From: Russell Mosemann (mose_at_ns.cune.edu)
Date: Tue Aug 06 2002 - 08:53:09 CDT


    On Tue, 6 Aug 2002, Marshal Newrock wrote:

    > On Tue, 6 Aug 2002, Rudolf Wolf wrote:
    >
    > > When I want to have my box better secured, I change the permission on
    > > main.cf from rw-r--r-- to rw------- for root only. But sendmail process
    > > said, that it wasn't correct and it couldn't access main.cf. The error
    > > message was: Aug 6 12:37:51 sova postfix/sendmail[7792]: fatal: open
    > > /etc/postfix/main.cf: Permission denied
    >
    > I'm not the LDAP admin, but what we did was to set up an LDAP mailproxy
    > account which has read-only access to the specific attributes that postfix
    > needs. Also to consider would be a peername parameter which allows
    > specified machines to bind anonymously to LDAP.

    We, too, use anonymous bind for read-only access to all of the "public"
    information, such as the email address, the mail host and the full name of
    the user. We don't allow access to our OpenLDAP servers from the
    Internet, and on our LAN, we currently only allow the ldap servers to talk
    to each other (with tcp_wrappers compiled in). The servers happen to be
    the same computers where postfix and imap are running.

    Anonymous access makes it easier to configure all of the various programs
    we run (postfix, perdition imap, courier imap, twig, etc.). If that's too
    open, the peername or tcp_wrappers approaches are good ideas.

    No logins beyond administrators are allowed on those computers. Our users
    are probably not sophisticated enough (or interested) to be able to access
    the ldap servers. Even if we let them read the "public" information, it
    would be the same thing that's in the internal telephone directory,
    anyway.

    As a final thought, I'm seeing more requests on lists lately for web email
    interfaces to support contact lists through ldap. If we eventually allow
    that, everyone will need to read the "public" information, anyway.

    *By "public" information here, I mean information that everyone knows
    internally but may not be available to someone on the Internet.

    ----
    Russell Mosemann, Ph.D. * Computing Services * Concordia University, Nebraska
    "Tact is the ability to tell someone they have an open mind
     when they have a hole in their head."
    

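The setup described in the thread (read-only access to the "public" attributes for anonymous binds or a dedicated proxy account, a peername restriction on which machines may query, and tcp_wrappers limiting who can reach slapd at all) could be expressed as the configuration below. This is an added example written for this archive page, not configuration from the poster or the Postfix project. The suffix dc=example,dc=com, the service DN cn=mailproxy,ou=services,dc=example,dc=com, the addresses 192.0.2.10 and 192.0.2.11, the mailHost attribute (from OpenLDAP's misc.schema) and the file names are assumptions; the peername.ip ACL style is OpenLDAP 2.2-or-later syntax from slapd.access(5).

```conf
# --- /etc/openldap/slapd.conf (access-control section) ---
# Assumed layout (placeholders): suffix dc=example,dc=com, read-only service
# account cn=mailproxy,ou=services,dc=example,dc=com, mail hosts on
# 192.0.2.10 and 192.0.2.11. ACLs are evaluated in order, first match wins.

# Passwords: the owner may change theirs, anonymous may only use it to bind.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# "Public" attributes the mail software needs (the entry pseudo-attribute is
# required so that matching entries can be returned at all). Readable by the
# proxy account and by anonymous binds coming from the two mail hosts.
access to attrs=entry,mail,mailHost,cn
    by dn.exact="cn=mailproxy,ou=services,dc=example,dc=com" read
    by peername.ip=192.0.2.10 read
    by peername.ip=192.0.2.11 read
    by * none

# Everything else: nobody but the proxy account gets to see it.
access to *
    by dn.exact="cn=mailproxy,ou=services,dc=example,dc=com" read
    by * none

# --- /etc/hosts.allow and /etc/hosts.deny (slapd built with tcp_wrappers) ---
# Second layer: only the two mail/LDAP hosts may even open a connection.
# /etc/hosts.allow
slapd: 192.0.2.10 192.0.2.11
# /etc/hosts.deny
slapd: ALL

# --- /etc/postfix/ldap-mailboxes.cf (Postfix LDAP lookup table) ---
# Anonymous bind from a host the ACL and hosts.allow both permit; the lookup
# only needs the mail attribute. Referenced from main.cf, for example as
#   virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailboxes.cf
server_host = ldap://192.0.2.10
search_base = ou=people,dc=example,dc=com
bind = no
query_filter = (mail=%s)
result_attribute = mail
```

To check the result, run an anonymous search from one of the allowed hosts, e.g. `ldapsearch -x -H ldap://192.0.2.10 -b dc=example,dc=com '(mail=user@example.com)' mail cn mailHost`: it should return those three attributes and nothing else, and the same query requesting userPassword should come back empty. From any other machine the connection is refused by tcp_wrappers before slapd evaluates the ACLs, so the two layers fail independently of each other.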