sendmail.net: Securing Sendmail on Four Types of Systems

“Depending on where you are and what you’re doing there,
security can mean very different things. This second article in
our series on sendmail and security, based on the tutorial given by
Eric Allman and Greg Shapiro at the recent USENIX conference in San
Diego, looks at what you can do to secure sendmail on four types of
systems: systems with user login access, systems with user accounts
but no shell access, POP/IMAP mail servers, and
firewalls.

“When it comes to security, systems with general user accounts
have some inherent limitations. First, things have to be in their
expected locations so users (and user programs) can find them.
Second, RunAsUser won’t cut it: sendmail has to run as root to
assume individual users’ identities when reading and writing files
or executing programs on their behalf. For instance, if a user
forwards something to the vacation program, vacation has to run as
that user to access and update files in that user’s home
directory.”

“You can still have a tight security policy, but this kind of
system imposes some distinct limits. So what can you actually do?
Here’s a checklist:….”
