> On Jan 12, 2019, at 6:02 PM, Pali Rohár <pali.ro...@gmail.com> wrote:
> 
> Meanwhile I decoded the postdrop protocol and came up with an easier
> solution:
> 
> I renamed the postdrop binary to postdrop.real and implemented a simple
> postdrop wrapper which reads stdin, injects the "R" command and passes it to
> the postdrop.real binary.

Your untrusted users can invoke "postdrop.real" directly.  What's your
threat model?  Are you hosting users, or just sloppy software you can't
easily fix that emits the wrong envelope sender?

To enforce use of your wrapper, you'd have to move the setgid bit from
the real postdrop(8) to your wrapper, and make sure your wrapper is
sufficiently robust to not admit exploits.

The supported way to handle the rewrites you're looking for is via a
content-filter or milter.

-- 
        Viktor.
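
The permission layout discussed in the reply above (rename only, versus moving the setgid bit to the wrapper) can be checked from file modes. This is an added example, not part of the original message or of Postfix; the function names are hypothetical, `audit_paths` assumes GNU `stat -c %a`, and the check does not assess the wrapper's own robustness.

```shell
#!/bin/sh
# Added example: classify a postdrop wrapper layout from file modes.
# Function names are hypothetical; modes are octal strings such as 2755.

# mode_has MODE MASK: true if any bit of octal MASK is set in octal MODE.
mode_has() {
    [ $(( 0$1 & $2 )) -ne 0 ]
}

# wrapper_verdict WRAPPER_MODE REAL_MODE: print one verdict word.
wrapper_verdict() {
    for m in "$1" "$2"; do
        case $m in
            ''|*[!0-7]*) echo invalid; return 2 ;;
        esac
    done
    if mode_has "$2" 02000 && mode_has "$2" 0001; then
        # Real binary is setgid and executable by everyone: any local
        # user can run it directly and skip the wrapper.
        echo bypassable
    elif ! mode_has "$1" 02000; then
        # Wrapper is not setgid, so it runs with only the caller's groups.
        echo wrapper-unprivileged
    elif mode_has "$2" 02000; then
        # Both are setgid; the bit has been copied, not moved.
        echo real-still-setgid
    else
        # Layout from the reply: only the wrapper is setgid. This says
        # nothing about whether the wrapper itself is robust.
        echo setgid-moved
    fi
}

# audit_paths WRAPPER REAL: read modes from disk (assumes GNU stat).
audit_paths() {
    w=$(stat -c %a -- "$1") && r=$(stat -c %a -- "$2") || return 2
    wrapper_verdict "$w" "$r"
}

if [ $# -eq 2 ]; then
    audit_paths "$1" "$2"          # real files supplied by the caller
else
    # Constructed sample modes: rename-only layout, then the moved bit.
    wrapper_verdict 755 2755       # bypassable
    wrapper_verdict 2755 755       # setgid-moved
fi
```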
