[Kolab-devel] [issue3549] append_dot_mydomain allows circumventing kolabfilter-verify-from-header

Thomas Arendsen Hein kolab-issues at intevation.de
Wed Apr 8 16:21:20 CEST 2009


New submission from Thomas Arendsen Hein <thomas at intevation.de>:

Kolab Server 2.2.0 and 2.2.1:

Sending an email with "From: boss at invalid" will be rewritten by Postfix's
append_dot_mydomain to "From: boss at invalid.example.com" and then masqueraded to
"From: boss at example.com".

It will not be marked as UNTRUSTED, because kolab_smtpdpolicy checks are done
before rewriting.

append_at_myorigin does not seem to be a problem; maybe the policy filter
is already aware of this.

I see various ways of solving this:
1. "append_dot_mydomain = no" in main.cf.template (instead of the default "yes")
2. "local_header_rewrite_clients = permit_mynetworks"
   (instead of the default "permit_inet_interfaces")
3. make the policy filter aware of this

I think I would prefer 2.
Any opinions?

----------
assignedto: thomas
messages: 19575
nosy: bernhard, martin, thomas, wilde, wrobel
priority: critical
status: unread
title: append_dot_mydomain allows circumventing kolabfilter-verify-from-header
topic: filter, server
___________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://www.intevation.de/roundup/kolab/issue3549>
___________________________________________________
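
The ordering problem reported above, as an added example that is not part of the original message and is not Kolab or Postfix code. It is a simplified model: the function names, the masquerade_domains value and the rule "local-domain From: without authentication is untrusted" are assumptions made for illustration.

```python
# Added illustration of check-before-rewrite vs. check-after-rewrite.
# Not Kolab or Postfix code; all names here are hypothetical.
MYDOMAIN = "example.com"
MASQUERADE_DOMAINS = ["example.com"]   # assumed masquerade_domains setting
LOCAL_DOMAINS = {"example.com"}


def append_dot_mydomain(addr, mydomain=MYDOMAIN):
    """Model of append_dot_mydomain = yes: user@host -> user@host.$mydomain."""
    local, sep, domain = addr.rpartition("@")
    if sep and "." not in domain:
        return f"{local}@{domain}.{mydomain}"
    return addr


def masquerade(addr, domains=MASQUERADE_DOMAINS):
    """Model of masquerading: strip subdomains below a listed domain."""
    local, sep, domain = addr.rpartition("@")
    for parent in domains:
        if sep and domain.lower().endswith("." + parent):
            return f"{local}@{parent}"
    return addr


def rewrite(addr):
    """Apply both rewriting steps in the order the report describes."""
    return masquerade(append_dot_mydomain(addr))


def is_untrusted(from_addr, authenticated, normalize):
    """Flag a local-domain From: on an unauthenticated submission.

    normalize=False checks the header as received (before rewriting);
    normalize=True checks the address the recipient will actually see.
    """
    checked = rewrite(from_addr) if normalize else from_addr
    domain = checked.rpartition("@")[2].lower()
    return domain in LOCAL_DOMAINS and not authenticated


if __name__ == "__main__":
    sample = "boss@invalid"   # constructed input matching the report
    print("delivered as:        ", rewrite(sample))
    print("check before rewrite:", is_untrusted(sample, False, normalize=False))
    print("check after rewrite: ", is_untrusted(sample, False, normalize=True))
```

Checking the rewritten address corresponds to option 3 in the list; options 1 and 2 instead stop the rewrite from happening for the affected clients.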



