diff --git a/HISTORY b/HISTORY index 73db63f..bfc98a1 100644 --- a/HISTORY +++ b/HISTORY @@ -13599,3 +13599,9 @@ Apologies for any names omitted. prevent dovecot-auth memory wastage. Timo Sirainen. File: xsasl/xsasl_dovecot_server.c. +20080725 + + Paranoia: defer delivery when a mailbox file is not owned + by the recipient. Requested by Sebastian Krahmer, SuSE. + Specify "strict_mailbox_ownership=no" to ignore ownership + discrepancies. Files: local/mailbox.c, virtual/mailbox.c. diff --git a/RELEASE_NOTES b/RELEASE_NOTES index cf371e5..fb5f4cd 100644 --- a/RELEASE_NOTES +++ b/RELEASE_NOTES @@ -11,6 +11,14 @@ instead, a new snapshot is released. The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. +Incompatibility with Postfix 2.4.7 +================================== + +When a mailbox file is not owned by its recipient, the local and +virtual delivery agents now log a warning and defer delivery. +Specify "strict_mailbox_ownership = no" to ignore such ownership +discrepancies. + Incompatibility with Postfix 2.4.4 ================================== diff --git a/html/local.8.html b/html/local.8.html index de3fd4f..9cece01 100644 --- a/html/local.8.html +++ b/html/local.8.html @@ -394,6 +394,12 @@ LOCAL(8) LOCAL(8) attempt; do not update the Delivered-To: address while expanding aliases or .forward files. + Available in Postfix version 2.4.7-r1 and later: + + strict_mailbox_ownership (yes) + Defer delivery when a mailbox file is not owned by + its recipient. + DELIVERY METHOD CONTROLS The precedence of local(8) delivery methods from high to low is: aliases, .forward files, mailbox_transport_maps, 
@@ -532,6 +538,12 @@ LOCAL(8) LOCAL(8) agent allows in $name expansions of $command_execu- tion_directory. + Available in Postfix version 2.4.7-r1 and later: + + strict_mailbox_ownership (yes) + Defer delivery when a mailbox file is not owned by + its recipient. + MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) The default location of the Postfix main.cf and diff --git a/html/postconf.5.html b/html/postconf.5.html index a19b6b3..7952563 100644 --- a/html/postconf.5.html +++ b/html/postconf.5.html @@ -11602,6 +11602,17 @@ This feature is available in Postfix 2.0 and later. +
strict_mailbox_ownership +(default: yes)
+ +

Defer delivery when a mailbox file is not owned by its recipient. +The default setting is not backwards compatible.

+ +

This feature is available in Postfix 2.4.7-r1 and later.

+ + +
+
strict_mime_encoding_domain (default: no)
diff --git a/html/virtual.8.html b/html/virtual.8.html index 3d7e526..0341911 100644 --- a/html/virtual.8.html +++ b/html/virtual.8.html @@ -200,9 +200,15 @@ VIRTUAL(8) VIRTUAL(8) destination for final delivery to domains listed with $virtual_mailbox_domains. + Available in Postfix version 2.4.7-r1 and later: + + strict_mailbox_ownership (yes) + Defer delivery when a mailbox file is not owned by + its recipient. + LOCKING CONTROLS virtual_mailbox_lock (see 'postconf -d' output) - How to lock a UNIX-style virtual(8) mailbox before + How to lock a UNIX-style virtual(8) mailbox before attempting delivery. deliver_lock_attempts (20) 
@@ -210,41 +216,41 @@ VIRTUAL(8) VIRTUAL(8) sive lock on a mailbox file or bounce(8) logfile. deliver_lock_delay (1s) - The time between attempts to acquire an exclusive + The time between attempts to acquire an exclusive lock on a mailbox file or bounce(8) logfile. stale_lock_time (500s) - The time after which a stale exclusive mailbox + The time after which a stale exclusive mailbox lockfile is removed. RESOURCE AND RATE CONTROLS virtual_destination_concurrency_limit ($default_destina- tion_concurrency_limit) - The maximal number of parallel deliveries to the - same destination via the virtual message delivery + The maximal number of parallel deliveries to the + same destination via the virtual message delivery transport. virtual_destination_recipient_limit ($default_destina- tion_recipient_limit) - The maximal number of recipients per delivery via + The maximal number of recipients per delivery via the virtual message delivery transport. virtual_mailbox_limit (51200000) - The maximal size in bytes of an individual mailbox + The maximal size in bytes of an individual mailbox or maildir file, or zero (no limit). MISCELLANEOUS CONTROLS config_directory (see 'postconf -d' output) - The default location of the Postfix main.cf and + The default location of the Postfix main.cf and master.cf configuration files. daemon_timeout (18000s) - How much time a Postfix daemon process may take to - handle a request before it is terminated by a + How much time a Postfix daemon process may take to + handle a request before it is terminated by a built-in watchdog timer. delay_logging_resolution_limit (2) - The maximal number of digits after the decimal + The maximal number of digits after the decimal point when logging sub-second delay values. ipc_timeout (3600s) 
@@ -252,33 +258,33 @@ VIRTUAL(8) VIRTUAL(8) over an internal communication channel. max_idle (100s) - The maximum amount of time that an idle Postfix - daemon process waits for an incoming connection + The maximum amount of time that an idle Postfix + daemon process waits for an incoming connection before terminating voluntarily. max_use (100) - The maximal number of incoming connections that a - Postfix daemon process will service before termi- + The maximal number of incoming connections that a + Postfix daemon process will service before termi- nating voluntarily. process_id (read-only) - The process ID of a Postfix command or daemon + The process ID of a Postfix command or daemon process. process_name (read-only) - The process name of a Postfix command or daemon + The process name of a Postfix command or daemon process. queue_directory (see 'postconf -d' output) - The location of the Postfix top-level queue direc- + The location of the Postfix top-level queue direc- tory. syslog_facility (mail) The syslog facility of Postfix logging. syslog_name (postfix) - The mail system name that is prepended to the - process name in syslog records, so that "smtpd" + The mail system name that is prepended to the + process name in syslog records, so that "smtpd" becomes, for example, "postfix/smtpd". SEE ALSO 
@@ -291,20 +297,20 @@ VIRTUAL(8) VIRTUAL(8) VIRTUAL_README, domain hosting howto LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. HISTORY - This delivery agent was originally based on the Postfix - local delivery agent. Modifications mainly consisted of - removing code that either was not applicable or that was - not safe in this context: aliases, ~user/.forward files, + This delivery agent was originally based on the Postfix + local delivery agent. Modifications mainly consisted of + removing code that either was not applicable or that was + not safe in this context: aliases, ~user/.forward files, delivery to "|command" or to /file/name. The Delivered-To: message header appears in the qmail sys- tem by Daniel Bernstein. - The maildir structure appears in the qmail system by + The maildir structure appears in the qmail system by Daniel Bernstein. AUTHOR(S) diff --git a/man/man5/postconf.5 b/man/man5/postconf.5 index 7af763b..ba9f36a 100644 --- a/man/man5/postconf.5 +++ b/man/man5/postconf.5 @@ -7062,6 +7062,11 @@ This feature should not be enabled on a general purpose mail server, because it is likely to reject legitimate email. .PP This feature is available in Postfix 2.0 and later. +.SH strict_mailbox_ownership (default: yes) +Defer delivery when a mailbox file is not owned by its recipient. +The default setting is not backwards compatible. +.PP +This feature is available in Postfix 2.4.7-r1 and later. .SH strict_mime_encoding_domain (default: no) Reject mail with invalid Content-Transfer-Encoding: information for the message/* or multipart/* MIME content types. This blocks diff --git a/man/man8/local.8 b/man/man8/local.8 index 4452007..5af15a9 100644 --- a/man/man8/local.8 +++ b/man/man8/local.8 
@@ -412,6 +412,10 @@ Update the \fBlocal\fR(8) delivery agent's idea of the Delivered-To: address (see prepend_delivered_header) only once, at the start of a delivery attempt; do not update the Delivered-To: address while expanding aliases or .forward files. +.PP +Available in Postfix version 2.4.7-r1 and later: +.IP "\fBstrict_mailbox_ownership (yes)\fR" +Defer delivery when a mailbox file is not owned by its recipient. .SH "DELIVERY METHOD CONTROLS" .na .nf @@ -510,7 +514,7 @@ Restrict \fBlocal\fR(8) mail delivery to external commands. Restrict \fBlocal\fR(8) mail delivery to external files. .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR" Restrict the characters that the \fBlocal\fR(8) delivery agent allows in -$name expansions of $mailbox_command. +$name expansions of $mailbox_command and $command_execution_directory. .IP "\fBdefault_privs (nobody)\fR" The default rights used by the \fBlocal\fR(8) delivery agent for delivery to external file or command. @@ -522,6 +526,10 @@ Available in Postfix version 2.2 and later: .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR" Restrict the characters that the \fBlocal\fR(8) delivery agent allows in $name expansions of $command_execution_directory. +.PP +Available in Postfix version 2.4.7-r1 and later: +.IP "\fBstrict_mailbox_ownership (yes)\fR" +Defer delivery when a mailbox file is not owned by its recipient. .SH "MISCELLANEOUS CONTROLS" .na .nf diff --git a/man/man8/virtual.8 b/man/man8/virtual.8 index b45ac26..22e41b5 100644 --- a/man/man8/virtual.8 +++ b/man/man8/virtual.8 
@@ -213,6 +213,10 @@ mail is delivered via the $virtual_transport mail delivery transport. .IP "\fBvirtual_transport (virtual)\fR" The default mail delivery transport and next-hop destination for final delivery to domains listed with $virtual_mailbox_domains. +.PP +Available in Postfix version 2.4.7-r1 and later: +.IP "\fBstrict_mailbox_ownership (yes)\fR" +Defer delivery when a mailbox file is not owned by its recipient. .SH "LOCKING CONTROLS" .na .nf diff --git a/mantools/postlink b/mantools/postlink index b4771d9..e2503ca 100755 --- a/mantools/postlink +++ b/mantools/postlink @@ -496,6 +496,7 @@ while (<>) { s;\bstrict_8bitmime\b;$&;g; s;\bstrict_8bitmime_body\b;$&;g; s;\bstrict_mime_encoding_domain\b;$&;g; + s;\bstrict_mailbox_ownership\b;$&;g; s;\bstrict_rfc821_envelopes\b;$&;g; s;\bsun_mailtool_compatibility\b;$&;g; s;\bswap_bangpath\b;$&;g; diff --git a/proto/postconf.proto b/proto/postconf.proto index f5a90ed..7761e7e 100644 --- a/proto/postconf.proto +++ b/proto/postconf.proto @@ -10586,3 +10586,10 @@ to the SASL authcid, but this causes inter-operability problems with some SMTP servers.

This feature is available in Postfix 2.4.4 and later.

+ +%PARAM strict_mailbox_ownership yes + +

Defer delivery when a mailbox file is not owned by its recipient. +The default setting is not backwards compatible.

+ +

This feature is available in Postfix 2.4.7-r1 and later.

diff --git a/src/global/mail_params.h b/src/global/mail_params.h index 2785921..9cf6216 100644 --- a/src/global/mail_params.h +++ b/src/global/mail_params.h @@ -2783,6 +2783,13 @@ extern char *var_milt_v; #define DEF_INT_FILT_CLASSES "" extern char *var_int_filt_classes; + /* + * Mailbox ownership. + */ +#define VAR_STRICT_MBOX_OWNER "strict_mailbox_ownership" +#define DEF_STRICT_MBOX_OWNER 1 +extern bool var_strict_mbox_owner; + /* LICENSE /* .ad /* .fi diff --git a/src/global/mail_version.h b/src/global/mail_version.h index ae94ab9..7ceadad 100644 --- a/src/global/mail_version.h +++ b/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20080131" -#define MAIL_VERSION_NUMBER "2.4.7" +#define MAIL_RELEASE_DATE "20080726" +#define MAIL_VERSION_NUMBER "2.4.7-r1" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/src/local/local.c b/src/local/local.c index 557be6f..72ea49f 100644 --- a/src/local/local.c +++ b/src/local/local.c @@ -378,6 +378,10 @@ /* address (see prepend_delivered_header) only once, at the start of /* a delivery attempt; do not update the Delivered-To: address while /* expanding aliases or .forward files. +/* .PP +/* Available in Postfix version 2.4.7-r1 and later: +/* .IP "\fBstrict_mailbox_ownership (yes)\fR" +/* Defer delivery when a mailbox file is not owned by its recipient. /* DELIVERY METHOD CONTROLS /* .ad /* .fi 
@@ -468,7 +472,7 @@ /* Restrict \fBlocal\fR(8) mail delivery to external files. /* .IP "\fBcommand_expansion_filter (see 'postconf -d' output)\fR" /* Restrict the characters that the \fBlocal\fR(8) delivery agent allows in -/* $name expansions of $mailbox_command. +/* $name expansions of $mailbox_command and $command_execution_directory. /* .IP "\fBdefault_privs (nobody)\fR" /* The default rights used by the \fBlocal\fR(8) delivery agent for delivery /* to external file or command. @@ -480,6 +484,10 @@ /* .IP "\fBexecution_directory_expansion_filter (see 'postconf -d' output)\fR" /* Restrict the characters that the \fBlocal\fR(8) delivery agent allows /* in $name expansions of $command_execution_directory. +/* .PP +/* Available in Postfix version 2.4.7-r1 and later: +/* .IP "\fBstrict_mailbox_ownership (yes)\fR" +/* Defer delivery when a mailbox file is not owned by its recipient. /* MISCELLANEOUS CONTROLS /* .ad /* .fi @@ -641,6 +649,7 @@ int var_mailtool_compat; char *var_mailbox_lock; int var_mailbox_limit; bool var_frozen_delivered; +bool var_strict_mbox_owner; int local_cmd_deliver_mask; int local_file_deliver_mask; @@ -887,6 +896,7 @@ int main(int argc, char **argv) VAR_STAT_HOME_DIR, DEF_STAT_HOME_DIR, &var_stat_home_dir, VAR_MAILTOOL_COMPAT, DEF_MAILTOOL_COMPAT, &var_mailtool_compat, VAR_FROZEN_DELIVERED, DEF_FROZEN_DELIVERED, &var_frozen_delivered, + VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner, 0, }; diff --git a/src/local/mailbox.c b/src/local/mailbox.c index 92bd79d..d35ef66 100644 --- a/src/local/mailbox.c +++ b/src/local/mailbox.c 
@@ -194,6 +194,12 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
 vstream_fclose(mp->fp);
 dsb_simple(why, "5.2.0",
 "destination %s is not a regular file", mailbox);
+ } else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) {
+ vstream_fclose(mp->fp);
+ dsb_simple(why, "4.2.0",
+ "destination %s is not owned by recipient", mailbox);
+ msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch",
+ VAR_STRICT_MBOX_OWNER);
 } else {
 end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END);
 mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
diff --git a/src/virtual/mailbox.c b/src/virtual/mailbox.c
index 09fc54b..f0ad6eb 100644
--- a/src/virtual/mailbox.c
+++ b/src/virtual/mailbox.c
@@ -125,6 +125,12 @@ static int deliver_mailbox_file(LOCAL_STATE state, USER_ATTR usr_attr)
 msg_warn("recipient %s: destination %s is not a regular file",
 state.msg_attr.rcpt.address, usr_attr.mailbox);
 dsb_simple(why, "5.3.5", "mail system configuration error");
+ } else if (var_strict_mbox_owner && st.st_uid != usr_attr.uid) {
+ vstream_fclose(mp->fp);
+ dsb_simple(why, "4.2.0",
+ "destination %s is not owned by recipient", usr_attr.mailbox);
+ msg_warn("specify \"%s = no\" to ignore mailbox ownership mismatch",
+ VAR_STRICT_MBOX_OWNER);
 } else {
 end = vstream_fseek(mp->fp, (off_t) 0, SEEK_END);
 mail_copy_status = mail_copy(COPY_ATTR(state.msg_attr), mp->fp,
diff --git a/src/virtual/virtual.c b/src/virtual/virtual.c
index 7d6e1b8..57b4098 100644
--- a/src/virtual/virtual.c
+++ b/src/virtual/virtual.c
@@ -183,6 +183,10 @@
 /* .IP "\fBvirtual_transport (virtual)\fR"
 /* The default mail delivery transport and next-hop destination for
 /* final delivery to domains listed with $virtual_mailbox_domains.
+/* .PP
+/* Available in Postfix version 2.4.7-r1 and later:
+/* .IP "\fBstrict_mailbox_ownership (yes)\fR"
+/* Defer delivery when a mailbox file is not owned by its recipient.
 /* LOCKING CONTROLS
 /* .ad
 /* .fi
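Review bot: The new `msg_warn()` in the ownership branch of src/local/mailbox.c names neither the recipient nor the mailbox path, so an operator reading syslog sees only the advice to relax `strict_mailbox_ownership` and must hunt for the matching defer record to learn which file has the wrong owner; the `S_ISREG` branch directly above in src/virtual/mailbox.c logs `recipient %s: destination %s`, and the new branch in both files (the second hunk on this line has the same gap) should follow that form. A possible replacement is `msg_warn("recipient %s: destination %s is not owned by recipient; specify \"%s = no\" to ignore", state.msg_attr.rcpt.address, mailbox, VAR_STRICT_MBOX_OWNER);` with `usr_attr.mailbox` in the virtual agent, assuming `state.msg_attr.rcpt.address` is reachable from the local agent's `deliver_mailbox_file` as it is in the virtual copy. Because the status is 4.2.0 the message stays queued and this warning repeats on every retry, which makes the missing identification costly in a busy log. Only `st_uid` is compared, so a mailbox with the expected owner but group- or world-writable mode still passes; whether `st` comes from `fstat()` on the descriptor already opened in `mp->fp` (race-free) or from a path `stat()` cannot be seen from the hunk and is worth confirming. `deliver_mailbox_file` begins and ends outside the hunk in both files.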
@@ -329,6 +333,7 @@ char *var_virt_mailbox_base; char *var_virt_mailbox_lock; int var_virt_mailbox_limit; char *var_mail_spool_dir; /* XXX dependency fix */ +bool var_strict_mbox_owner; /* * Mappings. @@ -504,6 +509,10 @@ int main(int argc, char **argv) VAR_VIRT_MAILBOX_LOCK, DEF_VIRT_MAILBOX_LOCK, &var_virt_mailbox_lock, 1, 0, 0, }; + static const CONFIG_BOOL_TABLE bool_table[] = { + VAR_STRICT_MBOX_OWNER, DEF_STRICT_MBOX_OWNER, &var_strict_mbox_owner, + 0, + }; /* * Fingerprint executables and core dumps. @@ -513,6 +522,7 @@ int main(int argc, char **argv) single_server_main(argc, argv, local_service, MAIL_SERVER_INT_TABLE, int_table, MAIL_SERVER_STR_TABLE, str_table, + MAIL_SERVER_BOOL_TABLE, bool_table, MAIL_SERVER_PRE_INIT, pre_init, MAIL_SERVER_POST_INIT, post_init, MAIL_SERVER_PRE_ACCEPT, pre_accept,