Demi M. Obenour:
> On 2020-09-30 16:35, Wietse Venema wrote:
> > Demi M. Obenour:
> >> - If a message arrives via the SMTPS or submission ports, I
> >> want to replace the address part of the user-supplied From:
> >> header with the envelope From: header. This allows me to use
> >> reject_sender_login_mismatch to prevent users from sending messages
> >> with forged From: addresses.
> >
> > There are two parts to this:
> >
> > 1) Locking down the envelope.from.
> >
> > With authenticated smtp submission, the envelope.from can be
> > constrained by smtpd_sender_login_maps.
> >
> > With sendmail/postdrop submission the UNIX login name can be
> > overridden with "sendmail -f". There is no code in Postfix to
> > lock down "sendmail -f", and there is no 'plugin' interface that
> > could do this, either. I don't like the idea of adding complex
> > logic to the set-gid postdrop command to lock down "sendmail
> > -f". Doing the lockdown in the pickup daemon would be more
> > secure but has the problem that the 'reject' happens too late.
>
> I looked at the postdrop source code to see what locking down "sendmail
> -f" would entail. Checking that the current user can use `-f` seems
> to be just looking up the current username in an ACL, which postdrop
> already does for authorized_submit_users. Checking that -f was not
> passed looks to just be a string equality check, unless I am missing
> something. Of course, converting the same UID to a username three
> times is not a good idea performance-wise, but that can be fixed with
> some minor refactoring.
>
> Another option is to emit a good error message from sendmail, and then
> do the security check in pickup. If a user calls postdrop directly,
> the reject will happen late, but my understanding is that this isn't
> supported.
>
> Would you be interested in a patch that implemented either of these
> options?
I think that the envelope.from lockdown should be enforced in pickup
or before pickup but not both. If it is both then the code in the
pickup daemon will be a NOOP. When code is usually a NOOP no-one
will notice when they break it.

If a sender_login_maps feature can be implemented in postdrop without
giving an untrusted user control over the program, then let's try
that. Note that the /usr/sbin/sendmail submission path has not been
optimized for performance, so adding another getpwuid() call should
not be a deal breaker.

> > 2) Locking down the header.from based on the envelope.from.
> >
> > You need a way to restrict the values of header.from that may
> > be used with a given envelope.from. There is no such code in
> > Postfix, but this can be done with a plugin such as a Milter.
>
> It looks like this can be implemented (without changes to Postfix
> itself) by using header_checks(5) to ignore the From: header.
> cleanup(8) will then insert its own From: header.
>
> Is this a good idea? It worked for me when I used sendmail(1).

This will break email that legitimately overrides the envelope sender
address, such as mailing list managers.

You could specify "pickup -o cleanup_service=local_cleanup" and define
a custom cleanup service with a custom header_checks action.

	Wietse
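The configuration below is an added illustration of the two halves of this exchange; it is not from the thread or from the Postfix distribution. It shows the envelope.from lockdown for authenticated submission with smtpd_sender_login_maps plus reject_sender_login_mismatch, and the per-path cleanup service approach suggested above: the submission smtpd and the pickup daemon each get their own cleanup(8) instance whose header_checks IGNORE the user-supplied From: header, so that cleanup(8) regenerates one from the envelope sender, while port 25 mail keeps the default cleanup and its From: headers untouched. The service names (submission_cleanup, local_cleanup), file paths, and the map contents are assumptions chosen for the example; the main.cf parameter that selects a cleanup service is spelled cleanup_service_name in postconf(5).

```conf
# ---- main.cf (illustrative values, not from the thread) ----

# Who may use which envelope sender when SASL-authenticated.
# Keys are MAIL FROM addresses, values are SASL login names.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# cleanup(8) only adds a missing From: header for clients that match
# this list (or when always_add_missing_headers = yes). Remote
# submitters are not on $inet_interfaces, so SASL clients must be
# listed here or IGNOREing From: would leave the message without one.
local_header_rewrite_clients = permit_inet_interfaces, permit_sasl_authenticated

# ---- /etc/postfix/sender_login (constructed sample; run postmap) ----
# alice@example.com    alice
# bob@example.com      bob
# support@example.com  alice, bob     # several logins may own one address

# ---- master.cf ----
# service     type  private unpriv chroot wakeup maxproc command + args

# Authenticated submission port: lock down envelope.from, then hand
# the message to a cleanup instance that strips the client's From:.
submission    inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=submission_cleanup

submission_cleanup unix n     -      n      -      0       cleanup
  -o header_checks=pcre:/etc/postfix/strip_from_header

# Local sendmail(1)/postdrop path: a separate cleanup instance, so the
# From: stripping does not apply to mail arriving on port 25.
# Caveat from the thread: this also rewrites From: on mail that
# legitimately sets a From: different from the envelope sender
# (mailing list managers, cron wrappers) when they submit locally.
pickup        unix  n       -      n      60     1       pickup
  -o cleanup_service_name=local_cleanup

local_cleanup unix  n       -      n      -      0       cleanup
  -o header_checks=pcre:/etc/postfix/strip_from_header

# ---- /etc/postfix/strip_from_header ----
# IGNORE deletes the header (including continuation lines); cleanup(8)
# then supplies "From: <envelope-sender>" for clients it rewrites for.
# /^From:/    IGNORE
```

After editing, reload with "postfix reload" and confirm the effect by sending a message through the submission port with a From: header that does not match the authenticated login: the SMTP transaction should be rejected at MAIL FROM if the envelope sender is not owned by the login, and if it is, the delivered message should carry a From: equal to the envelope sender rather than the one the client supplied. Inbound port 25 mail, which still uses the default cleanup service, should arrive with its original From: intact.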