Hello,
As in other MTAs, smtpd allows a custom command to be executed from forward
files, so that users can plug in procmail, fdm and others. It is currently not
possible to let users forward their mail through a .forward file without also
allowing them to run a custom MDA.
This diff builds on top of the previous one. It removes the ability to execute
a custom command from a ~/.forward file by default; the admin has to allow it
explicitly in the config:
action "local_users" maildir forward-file allow-exec
If a user adds a command without this option being set, the session will be
rejected with a temporary failure until the .forward file is fixed.
diff --git a/usr.sbin/smtpd/lka_session.c b/usr.sbin/smtpd/lka_session.c
index ff328441957..aea0780017e 100644
--- a/usr.sbin/smtpd/lka_session.c
+++ b/usr.sbin/smtpd/lka_session.c
@@ -482,6 +482,15 @@ lka_expand(struct lka_session *lks, struct rule *le,
struct expandnode *xn)
lks->error = LKA_TEMPFAIL;
break;
}
+
+ if (xn->parent->forwarded) {
+ if (! dsp->u.local.allow_forward_exec) {
+ log_trace(TRACE_EXPAND, "expand: matched
forward with no allow-exec");
+ lks->error = LKA_TEMPFAIL;
+ break;
+ }
+ }
+
log_trace(TRACE_EXPAND, "expand: lka_expand: filter: %s "
"[depth=%d]", xn->u.buffer, xn->depth);
lka_submit(lks, rule, xn);
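Review bot: The new guard in the filter branch tests only the immediate parent, `xn->parent->forwarded`, so it stops a command only when the node directly above it is the forward-file node; if a command can be reached from a ~/.forward through an intermediate expansion node (not visible in this hunk), it would still reach `lka_submit()`, so that path should be confirmed closed or the check should walk up the parent chain. The rejection is reported only through `log_trace(TRACE_EXPAND, ...)`, a trace-level message that names neither the user nor the file, although the description says delivery stays tempfailed until the .forward is fixed; I would log it at a level admins see by default and include the recipient or `xn->u.buffer`. The two nested `if`s can be a single condition, `if (xn->parent->forwarded && !dsp->u.local.allow_forward_exec) {`. The enclosing case of lka_expand starts and ends outside the hunk, so whether `xn->parent` can be NULL at this point cannot be told from these lines.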
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 752c3376b77..908c189c93d 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -173,7 +173,7 @@ typedef struct {
%}
-%token ACTION ADMD ALIAS ANY ARROW AUTH AUTH_OPTIONAL
+%token ACTION ADMD ALIAS ALLOW_EXEC ANY ARROW AUTH AUTH_OPTIONAL
%token BACKUP BOUNCE BYPASS
%token CA CERT CHAIN CHROOT CIPHERS COMMIT COMPRESSION CONNECT
%token DATA DATA_LINE DHE DISCONNECT DOMAIN
@@ -200,7 +200,7 @@ typedef struct {
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.table> table
-%type <v.number> size negation
+%type <v.number> size negation allow_exec
%type <v.table> tables tablenew tableref
%%
@@ -580,6 +580,10 @@ SRS KEY STRING {
;
+allow_exec : ALLOW_EXEC { $$ = 1; }
+ | /* empty */ { $$ = 0; }
+ ;
+
dispatcher_local_option:
USER STRING {
if (dispatcher->u.local.is_mbox) {
@@ -669,12 +673,13 @@ USER STRING {
}
dispatcher->u.local.mda_wrapper = $2;
}
-| FORWARD_FILE {
+| FORWARD_FILE allow_exec {
if (dispatcher->u.local.forward_file) {
yyerror("forward-file already specified for this dispatcher");
YYERROR;
}
dispatcher->u.local.forward_file = 1;
+ dispatcher->u.local.allow_forward_exec = $2;
}
;
@@ -2628,6 +2633,7 @@ lookup(char *s)
{ "action", ACTION },
{ "admd", ADMD },
{ "alias", ALIAS },
+ { "allow-exec", ALLOW_EXEC },
{ "any", ANY },
{ "auth", AUTH },
{ "auth-optional", AUTH_OPTIONAL },
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index fa98e13e158..c2ef5f568ca 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -173,8 +173,12 @@ Use the mapping
for
.Xr aliases 5
expansion.
-.It Cm forward-file
+.It Cm forward-file Op Cm allow-exec
Allow the use of a .forward file in user home directory .
+.Pp
+If
+.Cm allow-exec
+is specified, the .forward file is allowed to execute a custom command.
.It Xo
.Cm ttl
.Sm off
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 8225f3ff157..57a8bebec79 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1161,6 +1161,8 @@ struct dispatcher_local {
uint8_t forward_only;
uint8_t forward_file;
+ uint8_t allow_forward_exec;
+
char *mda_wrapper;
char *command;