author: George Shammas <george@shamm.as> 2023-09-16 07:47:52 -0400
committer: George Shammas <george@shamm.as> 2023-09-16 08:22:45 -0400
commit: 142d83f90e2903c92a78c8f4fa84a87fe37a0409
tree: b99f79e21405bccc374cdb86bc59655a057492a1 /nixos/modules/services
parent: 47fc70dde97b3c378b47c5419cb6bb6cae252367
nixos/postfix: postalias should not use source file permissions
Our postfix-setup service ensures that the directory is only writable by root.

postalias by default drops permissions to the user of the source file. In the
case of NixOS that file is in the nix store and thus always owned by root and
everything works.

The problem is that when using a nixos-container with user namespaces (`-U`)
then the nix store is owned by nobody/nogroup, and postfix-setup.service will be
unable to create or modify `aliases.db`.

Since the file would otherwise be owned by root, we should tell postfix to not
assume the user and permissions of the `aliases` file by setting -o and -p.

From postalias(1)

> -o Do not release root privileges when processing a non-root input file. By
> default, postalias(1) drops root privileges and runs as the source file owner
> instead.

> -p Do not inherit the file access permissions from the input file when
> creating a new file. Instead, create a new file with default access
> permissions (mode 0644).
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- nixos/modules/services/mail/postfix.nix | 2
1 file changed, 1 insertion, 1 deletion
diff --git a/nixos/modules/services/mail/postfix.nix b/nixos/modules/services/mail/postfix.nix
index 23c47aaca7e2..bfc4b6ccbfee 100644
--- a/nixos/modules/services/mail/postfix.nix
+++ b/nixos/modules/services/mail/postfix.nix
@@ -747,7 +747,7 @@ in
 
             ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
               ln -sf ${from} /var/lib/postfix/conf/${to}
-              ${pkgs.postfix}/bin/postalias /var/lib/postfix/conf/${to}
+              ${pkgs.postfix}/bin/postalias -o -p /var/lib/postfix/conf/${to}
             '') cfg.aliasFiles)}
             ${concatStringsSep "\n" (mapAttrsToList (to: from: ''
               ln -sf ${from} /var/lib/postfix/conf/${to}
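Review bot: the second loop that begins in the trailing context lines (the repeated `ln -sf ${from} /var/lib/postfix/conf/${to}`) applies the same symlink-then-index pattern to another attribute set and is left untouched by this hunk; if the line that follows it runs postmap(1) on those store-owned files, it will hit exactly the same ownership failure under a user-namespaced container, because postmap(1) documents the same -o and -p options with the same semantics, and should receive the same change in this commit rather than a follow-up. Also worth confirming in review: with -o, postalias now keeps root privileges while writing /var/lib/postfix/conf/${to}.db regardless of who owns the source file, and with -p the new .db is created with mode 0644 instead of inheriting the read-only mode of the store file, so the safety of this hunk rests entirely on the commit message's claim that postfix-setup makes that directory writable only by root; that guarantee is not visible in the hunk and deserves a check against the directory setup code before merging.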