
07 October 2004

XMail No Root

As mentioned, XMail runs as root. The following steps make XMail run as a non-root uid/gid on a Unix-like host.

» Create group 'xmail' and user 'xmail'.

» Change the permissions of /var/MailRoot:

# chown root:xmail /var/MailRoot
# chmod 750 /var/MailRoot

» Change ownership of the following files and directories in /var/MailRoot to 'xmail:xmail'; for directories, the ownership changes apply recursively:

dnscache/
domains/
logs/
message.id
pop3locks/
spool/
tabindex/

» The file 'mailusers.tab' contains "encrypted" passwords; it must be readable by uid/gid 'xmail' although it can be owned by root, e.g.,

-rw-r-----   1 root   xmail     1118 Oct  5 08:17 mailusers.tab

» Since XMail no longer runs as root, it is unable to bind to ports 25 (smtp), 110 (pop3) and 79 (finger). The command line options for these ports are "-Sp", "-Pp" and "-Fp", respectively. XMail comes with a sample startup script: modify the XMAIL_CMD_LINE line in this file to incorporate these options, e.g.:

XMAIL_CMD_LINE="-Sp 50025 -Pp 50110 -Fp 50079"

Because the script is run by root, another modification further down that file is needed to add the requisite "su - xmail -c ..." command to start XMail as the uid 'xmail'.

» The final step is to add firewall rules to redirect traffic hitting the standard ports to the non-privileged ports that XMail is running on.
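
To check the result of the ownership and permission steps above, here is an audit function added as an example; it is not part of the original post or of XMail. The function name, its argument order and the FAIL output format are assumptions, while the expected owners and modes are the ones given in the steps.

```shell
#!/bin/sh
# Added example: audit a MailRoot tree against the layout described above.
# Usage: audit_mailroot DIR [SVC_USER] [SVC_GROUP] [TOP_OWNER]
# Defaults follow the post: xmail, xmail, root. Returns 0 if all checks pass.
audit_mailroot() {
    root=$1 user=${2:-xmail} group=${3:-xmail} top=${4:-root}
    bad=0

    # Top-level directory: TOP_OWNER:SVC_GROUP with mode exactly 750, so the
    # service account can traverse it but cannot create or rename entries.
    if [ -z "$(find "$root" -prune -user "$top" -group "$group" \
               -perm 750 2>/dev/null)" ]; then
        echo "FAIL $root: expected $top:$group, mode 750"; bad=1
    fi

    # Runtime state must belong to the service account, recursively.
    for entry in dnscache domains logs message.id pop3locks spool tabindex; do
        path=$root/$entry
        if [ ! -e "$path" ]; then
            echo "FAIL $path: missing"; bad=1; continue
        fi
        stray=$(find "$path" \( ! -user "$user" -o ! -group "$group" \) -print)
        if [ -n "$stray" ]; then
            echo "FAIL $path: entries not owned by $user:$group:"
            echo "$stray"; bad=1
        fi
    done

    # mailusers.tab holds password data: readable by the service group,
    # no access for others (the -rw-r----- listing in the post).
    tab=$root/mailusers.tab
    if [ -z "$(find "$tab" -prune -group "$group" -perm -040 \
               ! -perm -004 2>/dev/null)" ]; then
        echo "FAIL $tab: must be readable by group $group, not by others"
        bad=1
    fi

    return $bad
}
```

Run as root after the changes, e.g. `audit_mailroot /var/MailRoot`; any FAIL line names the path that still deviates from the layout.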


Posted by ngps at 23:21