On Sat, Dec 19, 2020 at 11:19:10PM -0700, Theo de Raadt wrote:
> There are thousands of people with smtpd configurations, and sysmerge
> is not going to handle this.
>
> We cannot expect them all to change their files. This is madness.
Well, it wouldn't be the first time. But I agree that such changes should be rare and have a really good reason. So yes, even if the option is desirable and being off-by-default would be a good default, the flag-day way of handling it is complex.

Regarding the option itself, if I recall correctly some descriptions made by Gilles about smtpd, opening ~/.forward is one of the few tasks done by the privileged process of smtpd. So it could make sense to avoid it if not needed.

Gilles, could you confirm that having an option to remove the .forward capability (whatever the default value of the option is) could effectively help to reduce the attack surface of smtpd?

For example, as an immediate consequence, I see no reason for the smtpd privileged process to keep a full filesystem view: it might be possible to restrict it to a few directories with unveil(2) (I assume the privileged process is still needed for bsd_auth, and bsd_auth will have some requirements).

Thanks.
-- 
Sebastien Marie