Error in milter documentation


Error in milter documentation

Jose Borges Ferreira
Following the thread "sign auto-reply vacation with OpenDKIM", I read the MILTER_README where it's stated:

"Postfix currently does not apply content filters to mail that is forwarded or aliased internally, or to mail that is generated internally such as bounces or Postmaster notifications. This may be a problem when you want to apply a signing Milter to such mail."

Since I have OpenDKIM signing my bounces I believe this was true up to some version.
Instead it should mention that internal_mail_filter_classes should be set to bounce.

José Borges Ferreira

Re: Error in milter documentation

Wietse Venema
Jose Borges Ferreira:

> Following the thread "sign auto-reply vacation with OpenDKIM" , I read the
> MILTER_README where it's stated :
>
> "Postfix currently does not apply content filters to mail that is forwarded
> or aliased internally, or to mail that is generated internally such as
> bounces or Postmaster notifications. This may be a problem when you want to
> apply a signing Milter to such mail."
>
> Since I have OpenDKIM signing my bounces I believe this was true up to some
> version.
> Instead it should mention that  internal_mail_filter_classes should be set
> to bounce.

That will break when mail is bounced due to content inspection.

        Wietse

Re: Error in milter documentation

Jose Borges Ferreira



On Sun, Oct 20, 2013 at 1:39 PM, Wietse Venema <[hidden email]> wrote:
> Jose Borges Ferreira:
> > Following the thread "sign auto-reply vacation with OpenDKIM" , I read the
> > MILTER_README where it's stated :
> >
> > "Postfix currently does not apply content filters to mail that is forwarded
> > or aliased internally, or to mail that is generated internally such as
> > bounces or Postmaster notifications. This may be a problem when you want to
> > apply a signing Milter to such mail."
> >
> > Since I have OpenDKIM signing my bounces I believe this was true up to some
> > version.
> > Instead it should mention that  internal_mail_filter_classes should be set
> > to bounce.
>
> That will break when mail is bounced due to content inspection.
>
>         Wietse

Even so, the documentation is misleading. Postfix applies bounces to content filter, it may break but applies :p

Btw, can you enumerate under which conditions it will break? I've made some mistakes configuring OpenDKIM and couldn't make Postfix misbehave.

Re: Error in milter documentation

Wietse Venema
Jose Borges Ferreira:
> Since I have OpenDKIM signing my bounces I believe this was true
> up to some version.  Instead it should mention that
> internal_mail_filter_classes should be set to bounce.

Wietse:
> That will break when mail is bounced due to content inspection.

Jose Borges Ferreira:
> Even so, the documentation is misleading. Postfix applies bounces to
> content filter, it may break but applies :p

Postfix does not filter bounces by default, precisely for the reasons
stated in my response above.

> Btw , can you enumerate under which conditions it will break ?

That is the wrong question. The right question when enabling a
feature is **will this feature be safe to use**.

I will give one example of why it is not safe: Postfix accepts mail
into the queue and then bounces it later. When this bounce is blocked
by a filter, it will disappear into a black hole, which violates
the SMTP standard.

That is only one example; that is sufficient to demonstrate that
something is unsafe. Showing that something is safe requires a more
detailed analysis. I have no time for that.

> I've made some mistakes configuring OpenDKIM and couldn't make
> Postfix misbehave.

Not all mistakes result in the loss of mail. I have put a lot of
thought into the Postfix architecture to make it safe to use.

        Wietse

Re: Error in milter documentation

Jose Borges Ferreira
On 10/20/2013 03:21 PM, Wietse Venema wrote:

> That is the wrong question. The right question when enabling a feature
> is **will this feature be safe to use**. I will give one example of
> why it is not safe: Postfix accepts mail into the queue and then
> bounces it later. When this bounce is blocked by a filter, it will
> disappear into a black hole, which violates the SMTP standard. That is
> only one example; that is sufficient to demonstrate that something is
> unsafe. Showing that something is safe requires a more detailed
> analysis. I have no time for that.


Ok, I understand that you don't have time to explain Postfix internals
but the subject was regarding documentation and the MILTER_README is
wrong.

And btw, if you think that blocking bounces is evil ( not saying you
are not right ), check the EXAMPLES section in
http://www.postfix.org/header_checks.5.html.

José Borges Ferreira

Re: Error in milter documentation

Wietse Venema
Jose Borges Ferreira:

> On 10/20/2013 03:21 PM, Wietse Venema wrote:
>
> That is the wrong question. The right question when enabling a feature
> is **will this feature be safe to use**. I will give one example of
> why it is not safe: Postfix accepts mail into the queue and then
> bounces it later. When this bounce is blocked by a filter, it will
> disappear into a black hole, which violates the SMTP standard. That is
> only one example; that is sufficient to demonstrate that something is
> unsafe. Showing that something is safe requires a more detailed
> analysis. I have no time for that.
>
> Ok, I understand that you don't have time to explain Postfix internals
> but the subject was regarding documentation and the MILTER_README is
> wrong.

Well, the text wasn't wrong. It is not safe to "filter" bounce
messages until someone does a detailed analysis to determine under
what conditions it is safe. And if they can't explain that in a few
lines then it is irrelevant, because no-one will understand it.

Apart from that, I don't think that signing bounce messages makes
much sense to begin with.

> And btw, if you think that blocking bounces is evil ( not saying you
> are not right ), check the EXAMPLES section in
> http://www.postfix.org/header_checks.5.html.

These examples block dangerous MIME types and an old IFRAME exploit.
If you apply these header_checks rules for new mail and for bounces
that Postfix itself generates, then these rules should not block
those bounces.

        Wietse

Re: Error in milter documentation

Wietse Venema
Wietse Venema:
> Jose Borges Ferreira:
> > Ok, I understand that you don't have time to explain Postfix internals
> > but the subject was regarding documentation and the MILTER_README is
> > wrong.
>
> Well, the text wasn't wrong. It is not safe to "filter" bounce
> messages until someone does a detailed analysis to determine under
> what conditions it is safe.

I don't have time for that full analysis, but it looks like
internal_mail_filter_classes=bounce can be safe (more on that at
the end of this email).

Postfix internal_mail_filter_classes was thrown in alongside with
Milter support but it does not provide the right interface for
signing mail (a result of pressure to work on other things).

Why would one want to turn on header checks when all you want is
to sign mail with a Milter? internal_mail_filter_classes needs
to be replaced by a tool that is more precise.

> > And btw, if you think that blocking bounces is evil ( not saying you
> > are not right ), check the EXAMPLES section in
> > http://www.postfix.org/header_checks.5.html.
>
> These examples block dangerous MIME types and an old IFRAME exploit.
> If you apply these header_checks rules for new mail and for bounces
> that Postfix itself generates, then these rules should not block
> those bounces.

As long as you don't have header/body_checks rules that reject only
text that appears in bounce messages, internal_mail_filter_classes=bounce
should be safe to use.

        Wietse

Re: Error in milter documentation

Jose Borges Ferreira
On Mon, Oct 21, 2013 at 4:40 PM, Wietse Venema <[hidden email]> wrote:
> I don't have time for that full analysis, but it looks like
> internal_mail_filter_classes=bounce can be safe (more on that at
> the end of this email).

So, can I assume that is safe as long as the Milter server doesn't block
the email?

> Why would one want to turn on header checks when all you want is
> to sign mail with a Milter? internal_mail_filter_classes needs
> to be replaced by a tool that is more precise.

You stated that passing bounces through a Milter is unsafe because it
could be blocked.
The header_check was only an example on how someone could block
bounces regardless of the Milter.

Regards,
José Borges Ferreira

Re: Error in milter documentation

Wietse Venema
Jose Borges Ferreira:
> On Mon, Oct 21, 2013 at 4:40 PM, Wietse Venema <[hidden email]> wrote:
> > I don't have time for that full analysis, but it looks like
> > internal_mail_filter_classes=bounce can be safe (more on that at
> > the end of this email).
>
> So, can I assume that is safe as long as the Milter server doesn't block
> the email?

internal_mail_filter_classes enables content inspection with both
Milters and header/body_checks.  As long as all those content
inspectors are also used while receiving mail, and as long as none
of those content inspectors blocks stuff that appears only in bounces
generated by Postfix itself, then "internal_mail_filter_classes=bounce"
should be safe, i.e. should not result in the loss of mail.

> > Why would one want to turn on header checks when all you want is
> > to sign mail with a Milter? internal_mail_filter_classes needs
> > to be replaced by a tool that is more precise.
>
> You stated that passing bounces through a Milter is unsafe because it
> could be blocked.

No. I stated that filtering bounces GENERATED BY POSTFIX ITSELF is
unsafe because blocking those would result in the loss of mail.

This is unsafe in principle, until it can be shown that it is safe
to use for certain use cases. I think I have outlined such a use
case above. I also think that the need for such an analysis shows
that the feature is not optimally designed. Postfix should be easy
to use safely, and hard to use incorrectly.

> The header_check was only an example on how someone could block
> bounces regardless of the Milter.

The discussion is about internal_mail_filter_classes, and enabling
Milters and header/body_checks for bounce messages generated by
Postfix itself. The discussion of header_checks is appropriate
where there is concern about loss of mail.

        Wietse
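
Added example, not part of the thread and not Postfix code: a pre-flight check for the condition stated in the last message, namely that no header_checks rule blocks text found in bounces generated by Postfix itself, to run before setting internal_mail_filter_classes=bounce. The sample headers, the sample table and the function name are constructed for illustration; Python's `re` stands in for the POSIX regular expressions Postfix uses, and only simple `/pattern/flags ACTION` lines are parsed. It flags every blocking rule that matches the sample bounce, which is a conservative superset of the rules that match only bounces.

```python
import re

# Constructed sample: headers of the kind Postfix puts on a bounce it generates.
SAMPLE_BOUNCE_HEADERS = [
    "From: MAILER-DAEMON@mail.example.com (Mail Delivery System)",
    "Subject: Undelivered Mail Returned to Sender",
    "To: sender@example.org",
    "Auto-Submitted: auto-replied",
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
]

# Constructed header_checks table (regexp: syntax). The second rule is the
# hazard: it blocks text that appears only in bounces.
SAMPLE_HEADER_CHECKS = r"""
# block executable attachments
/^Content-Type:.*name=.*\.(exe|scr|pif)/ REJECT bad attachment
/^From:.*MAILER-DAEMON/ DISCARD
/^Subject:.*make money fast/ REJECT
"""

# Assumption: simple one-line rules only; Python re approximates POSIX regex.
RULE = re.compile(r"^/(.+)/([imx]*)\s+([A-Za-z]+)")
BLOCKING = {"REJECT", "DISCARD"}  # actions after which the bounce is not delivered


def blocking_rules_hit(table_text, headers):
    """Return (action, pattern, header) for each blocking rule that matches."""
    hits = []
    for line in table_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # comments, blanks, if/endif and continuation lines are skipped
        pattern, flags, action = m.group(1), m.group(2), m.group(3).upper()
        if action not in BLOCKING:
            continue
        # regexp_table(5): case-insensitive by default, the "i" flag toggles that.
        rx = re.compile(pattern, 0 if "i" in flags else re.IGNORECASE)
        # header_checks sees one logical header at a time.
        hits += [(action, pattern, h) for h in headers if rx.search(h)]
    return hits


if __name__ == "__main__":
    for action, pattern, header in blocking_rules_hit(
            SAMPLE_HEADER_CHECKS, SAMPLE_BOUNCE_HEADERS):
        print(f"{action} /{pattern}/ would block bounce header: {header}")
```

An empty result for the sample only says that these rules do not hit this constructed bounce; the same check should be repeated against bounces captured from the actual system, and body_checks and Milter policy need their own review.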