Hello, As is done in other MTA, smtpd allows execution of a custom command in forward files so users can plug their procmail, fdm and other. It is currently not possible to allow the users to forward their mail through a .forward file without also allowing them to run a custom mda.
This diff builds on top of the previous one, it removes the ability to execute a custom command from a ~/.forward file by default unless admin explicitly allows it in config: action "local_users" maildir forward-file allow-exec If a user adds a command, the session will be rejected with a temporary failure until the .forward file is fixed. diff --git a/usr.sbin/smtpd/lka_session.c b/usr.sbin/smtpd/lka_session.c index ff328441957..aea0780017e 100644 --- a/usr.sbin/smtpd/lka_session.c +++ b/usr.sbin/smtpd/lka_session.c @@ -482,6 +482,15 @@ lka_expand(struct lka_session *lks, struct rule *le, struct expandnode *xn) lks->error = LKA_TEMPFAIL; break; } + + if (xn->parent->forwarded) { + if (! dsp->u.local.allow_forward_exec) { + log_trace(TRACE_EXPAND, "expand: matched forward with no allow-exec"); + lks->error = LKA_TEMPFAIL; + break; + } + } + log_trace(TRACE_EXPAND, "expand: lka_expand: filter: %s " "[depth=%d]", xn->u.buffer, xn->depth); lka_submit(lks, rule, xn); diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y index 752c3376b77..908c189c93d 100644 --- a/usr.sbin/smtpd/parse.y +++ b/usr.sbin/smtpd/parse.y @@ -173,7 +173,7 @@ typedef struct { %} -%token ACTION ADMD ALIAS ANY ARROW AUTH AUTH_OPTIONAL +%token ACTION ADMD ALIAS ALLOW_EXEC ANY ARROW AUTH AUTH_OPTIONAL %token BACKUP BOUNCE BYPASS %token CA CERT CHAIN CHROOT CIPHERS COMMIT COMPRESSION CONNECT %token DATA DATA_LINE DHE DISCONNECT DOMAIN @@ -200,7 +200,7 @@ typedef struct { %token <v.string> STRING %token <v.number> NUMBER %type <v.table> table -%type <v.number> size negation +%type <v.number> size negation allow_exec %type <v.table> tables tablenew tableref %% @@ -580,6 +580,10 @@ SRS KEY STRING { ; +allow_exec : ALLOW_EXEC { $$ = 1; } + | /* empty */ { $$ = 0; } + ; + dispatcher_local_option: USER STRING { if (dispatcher->u.local.is_mbox) { @@ -669,12 +673,13 @@ USER STRING { } dispatcher->u.local.mda_wrapper = $2; } -| FORWARD_FILE { +| FORWARD_FILE allow_exec { if (dispatcher->u.local.forward_file) { yyerror("forward-file already specified for this dispatcher"); YYERROR; } dispatcher->u.local.forward_file = 1; + dispatcher->u.local.allow_forward_exec = $2; } ; @@ -2628,6 +2633,7 @@ lookup(char *s) { "action", ACTION }, { "admd", ADMD }, { "alias", ALIAS }, + { "allow-exec", ALLOW_EXEC }, { "any", ANY }, { "auth", AUTH }, { "auth-optional", AUTH_OPTIONAL }, diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5 index fa98e13e158..c2ef5f568ca 100644 --- a/usr.sbin/smtpd/smtpd.conf.5 +++ b/usr.sbin/smtpd/smtpd.conf.5 @@ -173,8 +173,12 @@ Use the mapping for .Xr aliases 5 expansion. -.It Cm forward-file +.It Cm forward-file Op Cm allow-exec Allow the use of a .forward file in user home directory . +.Pp +If +.Cm allow-exec +is specified, the .forward file is allowed to execute a custom command. .It Xo .Cm ttl .Sm off diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h index 8225f3ff157..57a8bebec79 100644 --- a/usr.sbin/smtpd/smtpd.h +++ b/usr.sbin/smtpd/smtpd.h @@ -1161,6 +1161,8 @@ struct dispatcher_local { uint8_t forward_only; uint8_t forward_file; + uint8_t allow_forward_exec; + char *mda_wrapper; char *command;