[Mimedefang] List troubles
John Rudd
john at rudd.cc
Fri Mar 31 16:30:10 EST 2006
On Mar 31, 2006, at 12:01 PM, Richard A Nelson wrote:
> On Fri, 31 Mar 2006, Kenneth Porter wrote:
>
>> --On Friday, March 31, 2006 9:32 AM -0400 "Oliver Schulze L."
>> <oliver at samera.com.py> wrote:
>>
>>> Nice option to sendmail. I think it would be nice if sendmail can
>>> run as
>>> a normal user, given the recent security issues.
>>
>> I hadn't really thought about it before, but sendmail probably
>> doesn't do a lot that requires root privilege. The LDA can be suid to
>> access mailboxes, and that leaves just the creation of the sub-1024
>> sockets.
>
> there's a document on the sendmail site, and in Security or somesuch in
> the distribution that talks about this...
>
> It is fairly easy, but there are some big pitfalls:
> * Port 25
> * .forward
> * non suid LDA
The last two aren't important if you're running MD/Sendmail on a gateway
instead of an end-user machine (actually, they don't matter to me at
all -- the MTA/LDA/etc software on the machine the users use is
entirely different (CommuniGate Pro), so the idea of a .forward or an
LDA are concepts that just don't apply to some situations).
The 1st one is the hurdle, IMO. And, it can be solved in a few
different ways.
At home, where I'm behind a NAT box, I can just pick which port
sendmail will run on, and have the NAT box direct to that port. I
think at work, our load balancer could do something similar.
Or, I could use some form of tunneling service (stunnel perhaps, with
some machinations; but I don't remember if there's a more generic
(non-ssl specific) counterpart to stunnel) to forward ports within a
local machine. Though, the tunnel option costs you connection
information (you'll get the connection information for your tunnel
host, instead of the actual sender, keeping you from doing things like
DNSBLs).
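The caveat at the end of this message (a userland tunnel hands the MTA the tunnel host's connection details, not the real client's) is easy to see with a small experiment. The following is an added example, not code from the thread, from sendmail or from MIMEDefang: a constructed stand-in "MTA" that records the peer address accept() reports, a minimal generic TCP forwarder of the kind the author wonders about (the non-SSL counterpart of stunnel), and a client that connects through it. Everything runs on loopback with kernel-chosen ports, so no port 25 and no root are needed; the function names and the "220" banner are assumptions for the demonstration only.

```python
import socket
import threading

HOST = "127.0.0.1"   # everything runs on loopback so the example is self-contained


def _recv_line(sock):
    """Read until CRLF (or EOF) and return the bytes read."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def start_backend():
    """Stand-in for the MTA (hypothetical; not sendmail). Listens on an
    unprivileged kernel-chosen port, accepts one connection, records the
    peer address accept() reports, sends a banner and exits.
    Returns (port, result); result["peer"] is filled once a client connects."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))          # port 0: the kernel picks a free high port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def serve():
        conn, peer = srv.accept()
        result["peer"] = peer    # this is the address a DNSBL check would key on
        conn.sendall(b"220 peer seen as %s:%d\r\n" % (peer[0].encode(), peer[1]))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, result


def start_forwarder(target_port):
    """Userland TCP forwarder: what a generic (non-SSL) stunnel-style tunnel
    does. Accepts one client, opens its *own* connection to the target and
    pumps bytes both ways. Returns (listen_port, result); result["outbound"]
    is the local address of the forwarder's upstream socket, i.e. the
    address the backend will see instead of the client's."""
    lsn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsn.bind((HOST, 0))
    lsn.listen(1)
    port = lsn.getsockname()[1]
    result = {}

    def pump(src, dst):
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    break
                dst.sendall(data)
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass                 # one side already closed; nothing more to pump

    def serve():
        client, _ = lsn.accept()
        upstream = socket.create_connection((HOST, target_port))
        result["outbound"] = upstream.getsockname()
        threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
        pump(upstream, client)   # backend -> client, runs until the backend closes
        client.close()
        upstream.close()
        lsn.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, result


def connect_via(port):
    """Client side: connect, read the banner, return (our own address, banner)."""
    c = socket.create_connection((HOST, port))
    local = c.getsockname()
    banner = _recv_line(c).decode()
    c.close()
    return local, banner


def demo():
    """Route one connection through the forwarder and report who saw what."""
    backend_port, backend = start_backend()
    fwd_port, fwd = start_forwarder(backend_port)
    client_addr, banner = connect_via(fwd_port)
    return {
        "client": client_addr,                  # real origin of the connection
        "mta_saw": backend["peer"],             # what the stand-in MTA was told
        "forwarder_outbound": fwd["outbound"],  # the tunnel's own socket
        "banner": banner,
    }


if __name__ == "__main__":
    r = demo()
    print("client really was     :", r["client"])
    print("MTA saw               :", r["mta_saw"])
    print("forwarder's own socket:", r["forwarder_outbound"])
```

The backend's recorded peer is exactly the forwarder's outbound socket, never the client's: the MTA cannot distinguish a legitimate relay from a spam source behind the tunnel, so DNSBL lookups and per-client rate limits key on the wrong address. A kernel-level redirect, such as the port forward on the NAT box mentioned above or an `iptables -t nat ... REDIRECT` rule on the gateway itself, only rewrites the destination port; accept() then still returns the original client address, which is why it is the better fit when the non-root daemon has to listen on a high port.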