
Re: Virtual users or system users for a mail server



Raoul Bhatia <raoul@bhatia.at> wrote:
> On 29 September 2014 15:32:16 CEST, Sven Hartge <sven@svenhartge.de> wrote:
>> Marc Aymerich <glicerinu@gmail.com> wrote:

>>> One thing that I'm not quite sure about is how to deal with user
>>> provided procmails, since the process which executes them has
>>> privileges for all vmailboxes, this sounds like a security problem.
>>> Perhaps I'm mistaken or missing something here. Do you guys need to
>>> provide this kind of service on your mail servers (user provided
>>> procmail or sieve) ?

>> Solution is simple: don't provide procmail as filtering solution, use
>> Sieve to allow users to filter their mails.

> AFAIRC there is a virtual uid mapping available which can query a
> database, LDAP etc..

Still: procmail is "evil" and full of security nightmares if you try to
use it inside a virtual user context. 

It was initially built to be used from the .forward file of a user and
to be run as the specific user the mail was delivered to.

And then there is the problem of how to allow users to provide their own
procmailrc. Because procmail is so powerful and its configuration syntax
is so complex, it will be very difficult to write a parser to detect a)
malformed config files and b) harmful config files.

Of course you can write a very simple web interface, only allowing
filtering of mails by specific criteria into specific folders, thus
limiting the attack vectors by limiting the used features of procmail.

But then you may also use Sieve in the first place, which provides a
well-defined protocol to allow the users to securely update the filter
file themselves.

Sieve on the other hand was designed with virtual users in mind. If
implemented correctly, no user is able to write to a different mailbox
than his own. Also per default you cannot execute any commands on the
host and also limit the possibility to redirect mails to other
(external) mail-addresses.

All in all: procmail is dead (at least in a virtual user multi hosting
scenario), all hail Sieve!

Grüße,
Sven.

-- 
Sigmentation fault. Core dumped.
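
The restricted "specific criteria into specific folders" front end mentioned in the message, sketched as a generator that emits Sieve instead of procmail recipes. This is an added example, not part of the original post; the function names, the header allowlist, the folder-name pattern and the length limit are assumptions made for illustration.

```python
import re

# Assumed policy for this sketch: which headers users may match on, which
# match types are offered, and what a folder name may look like.
ALLOWED_HEADERS = {"subject", "from", "to", "cc", "list-id"}
ALLOWED_MATCH = {"contains", "is"}
FOLDER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _-]{0,63}")


def sieve_quote(value: str) -> str:
    """Return value as an RFC 5228 quoted string; reject control characters."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in value")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_sieve(rules):
    """Render (header, match, value, folder) tuples as a Sieve script.

    Only `fileinto` and `stop` are ever emitted, so user input can select
    a header, a string and a folder, but never another Sieve action.
    """
    lines = ['require ["fileinto"];', ""]
    for header, match, value, folder in rules:
        if header.lower() not in ALLOWED_HEADERS:
            raise ValueError(f"header not allowed: {header!r}")
        if match not in ALLOWED_MATCH:
            raise ValueError(f"match type not allowed: {match!r}")
        if not value or len(value) > 200:
            raise ValueError("match value must be 1..200 characters")
        if not FOLDER_RE.fullmatch(folder):
            raise ValueError(f"folder name not allowed: {folder!r}")
        test = f'header :{match} "{header.lower()}" {sieve_quote(value)}'
        lines += [f"if {test} {{",
                  f"    fileinto {sieve_quote(folder)};",
                  "    stop;",
                  "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample rule whose value tries to close the string early.
    print(build_sieve([("Subject", "contains", 'x"; redirect "a@example.org', "Lists")]))
```

The sample value stays inside one quoted string in the output, so it is matched as literal text rather than parsed as a second command.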

