
I am setting up procmail on my Debian Jessie mail server with the following global procmail config file (/etc/procmailrc):

SHELL="/bin/bash"
DELIVER="/usr/lib/dovecot/deliver"
LOGFILE="$HOME/.procmail.log"
DEFAULT="$HOME/Maildir/"
MAILDIR="$HOME/Maildir/"
ORGMAIL="$HOME/Maildir/"
# VERBOSE=on

# Invoke spambayes
:0 fw
| sb_filter -d /home/shared_directories/spambayes

# If the mail contains a dangerous file, send it to the admin.
:0 wB
* ^((Content-Disposition:.*(|$)[    ]*filename)|(Content-Type:.*(|$)[   ]*name))=.*\.(0|000|386|3gr|7z|7z\.001|7z\.002|9|a00|a01|a02|ace|add|ade|aepl|agg|ain|alz|apz|ar|arc|archiver|arh|ari|arj|ark|aru|asp|asr|atm|aut|b1|b64|ba|bas|bat|bh|bhx|bin|bkd|blf|bll|bmw|bndl|boo|bps|bqf|buk|bundle|bup|bxz|bz|bz2|bza|bzip|bzip2|c00|c01|c02|c10|car|cb7|cba|cbr|cbt|cbz|cc|cdz|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|comppkg_hauptwerk_rar|comppkg\.hauptwerk\.rar|cp9|cpgz|cpl|cpt|crt|ctbl|cxarchive|cxq|cyw|czip|dar|dbd|dbx|dd|deb|delf|dev|dgc|dist|dl_|dlb|dli|dll|dllx|docm|dom|drv|dx|dxz|dyv|dyz|dz|ecs|efw|egg|epi|exe|exe1|exe_renamed|ezt|f|fag|fdp|fjl|fnr|fon|fp8|fuj|fzbz|fzpz|gca|gmz|gz|gz2|gza|gzi|gzip|gzquar|ha|hbc|hbc2|hbe|hki|hki1|hki2|hki3|hlp|hlw|hpk|hsq|hta|hts|hyp|iadproj|ice|inf|ins|ipg|ipk|ish|isp|isx|ita|iva|iws|ize|j|jar|jar\.pack|jgz|jic|js|jse|jsonlz4|kcd|kgb|kz|layout|lbr|lemon|let|lha|libzip|lik|lkh|lnk|lnx|lok|lpaq5|lqr|lz|lzh|lzm|lzma|lzo|lzx|md|mdb|mde|mfu|mint|mjg|mjz|mou|mpkg|msc|msi|msp|mst|mzp|nex|nls|nz|oar|ocx|osa|oz|ozd|p01|p19|package|pack\.gz|pae|pak|paq6|paq7|paq8|paq8f|paq8l|paq8p|par|par2|pax|pbi|pcd|pcv|pcx|pea|pet|pf|pgm|php3|pid|pif|pim|pit|piz|pkg|plc|pr|psz|pup|puz|pwa|qda|qit|qrn|r0|r00|r01|r02|r03|r1|r2|r21|r30|rar|reg|rev|rhk|rk|rna|rnc|rp9|rpm|rsc_tmp|rte|rz|s00|s01|s02|s7p|s7z|sar|sbx|scr|sct|sdc|sdn|sea|sen|sfg|sfs|sfx|sh|shar|shb|shk|shr|shs|sifz|sit|sitx|ska|smm|smpf|smtmp|snappy|snb|sop|spam|spt|sqx|srep|ssy|stproj|swf|sy_|sys|tar\.bz2|tar\.gz|tar\.gz2|tar\.lz|tar\.lzma|tar\.xz|tar\.z|taz|tbz|tbz2|tg|tgz|tko|tlz|tlzma|tps|trs|tsa|tti|tx_|txs|txz|tz|uc2|ufs\.uzip|uha|upa|url|uzip|uzy|vb|vba|vbe|vbs|vbx|vem|vexe|vsi|vxd|vzr|wa|waff|war|wlb|wlpginstall|wmf|wot|ws|wsc|wsf|wsh|xar|xdu|xef|xez|xir|xlm|xlv|xmcdz|xnt|xnxx|xtbl|xx|xz|xzm|y|yz|yz1|z|z01|z02|z03|z04|zap|zfsendtotarget|zi|zip|zipx|zix|zl|zoo|zpi|zsplit|zvz|zw|zz)
{
:0 fw
| formail -I "X-Dangerous-Attachment: YES"

:0 w
! spam@localhost
}

# Handle ham: Send a copy to the admin
:0 c
* ^X-Spambayes-Classification: ham
! spam@localhost

# Handle spam and unsure: Send the mail to the admin
:0 w
* ^X-Spambayes-Classification: (spam|unsure)
! spam@localhost

:0 w
| $DELIVER

With the above global config file, I get the following log output:

procmail: [7287] Mon Jul 25 19:57:52 2016
procmail: Executing "sb_filter,-d,/home/shared_directories/spambayes"
procmail: [7287] Mon Jul 25 19:57:53 2016
procmail: No match on "^((Content-Disposition:.*(|$)[   ]*filename)|(Content-Type:.*(|$)[   ]*name))=.*\.(0|000|386|3gr|7z|7z\.001|7z\.002|9|a00|a01|a02|ace|add|ade|aepl|agg|ain|alz|apz|ar|arc|archiver|arh|ari|arj|ark|aru|asp|asr|atm|aut|b1|b64|ba|bas|bat|bh|bhx|bin|bkd|blf|bll|bmw|bndl|boo|bps|bqf|buk|bundle|bup|bxz|bz|bz2|bza|bzip|bzip2|c00|c01|c02|c10|car|cb7|cba|cbr|cbt|cbz|cc|cdz|ce0|ceo|cfxxe|chm|cih|cla|class|cmd|com|comppkg_hauptwerk_rar|comppkg\.hauptwerk\.rar|cp9|cpgz|cpl|cpt|crt|ctbl|cxarchive|cxq|cyw|czip|dar|dbd|dbx|dd|deb|delf|dev|dgc|dist|dl_|dlb|dli|dll|dllx|docm|dom|drv|dx|dxz|dyv|dyz|dz|ecs|efw|egg|epi|exe|exe1|exe_renamed|ezt|f|fag|fdp|fjl|fnr|fon|fp8|fuj|fzbz|fzpz|gca|gmz|gz|gz2|gza|gzi|gzip|gzquar|ha|hbc|hbc2|hbe|hki|hki1|hki2|hki3|hlp|hlw|hpk|hsq|hta|hts|hyp|iadproj|ice|inf|ins|ipg|ipk|ish|isp|isx|ita|iva|iws|ize|j|jar|jar\.pack|jgz|jic|js|jse|jsonlz4|kcd|kgb|kz|layout|lbr|lemon|let|lha|libzip|lik|lkh|lnk|lnx|lok|lpaq5|lqr|lz|lzh|lzm|lzma|lzo|lzx|md|mdb|mde|mfu|mint|mjg|mjz|mou|mpkg|msc|msi|msp|mst|mzp|nex|nls|nz|oar|ocx|osa|oz|ozd|p01|p19|package|pack\.gz|pae|pak|paq6|paq7|paq8|paq8f|paq8l|paq8p|par|par2|pax|pbi|pcd|pcv|pcx|pea|pet|pf|pgm|php3|pid|pif|pim|pit|piz|pkg|plc|pr|psz|pup|puz|pwa|qda|qit|qrn|r0|r00|r01|r02|r03|r1|r2|r21|r30|rar|reg|rev|rhk|rk|rna|rnc|rp9|rpm|rsc_tmp|rte|rz|s00|s01|s02|s7p|s7z|sar|sbx|scr|sct|sdc|sdn|sea|sen|sfg|sfs|sfx|sh|shar|shb|shk|shr|shs|sifz|sit|sitx|ska|smm|smpf|smtmp|snappy|snb|sop|spam|spt|sqx|srep|ssy|stproj|swf|sy_|sys|tar\.bz2|tar\.gz|tar\.gz2|tar\.lz|tar\.lzma|tar\.xz|tar\.z|taz|tbz|tbz2|tg|tgz|tko|tlz|tlzma|tps|trs|tsa|tti|tx_|txs|txz|tz|uc2|ufs\.uzip|uha|upa|url|uzip|uzy|vb|vba|vbe|vbs|vbx|vem|vexe|vsi|vxd|vzr|wa|waff|war|wlb|wlpginstall|wmf|wot|ws|wsc|wsf|wsh|xar|xdu|xef|xez|xir|xlm|xlv|xmcdz|xnt|xnxx|xtbl|xx|xz|xzm|y|yz|yz1|z|z01|z02|z03|z04|zap|zfsendtotarget|zi|zip|zipx|zix|zl|zoo|zpi|zsplit|zvz|zw|zz)"
procmail: No match on "^X-Spambayes-Classification: ham"
procmail: Match on "^X-Spambayes-Classification: (spam|unsure)"
procmail: Executing "/usr/sbin/sendmail,-oi,spam@localhost"
sendmail: warning: the Postfix sendmail command has set-uid root file permissions
sendmail: warning: or the command is run from a set-uid root process
sendmail: warning: the Postfix sendmail command must be installed without set-uid root file permissions
procmail: Assigning "LASTFOLDER=/usr/sbin/sendmail -oi spam@localhost"
procmail: Notified comsat: "testuser@:/usr/sbin/sendmail -oi spam@localhost"
From david@sardari.eu Mon Jul 25 19:57:52 2016
 Subject: test
  Folder: /usr/sbin/sendmail -oi spam@localhost                2922

Procmail complains about the sendmail command having the sticky bit. But that's not the case:

```
root@mail2:~# ls -l /usr/sbin/sendmail
-rwxr-xr-x 1 root root 25964 Nov  4  2014 /usr/sbin/sendmail
```

I don't get this error if I place the config file in the user's home folder (~/.procmailrc).

Questions:

  1. How do I get rid of the sticky bit warning in the procmail log?
  2. How can I place the code in the curly brackets in one line, e.g. | formail -I "X-Dangerous-Attachment: YES" ! spam@localhost?
  3. Did I cover every possibility to find the attachment's filename? Is there another possibility of being informed on the attachment's filename besides a "filename=" after "Content-Disposition" and "name=" after "Content-Type"?
David Sardari
  • Please only ask one question per post. Multiple tangential questions tend to result in a situation where no one answer is properly suitable to accept as correct, and makes it harder for future visitors to find focused information which is relevant to them. – tripleee Jul 26 '16 at 09:02
  • I don't think there are other standard MIME headers besides `Content-Disposition` with a fallback to `Content-Type` that you need to examine for the file name. You should, ideally, be able to cope with [RFC2231](https://tools.ietf.org/html/rfc2231) encoding of the value. – tripleee Jul 26 '16 at 09:13
  • #2 is basically a duplicate of http://stackoverflow.com/questions/33674229/using-procmail-to-copy-emails-to-another-address-and-altering-from – tripleee Jul 26 '16 at 09:14
  • The `w` flag doesn't make sense on a recipe whose action is a set of braces with more recipes inside, but once you follow the link in the previous comment, you'll be back to a single action where it does make sense again. – tripleee Jul 26 '16 at 09:16
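
The comment above about RFC 2231 points at the practical gap in a literal `filename=` / `name=` match. As an added example (not part of the original post or its comments), this Python sketch runs a simplified stand-in for the recipe's regex and a MIME-aware extraction over one constructed message; `BLOCKED`, `SAMPLE` and the function names are assumptions made for the illustration.

```python
import email
import re
from email.header import decode_header, make_header
BLOCKED = ("exe", "js", "scr")  # constructed subset of the question's list
# Constructed message: attachments named in three different ways.
SAMPLE = b"""\
From: sender@example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename*0*=UTF-8''quarterly%20report;
 filename*1=.js

x
--b1
Content-Type: application/octet-stream; name="=?UTF-8?B?cmVwb3J0LnNjcg==?="

x
--b1--
"""

# Simplified stand-in for the recipe's condition: literal "filename=" / "name=".
LITERAL = re.compile(
    rb"^(Content-Disposition:.*filename|Content-Type:.*name)=.*\.(exe|js|scr)",
    re.I | re.M)

def literal_hits(raw: bytes) -> int:
    return len(LITERAL.findall(raw))

def attachment_names(raw: bytes) -> list:
    """Decoded file names of all MIME parts (RFC 2231 and RFC 2047 aware)."""
    names = []
    for part in email.message_from_bytes(raw).walk():
        name = part.get_filename()  # joins and decodes RFC 2231 parameters
        if name:  # RFC 2047 encoded-words still need an explicit decode
            names.append(str(make_header(decode_header(name))))
    return names

def blocked_names(raw: bytes) -> list:
    suffixes = tuple("." + ext for ext in BLOCKED)
    return [n for n in attachment_names(raw) if n.strip().lower().endswith(suffixes)]
```

On the sample, the literal pattern fires once while the parsed names show three blocked extensions, so a filter of this kind would sit in a `:0 fw` pipe and add the header from the decoded names instead.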

1 Answer

When it is executing `/etc/procmailrc`, Procmail is running setuid root. Postfix doesn't like that.

The simplest solution is probably to put `DROPPRIVS=yes` somewhere above any delivering action. Perhaps like this:

```
# below the last :0fw filter, of course
:0cw
| $DELIVER

DROPPRIVS=yes

# any unprivileged actions here
:0
! spam@localhost
```

Because you seem to end up delivering everything to spam@localhost I simply took out the conditions.

tripleee