On Thu, Jul 23, 2020 at 07:36:01PM -0500, Matt Saladna wrote:

>  > Replace local submission with some IPC-based mechanism, e.g. SMTP.
> 
> If my understanding is correct, submitting via SMTP would require 
> credentials then to avoid anonymity of TCP unless there's a specific 
> service that would work over a UDS so it can pass SO_PEERCRED along to 
> Postfix.

I don't see why that problem needs to be solved.  The SMTP server would
accept email only from clients on a local network; the sendmail-to-SMTP
software would add appropriate trace headers.

Sure, if some client broke out of the sandbox and bypassed the sendmail
wrapper, speaking SMTP directly, its UID would be unauditable, but I am
not convinced this justifies a more complex design.

You could of course populate:

    /var/spool/ccerts/<username>/chain.pem

with mode 0400 individual certs for each authorised submission user, and
the sendmail wrapper could use these to authenticate to the SMTP
service.  Is it worth it?

-- 
    Viktor.
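
The per-user certificate idea above, sketched as an added example (not code from this thread or from Postfix): a wrapper refuses to use chain.pem unless it is a 0400 regular file owned by the caller, prepends a trace header naming the UID, and presents the certificate over STARTTLS. The function names, the header wording, the host/port defaults and the key-then-certificates layout of chain.pem are assumptions.

```python
import os, smtplib, socket, ssl, stat
from email.utils import formatdate

CCERT_BASE = "/var/spool/ccerts"  # layout from the message: <base>/<username>/chain.pem

def client_cert_path(username, base=CCERT_BASE, uid=None):
    """Return <base>/<username>/chain.pem only if it is a 0400 regular file owned by uid."""
    uid = os.getuid() if uid is None else uid
    if "/" in username or username in ("", ".", ".."):
        raise ValueError("invalid username")
    path = os.path.join(base, username, "chain.pem")
    st = os.lstat(path)  # lstat so a symlink is judged itself, not its target
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != uid:
        raise PermissionError(f"{path}: owner uid {st.st_uid}, expected {uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        raise PermissionError(f"{path}: mode {mode:04o}, expected 0400")
    return path

def add_trace(raw, username, uid, hostname):
    """Prepend a trace header naming the submitting UID (header wording is assumed)."""
    eol = "\r\n" if b"\r\n" in raw else "\n"  # keep the message's own line endings
    line = (f"Received: by {hostname} (sendmail wrapper, "
            f"from userid {uid} [{username}]); {formatdate()}{eol}")
    return line.encode("ascii") + raw

def submit(raw, sender, rcpts, username, host="localhost", port=587):
    """Send raw message bytes over SMTP, authenticating with the user's client cert."""
    ctx = ssl.create_default_context()
    # Assumption: chain.pem holds the private key followed by the certificate chain.
    ctx.load_cert_chain(client_cert_path(username))
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls(context=ctx)
        traced = add_trace(raw, username, os.getuid(), socket.gethostname())
        smtp.sendmail(sender, rcpts, traced)
```

The server side still has to require and map client certificates for this to identify the submitter; the sketch covers only the wrapper.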
