Re: how to proper use content_filter

2016-10-15 Thread Paweł Grzesik
OK, now it's starting to become much clearer.
Really appreciate your help and time!

Thanks,
Pawel

2016-10-14 11:45 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > It's of course not a production code. I'm only trying to
> > learn and understand how exactly it works.
> >
> > I cannot find anything about "--" in the postfix documentation
> > (or am I looking on the wrong page?). Is there any explanation
> > somewhere (other than in the source code)?
>
> Look at "man getopt", i.e. the SYSTEM LIBRARY function that
> parses command-line options. Without the '--' before the recipients,
> a recipient address starting with '-' would change the way that the
> sendmail command works.
>
> Wietse
>


Re: how to proper use content_filter

2016-10-14 Thread Wietse Venema
Paweł Grzesik:
> It's of course not a production code. I'm only trying to
> learn and understand how exactly it works.
> 
> I cannot find anything about "--" in the postfix documentation
> (or am I looking on the wrong page?). Is there any explanation
> somewhere (other than in the source code)?

Look at "man getopt", i.e. the SYSTEM LIBRARY function that
parses command-line options. Without the '--' before the recipients,
a recipient address starting with '-' would change the way that the
sendmail command works.

Wietse


Re: how to proper use content_filter

2016-10-14 Thread Paweł Grzesik
It's of course not a production code. I'm only trying to
learn and understand how exactly it works.

I cannot find anything about "--" in the postfix documentation
(or am I looking on the wrong page?). Is there any explanation
somewhere (other than in the source code)?

Thanks for your help!

2016-10-14 1:07 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > I think I can do the same in Ruby using IO.popen like:
> >
> >   IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe|
> >
> > As I see it, in this case I don't even need to wrap my_str in \" \".
> >
> > But I'm still confused about the -f option in master.cf, and the characters "--"
> > between ${sender} and ${recipient}.
> > Why is that?
>
> Specify
>
> popen(["/usr/sbin/sendmail", "-G", "-i", "-f", sender, "--", my_str], "w")
>
> The -- is needed to close a different security hole.
>
> If you don't know about these bugs that go back to 1996 and earlier,
> then please don't write code that handles network data.
>
> Wietse
>


Re: how to proper use content_filter

2016-10-13 Thread Wietse Venema
Paweł Grzesik:
> I think I can do the same in Ruby using IO.popen like:
> 
>   IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe|
> 
> As I see it, in this case I don't even need to wrap my_str in \" \".
> 
> But I'm still confused about the -f option in master.cf, and the characters "--"
> between ${sender} and ${recipient}.
> Why is that?

Specify 

popen(["/usr/sbin/sendmail", "-G", "-i", "-f", sender, "--", my_str], "w")

The -- is needed to close a different security hole.

If you don't know about these bugs that go back to 1996 and earlier,
then please don't write code that handles network data.

Wietse


Re: how to proper use content_filter

2016-10-13 Thread Paweł Grzesik
I think I can do the same in Ruby using IO.popen like:

  IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe|

As I see it, in this case I don't even need to wrap my_str in \" \".

But I'm still confused about the -f option in master.cf, and the characters "--"
between ${sender} and ${recipient}.
Why is that?

Thanks,
Pawel

2016-10-13 21:24 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > Good point. I changed it to:
> >
> > IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|
> >
> > So now it should be secure (same as using $@ instead of $*).
> > Am I right, or am I still missing something?
>
> Sorry, that is still a shell command line. You need an API that
> passes a vector of arguments, not a command line.
>
> Such as Python's
>
> os.popen(["/usr/sbin/sendmail", "-G", "-i", ...], "w").
>
> This bug is actually very old. An early publication is at
> https://www.cert.org/historical/advisories/CA-1996-06.cfm
>
> Wietse
>


Re: how to proper use content_filter

2016-10-13 Thread Wietse Venema
Paweł Grzesik:
> Good point. I changed it to:
> 
> IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|
> 
> So now it should be secure (same as using $@ instead of $*).
> Am I right, or am I still missing something?

Sorry, that is still a shell command line. You need an API that
passes a vector of arguments, not a command line.

Such as Python's

os.popen(["/usr/sbin/sendmail", "-G", "-i", ...], "w").

This bug is actually very old. An early publication is at 
https://www.cert.org/historical/advisories/CA-1996-06.cfm

Wietse


Re: how to proper use content_filter

2016-10-13 Thread Paweł Grzesik
Good point. I changed it to:

IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe|

So now it should be secure (same as using $@ instead of $*).
Am I right, or am I still missing something?

Thanks,
Pawel

2016-10-13 11:50 GMT+01:00 Wietse Venema :

> Paweł Grzesik:
> > IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|
>
> And there you have a giant security hole. What happens if an email
> address contains shell special characters? You specify flags=Rq in
> the pipe daemon command, but that quotes email addresses according
> to RFC822, not to make them resistant against shell command injection.
>
> (Note that the shell script example in FILTER_README does not
> have this issue because that does not re-parse its arguments).
>
> Wietse
>


Re: how to proper use content_filter

2016-10-13 Thread Wietse Venema
Paweł Grzesik:
> IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|

And there you have a giant security hole. What happens if an email
address contains shell special characters? You specify flags=Rq in
the pipe daemon command, but that quotes email addresses according
to RFC822, not to make them resistant against shell command injection.

(Note that the shell script example in FILTER_README does not
have this issue because that does not re-parse its arguments).

Wietse


how to proper use content_filter

2016-10-13 Thread Paweł Grzesik
Hi All,

I'm trying to understand how content_filter works. According to the
documentation I can create a simple script and use content_filter to send
an e-mail to it.

That's my config of master.cf:

proxy     unix  -   n   n   -   10  pipe
   flags=Rq user=filter null_sender=
   argv=/usr/local/bin/proxy -f ${sender} ${recipient}

smtp      inet  n   -   n   -   -   smtpd
  -o content_filter=proxy:dummy

So that's exactly the same as the example from the doc.

And now, my script is:

IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe|
  pipe.puts @mail_content
  pipe.close_write
end

Where my_str is a string of all arguments (sender and recipients):

my_str = ""
ARGV.each { |recipient| my_str.concat("#{recipient} ") }

which is basically:
"-f sender@mymail user1@mymail user2@mymail"

The point of using it that way is that I noticed the bcc e-mail is on
that list while at the same time it's not in the mail headers. So I'm sending
that list of all recipients to sendmail so I can put the e-mail back into
the queue without changing anything (and without losing the bcc).

It works fine, but when I changed it to Go and did mostly the same:

package main

import (
	"fmt"
	"log"
	"os/exec"
)

// recipients is the single string built from the arguments postfix passed
// to the filter; it is handed to sendmail as one argument.
func sendMail(recipients string, maildata []byte) int {
	cmd := exec.Command("/usr/sbin/sendmail", "-G", "-i", recipients)
	pipe, err := cmd.StdinPipe()

	if err != nil {
		log.Fatal(err)
	}

	if err = cmd.Start(); err != nil {
		log.Fatal(err)
	}

	// Write the original message to sendmail's stdin and close the pipe.
	fmt.Fprintf(pipe, "%s", maildata)
	err = pipe.Close()

	if err != nil {
		log.Fatal(err)
	}
	return 0
}

So exactly like in Ruby I'm executing sendmail:
  /usr/sbin/sendmail -G -i (recipients from postfix ARGS)

but that does not work; in the logs I have:
  warning: -f option specified malformed sender: ...
and
  fatal: Recipient addresses must be specified on the command line or via
the -t option

I'm not really sure why that is. Why does it work in Ruby and not in Go? I'm
calling it in exactly the same way and I have the same output on the
console. How should I handle it?

Can someone give me some hint?

Thanks,
Pawel