Mailing List Archive

filtering ofmipd-submitted messages
Hi!

I submit outbound mail through ofmipd with John R. Levine's SMTP AUTH
patch[1]. (The service is available on the network only via stunnel.) It
runs, like qmail-smtpd, as qmaild.

I'm wanting to run submitted messages through custom filters before
injecting them into the queue. Since this SMTP AUTH patch includes the
QMAILQUEUE patch, no problem there.

Problem is, I'm wanting the custom filters to run as the authenticated
user.

I'm thinking I want to make ofmipd more like qmail-pop3d by extracting
the SMTP AUTH code out of ofmipd into a new "ofmipup" program (analogous
to qmail-popup) that runs as root, calls checkpassword, and execs ofmipd
as the authenticated user for the remainder of the "OFMIP" conversation,
thereby ensuring that custom filters run as that user.

Is this architecture reasonable? In other words, since this is port 587,
not port 25, is it reasonable to reject other SMTP commands (again,
analogous to qmail-popup) until authentication has completed?

Thanks,

- Amitai

[1] http://qmail.gurus.org/mess822-smtp-auth-patch.txt
Re: filtering ofmipd-submitted messages
On Thursday 01 Jun 2017 14:23:50 you wrote:
> I submit outbound mail through ofmipd with John R. Levine's SMTP AUTH
> patch[1]. (The service is available on the network only via stunnel.) It
> runs, like qmail-smtpd, as qmaild.

ofmipd + AUTH: FYI my ofmipd-plus also bases its authentication on John
Levine's SMTP AUTH, you may find it helpful to see what I've done,

http://free.acrconsulting.co.uk/email/ofmipd-plus.html

(see the text there re. TLS-capable version or more minimal non-TLS-capable
version. If TLS, you'll need to track down ucspi-tls, you'll probably find it
in the Internet Archive)

> I'm wanting to run submitted messages through custom filters before
> injecting them into the queue. Since this SMTP AUTH patch includes the
> QMAILQUEUE patch, no problem there.
>
> Problem is, I'm wanting the custom filters to run as the authenticated
> user.
>
> I'm thinking I want to make ofmipd more like qmail-pop3d by extracting
> the SMTP AUTH code out of ofmipd into a new "ofmipup" program (analogous
> to qmail-popup) that runs as root, calls checkpassword, and execs ofmipd
> as the authenticated user for the remainder of the "OFMIP" conversation,
> thereby ensuring that custom filters run as that user.
>
> Is this architecture reasonable? In other words, since this is port 587,
> not port 25, is it reasonable to reject other SMTP commands (again,
> analogous to qmail-popup) until authentication has completed?

I'm not sure about the remainder of your questions though, it's too long since
I produced ofmipd-plus.

cheers,

Andrew.
--
====================================================================
* Custom email solutions * Systems Administration * Networking
http://www.acrconsulting.co.uk/
====================================================================
Re: filtering ofmipd-submitted messages
On 2 Jun 2017, at 17:35, Andrew Richards wrote:

> ofmipd + AUTH: FYI my ofmipd-plus also bases its authentication on John
> Levine's SMTP AUTH, you may find it helpful to see what I've done,
>
> http://free.acrconsulting.co.uk/email/ofmipd-plus.html

I hadn't seen that before. Cool. I may borrow a bit en route to my goal,
which is to make the smallest possible changes to mess822 that result in
these configuration options for the sysadmin:

1. SMTP AUTH required: ofmipd runs as the authenticated user
2. SMTP AUTH optional: ofmipd runs as the default user (e.g., qmaild)
unless authenticated
3. SMTP AUTH unavailable: ofmipd runs as it always has

I'm going to try to get there like so:

1. Characterize stock ofmipd's behaviors with automated tests
2. Apply John Levine's SMTP AUTH patch
3. Add more characterization tests around AUTH behaviors
4. Write new tests for what new things I want to happen
5. Make them pass

I intend to factor all the SMTP AUTH behavior out to a new "ofmipup"
program, at the end of which I suspect my ofmipd will be identical (or
very nearly so) to DJB's original, and my three desired config options
will work like so:

1. As root, "ofmipup checkpassword ofmipd"
2. As root, "ofmipup -u qmaild checkpassword ofmipd"
3. As qmaild, "ofmipd"

stunnel has been fine for me, so I plan to avoid learning anything about
TLS while solving this problem. ;-)

- Amitai
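
The front-end design discussed in this thread, sketched as an added example; it is not part of any post and is not code from mess822, qmail, or the SMTP AUTH patch. It shows the two pieces a qmail-popup-style "ofmipup" would need: a gate that refuses SMTP commands before authentication, and the `login\0password\0timestamp\0` buffer that the checkpassword interface reads from descriptor 3. The function names, the allowed-verb list and the empty-login check are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define CHECKPASSWORD_MAX 512  /* checkpassword accepts at most 512 bytes on fd 3 */

/* Return 1 if this SMTP command line may be handled before authentication.
   The verb list is an assumption: just enough to reach AUTH or to leave. */
int preauth_allowed(const char *line)
{
    static const char *const verbs[] = { "EHLO", "HELO", "AUTH", "NOOP", "RSET", "QUIT" };
    size_t n = strcspn(line, " \r\n");  /* length of the command verb */
    size_t i;
    for (i = 0; i < sizeof verbs / sizeof verbs[0]; i++)
        if (n == strlen(verbs[i]) && strncasecmp(line, verbs[i], n) == 0)
            return 1;
    return 0;  /* caller answers e.g. "530 authentication required" */
}

/* Build "login\0password\0timestamp\0" for checkpassword's descriptor 3.
   Returns the byte count, or -1 if it does not fit or the login is empty. */
int checkpassword_input(char *out, size_t outlen,
                        const char *login, const char *pass, const char *stamp)
{
    size_t l = strlen(login) + 1, p = strlen(pass) + 1, s = strlen(stamp) + 1;
    if (l == 1 || l + p + s > outlen || l + p + s > CHECKPASSWORD_MAX)
        return -1;
    memcpy(out, login, l);
    memcpy(out + l, pass, p);
    memcpy(out + l + p, stamp, s);
    return (int)(l + p + s);
}

int main(void)
{
    /* Constructed sample session lines, not captured traffic. */
    const char *lines[] = { "EHLO client.example\r\n", "MAIL FROM:<a@example.org>\r\n",
                            "auth PLAIN\r\n", "DATA\r\n" };
    char buf[CHECKPASSWORD_MAX];
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-5s %s", preauth_allowed(lines[i]) ? "ok" : "530", lines[i]);
    printf("fd 3 bytes: %d\n", checkpassword_input(buf, sizeof buf, "alice", "s3cret", ""));
    return 0;
}
```

A real front end would write that buffer to a pipe opened as descriptor 3 of the checkpassword child; on success checkpassword switches to the account's uid and gid and runs the next program on its command line, which is what makes the filters run as the authenticated user.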