
Trying to add an after-queue mail filter in Postfix on CentOS, get execvp permission denied


So I followed [the guide][1] on how to set up a simple mail filter with Postfix, so that I can do a find-replace in the body of outgoing emails. I created a script at /tmp/mailfilter.sh, and changed the /etc/postfix/master.cf file as instructed:

    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd
          -o content_filter=filter:dummy

    filter    unix  -       n       n       -       10      pipe
        flags=Rq user=filter null_sender=
        argv=/tmp/mailfilter.sh -f ${sender} -- ${recipient}

I created a user called filter and made it the owner of the script. But when I tried sending an email, I get the following error:

    Jun  7 03:01:53 localhost postfix/qmgr[31288]: 134D944A0673: from=<sender@gmail.com>, size=894, nrcpt=1 (queue active)
    Jun  7 03:01:53 localhost pipe[31603]: fatal: pipe_command: execvp /tmp/mailfilter.sh: Permission denied
    Jun  7 03:01:53 localhost postfix/pipe[31562]: 134D944A0673: to=<receiver@gmail.com>, relay=filter, delay=8974, delays=8974/0/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /tmp/mailfilter.sh: Permission denied )

Specifically, what I'm assuming is relevant is:

    (temporary failure. Command output: pipe: fatal: pipe_command: execvp /tmp/mailfilter.sh: Permission denied )

/tmp/mailfilter.sh has chmod a+x and is owned by filter. I tried removing everything in it so it's just an empty file, and I still get the permission denied error.

I can't figure out what I'm missing. I've set every permission I can find, but Postfix is doing something arcane that I don't understand.


Solution

  • CentOS uses SELinux as a MAC framework, so maybe you need to properly set the type of your executable. You can check /var/log/audit/audit.log for any security violation. If SELinux is denying you, you can try this command as root:

    chcon -t postfix_pipe_exec_t /tmp/mailfilter.sh
    

    That manual is a good reference: http://linux.die.net/man/8/postfix_selinux
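
The audit-log check suggested in the answer, as an added example that is not part of the original answer: a shell function that pulls the AVC denials naming a given file out of an audit log and reports the process, the denied permission, and the source and target SELinux types. The function names and the sample records are constructed for illustration; the types shown in the sample (postfix_pipe_t, user_tmp_t) are assumptions about what such a record could contain, not output from the asker's system.

```sh
#!/bin/sh
# Added example, not from the original answer.
# Prints one line per matching SELinux denial:
#   <comm> <permissions> <source type> <target type>
avc_denials() {   # $1 = audit log path, $2 = file name to look for
    awk -v file="$2" '
        BEGIN { want = "name=\"" file "\"" }
        /avc:/ && /denied/ && index($0, want) {
            comm = perms = src = tgt = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") {
                    # denied permissions sit between "{" and "}"
                    for (j = i + 1; j <= NF && $j != "}"; j++)
                        perms = perms (perms ? "," : "") $j
                } else if ($i ~ /^comm=/) {
                    comm = $i; gsub(/^comm=|"/, "", comm)
                } else if ($i ~ /^scontext=/) {
                    split($i, a, ":"); src = a[3]   # user:role:TYPE:level
                } else if ($i ~ /^tcontext=/) {
                    split($i, a, ":"); tgt = a[3]
                }
            }
            print comm, perms, src, tgt
        }' "$1"
}

# Constructed sample records in audit.log format (not from a real host).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1496804513.100:412): avc:  denied  { execute } for  pid=31603 comm="pipe" name="mailfilter.sh" dev="dm-0" ino=67 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1496804513.100:412): arch=c000003e syscall=59 success=no exit=-13 comm="pipe" exe="/usr/libexec/postfix/pipe"
type=AVC msg=audit(1496804600.200:413): avc:  denied  { getattr } for  pid=900 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Demo on the constructed sample; on a real host pass /var/log/audit/audit.log.
log=$(mktemp)
sample_audit_log > "$log"
avc_denials "$log" mailfilter.sh
rm -f "$log"
```

The target type in the output is the label the file currently carries, which `ls -Z /tmp/mailfilter.sh` also shows. A label set with chcon does not survive a filesystem relabel or a restorecon run on that path.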