October 23, 2020 6:03 PM, "Demi M. Obenour" <[email protected]> wrote:
> Would it be reasonable to allow the admin to configure a list of
> directories MDAs may reside in? I would like to only allow custom MDAs
> (from ~/.forward files) to be run in if they are in /etc/mail/mdas
> or ~/.config/mail/mdas.
>
I'm unsure how to tackle this really.
If you're going that path it will work at odds with what other MTA do and
you need approval from OpenBSD hackers that this is ok.
I'm unconvinced personally because:
- all ports mda are installed in /usr/local/bin on OpenBSD which means it
will almost always be there if people rely on procmail, fdm or other.
- once /usr/local/bin is in there, then you're no longer limiting to them
because any shell installed from ports is also there.
- many people use custom mda which aren't installed system-wide and these
are not going to be part of the allowed directory.
Forward files serve two purposes:
- redirecting to another address
- redirecting to another MDA
What you're doing is restricting the second but I doubt you'll find a way
that's satisfying. If custom MDA scare you, wouldn't it be better then if
you had:
action "foobar" mbox forward no-exec
and toggled it off altogether ?
