

    Nothing I say below takes away from what I said in that previous
    post. The answers to the questions I've asked would have resolved
    this problem long ago.

    There appears to be a bug in the pkg-install file that comes with the
    current mailman port. When one installs (through FreeBSD ports)
    mailman selecting postfix as the MTA, the MAIL_GID correctly gets set
    to "nobody"

    But in the pkg-install script all of the mailman files get set with

    echo "---> Creating Mailman directory (/usr/local/mailman)"
    (umask 002 && /bin/mkdir -p "/usr/local/mailman") || exit 1
    /usr/sbin/chown -R "mailman:mailman" "/usr/local/mailman" || exit 1
    /bin/chmod g+s "/usr/local/mailman" || exit 1

    Which is correct for everything except for /usr/local/mailman/data
    which should actually be set with

    chown -R nobody:mailman /usr/local/mailman/data

    I don't know enough about ports to actually find the source
    pkg-install file (the one I looked at and quoted from is after make has
    edited it with sed). So I'm not certain whether the problem is in
    the Makefile or in the source for the pkg-install.

    I experienced the same problem David had just a few weeks ago, but I
    attributed the problem (which I fixed by manually doing the chown) to
    me having moved my mailman set up from one machine to another. So I
    thought that I had the wrong permissions for /usr/local/mailman/data
    as a consequence of the move and not because the mailman FreeBSD port
    was broken.

    When I saw some of David's problems I started to have some
    suspicions, but I wasn't able to get enough information from him to
    really look at the ownerships the port set up.

    Cheers,

    -j
  • David Southwell at Apr 20, 2007 at 6:32 pm

    On Friday 20 April 2007 09:38:03 Jeffrey Goldberg wrote:
    > On Apr 20, 2007, at 10:42 AM, David Southwell wrote:
    >> Extract from /var/maillog
    >> Apr 20 08:24:58 dns1 Mailman mail-wrapper: Group mismatch error. Mailman
    >> expected the mail wrapper script to be executed as group "nobody", but the
    >> system's mail server executed the mail script as group "mailman". Try
    >> tweaking the mail server to run the script as group "nobody", or re-run
    >> configure, providing the command line option `--with-mail-gid=mailman'.
    >
    > I've given a complementary response on the mailman-users list (to
    > which I'm also cc'ing this)
    >
    > Nothing I say below takes away from what I said in that previous
    > post. The answers to the questions I've asked would have resolved
    > this problem long ago.
    >
    > There appears to be a bug in the pkg-install file that comes with the
    > current mailman port. When one installs (through FreeBSD ports)
    > mailman selecting postfix as the MTA, the MAIL_GID correctly gets set
    > to "nobody"
    >
    > But in the pkg-install script all of the mailman files get set with
    >
    > echo "---> Creating Mailman directory (/usr/local/mailman)"
    > (umask 002 && /bin/mkdir -p "/usr/local/mailman") || exit 1
    > /usr/sbin/chown -R "mailman:mailman" "/usr/local/mailman" || exit 1
    > /bin/chmod g+s "/usr/local/mailman" || exit 1
    >
    > Which is correct for everything except for /usr/local/mailman/data
    > which should actually be set with
    >
    > chown -R nobody:mailman /usr/local/mailman/data
    >
    > I don't know enough about ports to actually find the source
    > pkg-install file (the one I looked at and quoted from is after make has
    > edited it with sed). So I'm not certain whether the problem is in
    > the Makefile or in the source for the pkg-install.
    >
    > I experienced the same problem David had just a few weeks ago, but I
    > attributed the problem (which I fixed by manually doing the chown) to
    > me having moved my mailman set up from one machine to another. So I
    > thought that I had the wrong permissions for /usr/local/mailman/data
    > as a consequence of the move and not because the mailman FreeBSD port
    > was broken.
    >
    > When I saw some of David's problems I started to have some
    > suspicions, but I wasn't able to get enough information from him to
    > really look at the ownerships the port set up.

    The problem is I was not able to actually rebuild the ports doing a config. It
    seems once mailman has been installed once you cannot get the config
    screen up and another make install leaves things exactly as they were for the
    previous installation. The original installation preferences are preserved -
    so I cannot tell you how the port created the ownership originally. All I can
    tell you is that I followed the instructions in docs.
    Sorry to appear to be unhelpful -- but if there is anything I can do please
    let me know.

    Thanks again for your warmth and help
    \david

    > Cheers,
    >
    > -j
  • David Southwell at Apr 20, 2007 at 6:44 pm

    On Friday 20 April 2007 09:38:03 Jeffrey Goldberg wrote:
    > chown -R nobody:mailman /usr/local/mailman/data

    Here is what happens if I do that command:

    [root at dns1 /usr/local/mailman/data]# ls -l
    total 64
    -rw-r----- 1 root mailman 41 Apr 16 07:51 adm.pw
    -rw-rw---- 1 root mailman 4364 Apr 20 06:39 aliases
    -rw-rw---- 1 mailman mailman 16384 Apr 20 06:39 aliases.db
    -rw-r----- 1 root mailman 41 Apr 16 07:52 creator.pw
    -rw-r--r-- 1 root mailman 10 Apr 20 07:11 last_mailman_version
    -rw-rw---- 1 mailman mailman 5 Apr 20 02:49 master-qrunner.pid
    -rw-r--r-- 1 root mailman 14114 Apr 20 07:11 sitelist.cfg
    -rw-rw-r-- 1 mailman mailman 0 Apr 17 09:52 virtual-aliases
    -rw-rw---- 1 www mailman 2275 Apr 20 06:39 virtual-mailman
    -rw-rw-r-- 1 mailman mailman 16384 Apr 20 06:39 virtual-mailman.db
    [root at dns1 /usr/local/mailman/data]# chown -R nobody:mailman /usr/local/mailman/data
    [root at dns1 /usr/local/mailman/data]# ls -l
    total 64
    -rw-r----- 1 nobody mailman 41 Apr 16 07:51 adm.pw
    -rw-rw---- 1 nobody mailman 4364 Apr 20 06:39 aliases
    -rw-rw---- 1 nobody mailman 16384 Apr 20 06:39 aliases.db
    -rw-r----- 1 nobody mailman 41 Apr 16 07:52 creator.pw
    -rw-r--r-- 1 nobody mailman 10 Apr 20 07:11 last_mailman_version
    -rw-rw---- 1 nobody mailman 5 Apr 20 02:49 master-qrunner.pid
    -rw-r--r-- 1 nobody mailman 14114 Apr 20 07:11 sitelist.cfg
    -rw-rw-r-- 1 nobody mailman 0 Apr 17 09:52 virtual-aliases
    -rw-rw---- 1 nobody mailman 2275 Apr 20 06:39 virtual-mailman
    -rw-rw-r-- 1 nobody mailman 16384 Apr 20 06:39 virtual-mailman.db
    [root at dns1 /usr/local/mailman/data]# cd ..
    [root at dns1 /usr/local/mailman]# ls -l
    total 36
    drwxrwsr-x 11 root mailman 1536 Apr 20 07:11 Mailman
    drwxrwsr-x 4 root mailman 512 Apr 16 07:07 archives
    drwxrwsr-x 2 root mailman 1024 Apr 20 07:11 bin
    drwxrwsr-x 2 root mailman 512 Apr 20 07:11 cgi-bin
    drwxrwsr-x 2 root mailman 512 Apr 20 07:11 cron
    drwxrwsr-x 2 nobody mailman 2048 Apr 20 08:24 data
    drwxrwsr-x 2 root mailman 512 Apr 20 07:11 icons
    drwxrwsr-x 7 root mailman 512 Apr 20 06:39 lists
    drwxrwsr-x 2 root mailman 512 Apr 20 11:40 locks
    drwxrwsr-x 2 root mailman 512 Apr 20 07:20 logs
    drwxrwsr-x 2 root mailman 512 Apr 20 07:11 mail
    drwxrwsr-x 34 root mailman 512 Apr 20 07:11 messages
    drwxrwsr-x 6 root mailman 512 Apr 20 07:11 pythonlib
    drwxrwsr-x 11 root mailman 512 Apr 20 02:49 qfiles
    drwxrwsr-x 2 root mailman 512 Apr 20 07:11 scripts
    drwxrwsr-x 2 root mailman 512 Apr 20 07:11 spam
    drwxrwsr-x 35 root mailman 512 Apr 20 07:11 templates
    drwxrwsr-x 4 root mailman 512 Apr 20 07:11 tests
    [root at dns1 /usr/local/mailman]# postfix reload
    postfix/postfix-script: refreshing the Postfix mail system
    [root at dns1 /usr/local/mailman]# bin/check_perms
    /usr/local/mailman/data/aliases.db owned by nobody (must be owned by mailman
    /usr/local/mailman/data/virtual-mailman.db owned by nobody (must be owned by mailman
    Problems found: 2
    Re-run as mailman (or root) with -f flag to fix
    [root at dns1 /usr/local/mailman]#

    David
  • Jeffrey Goldberg at Apr 20, 2007 at 6:51 pm

    On Apr 20, 2007, at 1:44 PM, David Southwell wrote:
    > On Friday 20 April 2007 09:38:03 Jeffrey Goldberg wrote:
    >> chown -R nobody:mailman /usr/local/mailman/data
    >
    > Here is what happens if I do that command:
    >
    > [root at dns1 /usr/local/mailman]# bin/check_perms
    > /usr/local/mailman/data/aliases.db owned by nobody (must be owned by mailman
    > /usr/local/mailman/data/virtual-mailman.db owned by nobody (must be owned by mailman
    > Problems found: 2
    > Re-run as mailman (or root) with -f flag to fix
    > [root at dns1 /usr/local/mailman]#

    Hmmm. Now that I check, I get the same warning. However, my system
    does work with owners and permissions like this.

    Still, I guess this isn't a proper solution to the problem since the
    next time we run

    bin/check_perms -f

    we will actually break things on our systems.

    Maybe the correct solution is use owner "mailman" and MAIL_GID as
    "mailman", which means a simple fix to the mailman ports Makefile.

    In which case, your attempt to recompile with mailman as the GID
    would have been the right approach.

    The way to reset the OPTIONS for a FreeBSD port is to run

    make config

    in the port directory. But the MAIL_GID is not among the options
    settable that way.

    I believe that if you use

    make -DMAIL_GID=mailman reinstall

    then that will pass the correct option to the configure script that
    comes with mailman.

    Cheers,

    -j
  • Jeffrey Goldberg at Apr 20, 2007 at 7:23 pm

    On Apr 20, 2007, at 1:44 PM, Paul Schmehl wrote:

    > *If* what you say is true [...]

    which I am increasingly doubtful of.

    > then this should fix it:

    --- pkg-install.orig Fri Apr 20 13:42:17 2007
    +++ pkg-install Fri Apr 20 13:42:47 2007
    @@ -43,6 +43,7 @@
    (umask 002 && /bin/mkdir -p "%%MAILMANDIR%%") || exit 1
    /usr/sbin/chown -R "%%USER%%:%%GROUP%%" "%%MAILMANDIR%%" || exit 1
    /bin/chmod g+s "%%MAILMANDIR%%" || exit 1
    + /usr/sbin/chown -R "nobody" "%%MAILMANDIR%%/data" || exit 1
    fi
    ;;
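
    Review bot: the added chown line hard-codes "nobody" as the owner, while the two lines above it take owner and group from %%USER%%:%%GROUP%%. The thread itself establishes that the account that works depends on which MTA the port was built for, so the value should come from a substituted variable rather than a literal. The -R also re-owns everything under data/, including adm.pw and creator.pw shown in the listings earlier in the thread, when only the alias files and their .db maps are involved; limit the chown to those files.
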
    Can you tell me where to find the unprocessed version of
    pkg-install? What is in work/ has already been processed by sed, and I
    didn't see anything obvious in files/

    I know I should read the porters' handbook, but at this point I'm
    just poking around to try to get some sense of how the pieces come
    together.

    I'm beginning to think that the fix will be as simple as

    --- Makefile.orig Fri Apr 20 14:17:08 2007
    +++ Makefile Fri Apr 20 14:18:14 2007
    @@ -88,7 +88,7 @@
    .if defined(WITH_SENDMAIL) || defined(WITH_EXIM3) || defined(WITH_EXIM4)
    BROKEN= choose only one MTA integration
    .endif
    -MAIL_GID?= nobody
    +MAIL_GID?= mailman
    .endif
    .if defined(WITH_CHINESE)
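
    Review bot: the new MAIL_GID default changes the group compiled into the mail wrapper, but this version of the patch does not bump PORTREVISION, so machines that already have the port installed get no signal to rebuild and keep a wrapper that expects "nobody". Add the PORTREVISION bump to the same change. Because the assignment is "?=", anyone who already passes MAIL_GID on the make command line keeps their own value, which is worth saying in the commit message.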

    But I haven't tested. And I don't know what the original reason was
    for using "nobody", so I may very well be talking nonsense.

    Cheers,

    -j
  • Jeffrey Goldberg at Apr 21, 2007 at 12:54 am

    On Apr 20, 2007, at 4:31 PM, Paul Schmehl wrote:

    > --On Friday, April 20, 2007 14:23:14 -0500 Jeffrey Goldberg wrote:
    >> Can you tell me where to find the unprocessed version of pkg-install?
    >> What is in work/ has already been processed by sed, and I didn't see
    >> anything obvious in files/
    >
    > /usr/ports/mail/mailman/pkg-install

    Ah. It was right under my nose.

    >> I'm beginning to think that the fix will be as simple as

    --- Makefile.orig Fri Apr 20 14:17:08 2007
    +++ Makefile Fri Apr 20 14:18:14 2007
    @@ -88,7 +88,7 @@
    .if defined(WITH_SENDMAIL) || defined(WITH_EXIM3) || defined
    (WITH_EXIM4)
    BROKEN= choose only one MTA integration
    .endif
    -MAIL_GID?= nobody
    +MAIL_GID?= mailman
    .endif
    .if defined(WITH_CHINESE)
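
    Review bot: in this quoted copy the first context line has been wrapped by the mail client, leaving "... || defined" on one line and "(WITH_EXIM4)" on the next, so that context no longer matches the Makefile text and the hunk cannot be relied on to apply. Use the unwrapped copy from the earlier message, or resend the diff as an attachment.
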
    > No, that's *absolutely* the wrong fix. The group required for
    > mailman to work depends on the mail server you are using.
    > Sendmail, postfix, qmail, etc. all require different groups. So
    > using a fixed group might work for you, but it would break it for a
    > lot of other people's setups.

    I think I'm beginning to understand where that "nobody" comes from
    and why you are right about that.

    Here is an excerpt from the postfix aliases(5)

        In the absence of a user context, the local(8) daemon uses the owner
        rights of the :include: file or alias database. When those files are
        owned by the superuser, delivery is made with the rights specified with
        the default_privs configuration parameter.

    I had been looking at the first half of that (which I was already
    aware of). So I thought that if the wrapper were compiled to only
    run as "nobody" then the relevant alias files had to be owned by
    "nobody". I wasn't, until looking this up, aware of what happens
    when the aliases file is owned by root.

    In the postfix out of ports on FreeBSD, default_privs is set to
    "nobody".

    So the first fix (modifying the owner of data/aliases{,.db}) is the
    right way to go, but instead of making those files owned by
    "nobody" (which does seem dangerous because then anything running as
    "nobody" could change those files) they should be owned by root with
    mailman as the group and permissions like 664.

    Let me just test that now... Yes. Mail delivery seems to work with

    [jeffrey at dobby /usr/local/mailman/data]$ ls -la .
    total 78
    drwxrwsr-x 2 root mailman 1024 Apr 19 16:03 .
    drwxrwsr-x 20 mailman mailman 512 Mar 30 13:57 ..
    -rw-r----- 1 root mailman 41 Sep 11 2006 adm.pw
    -rw-rw---- 1 root mailman 3523 Mar 31 16:10 aliases
    -rw-rw-r-- 1 root mailman 16384 Mar 31 16:10 aliases.db
    -rw-rw-r-- 1 root mailman 12288 Sep 13 2006 aliases.db.rpmsave
    -rw-r----- 1 root mailman 41 Sep 11 2006 creator.pw
    -rw-r--r-- 1 root mailman 10 Mar 30 13:57 last_mailman_version
    -rw-rw---- 1 root mailman 4 Apr 17 14:34 master-qrunner.pid
    -rw-r--r-- 1 root mailman 14114 Mar 30 13:57 sitelist.cfg
    -rw-rw---- 1 root mailman 3334 Mar 31 16:10 virtual-mailman
    -rw-rw-r-- 1 root mailman 16384 Mar 31 16:10 virtual-mailman.db

    I haven't yet tested list creation, but the permissions look fine to
    me. All of the relevant files (as well as the data directory itself)
    are writable by members of the mailman group.

    But I think I now see the problem

    $ ../bin/check_perms
    /usr/local/mailman/data/aliases.db owned by root (must be owned by mailman
    /usr/local/mailman/data/virtual-mailman.db owned by root (must be owned by mailman
    Problems found: 2
    Re-run as mailman (or root) with -f flag to fix

    Somehow check_perms doesn't seem to know how postfix does things. If
    I were to actually run

    check_perms -f

    it would break the ownership of the aliases file so that we would have
    the mismatch between what the uid postfix gives the wrapper
    ("mailman") and what the wrapper demands ("nobody").

    So maybe the problem is with check_perms and not with the port at all
    (well the port would still need to get the aliases files owned by root).

    While setting the aliases files to be owned by "nobody" or by making
    the wrapper want "mailman" instead of "nobody" would be work-arounds,
    both of those lose out on the security achieved by having the aliases
    files owned by root.

    Of course my two previous "understandings" of how things were
    supposed to work were wrong. So please take my current analysis with
    a large grain of salt.

    And thank you all for your patience in putting up with my half-baked
    postings.

    Cheers,

    -j
  • Jeffrey Goldberg at Apr 21, 2007 at 4:59 am

    On Apr 20, 2007, at 9:26 PM, Paul Schmehl wrote:

    > --On April 20, 2007 7:54:45 PM -0500 Jeffrey Goldberg wrote:
    >> So the first fix (modifying the owner of data/aliases{,.db}) is the
    >> right way to go, but instead of making those files owned by "nobody"
    >> (which does seem dangerous because then anything running as "nobody"
    >> could change those files) they should be owned by root with mailman as
    >> the group and permissions like 664.
    >
    > Nobody is an unprivileged user.

    Thank you. I forgot about that. I was treating "nobody" like "www"
    or "mail". It entirely slipped my mind that "nobody" really is
    different.

    >> it would break the ownership of the aliases file so that we would have
    >> the mismatch between what the uid postfix gives the wrapper
    >> ("mailman") and what the wrapper demands ("nobody").
    >
    > Nope. I've been running mailman for years now, and it works
    > perfectly fine. The owner of the data directory is mailman, and
    > the group is mailman.
    > ls -lsa /usr/local/mailman/data/
    > total 132
    > 2 drwxrwsr-x 2 mailman mailman 512 Apr 7 19:47 .
    > 2 drwxrwsr-x 20 mailman mailman 512 Nov 28 17:48 ..
    > 48 -rw-r--r-- 1 mailman mailman 65536 Sep 6 2005 .db
    > 2 -rw-r----- 1 mailman mailman 41 Sep 6 2005 adm.pw
    > 6 -rw-r--r-- 1 root mailman 4383 Oct 14 2005 aliases
    > 4 -rw-r----- 1 mailman mailman 3984 Sep 8 2005 aliases.bak
    > 48 -rw-r----- 1 mailman mailman 49152 May 5 2006 aliases.db
    > 0 -rw-rw-rw- 1 mailman mailman 0 Sep 9 2005 bounce-events-00446.pck
    > 0 -rw-rw-rw- 1 mailman mailman 0 Sep 9 2005 bounce-events-00449.pck
    > 0 -rw-rw-rw- 1 mailman mailman 0 Sep 9 2005 bounce-events-00467.pck
    > 0 -rw-rw-rw- 1 mailman mailman 0 Jan 27 2006 bounce-events-00567.pck
    > 0 -rw-rw-rw- 1 mailman mailman 0 Oct 13 2005 bounce-events-38840.pck
    > 2 -rw-r----- 1 mailman mailman 41 Sep 6 2005 creator.pw
    > 2 -rw-r--r-- 1 root mailman 10 Nov 28 17:48 last_mailman_version
    > 2 -rw-rw---- 1 mailman mailman 4 Apr 1 08:31 master-qrunner.pid
    > 14 -rw-r--r-- 1 root mailman 14114 Nov 28 17:48 sitelist.cfg

    I am fairly confident that if that is working for you, then you are
    not running with /usr/local/mailman/mail/mailman that was compiled
    with the current port with the postfix option set. The binary
    mailman has a gid compiled into it. Given the current port
    WITH_POSTFIX.

    Installing the current port WITH_POSTFIX will produce a mailman
    binary which will only allow itself to be run by "nobody". Yours
    must have "mailman" compiled in where "nobody" is in what I (and
    David) get.

    [jeffrey at dobby /usr/local/mailman/mail]$ strings mailman | tail
    leave
    post
    owner
    request
    unsubscribe
    Mailman mail-wrapper
    nobody
    Illegal command: %s
    Usage: %s program [args...]
    $FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.6 2005/05/19 07:31:06 dfr Exp $


    What is your result on your system? If you get "mailman" where I
    have "nobody" then one of my earlier suggestions (change MAIL_GID for
    the postfix setting from "nobody" to "mailman" in the port Makefile)
    may be the right thing. That is what is most consistent with the
    mailman install instructions.

    From /usr/local/share/doc/mailman/mailman-install.txt

    In section 6.1.1 Integrating Postfix and Mailman


    * When you configure Mailman, use the --with-mail-gid=mailman switch;

    However, the current ports Makefile compiles mailman
    --with-mail-gid=nobody

    The same section also says

        Make sure that the owner of the data/aliases and data/aliases.db
        file is mailman, that the group owner for those files is mailman,
        or whatever user and group you used in the configure command, and
        that both files are group writable:
        % su
        % chown mailman:mailman data/aliases*
        % chmod g+w data/aliases*

    > It is the *group* that matters to postfix, *not* the owner. Per
    > the pkg-message file:
    >
    > Mailman has been installed, but requires further configuration
    > before use!
    >
    > You will have to configure both your MTA (mail server) and web server to
    > integrate with Mailman. If the port's documentation has been installed,
    > extensive post-installation instructions may be found in:
    >
    > %%DOCSDIR%%/FreeBSD-post-install-notes
    >
    > Note (1): If you use an alternate (non-Sendmail) MTA, you MUST be sure
    > that the correct value of MAIL_GID was used when this port or package
    > was built. Performing a "make options" in the Mailman port directory
    > will list required values for various mail servers.
    >
    > Note that MAIL_GID is what matters. That is the *group* not the
    > owner of the files. Note also that the group only has read writes
    > to the aliases file, although it does have read/write access to the
    > bounce-events files.

    However it is the owner of the file containing the pipe alias that
    matters to postfix local deliveries. See local(8).

    >> So maybe the problem is with check_perms and not with the port at all
    >> (well the port would still need to get the aliases files owned by
    >> root).
    >
    > There's nothing at all wrong with the check_perms script.

    I am coming to that conclusion. I now think that my second
    suggestion of changing the ports Makefile to set MAIL_GID to mailman
    instead of nobody when configuring for postfix is the correct
    direction to go.

    > mailman owns the aliases db for mailman:
    > ls -lsa /usr/local/mailman/data/aliases*
    > 6 -rw-r--r-- 1 root mailman 4383 Oct 14 2005 /usr/local/mailman/data/aliases
    > 4 -rw-r----- 1 mailman mailman 3984 Sep 8 2005 /usr/local/mailman/data/aliases.bak
    > 48 -rw-r----- 1 mailman mailman 49152 May 5 2006 /usr/local/mailman/data/aliases.db
    >
    > And this is a working setup of mailman and postfix that's been
    > running for years.

    But I don't believe that that set-up will work with the configure
    options that get passed for compiling mailman with the current port.

    PORTNAME= mailman
    DISTVERSION= 2.1.9
    PORTREVISION= 1
    CATEGORIES?= mail

    Thus, with a bit more confidence than before I present the same
    Makefile diff I recommend:

    --- Makefile.orig Fri Apr 20 14:17:08 2007
    +++ Makefile Fri Apr 20 23:57:22 2007
    @@ -7,7 +7,7 @@
    PORTNAME= mailman
    DISTVERSION= 2.1.9
    -PORTREVISION= 1
    +PORTREVISION= 2
    CATEGORIES?= mail
    MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} \
    http://www.list.org/
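
    Review bot: the PORTREVISION bump from 1 to 2 is right, since the wrapper binary changes, but nothing in the patch tells the administrator that the rebuilt wrapper will expect a different group. Hosts where the alias files were re-owned to suit the old default (the chown to "nobody" or to root tried earlier in this thread) would then see the same group mismatch in the other direction. Pair the bump with a pkg-message or UPDATING entry that says to re-check the ownership of data/aliases* and data/virtual-mailman* after upgrading.
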
    @@ -88,7 +88,7 @@
    .if defined(WITH_SENDMAIL) || defined(WITH_EXIM3) || defined(WITH_EXIM4)
    BROKEN= choose only one MTA integration
    .endif
    -MAIL_GID?= nobody
    +MAIL_GID?= mailman
    .endif
    .if defined(WITH_CHINESE)
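
    Review bot: the context of this hunk does not show which .if block the MAIL_GID line belongs to; only the inner WITH_SENDMAIL/WITH_EXIM3/WITH_EXIM4 conflict check and a closing .endif are visible, so the diff alone does not confirm that the new default applies to the Postfix case only. Regenerate the diff with more context or name the enclosing conditional in the commit message, and update the per-MTA values that the pkg-message says "make options" lists so they agree with the new default.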

    Cheers,

    -j
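
The ownership rule quoted from aliases(5) and the group compiled into the wrapper can be combined into one check. The script below is an added example, not code from the thread or from Mailman or Postfix; the function names and the sample passwd/group entries are constructed, and it assumes the wrapper sees the primary group of the user Postfix delivers as.

```shell
#!/bin/sh
# Added example: predict whether Mailman's mail wrapper will accept the group
# that Postfix local(8) runs it under. Function names are hypothetical.

# aliases(5) rule quoted in the thread: the command runs with the rights of the
# alias database owner; if that owner is root, default_privs is used instead.
delivery_user() {    # $1 = owner of aliases.db, $2 = Postfix default_privs
    if [ "$1" = "root" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Primary group name of a user, read from passwd(5)/group(5) format files.
# Assumption: the wrapper sees the primary group of the delivery user.
primary_group() {    # $1 = user, $2 = passwd file, $3 = group file
    gid=$(awk -F: -v u="$1" '$1 == u { print $4; exit }' "$2")
    [ -n "$gid" ] || return 1
    name=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$3")
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Prints "OK user:group" (status 0), "MISMATCH ..." (status 1), or
# "UNKNOWN ..." (status 2) when the account cannot be resolved.
# $1 = alias db owner, $2 = default_privs, $3 = group compiled into wrapper,
# $4 = passwd file, $5 = group file
check_wrapper() {
    user=$(delivery_user "$1" "$2")
    if ! grp=$(primary_group "$user" "$4" "$5"); then
        echo "UNKNOWN no passwd/group entry for $user"
        return 2
    fi
    if [ "$grp" = "$3" ]; then
        echo "OK $user:$grp"
        return 0
    fi
    echo "MISMATCH $user:$grp, wrapper wants $3"
    return 1
}

# Constructed sample account data in FreeBSD passwd/group layout.
SAMPLE_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
mailman:*:91:91:Mailman User:/usr/local/mailman:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
wheel:*:0:root
mailman:*:91:
nobody:*:65534:
EOF

# The three situations discussed in the thread, all with default_privs=nobody.
run_cases() {
    p="$SAMPLE_DIR/passwd"; g="$SAMPLE_DIR/group"
    # aliases.db owned by mailman, wrapper built for "nobody" (the logged error)
    check_wrapper mailman nobody nobody "$p" "$g" || true
    # aliases.db owned by root, wrapper built for "nobody"
    check_wrapper root nobody nobody "$p" "$g" || true
    # aliases.db owned by mailman, wrapper built with MAIL_GID=mailman
    check_wrapper mailman nobody mailman "$p" "$g" || true
}
run_cases
```

On a live host the owner comes from `ls -l` on data/aliases.db and the second argument from `postconf -h default_privs`, with /etc/passwd and /etc/group as the last two arguments.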

Discussion Overview
group: mailman-users @
categories: python
posted: Apr 20, '07 at 3:41p
active: Apr 21, '07 at 4:59a
posts: 11
users: 2
website: list.org
