reinjection via unix socket

reinjection via unix socket

Lars Täuber
Hello,

our mail server does local content_filtering via lmtp over unix socket.
This filter is capable of reinjecting the result via unix socket too.
I'd like to use this.

But I come across a problem.
The inet-way of reinjection is defined in our master.cf as follows:

127.0.0.1:10026
          inet  n       -       n       -       3       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o smtpd_tls_security_level=none

Now I translated this into unix socket:
backdoor
          unix  -       -       n       -       3       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
  -o smtpd_tls_security_level=none

The problem is how to translate the following:
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

I'd like to do something
* smtpd_recipient_restrictions=permit_mynetworks,reject
translated to
* smtpd_recipient_restrictions=permit,reject
* smtpd_helo_required=yes
* smtpd_helo_restrictions=check_helo_access hash:/etc/postfix/backdoor
(what's the master.cf syntax as a command line option - no spaces allowed)

And with the X-Headers:
* smtpd_authorized_xforward_hosts=127.0.0.0/8
translated to
* smtpd_authorized_xforward_hosts=unix

But this doesn't seem to be supported, does it?
Will this be supported in a future version?

Thanks
Lars

PS: Wietse thanks for this great postfix system!

Re: reinjection via unix socket

Wietse Venema
Lars Täuber:
> Now I translated this into unix socket:
> backdoor
>           unix  -       -       n       -       3       smtpd
>   -o content_filter=

That may work, but I wonder what the SMTP client hostname and
address look like. That will ultimately determine what you
can use in your access rules.

        Wietse

Re: reinjection via unix socket

Wietse Venema
Wietse Venema:
> Lars Täuber:
> > Now I translated this into unix socket:
> > backdoor
> >           unix  -       -       n       -       3       smtpd
> >   -o content_filter=
>
> That may work, but I wonder what the SMTP client hostname and
> address look like. That will ultimately determine what you
> can use in your access rules.

If the connection is not AF_INET or AF_INET6, Postfix pretends it
is localhost[127.0.0.1]. This should probably be made configurable
because at some point using a fake AF_INET6 address would become a
better choice.

        Wietse

Re: reinjection via unix socket

Lars Täuber
Hello Wietse,

On Thu, 14 Jul 2011 12:08:34 -0400 (EDT)
Wietse Venema <[hidden email]> wrote:
> If the connection is not AF_INET or AF_INET6, Postfix pretends it
> is localhost[127.0.0.1].

thanks. This helps a lot!
I just had a quick scan over the docs and couldn't find this info.

Thanks
Lars

Re: reinjection via unix socket

Wietse Venema
Lars Täuber:
> Hello Wietse,
>
> On Thu, 14 Jul 2011 12:08:34 -0400 (EDT)
> Wietse Venema <[hidden email]> wrote:
> > If the connection is not AF_INET or AF_INET6, Postfix pretends it
> > is localhost[127.0.0.1].
>
> thanks. This helps a lot!
> I just had a quick scan over the docs and couldn't find this info.

This is part of first-generation hard-coded behavior that still
needs to be finished (in this case, the surrogate name and address
will need to be configurable).

        Wietse

Re: reinjection via unix socket

Lars Täuber
Hi Wietse,

the unix socket can't be used by other users than root or postfix.
Is there a way to configure ownership and/or permissions for the socket?

I thought under Linux the filesystem permissions reflect the permissions to
the unix socket.

Here is my config and the socket:
master.cf:
backdoor
          unix  n       -       n       -       3       smtpd

# ls -l /var/spool/postfix/public/backdoor
srw-rw-rw- 1 postfix postdrop 0 2011-07-19 14:15 /var/spool/postfix/public/backdoor
# sudo -u dspam /usr/bin/socat - UNIX-CONNECT:/var/spool/postfix/public/backdoor
2011/07/19 16:53:44 socat[23143] E connect(3, AF=1 "/var/spool/postfix/public/backdoor", 36): Permission denied

Am I doing something wrong?

Thanks again
Lars

Re: reinjection via unix socket

Matthias Andree
On 19.07.2011 17:02, Lars Täuber wrote:

> Hi Wietse,
>
> the unix socket can't be used by other users than root or postfix.
> Is there a way to configure ownership and/or permissions for the socket?
>
> I thought under Linux the filesystem permissions reflect the permissions to
> the unix socket.
>
> Here is my config and the socket:
> master.cf:
> backdoor
>           unix  n       -       n       -       3       smtpd
>
> # ls -l /var/spool/postfix/public/backdoor
> srw-rw-rw- 1 postfix postdrop 0 2011-07-19 14:15 /var/spool/postfix/public/backdoor
> # sudo -u dspam /usr/bin/socat - UNIX-CONNECT:/var/spool/postfix/public/backdoor
> 2011/07/19 16:53:44 socat[23143] E connect(3, AF=1 "/var/spool/postfix/public/backdoor", 36): Permission denied
>
> Am I doing something wrong?

Don't forget about the directory permissions. The dspam user needs
execute permission for all containing directories, i.e.
/var/spool/postfix/public, /var/spool/postfix, /var/spool, /var, and /.

I suppose your dspam system user probably doesn't have access to the
/var/spool/postfix/public directory (1), which you should check.

If that's indeed the situation, review the security implications; you
can either use ACLs to grant the dspam user execute permission to fix that
up (if supported and enabled on your /var filesystem), or you can
consider making dspam a member of the postdrop group.


(1) mine looks like this on Postfix 2.8:

drwx--s--- 2 postfix postdrop 4096 2011-07-19 00:44
/var/spool/postfix/public

Re: reinjection via unix socket

Lars Täuber
Hi Matthias,

On Tue, 19 Jul 2011 17:11:57 +0200
Matthias Andree <[hidden email]> wrote:

> On 19.07.2011 17:02, Lars Täuber wrote:
> > Hi Wietse,
> >
> > the unix socket can't be used by other users than root or postfix.
> > Is there a way to configure ownership and/or permissions for the socket?
> >
> > I thought under Linux the filesystem permissions reflect the permissions
> > to the unix socket.
> >
> > Here is my config and the socket:
> > master.cf:
> > backdoor
> >           unix  n       -       n       -       3       smtpd
> >
> > # ls -l /var/spool/postfix/public/backdoor
> > srw-rw-rw- 1 postfix postdrop 0 2011-07-19 14:15 /var/spool/postfix/public/backdoor
> > # sudo -u dspam /usr/bin/socat - UNIX-CONNECT:/var/spool/postfix/public/backdoor
> > 2011/07/19 16:53:44 socat[23143] E connect(3, AF=1 "/var/spool/postfix/public/backdoor", 36): Permission denied
> >
> > Am I doing something wrong?
>
> Don't forget about the directory permissions. The dspam user needs
> execute permission for all containing directories, i.e.
> /var/spool/postfix/public, /var/spool/postfix, /var/spool, /var, and /.
>
> I suppose your dspam system user probably doesn't have access to the
> /var/spool/postfix/public directory (1), which you should check.
>
> If that's indeed the situation, review the security implications; you
> can either use ACLs to grant the dspam user execute permission to fix that
> up (if supported and enabled on your /var filesystem), or you can
> consider making dspam a member of the postdrop group.

thanks. That's it. I just put dspam in the postdrop group.

 
>
> (1) mine looks like this on Postfix 2.8:
>
> drwx--s--- 2 postfix postdrop 4096 2011-07-19 00:44
> /var/spool/postfix/public

Sunny greetings from Berlin
Lars

Re: reinjection via unix socket

Victor Duchovni
In reply to this post by Lars Täuber
On Tue, Jul 19, 2011 at 05:02:34PM +0200, Lars Täuber wrote:

> The unix socket can't be used by other users than root or postfix.
> Is there a way to configure ownership and/or permissions for the socket?

No, the parent directory: $queue_directory/private, must be protected
from users other than "postfix" (or "root").

> I thought under Linux the filesystem permissions reflect the permissions to
> the unix socket.

The entire path to the unix socket, including parent directories.

$ ls -ld /var/spool/postfix/private/ /var/spool/postfix/public/
drwx------  2 postfix root     4096 Jun  7 17:59 /var/spool/postfix/private/
drwx--x---  2 postfix postdrop 4096 Jun  7 17:59 /var/spool/postfix/public/

> Am I doing something wrong?

To run an smtpd in a less restricted directory, you need to place the
socket in a new location. You can create

        /var/spool/postfix/world

owner postfix, mode 0755, and in master.cf use:

        ../world/sname unix ...

instead of

        sname unix ...

with this any user will be able to access the socket. Of course at that
point, why not just use "inet" instead with a loopback address?

The only group available to Postfix when it binds listening unix-domain
sockets is the primary group of the postfix user. You could in principle
create:

drwxr-x---  2 postfix postfix  4096 Jun  7 17:59 /var/spool/postfix/shared/

instead of "world", and give some users a second group of "postfix".
AFAIK nothing in the Postfix system assigns special permissions to
this group (as opposed to the "postdrop" group, which must not be
the primary group of the "postfix" user).

--
        Viktor.

Re: reinjection via unix socket

Victor Duchovni
In reply to this post by Matthias Andree
On Tue, Jul 19, 2011 at 05:11:57PM +0200, Matthias Andree wrote:

> If that's indeed the situation, review the security implications; you
> can either use ACLs to grant the dspam user execute permission to fix that
> up (if supported and enabled on your /var filesystem), or you can
> consider making dspam a member of the postdrop group.
>
> (1) mine looks like this on Postfix 2.8:
>
> drwx--s--- 2 postfix postdrop 4096 2011-07-19 00:44
> /var/spool/postfix/public

I think it is unwise to add "dspam" to the "postdrop" group. This would
give "dspam" unwanted additional rights, e.g. to write the maildrop
directory.

--
        Viktor.
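The permission walk Matthias and Viktor describe, as an added example (not code from the thread or from Postfix): it models the kernel's check of search permission on every parent directory and read/write on the socket itself, using the directory listings posted above plus an assumed maildrop/ entry that shows why membership in "postdrop" grants more than the socket.

```python
import posixpath

# Constructed sample: path -> (ls-style mode, owner, group). The public/ and
# backdoor lines are the listings posted in the thread; the other directories
# are assumed typical defaults, and maildrop/ is an assumed entry added only
# to show what membership in "postdrop" grants beyond the socket.
TREE = {
    "/":                                  ("drwxr-xr-x", "root",    "root"),
    "/var":                               ("drwxr-xr-x", "root",    "root"),
    "/var/spool":                         ("drwxr-xr-x", "root",    "root"),
    "/var/spool/postfix":                 ("drwxr-xr-x", "root",    "root"),
    "/var/spool/postfix/public":          ("drwx--s---", "postfix", "postdrop"),
    "/var/spool/postfix/public/backdoor": ("srw-rw-rw-", "postfix", "postdrop"),
    "/var/spool/postfix/maildrop":        ("drwx-wx--T", "postfix", "postdrop"),
}

def parse_mode(mode):
    """Turn 'drwx--s---' into (owner, group, other) sets of r/w/x bits.
    's'/'t' mean x is set together with setgid/sticky; 'S'/'T' mean it is not."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character ls mode, got %r" % mode)
    classes = []
    for i in (1, 4, 7):
        r, w, x = mode[i:i + 3]
        classes.append({b for b, on in (("r", r == "r"), ("w", w == "w"), ("x", x in "xst")) if on})
    return tuple(classes)

def effective_bits(entry, user, groups):
    """Permission class the kernel applies to this (non-root) user: owner, group or other."""
    mode, owner, group = entry
    owner_bits, group_bits, other_bits = parse_mode(mode)
    if user == owner:
        return owner_bits
    if group in groups:
        return group_bits
    return other_bits

def ancestors(path):
    """Every directory that must be searched to reach path: '/a/b/c' -> ['/', '/a', '/a/b']."""
    dirs = []
    cur = posixpath.dirname(path)
    while True:
        dirs.append(cur)
        if cur == "/":
            break
        cur = posixpath.dirname(cur)
    return dirs[::-1]

def first_denied(tree, user, groups, path, need):
    """Return the first path component that blocks `user`, or None when access is granted.
    Each parent directory needs search (x); the final object needs every bit in `need`."""
    for d in ancestors(path):
        if "x" not in effective_bits(tree[d], user, groups):
            return d
    if not set(need) <= effective_bits(tree[path], user, groups):
        return path
    return None
```

With the sample tree, `first_denied(TREE, "dspam", {"dspam"}, "/var/spool/postfix/public/backdoor", "rw")` names the public/ directory as the blocker even though the socket itself is world-writable, and adding "postdrop" to the group set also passes the maildrop/ check with "wx".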

Re: reinjection via unix socket

Victor Duchovni
In reply to this post by Lars Täuber
On Tue, Jul 19, 2011 at 05:29:57PM +0200, Lars Täuber wrote:

> > If that's indeed the situation, review the security implications; you
> > can either use ACLs to grant the dspam user execute permission to fix that
> > up (if supported and enabled on your /var filesystem), or you can
> > consider making dspam a member of the postdrop group.
>
> thanks. That's it. I just put dspam in the postdrop group.

Without thinking about it too much, since it is reasonably expedient. :-(

My advice: just use a privileged port bound to the loopback interface,
there are many free ports near 25: 24, 26, 27, 28, 29. If you want to
prevent spoofing of the service by unprivileged users, use one of those.

Are you really concerned about local bypass of the filter? If so, SASL
may be more robust than messing around with directory permissions.

--
        Viktor.

Re: reinjection via unix socket

Lars Täuber
In reply to this post by Victor Duchovni
Hello Victor,

On Tue, 19 Jul 2011 11:37:56 -0400
Victor Duchovni <[hidden email]> wrote:

> On Tue, Jul 19, 2011 at 05:02:34PM +0200, Lars Täuber wrote:
>
> > The unix socket can't be used by other users than root or postfix.
> > Is there a way to configure ownership and/or permissions for the socket?
>
> No, the parent directory: $queue_directory/private, must be protected
> from users other than "postfix" (or "root").
>
> > I thought under Linux the filesystem permissions reflect the permissions
> > to the unix socket.
>
> The entire path to the unix socket, including parent directories.
>
> $ ls -ld /var/spool/postfix/private/ /var/spool/postfix/public/
> drwx------  2 postfix root     4096 Jun  7 17:59 /var/spool/postfix/private/
> drwx--x---  2 postfix postdrop 4096 Jun  7 17:59 /var/spool/postfix/public/
>
> > Am I doing something wrong?
>
> To run an smtpd in a less restricted directory, you need to place the
> socket in a new location. You can create
>
> /var/spool/postfix/world
>
> owner postfix, mode 0755, and in master.cf use:
>
> ../world/sname unix ...
>
> instead of
>
> sname unix ...

thanks for this hint.

I try your approach but have connection problems.

This is what I did:
$ ls -ld /var/spool/postfix/dspam/
drwx-ws--T 2 postfix dspam 4096 2011-07-20 11:27 /var/spool/postfix/dspam/

$ ls -l /var/spool/postfix/dspam/
total 0
srw-rw-rw- 1 postfix dspam 0 2011-07-20 11:26 backdoor
srwxrwxrwx 1 dspam   dspam 0 2011-07-20 11:27 filter

master.cf:
../dspam/backdoor
          unix  n       -       n       -       3       smtpd
[...]

Now it is possible to talk to the dspam filter:
# sudo -u postfix /usr/bin/socat -
# UNIX-CONNECT:/var/spool/postfix/dspam/filter
220 DSPAM LMTP 3.6.8 Ready
quit
221 2.0.0 OK


But I don't get any answer from the postfix backdoor:
# sudo -u dspam /usr/bin/socat - UNIX-CONNECT:/var/spool/postfix/dspam/backdoor
sdfdsds
s
^C

Any more things to consider?

> with this any user will be able to access the socket. Of course at that
> point, why not just use "inet" instead with a loopback address?

I try to avoid the usage of AF_INET-sockets because of CPU and traffic overhead.

Lars

Re: reinjection via unix socket

Lars Täuber
Sorry, I had automatic line breaking activated in my mail program.
The correct command line was this:

# sudo -u postfix /usr/bin/socat - UNIX-CONNECT:/var/spool/postfix/dspam/filter
220 DSPAM LMTP 3.6.8 Ready
quit
221 2.0.0 OK


Best wishes
Lars

Re: reinjection via unix socket

Lars Täuber
In reply to this post by Victor Duchovni
Hi Victor,

On Tue, 19 Jul 2011 11:37:56 -0400
Victor Duchovni <[hidden email]> wrote:

> On Tue, Jul 19, 2011 at 05:02:34PM +0200, Lars Täuber wrote:
>
> > The unix socket can't be used by other users than root or postfix.
> > Is there a way to configure ownership and/or permissions for the socket?
>
> No, the parent directory: $queue_directory/private, must be protected
> from users other than "postfix" (or "root").
>
> > I thought under Linux the filesystem permissions reflect the permissions
> > to the unix socket.
>
> The entire path to the unix socket, including parent directories.
>
> $ ls -ld /var/spool/postfix/private/ /var/spool/postfix/public/
> drwx------  2 postfix root     4096 Jun  7 17:59 /var/spool/postfix/private/
> drwx--x---  2 postfix postdrop 4096 Jun  7 17:59 /var/spool/postfix/public/
>
> > Am I doing something wrong?
>
> To run an smtpd in a less restricted directory, you need to place the
> socket in a new location. You can create
>
> /var/spool/postfix/world
>
> owner postfix, mode 0755, and in master.cf use:
>
> ../world/sname unix ...
>
> instead of
>
> sname unix ...

using this leads me into this error message:
mail.err:
[...] postfix/smtpd[29046]: fatal: open lock file pid/unix.../world/sname:
cannot create file exclusively: No such file or directory

I couldn't find locking options for smtpd.

How can this be solved?

Thanks
Lars

Re: reinjection via unix socket

Wietse Venema
Lars Täuber:

> > $ ls -ld /var/spool/postfix/private/ /var/spool/postfix/public/
> > drwx------  2 postfix root     4096 Jun  7 17:59 /var/spool/postfix/private/
> > drwx--x---  2 postfix postdrop 4096 Jun  7 17:59 /var/spool/postfix/public/
> >
> > > Am I doing something wrong?
> >
> > To run an smtpd in a less restricted directory, you need to place the
> > socket in a new location. You can create
> >
> > /var/spool/postfix/world

Surprisingly, Postfix supports only the two socket directories that
it was designed for.

Before I even consider adding socket directories to Postfix I would
like to see the result of a competently done benchmark across
multiple operating system stacks (i.e. not just linux) that shows
that loopback (127.0.0.1) performance is inadequate.

By competent I mean a benchmark that does not ruin the performance
of loopback sockets with Nagle delays because of improper buffering.

        Wietse

Re: reinjection via unix socket

Lars Täuber
Hello everybody,

On Wed, 20 Jul 2011 08:43:29 -0400 (EDT)
Wietse Venema <[hidden email]> wrote:

> Lars Täuber:
> > > $ ls -ld /var/spool/postfix/private/ /var/spool/postfix/public/
> > > drwx------  2 postfix root     4096 Jun  7 17:59 /var/spool/postfix/private/
> > > drwx--x---  2 postfix postdrop 4096 Jun  7 17:59 /var/spool/postfix/public/
> > >
> > > > Am I doing something wrong?
> > >
> > > To run an smtpd in a less restricted directory, you need to place the
> > > socket in a new location. You can create
> > >
> > > /var/spool/postfix/world
>
> Surprisingly, Postfix supports only the two socket directories that
> it was designed for.
>
> Before I even consider adding socket directories to Postfix I would
> like to see the result of a competently done benchmark across
> multiple operating system stacks (i.e. not just linux) that shows
> that loopback (127.0.0.1) performance is inadequate.

I made some quick and dirty tests with socat and unix sockets, tcp over
loopback and tcp over the local network (real IP on eth0 on the same machine) and saw
nearly no difference between loopback and unix socket.

Only between loopback and the local network is there something measurable on the
client side.

So I switch back to loopback.

Thanks
Lars

Re: reinjection via unix socket

Victor Duchovni
In reply to this post by Lars Täuber
On Wed, Jul 20, 2011 at 01:49:20PM +0200, Lars Täuber wrote:

> using this leads me into this error message:
> mail.err:
> [...] postfix/smtpd[29046]: fatal: open lock file pid/unix.../world/sname:
> cannot create file exclusively: No such file or directory
>
> I couldn't find locking options for smtpd.
>
> How can this be solved?

Oops, sorry, I guess that trick won't work. Loopback is really much
simpler.

--
        Viktor.