On 2020-10-04 19:55, Wietse Venema wrote:
> Demi M. Obenour:
>> On 2020-09-30 16:35, Wietse Venema wrote:
>>> Demi M. Obenour:
>>>> - If a message arrives via the SMTPS or submission ports, I
>>>> want to replace the address part of the user-supplied From:
>>>> header with the envelope From: header. This allows me to use
>>>> reject-sender-login-mismatch to prevent users from sending messages
>>>> with forged From: addresses.
>>>
>>> There are two parts to this:
>>>
>>> 1) Locking down the envelope.from.
>>>
>>> With authenticated smtp submission, the envelope.from can be
>>> constrained by smtpd_sender_login_maps.
>>>
>>> With sendmail/postdrop submission the UNIX login name can be
>>> overridden with "sendmail -f". There is no code in Postfix to
>>> lock down "sendmail -f", and there is no 'plugin' interface that
>>> could do this, either. I don't like the idea of adding complex
>>> logic to the set-gid postdrop command to lock down "sendmail
>>> -f". Doing the lockdown in the pickup daemon would be more
>>> secure but has the problem that the 'reject' happens too late.
>>
>> I looked at the postdrop source code to see what locking down "sendmail
>> -f" would entail. Checking that the current user can use `-f` seems
>> to be just looking up the current username in an ACL, which postdrop
>> already does for authorized_submit_users. Checking that -f was not
>> passed looks to just be a string equality check, unless I am missing
>> something. Of course, converting the same UID to a username three
>> times is not a good idea performance-wise, but that can be fixed with
>> some minor refactoring.
>>
>> Another option is to emit a good error message from sendmail, and then
>> do the security check in pickup. If a user calls postdrop directly,
>> the reject will happen late, but my understanding is that this isn't
>> supported.
>>
>> Would you be interested in a patch that implemented either of these
>> options?
>
> I think that the envelope.from lockdown should be enforced in pickup
> or before pickup but not both. If it is both then the code in the
> pickup daemon will be a NOOP. When code is usually a NOOP no-one will
> notice when they break it.
>
> If a sender_login_maps feature can be implemented in postdrop
> without giving an untrusted user control over the program, then
> let's try that.

I would be willing to try, but I suggest we only support "simple" maps
here. Postfix supports a wide variety of map types, and I would rather
not expose that much attack surface in postdrop. Furthermore, in all of
the use cases I can think of, a simple policy is fine. What about
allowing everyone to send mail as themselves, and having a list of users
who can send mail as anyone? That is what Sendmail provides. If a
delimiter is specified in the configuration, it would be honored.

> Note that /usr/sbin/sendmail submission path has not been optimized
> for performance, so adding another getpwuid() call should not be a
> deal breaker.
>
>>> 2) Locking down the header.from based on the envelope.from.
>>>
>>> You need a way to restrict the values of header.from that may
>>> be used with a given envelope.from. There is no such code in
>>> Postfix, but this can be done with a plugin such as a Milter.
>>
>> It looks like this can be implemented (without changes to Postfix
>> itself) by using header_checks(5) to ignore the From: header.
>> cleanup(8) will then insert its own From: header.
>>
>> Is this a good idea? It worked for me when I used sendmail(1).
>
> This will break email that legitimately overrides the envelope sender
> address, such as mailing list managers.

Indeed it would, which is why I was hoping to only specify it for mail
submitted via the submission service, rather than mail coming on port
25. That said, for mail not generated locally, this might lose phrases
in From: headers. OpenSMTPD can be configured to replace the From:
header address with the envelope MAIL FROM address, and hopefully this
would not be too hard to add to Postfix.

> You could specify "pickup -o cleanup_service=local_cleanup" and
> define a custom cleanup service with a custom header_checks action.

Good idea, thanks!

> Wietse

Thank you,
Demi
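The two checks debated in the thread, modelled in Python as an added illustration (this is not Postfix code and not a patch from either participant): stage one decides whether a login may use a given envelope sender under the "simple" policy Demi proposes (everyone as themselves, a trusted set as anyone, address extension after the delimiter ignored); stage two forces the address part of the From: header to the envelope sender while keeping the display-name phrase, the behaviour the thread attributes to OpenSMTPD. The local domain set, the trusted user set, the delimiter and the treatment of the null sender are assumptions chosen for the example.

```python
"""Added example: a model of envelope-sender lockdown and From: rewriting.

Stage 1 mirrors the policy proposed for postdrop/pickup ("sendmail -f"):
  - users in TRUSTED_USERS may use any envelope sender;
  - everyone else may only use <login>@<local domain>, where an address
    extension after DELIMITER is ignored for the comparison.
Stage 2 mirrors the OpenSMTPD-style rewrite mentioned in the thread: the
address in the From: header is replaced by the envelope sender, but the
phrase (display name) is kept.  A Postfix header_checks IGNORE action
would instead drop the whole header, phrase included.
"""
from email.utils import formataddr, parseaddr

LOCAL_DOMAINS = {"example.com"}  # assumed: domains this site accepts as "self"
TRUSTED_USERS = {"postmaster"}   # assumed: logins allowed to send as anyone
DELIMITER = "+"                  # assumed: recipient_delimiter


def strip_extension(local_part: str, delimiter: str = DELIMITER) -> str:
    """Return the local part without its delimiter extension (user+ext -> user)."""
    if delimiter and delimiter in local_part:
        return local_part.split(delimiter, 1)[0]
    return local_part


def envelope_sender_allowed(login: str, envelope_from: str) -> bool:
    """Stage 1: may `login` submit mail with MAIL FROM `envelope_from`?"""
    if login in TRUSTED_USERS:
        return True
    if not envelope_from:
        # Null sender (<>): policy choice for this example, only trusted users.
        return False
    if "@" in envelope_from:
        local_part, domain = envelope_from.rsplit("@", 1)
        if domain.lower() not in LOCAL_DOMAINS:
            return False
    else:
        # Unqualified address: Postfix would append $myorigin; treat as local.
        local_part = envelope_from
    return strip_extension(local_part).lower() == login.lower()


def rewrite_header_from(header_value: str, envelope_from: str) -> str:
    """Stage 2: replace the address in a From: header value, keep the phrase."""
    phrase, _old_address = parseaddr(header_value)
    return formataddr((phrase, envelope_from))


def submit(login: str, envelope_from: str, from_header: str) -> tuple:
    """Run both stages; return ("reject", reason) or ("accept", new From:)."""
    if not envelope_sender_allowed(login, envelope_from):
        return ("reject", f"{login} may not use sender <{envelope_from}>")
    return ("accept", rewrite_header_from(from_header, envelope_from))


if __name__ == "__main__":
    # Constructed sample submissions, not real mail.
    for args in [
        ("demi", "demi+lists@example.com", "Demi Obenour <demi@bogus.example>"),
        ("demi", "alice@example.com", "Alice <alice@example.com>"),
        ("postmaster", "noreply@other.example", "Robot <x@y.example>"),
    ]:
        print(args[0], "->", submit(*args))
```

In a Postfix deployment the second stage is what Wietse's suggestion provides: give pickup (or the submission smtpd) its own cleanup service via the `cleanup_service_name` parameter (the postconf(5) name of the setting quoted as "cleanup_service" above), and point that service's `header_checks` at a table whose `/^From:/ IGNORE` rule drops the user-supplied header so cleanup(8) regenerates it from the envelope sender. As Demi notes, that loses the phrase, which is the gap this example's `rewrite_header_from` illustrates.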