[Mailman-Users] Group mismatch error

John Dennis jdennis at redhat.com
Wed May 11 19:23:09 CEST 2005

On Wed, 2005-05-11 at 17:12 +0100, John Poltorak wrote:
> On Wed, May 11, 2005 at 09:08:40AM -0400, John Dennis wrote:
> > On Tue, 2005-05-10 at 23:45 +0100, John Poltorak wrote:
> > > Can someone explain what I need to do when I get this error - I don't want 
> > > to have to re-run configure.
> > > 
> > > Group mismatch error.  Mailman expected the mail
> > > wrapper script to be executed as group "mail", but
> > > the system's mail server executed the mail script as
> > > group "mailnull".  Try tweaking the mail server to run the
> > > script as group "mail", or re-run configure,
> > > providing the command line option `--with-mail-gid=mailnull'.
> > > 554 5.3.0 unknown mailer error 2
> > 
> > As has been said, you have two choices, either re-configure, re-build,
> > or change how your MTA executes child processes (or possibly just how
> > your MTA executes).
> > 
> > If this was working before then something must have changed with your
> > MTA, but you didn't say which MTA you're using. Some MTAs can be
> > configured via their config file to run with specific identities (e.g.
> > the postfix mail_owner parameter). This is an MTA issue, please consult
> > your MTA documentation.
> I'm using sendmail but don't know which permissions need changing. I 
> thought this would have been the file which needed the correct 
> permissions:-
> # ls -al /usr/local/mailman/mail
> total 48
> drwxrwsr-x    2 root     mailman      4096 Jan 31  2004 .
> drwxrwsr-x   20 root     mailman      4096 Mar 19  2003 ..
> -rwxr-sr-x    1 root     mailman     39385 Jan 31  2004 mailman

No, this is the wrapper, the wrapper is trying to verify the identity of
the process which is invoking it, which is your MTA. The wrapper is
built with the MTA's gid in (via the --with-mail-gid parameter). 

> If I have mailman running with UID root, I don't understand what the 
> problem is. Should I just add mailman to the mail group?

No, you've got this backwards. What is going on is that your MTA invokes
the mailman wrapper. The wrapper in effect says "I will only execute if
and only if I trust the program that invoked me, which must be an MTA".
It makes that decision by looking at the group of the program that
invoked it and compares it to the group that was inserted into its
source code via the --with-mail-gid parameter. If those two groups match
it trusts this is really the MTA that is asking mailman to process mail.

The problem you're having is that the MTA that is invoking mailman is
not running with the group identity that you told mailman it would
execute with when you built it.

> I guess this sounds like a FAQ...

Yes, actually I wrote up a whole explanation of this a few weeks back on
the developers list because there is so much misinformation and confusion
with respect to this issue. It's time to get that into the FAQ.
John Dennis <jdennis at redhat.com>
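
An added example, not part of the original message and not Mailman's own source: a minimal C sketch of the caller check described in the reply above. The names EXPECTED_MAIL_GROUP, compare_group and caller_group_name are hypothetical, and the macro stands in for the value that --with-mail-gid fixes at build time. It also shows why the permissions on the wrapper file are not what gets tested: the set-gid bit changes only the effective gid, while the check reads the real gid inherited from the MTA.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: stands in for the group compiled in via --with-mail-gid. */
#ifndef EXPECTED_MAIL_GROUP
#define EXPECTED_MAIL_GROUP "mail"
#endif

/* Hypothetical status values for this sketch. */
enum caller_status { CALLER_OK, CALLER_MISMATCH, CALLER_UNKNOWN };

/* Compare the invoking group's name with the compiled-in one.
   A whole-string compare is required: "mailnull" must not pass as "mail". */
enum caller_status compare_group(const char *actual, const char *expected)
{
    if (actual == NULL)
        return CALLER_UNKNOWN;          /* gid has no group entry: fail closed */
    return strcmp(actual, expected) == 0 ? CALLER_OK : CALLER_MISMATCH;
}

/* Name of the group the invoking process runs as, or NULL.
   getgid() returns the REAL gid, which a set-gid wrapper inherits
   unchanged from its parent (the MTA); only the effective gid
   becomes the file's group. */
const char *caller_group_name(void)
{
    struct group *gr = getgrgid(getgid());
    return gr ? gr->gr_name : NULL;
}

int main(void)
{
    const char *actual = caller_group_name();

    if (compare_group(actual, EXPECTED_MAIL_GROUP) != CALLER_OK) {
        fprintf(stderr,
                "Group mismatch: expected \"%s\", invoked as \"%s\"\n",
                EXPECTED_MAIL_GROUP, actual ? actual : "(no group entry)");
        return 1;                       /* refuse to hand mail to the list */
    }
    puts("caller group accepted");
    return 0;
}
```

Run from an ordinary login shell this normally reports a mismatch, because the shell's group is not the mail group; that is the same situation as sendmail running as "mailnull" against a wrapper built for "mail".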
