Les Mikesell wrote:

> I never understood why all the mailers that make a big deal out
> of being more secure than sendmail by splitting the jobs and using
> separate uids for their processes left out the part you really need,
> which is a hook to scan content before accepting at the smtp level.

Actually, it is not sendmail's fault that it runs as root. You can have sendmail running as a non-priv user too. If you don't need to support kludges such as .forward files, it is easier to configure. If you need to support kludges such as .forward files, then it is a harder (but not impossible) task.

If you noticed that /var/spool/mail files are historically owned by group mail, mode 660, well, they were set up that way so that the MTA and LDA do not need to be running as root.

Of course, sendmail running as a non-priv user will not have some functionality that aliases and dot-forward files provide; however, IMO, this is something you can live without (or implement in a different way). And really, most of the stuff you lose by not running the MTA as root isn't something that the MTA should be doing in the first place. That's why we made the separation into MTA and LDA.

A Sendmail/Cyrus combination, where .forward files are usually not present and the equivalent functionality is handled by the LDA (using Sieve), should be relatively simple to configure that way. This is because in Cyrus, the idea of providing users with the functionality of .forward files was implemented the right way.

And really, sendmail (as MTA) shouldn't be concerned with local users or mailboxes. It should only perform the task of transporting the email (for which no root privileges are needed, apart from binding to port 25 at startup time).

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB R3T 1L7
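The two points the post rests on, bind the privileged port while still root and then drop to an unprivileged account, and a group-mail/mode-660 spool that an unprivileged MTA or LDA can still write to, as an added example in Python that is not from the thread or from sendmail itself; the account name "mail", the spool path and port 25 are assumptions:

```python
# Added example, not code from the original thread or from sendmail.
# Assumptions: an unprivileged account "mail" exists and the daemon is
# started as root only so that it can bind port 25.
import os
import pwd
import socket


def bind_smtp_socket(port=25, host="0.0.0.0"):
    """Open the listening socket while still privileged (ports < 1024)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    return s


def drop_privileges(uid, gid):
    """Give up root permanently. Order matters: supplementary groups and
    gid first, uid last, because once the uid is non-zero the group
    changes would be refused."""
    if os.geteuid() == 0:
        os.setgroups([gid])  # discard inherited supplementary groups (root only)
    os.setgid(gid)
    os.setuid(uid)


def privileges_dropped():
    """True if the process can no longer become root (setuid(0) refused)."""
    try:
        os.setuid(0)
    except PermissionError:
        return os.geteuid() != 0
    return False


def spool_writable_as_group(path, gid):
    """The historical /var/spool/mail layout: owned by group `gid`, mode 660,
    so a process in that group can write it without root and others cannot."""
    st = os.stat(path)
    return st.st_gid == gid and (st.st_mode & 0o077) == 0o060


if __name__ == "__main__":
    listener = bind_smtp_socket(25)           # needs root or CAP_NET_BIND_SERVICE
    pw = pwd.getpwnam("mail")                 # assumed unprivileged account
    drop_privileges(pw.pw_uid, pw.pw_gid)     # from here on, root is gone
    print("listening as uid", os.geteuid(), "dropped:", privileges_dropped())
    print("spool usable:", spool_writable_as_group("/var/spool/mail", pw.pw_gid))
    listener.close()
```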