Maildrop must be run as the uid/gid of the user whose mailbox it
is delivering to.

Therefore, if the MTA does not spawn it with the correct uid/gid,
it needs to be suid root to perform the operation itself.

The port is installed with the suid bit stripped by default.  This
works out-of-the-box with MTAs like qmail, which spawn maildrop
with the correct uid/gid it needs to perform the delivery.

For more information, please read the documentation in
${PREFIX}/share/doc/maildrop/INSTALL.  It should be safe to enable
the suid bits, but scan over the code first and satisfy yourself
that there are no security holes.

If you perform a full audit, please inform <ports@openbsd.org> and
the suid bit may then be enabled by default.  Note that there have
been no security advisories about this package in the past.

The following files will need suid re-enabled if you so choose:

${PREFIX}/bin/maildrop
${PREFIX}/bin/dotlock
${PREFIX}/bin/reformail

Marc Balmer <mbalmer@openbsd.org>
$OpenBSD: SECURITY,v 1.2 2004/12/06 23:06:01 mbalmer Exp $