OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Content filter wants to know sender's IP
From: Wietse Venema (wietseporcupine.org)
Date: Mon Jun 05 2000 - 07:39:05 CDT

Alexander Nosenko:
> It looks like content inspection via SMTP has some security deficiencies.

You mean SMTP is an insecure protocol? How terrible.

> Inspector can't get access to all info MTA has collected already :-(. All it
> knows is message headers (possibly forged). Besides, some evil program on
> localhost (or somewhere else, depending on firewalling) can connect to 10025
> port (or even 10026 port, what a horror ;-) and have a free run, so

No. Postfix binds to localhost:10002xx. These ports are not open
to everyone. Also, it doesn't take a great deal of change to make
this work over UNIX-domain sockets instead of TCP sockets. I just
haven't gotten around to do that. With UNIX-domain sockets you can
get more privacy already.

And if the master can be told to chown a socket to the content
inspector account, then it can be pretty much shielded from local
users.

> inspector can't trust even it's clients. The pipe mailer is _the secure way_
> and extendable too (thanks for the idea).
> Is the secure protocol to move all content inspection to another host yet
> to be invented? That's another topic, of course.

Sure. It just seems a waste of time to run SSL locally. Local IPC
should have kernel support to look up the credentials of the remote
process. On some systems, UNIX-domain sockets have this ability.

        Wietse