Disclaimer variables passed from amavis to altermime.

Mark Martinec Mark.Martinec+amavis at ijs.si
Fri Jun 29 16:42:47 CEST 2012 

Frank,

> I am running a basic iredmail install with amavis, postfix, dovecot.
> I want to use the declaimer feature to automatically append a disclaimer
> (in our case a signature).
> The reasoning for this is that clients (ipad, outlook, etc) don't have to
> be configured with signature settings, and that we have corporate control
> over the actual signatures that are posted.
> 
> Instead of:
> 'boss at domain.com' => 'boss.domain.com.txt'
> 
> I am trying to get to
> %mailbox + '@' + %domain =>  %mailbox + "." + %domain + '.txt'
> 
> This way we can simply use a script to generate the .txt / .htm signature
> files using just mysql / php.

Well, the following could *almost* work, thanks to righthand-side
replacements in hash lookups:

  # make_query_keys:
  # $1 = User+Foo at Sub.Example.COM
  # $2 = User+Foo
  # $3 = user  (lc if localpart_is_case_sensitive)
  # $4 = +foo  (lc if localpart_is_case_sensitive)
  # $5 = sub.example.com (lowercased unconditionally)

  $policy_bank{'MYNETS'} = {
     originating => 1,
     allow_disclaimers => 1,
  };
  $altermime = '/usr/local/bin/altermime';
  $defang_maps_by_ccat{+CC_CATCHALL} = [ 'disclaimer' ];
  @disclaimer_options_bysender_maps = ( { '.' => '$3.$5' } );
  @altermime_args_disclaimer =
    qw(--disclaimer=/etc/_OPTION_.txt --disclaimer-html=/etc/_OPTION_.html);

The downside is that the sender's mail address comes from SMTP protocol,
i.e. an untrusted external source, and as such it is tainted (in a Perl
sense) and can contain any junk (malicious or not). In consequence
the $3 and $5 are tainted and the replacement string for the _OPTION_
placeholder becomes tainted, so the invocation of an external program
(altermime, or some lookalike script) will fail because its
command line arguments are tainted.

If you know that the invoked altermime or its lookalike script
will not be fooled by an untrusted command line argument,
a hack could be to replace:
  $disclaimer_options = $opt;
by:
  $disclaimer_options = untaint($opt);
in sub prepare_modified_mail, file amavisd.

(btw, there is no shell involved when amavisd launches an external
program, so the danger is not in exec, but in a launched program
itself)

  Mark

More information about the amavis-users mailing list