public inbox for pmg-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Christoph Heiss <c.heiss@proxmox.com>
To: Stoiko Ivanov <s.ivanov@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api 1/3] fix #2437: config: Add inbound TLS policy option
Date: Mon, 20 Mar 2023 09:21:20 +0100	[thread overview]
Message-ID: <20230320082120.qm35vsdy4syexx7s@maui.proxmox.com> (raw)
In-Reply-To: <20230316135041.4de4316e@rosa.proxmox.com>

On Thu, Mar 16, 2023 at 01:50:41PM +0100, Stoiko Ivanov wrote:
> On Thu,  9 Mar 2023 11:18:44 +0100
> Christoph Heiss <c.heiss@proxmox.com> wrote:
>
> > Add a new configuration file /etc/pmg/tls_inbound_policy, which is a
> > postfix map containing all domains having `reject_plaintext_session`
> > action set, which is then used in smtpd_sender_restriction in the
> > main.cf template.
> >
> > Also add the accompanying API endpoint for modifying it.
> I usually split this out into a patch of its own.
Ack.

>
> One thing that is missing is adding the new file to the cluster sync (`git
> grep tls_policy`).
Thanks, didn't know that - will fix this for the next revision!

>
>
> > [..]
> > +sub read_tls_inbound_policy {
> > +    my ($filename, $fh) = @_;
> > +
> > +    return {} if !defined($fh);
> > +
> > +    my $tls_policy = {};
> > +
> > +    while (defined(my $line = <$fh>)) {
> > +	chomp $line;
> > +	next if $line =~ m/^\s*$/;
> > +	next if $line =~ m/^#(.*)\s*$/;
> > +
> > +	my $parse_error = sub {
> > +	    my ($err) = @_;
> > +	    die "parse error in '$filename': $line - $err";
> > +	};
> > +
> > +	if ($line =~ m/^(\S+)\s+.+\s*$/) {
> The matching seems odd - IIRC + is greedy so '.+' above would match
> everything anyways - making \s* superfluous?
I mostly copied this straight from read_tls_policy(), so that's why ..

>
> Why not explicitly match for 'reject_plain_text_session'? - since we write
> this literally into the file it should be there.
> (erroring out on unexpected content is better than to clobber it and
> replace what the users wrote there with 'reject_plaintext_session' upon
> any next update (and hopefully motivates the users to not use this
> particular file for other unrelated ACL entries))
That seems _very_ sensible, especially erroring out on entries with
anything other than `reject_plaintext_session` set to prevent users from
mis-using this file.

I will rework this for v2.

>
> [..]
>




  reply	other threads:[~2023-03-20  8:21 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-03-09 10:18 [pmg-devel] [PATCH pmg-{api, gui, docs} 0/3] fix #2437: Add TLS inbound policy for sender domains Christoph Heiss
2023-03-09 10:18 ` [pmg-devel] [PATCH pmg-api 1/3] fix #2437: config: Add inbound TLS policy option Christoph Heiss
2023-03-16 12:50   ` Stoiko Ivanov
2023-03-20  8:21     ` Christoph Heiss [this message]
2023-03-09 10:18 ` [pmg-devel] [PATCH pmg-gui 2/3] fix #2437: proxy: Add 'TLS Inbound Policy' panel Christoph Heiss
2023-03-16 12:32   ` Stoiko Ivanov
2023-03-20  8:36     ` Christoph Heiss
2023-03-20  8:42       ` Stoiko Ivanov
2023-03-09 10:18 ` [pmg-devel] [PATCH pmg-docs 3/3] pmgconfig: Explain new TLS inbound policy configuration Christoph Heiss
2023-03-16 12:28 ` [pmg-devel] [PATCH pmg-{api, gui, docs} 0/3] fix #2437: Add TLS inbound policy for sender domains Stoiko Ivanov
2023-03-20  8:14   ` Christoph Heiss
2023-03-20  8:36     ` Stoiko Ivanov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230320082120.qm35vsdy4syexx7s@maui.proxmox.com \
    --to=c.heiss@proxmox.com \
    --cc=pmg-devel@lists.proxmox.com \
    --cc=s.ivanov@proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal