On 2020-09-30 16:35, Wietse Venema wrote:
> Demi M. Obenour:
>> - If a message arrives via the SMTPS or submission ports, I
>> want to replace the address part of the user-supplied From:
>> header with the envelope From: header. This allows me to use
>> reject_sender_login_mismatch to prevent users from sending messages
>> with forged From: addresses.
>
> There are two parts to this:
>
> 1) Locking down the envelope.from.
>
> With authenticated smtp submission, the envelope.from can be
> constrained by smtpd_sender_login_maps.
>
> With sendmail/postdrop submission the UNIX login name can be
> overridden with "sendmail -f". There is no code in Postfix to
> lock down "sendmail -f", and there is no 'plugin' interface that
> could do this, either. I don't like the idea of adding complex
> logic to the set-gid postdrop command to lock down "sendmail
> -f". Doing the lockdown in the pickup daemon would be more
> secure but has the problem that the 'reject' happens too late.

I looked at the postdrop source code to see what locking down "sendmail -f" would entail. Checking that the current user can use `-f` seems to be just looking up the current username in an ACL, which postdrop already does for authorized_submit_users. Checking that -f was not passed looks to be just a string equality check, unless I am missing something. Of course, converting the same UID to a username three times is not a good idea performance-wise, but that can be fixed with some minor refactoring.

Another option is to emit a good error message from sendmail, and then do the security check in pickup. If a user calls postdrop directly, the reject will happen late, but my understanding is that this isn't supported.

Would you be interested in a patch that implemented either of these options?

> 2) Locking down the header.from based on the envelope.from.
>
> You need a way to restrict the values of header.from that may
> be used with a given envelope.from. There is no such code in
> Postfix, but this can be done with a plugin such as a Milter.

It looks like this can be implemented (without changes to Postfix itself) by using header_checks(5) to ignore the From: header. cleanup(8) will then insert its own From: header. Is this a good idea? It worked for me when I used sendmail(1). Doing it on mails received via SMTP would not be a good idea, and I don't see a non_smtp_header_checks, but there might be an alternative that I am missing.

Thank you for your time and effort.

Sincerely,

Demi
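The two-part setup discussed in this thread (tie the envelope sender to the SASL login, then drop the client-supplied From: so that cleanup(8) regenerates it from the envelope sender), written out as an added configuration example. It is not from the thread or from the Postfix project; the map names, the `/etc/postfix/...` paths and the `subcleanup` service name are assumptions. It goes one step beyond the message above: instead of a global header_checks, the submission and smtps services hand mail to their own cleanup service via cleanup_service_name, so the From: rewrite never touches mail arriving on port 25. always_add_missing_headers is set on that service so the From: header is regenerated even when the submitting client is not covered by local_header_rewrite_clients.

```conf
# main.cf (added example; map name and path are assumed)

# Part 1: the envelope sender must be one the authenticated login owns.
smtpd_sasl_auth_enable = yes
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# /etc/postfix/sender_login_maps (constructed sample; run "postmap" on it)
#   alice@example.org   alice
#   alice@example.net   alice

# master.cf: both authenticated entry points reject a mismatched envelope
# sender and route accepted mail to a dedicated cleanup service.
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o cleanup_service_name=subcleanup
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o cleanup_service_name=subcleanup

# Part 2: a cleanup instance used only by the services above. Its header
# check discards the user-supplied From:, and cleanup(8) then inserts a
# From: built from the (already verified) envelope sender.
subcleanup unix  n  -  n  -  0  cleanup
  -o header_checks=pcre:/etc/postfix/submission_header_checks
  -o always_add_missing_headers=yes

# /etc/postfix/submission_header_checks (assumed path)
/^From:/   IGNORE
```

Mail that reaches the default cleanup service (port 25, pickup(8)) is unaffected, which is the separation the message above was looking for. The display name is lost along with the address, since IGNORE removes the whole header; preserving it would need the Milter route Wietse mentions.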