I am working on a project where I would like to allow certain persons to modify certain entries of Sendmail's virtusertable via a web interface. I originally thought this wouldn't be a problem until I read the following:

/etc/aliases vs virtusertable

The second answer in this post claims that the right hand side of an entry in the virtusertable database could be a file. If this is true, I have to be extremely cautious, because (for example) if it works with a file, it probably works with a pipe as well, and we all know what could happen then.

Although I have been researching for several hours now, I haven't found a single example of a virtusertable where the RHS is a file, nor any other hint regarding this feature or how to use it. So my questions are:

1) Is it true that the RHS of a virtusertable entry can be a file?

2) If yes, how does Sendmail distinguish if the RHS of an entry is a local user, a full email address or a file (obviously, I can have files named root or joe@example.com somewhere in my file system)?

As a side note, I am aware that this post eventually could be moved to security.stackexchange.com, but I've decided to leave it here since the two questions above might be interesting to administrators even when not being in my situation (i.e. when the virtusertable can be changed only by themselves (and not via web interface as well)).

Update (2016-08-21)

Supported by the comments below, I have written an email to the FreeBSD documentation team. I hope they will get back to me soon. I'll add an update when this happens.

Binarus
  • @Andrzej A. Filip Please forgive me, but in your first sentence, did you really mean "does", or did you mean "doesn't"? The further sentences of your explanation sound as if you actually wanted to say "doesn't" in your first sentence ... – Binarus Aug 20 '16 at 18:07
  • [CORRECTED] AFAIK: virtusertable does NOT handle "file as RHS". Aliases can handle it. Some sendmail tricks use chain of virtusertable/alias lookups – AnFi Aug 20 '16 at 18:15
  • @Andrzej A. Filip Thank you very much. So the [BSD manual is wrong](https://www.freebsd.org/doc/handbook/sendmail.html) (surprisingly). I think I will drop them an email or subscribe to some list to get this corrected. I believe this could be important to others, too. – Binarus Aug 20 '16 at 18:21
  • The manual seems right but the wording may be confusing/misleading. It uses phrase "virtual mailboxes" describing **aliases** (/etc/mail/aliases). – AnFi Aug 20 '16 at 20:27
  • Not sure if I got you right: The section "/etc/mail/virtusertable" of the manual begins with the words: "This database file maps mail addresses for virtual domains and users to real mailboxes. These mailboxes can be local, remote, aliases defined in /etc/mail/aliases, **or files**." I couldn't find the phrase "virtual mailboxes" in that section of the document, and actually it is the section which deals with virtusertable; the section which deals with /etc/mail/aliases is a separate section (two sections ahead). Did I misunderstand something? – Binarus Aug 20 '16 at 21:45
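
An allowlist check for right-hand sides submitted through a web interface like the one described in the question, as an added example that is not part of the original post or its comments. It also follows the comment about virtusertable/alias lookup chains by refusing local names whose alias expansion reaches a file, pipe or `:include:` target. The function names, the allowlist, the local-domain list and the sample aliases are assumptions constructed for illustration.

```python
import re
# Assumption: the form may only set "user@domain" or an allowlisted local name.
ADDR_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
LOCAL_RE = re.compile(r"[a-z_][a-z0-9_-]*")
# Alias targets that write to a file, run a program or read a list file.
DANGEROUS = ("/", "|", ":include:", '"/', '"|')
# Constructed sample aliases file, not taken from the page.
SAMPLE_ALIASES = """root: joe
archive: /var/mail/archive
ticket: "|/usr/local/bin/ticket-in"
staff: :include:/etc/mail/staff.list
helpdesk: joe,
    ticket
"""

def parse_aliases(text):
    """Parse 'name: target, ...' lines (with continuation lines) into a dict."""
    aliases, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():          # new entry, otherwise a continuation
            current, _, raw = raw.partition(":")
        if current is not None:
            aliases.setdefault(current.strip().lower(), []).extend(
                t.strip() for t in raw.split(",") if t.strip())
    return aliases

def alias_is_risky(name, aliases, seen=frozenset()):
    """True if name expands, through any alias chain, to a file, pipe or include."""
    name = name.lower()
    return name not in seen and any(
        t.startswith(DANGEROUS) or alias_is_risky(t, aliases, seen | {name})
        for t in aliases.get(name, []))

def validate_rhs(rhs, allowed_local, aliases, local_domains=()):
    """Return (ok, reason) for a virtusertable right-hand side from the web form."""
    name = rhs
    if ADDR_RE.fullmatch(rhs):
        user, domain = rhs.rsplit("@", 1)
        if domain.lower() not in local_domains:
            return True, "remote address"
        name = user  # delivered locally, so the aliases database still applies
    elif not LOCAL_RE.fullmatch(rhs):
        return False, "not an address or plain local name"
    if name.lower() not in allowed_local:
        return False, "local name not on allowlist"
    if alias_is_risky(name, aliases):
        return False, "alias chain reaches a file, pipe or include"
    return True, "allowlisted local user"
```

The check is deliberately stricter than what the map itself accepts: anything that is not positively recognised is refused, so the result does not depend on how the RHS would be interpreted.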

0 Answers