Univention Bugzilla – Bug 44922
Add logging to mailinglist/groups listfilter
Last modified: 2018-02-14 13:31:38 CET
It is difficult to debug problems with listfilter.py because nothing gets logged. Logging should be optional (UCRV) and go to the mail facility.
The listfilter policy service can now write debugging information to the mail log, when the UCR variable mail/postfix/policy/listfilter/debug is set to "yes". code: 877544176258f4f8836f588d183ac368bd97fd45 advisory: 158a6c0c8d85f110e96d9acdbec26f2543101927 Package: univention-mail-postfix Version: 11.0.1-16A~4.2.0.201709111427 Branch: ucs_4.2-0 Scope: errata4.2-2
Cannot test this. listfilter seems to be broken on my OX system: root@master50:/etc/postfix# ucr search mail/postfix/policy/listfilter mail/postfix/policy/listfilter/debug: yes mail/postfix/policy/listfilter/maxproc: <empty> mail/postfix/policy/listfilter/use_sasl_username: yes mail/postfix/policy/listfilter: yes User uid=foobar uses foobar@nstx.local as mailPrimaryAddress: swaks -s 10.200.18.50 -t grp1@nstx.local -tlsc -p 465 \ -au foobar@nstx.local -ap univention → Aug 12 14:52:26 master50 postfix/smtpd[9392]: connect from unknown[10.205.2.20] Aug 12 14:52:26 master50 listfilter[9398]: listfilter: sender='foobar@nstx.local' recipient='grp1@nstx.local' check_sasl_username=True Aug 12 14:52:26 master50 listfilter[9398]: listfilter: attrib={'reverse_client_name': 'unknown', 'queue_id': '', 'ccert_subject': '', 'sasl_sender': '', 'protocol_state': 'RCPT', 'encryption_protocol': 'TLSv1.2', 'ccert_issuer': '', 'client_address': '10.205.2.20', 'size': '0', 'protocol_name': 'ESMTP', 'client_name': 'unknown', 'helo_name': 'dave.knut.univention.de', 'etrn_domain': '', 'instance': '24b0.598efa0a.9ce4c.0', 'encryption_keysize': '256', 'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384', 'ccert_fingerprint': '', 'recipient_count': '0', 'ccert_pubkey_fingerprint': '', 'sasl_method': 'LOGIN', 'recipient': 'grp1@nstx.local', 'sasl_username': 'foobar@nstx.local', 'stress': '', 'sender': 'sschwardt@dave.knut.univention.de', 'request': 'smtpd_access_policy'} Aug 12 14:52:26 master50 listfilter[9398]: listfilter: allowed_user_dns=['uid=foobar,cn=users,dc=nstx,dc=local', 'uid=oxuser100,cn=users,dc=nstx,dc=local'] allowed_group_dns=[] Aug 12 14:52:26 master50 listfilter[9398]: listfilter: action=REJECT Access denied for foobar@nstx.local to restricted list grp1@nstx.local Aug 12 14:52:26 master50 postfix/smtpd[9392]: NOQUEUE: reject: RCPT from unknown[10.205.2.20]: 554 5.7.1 <grp1@nstx.local>: Recipient address rejected: Access denied for foobar@nstx.local to restricted list grp1@nstx.local; from=<sschwardt@dave.knut.univention.de> to=<grp1@nstx.local> proto=ESMTP helo=<dave.knut.univention.de> Aug 12 14:52:26 master50 postfix/smtpd[9392]: disconnect from unknown[10.205.2.20]
Can you please verify that the same test succeeds with the previous listfilter.py version?
(In reply to Sönke Schwardt-Krummrich from comment #2) > Cannot test this. listfilter seems to be broken on my OX system: Fails because of Bug #45422.
Successfully verified: # ucr set mail/postfix/policy/listfilter/debug=yes mail/postfix/policy/listfilter/use_sasl_username=yes mail/postfix/policy/listfilter=yes # service postfix restart 2 Users have been created: uid=user1 mailPrimaryAddress=user1mail@nstx.local uid=user2 mailPrimaryAddress=user2mail@nstx.local Both users are member of the group "grp1" with mail address grp1@nstx.local, but only "user1" has permission to send to the group. The following command created the following output in mail.log: # swaks -s 10.200.18.41 -t grp1@nstx.local -tlsc -p 465 -au user2mail@nstx.local -ap univention Jan 26 17:07:23 master41 postfix/smtpd[19886]: connect from unknown[10.205.2.20] Jan 26 17:07:23 master41 listfilter[19897]: listfilter: sender='user2' recipient='grp1@nstx.local' check_sasl_username=True Jan 26 17:07:23 master41 listfilter[19897]: listfilter: attrib={'reverse_client_name': 'unknown', 'queue_id': '', 'ccert_subject': '', 'sasl_sender': '', 'protocol_state': 'RCPT', 'encryption_protocol': 'TLSv1.2', 'ccert_issuer': '', 'client_address': '10.205.2.20', 'size': '0', 'protocol_name': 'ESMTP', 'client_name': 'unknown', 'helo_name': 'dave.knut.univention.de', 'etrn_domain': '', 'instance': '4dae.5a6b523b.a7c6d.0', 'encryption_keysize': '256', 'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384', 'ccert_fingerprint': '', 'recipient_count': '0', 'ccert_pubkey_fingerprint': '', 'sasl_method': 'LOGIN', 'recipient': 'grp1@nstx.local', 'sasl_username': 'user2', 'stress': '', 'sender': 'sschwardt@dave.knut.univention.de', 'request': 'smtpd_access_policy'} Jan 26 17:07:23 master41 listfilter[19897]: listfilter: allowed_user_dns=['uid=user1,cn=users,dc=nstx,dc=local'] allowed_group_dns=[] Jan 26 17:07:23 master41 listfilter[19897]: listfilter: user_dn='uid=user2,cn=users,dc=nstx,dc=local' Jan 26 17:07:23 master41 listfilter[19897]: listfilter: action=REJECT Access denied for user2 to restricted list grp1@nstx.local Jan 26 17:07:23 master41 postfix/smtpd[19886]: NOQUEUE: reject: RCPT from unknown[10.205.2.20]: 554 5.7.1 <grp1@nstx.local>: Recipient address rejected: Access denied for user2 to restricted list grp1@nstx.local; from=<sschwardt@dave.knut.univention.de> to=<grp1@nstx.local> proto=ESMTP helo=<dave.knut.univention.de> Jan 26 17:07:23 master41 postfix/smtpd[19886]: disconnect from unknown[10.205.2.20] # swaks -s 10.200.18.41 -t grp1@nstx.local -tlsc -p 465 -au user1mail@nstx.local -ap univention Jan 26 17:07:41 master41 postfix/smtpd[19886]: connect from unknown[10.205.2.20] Jan 26 17:07:41 master41 listfilter[19897]: listfilter: sender='user1' recipient='grp1@nstx.local' check_sasl_username=True Jan 26 17:07:41 master41 listfilter[19897]: listfilter: attrib={'reverse_client_name': 'unknown', 'queue_id': '', 'ccert_subject': '', 'sasl_sender': '', 'protocol_state': 'RCPT', 'encryption_protocol': 'TLSv1.2', 'ccert_issuer': '', 'client_address': '10.205.2.20', 'size': '0', 'protocol_name': 'ESMTP', 'client_name': 'unknown', 'helo_name': 'dave.knut.univention.de', 'etrn_domain': '', 'instance': '4dae.5a6b524d.49a10.0', 'encryption_keysize': '256', 'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384', 'ccert_fingerprint': '', 'recipient_count': '0', 'ccert_pubkey_fingerprint': '', 'sasl_method': 'LOGIN', 'recipient': 'grp1@nstx.local', 'sasl_username': 'user1', 'stress': '', 'sender': 'sschwardt@dave.knut.univention.de', 'request': 'smtpd_access_policy'} Jan 26 17:07:41 master41 listfilter[19897]: listfilter: allowed_user_dns=['uid=user1,cn=users,dc=nstx,dc=local'] allowed_group_dns=[] Jan 26 17:07:41 master41 listfilter[19897]: listfilter: user_dn='uid=user1,cn=users,dc=nstx,dc=local' Jan 26 17:07:41 master41 listfilter[19897]: listfilter: action=DUNNO allowed per user dn Jan 26 17:07:41 master41 postfix/smtpd[19886]: 56554FFDAD: client=unknown[10.205.2.20], sasl_method=LOGIN, sasl_username=user1 Jan 26 17:07:41 master41 postfix/cleanup[19898]: 56554FFDAD: message-id=<20180126170746.014388@dave.knut.univention.de> Jan 26 17:07:41 master41 postfix/qmgr[19625]: 56554FFDAD: from=<sschwardt@dave.knut.univention.de>, size=484, nrcpt=2 (queue active) Jan 26 17:07:41 master41 postfix/smtpd[19886]: disconnect from unknown[10.205.2.20] Jan 26 17:07:41 master41 postfix/smtpd[19902]: connect from localhost[127.0.0.1] Jan 26 17:07:41 master41 postfix/smtpd[19902]: 9DB89FFDB6: client=localhost[127.0.0.1], orig_queue_id=56554FFDAD, orig_client=unknown[10.205.2.20] Jan 26 17:07:41 master41 postfix/cleanup[19898]: 9DB89FFDB6: message-id=<20180126170746.014388@dave.knut.univention.de> Jan 26 17:07:41 master41 postfix/qmgr[19625]: 9DB89FFDB6: from=<sschwardt@dave.knut.univention.de>, size=1069, nrcpt=2 (queue active) Jan 26 17:07:41 master41 amavis[16171]: (16171-01) Passed CLEAN {RelayedInternal}, LOCAL [10.205.2.20]:58718 <sschwardt@dave.knut.univention.de> -> <user1mail@nstx.local>,<user2mail@nstx.local>, Queue-ID: 56554FFDAD, Message-ID: <20180126170746.014388@dave.knut.univention.de>, mail_id: MOnFry3lZpC6, Hits: -1, size: 484, queued_as: 9DB89FFDB6, 265 ms Jan 26 17:07:41 master41 postfix/smtp[19899]: 56554FFDAD: to=<user1mail@nstx.local>, orig_to=<grp1@nstx.local>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.37, delays=0.08/0.01/0.03/0.25, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9DB89FFDB6) Jan 26 17:07:41 master41 postfix/smtp[19899]: 56554FFDAD: to=<user2mail@nstx.local>, orig_to=<grp1@nstx.local>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.37, delays=0.08/0.01/0.03/0.25, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9DB89FFDB6) Jan 26 17:07:41 master41 postfix/qmgr[19625]: 56554FFDAD: removed Jan 26 17:07:41 master41 postfix/lmtp[19903]: 9DB89FFDB6: to=<user1mail@nstx.local>, relay=master41.nstx.local[private/dovecot-lmtp], delay=0.06, delays=0.02/0.02/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <user1mail@nstx.local> Dl1yKE1Sa1rATQAAr8fBQQ Saved) Jan 26 17:07:41 master41 postfix/lmtp[19903]: 9DB89FFDB6: to=<user2mail@nstx.local>, relay=master41.nstx.local[private/dovecot-lmtp], delay=0.07, delays=0.02/0.02/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 <user2mail@nstx.local> Dl1yKE1Sa1rATQAAr8fBQQ Saved) Jan 26 17:07:41 master41 postfix/qmgr[19625]: 9DB89FFDB6: removed CLI logging is working but I found bug 46176. Advisory is ok; code is identical with 4.2-2 and 4.3-0. No manual modification required. No special ucs-test required.
<http://errata.software-univention.de/ucs/4.2/288.html>