Re: Using postfix w/ mimedefang's Unix socket

2011-12-03 Thread Philip Prindeville
On 12/3/11 7:15 AM, Wietse Venema wrote:
> Philip Prindeville:
>> Dec 2 20:32:54 localhost postfix/smtpd[9440]: warning: connect
>> to Milter service unix:/var/spool/MIMEDefang/mimedefang.sock:
>> Permission denied
>
> Does the error go away if you turn off SELinux?
>
> Wietse

Could have

Re: Using postfix w/ mimedefang's Unix socket

2011-12-03 Thread Wietse Venema
Philip Prindeville:
> I'm just wondering why the socket can't be opened before the
> set_ugid() drops the additional groups.

smtpd(8) does not use set_ugid(), and it does not drop auxiliary groups.

Wietse

Re: Using postfix w/ mimedefang's Unix socket

2011-12-03 Thread Wietse Venema
Philip Prindeville:
> Dec 2 20:32:54 localhost postfix/smtpd[9440]: warning: connect
> to Milter service unix:/var/spool/MIMEDefang/mimedefang.sock:
> Permission denied

Does the error go away if you turn off SELinux?

Wietse

Re: Using postfix w/ mimedefang's Unix socket

2011-12-02 Thread Philip Prindeville
On 12/2/11 8:23 PM, Philip Prindeville wrote:
> On 12/2/11 2:19 PM, Wietse Venema wrote:
>> Philip Prindeville:
>>> Would it make sense to add a parameter of additional gid's that
>>> you want smtpd to retain?
>>
>> Perhaps you can use a class "inet" socket on 127.0.0.1. That
>> will have less impa

Re: Using postfix w/ mimedefang's Unix socket

2011-12-02 Thread Philip Prindeville
On 12/2/11 2:19 PM, Wietse Venema wrote:
> Philip Prindeville:
>> Would it make sense to add a parameter of additional gid's that
>> you want smtpd to retain?
>
> Perhaps you can use a class "inet" socket on 127.0.0.1. That
> will have less impact on the Postfix security architecture.
> With 64k p

Re: Using postfix w/ mimedefang's Unix socket

2011-12-02 Thread Wietse Venema
Philip Prindeville:
> Would it make sense to add a parameter of additional gid's that
> you want smtpd to retain?

Perhaps you can use a class "inet" socket on 127.0.0.1. That will have less impact on the Postfix security architecture. With 64k ports, you won't run out of them quickly.

Wie