On Mon, Sep 05, 2016 at 07:52:02PM +0800, Eric Abrahamsen wrote:
> I have a postfix/dovecot installation on the same server as my company's
> webapp. This webapp involves a lot of regular data entry, which is a
> real pain to do using HTML forms. What I would really like to do is be
> able to send structured emails to the server, and have postfix pass them
> through a transport to the webapp (a Django site), which would parse the
> emails and do CRUD stuff with the database.
> 
> I can figure the details out myself, but I'm hoping to get advice on one
> particular question: security.
> 
> I guess the safest thing would be to require logged-in users: presumably
> I could find a way to only accept emails from a local account, but that
> would require everyone who had access to this system to have an account
> on the server.
> 
> The other option would be to maintain a list of authorized email
> addresses, and then check incoming messages against this list. This
> would be preferable, in that I don't have to bother users to create and
> set up (and remember to use) a separate email account. My question is,
> is there a truly secure way of only accepting emails from authorized
> addresses? Or should I just go with option one and require users to have
> accounts?

Envelope sender / From: field is not to be trusted. Anyone can submit a
message with any envelope sender to an unauthenticated mail server.

I can see two ways of handling this. One is to implement standard
submission port authentication / TLS on this machine, possibly with
virtual users to prevent the need for all users to have local accounts.
The other way is to configure the machine to only accept incoming mail
from your organization's main mail server(s). That way, your regular
mail servers will perform the sender authentication, and then you can
rely on the envelope sender (presuming your main mail servers do not
allow sender spoofing).

--Sean
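
The two approaches described in the reply above, sketched as Postfix settings; this is an added example, not configuration from the original thread. The relay address 192.0.2.10, the map file names under /etc/postfix, the example.com addresses and logins, and the Dovecot auth socket at private/auth are assumptions, and TLS certificates are assumed to be configured in main.cf already.

```conf
# ---- Option A: authenticated submission (master.cf) ----
# Port 587 service: mandatory TLS, SASL handled by Dovecot (which can
# serve virtual users), and no unauthenticated clients.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/sender_login
  -o smtpd_sender_restrictions=reject_sender_login_mismatch

# /etc/postfix/sender_login (constructed sample; run postmap after editing)
# Left: envelope sender. Right: SASL login allowed to use that sender.
# Without this binding an authenticated user can still claim any sender.
#   alice@example.com    alice
#   bob@example.com      bob

# ---- Option B: accept SMTP only from the main mail server (main.cf) ----
# Every other client is rejected, so the envelope sender is only as
# trustworthy as the upstream server's own anti-spoofing policy.
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/trusted_relays,
    reject

# /etc/postfix/trusted_relays (constructed sample; cidr tables need no postmap)
#   192.0.2.10/32    OK
```

In either setup the webapp should compare the envelope sender that Postfix hands to the transport against its authorized list, not the From: header parsed out of the message body.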
