Re: [AMaViS-user] amavisd-new not binding to inet_socket_port < 1024

> -----Original Message-----
> From: Robert Gomezi [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 31, 2007 7:55 AM
> To: Michael Scheidell
> Cc: AMaViS-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] amavisd-new not binding to inet_socket_port < 1024
>
> Michael, Thanks for cluebatting me.
>
> If I just invoke amavisd as /usr/sbin/amavisd with $inet_socket_port = 25
> and daemon_user/daemon_group set = 'amavis' then it binds correctly

Not that I am suggesting that isn't a good idea.. It isn't. You need to
make your MTA do most of the work, not amavis/sa.

Other than that, I don't know when centos or the script changes ownership
as I do all my work on FreeBSD (and haven't ever wanted to have amavis
listen on port 25)

Sounds like you are on the right track, just poke around and maybe you can
get it to do what you want it to do (or leave it as owner root)

--
Michael Scheidell, CTO

Re: [AMaViS-user] amavisd-new not binding to inet_socket_port < 1024

Michael, Thanks for cluebatting me.

I checked the startup script in /etc/init.d/amavisd
I'm using amavisd-new from rpmforge on Centos 5
That invokes amavis as user 'amavis'

If I just invoke amavisd as /usr/sbin/amavisd with $inet_socket_port = 25
and daemon_user/daemon_group set = 'amavis' then it binds correctly

I'll assume that setting daemon_user/daemon_group would do the right thing
in terms of dropping privileges after binding.

Would this be considered equivalent to the startup script which does a

    daemon --user amavis /usr/sbin/amavisd -c /etc/amavisd.conf

?

On 10/31/07, Michael Scheidell [EMAIL PROTECTED] wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Gomezi
> > Sent: Wednesday, October 31, 2007 6:34 AM
> > To: AMaViS-user@lists.sourceforge.net
> > Subject: [AMaViS-user] amavisd-new not binding to inet_socket_port < 1024
> >
> > Hi,
> >
> > I want to run amavisd-new on low ports (ports < 1024), however when I
> > set $inet_socket_port to values lower than 1024 it won't start up
> >
> > am I missing something obvious or is this by design ?
>
> Have you looked at the errors? Run in debug mode? Run from cli first?
>
> Also, if amavis changes to non root user before binding to those ports,
> most security settings on most operating systems would prevent non root
> users from binding to ports < 1024.
>
> There may be some sysctls that would change that, but that is beyond the
> scope of this mailing list.
>
> --
> Michael Scheidell, CTO

Re: [AMaViS-user] amavisd-new not binding to inet_socket_port < 1024

On Wed, Oct 31, 2007 at 07:54:35PM +0800, Robert Gomezi wrote:
> Michael, Thanks for cluebatting me.
>
> I checked the startup script in /etc/init.d/amavisd
> I'm using amavisd-new from rpmforge on Centos 5
> That invokes amavis as user 'amavis'
>
> If I just invoke amavisd as /usr/sbin/amavisd with $inet_socket_port = 25
> and daemon_user/daemon_group set = 'amavis' then it binds correctly

Do you *really* want to run amavisd as the MTA interface visible to the
world? Marc discourages that; it's designed to run behind an MTA such as
Postfix.

(If the goal is only to expose it internally to your other mailservers,
you can run it on any port you like and tell them where to find it.)

  -- Clifton

--
Clifton Royston
President - I and I Computing * http://www.iandicomputing.com/

Re: [AMaViS-user] amavisd-new not binding to inet_socket_port < 1024

On Wed, Oct 31, 2007 at 10:53:36AM -1000, Clifton Royston wrote:
> On Wed, Oct 31, 2007 at 07:54:35PM +0800, Robert Gomezi wrote:
> > Michael, Thanks for cluebatting me.
> >
> > I checked the startup script in /etc/init.d/amavisd
> > I'm using amavisd-new from rpmforge on Centos 5
> > That invokes amavis as user 'amavis'
> >
> > If I just invoke amavisd as /usr/sbin/amavisd with $inet_socket_port = 25
> > and daemon_user/daemon_group set = 'amavis' then it binds correctly
>
> Do you *really* want to run amavisd as the MTA interface visible to the
> world? Marc discourages that; it's designed to run behind an MTA

Mark, sorry. Slip of the brain.

  -- Clifton

--
Clifton Royston
President - I and I Computing * http://www.iandicomputing.com/

Re: [AMaViS-user] amavisd-new not binding to inet_socket_port < 1024

Robert,

> I checked the startup script in /etc/init.d/amavisd
> I'm using amavisd-new from rpmforge on Centos 5
> That invokes amavis as user 'amavis'
>
> If I just invoke amavisd as /usr/sbin/amavisd with $inet_socket_port = 25
> and daemon_user/daemon_group set = 'amavis' then it binds correctly
>
> I'll assume that setting daemon_user/daemon_group would do the right thing
> in terms of dropping privileges after binding.

Yes.

> Would this be considered equivalent to the startup script which does a
> daemon --user amavis /usr/sbin/amavisd -c /etc/amavisd.conf ?

Similar, but not exactly equivalent. The difference is the UID with which
the config file is read and interpreted. If chrooting or low port numbers
are not needed, it is safer to start amavisd through su or with an -u
option, then letting a setting in amavisd.conf control the UID. If
chrooting is required, one has no choice.

As Clifton noted, don't let amavisd be exposed 'to the wild'. Even though
it is fully RFC 2821 compliant, it lacks protection mechanisms for such
exposure, it lacks recipient validation, and one can not afford to have as
many child processes as incoming sessions would demand.

  Mark
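
A check that follows from the advice in this thread, as an added example that is not part of any of the posts: it reads `ss -H -ltnp` output and reports amavisd listeners bound outside loopback or to a port below 1024. The function names, the `amavi` process-name match and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag amavisd listeners that are reachable beyond loopback
# or that sit on a privileged port (< 1024), which by default only root can bind.
# Input: output of `ss -H -ltnp` on stdin (run as root so the process column is filled).
# Assumption: the process column contains "amavi" ("amavisd" or "/usr/sbin/amavi").

audit_amavisd_listeners() {
    awk '
        # Only listening sockets whose owning process looks like amavisd.
        $1 == "LISTEN" && /amavi/ {
            local_ep = $4
            # Port is everything after the last colon; this also handles [::1]:10024.
            n = split(local_ep, parts, ":")
            port = parts[n] + 0
            addr = substr(local_ep, 1, length(local_ep) - length(parts[n]) - 1)

            loopback = (addr ~ /^127\./ || addr == "[::1]")
            if (!loopback)   print "non-loopback " local_ep
            if (port < 1024) print "privileged-port " local_ep
        }
    '
}

# Constructed sample input, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:10024 0.0.0.0:* users:(("/usr/sbin/amavi",pid=812,fd=5))
LISTEN 0 128 [::1]:10024 [::]:* users:(("/usr/sbin/amavi",pid=812,fd=6))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=900,fd=13))
LISTEN 0 128 0.0.0.0:25 0.0.0.0:* users:(("amavisd",pid=4411,fd=5))
LISTEN 0 128 192.0.2.10:10024 0.0.0.0:* users:(("amavisd",pid=4412,fd=5))
EOF
}

# On a live host: ss -H -ltnp | audit_amavisd_listeners
sample_ss_output | audit_amavisd_listeners
```

A non-loopback listener is not automatically wrong (the thread allows exposing amavisd to internal mail servers), so treat that line as a prompt to confirm that a firewall or access list restricts who can connect.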