AW: [Mimedefang] Fw: please try again later
Martin Bene
martin.bene at icomedias.com
Thu Apr 4 08:54:52 EST 2002
> > -rwsr-sr-x 1 smmsp smmsp 78692 Mar 25 13:15 mimedefang*
> > -rwsr-sr-x 1 smmsp smmsp 25324 Mar 25 13:15 mimedefang-multiplexor*
> > -rwxr-xr-x 1 root root 63258 Mar 25 13:15 mimedefang.pl*
> But if the socket creation fails, the multiplexor should just
> exit... maybe that's not it. Still, the fact that you're
> running md/md-mux suid is the only difference from my standard
> setup.
Just for the record: I'm running mimedefang as a non-root user myself; here are several points to consider when setting this up:
* there's no reason to run it as smmsp (user used for local mail submissions), I'd recommend having a separate user for mimedefang
* don't run mimedefang/mimedefang multiplexor suid anything - I don't think it was designed as a suid program and so it won't have the necessary paranoid checks built in. OK, you can't do very much with smmsp user/group rights but it's an unnecessary and avoidable exposure.
Here's how I've got it set up:
I've got a separate user "milter" set aside for mimedefang + Kaspersky AVP daemon, and additional directories writable by milter user in /var/run so they can create their pids and sockets.
[root at relay /root]# ls -la /var/run/
drwxr-xr-x 2 milter milter 4096 Apr 4 01:16 kav
drwxr-xr-x 2 milter milter 4096 Mar 15 11:41 mimedefang
[root at relay spool]# ls /var/spool/
drwxr-x--- 848 milter milter 69632 Apr 4 15:37 MIMEDefang
drwxrwx--- 2 smmsp smmsp 4096 Apr 4 15:36 clientmqueue
Multiplexor and mimedefang are started from the sendmail startup script by root to run as user milter:
echo -n "Starting mimefilter: "
rm -f /var/run/mimedefang/mimedefang.sock /var/run/mimedefang/mimedefang-multi.sock
daemon --user milter /usr/local/bin/mimedefang-multiplexor -s /var/run/mimedefang/mimedefang-multi.sock -x 10 -m 2 -l
daemon --user milter /usr/local/bin/mimedefang -m /var/run/mimedefang/mimedefang-multi.sock -p /var/run/mimedefang/mimedefang.sock
This way I don't need any additional suid files and still get mimedefang running as non-root user.
As an aside: I've got the Kaspersky AV scanner daemon running under the same user because the scanner needs to be able to look into the /var/spool/MIMEDefang/Work directories, and I didn't want to fiddle with mimedefang source to get it to use different permissions.
Bye, Martin
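
An audit check for the layout described in the message above, added here as an example; it is not part of the original post or of the MIMEDefang distribution. The function names are hypothetical, the user name and paths in the usage comment are the ones from the post, and the directory-mode check assumes the modes shown in its listings.

```shell
#!/bin/sh
# Added example (not from the original post): audit a MIMEDefang install
# against the non-suid, dedicated-user layout the post describes.

# True if the file carries a setuid or setgid bit.
is_suid_or_sgid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Owner name of a path, taken from the third field of `ls -ld`.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# True if $1 is a directory owned by user $2 with no group/other write bit.
# Assumption: this mirrors the drwxr-xr-x / drwxr-x--- modes in the listings.
dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(owner_of "$1")" = "$2" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        d????-??-?) return 0 ;;   # char 6 = group write, char 9 = other write
        *)          return 1 ;;
    esac
}

# audit <user> <run-dir> <spool-dir> <binary>...
audit() {
    user=$1 rundir=$2 spool=$3
    shift 3
    rc=0
    for bin in "$@"; do
        if is_suid_or_sgid "$bin"; then
            echo "FAIL: $bin is setuid/setgid; clear the bit and start it as $user"
            rc=1
        fi
    done
    for d in "$rundir" "$spool"; do
        if ! dir_ok "$d" "$user"; then
            echo "FAIL: $d is not a directory owned by $user without group/other write"
            rc=1
        fi
    done
    return $rc
}

# Example: sh audit.sh milter /var/run/mimedefang /var/spool/MIMEDefang \
#              /usr/local/bin/mimedefang /usr/local/bin/mimedefang-multiplexor
if [ "$#" -ge 4 ]; then
    audit "$@"
fi
```

The script prints one FAIL line per finding and exits non-zero if any check fails, so it can run from cron or a post-install hook.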