Mike Cardwell wrote:

> * on the Tue, Feb 21, 2006 at 04:27:04AM +0800, W B Hacker wrote:
>
> > I understand the solution, but I was puzzled by your OP as to
> > why you wanted to do this at all (w/r Exim's EUID) - and am
> > still puzzled.
> >
> > Just as background, in my own installations Exim, SA, ClamAV,
> > Dovecot IMAP/POP, and the Webmail daemon each run at all times
> > as their own UID.
> >
> > The end user's ID is not only not used - they don't even *have*
> > one. Even 'postmaster' has to have an entry in the SQL DB.
> >
> > Which is perhaps as diametrically opposite to your approach as
> > it gets - where you run the daemon with no default UID, I handle the users with no UID.
> >
> > Neither criticizing nor advocating either method, as mine is as
> > non-standard as yours is.
> >
> > But hope you can see why I am (still) curious...
> >
> > Care to enlighten?
>
> The environment this is running in sounds very different to yours.
> The machines are actually web servers, not mail servers. Exim
> isn't even running as a daemon. The only reason exim is on there
> is so people can send emails from forms. UIDs on the system are
> mapped to usernames via an ldap connection to the Active
> Directory. When someone runs their (hopefully safe) copy of
> formmail.cgi etc they run under a suexec style system so the
> process runs as their own user. At the normal user level they
> don't have access to query the AD. Is this starting to look more
> clear?
>
> Mike


I now understand how. I think I understand what for.

'Why Exim' for mere submission of outbound traffic to a foreign host, and only from a 'known in advance' list/DB of permitted users, still escapes me. If that is actually the 'what'.

Unless Exim is *also* (but separately) installed to handle other-than formmail traffic, the whole exercise strikes me as a bit like potting rabbits with a 16-inch-fifty. Even with free ammunition, the cost of positioning and aiming the piece is too great for the gain.

One could use a <language of your choice> tool and no 'full spec' MTA at all. Or do specialized relay through a single remote Exim you control for many-many webservers.

Or (my preference) no mail services of any kind on the box, write the form output to a quarantined file area, and collect them if-exist and/or at-intervals by file transfer. Or interested parties login and read/download them via browser, wiki/forum style.

Keeps 'em off the public smtp roads entirely.

YMMV,

Bill
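As an added illustration of the "no mail services on the box" approach Bill describes (write form output to a quarantined file area and collect it separately), the following is example code written for this page, not code from the thread, from Exim, or from any formmail script. The field allow-list, size caps, spool path, JSON record layout and the sample submissions are all assumptions made for the example. The point it demonstrates: the web-facing handler only ever appends an inert record to a locked-down spool directory, so there is no MTA to abuse and no header-injection surface, and a collector on the trusted side reads completed records without ever racing a half-written one.

```python
"""Added example (not from the exim-users thread): a form-submission handler
that spools each submission to a quarantined directory instead of handing it
to an MTA, plus the collector that reads the spool.

All names, limits and paths below are hypothetical choices for this example.
"""
import json
import os
import secrets
import tempfile
import time

MAX_FIELD_LEN = 4096                                      # hypothetical per-field cap
MAX_FIELDS = 20                                           # hypothetical cap on field count
ALLOWED_FIELDS = {"name", "email", "subject", "message"}  # hypothetical allow-list


def validate_submission(fields):
    """Return a cleaned dict or raise ValueError.

    No email is ever built, so there is no header-injection surface, but
    unexpected or oversized fields are still rejected so the spool cannot be
    turned into a dumping ground for arbitrary data.
    """
    if not isinstance(fields, dict):
        raise ValueError("submission must be a mapping")
    if len(fields) > MAX_FIELDS:
        raise ValueError("too many fields")
    clean = {}
    for key, value in fields.items():
        if key not in ALLOWED_FIELDS:
            raise ValueError(f"unexpected field: {key!r}")
        if not isinstance(value, str):
            raise ValueError(f"field {key!r} is not a string")
        if len(value) > MAX_FIELD_LEN:
            raise ValueError(f"field {key!r} too long")
        # Drop control characters other than newline/tab so the record stays printable.
        clean[key] = "".join(ch for ch in value if ch in "\n\t" or ch.isprintable())
    return clean


def spool_submission(fields, spool_dir, remote_addr="unknown"):
    """Validate one submission and write it atomically into spool_dir.

    The record is written to a mode-0600 temp file and then renamed into
    place, so a collector never observes a partially written file.
    Returns the final path.
    """
    clean = validate_submission(fields)
    record = {
        "received": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "remote_addr": remote_addr,
        "fields": clean,
    }
    os.makedirs(spool_dir, mode=0o700, exist_ok=True)
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=spool_dir)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(record, fh, ensure_ascii=True)
            fh.write("\n")
        os.chmod(tmp_path, 0o600)
        final_path = os.path.join(
            spool_dir, f"{int(time.time())}-{secrets.token_hex(8)}.json")
        os.replace(tmp_path, final_path)
    except BaseException:
        os.unlink(tmp_path)
        raise
    return final_path


def collect_submissions(spool_dir):
    """Collector side: read every completed record in spool_dir, oldest first."""
    records = []
    for name in sorted(os.listdir(spool_dir)):
        if name.startswith(".tmp-") or not name.endswith(".json"):
            continue  # skip in-progress temp files and anything unexpected
        with open(os.path.join(spool_dir, name), encoding="utf-8") as fh:
            records.append(json.load(fh))
    return records


if __name__ == "__main__":
    # Constructed sample input: one valid submission and one smuggling an extra field.
    demo_dir = tempfile.mkdtemp(prefix="formspool-")
    spool_submission({"name": "Ann", "message": "Hello\nthere"}, demo_dir, "192.0.2.10")
    try:
        spool_submission({"name": "Bob", "bcc": "someone@example.net"}, demo_dir)
    except ValueError as exc:
        print("rejected:", exc)
    for rec in collect_submissions(demo_dir):
        print(rec["received"], rec["remote_addr"], rec["fields"])
```

The spool directory is created 0700 and each record 0600, so on a suexec-style host the handler's user can append records while only the collector identity (whatever fetches them by file transfer or serves them through a browser, as Bill suggests) needs read access; the temp-then-rename pattern is what lets the collector run at intervals without coordinating with the handler.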



--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/