Re: Debug verbosity not becoming laconic

2019-04-10 Thread James Moe
On 09/04/2019 10.27 AM, Wietse Venema wrote:

> That's DEBUG-PEER-LIST, not DEBUG-PEER-LEVEL.
>
  Yes, commenting the correct option works.
  Thank you.

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.





Re: Postfix users receive spam pretending to be sent from their accounts.

2019-04-10 Thread Dominic Raferd
On Mon, 8 Apr 2019 at 18:31, Ntek, SIA Janis  wrote:

> Thank you for quick responses!
>
> Dominic Raferd's reply was the most helpful and a good how-to :)
>
> Just to summarize, how many From sender spoofing methods are there?
> 1) envelope-sender (What Viktor said)
> 2) Address in Header From (What Dominic said)
> 3) Privileged domain in text of *Header From* (What Dominic said)
>

I don't think there is a definitive list because as soon as there is, those
lovely people out there will think of a new way round it.

Here's another type of From header spoof:
From: Dominic Raferd 

Another trick of theirs is to set the From header text in some encoding, because
Postfix doesn't decode before processing. But SpamAssassin does.
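The spoof types enumerated in the two messages above (envelope sender, header From address, protected domain in the display name, and the RFC 2047 encoded variant) can be told apart mechanically. The following classifier is an added example and is not code from the original post or from Postfix. It assumes `example.com` is the domain being protected, uses a deliberately simple From parser (the angle-bracketed address wins, which is what a mail client displays), and the sample inputs in the comments and tests are constructed.

```python
"""Classify From-spoofing patterns in an inbound message (added example).

Inputs: the SMTP envelope sender, the raw RFC 5322 From header exactly as
Postfix sees it (still RFC 2047 encoded), and whether the session was
SASL-authenticated.  All sample values are constructed for illustration.
"""
import re
from email.header import decode_header, make_header

PROTECTED_DOMAIN = "example.com"   # assumption: the domain we host

# Deliberately simple, not a full RFC 5322 parser: if there is an
# angle-bracketed address it wins (that is what MUAs display); otherwise the
# whole field is treated as a bare addr-spec with no display name.
_ANGLE = re.compile(r"^(?P<display>.*?)\s*<(?P<addr>[^<>]+)>\s*$", re.S)


def decode_rfc2047(raw):
    """Decode =?charset?enc?...?= words.  Postfix header_checks never do."""
    return str(make_header(decode_header(raw)))


def split_from(value):
    """Return (display_name, address) from a From field value."""
    m = _ANGLE.match(value)
    if m:
        display, addr = m.group("display"), m.group("addr")
    else:
        display, addr = "", value
    return display.strip().strip('"').strip(), addr.strip()


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify(envelope_sender, raw_from, authenticated=False,
             protected=PROTECTED_DOMAIN):
    """Return the list of spoof indicators found (empty list: nothing found).

    Numbering follows the thread: 1) envelope sender, 2) header From
    address, 3) protected domain inside the display name, plus
    'rfc2047-encoded' when indicator 3 only appears after decoding.
    """
    p = protected.lower()
    findings = []
    display, addr = split_from(decode_rfc2047(raw_from))
    env_dom, hdr_dom = domain_of(envelope_sender), domain_of(addr)

    # 1) envelope sender claims our domain on an unauthenticated session
    if env_dom == p and not authenticated:
        findings.append("envelope-sender")
    # 2) header From address claims our domain while the envelope does not,
    #    or the session is unauthenticated
    if hdr_dom == p and (env_dom != p or not authenticated):
        findings.append("header-from-address")
    # 3) our domain shows up in the display name, the real address is elsewhere
    if p in display.lower() and hdr_dom != p:
        findings.append("header-from-display-name")
        # only visible after RFC 2047 decoding: a raw header_checks pattern
        # for the domain would never have matched
        raw_display, _ = split_from(raw_from)
        if p not in raw_display.lower():
            findings.append("rfc2047-encoded")
    return findings


if __name__ == "__main__":
    # constructed samples, one per spoof type
    samples = [
        ("bounce@evil.test", "Boss <boss@example.com>", False),
        ("boss@example.com", "Boss <boss@example.com>", False),
        ("x@evil.test", '"boss@example.com" <attacker@evil.test>', False),
        ("x@evil.test", "=?utf-8?q?boss=40example=2Ecom?= <attacker@evil.test>", False),
    ]
    for env, hdr, auth in samples:
        print(f"{hdr!r:60} -> {classify(env, hdr, auth)}")
```

Mapping back to Postfix: indicator 1 is what `reject_unauthenticated_sender_login_mismatch` with `smtpd_sender_login_maps` covers; indicators 2 and 3 need `header_checks` or a milter, and because `header_checks` patterns are applied to the raw, still-encoded header text, the encoded variant slips past a plain domain regex unless the check decodes first, which is the point of the post.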


Re: TLS client certificates and auth external

2019-04-10 Thread Emmanuel Fusté

On 27/03/2019 at 18:10, Emmanuel Fusté wrote:

On 27/03/2019 at 17:14, Viktor Dukhovni wrote:

On Wed, Mar 27, 2019 at 04:31:33PM +0100, Emmanuel Fusté wrote:


The goal is to be as transparent as possible:
- if the client is not found in the relay_clientcerts, act as usual
- if the client is found in the relay_clientcerts, no longer announce
AUTH support, the auth and identity mapping is already done by the
relay_clientcerts map

I believe you're asking Postfix to (when configured to do that)
simulate "AUTH EXTERNAL" when the client has presented a client
certificate, but proceeds from "EHLO" to "MAIL FROM" with no
intervening explicit "AUTH".
Yes, exactly: if a hash-to-SASL-id/username mapping is found in
relay_clientcerts.


The simulated "AUTH EXTERNAL" would never "fail" (5XX), it either
yields an authenticated user or proceeds with the user unauthenticated,
and acts accordingly.

Does that sound right?
Yes; in the unauthenticated case (client not present in relay_clientcerts),
the simulated "AUTH EXTERNAL" must ideally not be performed, and AUTH
support should be announced as usual, as this is perhaps a client with proper
AUTH support (otherwise it would be listed with a mapping in
relay_clientcerts).


OK, patch attached.
It needs to be applied on top of Bastian's one.
Works well here, thanks to the hard part done by Bastian!
Please comment.

Emmanuel.
--- postfix-3.4.5/src/smtpd/smtpd_sasl_glue.c   2019-04-10 12:26:39.571554576 
+0200
+++ postfix-3.4.5-cert-auto/src/smtpd/smtpd_sasl_glue.c 2019-04-10 
12:35:26.189153746 +0200
@@ -201,6 +201,7 @@
 static const NAME_CODE sasl_tls_user[] = {
SASL_TLS_USER_NAME_COMMON_NAME, SASL_TLS_USER_COMMON_NAME,
SASL_TLS_USER_NAME_RELAY_CLIENTCERTS, SASL_TLS_USER_RELAY_CLIENTCERTS,
+   SASL_TLS_USER_NAME_RELAY_CLIENTCERTS_AUTO, 
SASL_TLS_USER_RELAY_CLIENTCERTS_AUTO,
0, SASL_TLS_USER_NONE
 };
 #endif
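Review bot: the new accepted value "relay_clientcerts_auto" is added to the sasl_tls_user table but is documented nowhere in this patch, which only touches smtpd_sasl_glue.c and smtpd_sasl_glue.h. Wherever the existing "commonName" and "relay_clientcerts" values of this setting are described for administrators, add the new value together with a sentence stating that with it the relay_clientcerts lookup result is used as the login name without any AUTH command from the client, since that is a behaviour change an operator must opt into knowingly.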
@@ -236,6 +237,7 @@
verified_user = TLS_CERT_IS_TRUSTED(state->tls_context) ? 
state->tls_context->peer_CN : 0;
break;
case SASL_TLS_USER_RELAY_CLIENTCERTS:
+   case SASL_TLS_USER_RELAY_CLIENTCERTS_AUTO:
if ( TLS_CERT_IS_PRESENT(state->tls_context) ) {
int i;
char *prints[2];
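Review bot: the _AUTO case falls through to the fingerprint lookup that is guarded by TLS_CERT_IS_PRESENT only, whereas the commonName case just above requires TLS_CERT_IS_TRUSTED. That is consistent with how relay_clientcerts works (a fingerprint match does not depend on CA trust), but because this path now yields a login identity rather than only a relay permission, add a comment on the shared case stating that an untrusted or self-signed certificate is deliberately accepted here when its fingerprint is in the map, so nobody later "fixes" the missing trust check or, conversely, relies on it.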
@@ -262,6 +264,15 @@
 #endif
 #define ADDR_OR_EMPTY(addr, unknown) (strcmp(addr, unknown) ? addr : "")
 #define REALM_OR_NULL(realm) (*(realm) ? (realm) : (char *) 0)
+   
+if ((name_code(sasl_tls_user, NAME_CODE_FLAG_NONE,
+ var_smtpd_sasl_tls_ccert_username) == 
SASL_TLS_USER_RELAY_CLIENTCERTS_AUTO)
+&& verified_user) {
+
+   smtpd_sasl_login(state, verified_user, "RELAY_CLIENTCERTS_AUTO"); 
+   state->sasl_mechanism_list = mystrdup("");
+   return;
+}
 
 if ((state->sasl_server =
 XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args,
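Review bot: the early return fires before XSASL_SERVER_CREATE, so state->sasl_server stays unset after smtpd_sasl_login() has recorded a username and method; verify that smtpd_sasl_deactivate() and the "already active" sanity check at the top of this function tolerate a session that is logged in but has no sasl_server, because STARTTLS is exactly the point at which SASL is deactivated and re-activated, and that is when the client certificate first becomes visible. Two smaller points: name_code() is run on var_smtpd_sasl_tls_ccert_username a second time although the switch the previous hunk extends already dispatches on the same setting, so store the code once in a local and test that; and since verified_user is the relay_clientcerts map value, the value column of that map becomes a SASL identity that permit_sasl_authenticated and smtpd_sender_login_maps will act on, whereas stock Postfix ignores that column entirely, so the documentation should warn that every existing entry's value turns into a login name. The added blank line and the smtpd_sasl_login() line also carry trailing whitespace.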
--- postfix-3.4.5/src/smtpd/smtpd_sasl_glue.h   2019-04-10 12:26:39.571554576 
+0200
+++ postfix-3.4.5-cert-auto/src/smtpd/smtpd_sasl_glue.h 2019-04-10 
11:10:49.054873903 +0200
@@ -26,10 +26,12 @@
 /* for SASL external auth */
 #define SASL_TLS_USER_NAME_COMMON_NAME "commonName"
 #define SASL_TLS_USER_NAME_RELAY_CLIENTCERTS "relay_clientcerts"
+#define SASL_TLS_USER_NAME_RELAY_CLIENTCERTS_AUTO "relay_clientcerts_auto"
 
 #define SASL_TLS_USER_NONE 0
 #define SASL_TLS_USER_COMMON_NAME 1
 #define SASL_TLS_USER_RELAY_CLIENTCERTS 2
+#define SASL_TLS_USER_RELAY_CLIENTCERTS_AUTO 3
 
 /* LICENSE
 /* .ad