From owner-freebsd-security  Sun Jun 16 16:20:58 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id QAA26335
          for security-outgoing; Sun, 16 Jun 1996 16:20:58 -0700 (PDT)
Received: from mojo.calyx.net (root@mojo.calyx.net [204.137.148.2])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA26330
          for <freebsd-security@freebsd.org>; Sun, 16 Jun 1996 16:20:54 -0700 (PDT)
Received: from localhost (twc@localhost) by mojo.calyx.net (8.7.5/8.7.3) with SMTP id TAA09034 for <freebsd-security@freebsd.org>; Sun, 16 Jun 1996 19:20:48 -0400 (EDT)
Date: Sun, 16 Jun 1996 19:20:48 -0400 (EDT)
From: TWC <twc@ns.calyx.com>
To: freebsd-security@freebsd.org
Subject: Secure way to do mail
Message-ID: <Pine.NEB.3.94.960616191530.9006A-100000@mojo.calyx.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


Hi.  I have been trying to come up with a (more) secure way to do email.
I was wondering if it was possible as far as anyone knows to have smap
(from the TIS firewall toolkit) answer on port25, take the mail, then hand
it over directly to procmail (which would be setuid) for local delivery.
Then sendmail could be non-setuid and still used for outgoing email.

My reason for not using the standard smap implementation (smap takes the
incoming mail then smapd collects and runs sendmail on it) is that I'd
like to leave a setuid sendmail out of the equation entirely.  Local users
could still exploit it, and there are certain sendmail holes that could be
a problem even in a non-interactive chroot'ed environment.

--
-- TWC -- twc@netpimp.com --