[Mimedefang] List troubles

John Rudd john at rudd.cc
Fri Mar 31 16:30:10 EST 2006

On Mar 31, 2006, at 12:01 PM, Richard A Nelson wrote:

> On Fri, 31 Mar 2006, Kenneth Porter wrote:
>> --On Friday, March 31, 2006 9:32 AM -0400 "Oliver Schulze L." 
>> <oliver at samera.com.py> wrote:
>>> Nice option to sendmail. I think it would be nice if sendmail can 
>>> run as
>>> a normal user, given the recent security issues.
>> I hadn't really thought about it before, but sendmail probably 
>> doesn't do a lot that requires root privilege. The LDA can be suid to 
>> access mailboxes, and that leaves just the creation of the sub-1024 
>> sockets.
> there's a document on the sendmail site, and in Security or somesuch in
> the distribution that talks about this...
> It is fairly easy, but there some big pitfalls:
> 	* Port 25
> 	* .forward
> 	* non suid LDA

The last two aren't important if you're running MD/Sendmail on a gateway 
instead of an end-user machine (actually, they don't matter to me at 
all -- the MTA/LDA/etc software on the machine the users use is 
entirely different (CommuniGate Pro), so the idea of a .forward or an 
LDA are concepts that just don't apply to some situations).

The 1st one is the hurdle, IMO.  And, it can be solved in a few 
different ways.

At home, where I'm behind a NAT box, I can just pick which port 
sendmail will run on, and have the NAT box direct to that port.  I 
think at work, our load balancer could do something similar.

Or, I could use some form of tunneling service (stunnel perhaps, with 
some machinations; but I don't remember if there's a more generic 
(non-ssl specific) counterpart to stunnel) to forward ports within a 
local machine.  Though, the tunnel option costs you connection 
information (you'll get the connection information for your tunnel 
host, instead of the actual sender, keeping you from doing things like 
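Added illustration, not part of the thread and not sendmail or stunnel code: a minimal TCP relay in Python (standing in for stunnel or any generic port forwarder) in front of a stand-in listener on an unprivileged port. It shows the cost John describes: the backend's accept() reports the relay's own outbound socket, so the original client's address never reaches it. The banner text and the ephemeral 127.0.0.1 ports are constructed for the demo.

```python
"""Minimal TCP relay demo: what a tunnel/forwarder costs you in connection info.

The backend (think: an MTA listening on an unprivileged port) only ever sees the
relay's outbound socket as its peer, not the real client. All addresses are
ephemeral ports on 127.0.0.1, constructed for this example.
"""
import socket
import threading


def start_backend():
    """Stand-in listener on an unprivileged ephemeral port.

    Records the peer address it observes, sends a constructed SMTP-style
    banner, then closes. Returns (bound address, observations, thread).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = {}

    def serve():
        conn, peer = srv.accept()
        seen["peer"] = peer  # this is all the backend learns about "who connected"
        conn.sendall(b"220 relay-demo ESMTP\r\n")
        conn.close()
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname(), seen, thread


def start_forwarder(upstream):
    """Generic TCP relay (stunnel minus the TLS): accept one client and pipe
    bytes in both directions over a fresh outbound connection to `upstream`.

    Returns (listen address, observations, thread); observations["outbound"]
    is the local address of the relay's upstream socket.
    """
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)
    info = {}

    def pump(src, dst):
        # Copy until EOF, then half-close the destination so EOF propagates.
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

    def relay():
        client, _ = lsock.accept()
        out = socket.create_connection(upstream)
        info["outbound"] = out.getsockname()  # the address the backend will see
        c2u = threading.Thread(target=pump, args=(client, out), daemon=True)
        u2c = threading.Thread(target=pump, args=(out, client), daemon=True)
        c2u.start()
        u2c.start()
        u2c.join()
        c2u.join()
        client.close()
        out.close()
        lsock.close()

    thread = threading.Thread(target=relay, daemon=True)
    thread.start()
    return lsock.getsockname(), info, thread


def demo():
    """Connect a client through the relay and report what each side observed."""
    backend_addr, seen, backend_thread = start_backend()
    relay_addr, relay_info, relay_thread = start_forwarder(backend_addr)

    client = socket.create_connection(relay_addr)
    client_addr = client.getsockname()  # the real sender's address
    banner = b""
    while True:
        chunk = client.recv(1024)
        if not chunk:
            break
        banner += chunk
    client.close()
    backend_thread.join(5)
    relay_thread.join(5)

    return {
        "banner": banner,
        "client": client_addr,
        "backend_saw": seen["peer"],
        "relay_outbound": relay_info["outbound"],
    }


if __name__ == "__main__":
    result = demo()
    print("client really was   :", result["client"])
    print("backend saw peer as :", result["backend_saw"])
    print("relay outbound sock :", result["relay_outbound"])
```

The backend's peer equals the relay's outbound socket, so anything keyed on the connecting address (access lists, rate limits, reverse-DNS checks) is evaluated against the tunnel host. A NAT or load-balancer redirect at the packet level, as mentioned above, preserves the source address, which is why it is the less lossy way to map port 25 onto an unprivileged port.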

