On Mon, Oct 23, 2000 at 09:06:35AM -0600, Bruce Guenter wrote:
> On Mon, Oct 23, 2000 at 01:59:20PM +0200, Andrzej wrote:
> > stunnel and other SSL wrappers work great, but then qmail sees all
> > connections incoming from localhost. It's not possible to use the "POP3
> > before SMTP" relay controls any more.
> 
> Nope.  With both stunnel and sslwrap you can (and should) run the target
> program directly from the wrapper program.
> 
> The sslwrap documentation states:
>       Instead of doing a loopback IP connection as described above,
>       you can use the -exec option to directly execute a program. For
>       security reasons, I recommend using the standard inetd
>       configuration specified above, instead.
> I queried the author about why he felt that doing loopback IP
> connections was more secure than just exec'ing the program directly, and
> received no response.  I know of no reason it would be more secure, and
> it prevents you from doing things like relay-ctrl as well.

If you ran qmail-popup directly from sslwrap, you'd have to run sslwrap as
root. I do the loopback connection thing and I can run sslwrap as the user
"sslwrap," which has regular user permissions.

Chris
