At 06:28 PM 11/28/02 -0800, Sara "Pollita" Golemon wrote:
Qmail seems to trust everyone on the system by default. I did nothing special to allow 'nobody' rights to use sendmail -f to set the From: address. (Running Qmail's sendmail wrapper.)I'm a big -1 on this. The patch will not actually solve the root problem.On Unix systems, the MTA needs to know that the webserver user is 'trusted' to masquerade as another user. In exim this would be the 'trusted-users' directive, sendmail, qmail, and postfix have similar directives. I agree that the documentation could use some updating in this regard and would be happy to make that modification after I collect up some examples of the correct directives to use on common systems.
You might consider recommending a configuration setting like the following in each <VirtualHost> block on a multi-domain Apache server. This sends bounces and replies to the webmaster of the domain if no attempt is made to set the From: and Reply-to: headers when mail() is used.
<VirtualHost www.mydomain.com>
pph_admin_value sendmail_path "/usr/sbin/sendmail -t [EMAIL PROTECTED]"
I think sendmail requires the user to be a member of the 'trusted' group, but I yield to anyone who knows more about it.
Rick
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
