From: Timo Boettcher (spida_at_gmx.net)
Date: Tue Aug 06 2002 - 11:02:04 CDT
Hi Russell,
Message from Tuesday, 6 August 2002, 15:53:09:
RM> On Tue, 6 Aug 2002, Marshal Newrock wrote:
>> On Tue, 6 Aug 2002, Rudolf Wolf wrote:
>>
>> > Then I want to have my box better secured, I change the permission on
>> > main.cf from rw-r--r-- to rw------- for root only. But sendmail process
>> > said, that it wasn't correct and it couldn't access main.cf. The error
>> > message was: Aug 6 12:37:51 sova postfix/sendmail[7792]: fatal: open
>> > /etc/postfix/main.cf: Permission denied
>>
>> I'm not the LDAP admin, but what we did was to set up an LDAP mailproxy
>> account which has read-only access to the specific attributes that postfix
>> needs. Also to consider would be a peername parameter which allows
>> specified machines to bind anonymously to LDAP.
RM> We, too, use anonymous bind for read-only access to all of the "public"
RM> information, such as the email address, the mail host and the full name of
RM> the user. We don't allow access to our OpenLDAP servers from the
RM> Internet, and on our LAN, we currently only allow the ldap servers to talk
RM> to each other (with tcp_wrappers compiled in). The servers happen to be
RM> the same computers where postfix and imap are running.
RM> Anonymous access makes it easier to configure all of the various programs
RM> we run (postfix, perdition imap, courier imap, twig, etc.). If that's too
RM> open, the peername or tcp_wrappers approach are good ideas.
RM> No logins beyond administrators are allowed on those computers. Our users
RM> are probably not sophisticated enough (or interested) to be able to access
RM> the ldap servers. Even if we let them read the "public" information, it
RM> would be the same thing that's in the internal telephone directory,
RM> anyway.
RM> As a final thought, I'm seeing more requests on lists lately for web email
RM> interfaces to support contact lists through ldap. If we eventually allow
RM> that, everyone will need to read the "public" information, anyway.
RM> *By "public" information here, I mean information that everyone knows
RM> internally but may not be available to someone on the Internet.
RM> ----
RM> Russell Mosemann, Ph.D. * Computing Services * Concordia University, Nebraska
RM> "Tact is the ability to tell someone they have an open mind
RM> when they have a hole in their head."
I have everything I need in Ldap, which is Login and mailbox data for
courier, aliases and mailbox for postfix, preferences for imp and
login and home for ftp (different password than the rest).
Each user has modify rights for himself (via some protected
php-interface), and every daemon has a read-only account with per
attribute rights for just what he needs.
I couldn't think of any safer way...
Timo
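The layout Timo describes (a read-only bind account per daemon with rights limited to the attributes it needs, users allowed to modify their own entries) and the peername-based anonymous read Marshal mentions can both be written as OpenLDAP slapd.conf access directives. The fragment below is an added example, not configuration from anyone in the thread. The suffix dc=example,dc=com, the bind DN cn=postfix,ou=daemons,dc=example,dc=com, the address 192.0.2.10 and the attribute names mail, cn and mailHost are assumptions; the `entry` pseudo-attribute and `peername.ip` selector require OpenLDAP 2.1 or later (2.0 has only peername.regex).

```conf
# Added example slapd.conf ACL fragment (not from the thread; names and
# addresses are assumptions).
#
# slapd walks "access to" clauses in order and stops at the first one whose
# <what> matches the attribute being checked, so the password rule must come
# first: a later per-attribute grant could otherwise never be reached for
# userPassword.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
# "by anonymous auth" lets simple binds compare the password without anyone,
# daemon accounts included, being able to read it back.

# Attributes the mail system needs. Only the postfix account is shown; the
# courier, imp and ftp daemons would each get their own dn.exact line with
# their own attribute list. The "entry" pseudo-attribute must be granted,
# otherwise a search that matches is silently returned empty. The attribute
# names are assumptions and must match what the postfix ldap: map queries.
access to dn.subtree="ou=people,dc=example,dc=com"
          attrs=entry,objectClass,mail,cn,mailHost
        by self write
        by dn.exact="cn=postfix,ou=daemons,dc=example,dc=com" read
        by peername.ip=192.0.2.10 read
        by * none
# The peername.ip line is Marshal's variant: anonymous read of these public
# attributes, but only from the mail host's address. Drop it if every daemon
# has a bind DN, which is what Timo describes.

# Everything else in a user's entry (ftp home, imp preferences): the user
# can edit it through the PHP front end, which binds as that user, and no
# daemon or anonymous client can see it. Enforcement sits in slapd, not in
# the web code.
access to dn.subtree="ou=people,dc=example,dc=com"
        by self write
        by * none
```

After changing ACLs, check them with ldapsearch bound as each daemon DN (and once anonymously) and confirm that only the intended attributes come back; a rule ordering mistake usually shows up as either an empty result set or userPassword becoming readable.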