Demi M. Obenour:
> There was a recent vulnerability in OpenBSD due to libc malfunctioning
> in a set-uid-root program under very low resource limits. I would
> prefer to minimize the amount of third-party libraries that are used
> by postdrop. That said, another option would be to error out if the
> resource limits are below what we consider a reasonable minimum.

Another good reason for not using set-uid root programs... I don't
think it is practical for Postfix to have universal minimal resource
limits. You can add some custom OPENBSD code later.

> > If you are thinking of skipping the Postfix dictionary API and
> > crafting your own table lookups, then that is definitely
> > not going to happen.
>
> Indeed that would be a bad idea.
>
> >> What about allowing everyone to send mail as themselves, and having
> >> a list of users who can send mail as anyone? That is what Sendmail
> >> provides. If a delimiter is specified in the configuration, it would
> >> be honored.
> >
> > By default, a user can send mail as everyone, and that default
> > behavior cannot be changed. So the question becomes: what is the
> > behavior? I think it should behave like smtp_sender_login_maps,
> > because there is no reason to invent new behavior.
>
> Agreed. This also lets us use common code for both ACLs.
>
> > This means the search string is the UNIX username, and the lookup
> > result is a comma-separated list of things (usernames and/or email
> > addresses) that they may specify as the envelope sender address.
> >
> > Your 'identity' mapping then looks like this:
> >
> > /etc/postfix/main.cf:
> >     local_sender_login_maps =
> >         pcre:/etc/postfix/local_sender_logins
> >
> > /etc/postfix/local_sender_logins
> >     /(.+)/ $1, $1...@example.com
> >
> > I.e. a user can send mail only if the envelope sender equals their
> > login name, or usern...@example.com. There will need to be a wildcard
> > pattern that allows all, as would be needed by a content filter
> > that re-injects mail using the Postfix sendmail command.
>
> That looks good. I do wish there was a way (other than allow
> all) to express that Alice can send mail as al...@example.com,
> alice+t...@example.com, alice+te...@example.com, etc. I might just
> not know of such a method, however, and in any case that is not
> related to the current project.

Surprise: Postfix has a strip_addr() function that can remove address
extensions before enforcing the ACL.

> Is the code in smtpd_check.c a good place to start?

Yes. It also helps you to become familiar with Postfix's approach to
parsing.

	Wietse
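To make the ACL semantics discussed in this thread concrete, here is an added Python sketch (not Postfix code) of a first-match pcre-style table lookup keyed on the UNIX username, a strip_addr()-style removal of the address extension, and the comparison of the envelope sender against the comma-separated lookup result. The table is constructed for the example; the `filter` account, the `*` wildcard convention, the `+` delimiter and the `example.com` domain are assumptions.

```python
import re

# Constructed table in the spirit of the thread's local_sender_logins:
# (pcre pattern, result). First match wins, as in a Postfix pcre: table.
# ASSUMPTIONS: a "filter" account for a re-injecting content filter, "*"
# as the wildcard convention, and example.com as the local domain.
LOCAL_SENDER_LOGIN_MAPS = [
    (r"^filter$", "*"),
    (r"^(.+)$", "$1, $1@example.com"),
]


def lookup(table, key):
    """First-match pcre-style lookup; expands $N from the capture groups."""
    for pattern, result in table:
        m = re.match(pattern, key)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), result)
    return None


def strip_addr(addr, delimiter):
    """Drop the address extension (e.g. '+test') from the localpart,
    in the spirit of Postfix strip_addr(); an empty delimiter disables it."""
    local, at, domain = addr.partition("@")
    if delimiter:
        local = local.split(delimiter, 1)[0]
    return local + at + domain


def sender_allowed(table, username, envelope_sender, delimiter="+"):
    """True if the UNIX user may submit mail with this envelope sender.

    The lookup key is the username; the result is a comma-separated list
    of usernames and/or addresses they may use as the envelope sender.
    """
    result = lookup(table, username)
    if result is None:
        return False          # no entry for this user: deny
    allowed = {item.strip().lower() for item in result.split(",")}
    if "*" in allowed:
        return True           # wildcard entry: any sender is accepted
    sender = strip_addr(envelope_sender.strip().lower(), delimiter)
    return sender in allowed


if __name__ == "__main__":
    for user, sender in [("alice", "alice+tag@example.com"),
                         ("alice", "bob@example.com"), ("filter", "x@elsewhere.org")]:
        print(user, sender, sender_allowed(LOCAL_SENDER_LOGIN_MAPS, user, sender))
```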