Yahoo Groups archive

Milter-greylist


rights on greylist socket

rights on greylist socket

2009-02-13 by Vladimir Vassiliev

How can I configure milter-greylist and sendmail to work under different uids (without chmod 666 <greylist-socket>)?

Suppose 
sendmail is running under <sm_user>:<sm_group>
and greylist under <gr_user>:<gr_group>

Add <sm_user> to <gr_group> and set
socket "/var/milter-greylist/milter-greylist.sock" 660
in greylist.conf.
But sendmail complains about unsafe socket now.

-- 
Vladimir Vassiliev <vova@...>

Re: [milter-greylist] rights on greylist socket

2009-02-13 by manu@netbsd.org

Vladimir Vassiliev <vova@...> wrote:

> But sendmail complains about unsafe socket now.

There is a DontBlameSendmail option you can set in sendmail.cf so that
sendmail will stop complaining.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] rights on greylist socket

2009-02-13 by Vladimir Vassiliev

On Friday, 13 February 2009, manu@... wrote:
> Vladimir Vassiliev <vova@edu.yar.ru> wrote:
> 
> > But sendmail complains about unsafe socket now.
> 
> There is a DontBlameSendmail option you can set in sendmail.cf so that
> sendmail will stop complaining.
> 

And which item should I use?

-- 
Vladimir Vassiliev <vova@...>

Re: [milter-greylist] rights on greylist socket

2009-02-13 by manu@netbsd.org

Vladimir Vassiliev <vova@...> wrote:

> > There is a DontBlameSendmail option you can set in sendmail.cf so that
> > sendmail will stop complaining.
> And which item should I use?

I don't remember. Look for DontBlameSendmail in the Sendmail operation
guide.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] rights on greylist socket

2009-02-13 by Vladimir Vassiliev

On Friday, 13 February 2009, manu@... wrote:
> Vladimir Vassiliev <vova@edu.yar.ru> wrote:
> 
> > > There is a DontBlameSendmail option you can set in sendmail.cf so that
> > > sendmail will stop complaining.
> > And which item should I use?
> 
> I don't remember. Look for DontBlameSendmail in the Sendmail operation
> guide.
> 

IMHO, the problem is that sendmail doesn't know about its supplementary groups, so its view of permissions is far from the truth.

Here is the best working setup I could achieve:

drwxr-x---  2 greylist sendmail 4096 Фев 13 14:41 /var/milter-greylist

-rw-------  1 greylist greylist 13110069 Фев 13 14:04 greylist.db
srwxrwxrwx  1 greylist greylist        0 Фев 13 14:41 milter-greylist.sock

-- 
Vladimir Vassiliev <vova@...>
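Added example (not from the thread, and not milter-greylist or sendmail code): a small Python model of the kernel's owner/group/other check for a local milter socket. It shows why the 660 socket from the original question only works if sendmail's supplementary group membership is counted, and that the srwxrwxrwx setup above relies entirely on the 0750 directory to limit who can connect. The uids and gids are constructed sample values.

```python
import os
import stat
from dataclasses import dataclass

# How the kernel evaluates access to a socket path: owner bits if the uid
# matches, else group bits if the file's gid is the caller's primary OR one
# of its supplementary groups, else "other" bits. connect() on a Unix-domain
# socket needs search (x) on the directory and write (w) on the socket file.

@dataclass(frozen=True)
class FileInfo:
    mode: int   # permission bits only, e.g. 0o750
    uid: int
    gid: int

    @classmethod
    def from_path(cls, path: str) -> "FileInfo":
        st = os.stat(path)
        return cls(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)

def allowed(f: FileInfo, uid: int, gids: frozenset, want: int) -> bool:
    """want is a bitmask of 4 (r), 2 (w), 1 (x); only the first matching
    class (owner, group, other) is consulted, exactly as the kernel does."""
    if uid == 0:                       # root bypasses r/w; x needs any x bit
        return (want & 1) == 0 or (f.mode & 0o111) != 0
    if uid == f.uid:
        bits = (f.mode >> 6) & 7
    elif f.gid in gids:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & want) == want

def can_connect(sock_dir: FileInfo, sock: FileInfo, uid: int, gids: frozenset) -> bool:
    return allowed(sock_dir, uid, gids, 1) and allowed(sock, uid, gids, 2)

def findings(sock_dir: FileInfo, sock: FileInfo) -> list:
    """Points a reviewer would flag about a socket/directory pair."""
    out = []
    if sock.mode & 0o002:
        out.append("socket is world-writable; only the directory limits who connects")
    if sock_dir.mode & 0o022:
        out.append("socket directory is group- or world-writable")
    return out

# Constructed ids: greylist uid/gid 200, sendmail uid/gid 25.
SETUP_660 = (FileInfo(0o750, 200, 200), FileInfo(0o660, 200, 200))  # socket "..." 660
SETUP_VV = (FileInfo(0o750, 200, 25), FileInfo(0o777, 200, 200))    # drwxr-x--- / srwxrwxrwx

if __name__ == "__main__":
    print(can_connect(*SETUP_660, 25, frozenset({25, 200})))  # True: group 200 counted
    print(can_connect(*SETUP_660, 25, frozenset({25})))       # False: primary gid only
    print(can_connect(*SETUP_VV, 25, frozenset({25})), findings(*SETUP_VV))
```

`FileInfo.from_path` lets you run the same check against real paths once the socket exists; the sample setups above are the two configurations discussed in this thread.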

Re: [milter-greylist] rights on greylist socket

2009-02-13 by Oliver Fromme

Vladimir Vassiliev wrote:
 > IMHO, the problem is that sendmail doesn't know about its supplementary groups, so its view of permissions is far from the truth.
 > 
 > Here is the best working setup I could achieve:
 > 
 > drwxr-x---  2 greylist sendmail 4096 ??? 13 14:41 /var/milter-greylist
 > 
 > -rw-------  1 greylist greylist 13110069 ??? 13 14:04 greylist.db
 > srwxrwxrwx  1 greylist greylist        0 ??? 13 14:41 milter-greylist.sock

Another possibility is to run milter-greylist as root, then
you can have this:

drwx------   2 root  wheel   512 Feb 13 12:50 /var/milter-greylist
-rw-------   1 root  wheel  8331 Feb 13 12:50 greylist.db
srwx------   1 root  wheel     0 Nov  4 04:43 milter-greylist.sock

Of course, if you run milter-greylist as root, it is strongly
recommended to put it into a jail (like those supported on
FreeBSD) or similarly restricted environment, or use MAC
(mandatory access control) with appropriate policy if your
OS supports it.  (I do not recommend using an ordinary chroot
environment because it is too weak.)

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
Handelsregister: Registergericht Muenchen, HRA 74606,  Geschäftsfuehrung:
secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mün-
chen, HRB 125758,  Geschäftsführer: Maik Bachmann, Olaf Erb, Ralf Gebhart

FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd

It's trivial to make fun of Microsoft products,
but it takes a real man to make them work,
and a God to make them do anything useful.

Re: [milter-greylist] rights on greylist socket

2009-02-13 by Vladimir Vassiliev

> Another possibility is to run milter-greylist as root, then
> you can have this:
> 
> drwx------   2 root  wheel   512 Feb 13 12:50 /var/milter-greylist
> -rw-------   1 root  wheel  8331 Feb 13 12:50 greylist.db
> srwx------   1 root  wheel     0 Nov  4 04:43 milter-greylist.sock
> 
> Of course, if you run milter-greylist as root, it is strongly
> recommended to put it into a jail (like those supported on
> FreeBSD) or similarly restricted environment, or use MAC
> (mandatory access control) with appropriate policy if your
> OS supports it.  (I do not recommend using an ordinary chroot
> environment because it is too weak.)

But here you can't have sendmail as non-root.


-- 
Vladimir Vassiliev <vova@...>

Re: [milter-greylist] rights on greylist socket

2009-02-13 by Oliver Fromme

Vladimir Vassiliev wrote:
 > 
 > > Another possibility is to run milter-greylist as root, then
 > > you can have this:
 > > 
 > > drwx------   2 root  wheel   512 Feb 13 12:50 /var/milter-greylist
 > > -rw-------   1 root  wheel  8331 Feb 13 12:50 greylist.db
 > > srwx------   1 root  wheel     0 Nov  4 04:43 milter-greylist.sock
 > > 
 > > Of course, if you run milter-greylist as root, it is strongly
 > > recommended to put it into a jail (like those supported on
 > > FreeBSD) or similarly restricted environment, or use MAC
 > > (mandatory access control) with appropriate policy if your
 > > OS supports it.  (I do not recommend using an ordinary chroot
 > > environment because it is too weak.)
 > 
 > But here you can't have sendmail as non-root.

You have to run sendmail as root anyway if you want it to
listen on port 25.  (Of course, other parts of sendmail
such as the "queue runner" are running as user smmsp or
whatever you have configured.)

Best regards
   Oliver


Re: [milter-greylist] rights on greylist socket

2009-02-13 by Vladimir Vassiliev

> You have to run sendmail as root anyway if you want it to
> listen on port 25.  (Of course, other parts of sendmail
> such as the "queue runner" are running as user smmsp or
> whatever you have configured.)
> 
Yes, but it's only the listener. See confRUN_AS_USER.


-- 
Vladimir Vassiliev <vova@...>

Re: [milter-greylist] rights on greylist socket

2009-02-13 by Oliver Fromme

Vladimir Vassiliev wrote:
 > 
 > > You have to run sendmail as root anyway if you want it to
 > > listen on port 25.  (Of course, other parts of sendmail
 > > such as the "queue runner" are running as user smmsp or
 > > whatever you have configured.)
 > 
 > Yes, but it's only the listener. See confRUN_AS_USER.

You cannot use confRUN_AS_USER on machines where you have
local users (i.e. local delivery), because then people's
.forward files won't work correctly anymore, unless you
install procmail (or similar) setuid-root, which I regard
as a very bad idea.

Of course, if you don't have local users, then you can use
confRUN_AS_USER in the way you described, and then the
socket (and its directory) must be accessible by the mail
user.

Best regards
   Oliver

