Re: how to proper use content_filter
Ok, now it's starting to be much clear. Really appreciate your help and time! Thanks, Pawel 2016-10-14 11:45 GMT+01:00 Wietse Venema: > Pawe? Grzesik: > > It's of course not a production code. I'm only trying to > > learn and understand how exactly it works. > > > > I cannot find anything about "--" in the postfix documentation > > (or I'm looking on the wrong page?). There is any explanation > > somewhere? (instead of at the source code). > > Look at "man getopt" the, i.e. the SYSTEM LIBRARY function that > parses command-line options. Without the '--' before the recipients, > a recipient address starting with '-' would change the way that the > sendmail command works. > > Wietse >
Re: how to proper use content_filter
Pawe? Grzesik: > It's of course not a production code. I'm only trying to > learn and understand how exactly it works. > > I cannot find anything about "--" in the postfix documentation > (or I'm looking on the wrong page?). There is any explanation > somewhere? (instead of at the source code). Look at "man getopt" the, i.e. the SYSTEM LIBRARY function that parses command-line options. Without the '--' before the recipients, a recipient address starting with '-' would change the way that the sendmail command works. Wietse
Re: how to proper use content_filter
It's of course not a production code. I'm only trying to learn and understand how exactly it works. I cannot find anything about "--" in the postfix documentation (or I'm looking on the wrong page?). There is any explanation somewhere? (instead of at the source code). Thanks for your help! 2016-10-14 1:07 GMT+01:00 Wietse Venema: > Pawe? Grzesik: > > I think I can do the same in Ruby using IO.popen like: > > > > IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe| > > > > as I see in this case I don't even need to use my_str with \" \". > > > > But I'm still confused about -f option in master.cf, and characters "--" > > between ${sender} and ${recipient}. > > Why is that? > > Specify > > popen(["/usr/sbin/sendmail", "-G", "-i", "-f", sender, "--", my_str, "w") > > The -- is needed to close a different security hole. > > If you don't know about these bugs that go back to 1996 and earlier, > then please don't write code that handles network data. > > Wietse >
Re: how to proper use content_filter
Pawe? Grzesik: > I think I can do the same in Ruby using IO.popen like: > > IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe| > > as I see in this case I don't even need to use my_str with \" \". > > But I'm still confused about -f option in master.cf, and characters "--" > between ${sender} and ${recipient}. > Why is that? Specify popen(["/usr/sbin/sendmail", "-G", "-i", "-f", sender, "--", my_str, "w") The -- is needed to close a different security hole. If you don't know about these bugs that go back to 1996 and earlier, then please don't write code that handles network data. Wietse
Re: how to proper use content_filter
I think I can do the same in Ruby using IO.popen like: IO.popen(["/usr/sbin/sendmail", "-G", "-i", my_str], "w") do |pipe| as I see in this case I don't even need to use my_str with \" \". But I'm still confused about -f option in master.cf, and characters "--" between ${sender} and ${recipient}. Why is that? Thanks, Pawel 2016-10-13 21:24 GMT+01:00 Wietse Venema: > Pawe? Grzesik: > > Good point. I changed it to: > > > > IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe| > > > > So now it should be secure (same as using $@ instead of $*). > > Am I right? or I'm still missing something? > > Sorry, that is still a shell command line. You need an API that > passes a vector of arguments, not a command line. > > Such as Python's > > os.popen(["/usr/sbin/sendmail", "-G", "-i", ...], "w"). > > This bug is actually very old. An early publication is at > https://www.cert.org/historical/advisories/CA-1996-06.cfm > > Wietse >
Re: how to proper use content_filter
Pawe? Grzesik: > Good point. I changed it to: > > IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe| > > So now it should be secure (same as using $@ instead of $*). > Am I right? or I'm still missing something? Sorry, that is still a shell command line. You need an API that passes a vector of arguments, not a command line. Such as Python's os.popen(["/usr/sbin/sendmail", "-G", "-i", ...], "w"). This bug is actually very old. An early publication is at https://www.cert.org/historical/advisories/CA-1996-06.cfm Wietse
Re: how to proper use content_filter
Good point. I changed it to: IO.popen("/usr/sbin/sendmail -G -i \"#{my_str}\"", "w") do |pipe| So now it should be secure (same as using $@ instead of $*). Am I right? or I'm still missing something? Thanks, Pawel 2016-10-13 11:50 GMT+01:00 Wietse Venema: > Pawe? Grzesik: > > IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe| > > And there you have a giant security hole. What happens if an email > address contains shell special characters? You specify flags=Rq in > the pipe daemon command, but that quotes email addresses according > to RFC822, not to make them resistant against shell command injection. > > (Note that the shell script example in FILTER_README does not > have this issue becasue that does not re-parse its arguments). > > Wietse >
Re: how to proper use content_filter
Pawe? Grzesik: > IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe| And there you have a giant security hole. What happens if an email address contains shell special characters? You specify flags=Rq in the pipe daemon command, but that quotes email addresses according to RFC822, not to make them resistant against shell command injection. (Note that the shell script example in FILTER_README does not have this issue becasue that does not re-parse its arguments). Wietse
how to proper use content_filter
Hi All, I'm trying to understand how content_filter works. According to the documentation I can create a simple script and use content_filter to send an e-mail to it. That's my config of master.cf: proxyunix - n n - 10 pipe flags=Rq user=filter null_sender= argv=/usr/local/bin/proxy -f ${sender} ${recipient} smtp inet n - n - - smtpd -o content_filter=proxy:dummy So that's exactly the same as an example from to doc. And now, my script is: IO.popen("/usr/sbin/sendmail -G -i #{my_str}", "w") do |pipe| pipe.puts @mail_content pipe.close_write end Where my_str is a string of all arguments (sender and recipients): ARGV.each { |recipient| my_str.concat("#{recipient} ") } which is basically: "-f sender@mymail user1@mymail user2@mymail" The point os using it that way is because I noticed that bcc e-mail is on that list and in the same way it's not in the mail headers. So I'm sending that list of all recipients to the sendmail so I can put an e-mail again to the queue without changing anything (and not losing bcc). It works fine but when I change it to the Golang and I did mostly the same: func sendMail(recipients string, maildata []byte) int { cmd := exec.Command("/usr/sbin/sendmail", "-G", "-i", recipients) pipe, err := cmd.StdinPipe() if err != nil { log.Fatal(err) } if err = cmd.Start(); err != nil { log.Fatal(err) } fmt.Fprintf(pipe, "%s", maildata) err = pipe.Close() if err != nil { log.Fatal(err) } return 0 } So exactly like in Ruby I'm executing sendmail: /usr/sbin/sendmail -G -i (recipients from postfix ARGS) but that does not work, on the logs I have: warning: -f option specified malformed sender: ... and fatal: Recipient addresses must be specified on the command line or via the -t option I'm not really sure why is that. Why it works in Ruby and not in Go? I'm calling it in exactly the same way and I have the same output on the console. How I should handle it? Can someone give me some hint? Thanks, Pawel