Hi,

We have implemented the procmail security patch from Isaac Saldana's
site: http://www.ee.ucr.edu/~isaldana/procmail/secure.html , however, it had
one downside. The downside is that a rule containing ! email@here, aka:

    :0
    * some match rule here
    ! email@here

didn't work anymore for users not in /etc/procmailusers (as procmail needs to
exec /usr/sbin/sendmail, or whatever DEFsendmail is set to). Due to this
fact, I created a small patch to fix this, and allow e-mail forwarding via
procmail while still denying access to unwanted binaries and to unwanted
users.

There are two caveats. One is that a link to /usr/sbin/sendmail or
whatever DEFsendmail in procmail-3.22/config.h points to needs to be put in
your procmail allowed executables directory. The second (obvious) caveat is
that DEFsendmail *MUST* be defined and it must point towards a
sendmail-compatible binary (that will accept -oi). Both of these "caveats"
are non-issues, but needed.

The patch needs to be applied after the patch from Isaac Saldana; the direct
link to his patch is:
http://www.ee.ucr.edu/~isaldana/procmail/procmail-3.22-secpatch.diff

best,
--Ariel
--
Ariel Biener, CISO
Tel-Aviv University CIT div.
e-mail: ariel(_at_)aristo(_dot_)tau(_dot_)ac(_dot_)il phone: 03-6406086
PGP key: http://www.tau.ac.il/~ariel/pgp.html

Attachment: procmail-3.22-secpatch-fix.diff (Description: Text Data)