Newsgroups: comp.mail.sendmail
Path: utzoo!utgpu!jarvis.csri.toronto.edu!neat.ai.toronto.edu!rayan
From: rayan@ai.toronto.edu (Rayan Zachariassen)
Subject: Re: Non-root sendmail? (general comments on recent topics)
Message-ID: <88Nov13.134506est.6360@neat.ai.toronto.edu>
Organization: Department of Computer Science, University of Toronto
References: <756@hudson.acc.virginia.edu> <7902@bloom-beacon.MIT.EDU>
Date: Sun, 13 Nov 88 17:04:58 EST

Sendmail refuses to talk to itself in the (mistaken) belief that doing so is
necessarily a symptom of an imminent infinite loop.  It wants to be nice
and save your behind.

Sendmail needs root permissions so that:

1. it can read random user's .forward files
2. it can create [qdlx]f* files in a particular "secure" directory
3. it can execute "mailers" which require root permissions to do their work
4. it can read /dev/kmem to grab load averages, used to decide when to run

Every one of these points can be compromised, but you won't end up with a
normal sendmail.  It is hard to make a mailer run non-root unless you
use a different model of the environment (e.g. "protected ~/.forward files will
be ignored", or use a completely different scheme with the same functionality).

# why is it that when sendmail invokes a pipe to a program, if it can resolve
# the sender of the mail message to a local user, it runs the program as that
# user?

Because it is cheap security in the normal case (Sendmail always has to
route the sender address anyway, in order to verify From: and Sender:
headers), and someone overlooked the interaction of this mechanism with SMTP.

There have been two efforts going on to get rid of Sendmail, neither is
yet widely/publicly available (so don't ask unless you want to put some
work in):

Smail 3.x:	This is sort of "Sendmail without the rulesets", or as one
		of the authors put it "A 100% solution for 90% of the sites,
		a 90% solution for 9% of the sites, a 9% solution for 1%
		of the sites, etc.".  From what I've seen, this will be
		a good product.  Its configuration feels MMDF-like to someone
		who hasn't used MMDF (me); although apart from that it
		isn't like MMDF at all.

ZMailer:	This is my solution to the Sendmail problem; it is intended
		to be "A 100% solution for 100% of the sites".  That doesn't
		imply complexity, on the contrary.  At UofT, the version running
		on internal servers and the one running on a gateway differ
		only in their databases; the configuration file is identical.
		The configuration file has a different feel than anything
		else I know (superficially reminiscent of Upas I suppose),
		it is a /bin/sh-superset language.

MMDF is an alternative to Sendmail if you have predictable address
manipulation needs.

SliME and Upas are other solutions to the mail problem, perhaps some
sweet guy can be coaxed to comment on them?

Also, quoting one of the Smail3.x authors, "The complexity of sendmail.cf
is highly overrated"... it is.  Sendmail has problems in its basic design
that make it unsuitable (i.e. it isn't flexible enough) for real situations.
For a while though, it was the only game in town for our purposes.

rayan

Sendmail's old hat! ZMailer's where it's at!
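An added illustration of the "run the pipe as the resolved sender" mechanism the post describes and of why its interaction with SMTP matters; this is constructed code, not sendmail's own, and the passwd table, the `nobody` fallback account and the `Delivery` fields are assumptions.

```python
import os
from dataclasses import dataclass

# Constructed stand-in for the local passwd file: name -> (uid, gid).
PASSWD = {"root": (0, 0), "alice": (1001, 100), "bob": (1002, 100)}
# Assumed unprivileged fallback identity for deliveries that earn no trust.
NOBODY = ("nobody", 65534, 65534)

@dataclass
class Delivery:
    envelope_sender: str  # "alice", or "someone@remote.example"
    via_smtp: bool        # False: handed in by a local process; True: arrived over SMTP
    recipient: str        # a "|program" recipient taken from a .forward entry

def resolve_local_user(sender):
    """Map a sender address to a local account, or None.  Only an unqualified
    address (no '@') is treated as local here; that is an assumption."""
    if "@" in sender:
        return None
    entry = PASSWD.get(sender.lower())
    return (sender.lower(), *entry) if entry else None

def pipe_identity_original(d):
    """Behaviour the post describes: if the sender resolves to a local user,
    run the program as that user, however the message arrived.  What happens
    when the sender does not resolve is not stated; NOBODY is assumed."""
    return resolve_local_user(d.envelope_sender) or NOBODY

def pipe_identity_hardened(d):
    """Trust the sender-to-uid mapping only for local submissions.  An SMTP
    client chooses its own envelope sender, so it must never choose the uid,
    and no pipe is ever run as uid 0."""
    if d.via_smtp:
        return NOBODY
    ident = resolve_local_user(d.envelope_sender) or NOBODY
    return NOBODY if ident[1] == 0 else ident

def run_pipe_as(identity, argv):
    """Drop root to `identity` (supplementary groups, gid, then uid) and exec
    the pipe program.  Meant for the child of a root mailer process."""
    _name, uid, gid = identity
    os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.geteuid() != uid:
        raise SystemExit("privilege drop failed")
    os.execv(argv[0], argv)
```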


