On Mon, Oct 23, 2000 at 09:06:35AM -0600, Bruce Guenter wrote:
> On Mon, Oct 23, 2000 at 01:59:20PM +0200, Andrzej wrote:
> > stunnel and other SSL wrappers work great, but then qmail sees all
> > connections incoming from localhost. It's not possible to use the "POP3
> > before SMTP" relay controls any more.
>
> Nope. With both stunnel and sslwrap you can (and should) run the target
> program directly from the wrapper program.
>
> The sslwrap documentation states:
> Instead of doing a loopback IP connection as described above,
> you can use the -exec option to directly execute a program. For
> security reasons, I recommend using the standard inetd
> configuration specified above, instead.
> I queried the author about why he felt that doing loopback IP
> connections was more secure than just exec'ing the program directly, and
> received no response. I know of no reason it would be more secure, and
> it prevents you from doing things like relay-ctrl as well.
If you ran qmail-popup directly from sslwrap, you'd have to run sslwrap as
root. I do the loopback connection thing and I can run sslwrap as the user
"sslwrap," which has regular user permissions.
Chris
