Victor Duchovni:
> On Tue, Oct 13, 2009 at 01:05:18PM -0400, Wietse Venema wrote:
>
> > Zhang Huangbin:
> > > Hi, all.
> > >
> > > smtpd_sender_login_maps is missing in proxy_read_maps, is it a good
> > > idea to add it by default? so that we can use proxymap(8) in
> > > smtpd_sender_login_maps (with default proxy_read_maps).
> >
> > I see no problem with doing this.
>
> Currently proxy_read_maps includes the various (non security sensitive)
> "rewriting" related tables, and not others:
>
> #define DEF_PROXY_READ_MAPS "$" VAR_LOCAL_RCPT_MAPS \
> " $" VAR_MYDEST \
> " $" VAR_VIRT_ALIAS_MAPS \
> " $" VAR_VIRT_ALIAS_DOMS \
> " $" VAR_VIRT_MAILBOX_MAPS \
> " $" VAR_VIRT_MAILBOX_DOMS \
> " $" VAR_RELAY_RCPT_MAPS \
> " $" VAR_RELAY_DOMAINS \
> " $" VAR_CANONICAL_MAPS \
> " $" VAR_SEND_CANON_MAPS \
> " $" VAR_RCPT_CANON_MAPS \
> " $" VAR_RELOCATED_MAPS \
> " $" VAR_TRANSPORT_MAPS \
> " $" VAR_MYNETWORKS \
> " $" VAR_SEND_BCC_MAPS \
> " $" VAR_RCPT_BCC_MAPS \
> " $" VAR_SMTP_GENERIC_MAPS \
> " $" VAR_LMTP_GENERIC_MAPS
>
> How comprehensive should the default list be?
> If smtpd_sender_login_maps is included, what else should be added?
>
> address_verify_sender_dependent_relayhost_maps
> address_verify_transport_maps
> fallback_transport_maps
> lmtp_discard_lhlo_keyword_address_maps
> lmtp_pix_workaround_maps
> lmtp_sasl_password_maps
> lmtp_tls_policy_maps
> mailbox_transport_maps
> rbl_reply_maps
> sender_dependent_relayhost_maps
> smtp_discard_ehlo_keyword_address_maps
> smtp_pix_workaround_maps
> smtp_sasl_password_maps
> smtp_tls_policy_maps
> smtpd_discard_ehlo_keyword_address_maps
> smtpd_sender_login_maps
>
> Perhaps, more, the above are just the candidate parameters not listed
> whose names end in "_maps". There are at least also:
>
> lmtp_tls_per_site
> smtp_tls_per_site
> relay_clientcerts
A little background may be in order.
Postfix has table-driven mechanisms (some security-sensitive such
as alias_maps or virtual_uid_maps) and table lookup mechanisms
(some unsuitable for security-sensitive features, such as proxy:
or tcp: maps).
The purpose of proxy_read maps is to access maps with "delayed
open" semantics (such as passwd or group) that would break when
used in chrooted daemons, and to reduce the number of handles
for "expensive" maps (such as *SQL or LDAP).
With proxy_write_maps the primary purpose is "single updater"
semantics (allowing read/write access without need for locks,
because the proxywrite server *is* the lock).
As of several years the security-sensitive table-driven mechanisms
won't allow lookups from proxy: or tcp: maps, so we don't have to
worry about that.
So the main purpose of the proxy_read_maps list is damage control:
to avoid read access to the entire file system by a compromised
chrooted process. We also may may not want to list maps with
passwords here, but it is not the end of the world if we do.
In the case of proxy_write_maps it may also be desirable to limit
the list for damage-control purposes, and list only maps where it
is OK to accept updates from arbitrary Postfix daemon processes.
Wietse
