> On 20 Dec 2020, at 10:03, Gilles CHEHADE <gil...@poolp.org> wrote:
> 
> 
>> On 20 Dec 2020, at 07:19, Theo de Raadt <dera...@openbsd.org> wrote:
>> 
>> There are thousands of people with smtpd configurations, and sysmerge
>> is not going to handle this.
>> 
>> We cannot expect them all to change their files.  This is madness.
>> 
>> Gilles, I think you should be adding an option that blocks it optionally,
>> and then some operators can use that.  If they wish.  I am surprised you
>> think this can be a default, when as Sebastien points out the base system
>> uses it today...
>> 
> 
> I know that this isn’t convenient and my first version of the diff was a 
> “disallow-forward-file” option but:
> 
> The diff was to discuss what I think is the right way of doing it, not the 
> one I find the most convenient.
> If this is not desired, I can submit a diff for the convenient way but I 
> would have hated not showing what I think is right first.
> 
> In addition, my diff is a turn on a feature explicitly whereas the 
> “disallow-forward-file” option is a turn off an implicit behaviour,
> and when I see that some people don’t even know that .forward files are a 
> thing, I feel it’s the wrong way around. People who
> want forward files know they exist and can ask for it, whereas people who 
> don’t know they exist or who don’t request it will
> get it behind their backs.
> 
> As I said to semarie@ and millert@, the default configuration could be 
> adapted to add forward-file to the mbox action,
> and this diff could be adapted to not ignore .forward files but warn that 
> they are used on a rule without the keyword to
> give people two releases to adapt since we can’t expect everyone to change 
> their files but we can expect them to upgrade
> at least every two releases.
> 
> Also, what doesn’t show on this diff is that if we rely on the implicit 
> behaviour and a “disallow-forward-file” it kind of makes
> other features backwards too in terms of configuration.
> 
> Assuming disallow-forward-file, then do we add an option to disallow 
> execution of an mda or do we add an option to allow it?
> Is the default behaviour of forward files to execute custom commands or not?
> If not, then how do we express it if there’s no option visible in the conf?
> 
> It makes the grammar very weird :-/


I’d like to add something I forgot to mention: there are two bonus benefits to 
doing this:

1- the forward file handling requires an indirection through the parent process 
to obtain an fd to the .forward file, an indirection through a privileged process 
which would be completely bypassed for all users who do not explicitly require it.

2- if we make the feature explicit, then it becomes easier to add some security 
safe-guards in the parent process right before execution of an MDA: if it is 
asked to execute a custom command but the configuration states there is no 
.forward file allowed, then we can detect something is fishy and refuse to fork 
a child process for delivery.
