Re: question on xforward

2008-11-27 Thread Jan P. Kessler

Victor Duchovni wrote:
> > > Is there any good reason why smtpd_tls_received_header does not include
> > > the ccert_fingerprint when available?
> >
> > Perhaps it is because software does not grow on trees and
> > actually needs to be created first?

Hey - no offense, we're in the same business! This was just a serious
question because I noticed that you (very experienced developers)
decided not to include that type of information and so I said to myself
"I should ask them, in case there is a good reason for it that I (less
experienced developer) am not aware of".

> This is too much information to include by default. To make the ccert
> available, the Received header annotations would have to be configurable.
> I am not sure this is a win.

I see. Well, postfix has everything I need on board (prepend, policy
delegation). I definitely would prefer a solution without prepending a
header at data stage but now I am able to implement what I want. Thank
you for your help.




Re: question on xforward

2008-11-26 Thread Victor Duchovni
On Wed, Nov 26, 2008 at 06:45:53PM -0500, Wietse Venema wrote:

> Jan P. Kessler:
> > Victor Duchovni schrieb:
> > > The topmost header "by your-MTA" is trustworthy, as are any headers
> > > above it.
> > >   
> > 
> > That makes sense, of course.
> > 
> > Is there any good reason why smtpd_tls_received_header does not include 
> > the ccert_fingerprint when available?
> 
> Perhaps it is because software does not grow on trees and 
> actually needs to be created first?

This is too much information to include by default. To make the ccert
available, the Received header annotations would have to be configurable.
I am not sure this is a win.

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.


Re: question on xforward

2008-11-26 Thread Wietse Venema
Jan P. Kessler:
> Victor Duchovni schrieb:
> > The topmost header "by your-MTA" is trustworthy, as are any headers
> > above it.
> >   
> 
> That makes sense, of course.
> 
> Is there any good reason why smtpd_tls_received_header does not include 
> the ccert_fingerprint when available?

Perhaps it is because software does not grow on trees and 
actually needs to be created first?

Wietse


Re: question on xforward

2008-11-26 Thread Jan P. Kessler

Victor Duchovni wrote:
> The topmost header "by your-MTA" is trustworthy, as are any headers
> above it.

That makes sense, of course.

Is there any good reason why smtpd_tls_received_header does not include
the ccert_fingerprint when available?




Re: question on xforward

2008-11-26 Thread mouss
Jan P. Kessler wrote:
> Victor Duchovni wrote:
>> On Wed, Nov 26, 2008 at 06:50:13PM +0100, Jan P. Kessler wrote:
>>
>>  
>>> would it be possible/valuable to enhance xforward by additional
>>> attributes reflecting the tls parameters of the upstream smtp
>>> session? Background is the current development of a content/proxyfilter.
>>> 
>>
>> What problem would this solve? If you need the client certificate
>> fingerprint consider the following:
>>   
> Thank you. Of course it would be easy to add a header (or use the one
> from smtpd_tls_received_header) but that information could be forged
> easily. It would be nice to have reliable data for a
> proxy/content_filter that combines session and content based information.
> 

Only examine the first Received header, which you are sure is generated
by postfix.


Re: question on xforward

2008-11-26 Thread Victor Duchovni
On Wed, Nov 26, 2008 at 08:48:31PM +0100, Jan P. Kessler wrote:

> Victor Duchovni wrote:
> >On Wed, Nov 26, 2008 at 06:50:13PM +0100, Jan P. Kessler wrote:
> >
> >  
> >>would it be possible/valuable to enhance xforward by additional 
> >>attributes reflecting the tls parameters of the upstream smtp session? 
> >>Background is the current development of a content/proxyfilter.
> >>
> >
> >What problem would this solve? If you need the client certificate
> >fingerprint consider the following:
> >  
> Thank you. Of course it would be easy to add a header (or use the one 
> from smtpd_tls_received_header) but that information could be forged 
> easily.

No it can easily be forged, because you always add your own Received
header which is at the top of the message, and cannot be forged. PREPEND
actions in restrictions insert above that header, so this too cannot
be forged.

X-TLS-Client-Fingerprint: ...
Received: from ...
(using  ... )
by your-MTA ...

The topmost header "by your-MTA" is trustworthy, as are any headers
above it.

> It would be nice to have reliable data for a 
> proxy/content_filter that combines session and content based information.

Headers (parsed properly) can be trusted, and offer more flexibility than
XFORWARD. It is not always easy to get the content you need into headers,
but when you can PREPEND the required data, headers are a fine interface.

-- 
Viktor.



Re: question on xforward

2008-11-26 Thread Jan P. Kessler

Victor Duchovni wrote:
> On Wed, Nov 26, 2008 at 06:50:13PM +0100, Jan P. Kessler wrote:
>
> > would it be possible/valuable to enhance xforward by additional
> > attributes reflecting the tls parameters of the upstream smtp session?
> > Background is the current development of a content/proxyfilter.
>
> What problem would this solve? If you need the client certificate
> fingerprint consider the following:

Thank you. Of course it would be easy to add a header (or use the one
from smtpd_tls_received_header) but that information could be forged
easily. It would be nice to have reliable data for a
proxy/content_filter that combines session and content based information.




Re: question on xforward

2008-11-26 Thread Victor Duchovni
On Wed, Nov 26, 2008 at 06:50:13PM +0100, Jan P. Kessler wrote:

> would it be possible/valuable to enhance xforward by additional 
> attributes reflecting the tls parameters of the upstream smtp session? 
> Background is the current development of a content/proxyfilter.

What problem would this solve? If you need the client certificate
fingerprint consider the following:

/etc/postfix/main.cf:
smtpd_data_restrictions =
check_ccert_access pcre:/etc/postfix/add_fprint_header.pcre

/etc/postfix/add_fprint_header.pcre:
/^(.*)$/PREPEND X-TLS-Client-Fingerprint: ${1}

Additional information is recorded in Received headers when
$smtpd_tls_received_header=yes.

-- 
Viktor.
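An added example, not code from the thread or from Postfix, showing the consumer side of the PREPEND approach above and of the advice elsewhere in the thread to trust only the Received header that your own MTA wrote and whatever sits above it: a small Python helper a proxy/content_filter could use to pull the prepended fingerprint out of a message while discarding any copy a client supplied inside DATA. The host name mx.example.com, the fingerprint value and the three sample messages are constructed; the header name X-TLS-Client-Fingerprint is the one used in the pcre example.

```python
"""Trust-boundary header parsing for a Postfix content_filter.

Added example (not from the postfix-users thread or from Postfix itself).
Postfix always writes its own Received header at the top of the message,
and a PREPEND action from smtpd_data_restrictions lands above that header.
So a content_filter may trust only the headers from the top of the message
down to the first Received header that says "by <our MTA>"; everything
below it arrived inside the client's DATA and can say anything.
"""
import email
import re
from email import policy
from typing import List, Optional, Tuple

# Assumed values (not from the thread): the host name this Postfix instance
# writes into the "by ..." clause of its Received header, and the header
# name used in the PREPEND action.
OUR_MTA = "mx.example.com"
FPRINT_HEADER = "X-TLS-Client-Fingerprint"


def trusted_headers(raw_message: bytes, our_mta: str = OUR_MTA) -> List[Tuple[str, str]]:
    """Headers from the top of the message down to and including the first
    Received header written by our_mta, in message order.  Returns an empty
    list when no such Received header exists, because then there is no
    boundary to anchor trust on."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    by_us = re.compile(r"\bby\s+" + re.escape(our_mta) + r"\b", re.IGNORECASE)
    trusted: List[Tuple[str, str]] = []
    for name, value in msg.items():          # items() preserves header order
        text = str(value)                    # policy.default unfolds the value
        trusted.append((name, text))
        if name.lower() == "received" and by_us.search(text):
            return trusted
    return []


def client_fingerprint(raw_message: bytes, our_mta: str = OUR_MTA) -> Optional[str]:
    """The fingerprint Postfix prepended, or None when the header is absent
    or appears only below the trust boundary (i.e. was supplied by the client)."""
    for name, text in trusted_headers(raw_message, our_mta):
        if name.lower() == FPRINT_HEADER.lower():
            return text.strip()
    return None


# Constructed fingerprint value, not a real certificate.
CONSTRUCTED_FINGERPRINT = "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"

# Constructed sample 1: the client presented a certificate, check_ccert_access
# matched, and Postfix prepended the fingerprint above its own Received header.
MSG_WITH_CCERT = (
    f"{FPRINT_HEADER}: {CONSTRUCTED_FINGERPRINT}\r\n"
    "Received: from client.example.net (client.example.net [192.0.2.10])\r\n"
    "\t(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))\r\n"
    "\tby mx.example.com (Postfix) with ESMTPS id 0123456789\r\n"
    "\tfor <user@example.com>; Wed, 26 Nov 2008 20:48:31 +0100\r\n"
    "From: sender@example.net\r\n"
    "Subject: constructed sample, genuine prepended header\r\n"
    "\r\nbody\r\n"
).encode()

# Constructed sample 2: no certificate, so nothing was prepended; the client
# instead put its own fingerprint header and a look-alike Received header in
# DATA.  Both sit below the real Received header and must be ignored.
MSG_FORGED = (
    "Received: from client.example.net (client.example.net [192.0.2.10])\r\n"
    "\tby mx.example.com (Postfix) with ESMTP id 0123456790\r\n"
    "\tfor <user@example.com>; Wed, 26 Nov 2008 20:50:13 +0100\r\n"
    f"{FPRINT_HEADER}: {CONSTRUCTED_FINGERPRINT}\r\n"
    "Received: from client.example.net (client.example.net [192.0.2.10])\r\n"
    "\tby mx.example.com (Postfix) with ESMTPS id FAKE\r\n"
    "From: sender@example.net\r\n"
    "Subject: constructed sample, headers supplied by the client\r\n"
    "\r\nbody\r\n"
).encode()

# Constructed sample 3: the message never passed through our smtpd, so no
# header can be trusted at all.
MSG_NOT_OURS = (
    "Received: from smtp.example.org (smtp.example.org [198.51.100.5])\r\n"
    "\tby relay.example.org (Postfix) with ESMTP id 0123456791\r\n"
    f"{FPRINT_HEADER}: {CONSTRUCTED_FINGERPRINT}\r\n"
    "Subject: constructed sample, no Received header of ours\r\n"
    "\r\nbody\r\n"
).encode()


if __name__ == "__main__":
    for label, raw in (("ccert", MSG_WITH_CCERT), ("forged", MSG_FORGED), ("not ours", MSG_NOT_OURS)):
        print(f"{label:9s} -> {client_fingerprint(raw)}")
```

The boundary check keys on the "by our-host" clause rather than on the Received header's position alone, so a filter fed messages from more than one path (smtpd, pickup, a second MTA) still anchors on the header this instance wrote; if the filter sits behind several MTAs, pass each one's name in `our_mta` or extend the pattern accordingly.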
