[Mailman-Users] mailman and courier
fmouse-mailman at fmp.com
fmouse-mailman at fmp.com
Fri Jul 2 02:31:51 CEST 2004
Thus spake Richard Barrett on Thu, Jul 01, 2004 at 06:01:50PM CDT
> On 1 Jul 2004, at 22:08, fmouse-mailman at fmp.com wrote:
> >I solved this by hacking src/common.c so as to only compare the procces
> >group name with parentgroup if strcmp("mailman", mygroup->gr_name)
> >returns non-zero. This solves the problem, but surely there must be a
> >more elegant solution.
> I do not grok courier but why on earth is the delivery of a message to
> one list alias versus a message to another list alias done in some
> different way by the MTA such that the euid/egid under which Mailman's
> delivery script is executed is different? It seems to be this which is
> causing the problem rather than some deficiency in Mailman's security
> wrapper for its delivery script.
Courier delivers, by default, to Maildir structures in a user's filespace
and the MDA process sets it's user/group to match the user/group of the
delivery target. Lists are set up as virtual mail aliases. In this case,
courier runs as the user/group of the virtual mail user (vmail:courier), as
determined by the authentication database (or /etc/passwd) which belongs to
the 'courier' group. When bounces come back to 'mailman-anything...' the
MDA runs as the user/group of the mailman user. Mailman belongs to the
'mailman' group and isn't a virtual user but a real user. You have to
understand how courier works, but it's entirely logical.
According to Sam Varshavchik, the principle developer of courier, the
user/group of the delivery process should be determined by the MySQL
authentication database, however it looks as if it's being determined by
the uid/gid set in /etc/passwd instead. I'm going to approach the problem
from that angle and see if I can figure out what's happening and maybe get
courier to set the delivery gid independent of the mailman user gid.
> >>According to the mailman INSTALL document, one can configure mailman at
> >>build time to accept any one
> Yes one is selected at configuration time from the options your provide
> and then that one is baked into the security wrapper you have hacked.
> It is not a list of option for execution time of the wrapper.
OK, I misunderstood the INSTALL doc, and what you say matches the code.
Thanks for the clarification.
The hack I did works, although it's not elegant, and since apparently I need
to solve the problem from the point of view of the MTA/MDA rather than
mailman, I'll let it stand until figure out what's going on. I have lots of
people depending on the list server. Opening up security so that it accepts
mail from group 'mailman' as well as group 'courier' won't get me
fire-bombed by the Bad Guys (not yet, anway :-)
Lindsay Haisley | "Everything works | PGP public key
FMP Computer Services | if you let it" | available at
512-259-1190 | (The Roadie) | <http://www.fmp.com/pubkeys>
http://www.fmp.com | |
More information about the Mailman-Users