Why not just change sendmail?
Authored by: saint.duo on May 05, '02 07:07:52PM
In the book "Mac OS X Unleashed", the author talks about having a group writable directory (as OS X does) and sendmail not liking it. His fix (and to me, this is more elegant, as updates and such don't break it) is to change the line:
#O DontBlameSendmail=safe
to
O DontBlameSendmail=GroupWritableDirPathSafe
in the /etc/mail/sendmail.cf file.

Why not just change sendmail?
Authored by: maclaw on May 05, '02 07:16:41PM

There is a legitimate security reason why sendmail does not like group writable directories. You are basically just telling sendmail to ignore its better judgment by using that alteration.

As a general rule, it's probably bad to invoke any option in a program where the actual name of the option itself involves the words DontBlameProgramName, or something to that effect. Could there be a stronger suggestion that this is not an advisable option to be invoking?



Re: Why not just change sendmail?
Authored by: saint.duo on May 05, '02 08:08:30PM

As an exercise in curiosity (and me wanting to learn more), what is the security flaw that is opened up when changing this value in sendmail?
If the sendmail server is configured to only allow certain clients (IPs) relay permissions, and require others to authenticate to use it if they're not in the IP list, what can happen?
If you wish to email me off list to discuss this, feel free to.



Re: Why not just change sendmail?
Authored by: vonleigh on May 05, '02 08:46:11PM

Hello,

Have you really gotten authentication installed under OS X? I was looking through the web to see what was involved in getting SMTP authentication and it's not a trivial task.

First you need to compile sendmail from source; to do this you also need to have a user "smmsp" created. Then you need to get a site.config.m4 (which I have no idea how to create or modify for my needs). Update the config files, add some cronjobs. After all this you have to figure out how the heck to compile Cyrus SASL (which seems to need some compile tweaks to work, hopefully someone on fink will get it working).

So if you did get smtp-auth to work, how about a friendly tutorial ;)


Vonleigh



Re: Why not just change sendmail?
Authored by: saint.duo on May 05, '02 09:11:22PM
Heh, I wish I could get authentication working. That would save me a few headaches. I just know that it is possible. Right now, I'm using IP addresses to restrict usage.

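An added example, not part of any post in this thread: before relaxing DontBlameSendmail, an administrator can see which directories on the path to /etc/mail/sendmail.cf are actually group- or world-writable. The function name `unsafe_dirs` is hypothetical, and the check looks only at directory mode bits, which is an assumption about what matters here and not a copy of sendmail's own file safety checks.

```shell
#!/bin/sh
# Added example (not from the thread): list group- or world-writable
# directories on the path to a file. unsafe_dirs is a hypothetical name.
#
# Usage: sh check_path.sh /etc/mail/sendmail.cf
# Return codes: 0 = none found, 1 = at least one found, 2 = path not found.

unsafe_dirs() {
    target=$1
    found=0
    # Resolve symlinks so the real directories are checked
    # (on Mac OS X, /etc is a symlink to /private/etc).
    dir=$(cd "$(dirname "$target")" 2>/dev/null && pwd -P) || return 2
    while :; do
        # The first ten characters of ls -ld are the type and mode bits,
        # e.g. drwxrwxr-x. Character 6 is group write, 9 is other write.
        mode=$(ls -ld "$dir" | cut -c1-10)
        g=$(printf '%s' "$mode" | cut -c6)
        o=$(printf '%s' "$mode" | cut -c9)
        if [ "$g" = "w" ] || [ "$o" = "w" ]; then
            printf '%s %s\n' "$mode" "$dir"
            found=1
        fi
        if [ "$dir" = "/" ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return "$found"
}

# Run as a script only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    unsafe_dirs "$1"
fi
```

Each directory it prints is one where any member of the owning group (or any user, for world-writable) can rename or replace entries, including the directory that holds the configuration file; removing the group write bit on those directories addresses the warning without changing sendmail.cf.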