spamass-milt-list
Re: spamassass-milter-0.2.0+cvs


From: Niki Waibel
Subject: Re: spamassass-milter-0.2.0+cvs
Date: Sun, 19 Oct 2003 15:01:13 +0200 (MEST)

>> Oct 17 16:28:51 enterprise2 sendmail[10763]:
>>         [ID 801593 mail.crit] NOQUEUE: SYSERR(smmilter):
>>         /opt/newlogic/opt/sendmail/8.12.10/etc/mail/sendmail.cf: line 0: cannot open: Permission denied
>> 
>> since i updated to spamassass-milter-0.2.0+cvs i get this error in
>> the syslog.
>> 
>> milter and spamassassin run as some unpriv user and they have no
>> access to that file. should they have access?
> 
> They shouldn't need access, but the sendmail binary should.  The CVS
> version runs "sendmail -bv address@hidden" to expand aliases and
> virtusertable entries.  If you run that from a shell prompt as a
> regular user, do you get error messages?

this is the problem! if i verify email addr as unpriv user:
===
$ id -a
uid=126(smmilter) gid=126(smmilter) groups=126(smmilter)
$ /usr/lib/sendmail -bv address@hidden
/opt/newlogic/opt/sendmail/8.12.10/etc/mail/sendmail.cf: line 102: fileclass: cannot open '/opt/newlogic/opt/sendmail/8.12.10/etc/mail/local-host-names_24': Permission denied
Notice: -bv may give misleading output for non-privileged user
can not chdir(/opt/newlogic/opt/sendmail/8.12.10/var/spool/mqueue_24/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
$ Oct 19 14:18:51 enterprise2 sendmail[13202]: [ID 801593 mail.crit] NOQUEUE: SYSERR(smmilter): /opt/newlogic/opt/sendmail/8.12.10/etc/mail/sendmail.cf: line 102: fileclass: cannot open '/opt/newlogic/opt/sendmail/8.12.10/etc/mail/local-host-names_24': Permission denied
Oct 19 14:18:51 enterprise2 sendmail[13202]: [ID 801593 mail.crit] NOQUEUE: SYSERR(smmilter): can not chdir(/opt/newlogic/opt/sendmail/8.12.10/var/spool/mqueue_24/): Permission denied
===

but if i use the submit.cf file:
===
$ /usr/lib/sendmail -Ac -bv address@hidden
Notice: -bv may give misleading output for non-privileged user
address@hidden deliverable: mailer relay, host [localhost], user address@hidden
===
then everything is fine.
this is what's done when a user calls sendmail directly.
the user is not allowed to get a list of recipients!

sendmail/SECURITY:
===
What doesn't work anymore
-------------------------
Normal users can't use mailq anymore to see the MTA mail queue.
There are several ways around it, e.g., changing QueueFileMode
or giving users access via a program like sudo.
sendmail -bv may give misleading output for normal users since it
may not be able to access certain files, e.g., .forward files of
other users.
===

i don't understand
===
sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
===
completely.

can you explain why you need to know the recipients?

if it is not absolutely necessary to know all recipients,
what about having a switch to use ``/usr/lib/sendmail -Ac ...''
instead of ``/usr/lib/sendmail -Am ...'' (which is the default in
-bv mode)?

and/or a switch to get rid of calling /usr/lib/sendmail again... this
could be a good way to reduce the load in high traffic environments.

what do you think?

niki
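
The two outcomes shown in the message above, as an added example (not part of the original message and not spamass-milter code): a shell function that decides whether captured `sendmail -bv` output can be used for recipient expansion or has to be discarded because sendmail ran without the privileges it needed. The function name, exit codes, paths and addresses are assumptions; the sample text is constructed from the lines in the transcript.

```shell
#!/bin/sh
# Added example, not spamass-milter code. Names and exit codes are assumptions.
# bv_recipients OUTPUT
#   0: expanded recipients printed, one per line
#   1: no "deliverable" line found
#   2: sendmail ran without the privileges it needed; do not trust the output

bv_recipients() {
    bv_out=$1
    # Failure markers as they appear in the transcript above. The "Notice:"
    # line is NOT one of them: it is also printed on the successful -Ac run.
    case $bv_out in
        *"Permission denied"*|*"requires special privileges"*) return 2 ;;
    esac
    # "<addr> deliverable: mailer M, [host H,] user U"  ->  U
    bv_rcpts=$(printf '%s\n' "$bv_out" |
        sed -n 's/^.* deliverable: mailer [^,]*,.* user \(.*\)$/\1/p')
    [ -n "$bv_rcpts" ] || return 1
    printf '%s\n' "$bv_rcpts"
}

# Constructed sample output (paths and addresses are placeholders).
SAMPLE_DENIED="/etc/mail/sendmail.cf: line 102: fileclass: cannot open '/etc/mail/local-host-names': Permission denied
Notice: -bv may give misleading output for non-privileged user
can not chdir(/var/spool/mqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser."

SAMPLE_OK="Notice: -bv may give misleading output for non-privileged user
user@example.org deliverable: mailer relay, host [localhost], user user@example.org"

for sample in "$SAMPLE_DENIED" "$SAMPLE_OK"; do
    if rcpt=$(bv_recipients "$sample"); then
        echo "expanded to: $rcpt"
    else
        echo "unusable -bv output (status $?)"
    fi
done
```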




