Re: Is sendmail trusted-user feature broken?
Thanks for all the help I received on this. Yes,
the X-Authentication-Warning reporting abuse of the
sendmail -f switch, went away after I added the following
line to submit.mc
FEATURE(`use_ct_file')dnl
and, of course, adding the trusted username (in my case,
apache, since that's what my server is running under) to
/etc/trusted-users :)
First, make sure this (or something darn near like it) is indeed
in /etc/mail/sendmail.cf:
Ft/etc/mail/trusted-users %[^\#]
Now, if this process actually winds up invoking sendmail binary
vs talking to port 25, you'll also need to add that FEATURE
to /etc/mail/submit.mc and remake (no restart required).
Welcome to the world of split personality sendmail :)
I read that the trusted-user feature was entirely disabled
in sendmail versions 8.1 through 8.6, but then was revived.
Does that have anything to do with it?
No, and I don't recall seeing that, but 'tis been a while :)
I read it in the O'Reilly {Sendmail} book, on page 245. But
oh my gosh! I see that my edition of that book was printed in
1994! My, how time flies
Thanks again,
--
+---+
| John Sigerson |
| EIR News Service, Inc. E-mail: [EMAIL PROTECTED]|
| 60 Sycolin RoadVoice: 703-777-9451 x543 |
| Leesburg, VA 20175 Fax:703-771-3099 or 771-9492 |
| USAWeb:http://www.larouchepub.com |
+---+
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Is sendmail trusted-user feature broken?
Thanks for all the help I received on this. Yes,
the X-Authentication-Warning reporting abuse of the
sendmail -f switch, went away after I added the following
line to submit.mc
FEATURE(`use_ct_file')dnl
and, of course, adding the trusted username (in my case,
apache, since that's what my server is running under) to
/etc/trusted-users :)
First, make sure this (or something darn near like it) is indeed
in /etc/mail/sendmail.cf:
Ft/etc/mail/trusted-users %[^\#]
Now, if this process actually winds up invoking sendmail binary
vs talking to port 25, you'll also need to add that FEATURE
to /etc/mail/submit.mc and remake (no restart required).
Welcome to the world of split personality sendmail :)
I read that the trusted-user feature was entirely disabled
in sendmail versions 8.1 through 8.6, but then was revived.
Does that have anything to do with it?
No, and I don't recall seeing that, but 'tis been a while :)
I read it in the O'Reilly {Sendmail} book, on page 245. But
oh my gosh! I see that my edition of that book was printed in
1994! My, how time flies
Thanks again,
--
+---+
| John Sigerson |
| EIR News Service, Inc. E-mail: [EMAIL PROTECTED]|
| 60 Sycolin RoadVoice: 703-777-9451 x543 |
| Leesburg, VA 20175 Fax:703-771-3099 or 771-9492 |
| USAWeb:http://www.larouchepub.com |
+---+
RE: Is sendmail trusted-user feature broken?
Sorry, but do you have changed the default user for apache from 'www-data' to 'apache'? Otherwise you have to put www-data into one line of '/etc/mail/trusted-users'. That works on our servers (pure woody). Our 'submit.mc': ... OSTYPE(`debian')dnl DOMAIN(`debian-msp')dnl FEATURE(use_ct_file)dnl ... Please be aware about the position - - it dosen't work everywhere within that file! Christian -Original Message- From: John Sigerson [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 25, 2003 3:47 AM To: debian-isp@lists.debian.org Subject: Is sendmail trusted-user feature broken? ... The docs indicate that "apache" needs to be added as a "trusted user", and so I added "apache" to /etc/mail/trusted-users; added FEATURE(`use_ct_file')dnl to /etc/mail/sendmail.mc, did make, and restarted sendmail. (For testing, I also did not include authwarnings as one of the privacy flags.) ...
Re: Is sendmail trusted-user feature broken?
Well, I had already fooled around with submit.mc, but
on your suggestion I tried it again--but with no success.
I added the following line to submit.mc:
define(`confTRUSTED_USER', `johnsig')dnl
then did make, and from my johnsig shell, did the following:
/usr/sbin/sendmail [EMAIL PROTECTED] johnsig
but alas! I {still} get the X-Authentication-Warning message
saying that johnsig used -f.
Maybe there's some kind of PAM issue lurking here?
Anyway, to solve the immediate problem, I just installed
sudo, added "apache" to the list of sudoers, giving it
NOPASSWD:/usr/sbin/sendmail permission, and then
edited the CGI script, adding sudo before the
sendmail command. It is admittedly less secure,
but my CGI can only be run by users who have been
authenticated over SSL. But if you think this is a
really bad idea, please let me know.
--John Sigerson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
John Sigerson <[EMAIL PROTECTED]> wrote:
X-Authentication-Warning: eirweb2.chvlva.adelphia.net: apache set
sender to [EMAIL PROTECTED] using -f
The docs indicate that "apache" needs to be added as a "trusted
user", and so I added "apache" to /etc/mail/trusted-users; added
FEATURE(`use_ct_file')dnl to /etc/mail/sendmail.mc, did make,
and restarted sendmail. (For testing, I also did not include
authwarnings as one of the privacy flags.)
But still, this pesky X-Authentication-Warning will not go away!
You also need to edit submit.mc to add the trusted user feature.
Yours sincerely,
- -- Mark Suter <[EMAIL PROTECTED]> | I have often regretted my
Miju Systems - http://www.miju.com.au/ | speech, never my silence.
mobile 0411 262 316 gnupg key 2C71D63D | Xenocrates (396-314 B.C.)
--
+---+
| John Sigerson |
| EIR News Service, Inc. E-mail: [EMAIL PROTECTED]|
| 60 Sycolin RoadVoice: 703-777-9451 x543 |
| Leesburg, VA 20175 Fax:703-771-3099 or 771-9492 |
| USAWeb:http://www.larouchepub.com |
+---+
RE: Is sendmail trusted-user feature broken?
Sorry, but do you have changed the default user for apache from 'www-data' to 'apache'? Otherwise you have to put www-data into one line of '/etc/mail/trusted-users'. That works on our servers (pure woody). Our 'submit.mc': ... OSTYPE(`debian')dnl DOMAIN(`debian-msp')dnl FEATURE(use_ct_file)dnl ... Please be aware about the position - - it dosen't work everywhere within that file! Christian -Original Message- From: John Sigerson [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 25, 2003 3:47 AM To: [EMAIL PROTECTED] Subject: Is sendmail trusted-user feature broken? ... The docs indicate that "apache" needs to be added as a "trusted user", and so I added "apache" to /etc/mail/trusted-users; added FEATURE(`use_ct_file')dnl to /etc/mail/sendmail.mc, did make, and restarted sendmail. (For testing, I also did not include authwarnings as one of the privacy flags.) ... -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Is sendmail trusted-user feature broken?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John Sigerson <[EMAIL PROTECTED]> wrote: > X-Authentication-Warning: eirweb2.chvlva.adelphia.net: apache set > sender to [EMAIL PROTECTED] using -f > > The docs indicate that "apache" needs to be added as a "trusted > user", and so I added "apache" to /etc/mail/trusted-users; added > FEATURE(`use_ct_file')dnl to /etc/mail/sendmail.mc, did make, > and restarted sendmail. (For testing, I also did not include > authwarnings as one of the privacy flags.) > > But still, this pesky X-Authentication-Warning will not go away! You also need to edit submit.mc to add the trusted user feature. Yours sincerely, - -- Mark Suter <[EMAIL PROTECTED]> | I have often regretted my Miju Systems - http://www.miju.com.au/ | speech, never my silence. mobile 0411 262 316 gnupg key 2C71D63D | Xenocrates (396-314 B.C.) -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Check Keyservers or http://zwitterion.org/keys/ iD8DBQE++UQGRYso2ixx1j0RAgJ4AJ0f5k+m/CKwADLJMPNZ660eTKa0TwCfZJXR /QqLRGhUCyWV5uPOMGtpPRE= =rTFn -END PGP SIGNATURE-
Re: Is sendmail trusted-user feature broken?
Well, I had already fooled around with submit.mc, but
on your suggestion I tried it again--but with no success.
I added the following line to submit.mc:
define(`confTRUSTED_USER', `johnsig')dnl
then did make, and from my johnsig shell, did the following:
/usr/sbin/sendmail [EMAIL PROTECTED] johnsig
but alas! I {still} get the X-Authentication-Warning message
saying that johnsig used -f.
Maybe there's some kind of PAM issue lurking here?
Anyway, to solve the immediate problem, I just installed
sudo, added "apache" to the list of sudoers, giving it
NOPASSWD:/usr/sbin/sendmail permission, and then
edited the CGI script, adding sudo before the
sendmail command. It is admittedly less secure,
but my CGI can only be run by users who have been
authenticated over SSL. But if you think this is a
really bad idea, please let me know.
--John Sigerson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
John Sigerson <[EMAIL PROTECTED]> wrote:
X-Authentication-Warning: eirweb2.chvlva.adelphia.net: apache set
sender to [EMAIL PROTECTED] using -f
The docs indicate that "apache" needs to be added as a "trusted
user", and so I added "apache" to /etc/mail/trusted-users; added
FEATURE(`use_ct_file')dnl to /etc/mail/sendmail.mc, did make,
and restarted sendmail. (For testing, I also did not include
authwarnings as one of the privacy flags.)
But still, this pesky X-Authentication-Warning will not go away!
You also need to edit submit.mc to add the trusted user feature.
Yours sincerely,
- -- Mark Suter <[EMAIL PROTECTED]> | I have often regretted my
Miju Systems - http://www.miju.com.au/ | speech, never my silence.
mobile 0411 262 316 gnupg key 2C71D63D | Xenocrates (396-314 B.C.)
--
+---+
| John Sigerson |
| EIR News Service, Inc. E-mail: [EMAIL PROTECTED]|
| 60 Sycolin RoadVoice: 703-777-9451 x543 |
| Leesburg, VA 20175 Fax:703-771-3099 or 771-9492 |
| USAWeb:http://www.larouchepub.com |
+---+
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Is sendmail trusted-user feature broken?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 John Sigerson <[EMAIL PROTECTED]> wrote: > X-Authentication-Warning: eirweb2.chvlva.adelphia.net: apache set > sender to [EMAIL PROTECTED] using -f > > The docs indicate that "apache" needs to be added as a "trusted > user", and so I added "apache" to /etc/mail/trusted-users; added > FEATURE(`use_ct_file')dnl to /etc/mail/sendmail.mc, did make, > and restarted sendmail. (For testing, I also did not include > authwarnings as one of the privacy flags.) > > But still, this pesky X-Authentication-Warning will not go away! You also need to edit submit.mc to add the trusted user feature. Yours sincerely, - -- Mark Suter <[EMAIL PROTECTED]> | I have often regretted my Miju Systems - http://www.miju.com.au/ | speech, never my silence. mobile 0411 262 316 gnupg key 2C71D63D | Xenocrates (396-314 B.C.) -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Check Keyservers or http://zwitterion.org/keys/ iD8DBQE++UQGRYso2ixx1j0RAgJ4AJ0f5k+m/CKwADLJMPNZ660eTKa0TwCfZJXR /QqLRGhUCyWV5uPOMGtpPRE= =rTFn -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Is sendmail trusted-user feature broken?
I'm using Debian sendmail distribution 8.12.3-6.4 and I have apache running as user "apache" and group "apache". I'm running a CGI program which calls sendmail using the "-f" switch to set the sender's e-mail address (apache is running a number of virtual servers, each with a separate domain). The problem is that sendmail keeps adding this warning to the mail message header: X-Authentication-Warning: eirweb2.chvlva.adelphia.net: apache set sender to [EMAIL PROTECTED] using -f The docs indicate that "apache" needs to be added as a "trusted user", and so I added "apache" to /etc/mail/trusted-users; added FEATURE(`use_ct_file')dnl to /etc/mail/sendmail.mc, did make, and restarted sendmail. (For testing, I also did not include authwarnings as one of the privacy flags.) But still, this pesky X-Authentication-Warning will not go away! Any suggestions would be greatly appreciated! I read that the trusted-user feature was entirely disabled in sendmail versions 8.1 through 8.6, but then was revived. Does that have anything to do with it? -- +---+ | John Sigerson | | EIR News Service, Inc. E-mail: [EMAIL PROTECTED]| | 60 Sycolin RoadVoice: 703-777-9451 x543 | | Leesburg, VA 20175 Fax:703-771-3099 or 771-9492 | | USAWeb:http://www.larouchepub.com | +---+
Is sendmail trusted-user feature broken?
I'm using Debian sendmail distribution 8.12.3-6.4 and I have apache running as user "apache" and group "apache". I'm running a CGI program which calls sendmail using the "-f" switch to set the sender's e-mail address (apache is running a number of virtual servers, each with a separate domain). The problem is that sendmail keeps adding this warning to the mail message header: X-Authentication-Warning: eirweb2.chvlva.adelphia.net: apache set sender to [EMAIL PROTECTED] using -f The docs indicate that "apache" needs to be added as a "trusted user", and so I added "apache" to /etc/mail/trusted-users; added FEATURE(`use_ct_file')dnl to /etc/mail/sendmail.mc, did make, and restarted sendmail. (For testing, I also did not include authwarnings as one of the privacy flags.) But still, this pesky X-Authentication-Warning will not go away! Any suggestions would be greatly appreciated! I read that the trusted-user feature was entirely disabled in sendmail versions 8.1 through 8.6, but then was revived. Does that have anything to do with it? -- +---+ | John Sigerson | | EIR News Service, Inc. E-mail: [EMAIL PROTECTED]| | 60 Sycolin RoadVoice: 703-777-9451 x543 | | Leesburg, VA 20175 Fax:703-771-3099 or 771-9492 | | USAWeb:http://www.larouchepub.com | +---+ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
