Postfix Symlink Warning: Analyzing and Fixing “/etc/postfix/./makedefs.out” Directory Escape Issue



While setting up Postfix on Raspberry Pi OS (formerly Raspbian), many admins encounter this puzzling warning:

postfix/postfix-script: warning: symlink leaves directory: /etc/postfix/./makedefs.out

This isn't malware; the file is an artifact of Postfix's build system. The symlink gets created during package installation when Postfix builds its configuration files.

The ./makedefs.out symlink is created by Postfix's build system to reference the makedefs output file during installation. The warning triggers because:

  • Postfix's security checks detect potential directory traversal (the ./ sequence)
  • The symlink technically "escapes" the /etc/postfix directory context
  • This is harmless but indicates non-optimal file placement

Let's inspect the actual symlink:

ls -la /etc/postfix/makedefs.out
# Typical output:
# lrwxrwxrwx 1 root root 12 Apr 10 10:00 /etc/postfix/makedefs.out -> ./makedefs.out

The circular reference (pointing to itself) confirms this is just a build artifact.

Method 1: Clean Reinstallation

Properly purge and reinstall Postfix:

sudo apt purge postfix
sudo rm -f /etc/postfix/makedefs.out
sudo apt install postfix

Method 2: Manual Symlink Removal

Simply remove the symlink (Postfix doesn't need it at runtime):

sudo rm /etc/postfix/makedefs.out

Method 3: Postfix Parameter Adjustment

Add this to main.cf to suppress the warning:

# /etc/postfix/main.cf
compatibility_level = 2

Then reload Postfix:

sudo postfix reload

For custom Postfix builds, modify the build process by editing makedefs:

# In Postfix source directory:
# Dots are escaped so sed matches a literal "./makedefs.out", not any character
sed -i 's|\./makedefs\.out|makedefs.out|' postfix-script

While this specific case is harmless, similar warnings could indicate:

  • Actual directory traversal attempts
  • Malicious symlink attacks
  • Broken package installations

Always verify unexpected symlinks with:

readlink -f /etc/postfix/makedefs.out


When setting up Postfix on Raspbian Buster, you might encounter this curious warning during postfix check:

postfix/postfix-script: warning: symlink leaves directory: /etc/postfix/./makedefs.out

This isn't a security breach - it's actually a benign artifact from Postfix's build process. The makedefs.out symlink gets created during package installation when Postfix compiles its configuration defaults.

The Debian postfix package maintains compatibility symlinks for legacy systems. On ARM architectures like Raspberry Pi, the build process generates this symlink due to:

  • Path resolution quirks in Postfix's shell scripts
  • The ./ relative path notation interacting unexpectedly with symlink checks

Postfix's security model includes directory containment checks. The warning triggers when:

# Sample check from postfix-script
# expr STRING : REGEX prints how many leading characters of $file match $queue_directory
if [ "$(expr "$file" : "$queue_directory")" -lt "$(expr length "$queue_directory")" ]; then
    echo "warning: symlink leaves directory: $file" >&2
fi

The ./makedefs.out notation makes the path resolution fail the directory containment check, even though it's technically safe.
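
The containment check and the readlink -f verification described above can be combined into one audit of a whole directory. This is an added example, not code from Postfix or from the original article; it assumes a readlink that supports -f, and the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Postfix code). Assumes a readlink that supports -f.

# audit_symlinks DIR: print one line per symlink found under DIR
#   INSIDE  <link> -> <resolved>  target resolves within DIR
#   OUTSIDE <link> -> <resolved>  target resolves outside DIR
#   BROKEN  <link> -> <target>    dangling or looping (e.g. points to itself)
audit_symlinks() {
    root=$(readlink -f "$1") || return 1
    find "$root" -type l | sort | while IFS= read -r link; do
        name=${link#"$root"/}
        # [ -e ] follows the link, so it is false for dangling links and loops.
        if [ ! -e "$link" ]; then
            printf 'BROKEN %s -> %s\n' "$name" "$(readlink "$link")"
            continue
        fi
        resolved=$(readlink -f "$link")
        # Match on a path-component boundary: "$root"/* rejects a sibling
        # such as postfix.bak that merely shares the string prefix.
        case "$resolved" in
            "$root"/*) state=INSIDE ;;
            *)         state=OUTSIDE ;;
        esac
        printf '%s %s -> %s\n' "$state" "$name" "$resolved"
    done
}

# make_sample_tree: build a constructed directory tree, print its config dir.
make_sample_tree() {
    base=$(mktemp -d) || return 1
    mkdir "$base/postfix" "$base/postfix.bak"
    : > "$base/postfix/main.cf"
    : > "$base/postfix.bak/main.cf"
    ln -s main.cf "$base/postfix/inside"                  # stays inside
    ln -s ./makedefs.out "$base/postfix/makedefs.out"     # points to itself
    ln -s ../postfix.bak/main.cf "$base/postfix/sibling"  # prefix look-alike
    ln -s /nonexistent-constructed "$base/postfix/gone"   # dangling
    printf '%s\n' "$base/postfix"
}

dir=$(make_sample_tree)
audit_symlinks "$dir"
rm -rf "$(dirname "$dir")"
```

On a live host, run audit_symlinks /etc/postfix and review every OUTSIDE or BROKEN line.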

Method 1: Remove the Symlink (Recommended)

sudo rm /etc/postfix/makedefs.out
sudo postfix check  # Verify warning disappears

Method 2: Update Compatibility Level

sudo postconf compatibility_level=2
sudo postfix reload

This moves Postfix to modern defaults where these legacy symlinks aren't needed.

Method 3: Patch the Postfix Script (Advanced)

For those compiling from source, modify postfix-script to handle relative paths:

# Around line 200 in postfix-script
file="$(readlink -f "$file")"  # Normalize path before containment check

After applying fixes, verify with:

sudo postfix check
ls -l /etc/postfix | grep makedefs.out  # Should show no results

The warning is ultimately harmless, but these methods provide clean solutions for production environments.