On Wed, Nov 26, 2008 at 08:48:31PM +0100, Jan P. Kessler wrote:

> Victor Duchovni wrote:
> >On Wed, Nov 26, 2008 at 06:50:13PM +0100, Jan P. Kessler wrote:
> >
> >>would it be possible/valuable to enhance xforward by additional
> >>attributes reflecting the tls parameters of the upstream smtp session?
> >>Background is the current development of a content/proxyfilter.
> >
> >What problem would this solve? If you need the client certificate
> >fingerprint consider the following:
>
> Thank you. Of course it would be easy to add a header (or use the one
> from smtpd_tls_received_header) but that information could be forged
> easily.

No it can easily be forged, because you always add your own Received
header which is at the top of the message, and cannot be forged. PREPEND
actions in restrictions insert above that header, so this too cannot
be forged.

    X-TLS-Client-Fingerprint: ...
    Received: from ... (using <SSLprotocol> ... ) by your-MTA ...

The topmost header "by your-MTA" is trustworthy, as are any headers
above it.

> It would be nice to have reliable data for a
> proxy/content_filter that combines session and content based information.

Headers (parsed properly) can be trusted, and offer more flexibility
than XFORWARD. It is not always easy to get the content you need into
headers, but when you can PREPEND the required data, headers are a fine
interface.

-- 
    Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
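
An added example, not part of the original thread: one way a content filter could apply the rule described in the reply above, accepting an `X-TLS-Client-Fingerprint` header only when it sits above the topmost `Received` header written by its own MTA. The host name `mx.example.org`, the function names, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string

MY_MTA = "mx.example.org"                 # assumption: name your MTA writes after "by"
FP_HEADER = "x-tls-client-fingerprint"    # header name used in the post

def received_by(value):
    """Host after 'by' in a Received header, with (comments) stripped first."""
    flat, prev = " ".join(value.split()), None
    while prev != flat:                   # comments nest, e.g. (using ... (256/256 bits))
        prev, flat = flat, re.sub(r"\([^()]*\)", " ", flat)
    m = re.search(r"(?:^|\s)by\s+(\S+)", flat)
    return m.group(1).lower() if m else None

def trusted_fingerprint(raw_message):
    """Fingerprint found above our own topmost Received header, else None."""
    above = []
    for name, value in message_from_string(raw_message).items():
        if name.lower() == "received":
            # Only the first Received header counts; everything below it
            # arrived from the client and may be forged.
            if received_by(value) == MY_MTA and len(above) == 1:
                return above[0]
            return None                   # not ours, none, or ambiguous: fail closed
        if name.lower() == FP_HEADER:
            above.append(value.strip())
    return None                           # no Received header to anchor trust on

# Constructed sample: client certificate presented, fingerprint PREPENDed.
GENUINE = (
    "X-TLS-Client-Fingerprint: AA:BB:CC:DD\n"
    "Received: from client.example (client.example [192.0.2.10])\n"
    "\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))\n"
    "\tby mx.example.org (Postfix) with ESMTPS id 4F2A1;\n"
    "\tWed, 26 Nov 2008 20:00:00 +0100 (CET)\n"
    "From: a@client.example\n\nbody\n"
)
# Constructed sample: no certificate; the sender supplied its own fingerprint
# header and a fake Received line, both of which land below ours.
FORGED = (
    "Received: from evil.example (evil.example [198.51.100.7])\n"
    "\tby mx.example.org (Postfix) with ESMTP id 9C3B2;\n"
    "\tWed, 26 Nov 2008 20:05:00 +0100 (CET)\n"
    "X-TLS-Client-Fingerprint: 11:22:33:44\n"
    "Received: from inside (inside [192.0.2.99]) by mx.example.org (Postfix)\n"
    "From: b@evil.example\n\nbody\n"
)
```

The `by` match is a simplification of full Received-header parsing; a production filter should also confirm that the message reached it only from its own MTA.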