installation of sendmail milters, security questions
m.seaman at infracaninophile.co.uk
Sun Oct 17 03:39:31 PDT 2004
On Sat, Oct 16, 2004 at 07:56:45PM -0600, Gary Aitken wrote:
> Trying to install milter-greylist.
> After configuring sendmail, and without the milter-greylist daemon
> running, maillog contains messages of the type:
> sm-mta: i9H12H4P059533: Milter (greylist): local socket name
> /var/milter-greylist/milter-greylist.sock unsafe
> From what I've been able to dig up, this is because sendmail thinks
> it's unsafe to read/write that socket.

No, this is sendmail's convoluted way of telling you that
milter-greylist isn't actually running, and so it would be unsafe
(i.e. might result in lost e-mail) if it was to attempt to communicate
via the socket with that non-existent process. It doesn't have
anything to do with the ownership/permissions of either the
milter-greylist socket, or the milter-greylist process itself.

The answer is just to start up the milter-greylist process.

> Upon checking, I discovered /var/milter-greylist was owned by smmsp,
> so I changed it to root. Unfortunately, that didn't solve the

Um... don't do that. Leave the permissions as they were when the port
was installed. The various parts of the mail system are deliberately
configured to run as *non root* for security reasons: essentially, if
someone can take over the process by e.g. a buffer overflow attack, all
they get is a process with ordinary user credentials, so limiting the
amount of damage they can do. /var/milter-greylist has to be writable
by the UID milter-greylist runs as, and the best way of doing that is
to give that UID ownership of the directory.
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
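
Added example, not part of the original message: a POSIX shell check for the two conditions discussed in the thread, namely that the milter's socket directory is still owned by its unprivileged account and that the socket is actually present. The function names are hypothetical, and the default path and owner (`smmsp`) are taken from the thread as assumptions; pass the values that apply to your installation.

```shell
#!/bin/sh
# Added example: sanity-check a milter socket directory.
# Defaults come from the thread and are assumptions; override as needed.
SOCK_DEFAULT=/var/milter-greylist/milter-greylist.sock
OWNER_DEFAULT=smmsp

# owner_of PATH -> prints the owning user (parses ls -ld, so it works
# with both BSD and GNU userlands).
owner_of() {
    ls -ld "$1" 2>/dev/null | awk '{print $3}'
}

# check_milter_socket [SOCKET] [EXPECTED_OWNER]
# Prints one finding per line; returns 0 if nothing needs fixing, else 1.
check_milter_socket() {
    sock=${1:-$SOCK_DEFAULT}
    want=${2:-$OWNER_DEFAULT}
    dir=$(dirname "$sock")
    rc=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"
        return 1
    fi

    have=$(owner_of "$dir")
    if [ "$have" = "root" ] && [ "$want" != "root" ]; then
        # The situation from the thread: directory chowned to root.
        echo "FAIL: $dir is owned by root; restore ownership to $want"
        rc=1
    elif [ "$have" != "$want" ]; then
        echo "FAIL: $dir is owned by $have, expected $want"
        rc=1
    else
        echo "OK: $dir is owned by $have"
    fi

    # A present socket is necessary but not sufficient: a stale socket
    # file can outlive a crashed daemon.
    if [ -S "$sock" ]; then
        echo "OK: $sock exists and is a socket"
    else
        echo "FAIL: $sock is not present; start the milter daemon"
        rc=1
    fi
    return $rc
}
```

Source the file and run `check_milter_socket` with no arguments to use the defaults above.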