Rick Widmer wrote:



Existence wrote:

Rick Widmer wrote:

That is what I meant: not everyone is able to have a special server just for mail, and thus running Apache as vpopmail:vchkpw is not an option. If you created some sort of daemon that allows you to communicate with public and private keys, then you can run Apache as www:www and not have to worry about users being able to alter vpopmail stuff because of the mail server running under vpopmail:vchkpw.


It is very easy to start a second instance of Apache. Just create a second httpd.conf file with different users and a different DocumentRoot, and add Listen directives to both httpd.conf files specifying which ports and IP addresses each server handles.

The more I think about it the more it looks like the most secure solution. (Other than a separate mail server.)

I personally don't like the idea that I have to use resources on two running Apaches, but it is indeed possible.




A binary that handled a few information retrieval functions is probably all that would be needed. I think there would be about 4-6 functions it should be able to return data from. I actually considered writing it before I decided to attack the PHP extension.

For the rest we may as well exec the existing programs and not re-invent existing functionality. I've already got a PHP program that manages mail domains that way, but it reads the ~vpopmail/domains/ directory to get all its information.

Well, what I meant is that having one binary that can do everything is easier than having to run several different commands each time to add or remove domains, and having to parse different output each time.

I personally might start on this, if I get the chance, as it would be a lot better than running Apache as the mail user when there are other websites on it.


If you do, please be sure to implement security within your program. On each page hit the PHP program needs to pass user-supplied credentials so you can verify the user. The vpopmail library does not do this security checking, so you have to. If the vpopmail library becomes directly available to anyone running as www:www, they can do ANYTHING to your mail accounts.

Yeah, that much I have figured out :P.


I would use HTTP auth, and then use the checkpasswd implementation in this long-running daemon to check whether it is correct or not. If it is not correct, we drop the connection; if this happens 3 times in a row, that user is disallowed from contacting the daemon again until they have waited 1 hour.


Rick
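The credential gate for the daemon sketched in this thread (check every request, three consecutive failures lock the user out for an hour), as an added example that is not code from the thread or from vpopmail. `verify` is a stand-in for the vpopmail checkpassword call, and the injectable `clock` is an assumption made only so the lockout can be exercised without waiting an hour:

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_CONSECUTIVE_FAILURES = 3   # three bad tries in a row ...
LOCKOUT_SECONDS = 60 * 60      # ... and the user waits one hour


@dataclass
class _UserState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class AuthGate:
    """Per-request authentication gate for a daemon running as the mail user.

    Apache stays as www:www and forwards the HTTP-auth credentials with every
    request; nothing touches vpopmail until this gate says the user is genuine.
    ``verify`` stands in for vpopmail's password check (assumption).
    """

    def __init__(self, verify: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.time) -> None:
        self._verify = verify
        self._clock = clock
        self._state: Dict[str, _UserState] = {}

    def authenticate(self, user: str, password: str) -> bool:
        """True only if the user is not locked out and the password is right."""
        now = self._clock()
        st = self._state.setdefault(user, _UserState())
        if now < st.locked_until:
            # Locked out: refuse without consulting the password checker at all,
            # so the hour cannot be used to keep probing the account.
            return False
        if self._verify(user, password):
            st.failures = 0            # a success resets the streak
            return True
        st.failures += 1               # caller drops the connection on False
        if st.failures >= MAX_CONSECUTIVE_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0            # the streak starts over after the lockout
        return False

    def locked_until(self, user: str) -> Optional[float]:
        """Epoch time the lockout ends, or None if the user is not locked out."""
        st = self._state.get(user)
        return st.locked_until if st and st.locked_until > self._clock() else None
```

In a real daemon the state would need to survive restarts (or the lockout is lost) and the socket the www:www side talks to should be owned by the mail user with a restrictive mode.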





