Just ran into this:
https://stackoverflow.com/questions/8568596/procmail-disregards-etc-group#
Postfix is doing something before/while it calls procmail for local delivery which strips all but the primary group of the recipient. This means any complicated pipe I have setup in procmail which relies on secondary groups fails with read perm errors.
Sendmail doesn't do this stupidity (yay)! But I needed to (argh finally) use postfix on a box that needed 2 MTAs installed (and sendmail couldn't, in the end, do it properly).
I consider the current stackoverflow answer to be a non-answer because Fedora/RHEL doesn't install procmail setgid/setuid anymore, and I don't want to fudge u+s g+s on every dnf update!
I've solved the problem by "washing" the procmail piped-to command through sudo. I had to add to sudoers: fooman ALL=(fooman) NOPASSWD: /bin/php
and change my procmail recipe pipe to: | /bin/sudo -u fooman /bin/php /needs/secondary/groups/to/read.php
Ok great, it all works with postfix now just like it did with sendmail.
The tricky question for you uber *nix geeks is: Can I achieve the same thing without the sudoers entry? In other words, is there a way to achieve this without root access, if someone didn't have root on the box, say.
Too bad sudo isn't smart enough to say "hey, user fooman can run anything as user fooman" without a specific entry. Maybe an option for postfix? Maybe some magic sudo or su can do?
Is an option to procmail possible or is this a problem that can *only* be solved by washing the call, somewhere along the line, through a setuid program (because once stripped by postfix they are gone forever)?
I wonder why sendmail doesn't chop off the groups but postfix does.