This appendix explains how to set up the messaging server to deliver incoming
messages to external programs.
Note
Program delivery is currently available only on the Unix platform. This feature is disabled by default and must be enabled before it can be used.
Here's what you'll read about in this appendix:
You can configure each account in the messaging server to do a variety of things with messages it receives. Usually this involves putting the message in a mailbox, forwarding it somewhere else, or generating an automatic response. To accommodate the needs of advanced users who want tighter control over the handling of their mail or to create autonomous services such as a file server, Netscape Messaging Server offers the ability to deliver mail to external programs that can carry out these additional tasks.
When you set up program delivery for an account, a custom program will be run whenever mail arrives for that account. The messaging server starts the program as if it were logged in to the host as the recipient of the mail, and the mail is handed over to the program. The following two examples describe situations in which program deliveries are helpful.
Program delivery can be used to help sort mail. If you receive a great deal of email, you might want to consider using a mail filter. In this type of program delivery, messages are delivered to the filtering program as they arrive. The mail filter scans each message to determine into which of several mailboxes it should be put, and then delivers it there.
An automatic filter can usually sort messages based on the sender or the topic of the message.
Program delivery can also be used as an email file server. Some sites have a lot of information that they wish to make publicly available. The most common way to share files on the Internet is to make them available through the File Transfer Protocol (FTP) or the World Wide Web (WWW).
Many people, however, have only email access to the Internet and can't benefit from such services. You can make files available to these people with a file server that can send documents in response to received email requests. A request sent to your typical email file server consists of one or more commands such as this:
SEND /documents/internet/rfc/rfc0822.txt
The following terms are used throughout this section:
-r-s--x--- 1 root mta 70064 Feb 17 10:32 Program-Deliver
/usr/local/bin/new_mail
/home/user3/bin/new_mail
new_mail
and the trusted version of the new_mail program found in the trusted program directory will be executed. The details of how to set up the trusted program directory are included later in this appendix.
/bin/sh /usr/bin/sh
/bin/csh /usr/bin/csh
/bin/ksh /usr/bin/ksh
The messaging server therefore won't run commands for users who aren't normally allowed to log in and type the commands themselves.
The program delivery module in the messaging server can operate in one of two modes, either trusted or untrusted, depending on the level of security desired. The module determines which operating mode to use by checking for programs in the trusted program directory.
If no programs are found, the system operates in trusted mode and lets users run any command on the system. If at least one file is in the trusted program directory, the system runs in untrusted mode and restricts users to running only the trusted programs. Only the system administrator (that is, root) of the machine is allowed to add or remove trusted programs, so the untrusted mode is very secure. Regardless of how accounts are set up, because the trusted programs are the only programs on the system that the mail delivery module will run, the security vulnerability of a system running the messaging server is limited to this small collection of programs.
The system administrator will ensure that each trusted program is well understood and known to be safe. In particular, programs that interpret their input as a sequence of commands (such as shells like sh and csh or scripting languages like perl and tclsh) are not usually set up as trusted programs.
The following algorithm is used to deliver mail to a user with a valid shell when the messaging server is set up in untrusted mode:
As server administrator, you are less likely to run the program delivery module in trusted mode. This is because trusted mode bypasses some of the security systems that systems administrators use. For example, in trusted mode users can set up accounts with improper system permissions, because they can assign an arbitrary Unix login to any account. Such an account could then be used to run commands as the assigned user, provided the user has a valid shell. Trusted mode can also open the doors to system invasion via the Internet.
When using trusted mode, you and the system administrator can take precautions that minimize the risks. First, set up the messaging server to run in the untrusted mode by default; this is done by adding selected programs to the trusted program directory. Second, set up special accounts such as bin, sys, adm, and so forth with shells that aren't valid for delivering mail to programs. (Note that leaving the shell field blank doesn't accomplish this because a default of /bin/sh is assumed.) In the trusted mode, it's especially important not to override the checking of valid shells in /etc/shells.
The following algorithm is used by the messaging server when delivering mail through the program delivery facility to a user with a valid shell:
The following instructions explain the steps that must be performed to enable program deliveries. Server administrators and system administrators must work together to complete these steps. Because of the security issues involved, the program delivery module is disabled by default and must be activated explicitly by the system administrator.
The commands shown in the examples assume that the executable programs have been installed in /opt/NscpMail. In the executable directory are several subdirectories, including local/ and trusted/, where the program delivery module and the trusted program directory, respectively, are located.
The program delivery module is activated by performing two simple steps as root. The resulting mode of operation is the trusted mode, so further configuration is required to set up the untrusted mode (which is highly recommended for most situations) with a list of trusted programs.
Whenever the program delivery module finds a file named NO-PROGRAM-DELIVERIES in the trusted program directory, it refuses to deliver mail to any program. If a mail user attempts to deliver mail to a program (by setting the option on the Account or Information form), the messaging server generates an error message to the "postmaster."
You or the system administrator must remove this file for program deliveries to work.
cd /usr/netscape/suitespot/trusted
rm NO-PROGRAM-DELIVERIES
Note
The filename must be typed exactly as shown in all capital letters and with dashes.
To run programs as a controlling user, the program delivery module needs to be setuid-root. This step probably must be completed by your system administrator. If the setuid-root permission bit isn't set, messages destined for users' programs are deferred until either the setuid bit is enabled or the maximum queue time expires and the message is returned to the sender.
cd /usr/netscape/suitespot/local
chmod u+s Program-Deliver
If you want to set up the messaging server to run in the more secure untrusted mode, you must set up some trusted programs. To do this, you or the system administrator must copy each program to the trusted program directory or create a link in the directory to the program. This short example shows one way to set up a program called mail-filter as a trusted program:
cd /usr/netscape/suitespot/trusted
ln -s /usr/bin/mail-filter mail-filter
Note
It's important to remember that programs that interpret their input as a sequence of commands to execute (such as sh, tclsh, or perl) should not be set up as trusted programs. However, some scripts that run under such programs can be considered safe after careful inspection.
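The following script is an added example, not part of the original Netscape documentation. It audits a trusted program directory according to the rules in this appendix: it reports whether the module would be disabled, trusted or untrusted, and flags entries that are, or link to, a command interpreter. The function names, the interpreter list beyond sh, csh, perl and tclsh, and the sample links are assumptions.

```sh
#!/bin/sh
# Added example: audit a trusted program directory (not vendor code).
KILL_SWITCH="NO-PROGRAM-DELIVERIES"
# Assumption: interpreter names to flag; the appendix names sh, csh, perl and tclsh.
INTERPRETERS="sh csh ksh tcsh bash perl tclsh"

# Print "disabled", "trusted" (empty directory, any command allowed) or "untrusted".
delivery_mode() {
    if [ -e "$1/$KILL_SWITCH" ]; then echo disabled; return 0; fi
    for entry in "$1"/*; do
        if [ -e "$entry" ] || [ -L "$entry" ]; then echo untrusted; return 0; fi
    done
    echo trusted
}

# Print the name of every trusted entry that is, or links to, a command interpreter.
interpreter_entries() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        target=$name
        if [ -L "$entry" ]; then target=$(basename "$(readlink "$entry")"); fi
        for interp in $INTERPRETERS; do
            if [ "$name" = "$interp" ] || [ "$target" = "$interp" ]; then
                echo "$name"
                break
            fi
        done
    done
    return 0
}

# Constructed sample: one ordinary filter and one interpreter linked under another name.
sample=$(mktemp -d)
ln -s /usr/bin/mail-filter "$sample/mail-filter"
ln -s /usr/bin/perl "$sample/report-gen"
echo "mode: $(delivery_mode "$sample")"
echo "interpreters: $(interpreter_entries "$sample")"
rm -rf "$sample"
```

Checking the link target as well as the entry name matters because a trusted entry created with ln -s can carry any name.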
If you want to allow users with login shells other than sh, csh, or ksh to use the program delivery feature, you need to set up /etc/shells. Your system administrator may wish to perform this task. Note that if you're creating the /etc/shells file for the first time, you need to include entries for any of the six default shells that you want to allow. Here's an example of a possible /etc/shells file:
% cat /etc/shells
/bin/csh
/bin/ksh
/bin/tcsh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/tcsh
%
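The following script is an added example, not part of the original Netscape documentation. It lists which accounts in a passwd-format file have a login shell that is valid for program delivery, which shows why special accounts such as bin and sys need an explicitly invalid shell. It assumes the six default shells apply only when no shells file exists; the function names and the sample account data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not vendor code): which accounts have a shell valid for program delivery?
# The six defaults listed in this appendix, used when no shells file exists (assumption).
DEFAULT_SHELLS="/bin/sh /usr/bin/sh /bin/csh /usr/bin/csh /bin/ksh /usr/bin/ksh"

# Print the valid shells one per line: the shells file if it exists, else the defaults.
valid_shells() {
    if [ -f "$1" ]; then
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
    else
        printf '%s\n' $DEFAULT_SHELLS
    fi
}

# Print login names from a passwd-format file ($1) whose shell is valid per $2.
# A blank shell field is treated as /bin/sh, so it does not block delivery.
deliverable_accounts() {
    valid_shells "$2" | awk -F: '
        NR == FNR { ok[$0] = 1; next }
        { shell = ($7 == "") ? "/bin/sh" : $7; if (shell in ok) print $1 }
    ' - "$1"
}

# Constructed sample data: special accounts named in the text plus one ordinary user.
write_sample() {
    cat > "$1/passwd" <<'EOF'
bin:x:2:2:bin:/bin:
sys:x:3:3:sys:/dev:/bin/sh
adm:x:4:4:adm:/var/adm:/sbin/nologin
user3:x:1003:100:User Three:/home/user3:/bin/tcsh
EOF
    printf '%s\n' /bin/csh /bin/ksh /bin/tcsh /usr/bin/csh /usr/bin/ksh /usr/bin/tcsh > "$1/shells"
}

work=$(mktemp -d)
write_sample "$work"
echo "no shells file:   $(deliverable_accounts "$work/passwd" "$work/absent" | tr '\n' ' ')"
echo "with shells file: $(deliverable_accounts "$work/passwd" "$work/shells" | tr '\n' ' ')"
rm -rf "$work"
```

With the defaults, the blank-shell bin account and sys both qualify for program delivery; with the sample shells file shown above, only the tcsh user does.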
You or your system administrator can disable the program delivery module by replacing the NO-PROGRAM-DELIVERIES file. As long as this file remains in the trusted program directory, the messaging server will not deliver any mail to programs.
cd /usr/netscape/suitespot/trusted
touch NO-PROGRAM-DELIVERIES
Note
Type the filename exactly as shown (in all capital letters with dashes: NO-PROGRAM-DELIVERIES) to disable the program delivery feature.
The server administrator sets up program deliveries by using the Mail User Information section of the New User form, in the Administration Server's Users & Groups menu. To do this, you will need a Unix login that has a valid shell. One or more programs should be listed in the trusted program directory.
Note
The program delivery facility is disabled by default, so you or the system administrator must turn it on before setting up any program deliveries.
This section assumes that you've already set up an account. To implement program delivery, you should select program delivery as a delivery option in the Mail User Information portion of the New User form.
The command-line argument in the Program Deliveries field should indicate a program that is listed in the trusted program directory, unless the module is configured in trusted mode. In untrusted mode, you can't use characters in the command that have special meaning to a shell.
The Unix LoginName field must be a valid Unix login name.
The Unix form, which is available from the Messaging Server's System Settings menu of forms, provides settings related to program delivery.
Note
Because program delivery is available only on Unix systems, Windows NT users will not be able to access this form.
The "Interface to the Unix mail system" section of the Unix form allows the server administrator to specify the local mail delivery program used onsite. The "program delivery options" section allows the server administrator or system administrator to further define the security of the program delivery module. Netscape Messaging Server, by default, will not allow a mail program to be run as root, even if it is specified in the Unix login for the account. For program delivery, the Messaging Server allows for a "safe" account, one that is not a member of any group and has no access to user directories, that will be considered the default ID for a user with root permissions.
System administrators can create an isolated account, with no access to sensitive directories or groups, and server administrators or system administrators can specify that user ID and group ID in this section. If the Messaging Server is asked to deliver mail for a root user, these default user and group IDs are used.