# fetchmail won't work with maildrop unless it's setuid [SOLVED]

## Skotlex

I used to have a simple fetchmail+maildrop system in place to retrieve my emails without having the mail client opened, and it worked fine for a long time until Gentoo's maildrop package decided to no longer install setuid. This was many, many months ago, and back then I solved it by just doing a "chmod +s /usr/bin/maildrop". Recently I rebuilt world and bumped into this problem again, and wondered if there isn't a better solution to get these two working together (I mean, if Gentoo packages maildrop not setuid, it must be for a good reason)?

Fetchmailrc

```
# Configuration created Wed Sep 18 12:13:34 2002 by fetchmailconf
set postmaster "<>"
set bouncemail
set daemon 30
set no spambounce
poll imap.gmail.com
        proto imap
        service 993
        user "<>"
        pass "<>"
        ssl
        is <user>
        limit 0
        mda "/usr/bin/maildrop -d %T"
        fetchall
```

Last edited by Skotlex on Fri Jun 02, 2017 2:52 am; edited 1 time in total

----------

## eccerr0r

Maildrop is a mail delivery agent.  I've not used it before as I've been using procmail.

Anyway, it seems that delivering mail could deliver to arbitrary users. As writing to other people's mailboxes requires permissions, this necessarily requires root. However, in your case, writing to your own mailbox should not need root access and thus suid root is superfluous.

What error does it report when it's not suid root, perhaps that's the clue on how to fix it...  Are you using mbox?  Is the directory /var/spool/mail accessible to you as your unprivileged user (mode 1777)?

----------

## Skotlex

Well, even in a mono-user environment, Linux is designed to run processes from multiple users. Since I run fetchmail at system startup, it runs as the fetchmail user, so it does need to send email to a different user. When procmail is not setuid, it prints an error on invocation that it was unable to set its user/group:

```
/usr/bin/maildrop: Cannot set my user or group id.
```

So.... if the maildrop command is supposed to change its user/group, why isn't it installed setuid, and what is supposed to be the right way to invoke it? Maybe I shouldn't worry about it and just make it setuid anyway?

----------

## eccerr0r

Ah I thought you were running it as the individual user instead of part of a system daemon.

I'm not sure how fetchmail could change to its fetchmail user when running as a system daemon... it has to be able to deliver in which it needs to be root or the user to write to the mailboxes... something doesn't seem right.

----------

## szatox

How 'bout using both, user and group permissions? 

Also, there are ACLs too, so a single file can have multiple owners. I don't particularly like this idea, but it could be a solution to some problems.

Setting permissions on the user's mail directory to 6770 would probably do the trick (together with setting the correct owner and group, and assigning the correct group to the user or mailer).
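
An added shell example (not posted in this thread) that puts the group-permission idea above into a checkable form: it creates a Maildir that is group-writable with the setgid bit, so files the delivery daemon drops in inherit the mailbox owner's group, and it verifies the mode bits rather than assuming them. The group name is an assumption you supply; GNU `stat` is assumed, with a BSD fallback.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies and sets up a Maildir that a
# delivery daemon in a shared group can write into without root or setuid.
# Assumes GNU stat (BSD fallback included); the group name is supplied by you.

# Octal mode of a path, including the setuid/setgid/sticky digit.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

# Returns 0 when the directory mode is usable for shared delivery:
# group write and setgid set, nothing granted to "other".
maildir_ok() {
  dir=$1
  [ -d "$dir" ] || return 1
  m=$(( 0$(mode_of "$dir") ))            # leading 0 -> octal in sh arithmetic
  [ $(( m & 020 )) -ne 0 ]   || return 1 # group write (daemon can create files)
  [ $(( m & 02000 )) -ne 0 ] || return 1 # setgid: new files inherit the group
  [ $(( m & 07 )) -eq 0 ]    || return 1 # no world access to the mailbox
  return 0
}

# Creates (or fixes) a Maildir so a daemon in GROUP can deliver into it.
# GROUP is optional because chgrp needs privileges the caller may lack.
setup_shared_maildir() {
  dir=$1; group=${2:-}
  mkdir -p "$dir/cur" "$dir/new" "$dir/tmp"
  if [ -n "$group" ]; then chgrp -R "$group" "$dir"; fi
  chmod 2770 "$dir" "$dir/cur" "$dir/new" "$dir/tmp"
  maildir_ok "$dir" && maildir_ok "$dir/new"
}

# Usage (hypothetical group name): setup_shared_maildir ~/.maildir fetchmail
```

Directory write permission is what lets the owner move or delete messages the daemon created, so the owner does not need write access to the files themselves; they do need group read, which depends on the delivery agent's umask.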

----------

## Skotlex

The main problem is maildrop being unable to set the correct user ID to deliver the mail to the user's mailbox. According to the manual:

*Quote:*

> -d user
>     Run maildrop in delivery mode for this user ID.
> ...

So, if the fetchmail user invokes maildrop -T (as I do in my fetchmailrc file), then dropmail should be set UID. Apparently the way Gentoo packages dropmail, it isn't meant to be used with the "-d" argument, so it expects users to run the program locally, not system-wide? Though I do wonder why dropmail can't have a "setuid" use flag for people who need to use it that way?

Maybe I'll just make my own overlay and add a setuid flag for future-proofing my system for the next rebuild.

On the other hand, a permission-based solution would, maybe, be about setting the maildir (~/.maildir) to be owned by user:fetchmail, so that the fetchmail daemon can write to it when invoking sendmail. I'll play a bit with that, though I suspect the right solution to my issue is to just install maildrop setuid.

EDIT: Okay, I checked the maildrop ebuild and I can actually make it set the binary setuid, but I have to enable the "authlib" use flag for that. Why do I need "net-libs/courier-authlib" when a setuid was enough to make my maildrop work? Who knows, but I suppose that's the Gentoo way to solve my issue :S

EDIT2: And okay again, it turns out that just setuid dropmail might be considered a security risk because with authlib I can't use dropmail just like that, I get 

```
ERR: authdaemon: s_connect() failed: No such file or directory
/usr/bin/maildrop: Temporary authentication failure.
```

So I need to set up something else and configure it to give proper authentication. ._. Time to read up on courier-authlib and how to set it up, but I don't want postgres or mysql backends for a non-mail-server machine. >_<

EDIT3: So I fixed that by just starting /etc/init.d/courier-authlib, but I am not sure how I feel about having to run an extra service just to be able to receive emails. I don't even know what it does, since I didn't have to touch any configuration nor set up any permissions on maildrop :O

Oh well, I guess that was a "just keep hitting things until it works" solution without actually fully understanding what the solution entails. X_X

----------