On Thu, Jul 23, 2020 at 07:36:01PM -0500, Matt Saladna wrote:

> > Replace local submission with some IPC-based mechanism, e.g. SMTP.
>
> If my understanding is correct, submitting via SMTP would require
> credentials then to avoid anonymity of TCP unless there's a specific
> service that would work over a UDS so it can pass SO_PEERCRED along to
> Postfix.

I don't see why that problem needs to be solved. The SMTP server would
accept email only from clients on a local network; the sendmail-to-SMTP
software would add appropriate trace headers.

Sure, if some client broke out of the sandbox and bypassed the sendmail
wrapper, speaking SMTP directly, its UID would be unauditable, but I am
not convinced this justifies a more complex design.

You could of course populate:

    /var/spool/ccerts/<username>/chain.pem

with mode 0400 individual certs for each authorised submission user, and
the sendmail wrapper could use these to authenticate to the SMTP service.
Is it worth it?

--
    Viktor.
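
The wrapper design discussed in this message, sketched as an added example (not code from the thread or from Postfix): it prepends a trace header recording the caller's UID and presents the per-user client certificate only when the file is owned by the caller with mode 0400. The relay host and port, the header wording, the function names, and the assumption that chain.pem holds both the private key and the certificate chain are illustrative choices, not taken from the message.

```python
import os, pwd, re, smtplib, socket, ssl, stat, sys
from email.utils import formatdate

CCERT_ROOT = "/var/spool/ccerts"          # layout from the message above
RELAY = ("smtp.internal.example", 587)    # assumption: the local-network SMTP service

def ccert_path(username, root=CCERT_ROOT):
    """<root>/<username>/chain.pem, refusing names that could escape root."""
    if not username or "/" in username or username in (".", ".."):
        raise ValueError("unsafe username")
    return os.path.join(root, username, "chain.pem")

def usable_ccert(path, uid):
    """True only for a regular file owned by uid with mode exactly 0400."""
    try:
        st = os.lstat(path)               # lstat: a symlink is never accepted
    except OSError:
        return False
    return (stat.S_ISREG(st.st_mode) and st.st_uid == uid
            and stat.S_IMODE(st.st_mode) == 0o400)

def add_trace(raw, uid, host):
    """Prepend a Received: header naming the submitting UID; normalise to CRLF."""
    hdr = "Received: by %s (sendmail-wrapper, from userid %d);\r\n\t%s\r\n" % (
        host, uid, formatdate(localtime=True))
    return hdr.encode("ascii") + re.sub(rb"\r?\n", b"\r\n", raw)

def submit(raw, sender, rcpts, relay=RELAY):
    uid = os.getuid()
    user = pwd.getpwuid(uid).pw_name
    cert = ccert_path(user)
    with smtplib.SMTP(*relay) as s:
        if usable_ccert(cert, uid):       # otherwise submit unauthenticated
            ctx = ssl.create_default_context()
            ctx.load_cert_chain(cert)     # assumption: key and chain in one file
            s.starttls(context=ctx)
        s.sendmail(sender, rcpts, add_trace(raw, uid, socket.getfqdn()))

if __name__ == "__main__":
    # usage: wrapper.py sender rcpt... < message
    submit(sys.stdin.buffer.read(), sys.argv[1], sys.argv[2:])
```
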