[exim-dev] XCLIENT patch to Exim; Cambridge

Góra strony
Delete this message
Reply to this message
Autor: Phil Pennock
Data:  
Dla: exim-dev
CC: Tony Finch, Vsevolod Stakhov
Temat: [exim-dev] XCLIENT patch to Exim; Cambridge
FreeBSD is carrying a local patch to Exim, adding XCLIENT support.

The ticket requesting its addition is at:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=133891
and there's no indication given there about why this was aimed directly
at one OS's packaging, rather than at upstream.

The feature documentation is:
http://www.postfix.org/XCLIENT_README.html
The patch can be found at:
https://github.com/freebsd/freebsd-ports/blob/master/mail/exim/files/extra-patch-xclient

This should probably be considered as a parallel to the proxy protocol
support which we have.

Aside from security review, the biggest issue is likely to be that the
patch wasn't given to us and is currently a standalone work without a
license statement, so we'd need to chase down the original author and
ask about permission to include as part of Exim, under GPL.

In 2008 there was discussion on exim-users, subject "XCLIENT supported
by exim?"; Nigel summarized the state as zero previous discussion, no
patches, so no apparent interest. The tone of the response I see was
generally "oh that's a Postfix thing, we just connect Exim directly to
the Internet without anything in front of it".

One of the last posts referenced an existing patch by Vsevolod Stakhov:
http://cebka.pp.ru/blog/2007/12/xclient-exim.html
http://cebka.pp.ru/blog/patch-exim-xclient
but there's no longer any DNS for that host; however, the initial report
in the FreeBSD PR #133891 referenced
<http://cebka.pp.ru/blog/2009/01/-eximxclient.html> so it seems that the
history of this patch in FreeBSD traces back to then, even though the
FreeBSD patch has been maintained as it's patched for more recent Exim
releases.

I think that the biggest problem is that most postmaster folks back then
didn't see the benefit of siting an Exim behind a front-end proxy,
especially since this was presented as a security proxy adding features,
where all the features _could_ be done in Exim already. Since then,
with the widening spread of protocol-generic front-end loadbalancers,
we've seen the haproxy Proxy Protocol take off, the approach of setting
normally-from-getsockopt vars based upon remote data _if_ the connecting
host passes an ACL has been validated and seen not to be a security
issue (well, unless someone allows the extension from the open Internet,
instead of just from the local trusted proxies) and I think that this is
_much_ less controversial.

It looks like the "Vsevolod Stakhov" from the original report is
probably the gentleman by that name now at the University of Cambridge
(oh, it's the same guy who did the cool libucl config library stuff,
that's why the name was familiar :) ).

On this basis, I'm going to explicitly CC Tony, also at UoC who could
perhaps chat with Vsevolod, and the address found on
<https://github.com/vstakhov>.

Guys, okay to pull this patch into Exim?

-Phil