Designing CGI scripts: efficiency and security


sheila
04-04-2001, 11:37 AM
I'm starting to write some of my first scripts, and I have a lot to learn in the areas of efficiency and security. I'm trying to do my homework on those topics. I've been searching the web and reading newsgroups and trying to get some background. I don't fully appreciate Terra's list here:
http://www.aota.net/ubb/Forum5/HTML/001229-2.html

but I'm working on it.

Anyhow, here's my question:

I'm writing my script in Python and there are two ways for me to send the mail, after I've composed the message.
(1) a statement that basically writes to "sendmail" like this:

import os

# Open a pipe to sendmail; -t makes it read the recipients from the message headers
f = os.popen(PathToSENDMAIL + ' -t', 'w')
f.write(text)
f.close()

where "text" is the text string that is the message.

-OR-

(2) use the smtplib module for Python. This basically opens a SMTP connection to the designated host (a socket?), which could be the local host or a remote host. Obviously, if the host is remote, this is the only way to go (option (1) won't work in this case). However, if the host is local, I have a choice of methods.

I was asking about security, actually, in comp.lang.python, when someone made these comments:

"Using the smtplib module is more secure and less system overhead."
Asking for further explanation, he added:


Sheila King wrote:
>
> Less system overhead? That is exactly the opposite
> information from what I got,
> [..]
> And I'd have to say that my experimenting confirms this.

Hmm, might be indeed less latency to call the sendmail executable
than doing the whole SMTP connection. Personally I'm a little bit
scared about forking shells in a CGI-BIN (system overhead). And I
don't like to install a MTA on all web servers.

So, I'm asking for advice, here. Which would be easier on the server? Opening a file and writing to sendmail? Or, opening a socket connection? (The former makes my script run a lot faster. However, as far as the script is concerned, it is less secure, and perhaps harder on system resources?)

sheila
04-05-2001, 12:02 PM
OK, maybe my first post was too long, or I shouldn't have said "Python", or everyone is just too busy talking about spam...

Let me rephrase and put it much more concisely:
Which is less taxing on the server:
(1) To open a pipe to sendmail and send an outbound email by writing to a file object that is pointing to sendmail,
-OR-
(2) To open a socket to a SMTP host and send the email that way.

<edit: added> Let me clarify, that in the case that the SMTP host is the localhost. In other words, through both methods I'm still delivering to the localhost. Which is more server friendly? </edit: added>

???????

Also, if anyone knows of any good Communities/BBS/MailingLists, etc. for CGI script authors that don't mind helping out newbies, I would appreciate a point in the right direction. If it is only about Perl scripting, that wouldn't help me a whole lot, but if they tolerate *general* questions about CGI scripting, not particular to a given language, that would be a fantastic resource.

I don't understand the whole fork/exec stuff real well. Does anyone have a reference on that? I have a copy of O'Reilly's "Running Linux, 2nd ed." here, but the terms: fork, exec, socket do not appear in the index. It seems more of a book for administration (i.e. proper commands and how they work), rather than about the theory of machine architecture and how the system actually operates (underlying stuff).


[This message has been edited by sheila (edited 04-05-01@11:05 am)]

PaulKroll
04-05-2001, 12:55 PM
I'm not sure we know for sure the difference in server load from using sendmail to opening the smtp port...

...however, I'm pretty sure the smtp port-opening would be considerably more secure than running sendmail.

For sending an e-mail from a script to your FQ account, which is what it sounds like you're doing, I suspect either one is going to be relatively low-load. The smtp port open is generally less overhead when you're communicating with an external host, because instead of spawning another process to run sendmail, you're using the already-running-process to talk to the external host. In this situation, whether you use sendmail, or use smtp and talk to the server, you're opening a process on the same machine.

As for places to talk about general CGI: I don't know of ANY. The world seems convinced that CGI is "Perl" and vice versa. On the other hand, Perl >IS< worth knowing, and a good way to advocate for a language is to spend time amongst its competitor's fans so you know where they're coming from... :)

Rich
04-05-2001, 02:43 PM
> The world seems convinced that CGI is "Perl" and vice versa
Huh? You mean they're not the same? :)

I, too, am confused as to when things fork and when they do not and I have not found any good references for them.

As far as security is concerned, I'm not convinced that either method would be more or less secure than the other. If what is being sent is plain text then the security should be the same with either choice. If what is being sent has already been encrypted, then, again, the security would be the same with either method.

If it were a choice between using a library module that I may not be familiar with and do not know what it might (or might not) be doing vs. piping to the sendmail program on the server maintained by the FQ admins, I would have to choose the pipe since I would have more faith and confidence in this. In this respect, I believe using a distributed library module would be less secure--unless of course, you have investigated thoroughly how it is written and what it does.

Rich

[This message has been edited by Rich (edited 04-05-01@1:44 pm)]

sheila
04-05-2001, 03:23 PM
Hi Rich and Paul! :)

> For sending an e-mail from a script to your FQ account, which is what it sounds like you're doing, I suspect either one is going to be relatively low-load.

OK, I'm not going to worry about the server-stress end of it, too much, then. I have received conflicting advice on comp.lang.python, and it seems that people sometimes have their minds made up about something, and just give short little quips of replies, without explaining their reasoning. And then when advice conflicts, I'm not sure what to conclude! But I think you are right. The quote I had above, someone talked about "forking" in the CGI-BIN being something he didn't want to put his server through unnecessarily (could be potential server stress?). But, it seems to me, that to open a socket, the machine has to run a process anyhow, also? So I don't see why one would be easier on the machine than the other.

Yes, I'm trying to have a cgi script send an e-mail to my SMTP host here at FQ.

Rich: A SMTP connection is WAY more secure than piping to sendmail, but I think you are thinking of a different type of security issue than I am. Merchant/SSL guy that you are, you are thinking of encrypting data, instead of passing it back and forth in the clear. That usually isn't the security issue of concern, when it comes to CGI scripting. The security issue there, is that someone would break into/hack the server.

The reason sending to a SMTP port is more secure than piping to sendmail:
Sendmail is accessed via a commandline prompt, and takes switches, arguments, additional parameters. Maybe some hacker type can think of something to enter, so that he gets command line control. I still don't think that is going to be an issue in my script, since I don't let the user input the path to sendmail. However, why take chances?

The SMTP access, on the other hand, opens a TCP/IP connection to a SMTP host that only understands SMTP commands, and nothing else. There is no way to get command line control in that situation. As a matter of fact, due to the very limited number of SMTP commands, and the strict requirements on the format of the data exchange, any data that does not fit the required format basically causes the receiving server to say, "Huh?" and issue an error message.

Of course, at FQ we aren't really using sendmail anyhow, but I'm planning on releasing this script at some point, and not everyone is smart enough to use Qmail instead.

You do mention, that you'd want to be certain about the SMTP library module you are using, and that is probably good advice. I've looked over the code for the Python SMTP module, and it looks solid to me. It basically opens a socket, and in telnet type fashion, sends commands back and forth with the receiving SMTP host, following the SMTP protocol outlined in RFC 822.

There is a SMTP module available for Perl, as well. I hear that it works great.

As for Perl == CGI, it sure seems that most people see it that way. I'm sure that Perl will be useful to me at some point. Just not this week. (Actually, I do want to learn to read the code a bit better. I'm running several Perl scripts on my site, that I got from various places, and sometimes I like to go in and adjust the code and tweak it a bit. I think it would be a lot easier to do that, if I understood Perl a bit better.)
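
The two delivery methods compared in this thread, as an added example that is not part of any post above: the pipe method is shown in its shell-parsed form next to a form that passes sendmail an argument list, followed by the smtplib method. The sendmail path, the use of `-f` to carry a request-supplied envelope sender, and all function names are assumptions made for illustration.

```python
import smtplib
import subprocess
from email.message import EmailMessage

SENDMAIL = "/usr/sbin/sendmail"  # assumed path, not from the thread

def build_message(from_addr, to_addr, subject, body):
    """Compose the mail. EmailMessage raises ValueError if a header value
    contains CR/LF, so a form field cannot smuggle in extra headers
    (which matters with -t, where recipients come from the headers)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def legacy_command(envelope_sender):
    """Risky form: one string for os.popen(), which /bin/sh parses, so
    shell metacharacters in the value are interpreted."""
    return SENDMAIL + " -t -i -f " + envelope_sender

def sendmail_argv(envelope_sender):
    """Hardened form: an argv list; each value stays a single argument."""
    if envelope_sender.startswith("-"):
        raise ValueError("value would be read as a sendmail option")
    return [SENDMAIL, "-t", "-i", "-f", envelope_sender]

def send_via_pipe(msg, envelope_sender, run=subprocess.run):
    """Method (1) without a shell: exec sendmail directly, message on stdin."""
    return run(sendmail_argv(envelope_sender), input=msg.as_bytes(),
               shell=False, check=True)

def send_via_smtp(msg, host="localhost", smtp_factory=smtplib.SMTP):
    """Method (2): speak SMTP to the host; the script spawns no process."""
    with smtp_factory(host) as server:
        return server.send_message(msg)
```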