Bug 45422 - (4.2) postfix listfilter.py fails for email addresses as sasl_username
(4.2) postfix listfilter.py fails for email addresses as sasl_username
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.2-3-errata
Assigned To: Sönke Schwardt-Krummrich
Daniel Tröder
:
Depends on: 41055
Blocks:
  Show dependency treegraph
 
Reported: 2017-09-20 11:56 CEST by Sönke Schwardt-Krummrich
Modified: 2018-02-14 13:31 CET (History)
8 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2017060721000558
Bug group (optional): External feedback
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sönke Schwardt-Krummrich univentionstaff 2017-09-20 11:56:13 CEST
We were finally able to reproduce the original bug. It looks like cyrus saslauthd always returns the mail address (provided during auth) back to postfix. Whereas dovecot's saslauthd returns the username from the PAM stack. Since the PAM stack modifies the username from mail address to username, saslauthd returns a username to postfix (and therefore to listfilter.py, too).

Since usernames may not contain "@" and mail addresses are not valid without "@", we should alter the LDAP filter in listfilter.py accordingly. The following snippet uses the LDAP filter from users/user.py instead of the extremely unspecific "objectclass=posixAccount":

import univention.admin.modules
univention.admin.modules.update()
usersmod = univention.admin.modules.get("users/user")
subfilter = filter_format('(|(uid=%s)(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))', (sender, sender, sender, sender))
print str(usersmod.lookup_filter(filter_s=subfilter)

(&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=univentionMail)(objectClass=sambaSamAccount)(objectClass=simpleSecurityObject)(&(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)))(!(uidNumber=0))(!(uid=*$))(!(univentionObjectFlag=functional))(|(uid=user@example.com)(mailPrimaryAddress=user@example.com)(mailAlternativeAddress=user@example.com)(mail=user@example.com)))



+++ This bug was initially created as a clone of Bug #41055 +++

+++ This bug was initially created as a clone of Bug #29615 +++

With UCS 4.1 we made it the default in the documentation and since 4.0 we support in pam/smtp: using both UNIX username and mailPrimaryAddress as login for SMTP-AUTH.

But the implementation of mail/postfix/policy/listfilter/use_sasl_username in Bug #29615 does only support UNIX usernames. Attempts to send to a restricted list with an account on the allowed-list, when logging in with the email address results in:

Recipient address rejected: Access denied for <mailPrimaryAddress> to restricted list <group mail address>
Comment 1 Daniel Tröder univentionstaff 2017-09-22 08:16:51 CEST
Nice.

The 'mail' attribute should not be used in the filter though, as it is just the "contact" address.
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2017-09-22 20:35:56 CEST
(In reply to Daniel Tröder from comment #1)
> Nice.
> 
> The 'mail' attribute should not be used in the filter though, as it is just
> the "contact" address.

IIRC this is/was a undocumented feature. It's possible to select users without mailPrimaryAddress but with mail attribute. This way users with external mail addresses ("contact addresses") were be also allowed to send mail to the mailing list.

I'm still unsure if we break a current use case if "mail" is removed.
Comment 3 Daniel Tröder univentionstaff 2017-09-25 08:24:19 CEST
(In reply to Sönke Schwardt-Krummrich from comment #2)
> (In reply to Daniel Tröder from comment #1)
> > Nice.
> > 
> > The 'mail' attribute should not be used in the filter though, as it is just
> > the "contact" address.
> 
> IIRC this is/was a undocumented feature. It's possible to select users
> without mailPrimaryAddress but with mail attribute. This way users with
> external mail addresses ("contact addresses") were be also allowed to send
> mail to the mailing list.
> 
> I'm still unsure if we break a current use case if "mail" is removed.
That makes sense: it mimics the mailman feature of allowing additional addresses to send to a restricted mailing list.
Comment 4 Daniel Tröder univentionstaff 2017-10-17 12:11:44 CEST
$ ucr get mail/cyrus
yes
$ ucr get mail/dovecot
→ nothing

$ ucr set mail/postfix/policy/listfilter/debug=yes mail/postfix/policy/listfilter/use_sasl_username=yes mail/postfix/policy/listfilter=yes
$ systemctl restart postfix.service 

# check basics
$ /usr/share/ucs-test/40_mail/00delivery01group -f && /usr/share/ucs-test/40_mail/23_mail_to_ldap_group -f && /usr/share/ucs-test/40_mail/35_mail_to_nested_groups -f && /usr/share/ucs-test/40_mail/37_sender_restrictions_for_groups -f

$ eval $(ucr shell)
$ udm groups/group create --position cn=groups,$ldap_base --set name=testgr01 --set mailAddress=testgr1m@uni.dtr 

# from host not in mail/postfix/mynetworks:
$ swaks --from test@example.com --to user01m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01m@uni.dtr --ap univention
$ swaks --from test@example.com --to user01m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01 --ap univention
# on server:
$ ls /var/spool/cyrus/mail/domain/u/uni.dtr/u/user/user01m/

# from host not in mail/postfix/mynetworks:
$ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user02m@uni.dtr --ap univention

Oct 17 11:32:22 m10 listfilter[23321]: listfilter: sender='user02m@uni.dtr' recipient='testgr1m@uni.dtr' check_sasl_username=True
Oct 17 11:32:22 m10 listfilter[23321]: listfilter: attrib={'reverse_client_name': 'unknown', 'queue_id': '', 'ccert_subject': '', 'sasl_send
er': '', 'protocol_state': 'RCPT', 'encryption_protocol': 'TLSv1.2', 'ccert_issuer': '', 'client_address': '10.205.1.18', 'size': '0', 'protocol_name': 'ESMTP', 'client_name': 'unknown', 'helo_name': 'sommar', 'etrn_domain': '', 'instance': '5b14.59e5ce25.e66db.0', 'encryption_keysize': '256', 'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384', 'ccert_fingerprint': '', 'recipient_count': '0', 'ccert_pubkey_fingerprint': '', 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user02m@uni.dtr', 'stress': '', 'sender': 'test@example.com', 'request': 'smtpd_access_policy'}
Oct 17 11:32:22 m10 listfilter[23321]: listfilter: action=DUNNO no restrictions
Oct 17 11:32:22 m10 postfix/smtpd[23316]: 1A09C44FB3: client=unknown[10.205.1.18], sasl_method=LOGIN, sasl_username=user02m@uni.dtr

→→→→ allowed (user02, no restrictions: allowedEmailUsers and allowedEmailGroups empty)

$ udm groups/group modify --dn cn=testgr01,cn=groups,dc=uni,dc=dtr --append allowedEmailUsers=uid=user01,cn=users,dc=uni,dc=dtr

$ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user02m@uni.dtr --ap univention

→ <~* 554 5.7.1 <testgr1m@uni.dtr>: Recipient address rejected: Access denied for user02m@uni.dtr to restricted list testgr1m@uni.dtr
Oct 17 11:31:33 m10 listfilter[23321]: listfilter: sender='user02m@uni.dtr' recipient='testgr1m@uni.dtr' check_sasl_username=True
Oct 17 11:31:33 m10 listfilter[23321]: listfilter: attrib={'reverse_client_name': 'unknown', 'queue_id': '', 'ccert_subject': '', 'sasl_send
er': '', 'protocol_state': 'RCPT', 'encryption_protocol': 'TLSv1.2', 'ccert_issuer': '', 'client_address': '10.205.1.18', 'size': '0', 'prot
ocol_name': 'ESMTP', 'client_name': 'unknown', 'helo_name': 'sommar', 'etrn_domain': '', 'instance': '5b14.59e5cdf5.8e2fc.0', 'encryption_ke
ysize': '256', 'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384', 'ccert_fingerprint': '', 'recipient_count': '0', 'ccert_pubkey_fingerprin
t': '', 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user02m@uni.dtr', 'stress': '', 'sender': 'test@example.c
om', 'request': 'smtpd_access_policy'}
Oct 17 11:31:33 m10 listfilter[23321]: listfilter: allowed_user_dns=['uid=user01,cn=users,dc=uni,dc=dtr'] allowed_group_dns=[]
Oct 17 11:31:33 m10 listfilter[23321]: listfilter: user_dn='uid=user02,cn=users,dc=uni,dc=dtr'
Oct 17 11:31:33 m10 listfilter[23321]: listfilter: action=REJECT Access denied for user02m@uni.dtr to restricted list testgr1m@uni.dtr

→→→→ not allowed (user02)

$ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01m@uni.dtr --ap univention
Oct 17 11:12:51 m10 listfilter[22688]: listfilter: sender='user01m@uni.dtr' recipient='testgr1m@uni.dtr' check_sasl_username=True
Oct 17 11:12:51 m10 listfilter[22688]: listfilter: attrib={..., 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user01m@uni.dtr', 'sender': 'test@example.com', ...}
Oct 17 11:12:51 m10 listfilter[22688]: listfilter: allowed_user_dns=['uid=user01,cn=users,dc=uni,dc=dtr'] allowed_group_dns=[]
Oct 17 11:12:51 m10 listfilter[22688]: listfilter: user_dn='uid=user01,cn=users,dc=uni,dc=dtr'
Oct 17 11:12:51 m10 listfilter[22688]: listfilter: action=DUNNO allowed per user dn
Oct 17 11:12:51 m10 postfix/smtpd[22685]: 60EDD400E4: client=unknown[10.205.1.18], sasl_method=LOGIN, sasl_username=user01m@uni.dtr

→→→→ allowed (with mPA: sasl_username=user01m@uni.dtr)

$ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01 --ap univention

Oct 17 11:13:26 m10 listfilter[22688]: listfilter: sender='user01' recipient='testgr1m@uni.dtr' check_sasl_username=True
Oct 17 11:13:26 m10 listfilter[22688]: listfilter: attrib={..., 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user01', 'sender': 'test@example.com', ...}
Oct 17 11:13:26 m10 listfilter[22688]: listfilter: allowed_user_dns=['uid=user01,cn=users,dc=uni,dc=dtr'] allowed_group_dns=[]
Oct 17 11:13:26 m10 listfilter[22688]: listfilter: user_dn='uid=user01,cn=users,dc=uni,dc=dtr'
Oct 17 11:13:26 m10 listfilter[22688]: listfilter: action=DUNNO allowed per user dn
Oct 17 11:13:26 m10 postfix/smtpd[22685]: BAE124010B: client=unknown[10.205.1.18], sasl_method=LOGIN, sasl_username=user01

→→→→ allowed (with uid: sasl_username=user01)
Comment 5 Daniel Tröder univentionstaff 2017-10-17 12:18:47 CEST
b49a0264: handle Cyrus SASL in listfilter.py
645146c4: advisory

univention-mail-postfix 11.0.1-18A~4.2.0.201710171216
Comment 6 Mathieu Simon 2017-11-29 16:28:05 CET
Hi

The target milestone says 4.2-3-errata, does that indicate it should have been released with 4.2-3 or can we expect 11.0.1-18A~4.2.0.201710171216 to be included with a later errata release?

(I've skimmed through the 4.2-3 repositories but couldn't yet find this version.

Best regards
Mathieu
Comment 7 Florian Best univentionstaff 2017-11-29 16:37:49 CET
(In reply to Mathieu Simon from comment #6)
> Hi
> 
> The target milestone says 4.2-3-errata, does that indicate it should have
> been released with 4.2-3 or can we expect 11.0.1-18A~4.2.0.201710171216 to
> be included with a later errata release?
> 
> (I've skimmed through the 4.2-3 repositories but couldn't yet find this
> version.
> 
> Best regards
> Mathieu

Hello Mathieu,

the fix is not included in the UCS 4.2-3 release. We are releasing it as an erratum upgrade for UCS 4.2-3 and most likely also for UCS 4.2-3. The target milestone has just been adjusted because of the release of UCS 4.2-3 yesterday.
Comment 8 Sönke Schwardt-Krummrich univentionstaff 2018-01-26 17:44:34 CET
Is there a reason to use the static LDAP filter for user accounts instead of using the UDM library to determine the currently correct one (as mentioned within the original bug description)?

import univention.admin.modules
univention.admin.modules.update()
usersmod = univention.admin.modules.get("users/user")
subfilter = filter_format('(|(uid=%s)(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))', (sender, sender, sender, sender))
print str(usersmod.lookup_filter(filter_s=subfilter)
Comment 9 Daniel Tröder univentionstaff 2018-01-29 10:28:56 CET
[4.2-3 775830776a9] Bug #45422: use UDM users/user filter
[4.2-3 c8fb3f44762] Bug #45422: try possible result before next LDAP query
[4.2-3 12e897585a1] Bug #45422: changelog
[4.2-3 cd5793bbc2e] Bug #45422: advisory update
[4.2-3 ffa288aebb2] Bug #45422: fix typo
[4.2-3 dbb3b266533] Bug #45422: advisory update

univention-mail-postfix 11.0.2-3A~4.2.0.201801291023

Commits were merged to 4.3-0 and built (12.0.0-10).
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2018-02-06 17:39:56 CET
(In reply to Daniel Tröder from comment #9)
> [4.2-3 775830776a9] Bug #45422: use UDM users/user filter
> [4.2-3 c8fb3f44762] Bug #45422: try possible result before next LDAP query
> [4.2-3 12e897585a1] Bug #45422: changelog
> [4.2-3 cd5793bbc2e] Bug #45422: advisory update
> [4.2-3 ffa288aebb2] Bug #45422: fix typo
> [4.2-3 dbb3b266533] Bug #45422: advisory update
> 
> univention-mail-postfix 11.0.2-3A~4.2.0.201801291023

OK: advisory (has been updated)
OK: code change
OK: functional test
OK: no ucs-test script required (due to UCS 4.3)
 
> Commits were merged to 4.3-0 and built (12.0.0-10).

OK: commits merged

→ in UCS 4.2-2, 4.2-3 and 4.3-0 is no dependency from univention-mail-postfix to 
  python-univention-directory-manager
→ added in 4.3-0, 4.2-3 and 4.2-2:

univention-mail-postfix (11.0.2-4)
22fd32c2d0ba | Bug #45422: add missing dependency

Package: univention-mail-postfix
Version: 11.0.2-4A~4.2.0.201802061735
Branch: ucs_4.2-0
Scope: errata4.2-3

univention-mail-postfix (12.0.0-11)
beb98a7a5358 | Bug #45422: add missing dependency

Package: univention-mail-postfix
Version: 12.0.0-11A~4.3.0.201802061738
Branch: ucs_4.3-0

→ waiting for jenkins results
Comment 11 Daniel Tröder univentionstaff 2018-02-13 09:53:45 CET
OK: add missing dependency
OK: merge to 4.3
OK: jenkins results for 40_mail/12_delivery_to_mailing_list and 40_mail/36_sender_restrictions_for_mailing_lists are stable in 4.2-3 and 4.3-0.
Comment 12 Arvid Requate univentionstaff 2018-02-14 13:31:40 CET
<http://errata.software-univention.de/ucs/4.2/288.html>