We have unix home directories on our filer. We just noticed today that sendmail reports that the .forward files are in a "World writable directory" and that the user directory is "unsafe directory path, marked unsafe". (These are sendmail errors - I'm at LogLevel=99 for sendmail).
Then the mail is delivered locally to the box as opposed to forwarded.
Now, my directories are not world writeable! So, I'm wondering what permissions aren't being read correctly. . . .
We've run into this problem when users have set or changed the permissions on their Unix home directory from a Windows client. Some of the complicated Windows permissions get represented to Unix (NFS) clients as "rwxrwxrwx", even though the more restrictive Windows permissions are enforced when a Unix client tries to access them.
It might be "better" if Unix sendmail actually tried to make the access it's checking for, rather than just looking at the permissions, but of course it's not really fair to expect an NFS client to know about those hidden Windows permissions.
What we do here is to set up the majority of users with their Windows homedirs as a subdirectory (~username/nt) of their Unix homedirs. Folks who are a little more savvy about multi-platform access can have their Windows homedirs be the same as their top-level Unix homedirs, and if they mess up their homedir permissions, they have to live with the consequences.
Moving the .forward files to an alternate location is a nice idea, although I'd be concerned about this approach making it difficult for users to access their own .forward files. E.g. we would rather not provide login or remote (NFS) access to our mail server. But even if we did so, putting all users' .forward files in a single directory makes security and accessibility pretty challenging. How are you folks solving that issue?
Regards,
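
An added example, not part of the original thread: a small audit that walks the directories above a user's .forward file and reports which ones show group or world write in the mode bits as this client sees them, which is the view the reply above says sendmail relies on. The function names, the `stop_at` parameter and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_forward_path(forward_path, stop_at="/"):
    """Walk from the .forward file's directory up to stop_at and report every
    directory whose mode bits, as this client sees them, allow group or
    world write. Returns a list of (path, mode, problem, can_write)."""
    findings = []
    stop_at = os.path.realpath(stop_at)
    current = os.path.dirname(os.path.realpath(forward_path))
    while True:
        mode = stat.S_IMODE(os.stat(current).st_mode)
        if mode & stat.S_IWOTH:
            problem = "world-writable"
        elif mode & stat.S_IWGRP:
            problem = "group-writable"
        else:
            problem = None
        if problem:
            # os.access() asks whether the *invoking* user may write here.
            # Run the audit from an unprivileged account that should have no
            # access: "world-writable" with can_write False means the mode
            # bits overstate what the server actually enforces.
            can_write = os.access(current, os.W_OK)
            findings.append((current, oct(mode), problem, can_write))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings


def demo():
    """Constructed sample tree: base/home/alice/.forward, alice at 0777."""
    base = os.path.realpath(tempfile.mkdtemp())
    home = os.path.join(base, "home", "alice")
    os.makedirs(home)
    os.chmod(base, 0o755)
    os.chmod(os.path.join(base, "home"), 0o755)
    os.chmod(home, 0o777)
    forward = os.path.join(home, ".forward")
    with open(forward, "w") as fh:
        fh.write("alice@example.org\n")  # constructed address
    return home, audit_forward_path(forward, stop_at=base)


if __name__ == "__main__":
    for path, mode, problem, can_write in demo()[1]:
        print(f"{path}\t{mode}\t{problem}\twritable_by_me={can_write}")
```

Run it on the mail host against the real path (for example `audit_forward_path("/home/username/.forward")`, a hypothetical path) to see which component of the path is being flagged.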