Demi M. Obenour:

> On 2020-09-30 10:08, Wietse Venema wrote:
> > Demi M. Obenour:
> > 
> >> When a message is submitted using postdrop, Postfix is obviously aware
> >> of which user submitted it, as it includes the UID in the Received:
> >> header.  Is it possible to use this information in a canonical(5)
> >> table, or is a milter required?
> >>
> >> Thank you,
> > 
> > You mean the numerical UID that is shown in a comment:
> > 
> > Received: by mail.example.com (Postfix, from userid 1001)
> >         id 4C1dKq2WvyzJrNw; Wed, 30 Sep 2020 10:04:31 -0400 (EDT)
> > 
> > Postfix address rewriting is limited to headers that contain only
> > addresses: From:, To:, Cc:, Reply-To:, and the like. And address
> > rewriting never looks at the content of comments.
> > 
> > For everything else Postfix can only replace entire headers (through
> > header checks or milter header delete/insert actions).
> > 
> >     Wietse
> 
> Darn.  I was hoping that I could get by without a milter, but now it
> is clear that a milter will be needed, at least with current Postfix.
> 
> How difficult would it be to implement this natively in Postfix?
> More specifically:
> 
> - If a message arrives via the SMTPS or submission ports, I
>   want to replace the address part of the user-supplied From:
>   header with the envelope From: header.  This allows me to use
>   reject-sender-login-mismatch to prevent users from sending messages
>   with forged From: addresses.

There are two parts to this:

1) Locking down the envelope.from.

   With authenticated smtp submission, the envelope.from can be
   constrained by smtpd_sender_login_maps.

   With sendmail/postdrop submission the UNIX login name can be
   overridden with "sendmail -f". There is no code in Postfix to
   lock down "sendmail -f", and there is no 'plugin' interface that
   could do this, either. I don't like the idea of adding complex
   logic to the set-gid postdrop command to lock down "sendmail
   -f". Doing the lockdown in the pickup daemon would be more
   secure but has the problem that the 'reject' happens too late.

2) Locking down the header.from based on the envelope.from.

    You need a way to restrict the values of header.from that may
    be used with a given envelope.from. There is no such code in
    Postfix, but this can be done with a plugin such as a Milter.

So it looks pretty hopeless as a feature request to me.

    Wietse
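
The header.from restriction from part 2, written out as the decision a milter could make once it has the envelope sender and the header block. This is an added example, not part of the original thread and not Postfix code; `check_header_from` and the `allowed` alias map are hypothetical names, and the milter protocol glue is left out.

```python
from email.parser import HeaderParser
from email.utils import getaddresses


def normalize(addr):
    """Lower-case the domain part; leave the local part untouched."""
    local, sep, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}" if sep else addr


def check_header_from(envelope_from, raw_headers, allowed=None):
    """Return (verdict, reason) for one message's header block.

    allowed is a hypothetical map: envelope sender -> extra header.from
    addresses that sender may use (role aliases, for example).
    """
    msg = HeaderParser().parsestr(raw_headers)
    from_headers = msg.get_all("From", [])
    # Exactly one From: header, or receivers may display a different one.
    if len(from_headers) != 1:
        return "reject", f"expected 1 From: header, found {len(from_headers)}"
    # Only the address part is compared; the display name is free text.
    addrs = [normalize(a) for _, a in getaddresses(from_headers) if a]
    if len(addrs) != 1:
        return "reject", f"expected 1 From: address, found {len(addrs)}"
    env = normalize(envelope_from)
    permitted = {env} | {normalize(a) for a in (allowed or {}).get(env, ())}
    if addrs[0] in permitted:
        return "accept", "header.from permitted for envelope.from"
    return "reject", f"{addrs[0]} not permitted for {env}"


if __name__ == "__main__":
    # Constructed sample messages: (envelope.from, header block).
    aliases = {"alice@example.com": {"support@example.com"}}
    samples = [
        ("alice@example.com", "From: Alice <alice@EXAMPLE.com>\nSubject: hi\n\n"),
        ("alice@example.com", "From: Support <support@example.com>\n\n"),
        ("alice@example.com", "From: Bob <bob@example.com>\n\n"),
        ("alice@example.com", "From: alice@example.com, bob@example.com\n\n"),
        ("alice@example.com", "Subject: no From header\n\n"),
    ]
    for env, headers in samples:
        print(env, check_header_from(env, headers, aliases))
```

The check is only as strong as the envelope.from it is given, so it is meaningful for authenticated SMTP submission constrained by smtpd_sender_login_maps, not for "sendmail -f" submission.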
