From: Matthew Seaman
To: Gary Aitken
Cc: questions@freebsd.org
Date: Sun, 17 Oct 2004 11:39:16 +0100
Subject: Re: installation of sendmail milters, security questions
Message-ID: <20041017103916.GA9251@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <4171D15D.5010004@dreamchaser.org>

On Sat, Oct 16, 2004 at 07:56:45PM -0600, Gary Aitken wrote:
> Trying to install milter-greylist.
> After configuring sendmail, and without the milter-greylist daemon
> running, maillog contains messages of the type:
>
> sm-mta[59533]: i9H12H4P059533: Milter (greylist): local socket name
> /var/milter-greylist/milter-greylist.sock unsafe
>
> From what I've been able to dig up, this is because sendmail thinks
> it's unsafe to read/write that socket.

No, this is sendmail's convoluted way of telling you that
milter-greylist isn't actually running, and so it would be unsafe
(ie. might result in lost e-mail) if it was to attempt to communicate
via the socket with that non-existent process. It doesn't have
anything to do with the ownership/permissions of either the
milter-greylist socket, or the milter-greylist process itself.

The answer is just to start up the milter-greylist process.

> Upon checking, I discovered /var/milter-greylist was owned by smmsp,
> so I changed it to root. Unfortunately, that didn't solve the
> problem.

Um... don't do that. Leave the permissions as they were when the port
was installed. The various parts of the mail system are deliberately
configured to run as *non root* for security reasons: essentially, if
someone can take over the process by eg. a buffer overflow attack, all
they get is a process with ordinary user credentials, so limiting the
amount of damage they can do. /var/milter-greylist has to be writable
by the UID milter-greylist runs as, and the best way of doing that is
to give that UID ownership of the directory.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
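
An added example, not part of the original message or of milter-greylist: a small diagnostic for the two things the reply discusses, whether any process is actually listening on the milter's local socket, and whether the socket directory is owned by a non-root UID that can write to it. The function names and the result labels are assumptions made for illustration; the default path is the one from the quoted maillog line.

```python
import os
import socket
import stat
import sys

def milter_socket_state(path):
    """Return 'missing', 'not-a-socket', 'no-access', 'no-listener' or 'listening'."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return "missing"            # daemon never started, or removed its socket on exit
    except PermissionError:
        return "no-access"
    if not stat.S_ISSOCK(mode):
        return "not-a-socket"
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(2)
        try:
            s.connect(path)         # connect and close; no milter protocol is spoken
        except ConnectionRefusedError:
            return "no-listener"    # stale socket file left behind by a dead daemon
        except PermissionError:
            return "no-access"
    return "listening"

def socket_dir_findings(dirpath):
    """List problems with the socket directory's ownership and owner write bit."""
    try:
        st = os.stat(dirpath)
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if st.st_uid == 0:
        findings.append("owned-by-root")       # the reply: keep it owned by the milter's UID
    if not st.st_mode & stat.S_IWUSR:
        findings.append("owner-cannot-write")  # the milter must be able to create its socket
    return findings

if __name__ == "__main__":
    # Default is the socket path from the quoted maillog line; pass another as argv[1].
    sock = sys.argv[1] if len(sys.argv) > 1 else "/var/milter-greylist/milter-greylist.sock"
    print("socket:", milter_socket_state(sock))
    print("directory:", socket_dir_findings(os.path.dirname(sock)) or "ok")
```

A result of "missing" or "no-listener" corresponds to the situation the reply describes, where the milter-greylist process is not running.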