Messaging Server Administrator's Guide: Program Delivery


Chapter 12 Program Delivery

This chapter explains how to set up Netscape Messaging Server to deliver incoming messages to external programs. Because program delivery has significant system security implications, administrators should carefully review and thoroughly understand the security implications before enabling program delivery.

This chapter discusses the following topics:


About Program Delivery
This section gives general overview information about the Netscape Messaging Server program delivery feature.

In this section, the term program refers to:

By default, incoming messages are put in the inbox of the mail account the message is addressed to. Accounts can be configured to perform various operations with the messages they receive, for example putting incoming messages in particular mail folders, forwarding them somewhere else, or generating an automatic response.

To accommodate the needs of advanced users who want more sophisticated control over the handling of their mail, Netscape Messaging Server offers the ability to deliver mail to external programs that can carry out these additional tasks. This is called program delivery. For example:

When you or a user specifies program delivery as an account option, as described in Using Program Delivery to Handle Incoming Mail, one or more programs are run whenever mail addressed to that account is received. Messaging Server starts the program and the mail is handed over to it. The program then performs whatever it is designed to do with incoming messages.

As described in the following sections, an administrator must first enable program delivery on Messaging Server. Once program delivery is enabled, users can select one or more programs to be run when messages addressed to their account are received.

Program Delivery and Mailbox Delivery

Program delivery is independent of, and separate from, delivery of messages to the account's mailbox. An account can use one or both. For example, if both POP/IMAP delivery and program delivery are selected, then incoming messages are delivered to the mailbox and also processed by program delivery.

Program Delivery Failures

If an incoming message is addressed to an account using program delivery, and for some reason program delivery fails, the incoming message is returned to the sender and a "delivery failed" type error message is generated. This might occur, for example, if a particular program is designated to handle incoming messages but the program delivery module cannot find that program because it has been moved or deleted from the directory where program delivery expects to find it.

Because program delivery and mailbox delivery are two separate and distinct operations, messages will be bounced back to senders if one fails even though the other succeeds. For example, if an account is using both program delivery and mailbox delivery, and program delivery fails, an incoming message will be bounced back to the sender with an "undeliverable" notice even though a copy of the message may be successfully delivered to the account's mailbox.


Security Considerations
Because users can specify that program delivery automatically execute one or more programs in response to incoming messages, program delivery could compromise system security if not properly administered. For this reason, program delivery is disabled by default and must be explicitly turned on by an administrator as explained in Enabling the Program Delivery Module.

Trusted Programs and Directory

A trusted program is one that is assumed to function properly when used with program delivery. Before designating a program as trusted, you should carefully inspect it to make sure that program delivery can automatically run it without risking system problems or reducing network security.

The program delivery module looks for trusted programs in a special directory known as the trusted directory. Any program or executable file stored in the trusted directory is assumed to be a trusted program. In other words, you designate a program as trusted by storing it in the trusted directory.

The location of the trusted directory cannot be changed. The location of the trusted directory is:

As an administrator, you must ensure that each trusted program is well understood and known to be safe before placing it in the trusted directory. Make sure that every program stored in the trusted directory does nothing that will compromise security. When examining programs for security problems, keep in mind that system security involves more than just keeping messages and data out of unauthorized hands. An innocent mistake in a poorly written or configured program can cause serious system problems.

When running in secure mode, the program delivery module ignores any path specified in the user's account and only runs programs stored in the trusted directory. This allows an administrator to determine the exact executable files the program delivery feature will run.

For example, if Windows NT users want to set up a program delivery application that notifies them when new mail arrives, they can specify it for their account as:

\bin\new_mail.exe

or simply as

new_mail.exe

Regardless of how users specify new_mail.exe, the program delivery module will only execute the trusted version of new_mail.exe that is stored in the trusted program directory. If there is no version of new_mail.exe in the trusted directory, program delivery exits with an error message to the mail administrator.

Trusted Directory and Operating Modes

Guarding the Trusted Directory

By default, only administrators with root access (Unix), or administrator privileges (NT), can add or change programs in the trusted directory. Netscape recommends that this protection be maintained, and that the permissions for this directory never be relaxed to allow anyone else to add or modify programs in the trusted directory.

With regard to program delivery, the most important aspect of security is preventing unauthorized access to the trusted directory. Because program delivery assumes that any program stored in the trusted directory is secure and safe, it is essential that unauthorized persons are prevented from adding or modifying files in the trusted directory.

Scripts and Batch Files

Unix Environments

In Unix environments, scripts and batch files can be used by program delivery, but extra care should be taken to ensure that they are safe.

Scripts and batch files can run programs that are not stored in the trusted directory. If you use a script or batch file for program delivery, and it calls commands or programs that have not been inspected for safety and stored in the trusted directory, you run the risk of someone substituting or changing that command or program to detrimental effect.

Programs that interpret their input as a sequence of commands to execute (such as sh, tcsh, or perl) should not be used as trusted programs. However, some scripts that run under such programs can be considered safe after careful inspection. For example, it is risky to set up perl as a trusted program, but a carefully inspected perl script might be safe to use.

NT Environments

In Windows NT environments, Netscape recommends that you do not use scripts or batch files for program delivery.


Enabling the Program Delivery Module
For security reasons, program delivery is disabled by default and must be explicitly turned on by an administrator.

In both Unix and Windows NT environments, you enable the program delivery module by placing one or more programs in the trusted directory.

In Unix environments, there are two additional ways of enabling the program delivery module other than placing an executable file in the trusted directory:


Using Program Delivery to Handle Incoming Mail
This section describes how to designate one or more software programs to process incoming messages for an account.

To designate programs to handle incoming mail, the program delivery module must first be set up and enabled as described in Setting Up Program Delivery (Unix) and Setting Up Program Delivery (NT).

Once program delivery is set up and enabled:

Administrators

Administrators can specify program delivery for any account. This can be done through the Create User tab at the time the mail account is created, or through the Edit User tab for an account that already exists.

  1. Before establishing program delivery for a user:

    Make sure program delivery has been enabled as explained in Enabling the Program Delivery Module.

    Make sure the programs to be used for this account have been inspected for safety and placed in the trusted directory. (In Unix environments, you can choose to run program delivery in non-secure mode. In that case, the programs do not have to be stored in the trusted directory.)

  2. Go to the Create User or Edit User tab.
  3. Choose Mail from the menu and click on the Delivery tab.
  4. Check the box labeled "Program delivery." The Properties button is activated.

    POP/IMAP delivery. If the "Enable POP/IMAP delivery" box is also checked, mail will continue to be delivered to the mailbox regardless of program delivery. In other words, if both the "Program delivery" and the "POP/IMAP delivery" boxes are checked, incoming mail will be processed by program delivery and also delivered to the mailbox.

    Unix delivery. The "Unix delivery" box has nothing to do with program delivery. Do not check this box simply because you are operating in a Unix environment. For information on when and why to check the "Unix delivery" box, see Configuring Delivery Options in Chapter 4.

  5. Click the Properties button next to the Program Delivery option. The Program Delivery dialog box is displayed.
  6. In the Program Delivery dialog box, enter the command (program) that is to process incoming messages for this account.

    Unix secure mode. When running program delivery in secure mode, you need only enter the command name; you do not need to enter a path. For example, to run the program named mymail stored in the trusted directory, you enter mymail.

    Unix non-secure mode. When running program delivery in non-secure mode, you must enter an absolute path for the program to run. (Program delivery does not make any use of paths in the account owner's environment.) For example, to run the program named mymail stored in the /usr/bin directory, you enter /usr/bin/mymail.

    NT. You must enter the filename exactly as the filename exists in the trusted directory (including the filename extension). You do not need to enter a path. For example, to run the mymail.exe stored in the trusted directory, you enter mymail.exe.

  7. To run multiple programs, enter each program on a separate line by itself. Programs will be run in the order you specify. For example, to first run the new_mail.exe program, and then the sort_mail.cmd program, simply enter:

        new_mail.exe
        sort_mail.cmd

  8. Now click on OK.
Note: Messaging Server will allow you to enter the name of a program that has not been placed in the trusted directory (or a program with an incorrect path if running in Unix non-secure mode). But program delivery will fail when it tries to use that program. At that point a "delivery failed" type error message will be sent to the mail administrator and the incoming message bounced back to the sender with an "undeliverable" type notice.

To stop using program delivery to handle incoming messages for this account, simply delete the programs from the dialog box and uncheck the Program Delivery box.

To change the programs that program delivery runs for this account, simply add, delete, or change the programs listed in the dialog box.

Users and Account Owners

End users can designate program delivery for their accounts through the end user Server Account Management forms. To designate one or more programs to handle incoming mail for their accounts, end users should follow these steps:

  1. Check with the appropriate administrator to:
  2. Go to the Delivery Options tab of the Server Account Manager.
  3. In the Extra Processing pane of the Delivery Options tab, check the box labeled "Filter all incoming messages through one or more programs."

    Note that program delivery is separate from, and independent of, mailbox delivery. If either the "Your POP3/IMAP mailbox" or "Your UNIX mailbox" boxes are also checked, mail will continue to be delivered to the end user's mailbox regardless of program delivery. In other words, if both the "Filter all..." and the "POP3/IMAP mailbox" boxes are checked, incoming mail will be processed by program delivery and also be delivered to the user's mailbox.

  4. In the dialog box, enter the command (program) that will process incoming messages for this account:

    Unix secure mode. By default, program delivery runs in secure mode in Unix environments. Check with the administrator to confirm that it is running in secure mode. Under secure mode, users need only enter the command name; they do not need to enter a path. For example, to run the program named mymail stored in the trusted directory, enter mymail.

    Unix non-secure mode. If program delivery is running in non-secure mode, users must enter an absolute path locating the program to be run. (Program delivery does not make any use of the user path as stored in the user environment.) For example, to run the program named mymail stored in the /usr/bin directory, enter /usr/bin/mymail.

    NT. In NT environments, the user must enter the filename exactly as the filename exists in the trusted directory (including the filename extension). Users do not need to enter a path. For example, to run the mymail.exe stored in the trusted directory, enter mymail.exe.

    To run multiple programs, enter each program on a separate line by itself. Programs will be run in the order you specify. For example, to first run the new_mail.exe program, and then the sort_mail.cmd program, simply enter:

        new_mail.exe
        sort_mail.cmd

  5. Click Change.
Note: Messaging Server will allow users to enter the name of a program that has not been placed in the trusted directory (or a program with an incorrect path if running in Unix non-secure mode). But program delivery will fail when it tries to use that program. At that point an error message is sent to the mail administrator and the incoming message bounced back to the sender with an "undeliverable" type notice.

To stop using program delivery to handle incoming messages for this account, simply uncheck the "Filter all..." box and delete the names of the program, or programs, listed in the dialog box. Then click Change.

To change the programs that program delivery runs for your mail, simply add, delete, or change the programs listed in the dialog box; then click Change.


Program Delivery in Unix Environments
This section discusses the following topics:

Program Delivery and Unix

The following factors should be considered when using program delivery in Unix environments:

Messaging Server therefore won't run commands for users who aren't normally allowed to log in and type the commands themselves.

How Program Delivery Works (Unix)

When a program is run in response to an incoming message, that program is run under the user ID of the owner of the account the message is addressed to. For example, if a message is addressed to the salesdata account, the program is run under the user ID of the owner of the salesdata account. Note, however, that for security reasons, program delivery will not run programs under the root user ID. For additional information on running programs for the root account, see Specifying the User ID for Root (Unix).

The following algorithm is used to handle incoming mail when program delivery has been specified as a delivery option for incoming mail:

  1. Messaging Server sets up a restricted environment consisting of only the variables TZ and AGENT.
  2. Messaging Server permanently gives up root permissions by changing to those of the controlling user (using setuid(2)). The controlling user is the owner of the account the incoming message is addressed to. If the account is owned by root, the controlling user is the designated user as described in Specifying the User ID for Root (Unix). Messaging Server changes to the controlling user's home directory if possible (it remains in /tmp if a failure occurs).
  3. Messaging Server performs two checks:
  4. Messaging Server starts the program.
  5. Messaging Server feeds the message to the program.
  6. If the user has designated multiple programs, each program is run in the sequence the user specified.
If the program exits abnormally or produces any output, an error message is generated.
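
The Unix sequence above, sketched in Python as an added example (not Netscape's code); it covers steps 1, 2 and 4 through 6 plus the failure rule, and leaves out the two checks of step 3. Assumptions: each program is given as an argv list, the AGENT value and the 30-second timeout are placeholders, output on stderr counts as output, and later programs still run after one fails.

```python
import os
import subprocess


def restricted_env(agent, tz=None):
    """Step 1: the child sees only TZ and AGENT (no PATH, LD_*, IFS, HOME)."""
    env = {"AGENT": agent}      # placeholder value; the real contents are not given
    tz = os.environ.get("TZ") if tz is None else tz
    if tz:
        env["TZ"] = tz
    return env


def controlling_uid(owner_uid, safe_uid=None):
    """Step 2: choose the user ID to run under; never root."""
    if owner_uid != 0:
        return owner_uid
    if not safe_uid:            # None or 0: no usable alternate user ID
        raise PermissionError("account is owned by root and no safe user ID is set")
    return safe_uid


def deliver(programs, message, env, home, identity=None):
    """Steps 2 and 4-6. Returns one (program, ok, reason) tuple per program.

    identity is the (uid, gid) to switch to and needs root; None keeps the
    current user so the sketch can be tried unprivileged.
    """
    # Use the home directory if possible, otherwise stay in /tmp.
    cwd = home if os.path.isdir(home) else "/tmp"
    switch = {}
    if identity is not None:
        uid, gid = identity
        # Python >= 3.9: setgroups/setregid/setreuid run in the child before
        # exec, so the program cannot regain root afterwards.
        switch = {"user": uid, "group": gid, "extra_groups": []}
    results = []
    for argv in programs:       # run in the order the account lists them
        try:
            proc = subprocess.run(argv, input=message, env=env, cwd=cwd,
                                  stdout=subprocess.PIPE,
                                  stderr=subprocess.STDOUT,
                                  timeout=30, **switch)
        except (OSError, subprocess.SubprocessError) as exc:
            results.append((argv[0], False, "could not run: %s" % exc))
            continue
        if proc.returncode != 0:
            results.append((argv[0], False, "abnormal exit %d" % proc.returncode))
        elif proc.stdout:
            # Any output at all is treated as a delivery error.
            results.append((argv[0], False, "produced output"))
        else:
            results.append((argv[0], True, ""))
    return results
```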

Secure and Non-secure Modes (Unix)

For general security-related information that applies to both the Unix and NT versions of program delivery, see Security Considerations.

The program delivery module in Netscape Messaging Server can operate in one of two security modes:

In this context, an executable file is any Unix file with execute permission or a link (hard or soft) to an executable file. In other words, program delivery treats links to programs as if they were the programs themselves.

Netscape recommends that you run program delivery in secure mode. Secure mode allows you as an administrator to specify that program delivery only run those executables that you have examined for security problems and placed in the trusted directory.

Netscape recommends against running program delivery in non-secure mode. In this mode any program anywhere on the network can be used by program delivery and there is no way to ensure that those programs are safe.

Secure Mode

Program delivery runs in secure mode by default.

When running in secure mode, the program delivery module ignores any path specified in the user's account and runs the version of the program that is stored in the trusted directory. This allows the administrator to specify the exact executable files that the program delivery feature will run. If the program is not stored in the trusted directory, program delivery exits with an error message.

For example, if users want to set up a program named sort_mail to sort new mail into folders as it arrives, they can specify it in their account as:

/usr/local/bin/sort_mail

or as

sort_mail

Regardless of whether or not the user specifies a path, if program delivery is running in secure mode (as Netscape recommends) program delivery will only execute the version of sort_mail in the trusted directory.

Non-secure Mode

When running in non-secure mode, program delivery will run programs stored anywhere on the network, not just those stored in the trusted directory.

Non-secure mode allows any user to have program delivery run any program, or any version of any program. If users can create (or modify) programs for program delivery to automatically run in response to an incoming message, there is no way to ensure that those programs are safe. Therefore, Netscape cautions that running in non-secure mode endangers system and network security.

To run program delivery in non-secure mode, simply place a file named INSECURE-PROGRAM-DELIVERIES in the trusted directory. The contents of this file do not matter and it does not have to be executable. The name of the file is case-sensitive and must be exactly as shown.

To create this file:

touch INSECURE-PROGRAM-DELIVERIES

If a file named INSECURE-PROGRAM-DELIVERIES is present in the trusted directory, program delivery runs the program identified by the absolute path specified by the user (or administrator). In other words, when program delivery is running in non-secure mode, programs must be qualified by an absolute path in the program delivery dialog box as explained in Using Program Delivery to Handle Incoming Mail.

In non-secure mode, program delivery relies entirely on the specified path. Even if there is a version of the program in the trusted directory, unless the absolute path points to that directory, program delivery will not run it. If no path is specified, or the path is incorrect, program delivery fails and an error message is generated. When program delivery fails, the incoming message is returned to the sender with an "undeliverable" type notice.

To stop running program delivery in non-secure mode and return to secure mode, simply remove the INSECURE-PROGRAM-DELIVERIES file from the trusted directory.
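
How an account entry maps to the file that is run in each mode, as an added Python example (not Netscape's code). The trusted directory is passed in as a parameter, and checking the suspend marker before the mode marker is an assumption, since the page does not state their precedence.

```python
import ntpath
import os
import posixpath
import stat

INSECURE_MARKER = "INSECURE-PROGRAM-DELIVERIES"
SUSPEND_MARKER = "SUSPEND-PROGRAM-DELIVERIES"


class DeliveryError(Exception):
    """Program delivery fails; the message is bounced to the sender."""


class DeliverySuspended(Exception):
    """Program delivery is suspended; the message stays queued."""


def resolve_program(trusted_dir, entry):
    """Return the path program delivery would execute for one account entry."""
    names = os.listdir(trusted_dir)      # exact, case-sensitive file names
    if not names:
        raise DeliveryError("program delivery is disabled: trusted directory is empty")
    if SUSPEND_MARKER in names:
        raise DeliverySuspended("program deliveries are suspended")

    if INSECURE_MARKER in names:
        # Non-secure mode: only the absolute path in the account counts, even
        # if a program of the same name sits in the trusted directory.
        if not posixpath.isabs(entry):
            raise DeliveryError("non-secure mode needs an absolute path: %r" % entry)
        candidate = entry
    else:
        # Secure mode: ignore whatever path the user typed, keep the file name.
        # ntpath.basename splits on both "/" and "\".
        name = ntpath.basename(entry)
        if name in ("", ".", "..", INSECURE_MARKER, SUSPEND_MARKER):
            raise DeliveryError("not a program name: %r" % entry)
        candidate = os.path.join(trusted_dir, name)

    try:
        st = os.stat(candidate)          # follows links, as program delivery does
    except OSError:
        raise DeliveryError("no such program: %s" % candidate)
    if not (stat.S_ISREG(st.st_mode) and st.st_mode & 0o111):
        raise DeliveryError("not an executable file: %s" % candidate)
    return candidate
```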

Running Programs as root

For security reasons, program delivery will not run programs as root. In order to use program delivery for an account owned by root, you must designate an alternate user ID to run programs for mail addressed to an account owned by root. For details, see Specifying the User ID for Root (Unix).

Setting Up Program Delivery (Unix)

For security reasons, the program delivery module is disabled by default and must be explicitly activated by an administrator who is logged in on Messaging Server as root.

The administrator must perform the following procedures to set up program delivery:

  1. Enable the program delivery module as described in Enabling the Program Delivery Module.
  2. Select the programs that program delivery is going to work with, and make sure that they are safe to run.
  3. Install the inspected programs in the trusted directory as described in Installing Trusted Programs (Unix). (Or if you want to run program delivery in non-secure mode, place a file named INSECURE-PROGRAM-DELIVERIES in the trusted directory.)
  4. Specify the shells that can be used with program delivery as described in Setting up the List of Valid Shells (Unix).
  5. If program delivery is going to be used for accounts owned by root, designate an alternate user ID under which to run programs as described in Specifying the User ID for Root (Unix).
Once these steps have been completed and program delivery is set up, program delivery can be used to handle incoming mail as described in Using Program Delivery to Handle Incoming Mail.

Installing Trusted Programs (Unix)

Before installing a program in the trusted directory, first inspect it to make sure it is safe for program delivery to automatically run in response to an incoming message.

Then move or copy the inspected program into the trusted directory.

You can use a link in the trusted directory to a program stored somewhere else, but using a link may weaken security. By default, only administrators with root privileges can modify or replace a program in the trusted directory, but if you link to a program stored in a directory that grants broader access privileges, you run the risk of someone substituting a poorly written, corrupt, or unauthorized version of the program.
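
A read-only audit of the trusted directory for the weaknesses this chapter warns about (loose permissions, links to programs stored elsewhere, command interpreters, mode marker files), as an added Python example that is not part of the original guide. The finding labels and the admin_uid parameter are this example's own, and the directory is passed in as a parameter.

```python
import os
import stat

MARKERS = {"INSECURE-PROGRAM-DELIVERIES", "SUSPEND-PROGRAM-DELIVERIES"}
INTERPRETERS = {"sh", "tcsh", "perl"}    # the ones the page names; extend locally


def _others_can_modify(st, admin_uid):
    """True if the owner is not the administrator or group/other may write."""
    return st.st_uid != admin_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_trusted_dir(trusted_dir, admin_uid=0):
    """Return (finding, name) pairs; an empty list means nothing was flagged."""
    findings = []
    if _others_can_modify(os.stat(trusted_dir), admin_uid):
        findings.append(("dir-writable", trusted_dir))
    real_dir = os.path.realpath(trusted_dir)

    for name in sorted(os.listdir(trusted_dir)):
        if name in MARKERS:
            # Not a program: it switches the operating mode, so report it.
            findings.append(("mode-marker", name))
            continue
        target = os.path.realpath(os.path.join(trusted_dir, name))
        try:
            st = os.stat(target)
        except OSError:
            findings.append(("dangling-link", name))
            continue
        # A trusted interpreter runs whatever commands it is fed.
        if name in INTERPRETERS or os.path.basename(target) in INTERPRETERS:
            findings.append(("interpreter", name))
        if _others_can_modify(st, admin_uid):
            findings.append(("program-writable", name))
        # A second hard link may live in a directory with weaker protection.
        if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            findings.append(("hard-link", name))
        target_dir = os.path.dirname(target)
        if target_dir != real_dir:
            # Soft link to a program stored elsewhere: whoever can write to
            # that directory can substitute the program.
            findings.append(("link-outside", name))
            if _others_can_modify(os.stat(target_dir), admin_uid):
                findings.append(("link-target-dir-writable", name))
    return findings
```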

Setting up the List of Valid Shells (Unix)

If you want to allow users with login shells other than sh, csh, or ksh to use the program delivery feature, you need to set up /etc/shells.

If you're creating the /etc/shells file for the first time, you need to include entries for any of the six default shells that you want to allow.

Here is an example of a /etc/shells file:

/bin/csh
/bin/sh
/bin/ksh
/usr/bin/sh
/bin/tcsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tcsh

Specifying the User ID for Root (Unix)

Program delivery will not run programs as root. If you are setting up program delivery for a mail account owned by root, you must specify an alternate user ID under which to run programs.

To specify the user ID for accounts owned by root, follow these steps:

  1. Create a special user ID for running programs for mail accounts owned by root. For example, a user named progdel. Limit the permissions on this account to just those needed to run the programs.
  2. Go to the SMTP System tab and enter the user ID for accounts owned by root in the Program Delivery pane. For example, enter progdel in the Safe user ID for running programs box. For details, see Chapter 3, Configuring SMTP Services.
  3. (Optional.) If you wish, you can also specify a group ID for running programs for accounts owned by root.
(Note that the pane labeled Unix delivery has nothing to do with the program delivery module being described in this chapter.)

Suspending Program Delivery (Unix)

You can temporarily suspend all program deliveries by placing a file named SUSPEND-PROGRAM-DELIVERIES in the trusted directory. The contents of this file do not matter and it does not have to be executable. The name of the file is case-sensitive and must be exactly as shown.

When program delivery is suspended, incoming messages are not bounced back to the sender; instead, they simply queue up waiting for program delivery to be resumed. Therefore, administrators are cautioned not to suspend program delivery for long periods of time.

To resume program delivery, simply remove the SUSPEND-PROGRAM-DELIVERIES file from the trusted directory.

Disabling Program Delivery (Unix)

To disable program delivery, simply remove all files from the trusted directory.

If program delivery is disabled, messages addressed to accounts that have specified program delivery as a delivery option are bounced back to the sender. This occurs even if the account has also enabled POP/IMAP mailbox delivery. In other words, if both program delivery and mailbox delivery are set up for an account, and all files are removed from the trusted directory, one copy of an incoming message will be placed in the account's mailbox and the message will also be bounced back to the sender with an "undeliverable" type notice.


Program Delivery in NT Environments
This section discusses the following topics:

How Program Delivery Works (NT)

When a program is run in response to an incoming message, that program is run under the server account specified at installation time. You can also use the SMTP System tab to specify an account to run programs.

The following algorithm is used to handle incoming mail when program delivery has been specified as a delivery option for incoming mail:

  1. Before running a program, the program delivery module performs two checks:
  2. Messaging Server runs the trusted program.
  3. Messaging Server feeds the message to the running program.
  4. If the user has designated multiple programs, each program is run in the sequence the user specified.
If the program exits abnormally or produces any output, an error message is generated and the incoming message is bounced back to the sender with an "undeliverable" type notice.

Setting Up Program Delivery (NT)

For security reasons, the program delivery module is disabled by default and must be explicitly activated by an administrator who is logged on to Messaging Server with administrator privileges.

The administrator must perform the following procedures to set up program delivery:

  1. Enable the program delivery module as described in Enabling the Program Delivery Module.
  2. Select the programs that the program delivery module is going to work with and make sure that they are safe to run.
  3. Install the inspected programs in the trusted directory as described in Installing Trusted Programs (NT).
Once these steps have been completed and program delivery is set up, users can pick the trusted programs that they want program delivery to run when they receive messages. For information on how users select program delivery, see Using Program Delivery to Handle Incoming Mail.

Installing Trusted Programs (NT)

You must install in the trusted directory the trusted programs that you want to make available to the program delivery module. First inspect each program to make sure it is safe for program delivery to automatically run in response to an incoming message. Then move or copy the inspected program into the trusted directory.

For example, to enable the program delivery module to use a filter program named mail-filter.exe, follow these steps:

  1. Make sure that mail-filter.exe is safe to run.
  2. cd server-root\msg-instance\smtp-bin\delivery
  3. copy \bin\mail-filter.exe mail-filter.exe

Suspending Program Delivery (NT)

You can temporarily suspend all program deliveries by placing a file named SUSPEND-PROGRAM-DELIVERIES in the trusted directory. The contents of this file do not matter and it does not have to be executable. The name of the file is case-sensitive and must be exactly as shown.

When program delivery is suspended, incoming messages are not bounced back to the sender; instead, they simply queue up waiting for program delivery to be resumed. Therefore, administrators are cautioned not to suspend program delivery for long periods of time.

To resume program delivery, simply remove the SUSPEND-PROGRAM-DELIVERIES file from the trusted directory.

Disabling Program Delivery (NT)

To disable program delivery, simply remove all files from the trusted directory.

If program delivery is disabled, messages addressed to accounts that have specified program delivery as a delivery option are bounced back to the sender. This occurs even if the account has also enabled POP/IMAP mailbox delivery. In other words, if both program delivery and mailbox delivery are set up for an account, and all files are removed from the trusted directory, one copy of an incoming message will be placed in the account's mailbox and the message will also be bounced back to the sender with an "undeliverable" type notice.

 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.