> On Nov 12, 2019, at 3:56 PM, Ján Lalinský <lalin...@c4.cz> wrote:
>
> To achieve this, I'd like to set up Postfix+Linux-based outgoing mail
> server, possibly with some helper daemon. Any incoming TCP connection on
> localhost:25 where Postfix listens will be handled in a way dependent on the
> UID of the process that initiated it. In short, I want to police the emails
> based not on the sender email address or IP address, but based on the sender
> UNIX UID.

The bad news is that on a multi-processing Linux system it is not possible to reliably determine the UID at the other end of a loopback TCP connection. The data in /proc/net/tcp or exposed via AF_NETLINK lacks the read/write barriers required to ensure that the client pid/uid are visible on the server's CPU at the time that the server accepts the client's connection.

Some time back a feature was proposed on LKML to implement the SO_PEERCRED socket option for loopback TCP, but this was (wrongly) rejected. We're therefore left with no good options when clients are limited to TCP and cannot be configured to use unix-domain sockets.

You can determine the peer uid only some (perhaps even most, depending on system load, ...) of the time, but all the available mechanisms are subject to race conditions.

--
    Viktor.
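
The two mechanisms contrasted in the reply above, as an added example that is not part of the original message: a best-effort /proc/net/tcp lookup for a loopback TCP peer, next to SO_PEERCRED on a unix-domain socket. The function names are hypothetical, the table snapshot is constructed, and a little-endian Linux host is assumed.

```python
import os
import socket
import struct

ESTABLISHED = "01"  # value of the st column for an established connection

def hex_endpoint(ip, port):
    # /proc/net/tcp prints an IPv4 address as a native-endian 32-bit hex word;
    # little-endian is assumed here, so 127.0.0.1 becomes 0100007F.
    word = struct.unpack("<I", socket.inet_aton(ip))[0]
    return "%08X:%04X" % (word, port)

def tcp_peer_uid(table, peer, local):
    """Best-effort UID of the client end of an accepted loopback connection.

    table is the text of /proc/net/tcp; peer and local are (ip, port) as the
    server sees them. Returns None when no matching row is visible. A non-None
    result is only a snapshot, so policy code must treat it as a hint.
    """
    want_local, want_remote = hex_endpoint(*peer), hex_endpoint(*local)
    for line in table.splitlines()[1:]:            # skip the header row
        f = line.split()
        if len(f) < 8:
            continue
        # The client's own socket has the two addresses swapped relative to ours.
        if f[1] == want_local and f[2] == want_remote and f[3] == ESTABLISHED:
            return int(f[7])                        # uid column
    return None

def unix_peer_uid(sock):
    """UID the kernel recorded for the peer of a unix-domain socket."""
    creds = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                            struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid

# Constructed snapshot: listener, server end (uid 0), client end (uid 1001).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:C350 0100007F:0019 01 00000000:00000000 00:00000000 00000000  1001        0 20003 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    print(tcp_peer_uid(SAMPLE, ("127.0.0.1", 50000), ("127.0.0.1", 25)))
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    print(unix_peer_uid(a) == os.getuid())
```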