At 14:22 2005-04-25 +0000, Andy wrote:
> I'd like to use sendmail -bv like this
>
> :0
> * ? $SENDMAIL -bv $WHOTO
Sort of like:

# if the From: address claims to be from a user or the local system,
# check sendmail to see if the user parses as valid.
# This is intended to catch random username forgeries.
# Assumes FROM_DOMAIN and CLEANFROM (the From: address, already extracted),
# SENDMAIL, SPAMMISHNESS, SPAMNOTES and NL (a newline) are set earlier in the rcfile.
:0
* FROM_DOMAIN ?? ^((host|anotherhost)\.)?domain\.tld$
{
  # capture sendmail's -bv output rather than its exit code;
  # quote the address so the shell doesn't word-split it
  VALIDRESULT=`$SENDMAIL -bv "$CLEANFROM"`

  :0
  * ! VALIDRESULT ?? deliverable:
  {
    SPAMVAL="+180"
    SPAMMISHNESS="${SPAMMISHNESS}${SPAMVAL}"
    SPAMNOTES="${SPAMNOTES}SPAM: ${SPAMVAL} spoofed local user $CLEANFROM${NL}"
  }
}
Note that I'm not using the exitcode, but rather assigning the output of
the sendmail invocation to a variable and then checking to see if that
variable contains a key string. Yes, when running as a non-privileged
user, I get the same warning at the top of the output. It isn't of
consequence here.
"Notice: -bv may give misleading output for non-privileged user
can not chdir(/var/spool/mqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser."
That /var/spool/mqueue/ bit is disconcerting. You should verify ownership,
perms and whatnot in your configuration (that is a sendmail matter - try
following up on comp.mail.sendmail). To perform a -bv, the MTA doesn't
need to access the mqueue.
> I remember in the old days writing a little C prog
> that acted as a wrapper and did stuff like this
> (but my memory may be failing).
Yeah, see the "sticky bit" in chmod. You can have a script which is flagged
to run as the UID of its owner, and set the owner to root. The script then
can invoke sendmail, and sendmail will be run as root. Doesn't even have
to be a C program, though there are efficiencies involved.
Note that if this is the case, you'd want to check the arguments input to
the script to ensure that you're not being passed something which might be
interpreted as a shell command such as "root;rm -rf /", which, if you're
invoking the sendmail program using a shell, rather than exec'ing it
directly, could do some heinous things.
I presume the user is changing the $WHOTO in their script? Sendmail
shouldn't be delivering to procmail (as LDA) unless the recipient is valid
to begin with...
---
Sean B. Straw / Professional Software Engineering
Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
Please DO NOT carbon me on list replies. I'll get my copy from the list.
____________________________________________________________
procmail mailing list Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
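The privileged wrapper discussed above (check the argument, then exec sendmail -bv directly rather than through a shell), written out as an added example; this is not code from the thread or from procmail/sendmail. SENDMAIL_PATH, the character allowlist and the PATH value are assumptions to adjust for your system.

```c
/* bvwrap.c: minimal privileged wrapper around "sendmail -bv ADDRESS".
 * Added example, not from the original post. Assumes sendmail lives at
 * SENDMAIL_PATH. Install setuid root (chown root; chmod 4755) only if the
 * -bv lookup on your box really needs it.
 */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SENDMAIL_PATH "/usr/sbin/sendmail"  /* assumption: adjust for your box */
#define MAX_ADDR 254

/* Allowlist, deliberately narrower than RFC 5321: enough for ordinary
 * user@host.domain.tld addresses, nothing a shell or sendmail's option
 * parser could misread (no ';', '|', '`', '$', quotes, spaces, ...). */
static int local_char(int c)
{
    return isalnum(c) || c == '.' || c == '_' || c == '-' || c == '+';
}
static int domain_char(int c)
{
    return isalnum(c) || c == '.' || c == '-';
}

/* One dotted component: non-empty labels, no label starting or ending
 * with '-', no leading/trailing/doubled '.', only characters ok() accepts.
 * Rejecting a leading '-' also keeps "-C/evil.cf" from reaching sendmail
 * as an option. */
static int valid_dotted(const char *s, size_t n, int (*ok)(int))
{
    size_t label = 0;
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!ok(c)) return 0;
        if (c == '.') {
            if (label == 0) return 0;       /* leading '.' or ".." */
            if (s[i - 1] == '-') return 0;  /* label ending in '-' */
            label = 0;
        } else {
            if (label == 0 && c == '-') return 0;  /* label starting with '-' */
            label++;
        }
    }
    return label > 0 && s[n - 1] != '-';    /* no trailing '.' or '-' */
}

/* Returns 1 if addr is safe to hand to sendmail -bv as a single argv
 * element, 0 otherwise. A bare local user ("root") is allowed; at most
 * one '@'; total length capped. */
int valid_address(const char *addr)
{
    size_t len = strlen(addr);
    const char *at;
    if (len == 0 || len > MAX_ADDR) return 0;
    at = strchr(addr, '@');
    if (at == NULL)
        return valid_dotted(addr, len, local_char);
    if (strchr(at + 1, '@') != NULL) return 0;
    return valid_dotted(addr, (size_t)(at - addr), local_char)
        && valid_dotted(at + 1, len - (size_t)(at - addr) - 1, domain_char);
}

/* Fills argv for execve(): fixed program name and option, the address as
 * exactly one argument. No shell is involved, so "root;rm -rf /" could at
 * worst reach sendmail as a weird address, and valid_address() refuses it
 * before that. Returns the argument count, or 0 if the address is refused. */
int build_bv_argv(const char *addr, const char **argv, size_t n)
{
    if (n < 4 || !valid_address(addr)) return 0;
    argv[0] = "sendmail";
    argv[1] = "-bv";
    argv[2] = addr;
    argv[3] = NULL;
    return 3;
}

int main(int argc, char **argv)
{
    const char *bv[4];
    /* Do not pass the caller's environment into a privileged sendmail:
     * hand it a fixed, minimal one instead. */
    char *const env[] = { "PATH=/usr/bin:/bin", NULL };

    if (argc != 2 || build_bv_argv(argv[1], bv, 4) == 0) {
        fprintf(stderr, "usage: bvwrap ADDRESS (address missing or rejected)\n");
        return 64;  /* EX_USAGE */
    }
    execve(SENDMAIL_PATH, (char *const *)bv, env);
    perror(SENDMAIL_PATH);  /* only reached if the exec itself fails */
    return 1;
}
```

From procmail the call becomes VALIDRESULT=`/usr/local/bin/bvwrap "$CLEANFROM"` (path assumed), so the only privileged thing the rcfile can reach is this fixed sendmail -bv invocation. Doing the wrapper in C rather than as a setuid script also sidesteps the fact that Linux and most current kernels ignore the setuid bit on interpreted scripts.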