authorJörg Thalheim <joerg@thalheim.io>2018-10-15 13:12:06 +0100
committerJörg Thalheim <joerg@thalheim.io>2018-10-15 13:14:41 +0100
commit91ddc9d27f669e1dc09012cc7577377bf4e90e69 (patch)
tree6a0a6012d01414d48839cdcc618e4d503a3c8db8 /nixos/modules/services/mail
parentb7d39746782d442d4a2fe0b118dfcdfe329badfb (diff)
postfix: add setgid wrapper for postqueue/postdrop
Both postqueue[1] and postdrop[2] implement a subset of administration
tasks that are supposed to be run by unprivileged users
and require the setgid bit to fulfill this task.

[1] http://www.postfix.org/postqueue.1.html
[2] http://www.postfix.org/postdrop.1.html
Diffstat (limited to 'nixos/modules/services/mail')
-rw-r--r--nixos/modules/services/mail/postfix.nix18
1 files changed, 17 insertions, 1 deletions
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index 33249aa3e554..d43733484ffa 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -602,7 +602,7 @@ in
             target = "postfix";
           };
 
-        # This makes comfortable for root to run 'postqueue' for example.
+        # This makes it comfortable to run 'postqueue/postdrop' for example.
         systemPackages = [ pkgs.postfix ];
       };
 
@@ -616,6 +616,22 @@ in
         setgid = true;
       };
 
+      security.wrappers.postqueue = {
+        program = "postqueue";
+        source = "${pkgs.postfix}/bin/postqueue";
+        group = setgidGroup;
+        setuid = false;
+        setgid = true;
+      };
+
+      security.wrappers.postdrop = {
+        program = "postdrop";
+        source = "${pkgs.postfix}/bin/postdrop";
+        group = setgidGroup;
+        setuid = false;
+        setgid = true;
+      };
+
       users.users = optional (user == "postfix")
         { name = "postfix";
           description = "Postfix mail server user";
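Review bot: The two added wrapper attrsets (`security.wrappers.postqueue` and `security.wrappers.postdrop`) repeat the same five attributes verbatim, differing only in the binary name; a small helper in the module's `let` block (outside this hunk) would keep every Postfix setgid wrapper on one definition, so a later change to the group or to `setuid`/`setgid` cannot silently apply to one binary and not the others. The wrapper whose `setgid = true;` closes at the top of the hunk starts outside it, so I cannot confirm whether it already uses `pkgs.postfix` or a package option; whichever it uses, the new `source` values should match it. Presumably `setgidGroup` is the same group written as Postfix's `setgid_group` in main.cf — worth confirming, since a mismatch leaves `postdrop` unable to write the maildrop queue while the binary is still installed setgid to an unrelated group. A comment such as `# postqueue/postdrop must be setgid to the maildrop group to submit and inspect the queue as an unprivileged user` on the helper would document why both are needed.
```nix
# Shared shape for the Postfix setgid helpers: setgid to the maildrop group, never setuid.
mkPostfixSetgidWrapper = name: {
  program = name;
  source = "${pkgs.postfix}/bin/${name}";
  group = setgidGroup;
  setuid = false;
  setgid = true;
};
# … unchanged: existing sendmail wrapper definition …
security.wrappers.postqueue = mkPostfixSetgidWrapper "postqueue";
security.wrappers.postdrop = mkPostfixSetgidWrapper "postdrop";
```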