Postfix error mail_queue_enter: create file maildrop Permission denied

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.4
Virtualmin version: 7.10.0 Pro

seeing this error in /var/logs/mail.log:

postfix/postdrop[27084]: warning: mail_queue_enter: create file maildrop/287338.27084: Permission denied

any ideas?

thanks

That looks like you’ve changed the mailbox_command. Any particular reason why?

didn’t change anything – this is a fresh install. just saw it in the logs

Show us: grep mailbox_command /etc/postfix/main.cf

mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME

Huh. That’s right.

Oh, but I guess postdrop is not the delivery agent, it’s the mail injection command. We don’t mess with that or use it, so I’m not sure what’s going on.

What are you trying to do that results in that error? I mean, I think it could be used for locally sending mail (maybe even the sendmail command provided by Postfix uses it, I’m not sure, I’ve never dug into it to see, as it’s always just worked).

According to the manpage, the postdrop command is privileged (setuid, so it’s running with elevated privileges in the normal case). So, the fact that you’re seeing permission denied when it runs means something has changed…it’s no longer setuid.

e.g. on my mail server:

# ls -al /usr/sbin/postdrop 
-rwxr-sr-x 1 root postdrop 20920 Aug 14  2023 /usr/sbin/postdrop

What’s yours look like? (Note the s.)

Have you disallowed setuid binaries or run some sort of security tool on the system that breaks setuid binaries?

-r-xr-sr-x 1 root postdrop 22960 Jan 29 03:02 /usr/sbin/postdrop

didn’t change anything

Huh, also right. I’m confused how there could be a permission problem.

Is that filesystem mounted read-only? Are there any apparmor messages in the kernel log? Anything else interesting in the kernel logs?

well, yours has a w in the root part. mine doesn’t

I don’t think that matters. It’s an executable, it doesn’t need to be writable to run.

The directory is probably in /var/spool/postfix or…some chroot path that I don’t remember, if it’s configured to run chrooted (I don’t remember which distros chroot it by default, we support either mostly transparently, and it makes no real difference to security or functionality).

Try:

ls -l /var/spool/postfix

That will only show us permissions on the directory (maildrop being the relevant one), but a read-only filesystem mount would prevent any writes.

drwx-wx--T 2 postfix postdrop 4096 Jun 28 16:29 maildrop

cat /proc/mounts will show you mounted filesystems and their options. You’d need to match up the filesystem with where that directory is.

Hmm…

Mine’s:

drwx-wx---.  2 postfix  postdrop 106496 Jun 28 20:11 maildrop

But, all my servers are Rocky, not Ubuntu. It’s possible there are packaging differences. T is sticky bit without execute permissions. I’m not sure what impact that’d have.

/dev/sdb4 / ext4 rw,relatime,quota,usrquota,grpquota 0 0
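As an added example (not from the thread, Virtualmin or Postfix), a small POSIX shell script that applies the three checks the replies above make by hand, reading them off `ls -l` and /proc/mounts lines like the ones posted: postdrop's setgid bit and group, the maildrop directory's ownership and group-write bit, and whether the filesystem is mounted rw. The 1730 baseline is what Postfix's own postfix-files specifies for maildrop; the `--live` paths assume the stock Ubuntu locations.

```shell
#!/bin/sh
# Added example, not from the thread: evaluate from the text of an `ls -l`
# or /proc/mounts line the three things the replies above check by hand.
# Baseline from Postfix's own postfix-files: /usr/sbin/postdrop is setgid to
# group postdrop; $queue_directory/maildrop is postfix:postdrop mode 1730
# (drwx-wx--T), so the trailing T seen above is the expected layout.
check_postdrop_line() {     # arg: one `ls -l` line; 0 if setgid + group postdrop
    set -- $1               # split into: mode links owner group size ...
    case "$1" in
        ??????[sS]*) ;;     # 7th char is the setgid bit of the group triplet
        *) echo "postdrop is NOT setgid (mode '$1')"; return 1 ;;
    esac
    [ "$4" = "postdrop" ] || { echo "postdrop group is '$4', want postdrop"; return 1; }
    echo "postdrop OK: $1 $3:$4"
}
check_maildrop_line() {     # arg: one `ls -ld` line; 0 if postfix:postdrop, group-writable
    set -- $1
    case "$1" in
        d????w*) ;;         # directory whose 6th char (group write) is set
        *) echo "maildrop is not a group-writable dir (mode '$1')"; return 1 ;;
    esac
    [ "$3" = "postfix" ] && [ "$4" = "postdrop" ] ||
        { echo "maildrop owned $3:$4, want postfix:postdrop"; return 1; }
    case "$1" in            # 10th char: t/T = sticky bit (T = sticky without o+x)
        ?????????[tT]*) echo "maildrop OK: $1 (sticky set, as 1730 gives)" ;;
        *)              echo "maildrop OK: $1 (no sticky bit, as on the Rocky box above)" ;;
    esac
}
check_mount_line() {        # arg: one /proc/mounts line; 0 unless options include ro
    set -- $1               # split into: device mountpoint fstype options ...
    case ",$4," in
        *,ro,*) echo "filesystem on $2 is mounted read-only"; return 1 ;;
        *,rw,*) echo "filesystem on $2 is read-write ($4)" ;;
        *)      echo "cannot tell rw/ro from options '$4'"; return 1 ;;
    esac
}
# With --live inspect this host; otherwise evaluate the lines posted above.
if [ "${1:-}" = "--live" ]; then
    check_postdrop_line "$(ls -l /usr/sbin/postdrop)"
    check_maildrop_line "$(ls -ld /var/spool/postfix/maildrop)"
    check_mount_line "$(awk '$2 == "/"' /proc/mounts | tail -n 1)"  # adjust if /var is its own mount
else
    check_postdrop_line "-r-xr-sr-x 1 root postdrop 22960 Jan 29 03:02 /usr/sbin/postdrop"
    check_maildrop_line "drwx-wx--T 2 postfix postdrop 4096 Jun 28 16:29 maildrop"
    check_mount_line "/dev/sdb4 / ext4 rw,relatime,quota,usrquota,grpquota 0 0"
fi
```

Run without arguments it evaluates the lines from this thread (all three pass, which matches the replies' conclusion that the posted permissions are correct); with `--live` it inspects the local host.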