Mailing List Archive

announce: acceptutils patch
The acceptutils patch adds several standalone programs for
authenticating SMTP message submission. It's intended to avoid patch
conflicts, add new user-controlled features, and perhaps offer desirable
security properties.

Its user-controlled features and security properties both stem from
relying on checkpassword as designed: to drop privileges to the
authenticated user.

In this context, old tools gain new powers. For instance, vanilla ofmipd
can consult a CDB in each user's $HOME. And with a small patch,
pymsgauth can process messages submitted via SMTP AUTH.

You can evaluate acceptutils without needing to remove your current SMTP
AUTH patch first. If it works well for you, remove your previous patch
(and the setuid bit from checkpassword) at leisure. Then you'll have an
easier time tracking the latest TLS patch.

I'm equally happy to hear about difficulties, bugs, and successes. I'd
be especially grateful for careful security review.

If you're looking for a more qmail-ish design for SMTP AUTH, and/or the
pleasant run- and compile-time side effects of such a design, this patch
may be useful to you.

https://schmonz.com/qmail/acceptutils/
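
The checkpassword interface the announcement relies on, as an added example that is not code from acceptutils or checkpassword: parse the credentials handed over on descriptor 3, then irreversibly become the authenticated user. The names cp_parse and cp_drop_privileges and the sample credentials are hypothetical.

```c
/* Added illustration of the checkpassword interface; not acceptutils code. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define CP_MAX 512  /* the interface passes at most 512 bytes on descriptor 3 */

/* Locate the fields of "login\0password\0timestamp\0". Returns 0 on success,
   -1 if the buffer is oversized, a NUL terminator is missing, or login is empty. */
int cp_parse(const char *buf, size_t len,
             const char **login, const char **pass, const char **stamp)
{
    const char *field[3];
    size_t pos = 0;
    if (len == 0 || len > CP_MAX) return -1;
    for (int i = 0; i < 3; i++) {
        const char *end = memchr(buf + pos, '\0', len - pos);
        if (!end) return -1;             /* field runs off the end: reject */
        field[i] = buf + pos;
        pos = (size_t)(end - buf) + 1;
    }
    if (field[0][0] == '\0') return -1;  /* empty login name */
    *login = field[0]; *pass = field[1]; *stamp = field[2];
    return 0;
}

/* Become the authenticated user for good. Supplementary groups and gid must
   change while still privileged, uid last. Returns 0 on success, -1 on any
   failure; the caller must exit on -1 rather than run the next program. */
int cp_drop_privileges(uid_t uid, gid_t gid, const char *home)
{
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must not be regainable */
    if (chdir(home) != 0) return -1;
    return 0;
}

int main(void)
{
    static const char in[] = "alice\0s3cret\0" "1700000000"; /* constructed sample */
    const char *l, *p, *s;
    if (cp_parse(in, sizeof in, &l, &p, &s) != 0) return 2;
    printf("login=%s timestamp=%s\n", l, s);
    return 0;
}
```

Once the drop succeeds, whatever program runs next can read files in the user's $HOME with that user's own permissions and nothing more.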