Oh, but I guess postdrop is not the delivery agent, it’s the mail injection command. We don’t mess with that or use it, so I’m not sure what’s going on.
What are you trying to do that results in that error? I mean, I think it could be used for locally sending mail (maybe even the sendmail command provided by Postfix uses it, I’m not sure, I’ve never dug into it to see, as it’s always just worked).
According to the manpage, the postdrop command is privileged (setuid, so it’s running with elevated privileges in the normal case). So, the fact that you’re seeing permission denied when it runs means something has changed…it’s no longer setuid.
e.g. on my mail server:
# ls -al /usr/sbin/postdrop
-rwxr-sr-x 1 root postdrop 20920 Aug 14 2023 /usr/sbin/postdrop
What’s yours look like? (Note the s.)
Have you disallowed setuid binaries or run some sort of security tool on the system that breaks setuid binaries?
I don’t think that matters. It’s an executable, it doesn’t need to be writable to run.
The directory is probably in /var/spool/postfix or…some chroot path that I don’t remember, if it’s configured to run chrooted (I don’t remember which distros chroot it by default, we support either mostly transparently, and it makes no real difference to security or functionality).
drwx-wx---. 2 postfix postdrop 106496 Jun 28 20:11 maildrop
But, all my servers are Rocky, not Ubuntu. It’s possible there are packaging differences. T is sticky bit without execute permissions. I’m not sure what impact that’d have.
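The comparison this post makes by eye, as an added shell example that is not part of the original post. It assumes, based on the Rocky listings above, that the binary should carry the set-group-ID bit, that the binary and the queue directory share a group, and that the group has write and search on the directory; `check_postdrop`, `group_of` and `mode_of` are names made up for this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the two listings the
# post compares: the postdrop binary and the maildrop queue directory.

group_of() { ls -ld "$1" | awk '{print $4}'; }                # owning group
mode_of()  { ls -ld "$1" | awk '{print substr($1, 1, 10)}'; } # drops "." / "+"

# check_postdrop BIN DIR GROUP
# Prints one line per finding; returns 0 only if nothing was found.
check_postdrop() {
    bin=$1; dir=$2; grp=$3; problems=0
    note() { echo "$1"; problems=$((problems + 1)); }

    if [ ! -f "$bin" ]; then
        note "$bin: not found"
    else
        # -g tests the set-group-ID bit, the "s" in -rwxr-sr-x.
        [ -g "$bin" ] || note "$bin: set-group-ID bit missing ($(mode_of "$bin"))"
        [ "$(group_of "$bin")" = "$grp" ] ||
            note "$bin: group is $(group_of "$bin"), expected $grp"
    fi

    if [ ! -d "$dir" ]; then
        note "$dir: not a directory"
    else
        [ "$(group_of "$dir")" = "$grp" ] ||
            note "$dir: group is $(group_of "$dir"), expected $grp"
        # Group needs write and search here, the "-wx" in drwx-wx---.
        case $(mode_of "$dir") in
            ?????w[xs]*) ;;
            *) note "$dir: group lacks write/search ($(mode_of "$dir"))" ;;
        esac
    fi
    [ "$problems" -eq 0 ]
}

# Paths and group as they appear in the post (the spool path is the post's guess):
# check_postdrop /usr/sbin/postdrop /var/spool/postfix/maildrop postdrop
```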