> On 20 Dec 2020, at 10:14, Sebastien Marie <[email protected]> wrote:
>
> On Sat, Dec 19, 2020 at 11:19:10PM -0700, Theo de Raadt wrote:
>> There are thousands of people with smtpd configurations, and sysmerge
>> is not going to handle this.
>>
>> We cannot expect them all to change their files. This is madness.
>
> Well, it wouldn't be the first time. But I agree that such changes
> should be rare and have a really good reason.
>
> So yes, even if the option is desirable and being off-by-default would
> be a good default, the flag-day way of handling it is complex.
I really want to emphasise that I'm not suggesting off-by-default on OpenBSD,
just making the feature explicit.
The default smtpd.conf could still have the option to retain the default
behaviour.
> Regarding the option itself, if I recall correctly some descriptions
> made by Gilles about smtpd, opening ~/.forward is one of the few tasks
> done by the privileged process of smtpd. So it could make sense to
> avoid it if not needed.
>
> Gilles, could you confirm that having an option to remove the .forward
> capability (whatever the default value of the option is) could
> effectively help to reduce the attack surface of smtpd?
Yes, this is one of the benefits.
Setups that don't ask for forward-file don't go through the parent process for
every recipient submitted in a session; that's one imsg fewer handled by the
privileged process.
> For example, as an immediate consequence, I see no reason for the smtpd
> privileged process to keep a full filesystem view: it might be
> possible to restrict it to a few directories with unveil(2) (I assume
> the privileged process is still needed for bsd_auth, and bsd_auth will
> have some requirements).
Yes!