Debian courier-mta package ========================== Please read /usr/share/doc/courier-base/README.Debian first for information about general changes applied to the Courier suite. This document describes Debian specific changes which have been applied to the courier-mta package and some important notes. Maildrop -------- Currently maildrop is packaged separately, which is in debate, please check https://bugs.debian.org/867121#15 In the past, a specific courier-maildrop was build from courier sources as provided by the Courier suite. Due to slight differences in compile time options, it varies slightly from the binary produced by the stand-alone maildrop binary. Sendmail and SUID ----------------- There are multiple binaries shipped by the courier-mta package that are setuid or setgid and therefore allow the caller to perform actions under the courier user (but not root): * /usr/sbin/sendmail * /usr/bin/malq * /usr/bin/cancelmsg * /usr/lib/courier/courier/submitmkdir However, for mail filtering "on the wire" to work, two binaries require setuid root: sendmail and maildrop. 1. maildrop is the actual mail filter. If you do not need mail filtering, setuid root privilege is only needed to implement mail filtering "on the wire", in the past a specific courier-maildrop was build from courier sources. only when received external mail relay (see localmailfilter(7) for more information). Removing the setuid root bit still allows traditional mail filtering to be used, after the message is received and delivered to the mailbox. 2. sendmail is the command line mail sender. Its first order of business is to set its group id to the Courier mail server's group id, and restore the original userid, dropping root. The reason that it needs root setuid is to set its real group id, because setting the setgid bit on the executable is not enough. The setgid bit sets only the effective group id, and the root setuid bit is required to set both effective and real group ids. Both real and effective group IDs are needed in order to be able to implement maildrop mail filtering. Aliases ------- A /usr/sbin/newaliases shell script was added for compliance with the Debian Policy (Section "Mail transport, delivery and user agents"). Please note that the default location for source alias file(s) is /etc/courier/aliases. The script reads /etc/aliases instead. -- PICCORO Lenz McKAY , Wed, 12 Dec 2020 10:51:54 -0400