
Allow Postfix to call custom scripts by using mail aliases

Using custom mail aliases to run scripts is a long-standing practice. However, on modern Linux distributions it is blocked as a security risk. Following the common Postfix guidelines does not get the scripts to run: Postfix reports the script as called, but nothing actually happens. This has been verified on Oracle Linux 9 (OEL9).

The reason nothing happens is that systemd ships a locked-down unit file for Postfix on OEL9 (and most likely on RHEL 9/8 as well).

Let’s go over the setup required to make it work.

First, we need an aliases file with a few entries. Here is a snippet of a few lines from /etc/aliases:

user1: [email protected]
user2: /tmp/last_user2_email.txt
user3: "|/usr/local/bin/mail_parse.sh"

After editing the file, run the command ‘newaliases’ to rebuild the alias map and notify Postfix.

However, mail sent to these accounts (user2 and user3) will do nothing. The Postfix logs will show that the delivery to the file or the script took place, but it does not actually happen, and there is no indication in the logs as to why.

The cause, as mentioned before, is the systemd Postfix unit. A hint pointing me in the right direction was found in this forum post. To work around it, my suggestion is to create a replacement systemd unit file at /etc/systemd/system/postfix.service:

[Unit]
Description=Postfix Mail Transport Agent
After=syslog.target network.target
Conflicts=sendmail.service exim.service
 
[Service]
Type=forking
PIDFile=/var/spool/postfix/pid/master.pid
EnvironmentFile=-/etc/sysconfig/network
#PrivateTmp=true
#CapabilityBoundingSet=~ CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_MODULE
#ProtectSystem=true
#PrivateDevices=true
ExecStartPre=-/usr/sbin/restorecon -R /var/spool/postfix/pid
ExecStartPre=-/usr/libexec/postfix/aliasesdb
ExecStartPre=-/usr/libexec/postfix/chroot-update
ExecStart=/usr/sbin/postfix start
ExecReload=/usr/sbin/postfix reload
ExecStop=/usr/sbin/postfix stop

[Install]
WantedBy=multi-user.target

Note the commented-out lines: PrivateTmp, CapabilityBoundingSet, ProtectSystem and PrivateDevices are the sandboxing directives of the stock unit, and disabling them is what lets the alias-driven deliveries run. Now, to reload systemd and restart Postfix, run:

systemctl daemon-reload
systemctl restart postfix.service
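Replacing the whole unit file means the copy under /etc/systemd/system silently diverges from whatever the postfix package ships later. The following is an added example (not part of the original post) that instead writes a systemd drop-in overriding only the four directives the post comments out; the drop-in file name allow-alias-commands.conf is my own choice, and the optional directory argument exists only so the helper can be exercised against a scratch directory rather than /etc.

```shell
#!/bin/sh
# Added example: override only the sandboxing directives the post disables,
# as a drop-in under postfix.service.d, instead of replacing the vendor unit.
# The drop-in file name is an assumption of this example.

write_postfix_dropin() {
    unit_dir="${1:-/etc/systemd/system}"          # scratch dir when testing
    dropin_dir="$unit_dir/postfix.service.d"
    mkdir -p "$dropin_dir" || return 1
    # For boolean settings the last assignment wins, so "no" here overrides
    # "true" in the vendor unit. For CapabilityBoundingSet, a bare "~" resets
    # the bounding set to the full set of capabilities (systemd.exec(5)).
    cat > "$dropin_dir/allow-alias-commands.conf" <<'EOF'
[Service]
PrivateTmp=no
ProtectSystem=no
PrivateDevices=no
CapabilityBoundingSet=~
EOF
}

# Succeeds when directive line $2 is present verbatim in the drop-in under $1.
dropin_has() {
    grep -qxF -- "$2" "$1/postfix.service.d/allow-alias-commands.conf"
}
```

After running write_postfix_dropin as root, apply it exactly as in the post (systemctl daemon-reload followed by systemctl restart postfix.service); systemctl cat postfix.service then shows the vendor unit with the override appended. Because each directive is a separate line, it is easy to remove them one at a time and re-test the alias, keeping only the overrides that delivery actually needs rather than all four.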

This should do the trick and allow Postfix (under the default OEL9 configuration) to run scripts. Of course, you need to make sure that the script is executable by ‘nobody’ and that it runs without problems when called that way.
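For the ‘nobody’ requirement above, it helps to see what the alias target has to cope with. The following is an added example script (not the post's mail_parse.sh) of the kind the user3 alias would pipe to: Postfix local(8) writes the whole message to the command's standard input and runs it as the unprivileged default_privs user (nobody by default), so the script reads stdin, never executes anything taken from the message, writes only to one fixed file, and uses its exit status to tell Postfix whether to accept or retry. The log path /var/tmp/mail_parse.log and the MAIL_PARSE_LOG override are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original post's script: a minimal, defensive
# /usr/local/bin/mail_parse.sh for a "|/usr/local/bin/mail_parse.sh" alias.
# Postfix pipes the message to stdin and runs us as the default_privs user
# (nobody). The log path below is an assumption of this example.

# Print the value of header $1 (case-insensitive) from the message on stdin.
# Only the header section is scanned: the first blank line ends it, so a
# look-alike line in the body is never mistaken for a header. Non-printable
# characters are stripped so a crafted header cannot forge extra log lines.
extract_header() {
    awk -v want="$1" '
        /^$/ { exit }
        {
            split($0, parts, ":")
            if (tolower(parts[1]) == tolower(want)) {
                value = substr($0, length(parts[1]) + 2)
                sub(/^[ \t]+/, "", value)
                print value
                exit
            }
        }' | tr -cd '[:print:]'
}

# Produce one summary line "from=... subject=..." for the message on stdin.
summarize_mail() {
    msg=$(cat)                                   # buffer once, scan twice
    from=$(printf '%s\n' "$msg" | extract_header From)
    subject=$(printf '%s\n' "$msg" | extract_header Subject)
    printf 'from=%s subject=%s\n' "${from:-<none>}" "${subject:-<none>}"
}

# Entry point when Postfix invokes this file as the alias command.
# Exit 0 means delivered; 75 (EX_TEMPFAIL) makes Postfix queue and retry
# instead of bouncing, e.g. when the log file is not writable by nobody.
if [ "${0##*/}" = "mail_parse.sh" ]; then
    umask 077
    summarize_mail >> "${MAIL_PARSE_LOG:-/var/tmp/mail_parse.log}" || exit 75
    exit 0
fi
```

To try it by hand before relying on the alias, run it the way Postfix would: su to nobody (or use sudo -u nobody) and feed it a saved message on stdin, then confirm the summary line landed in the log and the exit status was 0. Any other non-zero exit status than 75 causes Postfix to bounce the message, which is the behaviour you want for a genuinely broken script rather than silent loss.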

Additional parameters that might be required in Postfix to allow delivery to commands and files are allow_mail_to_commands and allow_mail_to_files. You can enable them like this:

postconf allow_mail_to_commands=alias,forward,include
postconf allow_mail_to_files=alias,forward,include
systemctl restart postfix.service

Now it should work as expected. Test your setup and verify that it actually works.
