Discussion:
mailfront new plugin API
Bruce Guenter
2011-07-14 20:34:59 UTC
I've pushed out my current code for the next mailfront API to github as
branch "api3". It incorporates all three suggestions -- plugins can now
handle sender and recipient extra parameters, add capabilities, and add
new commands. The command API is in a bit of flux -- the current fixed
array of commands doesn't work well when the command is only present in
certain cases.

I've also adapted the mailfront ucspi-tls patch to this new API as
"starttls-ucspi". It compiles, but I'm having a little trouble getting
an appropriately patched sslserver set up on Gentoo.

Could somebody test this for me? Just drop the attached file into the
mailfront source directory and type:

./makeso plugin-starttls-ucspi.c -lbg -lbg-sysdeps

and add starttls-ucspi to the mailfront command line.
--
Bruce Guenter <***@untroubled.org> http://untroubled.org/
Bruce Guenter
2011-07-14 22:27:59 UTC
Post by Bruce Guenter
I've pushed out my current code for the next mailfront API to github
as branch "api3". ... Just drop the attached file into the mailfront
./makeso plugin-starttls-ucspi.c -lbg -lbg-sysdeps
and add starttls-ucspi to the mailfront command line.
I'm making it too hard on you. I've uploaded a tarball of all the
sources to:

http://untroubled.org/mailfront/mailfront-2.00pre1.tar.gz
--
Bruce Guenter <***@untroubled.org> http://untroubled.org/
Scott Gifford
2011-07-26 03:49:36 UTC
Post by Bruce Guenter
Post by Bruce Guenter
I've pushed out my current code for the next mailfront API to github
as branch "api3". ... Just drop the attached file into the mailfront
./makeso plugin-starttls-ucspi.c -lbg -lbg-sysdeps
and add starttls-ucspi to the mailfront command line.
I'm making it too hard on you. I've uploaded a tarball of all the
http://untroubled.org/mailfront/mailfront-2.00pre1.tar.gz
Bruce,

I have spent some time playing with this, and so far things look good.

I ran into a few problems with "/home/bruce/dev" sneaking into config files
instead of "/usr/local/bglibs/include", but nothing that was hard to
overcome.

I am working on setting up a new mail server for a client, so this will get
a better workout over the next week or two.

Please let me know if I can be of any help with this, for example by writing
some documentation for plugin-starttls-ucspi.html.

Thanks!

-----Scott.
Scott Gifford
2011-07-27 05:51:50 UTC
On Mon, Jul 25, 2011 at 11:49 PM, Scott Gifford
Post by Scott Gifford
Post by Bruce Guenter
Post by Bruce Guenter
I've pushed out my current code for the next mailfront API to github
as branch "api3". ... Just drop the attached file into the mailfront
./makeso plugin-starttls-ucspi.c -lbg -lbg-sysdeps
and add starttls-ucspi to the mailfront command line.
I'm making it too hard on you. I've uploaded a tarball of all the
http://untroubled.org/mailfront/mailfront-2.00pre1.tar.gz
Bruce,
I have spent some time playing with this, and so far things look good.
I ran into a few problems with "/home/bruce/dev" sneaking into config files
instead of "/usr/local/bglibs/include", but nothing that was hard to
overcome.
I am working on setting up a new mail server for a client, so this will get
a better workout over the next week or two.
OK, I have this up and running for SMTP! Here is a patch with a few
changes:

- Changes "/home/bruce/dev" to "/usr/local/bglibs/include" in some config
files, and adds "-L/usr/local/bglibs/lib" to "conf-ld". Not sure if these
are necessary, but I needed these changes to compile, and it was easier to
leave them in than take them out
- Implements "AUTH_REQUIRES_TLS" environment variable setting for
"plugin-cvm-authenticate.c", where authentication options are only offered
after encryption is negotiated, preventing sending a password in plaintext
- Fix missing newline after AUTH EHLO response
- After negotiating TLS, remove UCSPITLS from environment, so other
modules can tell TLS has been negotiated
- Flush input buffer after STARTTLS, to avoid
CVE-2011-0411 <http://www.postfix.org/CVE-2011-0411.html>
- Added a first draft of documentation for "plugin-starttls-ucspi"

I couldn't find a way to make it work with IMAP or POP3 though. Is that
something that you have planned, or something I should work on myself?

Thanks!

-----Scott.
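The two defensive behaviours in the patch described above (advertising AUTH only after TLS is up, and discarding buffered plaintext after STARTTLS so a pipelined command cannot ride into the encrypted session, the CVE-2011-0411 issue) modelled as a small stand-alone C example. This is added illustration, not mailfront or plugin-starttls-ucspi code; the `struct session`, `ehlo_caps` and `handle_starttls` names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not mailfront code: a toy model of two behaviours from the
 * patch discussed above. Struct and function names are hypothetical. */
struct session {
    bool tls;              /* true once the TLS handshake has completed */
    char inbuf[256];       /* plaintext already read from the client */
    size_t inlen;
};

/* Append one response line to out, never writing past the buffer. */
static size_t emit(char *out, size_t outsz, size_t n, const char *line)
{
    if (n >= outsz) return n;
    int w = snprintf(out + n, outsz - n, "%s", line);
    return w < 0 ? n : n + (size_t)w;
}

/* EHLO capabilities. With auth_requires_tls set (models AUTH_REQUIRES_TLS),
 * AUTH is advertised only after TLS is up, so the client is never invited to
 * send a password in plaintext; STARTTLS is offered only while plaintext. */
size_t ehlo_caps(const struct session *s, bool auth_requires_tls,
                 char *out, size_t outsz)
{
    size_t n = emit(out, outsz, 0, "250-PIPELINING\r\n");
    if (!s->tls)
        n = emit(out, outsz, n, "250-STARTTLS\r\n");
    if (s->tls || !auth_requires_tls)
        n = emit(out, outsz, n, "250-AUTH PLAIN LOGIN\r\n");
    return emit(out, outsz, n, "250 HELP\r\n");
}

/* STARTTLS handling. Any plaintext the client sent after the STARTTLS line
 * is dropped before the handshake (the CVE-2011-0411 mitigation), so it can
 * never be read back as the first command of the encrypted session.
 * Returns the number of bytes discarded. */
size_t handle_starttls(struct session *s)
{
    size_t dropped = s->inlen;
    memset(s->inbuf, 0, sizeof s->inbuf);
    s->inlen = 0;
    /* A real plugin hands the socket to the TLS layer (ucspi-tls) here. */
    s->tls = true;
    return dropped;
}
```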
Bruce Guenter
2011-07-29 04:36:08 UTC
Post by Scott Gifford
OK, I have this up and running for SMTP!
Excellent. I was actually just going to do a release without it, and
work it into a later push.
Post by Scott Gifford
- Implements "AUTH_REQUIRES_TLS" environment variable setting for
"plugin-cvm-authenticate.c", where authentication options are only offered
after encryption is negotiated, preventing sending a password in plaintext
Yeah, that's a good thing to work in. The git source for
cvm-authenticate will disable the AUTH command if no mechanisms are
defined, but there's no good way to do the reverse -- enable a command
after init when the environment changes. I don't want individual
commands to have to ever provide an "unimplemented" response.
Post by Scott Gifford
- Fix missing newline after AUTH EHLO response
Fixed already in git, actually.
Post by Scott Gifford
- After negotiating TLS, remove UCSPITLS from environment, so other
modules can tell TLS has been negotiated
I'd do this with a session variable with session_setnum or the like.
Post by Scott Gifford
I couldn't find a way to make it work with IMAP or POP3 though. Is that
something that you have planned, or something I should work on myself?
There is no support for plugins in either, so it'll have to be added in
separately, probably using the source patch from Scott Gifford.
--
Bruce Guenter <***@untroubled.org> http://untroubled.org/
Bruce Guenter
2011-07-29 04:38:51 UTC
Oh, and thanks BTW
Post by Bruce Guenter
Post by Scott Gifford
I couldn't find a way to make it work with IMAP or POP3 though. Is that
something that you have planned, or something I should work on myself?
There is no support for plugins in either, so it'll have to be added in
separately, probably using the source patch from Scott Gifford.
... who is exactly who I'm replying to. /facepalm

*sigh* Definitely time for bed. Sorry.
--
Bruce Guenter <***@untroubled.org> http://untroubled.org/
Scott Gifford
2011-07-29 15:02:37 UTC
Post by Bruce Guenter
Oh, and thanks BTW
Most welcome, thanks for your work as well!
Post by Bruce Guenter
Post by Scott Gifford
I couldn't find a way to make it work with IMAP or POP3 though. Is that
something that you have planned, or something I should work on myself?
There is no support for plugins in either, so it'll have to be added in
separately, probably using the source patch from Scott Gifford.
... who is exactly who I'm replying to. /facepalm
:-) I will take a look at IMAP and POP3 and see if I can come up with
something a little cleaner than my current patches.

------Scott.