Chapter 12 Program Delivery

This appendix explains how to set up Netscape Messaging Server to deliver incoming messages to external programs. Because program delivery has significant system security implications, administrators should carefully review and thoroughly understand the security implications before enabling program delivery.

• About Program Delivery
• Security Considerations


• Enabling the Program Delivery Module


• Using Program Delivery to Handle Incoming Mail


• Program Delivery in Unix Environments


• Program Delivery in NT Environments

• Unix. Any executable file (including scripts).
• NT. Any Windows application. For example, any file with the filename extension of .exe, .com, or .cmd.

• Program delivery can be used to help sort mail. If you receive a great deal of mail, you might consider using a mail filter that sorts and delivers incoming mail to one or more folders. An automatic filter can usually sort messages based on the sender or topic of the message. With this type of program delivery, messages are delivered to the filtering program as they arrive.
• Program delivery can also be used as a mail file server. Some sites have a lot of information that they wish to make publicly available. The most common way to share files on the Internet is to make them available through the File Transfer Protocol (FTP) or the World Wide Web (WWW). But not everyone has FTP or web access. You can make files available to those who only have mail with a file server that selects and mails documents in response to mail requests.

A request sent to a typical mail file server consists of one or more commands such as this:

   SEND /documents/internet/rfc/rtc822.txt

Program delivery is independent of, and separate from, delivery of messages to the account's mailbox. An account can use one or both. For example, if both POP/IMAP delivery and program delivery are selected, then incoming messages are delivered to the mailbox and also processed by program delivery.

If an incoming message is addressed to an account using program delivery, and for some reason program delivery fails, the incoming message is returned to the sender and a "delivery failed" type error message is generated. This might occur, for example, if a particular program is designated to handle incoming messages but the program delivery module cannot find that program because it has been moved or deleted from the directory where program delivery expects to find it.

A trusted program is one that is assumed to function properly when used with program delivery. Before designating a program as trusted, you should carefully inspect it to make sure that program delivery can automatically run it without risking system problems or reducing network security.

• Unix: server-root/msg-instance/smtp-bin/delivery
• NT: server-root\msg-instance\smtp-bin\delivery

\bin\new_mail.exe

new_mail.exe

• NT. In NT environments, program delivery will only run in secure mode. This means that it will only run programs stored in the trusted directory.
• Unix. In Unix environments, program delivery can run in one of two operating modes: secure and non-secure. In secure mode, program delivery will only run programs stored in the trusted directory. In non-secure mode, program delivery can run programs stored anywhere on the network. For details, see Secure and Non-secure Modes (Unix).

By default, only administrators with root access (Unix), or administrator privileges (NT), can add or change programs in the trusted directory. Netscape recommends that this protection be maintained, and that the permissions for this directory never be relaxed to allow anyone else to add or modify programs in the trusted directory.

Unix Environments

In Unix environments, scripts and batch files can be used by program delivery, but extra care should be taken to ensure that they are safe.

In Windows NT environments, Netscape recommends that you do not use scripts or batch files for program delivery.

• Disabled. If the trusted directory is empty, the program delivery module is disabled and no one can use programs to process incoming mail.
• Enabled. If one or more files are stored in the trusted directory, the program module is enabled. Programs can be designated to process incoming mail if properly set up as described in Setting Up Program Delivery (Unix) and Setting Up Program Delivery (NT).

• Store a link to an executable file in the trusted directory.
• Store a non-executable file named INSECURE-PROGRAM-DELIVERIES in the trusted directory. Note, however, that the presence of this file causes program delivery to run in non-secure mode which significantly increases security risks. For details, see Secure and Non-secure Modes (Unix).

• An administrator can designate one or more programs to handle incoming mail for any account.
• An account owner can designate programs to process incoming mail for the account.

Administrators can specify program delivery for any account. This can be done through the Create User tab at the time the mail account is created, or through the Edit User tab for an account that already exists.

1. Before establishing program delivery for a user:

Make sure program delivery has been enabled as explained in Enabling the Program Delivery Module.

Make sure the programs to be used for this account have been inspected for safety and placed in the trusted directory. (In Unix environments, you can choose to run program delivery in non-secure mode. In that case, the programs do not have to be stored in the trusted directory.)

2. Go to the Create User or Edit User tab.
3. Choose Mail from the menu and click on the Delivery tab.
4. Check the box labeled "Program delivery." The Properties button is activated.

POP/IMAP delivery. If the "Enable POP/IMAP delivery" box is also checked, mail will continue to be delivered to the mailbox regardless of program delivery. In other words, if both the "Program delivery" and the "POP/IMAP delivery" boxes are checked, incoming mail will be processed by program delivery and also delivered to the mailbox.

Unix delivery. The "Unix delivery" box has nothing to do with program delivery. Do not check this box simply because you are operating in a Unix environment. For information on when and why to check the "Unix delivery" box, see Configuring Delivery Options in Chapter 4.

5. Click the Properties button next to the Program Delivery option. The Program Delivery dialog box is displayed.
6. In the Program Delivery dialog box, enter the command (program) that is to process incoming messages for this account.

Unix secure mode. When running program delivery in secure mode, you need only enter the command name, you do not need to enter a path. For example, to run the program named mymail stored in the trusted directory, you enter mymail.

Unix non-secure mode. When running program delivery in non-secure mode, you must enter an absolute path for the program to run. (Program delivery does not make any use of paths in the account owner's environment.) For example, to run the program named mymail stored in the /usr/bin directory, you enter /usr/bin/mymail.

NT. You must enter the filename exactly as the filename exists in the trusted directory (including the filename extension). You do not need to enter a path. For example, to run the mymail.exe stored in the trusted directory you enter mymail.exe. program delivery.

7. To run multiple programs, enter each program on a separate line by itself. Programs will be run in the order you specify. For example, to first run the new_mail.exe program, and then the sort_mail.cmd program, simply enter:

   new_mail.exe
   sort_mail.cmd

8. Now click on OK.

End users can designate program delivery for their accounts through the end user Server Account Management forms. To designate one or more programs to handle incoming mail for their accounts, end users should follow these steps:

1. Check with the appropriate administrator to:

• Make sure program delivery has been enabled for Messaging Server.
• Find out if the program (or programs) they want to use have been placed in the trusted directory. (In Unix environments, this may not be necessary if you have set up program delivery to use any program, not just those stored in the trusted directory.)
• Obtain the machine name and port number of the Administration Server.
2. Go to the Delivery Options tab of the Server Account Manager.
3. In the Extra Processing pane of the Delivery Options tab, check the box labeled "Filter all incoming messages through one or more programs."

Note that program delivery is separate from, and independent of, mailbox delivery. If either the "Your POP3/IMAP mailbox" or "Your UNIX mailbox" boxes are also checked, mail will continue to be delivered to the end users mailbox regardless of program delivery. In other words, if both the "Filter all..." and the "POP3/IMAP mailbox" boxes are checked, incoming mail will be processed by program delivery and also be delivered to the user's mailbox.

4. In the dialog box, enter the command (program) that will process incoming messages for this account:

Unix secure mode. By default, program delivery runs in secure mode in Unix environments. Check with the administrator to confirm that it is running in secure-mode. Under secure-mode, users need only enter the command name; they do not need to enter a path. For example, to run the program named mymail stored in the trusted directory, enter mymail.

Unix non-secure mode. If program delivery is running in non-secure mode, users must enter an absolute path locating the program to be run. (Program delivery does not make any use of the user path as stored in the user environment.) For example, to run the program named mymail stored in the /usr/bin directory, enter /usr/bin/mymail.

NT. In NT environments, the user must enter the filename exactly as the filename exists in the trusted directory (including the filename extension). Users do not need to enter a path. For example, to run the mymail.exe stored in the trusted directory, enter mymail.exe.

To run multiple programs, enter each program on a separate line by itself. Programs will be run in the order you specify. For example, to first run the new_mail.exe program, and then the sort_mail.cmd program, simply enter:

   new_mail.exe
   sort_mail.cmd

5. Click Change.

• Program Delivery and Unix
• How Program Delivery Works (Unix)


• Secure and Non-secure Modes (Unix)


• Setting Up Program Delivery (Unix)


• Suspending Program Delivery (Unix)


• Disabling Program Delivery (Unix)

The following factors should be considered when using program delivery in Unix environments:

• Restricted environment: Many programs (especially shells such as /bin/sh and others) use information from environment variables to modify their behavior. For security reasons, the only environment variables passed to an external program are TZ (time zone information), AGENT= Messaging Server (for compatibility with sendmail), and sometimes PATH.
• Setuid-root program: Some programs need more permissions than those of the user who executes them. Such programs acquire root permissions when they are run. Setuid programs can be identified by an s as the user-execute permission in the output of ls -l, as shown here:

   -r-s--x--- 1 root mta 70064 Feb 17 10:32 sort_my_mail

• Valid shell: Before running a program, the login shell of the user the message is addressed to is checked against the list of valid shells found in the /etc/shells file. The /etc/shells file is simply a list of shells, one per line, that can be used to log into the system. If this file is missing or empty, the user's shell is checked against the following default list:

   /bin/sh
   /usr/bin/sh
   /bin/csh
   /usr/bin/csh
   /bin/ksh 
   /usr/bin/ksh

When a program is run in response to an incoming message, that program is run under the user ID of the owner of the account the message is addressed to. For example, if a message is addressed to the salesdata account, the program is run under the user ID of the owner of the salesdata account. Note, however, that for security reasons, program delivery will not run programs under the root user ID. For additional information on running programs for the root account, see Specifying the User ID for Root (Unix).

1. Messaging Server sets up a restricted environment consisting of only the variables TZ and AGENT.
2. Messaging Server permanently gives up root permissions by changing to those of the controlling user (using setuid(2)). The controlling user is the owner of the account the incoming message is addressed to. If the account is owned by root, the controlling user is the designated user as described in Specifying the User ID for Root (Unix). Messaging Server changes to the controlling user's home directory if possible (it remains in /tmp if a failure occurs).
3. Messaging Server performs two checks:

• It checks that the program to be run is located in the trusted directory. If the program is not in the trusted directory, it checks the trusted directory for the presence of a file named INSECURE-PROGRAM-DELIVERIES. If that file is present, it runs the program as specified by the user with an absolute path. If neither the program nor the INSECURE-PROGRAM-DELIVERIES file is present in the trusted directory, program delivery aborts and an error message is sent to the administrator.
• It makes sure there are no special characters in the command. The special characters it checks for are $ ^ & ( ) | \Q ; < > CR and LF. So, for example, you won't be able to run two programs connected by a pipe. If one of these disallowed characters are present, program delivery fails and the incoming message is bounced back to the sender with an "undeliverable" type notice.
4. Messaging Server starts the program.
5. Messaging Server feeds the message to the program.
6. If the user has designated multiple programs, each program is run in the sequence the user specified.

For general security-related information that applies to both the Unix and NT versions of program delivery, see Security Considerations.

• Secure mode. In secure mode, program delivery will only run the executable files (programs) that are stored in the trusted directory. For details, see Secure Mode.
• Non-secure mode. In non-secure mode, program delivery will run any executable file (program) stored anywhere on the network. For details, see Non-secure Mode.

Program delivery runs in secure mode by default.

/usr/local/bin/sort_mail

sort_mail

When running in non-secure mode, program delivery will run programs stored anywhere on the network, not just those stored in the trusted directory.

touch INSECURE-PROGRAM-DELIVERIES

For security reasons, program delivery will not run programs as root. In order to use program delivery for an account owned by root, you must designate an alternate user ID to run programs for mail addressed to an account owned by root. For details, see Specifying the User ID for Root (Unix).

For security reasons, the program delivery module is disabled by default and must be explicitly activated by an administrator who is logged in on Messaging Server as root.

1. Enable the program delivery module as described in Enabling the Program Delivery Module.
2. Select the programs that program delivery is going to work with, and make sure that they are safe to run.
3. Install the inspected programs in the trusted directory as described in Installing Trusted Programs (Unix). (Or if you want to run program delivery in non-secure mode, place a file named INSECURE-PROGRAM-DELIVERIES in the trusted directory.)
4. Specify the shells that can be used with program delivery as described in Setting up the List of Valid Shells (Unix).
5. If program delivery is going to be used for accounts owned by root, designate an alternate user ID under which to run programs as described in Specifying the User ID for Root (Unix).

Before installing a program in the trusted directory, first inspect it to make sure it is safe for program delivery to automatically run in response to an incoming message.

If you want to allow users with login shells other than sh, csh, or ksh to use the program delivery feature, you need to set up /etc/shells.

/bin/csh
/bin/sh
/bin/ksh
/usr/bin/sh
/bin/tcsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tcsh

Program delivery will not run programs as root. If you are setting up program delivery for a mail account owned by root, you must specify an alternate user ID under which to run programs.

1. Create a special user ID for running programs for mail accounts owned by root. For example, a user named progdel. Limit the permissions on this account to just those needed to run the programs.
2. Go to the SMTP System tab and enter the user ID for accounts owned by root in the Program Delivery pane. For example, enter progdel in the Safe user ID for running programs box. For details, see Chapter 3, Configuring SMTP Services.
3. (Optional.) If you wish, you can also specify a group ID for running programs for accounts owned by root.

You can temporarily suspend all program deliveries by placing a file named SUSPEND-PROGRAM-DELIVERIES in the trusted directory. The contents of this file do not matter and it does not have to be executable. The name of the file is case-sensitive and must be exactly as shown.

To disable program delivery, simple remove all files from the trusted directory.

• How Program Delivery Works (NT)
• Setting Up Program Delivery (NT)


• Suspending Program Delivery (NT)


• Disabling Program Delivery (NT)

When a program is run in response to an incoming message, that program is run under the server account specified at installation time. You can also use the SMTP System tab to specify an account to run programs.

1. Before running a program, the program delivery module performs two checks:

• It makes sure that the program to be run is stored in the trusted directory. If there is no version of the program in the trusted directory, program delivery exits with an error message to the mail administrator and the incoming message is returned to the sender with an "undeliverable" type notice.
• It makes sure there are no special characters in the specified command. The special characters is looks for are $ ^ & ( ) | \ ; < > CR and LF. So, for example, program delivery will not accept two programs connected by a pipe. If one of these disallowed characters are present, program delivery fails and the incoming message is bounced back to the sender with an "undeliverable" type notice.
2. Messaging Server runs the trusted program.
3. Messaging Server feeds the message to the running program.
4. If the user has designated multiple programs, each program is run in the sequence the user specified.

For security reasons, the program delivery module is disabled by default and must be explicitly activated by an administrator who is logged on Messaging Server with administrator privileges.

1. Enable the program delivery module as described in Enabling the Program Delivery Module.
2. Select the programs that the program delivery module is going to work with and make sure that they are safe to run.
3. Install the inspected programs in the trusted directory as described in Installing Trusted Programs (NT).

You must install in the trusted directory the trusted programs that you want to make available to the program delivery module. First inspect each program to make sure it is safe for program delivery to automatically run in response to an incoming message. Then move or copy the inspected program into the trusted directory.

1. Make sure that mail-filter.exe is safe to run
2. cd server-root\msg-instance\smtp-bin\delivery
3. copy \bin\mail-filter.exe mail-filter.exe

You can temporarily suspend all program deliveries by placing a file named SUSPEND-PROGRAM-DELIVERIES in the trusted directory. The contents of this file do not matter and it does not have to be executable. The name of the file is case-sensitive and must be exactly as shown.

To disable program delivery, simply remove all files from the trusted directory.