Solved How do I stop sshd from setting the MAIL env. variable?

ShelLuser · Apr 20, 2025

Hi gang,

So... I moved away from mbox to the Maildir format courtesy of Sendmail, procmail & Mutt; this setup works like a charm.

However... there's a problem when the MAIL environment variable it set (this defaults to /var/mail/$USER) because this will make Mutt switch to focussing on the mbox again. So... I changed /etc/login.conf (and ran cap_mkdb), verified /usr/share/skel and my local shell setups... everything checks out.

When I log onto the console... no more MAIL. But... when I log on using SSH... lo and behold: MAIL=/var/mail/peter returns.

I already set PermitUserEnvironment to 'no' in /etc/ssh/sshd_config but even that doesn't stop it. It also doesn't matter if I log on using PuTTY or Windows' own SSH client.. the variable gets set.

Anyone got an idea how to tell SSHd to stop doing this? At least that's my conclusion so far...

(edit)

In the mean time I temporarily resolved this idiocy by adding the following line to ~/.profile:

Code:

if [ ! -z $MAIL ]; then unset MAIL; fi

...but that's obviously not a very satisfying solution as this shouldn't have been set in the first place.

covacat · Apr 20, 2025

looking at the source it seems you can't
just use .profile

ShelLuser · Apr 20, 2025

covacat said:
looking at the source it seems you can't
just use .profile

Appreciate the feedback, especially because I've also been studying the source tree as well, came to the same conclusion but wasn't fully sure of my findings. Well, onto plan B

Just finished setting up DSpam and I'm just going to "ab"use the mbox as a fallback quarantine and add a macro to Mutt that gets me to my IMAP server so that you're basically forced to check the quarantine first.

facedebouc · Apr 20, 2025

You could see the ~/.ssh/authorized_keys way to set environment variables.
See sshd(8).

tommiie · Tuesday at 11:01 AM

covacat said:
looking at the source it seems you can't
just use .profile

Sorry for being too lazy to read the source myself. Could you elaborate on what you mean? Does sshd hard-code a MAIL environment variable?

covacat · Tuesday at 11:06 AM

yes and others too

Code:

 1031         child_set_env(&env, &envsize, "USER", pw->pw_name);
 1032         child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
 1033 #ifdef _AIX
 1034         child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
 1035 #endif
 1036         child_set_env(&env, &envsize, "HOME", pw->pw_dir);
 1037         snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
 1038         child_set_env(&env, &envsize, "MAIL", buf);
 1039 #ifdef HAVE_LOGIN_CAP
 1040         child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
 1041         child_set_env(&env, &envsize, "TERM", "su");

i did not see any way to bypass this

POSIX.1 · Tuesday at 11:10 AM

tommiie said:
Sorry for being too lazy to read the source myself.

grep(1) is the fast tool for the lazy folks. Even faster is ag(1). So no excuses here for being lazy.

tommiie · Tuesday at 11:25 AM

Setting the other environment variables make sense; for MAIL not so much. Perhaps one could create a ticket with OpenSSH to have this modified?

ShelLuser · Tuesday at 11:57 AM

tommiie said:
Setting the other environment variables make sense; for MAIL not so much. Perhaps one could create a ticket with OpenSSH to have this modified?

Yah, I'm looking into that. But first I'm trying to come up with a solid diff which I might be able to present.

Charlie_ · Tuesday at 12:56 PM

POSIX.1 said:
Even faster is ag(1). So no excuses here for being lazy.

It's hard to find textproc/the_silver_searcher from your comments.
Even if not lazy.
I looked at ag(1) and found it with pkg search -o Silver.Searcher and cat /usr/ports/textproc/the_silver_searcher/pkg-plist.

gpw928 · Tuesday at 11:02 PM

Maybe I'm lazy, but I always use a login shell, and thus $HOME/.profile always prevails.

I see ssh(1) always "dots in" ~/.ssh/environment, plus the PermitUserEnvironment option in sshd_config(5) applies.

Kai Burghardt · Wednesday at 12:14 AM

ShelLuser said:
[…] when the MAIL environment variable it set (this defaults to /var/mail/$USER) because this will make Mutt switch to focussing on the mbox again. […]

As far as I understand the $MAIL environment variable is used as a default spoolfile and you are supposed to overwrite it in your .muttrc, no?

ShelLuser said:
[…] I changed /etc/login.conf (and ran cap_mkdb), […]

Instead of removing the line, how about setting mail to an empty string? If I understand crypto/openssh/session.c correctly, the login class environment is merged with the default environment covacat already quoted.

Code:

	:mail=:\

ShelLuser said:
Code:

if [ ! -z $MAIL ]; then unset MAIL; fi

This is totally beside the point, but is the -n-check even necessary? Just always unset MAIL. unset doesn’t “blow up” if it’s a nonexistent variable name.

tommiie said:
[…] Perhaps one could create a ticket with OpenSSH to have this modified?

Actually, this has been reported at least once before.

ShelLuser · Wednesday at 10:43 AM

Kai Burghardt said:
As far as I understand the $MAIL environment variable is used as a default spoolfile and you are supposed to overwrite it in your .muttrc, no?

No, you don't overwrite environment variables in software like Mutt.

What you can do is tell Mutt to use the Maildir, which I did, but even then Mutt always starts by opening the mbox first no matter what. Sure, I could then easily open the other, real, mail storage but that's beside the point. Mutt should be opening the Maildir first.

Which it does as soon as MAIL is removed. Setting this to an empty value has no effect.

Kai Burghardt said:
Actually, this has been reported at least once before.

Good to know.

(edit: overlooked this one):

Kai Burghardt said:
This is totally beside the point, but is the -n-check even necessary? Just always unset MAIL. unset doesn’t “blow up” if it’s a nonexistent variable name.

Force of habbit

I prefer clean code which isn't based on assumptions, so that's what I'm always using.