Subject: Re: "resubmission" feature
From: Lutz Vieweg (lkvisg.de)
Date: Mon Jul 10 2000 - 09:36:13 CDT


Wietse Venema wrote:

> > The simple and sufficient criterion for me to decide whether the
> > sender is allowed to place such a "resubmission" is the IP-address
> > of the peer contacting the SMTP server. Only local ones would be
> > allowed.
>
> Eh? You are assuming that the entire mail infrastructure consists
> of one server.

It currently does and probably will for quite some time.

> Your firewall relay has a local IP address, too,
> but that does not mean that all mail from the firewall comes from
> a local sender.

But that's a known address. I could restrict the possibility to
issue resubmissions to local addresses _excepting_ of course any other
relay that might exist.

> > But how can an external pipe transport find out this peer address -
> > is there any header postfix adds that I could rely on? Maybe because
> > it is in a certain position?
>
> The client IP address is not sufficient for finding out if a user
> is local.

Of course there would be better solutions - such as using an x509 client
certificate to authenticate the sender. If there's enough time one day
to implement that, I'll happily do that.

But assuming that currently checking the IP of the SMTP partner is sufficient
for us - is there a way for an external pipe transport to get it?

Regards,

Lutz Vieweg

--
 Dipl. Phys. Lutz Vieweg | email: lkvisg.de
 Innovative Software AG  | Phone/Fax: +49-69-505030 -20/-50
 Feuerbachstrasse 26-32  | http://www.isg.de/persons/lkv/
 60325 Frankfurt am Main | ^^^ PGP key available here ^^^
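
The check discussed in this message, as an added example that is not part of the original post or of Postfix: a filter run from a pipe transport reads the peer address out of the topmost Received header and permits a resubmission only for local peers that are not known relays. The networks, relay address, sample messages and the "from helo (name [ip])" header shape are assumptions made for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed policy values for this example, not taken from the thread.
LOCAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]
KNOWN_RELAYS = {ipaddress.ip_address("192.168.10.2")}  # e.g. a firewall relay

# Assumed header shape: "from <helo> (<hostname> [<ip>]) by ..."
PEER_RE = re.compile(r"^from\s+\S+\s+\([^\[\]()]*\[([0-9.]+)\]\)")


def peer_address(raw_message):
    """Return the peer IP recorded in the topmost Received header, or None."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    # Only the first header is written by our own server; every lower
    # Received line arrived with the message and is sender-controlled.
    match = PEER_RE.match(" ".join(received[0].split()))
    if not match:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:
        return None


def resubmission_allowed(raw_message):
    """Local peer, and not one of the relays that forward outside mail."""
    ip = peer_address(raw_message)
    if ip is None or ip in KNOWN_RELAYS:
        return False  # fail closed on unparsable headers and on relays
    return any(ip in net for net in LOCAL_NETS)


def sample(top_peer):
    """Build a constructed message whose top Received header names top_peer."""
    return (
        f"Received: from host (host.example.test [{top_peer}])\n"
        "\tby mail.example.test (Postfix) with ESMTP id 0000000000\n"
        "Received: from ws1 (ws1.example.test [192.168.10.57]) by elsewhere\n"
        "Subject: resubmit\n\nbody\n"
    )


if __name__ == "__main__":
    for peer in ("192.168.10.57", "192.168.10.2", "203.0.113.5"):
        print(peer, resubmission_allowed(sample(peer)))
```

The second Received line in each sample claims a local workstation, and the relay and external cases are still refused because only the top header is consulted.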