[PATCH v2] cli/insert: new message file can be world-readable (rely on umask)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Feb 8 18:00:46 PST 2018

On Thu 2018-02-08 20:40:40 -0500, Daniel Kahn Gillmor wrote:

> postfix's local delivery agent has apparently been delivering with mode
> 0600 for nearly 20 years:
>     https://github.com/vdukhovni/postfix/blame/master/postfix/src/local/maildir.c#L188

and even postfix's master process (the one capable of spawning the local
delivery agent, which is ultimately responsible for dropping privileges
to the local user to execute commands in ~/.forward) starts off with a


this makes it pretty difficult to attempt safe simple world-readable
mail delivery through the MUA :(

Anyway, this is not on the critical path for me.  For the purposes of
mail delivery to the mailing list archive, i'm now considering just
writing a wrapper script around "notmuch insert" that (as the local
user) chmod on the files that are delivered with overly-restrictive

This makes me nervous, because chmods are tricky to do safely,
especially in an automated fashion, but given the tight permissions
we're seeing during message delivery at the moment, this is the simplest

Another option would be to write a mailman3 plugin that delivers to
notmuch, but that's a bigger task than i'm willing to take on right now.

I welcome other suggestions though!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://notmuchmail.org/pipermail/notmuch/attachments/20180208/7bad148c/attachment.sig>

More information about the notmuch mailing list