smtpd_sender_login_maps is missing in proxy_read_maps

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

smtpd_sender_login_maps is missing in proxy_read_maps

Zhang Huangbin
Hi, all.

smtpd_sender_login_maps is missing in proxy_read_maps, is it a good  
idea to add it by default? so that we can use proxymap(8) in  
smtpd_sender_login_maps (with default proxy_read_maps).


--
Best Regards.

Zhang Huangbin

- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux,
   CentOS, Debian, Ubuntu: http://www.iredmail.org/

Reply | Threaded
Open this post in threaded view
|

Re: smtpd_sender_login_maps is missing in proxy_read_maps

Wietse Venema
Zhang Huangbin:
> Hi, all.
>
> smtpd_sender_login_maps is missing in proxy_read_maps, is it a good  
> idea to add it by default? so that we can use proxymap(8) in  
> smtpd_sender_login_maps (with default proxy_read_maps).

I see no problem with doing this.

        Wietse

>
> --
> Best Regards.
>
> Zhang Huangbin
>
> - Open Source Mail Server Solution for Red Hat(R) Enterprise Linux,
>    CentOS, Debian, Ubuntu: http://www.iredmail.org/
>
>
>

Reply | Threaded
Open this post in threaded view
|

Re: smtpd_sender_login_maps is missing in proxy_read_maps

Victor Duchovni
On Tue, Oct 13, 2009 at 01:05:18PM -0400, Wietse Venema wrote:

> Zhang Huangbin:
> > Hi, all.
> >
> > smtpd_sender_login_maps is missing in proxy_read_maps, is it a good  
> > idea to add it by default? so that we can use proxymap(8) in  
> > smtpd_sender_login_maps (with default proxy_read_maps).
>
> I see no problem with doing this.

Currently proxy_read_maps includes the various (non security sensitive)
"rewriting" related tables, and not others:

    #define DEF_PROXY_READ_MAPS     "$" VAR_LOCAL_RCPT_MAPS \
                                    " $" VAR_MYDEST \
                                    " $" VAR_VIRT_ALIAS_MAPS \
                                    " $" VAR_VIRT_ALIAS_DOMS \
                                    " $" VAR_VIRT_MAILBOX_MAPS \
                                    " $" VAR_VIRT_MAILBOX_DOMS \
                                    " $" VAR_RELAY_RCPT_MAPS \
                                    " $" VAR_RELAY_DOMAINS \
                                    " $" VAR_CANONICAL_MAPS \
                                    " $" VAR_SEND_CANON_MAPS \
                                    " $" VAR_RCPT_CANON_MAPS \
                                    " $" VAR_RELOCATED_MAPS \
                                    " $" VAR_TRANSPORT_MAPS \
                                    " $" VAR_MYNETWORKS \
                                    " $" VAR_SEND_BCC_MAPS \
                                    " $" VAR_RCPT_BCC_MAPS \
                                    " $" VAR_SMTP_GENERIC_MAPS \
                                    " $" VAR_LMTP_GENERIC_MAPS

How comprehensive should the default list be?
If smtpd_sender_login_maps is included, what else should be added?

    address_verify_sender_dependent_relayhost_maps
    address_verify_transport_maps
    fallback_transport_maps
    lmtp_discard_lhlo_keyword_address_maps
    lmtp_pix_workaround_maps
    lmtp_sasl_password_maps
    lmtp_tls_policy_maps
    mailbox_transport_maps
    rbl_reply_maps
    sender_dependent_relayhost_maps
    smtp_discard_ehlo_keyword_address_maps
    smtp_pix_workaround_maps
    smtp_sasl_password_maps
    smtp_tls_policy_maps
    smtpd_discard_ehlo_keyword_address_maps
    smtpd_sender_login_maps

Perhaps, more, the above are just the candidate parameters not listed
whose names end in "_maps". There are at least also:

        lmtp_tls_per_site
        smtp_tls_per_site
        relay_clientcerts

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Reply | Threaded
Open this post in threaded view
|

Re: smtpd_sender_login_maps is missing in proxy_read_maps

Wietse Venema
Victor Duchovni:

> On Tue, Oct 13, 2009 at 01:05:18PM -0400, Wietse Venema wrote:
>
> > Zhang Huangbin:
> > > Hi, all.
> > >
> > > smtpd_sender_login_maps is missing in proxy_read_maps, is it a good  
> > > idea to add it by default? so that we can use proxymap(8) in  
> > > smtpd_sender_login_maps (with default proxy_read_maps).
> >
> > I see no problem with doing this.
>
> Currently proxy_read_maps includes the various (non security sensitive)
> "rewriting" related tables, and not others:
>
>     #define DEF_PROXY_READ_MAPS     "$" VAR_LOCAL_RCPT_MAPS \
>    " $" VAR_MYDEST \
>    " $" VAR_VIRT_ALIAS_MAPS \
>    " $" VAR_VIRT_ALIAS_DOMS \
>    " $" VAR_VIRT_MAILBOX_MAPS \
>    " $" VAR_VIRT_MAILBOX_DOMS \
>    " $" VAR_RELAY_RCPT_MAPS \
>    " $" VAR_RELAY_DOMAINS \
>    " $" VAR_CANONICAL_MAPS \
>    " $" VAR_SEND_CANON_MAPS \
>    " $" VAR_RCPT_CANON_MAPS \
>    " $" VAR_RELOCATED_MAPS \
>    " $" VAR_TRANSPORT_MAPS \
>    " $" VAR_MYNETWORKS \
>    " $" VAR_SEND_BCC_MAPS \
>    " $" VAR_RCPT_BCC_MAPS \
>    " $" VAR_SMTP_GENERIC_MAPS \
>    " $" VAR_LMTP_GENERIC_MAPS
>
> How comprehensive should the default list be?
> If smtpd_sender_login_maps is included, what else should be added?
>
>     address_verify_sender_dependent_relayhost_maps
>     address_verify_transport_maps
>     fallback_transport_maps
>     lmtp_discard_lhlo_keyword_address_maps
>     lmtp_pix_workaround_maps
>     lmtp_sasl_password_maps
>     lmtp_tls_policy_maps
>     mailbox_transport_maps
>     rbl_reply_maps
>     sender_dependent_relayhost_maps
>     smtp_discard_ehlo_keyword_address_maps
>     smtp_pix_workaround_maps
>     smtp_sasl_password_maps
>     smtp_tls_policy_maps
>     smtpd_discard_ehlo_keyword_address_maps
>     smtpd_sender_login_maps
>
> Perhaps, more, the above are just the candidate parameters not listed
> whose names end in "_maps". There are at least also:
>
> lmtp_tls_per_site
> smtp_tls_per_site
> relay_clientcerts

A little background may be in order.

Postfix has table-driven mechanisms (some security-sensitive such
as alias_maps or virtual_uid_maps) and table lookup mechanisms
(some unsuitable for security-sensitive features, such as proxy:
or tcp:  maps).

The purpose of proxy_read maps is to access maps with "delayed
open" semantics (such as passwd or group) that would break when
used in chrooted daemons, and to reduce the number of handles
for "expensive" maps (such as *SQL or LDAP).

With proxy_write_maps the primary purpose is "single updater"
semantics (allowing read/write access without need for locks,
because the proxywrite server *is* the lock).

As of several years the security-sensitive table-driven mechanisms
won't allow lookups from proxy: or tcp: maps, so we don't have to
worry about that.  

So the main purpose of the proxy_read_maps list is damage control:
to avoid read access to the entire file system by a compromised
chrooted process. We also may may not want to list maps with
passwords here, but it is not the end of the world if we do.

In the case of proxy_write_maps it may also be desirable to limit
the list for damage-control purposes, and list only maps where it
is OK to accept updates from arbitrary Postfix daemon processes.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: smtpd_sender_login_maps is missing in proxy_read_maps

Zhang Huangbin

On Oct 14, 2009, at 4:42 AM, Wietse Venema wrote:
>
> A little background may be in order.

Thanks Victor and Wietse for your detail description.

In my case, smtpd_sender_login_maps only lookup username field in LDAP/
MYSQL, so i think it's safe to add it in proxy_read_maps manually.  
right?

--
Best Regards.

Zhang Huangbin

- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux,
   CentOS, Debian, Ubuntu: http://www.iredmail.org/

Reply | Threaded
Open this post in threaded view
|

Re: smtpd_sender_login_maps is missing in proxy_read_maps

Victor Duchovni
On Wed, Oct 14, 2009 at 10:25:49AM +0800, Zhang Huangbin wrote:

>
> On Oct 14, 2009, at 4:42 AM, Wietse Venema wrote:
>>
>> A little background may be in order.
>
> Thanks Victor and Wietse for your detail description.
>
> In my case, smtpd_sender_login_maps only lookup username field in
> LDAP/MYSQL, so i think it's safe to add it in proxy_read_maps manually.
> right?

Yes.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.