[Vmail-discuss] Security note for exim and MySQL

Eric Renfro psi-jack@xxxxxxxxxxxxx
Sun, 11 Nov 2001 15:27:37 -0600

Hash: SHA1

|On Sun, Nov 11, 2001 at 01:45:06PM -0600, Eric Renfro wrote:
|> Just in case, I noticed from the documentation of vmail-sql, and 
|> exim's setup:
|> mysql_servers = host/user/pass
|> This alone, is insecure, and should be prepended with the hide 
|> directive to look more like:
|> hide mysql_servers = host/user/pass
|> This will hide that from even just running exim -bP, which any
|> user  could normally run, regardless if they have read access to
|> the conf  file of exim.
|Good point - thanks for that.  Is this option a recent 
|addition to exim? Our 3.13 installation doesn't seem to support it.

Yes, I do believe it is.
It's in my exim-mysql 3.32. I just checked the Changelog in my source
tree for it. The 'hide' pre-directive was added in exim 3.164, for
security reasons.

BTW, Paul.  I must admit. This vmail-sql approach to using SQL
queries GREATLY reduces the amount of configuration directives in my
original flat-file system. I used to use several TRANSPORTS, and
several DIRECTORS to do the same thing, but, so far, from what I'm
seeing, and playing with by juggling the selects manually to test
them out, it looks fairly solid and fully implemented.
I never thought a MySQL approach could be so handy. And since exim's
mysql backend approach allows you to literally set the entire query,
it's the ultimate approach to doing it. I used to have
/etc/virtual/$domain/[aliases|filter|passwd], and
/etc/mail/[userdomains|virtualdomains] all used to do all that.

I'm adding to vmail-sql, for allowing relaying through
virtual-domains as well, and if you would like, I will submit my
sketched changes so you, and everyone else interested, may scan
through it, and look at it, and use it as desired.

- ---
Eric Renfro - Myrddin Computers & Designs
713-595-2104 X2261

Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
Comment:   -- Psi-Jack <Encrypting the Net/Securely>