Add information about how to set postfix permissions #3594

Merged
merged 4 commits into from
Jan 2, 2018


danielnelson
Contributor

closes #3591

Required for all PRs:

  • Signed CLA.
  • Associated README.md updated.
  • Has appropriate unit tests.

@danielnelson danielnelson added the docs Issues related to Telegraf documentation and configuration descriptions label Dec 16, 2017
@danielnelson danielnelson added this to the 1.5.1 milestone Dec 16, 2017
@danielnelson
Contributor Author

@dynek Can you review?

@phemmer
Contributor

phemmer commented Dec 16, 2017

One caveat about these methods is that the directories in deferred are created on first use. So if they're created after these commands are run, then they'll need to be run again.

However, in the case of ACL, you can set a default ACL, which should get inherited by the new directories (unless postfix is doing something silly like explicitly performing a chown instead of using a umask).


Posix ACL:
```sh
$ sudo setfacl -R -m u:telegraf:r /var/spool/postfix
```

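Review bot: the `setfacl -R -m u:telegraf:r` line under "Posix ACL" only sets an access ACL on the directories that exist when it is run, so queue directories created later will not carry the telegraf entry and the command would have to be re-run. Suggest adding a default ACL entry as well (`-d`, for example `setfacl -R -d -m ...` on the same path) and saying in the README that the recursive command only covers directories present at the time.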

It'll need execute as well to be able to read the dir. setfacl supports X (upper case) to only set execute bit on dirs, not files.

@danielnelson
Contributor Author

danielnelson commented Dec 16, 2017

I added the +X to setfacl, and the setgid bit to chmod

@dynek
Contributor

dynek commented Dec 16, 2017

Now getting:

```
Dec 16 08:02:52 server.host.tld postfix/postdrop[7766]: warning: mail_queue_enter: create file maildrop/6997.7766: Permission denied
```

Trying to fix it :-/

@dynek
Contributor

dynek commented Dec 16, 2017

OK, fixed it with a previous dump of permissions (ls -lsaR) and postfix check.

Will check it a bit later.

Apparently we should not be overriding chgrping of postdrop for some dirs.

@phemmer
Contributor

phemmer commented Dec 16, 2017

Yeah, looks like the maildrop directory does utilize group permissions. So the chgrp should be targeted at just the active, deferred, hold, incoming, & maildrop dirs.

@dynek
Contributor

dynek commented Dec 17, 2017

Not 100% tested but that seems OK

```sh
sudo chgrp -R telegraf /var/spool/postfix/{active,hold,incoming,deferred}
sudo chmod -R g+rXs /var/spool/postfix/{active,hold,incoming,deferred}
sudo usermod -a -G postdrop telegraf
sudo chmod g+r /var/spool/postfix/maildrop
sudo setfacl -Rdm u:telegraf:rX /var/spool/postfix/{active,hold,incoming,deferred,maildrop}
```

@phemmer what do you think?
What about adding telegraf to group postdrop, not sure about this one.
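
The caveat raised earlier in the thread, that queue directories are created on first use and may miss the permissions, can be checked instead of assumed. The following is an added example, not part of this PR or of Telegraf: a POSIX shell check for the chgrp/chmod variant only (ACLs are not inspected). The function names are hypothetical, and the queue path and group are passed in as arguments.

```shell
#!/bin/sh
# Added example: find queue entries that a monitoring group cannot read
# after the chgrp / chmod g+rXs commands from the thread have been applied.
# Function names are hypothetical; they are not part of Telegraf or postfix.

# Sub-directories the thread applies chgrp/chmod to.
QUEUE_SUBDIRS="active hold incoming deferred"

# Bits every directory needs: setgid (2000) + group read (040) + group execute (010).
DIR_MODE=2050

# dirs_needing_fix QUEUE GROUP
# Print directories not owned by GROUP or missing any of the DIR_MODE bits.
dirs_needing_fix() {
    queue=$1
    group=$2
    for sub in $QUEUE_SUBDIRS; do
        # Queue directories are created on first use, so a missing one is not an error.
        [ -d "$queue/$sub" ] || continue
        find "$queue/$sub" -type d \( ! -group "$group" -o ! -perm -"$DIR_MODE" \)
    done
}

# files_needing_fix QUEUE GROUP
# Print regular files not owned by GROUP or not group-readable.
files_needing_fix() {
    queue=$1
    group=$2
    for sub in $QUEUE_SUBDIRS; do
        [ -d "$queue/$sub" ] || continue
        find "$queue/$sub" -type f \( ! -group "$group" -o ! -perm -040 \)
    done
}

# queue_is_readable QUEUE GROUP
# Succeeds only when both lists above are empty.
queue_is_readable() {
    [ -z "$(dirs_needing_fix "$1" "$2")" ] && [ -z "$(files_needing_fix "$1" "$2")" ]
}
```

Run as a user that can traverse the queue, for example `queue_is_readable /var/spool/postfix telegraf`; any path printed by the two listing functions is one where the chgrp/chmod commands need to be applied again.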

@danielnelson
Contributor Author

Updated proposed docs, can you review again?

@danielnelson danielnelson force-pushed the postfix-permission-docs branch from 47999f7 to 32fd8ae Compare January 2, 2018 19:59
@danielnelson danielnelson merged commit a440ed8 into master Jan 2, 2018
@danielnelson danielnelson deleted the postfix-permission-docs branch January 2, 2018 22:09
danielnelson added a commit that referenced this pull request Jan 2, 2018
Successfully merging this pull request may close these issues.

Postfix plugin permissions
3 participants