From: russell@coker.com.au (Russell Coker)
Date: Mon, 23 Feb 2009 11:21:35 +1100
Subject: [refpolicy] procmail etc
Message-ID: <200902231121.38116.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I believe that in retrospect it was a mistake to use the domain procmail_t for procmail. There are several other programs providing essentially the same functionality. I am now using Courier "maildrop" on one important server and will soon evaluate "deliver" from Dovecot.

It seems to me that there is no benefit in trying to isolate the different LDAs from each other. The only situation in which it seems possible to have more than one LDA in use is from a .forward file (under local user control), which therefore has Unix permissions to isolate the different instances.

It would be good to have extensions to some popular MTAs to use a user-specific context for the LDA, which could be something like user_lda_t, staff_lda_t, etc.

While it would be quite possible to extend the courier and dovecot policies to support maildrop and deliver, I think that would be the wrong approach. I believe that the right thing to do is to start by renaming procmail to lda and then adding support for maildrop and deliver. I'll write the policy and send a patch after giving people time to comment.

-- 
russell at coker.com.au
http://etbe.coker.com.au/   My Main Blog
http://doc.coker.com.au/    My Documents Blog
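As an added illustration of the proposal above (this is not Russell's patch and not code from the reference policy tree), here is a sketch of what a single "lda" module could look like: one shared entrypoint type for every LDA binary, a system-wide lda_t that replaces procmail_t, and a template that derives a per-role domain such as user_lda_t or staff_lda_t. The type names lda_t, lda_exec_t, the attribute lda_domain, the template lda_role_template and the particular rules chosen are all assumptions made for this example; the interface and macro names (policy_module, application_domain, domtrans_pattern, userdom_*, mta_manage_spool, files_read_etc_files) are written as I recall them from reference policy and should be checked against the tree you build against.

```m4
policy_module(lda, 1.0.0)

########################################
#
# Declarations
#

# One entrypoint type shared by every LDA binary (procmail, maildrop,
# dovecot deliver). The message argues the LDAs need no isolation from
# each other, so they share lda_exec_t rather than getting a type each.
# (Assumed name for this example.)
type lda_exec_t;
application_executable_file(lda_exec_t)

# Attribute collecting lda_t and every per-role <prefix>_lda_t domain,
# so rules common to all LDA domains can be written once.
# (Assumed name for this example.)
attribute lda_domain;

# Domain used when the MTA runs the LDA for system-wide delivery;
# this is the renamed procmail_t.
type lda_t, lda_domain;
application_domain(lda_t, lda_exec_t)
role system_r types lda_t;

########################################
#
# Per-role template (hypothetical, not shipped by refpolicy):
#   lda_role_template(staff, staff_t, staff_r)  ->  staff_lda_t
#
# $1 = role prefix, $2 = the role's user domain, $3 = the role.
#
template(`lda_role_template',`
	gen_require(`
		attribute lda_domain;
		type lda_exec_t;
	')

	type $1_lda_t, lda_domain;
	application_domain($1_lda_t, lda_exec_t)
	role $3 types $1_lda_t;

	# Executing an LDA from the user domain (e.g. via .forward
	# handling done on the user's behalf) enters the role-specific
	# LDA domain rather than the system-wide lda_t.
	domtrans_pattern($2, lda_exec_t, $1_lda_t)

	# The role-specific LDA delivers into that user's own home
	# content only; it gets no access to other users' mailboxes.
	userdom_manage_user_home_content_dirs($1_lda_t)
	userdom_manage_user_home_content_files($1_lda_t)
')

########################################
#
# Rules common to every LDA domain
#

allow lda_domain self:process signal_perms;
allow lda_domain self:fifo_file rw_fifo_file_perms;

files_read_etc_files(lda_domain)
mta_manage_spool(lda_domain)
```

With this layout, adding maildrop or deliver is a file-context change rather than a new domain: each binary is labelled lda_exec_t in the module's .fc file (for example `/usr/bin/procmail -- gen_context(system_u:object_r:lda_exec_t,s0)`), and the role policies instantiate the template once per role (`lda_role_template(user, user_t, user_r)`, `lda_role_template(staff, staff_t, staff_r)`). What the sketch does not cover is the MTA side Russell mentions: getting the MTA to start the LDA in the user-specific context still needs the MTA extensions he describes, since the transition shown here is only from the user's own domain.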