Permission denied when deliving mail while they are OK

[neva-blyad]

How to reproduce bug.
Create /etc/smtpd.conf with the content below.

#   $OpenBSD: smtpd.conf,v 1.14 2019/11/26 20:14:38 gilles Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# TLS certificates
pki lovecry.pt cert "/etc/ssl/certs/lovecry.pt.crt"
pki lovecry.pt key  "/etc/ssl/private/lovecry.pt"

# Listen on the interface for incoming connections
listen on socket
listen on all port  25 tls-require pki lovecry.pt      # Submission
listen on all port 587 tls-require pki lovecry.pt auth # SMTP

# Tables
table aliases file:/etc/mail/aliases
table domains file:/etc/mail/domains

# Actions
action "local_mail" maildir "/var/mail/%{user.username:lowercase}/" alias <aliases>
action "outbound" relay

# Matches
match from local for local action "local_mail"
match from any for domain <domains> action "local_mail"
match from any for local reject

match from local for any action "outbound"
match from any for any reject

Restart OpenSMTPd:
$ rcctl restart smtpd

Then I send test mail to myself:

$ mailx [email protected] << END`
> hi
> END

The error messages appear in /var/log/maillog:

May  1 02:40:35 srv smtpd[20038]: ad3b7badb06ce2ab smtp connected address=local host=lovecry.pt
May  1 02:40:35 srv smtpd[20038]: ad3b7badb06ce2ab smtp message msgid=809da9da size=354 nrcpt=1 proto=ESMTP
May  1 02:40:35 srv smtpd[20038]: ad3b7badb06ce2ab smtp envelope evpid=809da9dad4a9e26f from=<[email protected]> to=<[email protected]>
May  1 02:40:35 srv smtpd[20038]: ad3b7badb06ce2ab smtp disconnected reason=quit
May  1 02:40:35 srv smtpd[20038]: ad3b7baf99e79257 mda delivery evpid=809da9dad4a9e26f from=<[email protected]> to=<[email protected]> rcpt=<[email protected]> user=neva_blyad delay=0s result=TempFail stat=Error (temporary failure: "mail.maildir: Permission denied")

My maildir delivery directory:

root@srv:/var/mail/ # ls -la
итого 32
drwxrwx---  4 root       mail   512 May  1 02:07 .
drwxr-xr-x 25 root       wheel  512 Apr 29 21:13 ..
drwx------  5 de_sade    mail   512 May  1 02:07 de_sade
drwx------ 15 neva_blyad mail  1024 May  1 02:14 neva_blyad

Pay attention that I have a write permission 700 to the my own maildir directory /var/mail/neva_blyad/, but server shows error anyway. (Also note that neva_blyad, de_sade are users of mail group, it is not necessary to know here.)
Now I change the permissions:

root@srv:/var/mail/ # chmod 0777 .
root@srv:/var/mail/ # ls -la
итого 32
drwxrwxrwx  4 root       mail   512 May  1 02:07 .
drwxr-xr-x 25 root       wheel  512 Apr 29 21:13 ..
drwx------  5 de_sade    mail   512 May  1 02:07 de_sade
drwx------ 15 neva_blyad mail  1024 May  1 02:14 neva_blyad

Restart the server, send mail again and everything has gone fine.

May  1 02:48:48 srv smtpd[32557]: fdf8a05be7cf4e78 smtp connected address=local host=lovecry.pt
May  1 02:48:48 srv smtpd[32557]: fdf8a05be7cf4e78 smtp message msgid=b6cb1063 size=340 nrcpt=1 proto=ESMTP
May  1 02:48:48 srv smtpd[32557]: fdf8a05be7cf4e78 smtp envelope evpid=b6cb10631aad2c3c from=<[email protected]> to=<[email protected]>
May  1 02:48:48 srv smtpd[32557]: fdf8a05be7cf4e78 smtp disconnected reason=quit
May  1 02:48:48 srv smtpd[32557]: fdf8a05d7d689eaa mda delivery evpid=b6cb10631aad2c3c from=<[email protected]> to=<[email protected]> rcpt=<[email protected]> user=neva_blyad delay=0s result=Ok stat=Delivered
May  1 02:48:51 srv smtpd[50261]: Exiting

So there is bug. OpenSMTPd requires that all 777 permission flags set to the top-level maildir directory /var/mail, but in fact it has to write multiple files in /var/mail/$USER/ (700, owned by $USER) by $USER.

[IanDarwin]

Try chmod 755 /var/mail

[maffo999]

I think I'm seeing a similar issue with OpenSMTPD 6.8.0p2 on Ubuntu 22.04.
I wanted to set this up for a local delivery only using maildirs in /var/mail/<username> so I created the configuration file accordingly.
Unfortunately unless /var/mail/<username> is set to be world-writable, opensmtpd will refuse to deliver any email to the user maildir folder:

user@babylon:~$ ls -la /var/mail/
total 12
drwxrwsrwx  3 root mail 4096 Dec 27 05:32 .
drwxr-xr-x 16 root root 4096 Jun 18  2023 ..
drwxrwsr-x  2 root mail 4096 Dec 27 05:32 user

user@babylon:~$ tail -f /var/log/mail.log
Dec 27 05:42:12 babylon smtpd[284208]: 38bc37f42013e26d mda delivery evpid=2c2ed897b706575c from=<user@babylon> to=<user@babylon> rcpt=<user@babylon> user=lorenzo delay=6m result=TempFail stat=Error (temporary failure: "mail.maildir: Permission denied")

Only after chmod 777 /var/mail/user, opensmtpd can correctly deliver email:

user@babylon:~$ sudo chmod 777 /var/mail/user/
user@babylon:~$ sudo systemctl restart opensmtpd
user@babylon:~$ tail -f /var/log/mail.log
Dec 27 05:42:33 babylon smtpd[284321]: info: OpenSMTPD 6.8.0p2 starting
Dec 27 05:42:36 babylon smtpd[284326]: 0ce0e56572413b64 mda delivery evpid=02263674462f6c61 from=<user@babylon> to=<user@babylon> rcpt=<user@babylon> user=user delay=13m30s result=Ok stat=Delivered

I don't think a maildir folder should be left with 777 permissions as that would allow anybody to read/modify elements in it; unfortunately any more restrictive permissions set on the maildir (even 775) causes the delivery to fail.

[ghost]

The mail.maildir (or any other mda) runs as the recipient user. This user needs to be able to access the maildir directory. In the case of @neva-blyad '/var/mail/' had no read and execute for the user. So 'mail.maildir' as neva_blyad can not change the dir to '/var/mail/neva_blyad'. In the case of @maffo999 the dir '/var/mail/user' belongs to 'root:mail' and other have no write permission. Change the directory owner to 'user' and it will work.

[neva-blyad]

The mail.maildir (or any other mda) runs as the recipient user. This user needs to be able to access the maildir directory. In the case of @neva-blyad '/var/mail/' had no read and execute for the user. So 'mail.maildir' as neva_blyad can not change the dir to '/var/mail/neva_blyad'. In the case of @maffo999 the dir '/var/mail/user' belongs to 'root:mail' and other have no write permission. Change the directory owner to 'user' and it will work.

You are not right, /var/mail/ had 770 (drwxrwx---) permissions, it means the recepient could both read and write to the directory. (Note that neva_blyad is member of mail group.)

[neva-blyad]

The bug is still active

[ghost]

[2024-02-10 17:07] neva-blyad ***@***.***>

> The mail.maildir (or any other mda) runs as the recipient user. This user needs to be able to access the maildir directory. In the case of @neva-blyad '/var/mail/' had no read and execute for the user. So 'mail.maildir' as neva_blyad can not change the dir to '/var/mail/neva_blyad'. In the case of @maffo999 the dir '/var/mail/user' belongs to 'root:mail' and other have no write permission. Change the directory owner to 'user' and it will work. You are not right, /var/mail/ had 770 (drwxrwx---) permissions, it means the recepient could both read and write to the directory. ( Note that neva_blyad is member of mail group.)

Yes, but opensmtpd only sets the login gid (the one in passwd(5)). So this setting only helps when your login gid in /etc/passwd is the gid of the mail group. When you don't want to change your login groupid you can use a userbase or set the read and exec permissions for others. Btw: adding all mail users to the mail group _and_ setting /var/mail writeable to the mail group doesn't sound like a good idea.

[neva-blyad]

Thank you. it is undocumented behavior though, that OpenSMTPD ignores second groups and use only primary user group. It is non-intuitive and non-typical for Unix daemon.

P. S. I set sticky bit to /var/mail/ so it goes fine.