AW: [Mimedefang] Fw: please try again later

Martin Bene martin.bene at icomedias.com
Thu Apr 4 08:54:52 EST 2002


> > -rwsr-sr-x 1 smmsp smmsp 78692 Mar 25 13:15 mimedefang*
> > -rwsr-sr-x 1 smmsp smmsp 25324 Mar 25 13:15 mimedefang-multiplexor*
> > -rwxr-xr-x 1 root root 63258 Mar 25 13:15 mimedefang.pl*

> But if the socket creation fails, the multiplexor should just 
> exit... maybe that's not it.  Still, the fact that you're 
> running md/md-mux suid is the only difference from my standard 
> setup.

Just for the record: I'm running mimedefang as a non-root user myself; here are several points to consider when setting this up:

* there's no reason to run it as smmsp (user used for local mail submissions), I'd recommend having a separate user for mimedefang
* don't run mimedefang/mimedefang multiplexor suid anything - I don't think it was designed as a suid program and so it won't have the necessary paranoid checks built in. OK, you can't do very much with smmsp user/group rights but it's an unnecessary and avoidable exposure.

Here's how I've got it set up:

I've got a separate user "milter" set aside for mimedefang + Kaspersky AVP daemon, and additional directories writable by milter user in /var/run so they can create their pids and sockets.

[root at relay /root]# ls -la /var/run/
drwxr-xr-x    2 milter   milter       4096 Apr  4 01:16 kav
drwxr-xr-x    2 milter   milter       4096 Mar 15 11:41 mimedefang

[root at relay spool]# ls /var/spool/
drwxr-x---  848 milter   milter      69632 Apr  4 15:37 MIMEDefang
drwxrwx---    2 smmsp    smmsp        4096 Apr  4 15:36 clientmqueue

Multiplexor and mimedefang are started from the sendmail startup script by root to run as user milter:

echo -n "Starting mimefilter: "
rm -f /var/run/mimedefang/mimedefang.sock /var/run/mimedefang/mimedefang-multi.sock
daemon --user milter /usr/local/bin/mimedefang-multiplexor -s /var/run/mimedefang/mimedefang-multi.sock -x 10 -m 2 -l
daemon --user milter /usr/local/bin/mimedefang -m /var/run/mimedefang/mimedefang-multi.sock -p /var/run/mimedefang/mimedefang.sock

This way I don't need any additional suid files and still get mimedefang running as non-root user.

As an aside: I've got the Kaspersky AV scanner daemon running under the same user because the scanner needs to be able to look into the /var/spool/MIMEDefang/Work directories, and I didn't want to fiddle with mimedefang source to get it to use different permissions.

Bye, Martin
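
A check for the layout described in this message, as an added example that is not part of the original post or of MIMEDefang: it verifies that neither daemon binary is setuid/setgid and that the socket and spool directories have the owner and modes shown in the listings. The function name audit_mimedefang is hypothetical; the default paths and the "milter" user are the ones from the post.

```shell
#!/bin/sh
# Added example: audit a MIMEDefang layout like the one in the post.
# Defaults mirror the paths and user shown above; the function name and
# the exact set of checks are this example's own choices.

audit_mimedefang() {
    bin_dir=${1:-/usr/local/bin}
    run_dir=${2:-/var/run/mimedefang}
    spool_dir=${3:-/var/spool/MIMEDefang}
    user=${4:-milter}
    rc=0

    # 1. Neither daemon binary may carry a setuid or setgid bit.
    for name in mimedefang mimedefang-multiplexor; do
        f=$bin_dir/$name
        if [ ! -e "$f" ]; then
            echo "WARN $f: not found"; rc=1
        elif [ -u "$f" ] || [ -g "$f" ]; then
            echo "FAIL $f: setuid/setgid bit set"; rc=1
        else
            echo "ok   $f: no setuid/setgid bit"
        fi
    done

    # 2. Socket/pid and spool directories must belong to the dedicated user.
    for d in "$run_dir" "$spool_dir"; do
        if [ -n "$(find "$d" -prune -user "$user" -print 2>/dev/null)" ]; then
            echo "ok   $d: owned by $user"
        else
            echo "FAIL $d: missing or not owned by $user"; rc=1
        fi
    done

    # 3. Socket directory: writable by its owner only (drwxr-xr-x above).
    if [ -n "$(find "$run_dir" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "FAIL $run_dir: group- or world-writable"; rc=1
    fi

    # 4. Spool holds message bodies: no access for "other" (drwxr-x--- above).
    if [ -n "$(find "$spool_dir" -prune \( -perm -001 -o -perm -002 -o -perm -004 \) -print 2>/dev/null)" ]; then
        echo "FAIL $spool_dir: accessible to other users"; rc=1
    fi
    return $rc
}
```

Called with no arguments it checks the paths from the post; the return status is non-zero if any check fails, so it can gate the startup script.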


