I had set up the MSA to require authentication on the external
interface only, recent changes made it problematic to trust 127 by
default, so I reinstalled sendmail.mc with just:
DAEMON_OPTIONS(`Family=inet, Name=MSP-v4, Port=submission, M=Ea')dnl
After that
root:~# echo test | sendmail -X /tmp/log user
fails with
18547 >>> EHLO external-hostname
18547 <<< 250-external-hostname Hello smmsp@localhost [127.0.0.1], pleased to meet you
[...]
18547 >>> >>> MAIL From:<root@external-hostname> SIZE=6 AUTH=root@external-hostname
18547 >>> <<< 530 5.7.0 Authentication required
18547 >>> 554 5.0.0 Service unavailable
Can I have sendmail MSA trust the authentication of mails issued not
via port but command line sendmail?
ska
Most likely your submit.cf (not sendmail.cf) is configured to relay mail
via 127.0.0.1:587 instead of the default 127.0.0.1. You can make submit.cf
use the default port by changing submit.mc and generating a new submit.cf.
In submit.mc change:
FEATURE(`msp', `[127.0.0.1]', `MSA')dnl
to
FEATURE(`msp', `[127.0.0.1]')dnl
URL(s):
http://www.sendmail.org/m4/features.html#msp
--
[pl>en Andrew] Andrzej Adam Filip : an...@priv.onet.pl : an...@xl.wp.pl
Thirteen at a table is unlucky only when the hostess has only twelve chops.
-- Groucho Marx
----
http://groups.google.com/groups/profile?user=anfi%40onet.eu
http://groups.google.com/groups?selm=0m6l3txf78%40domitila.fsf.hobby-site.com
You have been correct. It seems that this is the default in Debian
Etch.
However, is it possible to pass along the fact that the sendmail
binary had been used to submit the mail and that the submitter is
already authenticated as the system user?
I guess I have to build something like to trust ${auth_author} if $_
is smmsp@localhost, because I can trust ident on localhost.
ska
Sendmail on Debian is built with _FFR_DAEMON_NETUNIX.
<quote src="sendmail/conf.c">
/* Allow local (not just TCP) socket connection to server. */
</quote>
It makes it possible to pass messages between MSA and MTA via a unix socket
accessible (due to file permissions) only to the unix group sendmail uses
as setgid.
Command to test compiled in FFR (For Future Release):
/usr/sbin/sendmail -d0.13 -bv root
--
[pl>en Andrew] Andrzej Adam Filip : an...@priv.onet.pl : an...@xl.wp.pl
Nullum magnum ingenium sine mixtura dementiae fuit.
[There is no great genius without some touch of madness.]
-- Seneca
My intention is to know the mail author in the milter, because certain
user groups have different rights. Using sockets I hoped the sendmail
MTA would pick up the user id of the other end of the local socket
(aka implicit authentication), but it doesn't.
ska
/etc/mail/sendmail.mc:
DAEMON_OPTIONS(`Family=local, Name=MTA-Unix, Addr=/var/run/sendmail/mta/smsocket, M=SE')dnl
/etc/mail/submit.mc:
dnl #---------------------------------------------------------------------
dnl # The real reason we're here: the FEATURE(msp)
dnl #---------------------------------------------------------------------
dnl ska!FEATURE(`msp', `[127.0.0.1]', `MSA')dnl
define(`RELAY_MAILER_ARGS', `FILE /var/run/sendmail/mta/smsocket')dnl
FEATURE(`msp')dnl
Funnily /var/run/sendmail/mta/smsocket was already present before, but
as a zero-length regular file.
ska
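The setup above only does its job if the path really is a socket (not the zero-length regular file mentioned in the post) and if its permissions keep it to the group sendmail runs setgid as. A check for that, added here as an example and not taken from any post in this thread; `audit_mta_socket` and `expected_gid` are hypothetical names, and the fixtures in `demo()` are constructed in a temporary directory:

```python
import os
import socket
import stat
import tempfile


def audit_mta_socket(path, expected_gid):
    """Return a list of findings; an empty list means the socket looks sane."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISSOCK(st.st_mode):
        # The case from the post: a zero-length regular file at the socket path.
        return [f"{path}: not a socket (mode {stat.filemode(st.st_mode)}, size {st.st_size})"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: accessible to 'other' (mode {mode:o})")
    if not mode & stat.S_IWGRP:
        findings.append(f"{path}: group lacks write, the MSP cannot connect")
    if st.st_gid != expected_gid:  # expected_gid is an assumption: sendmail's setgid group
        findings.append(f"{path}: gid {st.st_gid}, expected {expected_gid}")
    # Some systems ignore permissions on the socket itself, so check the directory too.
    parent = os.path.dirname(os.path.abspath(path))
    if stat.S_IMODE(os.stat(parent).st_mode) & stat.S_IWOTH:
        findings.append(f"{parent}: world-writable directory")
    return findings


def demo():
    """Constructed fixtures: a stale regular file and a real bound socket."""
    with tempfile.TemporaryDirectory() as base:  # created with mode 0700
        stale = os.path.join(base, "stale")
        open(stale, "w").close()
        live = os.path.join(base, "smsocket")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(live)
        os.chmod(live, 0o660)
        gid = os.stat(live).st_gid
        results = (audit_mta_socket(stale, gid), audit_mta_socket(live, gid))
        srv.close()
    return results


if __name__ == "__main__":
    for findings in demo():
        print(findings or "ok")
```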
> Just for reference, I did this:
>
> /etc/mail/sendmail.mc:
> DAEMON_OPTIONS(`Family=local, Name=MTA-Unix, Addr=/var/run/sendmail/mta/smsocket, M=SE')dnl
Why have you named it MTA-Unix instead of MSP-unix?
> /etc/mail/submit.mc:
> dnl #---------------------------------------------------------------------
> dnl # The real reason we're here: the FEATURE(msp)
> dnl #---------------------------------------------------------------------
> dnl ska!FEATURE(`msp', `[127.0.0.1]', `MSA')dnl
> define(`RELAY_MAILER_ARGS', `FILE /var/run/sendmail/mta/smsocket')dnl
> FEATURE(`msp')dnl
>
> Funnily /var/run/sendmail/mta/smsocket was already present before, but
> as a zero-length regular file.
--
[pl>en Andrew] Andrzej Adam Filip : an...@priv.onet.pl : an...@xl.wp.pl
Four fifths of the perjury in the world is expended on tombstones, women
and competitors.
-- Lord Thomas Dewar
Ident info ($_) is reliable for connections from 127.0.0.1 *BUT* it will
be useless for non instant deliveries.
How many different "user groups" do you have to distinguish?
[ There are *many* ways to get what you want but I would like to suggest
the least complicated *fit* ]
--
[pl>en Andrew] Andrzej Adam Filip : an...@priv.onet.pl : an...@xl.wp.pl
The Harvard Law states: Under controlled conditions of light, temperature,
humidity, and nutrition, the organism will do as it damn well pleases.
-- Larry Wall in <1997101618...@wall.org>