GNU Mailman Set Group ID Wrapper Error

Written by Geoff Mottram (geoff at minaret dot biz).

Placed in the public domain on September 5, 2004 by the author.

Last updated: April 23, 2005.

This document is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose and noninfringement. In no event shall the author be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with this document or the use or other dealings in this document.


This document describes problems that can occur when installing GNU Mailman. This tip was written for Mailman version 2.1.5 but will apply to other versions of the software. There is a separate document that describes a bug in the subscription confirmation code in Mailman 2.1.5 along with its solution.

GNU Mailman is an open source mailing list manager. Like most mailing list software, Mailman uses aliases in a system's mail transport agent (MTA) to forward inbound email messages to a program for processing. In sendmail, this is accomplished with pipe symbols. For example:

mailman:     "|/usr/local/mailman/mail/mailman post mailman"

If you followed the installation instructions for Mailman, its files should belong to group "mailman". In addition, the mailman executable should have the set group ID bit set so that the effective group ID of the program becomes whatever group Mailman was installed as (i.e. group "mailman").

Under these circumstances, you may receive the following error whenever you send an email message to the Mailman program:

Group mismatch error.  Mailman expected the mail
wrapper script to be executed as group "mailman", but
the system's mail server executed the mail script as
group "mail".  Try tweaking the mail server to run the
script as group "mailman", or re-run configure, 
providing the command line option `--with-mail-gid=mail'.
554 5.3.0 unknown mailer error 2

The problem lies with some confusion in the Mailman installation instructions in the file INSTALL. Almost every installation of Mailman will require the use of the --with-mail-gid option when you run the configure script. Under most Linuxes, sendmail is run as user "mail" and group "mail". If you follow the Mailman installation instructions to the letter, you create a "mailman" user and group. When you run configure without the --with-mail-gid option, the configure script will use "mailman" as the value of that option. This configuration will not work on most Linuxes running sendmail.

The INSTALL file says that you use the --with-mail-gid option to:

Specify an alternative group for running scripts via the mail wrapper.

It may sound like this option specifies the effective group ID of the wrapper program. That is not the case. What this option really means is "Specify the group that your mail transport agent (MTA) runs as." The effective group ID of the wrapper program will almost always be "mailman", a setting that is different from and independent of the --with-mail-gid option.

To enhance the security of Mailman, the wrapper program checks that it is only being run by the MTA (or someone in that group). Since the wrapper program has the "set effective group ID" bit set and execute permission for anyone on your system, anyone can run the wrapper program as group "mailman". This is why the wrapper has to check the "real" group ID it is being run as. You specify what the correct group ID is with the --with-mail-gid configuration option.

The --with-cgi-gid option works in the same manner. All of the cgi-bin scripts that come with Mailman check the real group ID they are being run as to ensure they have been called by the Web server and not just anyone on your system. However, the configure script does a much better job of guessing the value of this parameter.

If you follow the Mailman installation instructions to the letter, you create a "mailman" group on your system. Unless you override the --with-mail-gid option, the wrapper program will expect your mail transport agent (MTA) to run as group "mailman". This will almost certainly not be the case. If you are using Linux and sendmail, the group name is most likely "mail". The fix is to run the configure script as follows:

./configure --with-mail-gid=mail

If the configure script is not correctly guessing what group your web server is running under, you might run the configure script like this:

./configure --with-mail-gid=mail --with-cgi-gid=nobody

Replace "nobody" with the actual group name your web server runs as.

Once you have run configure, install Mailman as directed (i.e. make install, etc.).
