Thread: [Postfixadmin-devel] fetchmail support
From: Christian B. <pos...@cb...> - 2007-10-07 23:27:59
Attachments:
postfixadmin-fetchmail.patch
Hello,

Viktor Gotwig (info AT symateam.de) has sent me a patch to add fetchmail
support to Postfixadmin. I just committed the major parts of it. The
only thing I left out is the menu entry (templates/menu.tpl)

    <li><a target="_top" href="fetchmail.php">
    <?php print $PALANG['pMenu_fetchmail']; ?></a></li>

which should be wrapped by a nice "if ($CONF['fetchmail_whatever'])".

For now, you have to type fetchmail.php in your browser to use the
script.

The original patch (against 2.1) is attached to this mail; I had to do
some minor changes to make it work with the SVN version.

This is the original mail Viktor sent me:
(some additional comments are listed below)

---------- Forwarded message ----------
Subject: postfixadmin 2.1.0
Date: Monday, 24 September 2007
From: Viktor Gotwig
To: Christian Boltz

Hello mister Boltz,

I have made some improvements to postfixadmin-2.1.0 to add a fetchmail
interface. Maybe you can also reuse it.

Many small/medium companies have only a dynamic IP connection to the
internet (DSL etc.) and are not able to directly receive their emails
from outside with postfix. Fetchmail is very handy, but does not have
any possibility for an SQL configuration.

My approach was to run a cronjob "job.pl" (every 5 minutes) that creates
a .fetchmailrc configuration on the fly for each account, runs
"fetchmail" with that and saves the returned text protocol message from
fetchmail back into the table.

Security things:
1) the file .fetchmailrc does not contain passwords or other sensitive
   data from different users at a time,
2) it will be deleted at the end of the cron job,
3) the passwords are stored base64-encoded to protect against accidental
   reading/remembering by administrators working on the DB. This is of
   course not secure, it helps against accidents only.

ToDo for me: the fetchmail option "MDA" is not tested yet. We plan to
write some custom email filter scripts; it may be convenient to use
that option here.

Thanks a lot for the program, it is really very useful. Sorry for the
perhaps too quick and dirty code, I have had very little time for that.

And a polite request to you: Please find some time to check/protect the
code against SQL injections, there are really a lot of places in the
code where injections are possible.

I would like to hear something from you :)

Good luck, Viktor.

P.S. For your information: I have already sent this patch to mister
Peters (because his email address was the first that I found in some
source files), but he answered that he does not work on this project
any more.

-------------------------------------------------------

Additions from some later mails (in German, therefore not quoted here):

"legal"
- he has allowed to publish his code/patch under GPL
- we are allowed to do any change we find useful
- he would be happy if we list his name somewhere[tm]

technical:
- the "Extra options" and "MDA" can be dangerous (example MDA
  "rm -rf /") - so these fields should be locked unless a special $CONF
  setting is enabled. Another option would be to offer some options in
  a dropdown list, populated by a config.inc.php setting.
- the user interface differs from the current Postfixadmin style (try
  yourself ;-) (yes, we should change it to follow the current
  Postfixadmin style)
- fetchmail.tpl uses an interesting method to call helper functions,
  judge yourself (I'll add my opinion later)
- known bug: several "undefined offset" and "undefined index" notices
- the database definition for fetchmail currently resides in a comment
  in fetchmail.php
- lots of strings are not translatable yet

Regards,

Christian Boltz
--
> > I don't really feel like dealing with this soap opera here...
> Then switch off your computer, open the window and throw it
> out of it.
Why open the window?
[>> su...@ni..., > Michael Raab and Michael Schulz in suse-linux]

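An added example, not part of the original mail and not Postfixadmin code: one way to implement the lock and the dropdown suggested above for the "MDA" and "Extra options" fields. The $CONF keys, the function names and the command lines are assumptions made for illustration.

```php
<?php
// Added example, not Postfixadmin code. The $CONF keys are hypothetical.
$CONF = [
    'fetchmail_extra_options' => 'NO',   // free-text "Extra options" locked by default
    'fetchmail_mda_choices'   => [       // dropdown: submitted key => command (constructed)
        ''         => '',                // no MDA
        'maildrop' => '/usr/bin/maildrop -d %T',
        'procmail' => '/usr/bin/procmail -d %T',
    ],
];

/**
 * Map the key submitted by the dropdown to the configured MDA command.
 * Returns null when the key is not one the admin configured, so text
 * typed into a forged request never reaches the fetchmail configuration.
 */
function resolve_mda(array $conf, $submittedKey)
{
    $choices = $conf['fetchmail_mda_choices'];
    if (!is_string($submittedKey) || !array_key_exists($submittedKey, $choices)) {
        return null;
    }
    return $choices[$submittedKey];
}

/** Accept free-text extra options only when the admin has enabled them. */
function resolve_extra_options(array $conf, $submitted)
{
    if ($conf['fetchmail_extra_options'] !== 'YES') {
        return '';                       // locked: ignore whatever the form sent
    }
    // Even when enabled, refuse line breaks so the value stays on one line
    // of the generated .fetchmailrc.
    if (!is_string($submitted) || preg_match('/[\r\n]/', $submitted)) {
        return null;
    }
    return trim($submitted);
}

// Constructed form input: a configured key, a raw command, a multi-line value.
var_dump(resolve_mda($CONF, 'procmail'));
var_dump(resolve_mda($CONF, 'rm -rf /'));
var_dump(resolve_extra_options($CONF, "keep\nmda 'rm -rf /'"));
```

The form only ever submits a key; the command line itself lives in the configuration file, so a user of the web interface cannot introduce a command the administrator did not list.
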
From: Christian B. <pos...@cb...> - 2007-10-23 00:36:22
Hello,

as you might have seen, I have done some changes on fetchmail.php and
fetchmail.tpl tonight.

Status:
- all SQL queries use escape_string
- the layout now looks more postfixadmin-like :-) (separate editing
  page instead of "embedding" it in the list view)
- no more "undefined index" warnings (see below)
- known bug: adding a new entry is totally broken right now :-( -
  probably I applied too much quoting to the SQL query...
- ToDo: insert a domain dropdown to only display fetchmail setup of a
  specific domain
- ToDo: fetchmail.php and fetchmail.tpl contain lots of tabs which need
  to be converted to spaces. I'll do a separate commit just for these
  whitespace changes.

Note 1:
Feel free to use the safeget/safepost/safeserver functions at other
places too ;-)

    $var = safeget('var');

is easier to use than

    $var = "";
    if (isset($_GET['var'])) $var = $_GET['var'];

Optionally you can specify a default value which will be returned if the
$_GET variable is not set:

    $var = safeget('var', 'default');

Note 2:
$fm_struct in fetchmail.php is a really useful array once you understand
how to use it. We should consider to use similar arrays for the other
tables (something for after the 2.2 release).

Regards,

Christian Boltz
--
PS: Oh, by the way, you owe me a new tabletop... Why did I have to
open the SuSE folder this morning? [Helga Fischer in suse-linux]

From: David G. <da...@co...> - 2007-10-23 06:09:12
<snip>

> Note 1:
> Feel free to use the safeget/safepost/safeserver functions at other
> places too ;-)
>
> $var = safeget('var');
> is easier to use than
> $var = "";
> if (isset($_GET['var'])) $var = $_GET['var'];
>
> Optionally you can specify a default value which will be returned if the
> $_GET variable is not set:
> $var = safeget('var', 'default');

Its name (safeget) implies (to me) that it will return something
safe.... and probably doesn't need to have escape_string applied on it.
I know this isn't the case.

Would it be more useful to do something like Zend_Filter - namely
ensuring that a field matches a given type as well?

    function safeget($name, $type, $default = null)

or something; so you could ensure you had e.g. an int back?

>
> Note 2:
> $fm_struct in fetchmail.php is a really useful array once you understand
> how to use it. We should consider to use similar arrays for the other
> tables (something for after the 2.2 release).

Guess I'll have to read the code sometime then :)

(Sorry I've not done much lately, I'll pull my finger out one day soon)

Thanks
David.

--
David Goodwin
[ david at codepoets dot co dot uk ]
[ http://www.codepoets.co.uk ]

From: Christian B. <pos...@cb...> - 2007-10-23 12:08:34
Hello,

On Tuesday, 23 October 2007, David Goodwin wrote:
> > Note 1:
> > Feel free to use the safeget/safepost/safeserver functions at other
> > places too ;-)
[...]
> Its name (safeget) implies (to me) that it will return something
> safe.... and probably doesn't need to have escape_string applied on
> it. I know this isn't the case.

Hmm, I'm using these function names in some other projects and homepages
I'm involved in, and you are the first one who complains about the
name ;-)

"safeget" because you won't get any "undefined index" warnings and you
have a sane default as fallback. (We could also think about including
stripslashes if magic_quotes are on.)

Anyhow: If you know better names for these functions, just tell me ;-)

> Would it be more useful to do something like Zend_Filter - namely
> ensuring that a field matches a given type as well.
>
> function safeget($name, $type, $default = null)
> or something; so you could ensure you had e.g. an int back?

I usually do this using

    $var = (int) safeget('var');

Doing it inside safeget would make things more difficult - it would need
some if or case switching. And you never know which types you need and
will have to add another type every now and then. (I'm not even talking
about values that must validate against a regex etc.)

> > Note 2:
> > $fm_struct in fetchmail.php is a really useful array once you
> > understand how to use it. We should consider to use similar arrays
> > for the other tables (something for after the 2.2 release).
>
> Guess I'll have to read the code sometime then :)

Yes ;-)

Hint: read the comments around the array definition, and then read the
template file. Or simply play a bit with the values and reload the
fetchmail page in your browser...

> (Sorry I've not done much lately, I'll pull my finger out one day
> soon)

No problem. As long as nobody pays you, nobody can/will force you to do
lots of work ;-)

Regards,

Christian Boltz
--
> > Wow consensus in less than 24 hours....imagine if it always
> > worked that way....:-)
> Something smells fishy here ;-)
Do you have the solution(tm) for the "Kanzlerfrage"? :)
[>> Peter Flodin, > Andreas Jäger and Christoph Thiel in opensuse]
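
An added example, not part of the thread and not Postfixadmin code: a sketch of the typed variant discussed above, set beside the plain `(int)` cast. `typed_get()`, its type names and the domain pattern are hypothetical; the array `$get` is constructed input standing in for `$_GET`.

```php
<?php
// Added example; typed_get() is a hypothetical helper, not a Postfixadmin function.
function typed_get(array $source, $name, $type, $default = null)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return $default;               // missing, or an array such as ?id[]=1
    }
    $raw = $source[$name];
    switch ($type) {
        case 'int':
            // Validates the whole string; 0 is a valid result, so test for false.
            $value = filter_var($raw, FILTER_VALIDATE_INT);
            return ($value === false) ? $default : $value;
        case 'domain':
            // Constructed pattern for illustration: dot-separated letter/digit/hyphen labels.
            return preg_match('/^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i', $raw)
                ? strtolower($raw)
                : $default;
        case 'string':
            return $raw;               // unvalidated: still needs escaping for SQL and HTML
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }
}

// Constructed request data standing in for $_GET.
$get = [
    'id'     => '12abc',
    'page'   => '3',
    'domain' => "example.com' OR '1'='1",
];

var_dump((int) $get['id']);                       // cast keeps the leading digits
var_dump(typed_get($get, 'id', 'int', 0));        // validator rejects the whole value
var_dump(typed_get($get, 'page', 'int', 1));
var_dump(typed_get($get, 'domain', 'domain'));    // quote characters fail the pattern
var_dump(typed_get($get, 'missing', 'int', 1));   // default, no "undefined index" notice
```

A value returned for the `'string'` type has only been checked for presence, so it still has to pass through escape_string before it is placed in a query.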