authorAlejandro Soto <alejandro@34project.org>2024-07-27 14:57:26 -0600
committerAlejandro Soto <alejandro@34project.org>2024-07-27 20:10:00 -0600
commit14c56a9dd2b67102ac4c6c5648e4afb53b144eaa (patch)
treecf9dd2bb0f583baf5233253e2505cde183ce6110 /pkgs
parentecdd297868a6a7df5b61ae38bace9462961e5b4f (diff)
pkgs: patch postfix to implement CCERTS action in access tables
Diffstat (limited to 'pkgs')
-rw-r--r--pkgs/default.nix2
-rw-r--r--pkgs/postfix/0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch55
-rw-r--r--pkgs/postfix/default.nix7
3 files changed, 64 insertions, 0 deletions
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 1c3bac2..45b3f4f 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -37,6 +37,8 @@ in
home-assistant-custom-lovelace-modules = prev.home-assistant-custom-lovelace-modules // {
xiaomi-vacuum-map-card = final.callPackage ./lovelace-xiaomi-vacuum-map-card { };
};
+
+ postfix = callPackage ./postfix { inherit (prev) postfix; };
} // (
let
makePyOverrides = version:
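Review bot: The new override calls bare `callPackage` while the neighbouring `xiaomi-vacuum-map-card` entry uses `final.callPackage`; if both names resolve to the same function this is only a consistency nit, but if the bare one comes from an outer scope it may build against a package set that does not see this overlay's other changes, so `postfix = final.callPackage ./postfix { inherit (prev) postfix; };` would keep the file uniform. Passing `prev.postfix` into the override looks right for an overlay, since the wrapper must start from the unmodified package rather than from itself.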
diff --git a/pkgs/postfix/0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch b/pkgs/postfix/0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch
new file mode 100644
index 0000000..ceec3dc
--- /dev/null
+++ b/pkgs/postfix/0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch
@@ -0,0 +1,55 @@
+From e50dd20ed36e3031a049e1fdb99894d2a974adfa Mon Sep 17 00:00:00 2001
+From: Alejandro Soto <alejandro@34project.org>
+Date: Sat, 27 Jul 2024 14:42:37 -0600
+Subject: [PATCH] smtpd: implement CCERTS action for access(5) tables
+
+Permits access if a valid TLS client certificate is present and matches
+any item from a space or comma-separated list of certificate
+fingerprints given as argument. Otherwise, behaves as DUNNO.
+
+Example usage:
+
+/etc/postfix/sender_ccerts:
+ user@example.com CCERTS AA:BB:CC:DD:EE:FF:12:34:56:67:2E:FB:3F:34:99:90:AB:CD:EF:4C
+---
+ postfix/src/smtpd/smtpd_check.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/src/smtpd/smtpd_check.c b/src/smtpd/smtpd_check.c
+index 6aeda7475..b4232194d 100644
+--- a/src/smtpd/smtpd_check.c
++++ b/src/smtpd/smtpd_check.c
+@@ -2677,6 +2677,30 @@ static int check_table_result(SMTPD_STATE *state, const char *table,
+ }
+ }
+
++ // Advertencia: buf para value usa un límite de 10 chars (ver inicio de esta función)
++ // FIXME: Posible timing attack, solo determinaría fingerprint
++ if (STREQUAL(value, "CCERTS", cmd_len)) {
++#ifdef USE_TLS
++ if (TLS_CERT_IS_PRESENT(state->tls_context)) {
++ const char *fprint = state->tls_context->peer_cert_fprint;
++ if (fprint && *fprint) {
++ size_t fprint_len = strlen(fprint);
++
++ const char *ccerts = cmd_text;
++ while (*ccerts) {
++ size_t ccert_len = strcspn(ccerts, ", \t");
++ if (ccert_len == fprint_len && strncmp(ccerts, fprint, fprint_len) == 0)
++ return (smtpd_acl_permit(state, STR(buf), reply_class, reply_name,
++ "from %s", table));
++
++ ccerts += ccert_len + strspn(ccerts + ccert_len, ", \t");
++ }
++ }
++ }
++#endif
++ return (SMTPD_CHECK_DUNNO);
++ }
++
+ /*
+ * All-numeric result probably means OK - some out-of-band authentication
+ * mechanism uses this as time stamp.
+--
+2.44.1
+
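Review bot: The commit message says a "valid" client certificate is required, but the new branch only gates on `TLS_CERT_IS_PRESENT(state->tls_context)`, so any presented certificate whose fingerprint is listed is accepted regardless of CA verification; that is the same trust model as Postfix's fingerprint-based `check_ccert_access` (key possession is proven by the handshake), so it is a documentation issue rather than a code one, and the two Spanish comments should be replaced by an English statement of it, e.g. `/* CCERTS: permit when the peer presented a client certificate whose fingerprint (smtpd_tls_fingerprint_digest format) appears in the list; CA trust is deliberately not required. */`. An empty argument silently falls through to the final `return (SMTPD_CHECK_DUNNO);`, whereas, as far as I recall, the other argument-taking actions in this function (FILTER, REDIRECT) warn about a missing argument, so add `if (*cmd_text == 0) { msg_warn("access table %s: CCERTS action requires a fingerprint argument", table); return (SMTPD_CHECK_DUNNO); }` before the `#ifdef USE_TLS`. The `strncmp` match is case-sensitive and compares only `peer_cert_fprint`; if administrators may type lower-case hex, or if parity with `check_ccert_access`'s public-key fingerprint matching is wanted, either document the exact expected format in that header comment or extend the match. The timing FIXME can be closed rather than carried: the peer cannot choose its fingerprint byte by byte (it is a digest of the certificate it presents), so the early exit of `strncmp` gives no usable oracle over the table contents, and if a constant-time compare is still preferred it is a few lines since both strings already have equal length at that point. The enclosing `check_table_result` begins and ends outside the hunk.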
diff --git a/pkgs/postfix/default.nix b/pkgs/postfix/default.nix
new file mode 100644
index 0000000..39481e7
--- /dev/null
+++ b/pkgs/postfix/default.nix
@@ -0,0 +1,7 @@
+{ postfix }:
+postfix.overrideAttrs {
+ # Nota: hay que cambiar prefix postfix/src/ -> src/ en el patch porque las release tarballs vienen así
+ patches = (postfix.patches or [ ]) ++ [
+ ./0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch
+ ];
+}
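Review bot: The comment about rewriting the `postfix/src/` prefix to `src/` is in Spanish and reads as a pending manual step, but the committed patch already uses `src/smtpd/smtpd_check.c` in its `diff --git` header (only its stat line still says `postfix/src/…`, which `patch` ignores); rewrite it in English as a statement of fact, e.g. `# Patch paths are relative to the release tarball (src/...), not the git tree (postfix/src/...).`. `overrideAttrs` is given a plain attribute set and `postfix.patches or [ ]` reads the patch list from the outer derivation; the function form `(old: { patches = (old.patches or [ ]) ++ [ ./0001-smtpd-implement-CCERTS-action-for-access-5-tables.patch ]; })` composes with later overrides of the same package and, I believe, does not depend on the newer nixpkgs that accepts the attribute-set form.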