On Wed, 14 Sep 2005, Bryan Henderson wrote:

> I organized the email poorly. I mean the receiving process can
> inherit the socket (when the system starts up).

*The* socket? Note that Exim supports listening on multiple ports and
multiple interfaces (and also IPv6 and IPv4). In general, it uses a
number of sockets.

> I have a program called "socketexec" that simply binds a socket and
> then execs a named program with it as Standard Input.

Fine if you only want to use one socket.

> >Sorry, I can't follow that. What do you mean by "mail queue"? Exim has
> >its own queue which of course it must access. What am I missing?
>
> I could have chosen a better word. Mail spool, probably. E.g.
> /var/spool/mail/bryanh.

Aha! You mean what I call "the local mailboxes". I tend to think of
"the mail spool" as Exim's mail spool - i.e. its "queue" (which isn't
really a queue, of course).

> Run as a mail originator for locally bound mail (e.g. someone typing
> an "exim bryanh <mymessage" shell command), Exim usually wants to
> write to /var/spool/mail/bryanh (and probably some exim-owned files as
> well), and therefore wants to be setuid. But I'm claiming that it
> doesn't have to. It can instead make an SMTP connection to the local
> Exim daemon, which requires no privilege at all.

True, and it's trivial to configure it to do that:

  router:
    driver = accept
    check_local_user
    transport = transport

  transport:
    driver = smtp
    hosts = 127.0.0.1
    allow_localhost

But of course the configuration for the daemon must do something
different, to avoid looping forever.

As I say when I am running Exim courses, other MTAs have taken
different approaches to security issues as they have made a point of
developing alternative security scenarios as one of their "selling
points". I am not a security expert; I obviously wanted to write a
secure MTA, but I did not want to be experimenting with new security
approaches. That is why Exim operates more or less "traditionally",
though it does use only setuid() and not seteuid(), and it never runs as
root when receiving or delivering messages.
-- 
Philip Hazel            University of Cambridge Computing Service,
[EMAIL PROTECTED]       Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
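Added example (not part of the original message and not Exim source code): the setuid() versus seteuid() distinction mentioned above, shown as a permanent privilege drop that verifies root cannot be regained. The function names `root_is_gone` and `drop_privileges` and the 65534 IDs are assumptions made for illustration.

```c
/* Added example, not Exim source. Function names and the 65534 IDs
 * (a common "nobody" account) are assumptions for illustration. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes setgroups() and seteuid() */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if no root identity is left: real and effective UID are non-root and
 * neither setuid(0) nor seteuid(0) succeeds (so the saved UID is not 0). */
int root_is_gone(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    return setuid(0) != 0 && seteuid(0) != 0;
}

/* Permanent drop. Groups and GID go first, while the process still has the
 * privilege to change them; setuid() called as root then sets the real,
 * effective and saved UID together. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                        /* root is not a drop target */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return root_is_gone() ? 0 : -1;       /* verify, never assume */
}

int main(void)
{
    if (geteuid() == 0) {
        /* seteuid() changes only the effective UID; the saved UID stays 0,
         * so the same process can switch straight back to root. */
        if (seteuid(65534) == 0)
            printf("after seteuid(65534): seteuid(0) %s\n",
                   seteuid(0) == 0 ? "succeeds" : "fails");
        if (drop_privileges(65534, 65534) != 0)
            return 1;
    } else if (drop_privileges(getuid(), getgid()) != 0) {
        return 1;
    }
    puts(root_is_gone() ? "after setuid(): root is gone" : "root reachable");
    return 0;
}
```

Run as root, the first line of output shows that a seteuid()-only drop is reversible; run as an ordinary user, only the final check is exercised.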
