I’ve done lots of operations from /etc/smrsh under sendmail. I can’t say I’ve ever used setuid for this type of work; it may well suffice. Now in my case with sendmail, the scripts run as the user receiving the email locally, so I don’t need to do any of the below. I simply define the account that I want to run the script as the recipient of the message and it’s all done.
I’d suggest to run sudo and make an entry in /etc/sudoers. You want to be paranoid around any publicly visible service like email but an entry like this might work in /etc/sudoers:
mail ALL=(user2) NOPASSWD: /usr/local/script.to.run.sh Defaults:mail !requiretty
Again, I’m not sure why you are seeing this run as the “mail” user unless that is the name of the local account, sendmail runs these kinds of scripts as the user receiving the messages. In which case, if my user was “taxinfo” it would look like
taxinfo ALL=(user2) NOPASSWD: /usr/local/script.to.run.sh Defaults:taxinfo !requiretty
Note that the last line (Defaults…) is probably needed because there’s not an actual terminal involved when processing a background script. Try without and see if it works. Then, in /etc/smrsh/received.sh you have
/usr/bin/sudo -u taxinfo /usr/local/script.to.run.sh;
And in your .forward file: (don’t forget to chmod 600 this file)