Prev: Postfix redirection after aliase resolution
Next: Spam from the same domain
From: Victor Duchovni on 26 Mar 2010 17:17
On Fri, Mar 26, 2010 at 04:54:00PM -0400, Wietse Venema wrote:

> > Don't pass non-ASCII user names to your LDAP table.
>
> Hmm. If the Postfix LDAP driver handles only non-ASCII query keys
> then we should have a smarter response from the mail system.

Agreed. By the time I read your message, I had already implemented this
idea. Arguably, something similar should be done for MySQL and PgSQL,
since even with the databases willing to convert local encodings to
UTF-8, the data Postfix sends into the query is not known to be in the
local character-set, and so all such queries are dubious.

How useful is support for non-ASCII "RCPT TO" and "MAIL FROM"? It seems
to me that it may be best to just reject them as invalid SMTP syntax long
before we get to the database layer.

Index: src/global/dict_ldap.c
--- src/global/dict_ldap.c 10 Mar 2010 04:39:57 -0000 1.1.1.1.12.1
+++ src/global/dict_ldap.c 26 Mar 2010 21:10:55 -0000
@@ -1180,12 +1180,21 @@
static VSTRING *result;
int rc = 0;
int sizelimit;
+ const char *cp;

dict_errno = 0;

if (msg_verbose)
msg_info("%s: In dict_ldap_lookup", myname);

+ for (cp = name; *cp; ++cp)
+ if (!ISASCII(*cp)) {
+ if (msg_verbose)
+ msg_info("%s: %s: Skipping lookup of non-ASCII key '%s'",
+ myname, dict_ldap->parser->name, name);
+ return (0);
+ }
+
/*
* Optionally fold the key.
*/
@@ -1203,7 +1212,8 @@
*/
if (db_common_check_domain(dict_ldap->ctx, name) == 0) {
if (msg_verbose)
- msg_info("%s: Skipping lookup of '%s'", myname, name);
+ msg_info("%s: %s: Skipping lookup of key '%s': domain mismatch",
+ myname, dict_ldap->parser->name, name);
return (0);
}
#define INIT_VSTR(buf, len) do { \

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.

From: Wietse Venema on 27 Mar 2010 20:53
Victor Duchovni:
> On Fri, Mar 26, 2010 at 04:54:00PM -0400, Wietse Venema wrote:
>
> > > Don't pass non-ASCII user names to your LDAP table.
> >
> > Hmm. If the Postfix LDAP driver handles only non-ASCII query keys
> > then we should have a smarter response from the mail system.
>
> Agreed. By the time I read your message, I had already implemented this
> idea. Arguably, something similar should be done for MySQL and PgSQL,
> since even with the databases willing to convert local encodings to
> UTF-8, the data Postfix sends into the query is not known to be in the
> local character-set, and so all such queries are dubious.

Currently, sites that send valid UTF-8 in MAIL/RCPT commands can
make meaningful LDAP queries in Postfix. Lots of MTAs are 8-bit
clean internally, so this can actually work today.

Do we want to remove this ability from Postfix, or should we add
a valid_utf_8() routine in anticipation of a future standardization
of UTF8SMTP?

Wietse

From: Stefan Foerster on 28 Mar 2010 06:05
* Wietse Venema <wietse(a)porcupine.org>:
> Currently, sites that send valid UTF-8 in MAIL/RCPT commands can
> make meaningful LDAP queries in Postfix. Lots of MTAs are 8-bit
> clean internally, so this can actually work today.
>
> Do we want to remove this ability from Postfix, or should we add
> a valid_utf_8() routine in anticipation of a future standardization
> of UTF8SMTP?

As of today, is user(a)schön.example.com the same user as
user(a)xn--schn-7qa.example.com, as far as e.g. access(5) maps are
concerned?


Stefan

From: Wietse Venema on 28 Mar 2010 08:38
Stefan Foerster:
> As of today, is user(a)sch?n.example.com the same user as
> user(a)xn--schn-7qa.example.com, as far as e.g. access(5) maps are
> concerned?

No, they are, and have always been, different.

If xn--schn-7qa.example.com is what Postfix receives, then
xn--schn-7qa.example.com is what Postfix will use.

If sch?n.example.com is what Postfix receives, then sch?n.example.com
is what will use.

sch?n.example.com is not valid according to current SMTP standards,
so Postfix can do whatever it wants.

Wietse

From: Victor Duchovni on 14 Apr 2010 12:29
On Sat, Mar 27, 2010 at 08:53:03PM -0400, Wietse Venema wrote:

> Currently, sites that send valid UTF-8 in MAIL/RCPT commands can
> make meaningful LDAP queries in Postfix. Lots of MTAs are 8-bit
> clean internally, so this can actually work today.
>
> Do we want to remove this ability from Postfix, or should we add
> a valid_utf_8() routine in anticipation of a future standardization
> of UTF8SMTP?

I am a bit reluctant at this time to assume that untyped data coming in
that looks like UTF-8, really is UTF-8. Even if the LDAP lookup returns
plausibly useful results, will the UTF-8 envelope survive related
processing in Postfix?

- PCRE lookups don't currently request UTF-8 support

- Logs don't support non-destructive recording of UTF-8
envelopes.

- What is the character-set of mailbox content?

- What character set should pipe(8) commands expect?

So I think we are quite far from really supporting UTF-8, and issues
deeper than LDAP table support probably need to be handled first.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.

First  |  Prev  |  Next  |  Last
Pages: 1 2 3
Prev: Postfix redirection after aliase resolution
Next: Spam from the same domain