[Kolab-devel] [issue3549] append_dot_mydomain allows circumventing kolabfilter-verify-from-header
Thomas Arendsen Hein
kolab-issues at intevation.de
Wed Apr 8 16:21:20 CEST 2009
New submission from Thomas Arendsen Hein <thomas at intevation.de>:
Kolab Server 2.2.0 and 2.2.1:
Sending an email with "From: boss at invalid" will be rewritten by postfix's
append_dot_mydomain to "From: boss at invalid.example.com" and then masqueraded to
"From: boss at example.com".
It will not be marked as UNTRUSTED, because kolab_smtpdpolicy checks are done
before rewriting.
append_at_myorigin does not seem to be a problem, maybe the policy filter
already is aware of this.
I see various ways of solving this:
1. "append_dot_mydomain = no" in main.cf.template (instead of the default "yes")
2. "local_header_rewrite_clients = permit_mynetworks"
(instead of the default "permit_inet_interfaces")
3. make the policy filter aware of this
I think I would prefer 2.
Any opinions?
----------
assignedto: thomas
messages: 19575
nosy: bernhard, martin, thomas, wilde, wrobel
priority: critical
status: unread
title: append_dot_mydomain allows circumventing kolabfilter-verify-from-header
topic: filter, server
___________________________________________________
Kolab issue tracker <kolab-issues at intevation.de>
<https://www.intevation.de/roundup/kolab/issue3549>
___________________________________________________
More information about the devel
mailing list