
Manage Unix socket #73

Open
sveyret opened this issue May 3, 2020 · 4 comments

Comments

@sveyret

sveyret commented May 3, 2020

Hi,
I am using nullmailer on my home servers to forward local e-mails (e.g. cron) to the main server, which has a full postfix installation. In order for this communication between nullmailer and postfix to be secured, I want to use a Unix socket instead of a TCP socket.
I made a modification in the source in order to add this ability, and will provide a PR. It would be great if it could be integrated into nullmailer.
Thank you.

@jahir

jahir commented May 4, 2020

Patch looks ok (on a quick glance) and is not very intrusive, but could you elaborate on why you need this and how this is used?
For secure communication, nullmailer already supports TLS (and uses it by default).
Unix sockets can only be used for local communication, i.e. between processes on the same host. Sure, you can export a Unix socket with NFS or use something like stunnel to forward the connection via TCP, but that's not "communicating over a Unix socket" any more and only adds complexity without any security gain.

@sveyret
Author

sveyret commented May 4, 2020

I can explain, but it's a long story… 😉 I'll try to sum up.
I was previously using TLS with certificate checking; all certificates must be issued by a home root CA. This needs some maintenance, because certificates (even the root CA) are regularly renewed. I also have a problem with some docker containers that need to send e-mails but for which I do not really control the valid certificates.
So I found it easier (and somehow safer) to create an SSH connection (acting as a tunnel, even if not really one) between the secondary servers and the main one (using socat for input/output to be on a Linux socket). The SSH tunnel can be opened easily using public key exchange, and can even be shared by hosted docker containers. The users opening the tunnel have restricted rights, and ordinary users cannot access the open socket. So there is no exposed open port (well, except SSH, of course, but this one was already open).
On the main server side, postfix can already read from a Unix socket. On the secondary server, I am currently (successfully) using the patched version of nullmailer to do it.

Now, beyond my personal use case, sending to a Unix socket can be interesting in some situations like:

  • communication between virtual servers (using a host shared socket);
  • e-mail checking with virus checkers or other milters, working on the same host.

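As an added illustration of what the setup described above looks like end to end (this is not nullmailer's code, nor the patch from this issue): a Python smtplib client redirected to an AF_UNIX path, talking to a minimal SMTP responder that stands in for postfix (or the socat end of the SSH tunnel). The socket path, hostnames and addresses are constructed; the socket's 0o660 mode is the filesystem permission that keeps other local users away from the relay, which is what replaces the exposed TCP port.

```python
import os, smtplib, socket, tempfile, threading

class UnixSMTP(smtplib.SMTP):
    """smtplib client that dials an AF_UNIX path instead of a TCP host:port."""

    def __init__(self, path):
        self.path = path
        # host must be non-empty so SMTP.__init__ calls connect(); _get_socket ignores host/port
        super().__init__("localhost", 0, local_hostname="home-box", timeout=5)

    def _get_socket(self, host, port, timeout):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(self.path)
        return sock

def _serve_one(listener, store):  # postfix stand-in: answers one SMTP session, records the DATA payload
    conn, _ = listener.accept()
    rf, body, in_data = conn.makefile("rb"), [], False
    conn.sendall(b"220 relay.example ESMTP\r\n")
    for line in rf:
        if in_data and line != b".\r\n":  # inside DATA: collect until the lone "." terminator
            body.append(line)
        elif in_data:
            in_data, store["data"] = False, b"".join(body)
            conn.sendall(b"250 2.0.0 Ok: queued\r\n")
        elif line.upper().startswith(b"DATA"):
            in_data = True
            conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
        elif line.upper().startswith(b"QUIT"):
            conn.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:  # EHLO, MAIL FROM and RCPT TO are all accepted
            conn.sendall(b"250 Ok\r\n")
    conn.close()

def relay_via_unix_socket(message: bytes) -> dict:
    path = os.path.join(tempfile.mkdtemp(), "smtp.sock")  # constructed path, not a real deployment
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    os.chmod(path, 0o660)  # filesystem permissions replace an exposed TCP port: owner/group only
    listener.listen(1)
    store = {"mode": os.stat(path).st_mode & 0o777}
    threading.Thread(target=_serve_one, args=(listener, store), daemon=True).start()
    with UnixSMTP(path) as client:  # sendmail() issues EHLO, MAIL, RCPT and DATA; exit sends QUIT
        client.sendmail("cron@home-box", ["admin@example.org"], message)
    listener.close()
    os.unlink(path)
    return store
```

The client side is the only part that changes compared to a TCP submission: every SMTP command and reply is exactly the same, which is why the patch can stay small.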
@sveyret
Author

sveyret commented May 11, 2020

Hi @jahir, any news on this topic?

@jahir

jahir commented May 11, 2020

@sveyret not from me. I'm not sure if this is of much use, but as I said, the patch looks fine and is not very intrusive, so it would be fine by me. I have no say in this project, so that's not of much help to you, though...
