[diff] src/usr.sbin/smtpd: add allow-exec to explicitly allow custom mda


[diff] src/usr.sbin/smtpd: add allow-exec to explicitly allow custom mda

Gilles Chehade-7
Hello,

As is done in other MTAs, smtpd allows execution of a custom command in forward files so
users can plug in procmail, fdm and others. It is currently not possible to allow
users to forward their mail through a .forward file without also allowing them to run a
custom mda.

This diff builds on top of the previous one, it removes the ability to execute a custom
command from a ~/.forward file by default unless admin explicitly allows it in config:

    action "local_users" maildir forward-file allow-exec

If a user adds a command, the session will be rejected with a temporary failure until
the .forward file is fixed.


diff --git a/usr.sbin/smtpd/lka_session.c b/usr.sbin/smtpd/lka_session.c
index ff328441957..aea0780017e 100644
--- a/usr.sbin/smtpd/lka_session.c
+++ b/usr.sbin/smtpd/lka_session.c
@@ -482,6 +482,15 @@ lka_expand(struct lka_session *lks, struct rule *le, struct expandnode *xn)
  lks->error = LKA_TEMPFAIL;
  break;
  }
+
+ if (xn->parent->forwarded) {
+ if (! dsp->u.local.allow_forward_exec) {
+ log_trace(TRACE_EXPAND, "expand: matched forward with no allow-exec");
+ lks->error = LKA_TEMPFAIL;
+ break;
+ }
+ }
+
  log_trace(TRACE_EXPAND, "expand: lka_expand: filter: %s "
     "[depth=%d]", xn->u.buffer, xn->depth);
  lka_submit(lks, rule, xn);
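Review bot: The new guard tests only `xn->parent->forwarded`, so the default-deny holds only if every command node that comes from a ~/.forward has its immediate parent flagged. Whether that is true for a command reached through an include or a further expansion step inside the forward file is not visible in this hunk and should be confirmed. The two nested `if`s can be a single condition, `if (xn->parent->forwarded && !dsp->u.local.allow_forward_exec) {`. The rejection is reported only through `log_trace(TRACE_EXPAND, ...)` and without the command, so an admin who sees temporary failures after upgrading has little to go on; consider adding `xn->u.buffer` to the message, as the following trace line does. lka_expand starts and ends outside the hunk.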
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 752c3376b77..908c189c93d 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -173,7 +173,7 @@ typedef struct {
 
 %}
 
-%token ACTION ADMD ALIAS ANY ARROW AUTH AUTH_OPTIONAL
+%token ACTION ADMD ALIAS ALLOW_EXEC ANY ARROW AUTH AUTH_OPTIONAL
 %token BACKUP BOUNCE BYPASS
 %token CA CERT CHAIN CHROOT CIPHERS COMMIT COMPRESSION CONNECT
 %token DATA DATA_LINE DHE DISCONNECT DOMAIN
@@ -200,7 +200,7 @@ typedef struct {
 %token <v.string> STRING
 %token  <v.number> NUMBER
 %type <v.table> table
-%type <v.number> size negation
+%type <v.number> size negation allow_exec
 %type <v.table> tables tablenew tableref
 %%
 
@@ -580,6 +580,10 @@ SRS KEY STRING {
 ;
 
 
+allow_exec : ALLOW_EXEC { $$ = 1; }
+ | /* empty */ { $$ = 0; }
+ ;
+
 dispatcher_local_option:
 USER STRING {
  if (dispatcher->u.local.is_mbox) {
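Review bot: The new `allow_exec` rule has no comment saying that it is an optional suffix of `forward-file` rather than a standalone `dispatcher_local_option`, so the keyword is only accepted directly after `forward-file`. A one-line comment above the rule would make that explicit, for example `/* optional modifier of forward-file: 1 if "allow-exec" follows, 0 otherwise */`. The rule's value is consumed in the `FORWARD_FILE allow_exec` alternative further down.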
@@ -669,12 +673,13 @@ USER STRING {
  }
  dispatcher->u.local.mda_wrapper = $2;
 }
-| FORWARD_FILE {
+| FORWARD_FILE allow_exec {
  if (dispatcher->u.local.forward_file) {
  yyerror("forward-file already specified for this dispatcher");
  YYERROR;
  }
  dispatcher->u.local.forward_file = 1;
+ dispatcher->u.local.allow_forward_exec = $2;
 }
 ;
 
@@ -2628,6 +2633,7 @@ lookup(char *s)
  { "action", ACTION },
  { "admd", ADMD },
  { "alias", ALIAS },
+ { "allow-exec", ALLOW_EXEC },
  { "any", ANY },
  { "auth", AUTH },
  { "auth-optional",     AUTH_OPTIONAL },
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index fa98e13e158..c2ef5f568ca 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -173,8 +173,12 @@ Use the mapping
 for
 .Xr aliases 5
 expansion.
-.It Cm forward-file
+.It Cm forward-file Op Cm allow-exec
 Allow the use of a .forward file in user home directory .
+.Pp
+If
+.Cm allow-exec
+is specified, the .forward file is allowed to execute a custom command.
 .It Xo
 .Cm ttl
 .Sm off
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 8225f3ff157..57a8bebec79 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1161,6 +1161,8 @@ struct dispatcher_local {
  uint8_t forward_only;
  uint8_t forward_file;
 
+ uint8_t allow_forward_exec;
+
  char *mda_wrapper;
  char *command;