These ACLs were written for a qmail setup that was installed according to Dave Sill's Life with qmail. With this configuration, qmail must be started prior to sealing the kernel, or when LIDS_GLOBAL is disabled so tcpserver can bind to port 25.
# setup /sbin/lidsconf -A -o /var/qmail -j READONLY /sbin/lidsconf -A -s /usr/local/bin/multilog \ -o /var/log/qmail -j WRITE /sbin/lidsconf -A -s /usr/local/bin/svc \ -o /var/qmail/supervise -j WRITE # queue access # /sbin/lidsconf -A -s /var/qmail/bin/qmail-inject \ -o /var/qmail/queue -j WRITE /sbin/lidsconf -A -s /var/qmail/bin/qmail-rspawn \ -o /var/qmail/queue -j WRITE /sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \ -o /var/qmail/queue -j WRITE /sbin/lidsconf -A -s /var/qmail/bin/qmail-queue \ -o /var/qmail/queue -j WRITE /sbin/lidsconf -A -s /var/qmail/bin/qmail-clean \ -o /var/qmail/queue -j WRITE /sbin/lidsconf -A -s /var/qmail/bin/qmail-send \ -o /var/qmail/queue -j WRITE /sbin/lidsconf -A -s /var/qmail/bin/qmail-remote \ -o /var/qmail/queue -j WRITE # Access to local mail boxes /sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \ -o CAP_SETUID -j GRANT /sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \ -o CAP_SETGID -j GRANT /sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \ -o CAP_DAC_OVERRIDE -j GRANT /sbin/lidsconf -A -s /var/qmail/bin/qmail-lspawn \ -o CAP_DAC_READ_SEARCH -j GRANT # Remote delivery /sbin/lidsconf -A -s /var/qmail/bin/qmail-rspawn \ -o CAP_NET_BIND_SERVICE -i -1 -j GRANT # supervise /sbin/lidsconf -A -s /usr/local/bin/supervise \ -o /var/qmail/supervise/qmail-smtpd/supervise -j WRITE /sbin/lidsconf -A -s /usr/local/bin/supervise \ -o /var/qmail/supervise/qmail-smtpd/log/supervise -j WRITE /sbin/lidsconf -A -s /usr/local/bin/supervise \ -o /var/qmail/supervise/qmail-send/supervise -j WRITE /sbin/lidsconf -A -s /usr/local/bin/supervise \ -o /var/qmail/supervise/qmail-send/log/supervise -j WRITE |