Robert,

> I checked the startup script in /etc/init.d/amavisd I'm using
> amavisd-new from rpmforge on Centos 5
> That invokes amavis as user 'amavis'
>
> If I just invoke amavisd as /usr/sbin/amavisd with $inet_socket_port = 25
> and daemon_user/daemon_group set = 'amavis' then it binds correctly
>
> I'll assume that setting daemon_user/daemon_group would do the right
> thing in terms of dropping privileges after binding.

Yes.

> Would this be considered equivalent to the startup script which does a
> daemon --user amavis /usr/sbin/amavisd -c /etc/amavisd.conf ?

Similar, but not exactly equivalent. The difference is the UID with which the config file is read and interpreted. If chrooting or low port numbers are not needed, it is safer to start amavisd through su or with an -u option, than letting a setting in amavisd.conf control the UID. If chrooting is required, one has no choice.

As Clifton noted, don't let amavisd be exposed 'to the wild'. Even though it is fully RFC 2821 compliant, it lacks protection mechanisms for such exposure, it lacks recipient validation, and one cannot afford to have as many child processes as incoming sessions would demand.

Mark
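An added illustration, not part of the original thread and not amavisd code: amavisd.conf is Perl that is interpreted under the UID amavisd is started with, so when the daemon starts as root and relies on daemon_user to drop privileges, the config file and every directory above it should be modifiable by root only. The function name `audit_config_path` and the trusted-UID default are assumptions made for this sketch.

```python
import os
import stat


def audit_config_path(path, trusted_uids=(0,)):
    """Return (path, problem) findings for a config file and each parent directory.

    Anything that can rewrite or replace the file gets its code interpreted
    with the daemon's starting UID, so every path component is checked.
    """
    findings = []
    current = os.path.realpath(path)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}, not a trusted owner"))
        writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        # In a sticky directory (e.g. /tmp) other users cannot rename or
        # delete entries they do not own, so it is not reported.
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if writable and not sticky_dir:
            mode = stat.S_IMODE(st.st_mode)
            findings.append((current, f"group- or world-writable (mode {mode:04o})"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Config path as given in the thread; adjust for the local install.
    cfg = "/etc/amavisd.conf"
    if os.path.exists(cfg):
        for where, problem in audit_config_path(cfg):
            print(f"{where}: {problem}")
```

An empty result means only the trusted UIDs can change what gets interpreted at startup.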
