From: Mike Cardwell
Date:
To: exim-users
Subject: Re: [exim] Running exim as a user with no username
* on the Tue, Feb 21, 2006 at 12:06:52PM +0800, W B Hacker wrote:
>> The environment this is running in sounds very different to yours.
>> The machines are actually web servers, not mail servers. Exim
>> isn't even running as a daemon. The only reason exim is on there
>> is so people can send emails from forms. UIDs on the system are
>> mapped to usernames via an ldap connection to the Active
>> Directory. When someone runs their (hopefully safe) copy of
>> formmail.cgi etc they run under a suexec style system so the
>> process runs as their own user. At the normal user level they
>> don't have access to query the AD. Is this starting to look more
>> clear?
> I now understand how. I think I understand what for.
>
> 'Why Exim' for mere submission of outbound traffic to a foreign
> host, and only from a 'known in advance' list/DB of permitted
> users, still escapes me. If that is actually the 'what'.
>
> Unless Exim is *also* (but separately) installed to handle
> other-than formmail traffic, the whole exercise strikes me as a
> bit like potting rabbits with a 16-inch-fifty. Even with free
> ammunition, the cost of positioning and aiming the piece is too
> great for the gain.
>
> One could use a <language of your choice> tool and no 'full
> spec' MTA at all. Or do specialized relay through a single
> remote Exim you control for many-many webservers.
People commonly call /usr/sbin/sendmail from their scripts. The
plan for the entire exercise was to do a "yum install exim" and
leave them to it. That's not a lot of work. There was one problem.
That being exim refused to send the mail because it couldn't figure
out the username. So I had a look for workarounds that wouldn't
mean exposing the AD to normal users. Couldn't find one, so emailed
the exim mailing list. After some more googling, I found the answer
myself. I've probably devoted more time to signing up to the list,
emailing it and justifying the method, than I actually spent
finding the solution, so it's not overkill at all.
By the way Exim on the webheads does immediately shunt the mail to a
smarthost already.
If there is a more lightweight tool than exim that is faster to install,
will take mail from the command line using the same arguments as
sendmail and will forward all mail on to a smarthost, please let me
know and I'll use that instead.
> Or (my preference) no mail services of any kind on the box,
> write the form output to a quarantined file area, and collect
> them if-exist and/or at-intervals by file transfer. Or
> interested parties login and read/download them via browser,
> wiki/forum style.
> Keeps 'em off the public smtp roads entirely.
Most form-to-mail style scripts take advantage of /usr/sbin/sendmail.
We would need to support that. We could always have written a script
which takes mail from there and then puts it in a quarantined area
and then sends it later, but there's no advantage to that.
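The setup described in this thread (a web host whose only mail job is to accept /usr/sbin/sendmail submissions from suexec'd CGI users and hand everything to a smarthost, while the box cannot resolve every uid to a login name) can be expressed as a small Exim main configuration. The fragment below is an added illustration, not the configuration from the post or from the exim project; the smarthost name, the domain list and the choice of `unknown_login` as the workaround are assumptions (Mike does not say which fix he used). `unknown_login` and `unknown_username` are Exim's documented main-section options for callers whose uid has no getpwuid() entry.

```exim
# Added example configuration (assumed values, not the poster's config).
# Host is a web server: no listening daemon, every message is relayed to a
# smarthost, so only local submission via /usr/sbin/sendmail is accepted.

# Domains this host considers its own (assumed: none, everything is relayed).
domainlist local_domains = @ : localhost

# Exim normally refuses a submission when getpwuid() cannot resolve the
# calling uid (here: uids only known to the AD that unprivileged users may
# not query). Instead of opening the directory to every suexec'd user,
# synthesise a login name from the numeric uid. $caller_uid is expanded
# at runtime, so each web user still gets a distinct, auditable sender.
unknown_login    = user$caller_uid
unknown_username = Unknown web user $caller_uid

# Keep sender-address forgery out: only these users may override the
# envelope sender with -f. Web users are deliberately not listed.
trusted_users = root

# No local delivery at all: anything not for a local domain goes to the
# smarthost (assumed hostname), and local-domain mail is simply refused.
begin routers

smarthost:
  driver     = manualroute
  domains    = ! +local_domains
  transport  = remote_smtp
  route_list = * smarthost.example.internal
  no_more

begin transports

remote_smtp:
  driver = smtp
  # Assumed: the smarthost restricts relaying to this web server's address;
  # if it requires authentication, add the authenticators and hosts_require_auth.
```

Two points a reviewer would check on such a host: the `unknown_login` value must be something the smarthost and mail logs can attribute back to a uid (hence `user$caller_uid` rather than a fixed name), and `trusted_users` should stay minimal so a compromised form script cannot set an arbitrary envelope sender. Because no `begin acl` section or listening ports are defined, the box never accepts SMTP from the network, which is the same posture Mike describes.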