List:       postfix-users
Subject:    Re: exclude 127.0.0.1 from smtpd_tls_auth_only = yes
From:       wietse () porcupine ! org (Wietse Venema)
Date:       2013-07-06 22:57:18
Message-ID: 3bnpGQ3QtFzjymG () spike ! porcupine ! org

Viktor Dukhovni:
> On Sat, Jul 06, 2013 at 03:46:48PM +0200, Pol Hallen wrote:
> 
> > So, what should be do? I'm confused :-/
> > 
> > How clone submission service?
> 
> I already answered this question, in my original follow-up to
> Wietse's advice, which indeed works on Solaris, and various other
> systems, but not on Linux where wildcard listeners preclude
> per-address listeners on the same port (otherwise an X11 server
> listening on port 6000 may be intercepted by rogue listeners that
> listen on port 6000 at each of the machine's actual interface
> addresses).  So the Linux behaviour is actually sensible for a
> change :-)

I don't buy that argument. If their purpose was to address rogue
listeners, then they would have compared the UIDs that create the
sockets.

As it is now, no user, not even root, can override their own wildcard
bind with a more specific bind. And that is a bug.

	Wietse
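
The bind behaviour discussed in this thread, as an added example that is not part of the original message: it opens a wildcard listener on a kernel-chosen port and then attempts a per-address bind to 127.0.0.1 on the same port, with and without SO_REUSEADDR. The function name and the "allowed"/"refused" labels are assumptions made for this illustration.

```python
import errno
import socket


def try_specific_bind_under_wildcard(reuseaddr: bool) -> str:
    """Listen on 0.0.0.0:<port>, then try to bind 127.0.0.1:<port>.

    Returns "refused" if the kernel rejects the per-address bind with
    EADDRINUSE, "allowed" if both sockets can coexist on the port.
    (Hypothetical helper written for this example.)
    """
    wildcard = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    specific = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if reuseaddr:
            # Set on both sockets: the option only matters when every
            # socket competing for the port has requested it.
            for s in (wildcard, specific):
                s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        wildcard.bind(("0.0.0.0", 0))  # port 0: kernel picks a free port
        wildcard.listen(1)
        port = wildcard.getsockname()[1]
        try:
            specific.bind(("127.0.0.1", port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "refused"
            raise
        return "allowed"
    finally:
        specific.close()
        wildcard.close()


if __name__ == "__main__":
    for flag in (False, True):
        outcome = try_specific_bind_under_wildcard(flag)
        print(f"SO_REUSEADDR={flag}: per-address bind {outcome}")
```

On Linux both cases report "refused", and the process doing the second bind is the same one that owns the wildcard listener; on the systems where the per-address approach works, the SO_REUSEADDR case may report "allowed".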