After today's occurrence of missing tls_wrappermode configuration I was thinking about Postfix SMTP server support to detect a TLS handshake where an SMTP command is expected.
Such a feature should be enabled by default, otherwise it would not be useful. It should also be configurable by default, because of Postfix quality standards.

We already have smtpd_forbidden_commands which is enabled by default to allow CONNECT etc. commands from malware that scans for open proxies.

Unfortunately, smtpd_forbidden_commands has a limitation that it can support pcre etc. tables only as an external file. Which is not good for a feature that is preferably enabled by default.

I then realized that we could make Postfix map support a little smarter with only minor changes to internals.

Suppose that in main.cf a table is specified as

    pcre:{{/pattern/ value}, ...}
    cidr:{{net/mask value}, ...}
    blah:{text...}

Here, the pcre:, cidr:, and so on are followed by '{text}' instead of a pathname.

Postfix already has code that can read and write an in-memory file. There only needs to be a conversion from {text} into a form that can be handled by the pcre, regexp, cidr, etc. implementations that currently read a table definition from file.

	Wietse
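
A sketch of the idea in the message above, added here as an example (it is not Postfix code and not from the author): it splits a table written in the `type:{{rule}, ...}` form into rules held in memory and uses them to flag a TLS handshake where an SMTP command is expected. The rule contents, result names, function names and sample bytes are assumptions constructed for illustration, and Python's `re` stands in for the pcre implementation.

```python
import re

# Constructed inline table in the "type:{{rule}, ...}" form from the message.
# Rule 1: a TLS record starts with content type 0x16 (handshake), then version 3.x.
SPEC = (r"pcre:{{/^\x16\x03[\x00-\x04]/ tls-handshake}, "
        r"{/^(CONNECT|GET|POST)\b/ proxy-probe}}")

def split_inline_table(spec):
    """Return (map_type, [rule_text, ...]) for 'type:{{rule}, {rule}}'."""
    map_type, sep, body = spec.partition(":")
    body = body.strip()
    if not sep or not (body.startswith("{") and body.endswith("}")):
        raise ValueError("not an inline table")
    inner, rules, depth, start = body[1:-1], [], 0, 0
    for i, ch in enumerate(inner):
        if ch == "{":
            if depth == 0:
                start = i + 1          # rule text begins after its opening brace
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
            if depth == 0:             # closing brace of a top-level rule
                rules.append(inner[start:i].strip())
    if depth != 0:
        raise ValueError("unbalanced braces")
    return map_type, rules

def compile_rules(rule_texts):
    """Turn '/pattern/ value' rules into (bytes regex, value) pairs; no flags handled."""
    compiled = []
    for text in rule_texts:
        m = re.fullmatch(r"/(.+)/\s+(\S.*)", text)
        if not m:
            raise ValueError("bad rule: %r" % text)
        compiled.append((re.compile(m.group(1).encode("latin-1")), m.group(2)))
    return compiled

def classify(first_bytes, spec=SPEC):
    """Return the value of the first rule matching the client's first input, else None."""
    _, texts = split_inline_table(spec)
    for regex, value in compile_rules(texts):
        if regex.search(first_bytes):
            return value
    return None

# Constructed sample: TLS record header (type 0x16, version 3.1, length) + ClientHello start.
CLIENT_HELLO = bytes.fromhex("16030100c8010000c40303")
```
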