Demi M. Obenour:
> Nit: Given the quoted localpart TODO, it might be a good idea to
> suggest limiting the character set that will be matched. On a system
> I ran, I would use:
>
> /etc/postfix/login_senders:
> # Allow both the bare username and user@domain forms.
> /([A-Za-z][A-Za-z0-9_-]*)$/iAE $1, $1...@example.com
>
> but the regex will of course be system-dependent. I say "might"
> because one could reasonably argue that if a user is allowed to login
> with a username containing a comma or space, something has already
> gone wrong.
That requires that Postfix security or system secuity are compromised:
the user can manipulate the setgid postdrop process, or they modified
the system library, or they modified the passsword file. Postfix
does not have to defend against broken security assumptions or
against a hostile super-user.
Wietse
