Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 17 Oct 2004 11:39:16 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Gary Aitken <garya@dreamchaser.org>
Cc:        questions@freebsd.org
Subject:   Re: installation of sendmail milters, security questions
Message-ID:  <20041017103916.GA9251@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <4171D15D.5010004@dreamchaser.org>
References:  <4171D15D.5010004@dreamchaser.org>
next in thread | previous in thread | raw e-mail | index | archive | help 

[-- Attachment #1 --]
On Sat, Oct 16, 2004 at 07:56:45PM -0600, Gary Aitken wrote:

> Trying to install milter-greylist.
> After configuring sendmail, and without the milter-greylist daemon
> running, maillog contains messages of the type:
> 
> sm-mta[59533]: i9H12H4P059533: Milter (greylist): local socket name 
> /var/milter-greylist/milter-greylist.sock unsafe
> 
> From what I've been able to dig up, this is because sendmail thinks
> it's unsafe to read/write that socket.

No, this is sendmail's convoluted way of telling you that
milter-greylist isn't actually running, and so it would be unsafe
(ie. might result in lost e-mail) if it was to attempt to communicate
via the socket with that non-existent process.  It doesn't have
anything to do with the ownership/permissions of either the
milter-greylist socket, or the milter-greylist process itself.

The answer is just to start up the milter-greylist process.

> Upon checking, I discovered /var/milter-greylist was owned by smmsp,
> so I changed it to root.  Unfortunately, that didn't solve the
> problem.

Um... don't do that.  Leave the permissions as they were when the port
was installed.  The various parts of the mail system are deliberately
configured to run as *non root* for security reasons: essentially, if
someone can take over the process by eg. a buffer overflow attack, all
they get is a process with ordinary user credentials, so limiting the
amount of damage they can do.  /var/milter-greylist has to be writable
by the UID milter-greylist runs as, and the best way of doing that is
to give that UID ownership of the directory.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

[-- Attachment #2 --]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBckvTiD657aJF7eIRAmZfAKCz86JKRQM6oEzGXcqMYftDJQcKDACZAU81
sXqD9tkYsZeSlCkHsrqmS2Y=
=IQyB
-----END PGP SIGNATURE-----

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041017103916.GA9251>