installation of sendmail milters, security questions
Matthew Seaman
m.seaman at infracaninophile.co.uk
Sun Oct 17 03:39:31 PDT 2004
On Sat, Oct 16, 2004 at 07:56:45PM -0600, Gary Aitken wrote:
> Trying to install milter-greylist.
> After configuring sendmail, and without the milter-greylist daemon
> running, maillog contains messages of the type:
>
> sm-mta[59533]: i9H12H4P059533: Milter (greylist): local socket name
> /var/milter-greylist/milter-greylist.sock unsafe
>
> From what I've been able to dig up, this is because sendmail thinks
> it's unsafe to read/write that socket.
No, this is sendmail's convoluted way of telling you that
milter-greylist isn't actually running, and so it would be unsafe
(i.e. might result in lost e-mail) if it was to attempt to communicate
via the socket with that non-existent process. It doesn't have
anything to do with the ownership/permissions of either the
milter-greylist socket, or the milter-greylist process itself.
The answer is just to start up the milter-greylist process.
> Upon checking, I discovered /var/milter-greylist was owned by smmsp,
> so I changed it to root. Unfortunately, that didn't solve the
> problem.
Um... don't do that. Leave the permissions as they were when the port
was installed. The various parts of the mail system are deliberately
configured to run as *non root* for security reasons: essentially, if
someone can take over the process by e.g. a buffer overflow attack, all
they get is a process with ordinary user credentials, so limiting the
amount of damage they can do. /var/milter-greylist has to be writable
by the UID milter-greylist runs as, and the best way of doing that is
to give that UID ownership of the directory.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK