Univention Bugzilla – Bug 46176
listfilter.py does not respect use_sasl_username=yes/no
Last modified: 2021-06-30 18:34:00 CEST
listfilter.py does not respect use_sasl_username=yes/no. If the variable is set to yes, the check fails because attr["sender"] and attr["sasl_username"] are empty. This only affects the case where --test is used.

root@master41:~# ucr set mail/postfix/policy/listfilter/use_sasl_username=yes
Setting mail/postfix/policy/listfilter/use_sasl_username
Multifile: /etc/postfix/main.cf
File: /etc/listfilter.secret
Multifile: /etc/postfix/master.cf
root@master41:~# /usr/share/univention-mail-postfix/listfilter.py -t -s user1mail@nstx.local -r grp1@nstx.local -b dc=nstx,dc=local
listfilter: sender=None recipient='grp1@nstx.local' check_sasl_username=True
listfilter: attrib={'recipient': 'grp1@nstx.local', 'sender': 'user1mail@nstx.local'}
listfilter: allowed_user_dns=['uid=user1,cn=users,dc=nstx,dc=local'] allowed_group_dns=[]
action=REJECT Access denied for not authenticated sender to restricted list grp1@nstx.local

root@master41:~# ucr set mail/postfix/policy/listfilter/use_sasl_username=no
Setting mail/postfix/policy/listfilter/use_sasl_username
Multifile: /etc/postfix/main.cf
File: /etc/listfilter.secret
Multifile: /etc/postfix/master.cf
root@master41:~# /usr/share/univention-mail-postfix/listfilter.py -t -s user1mail@nstx.local -r grp1@nstx.local -b dc=nstx,dc=local
listfilter: sender='user1mail@nstx.local' recipient='grp1@nstx.local' check_sasl_username=False
listfilter: attrib={'recipient': 'grp1@nstx.local', 'sender': 'user1mail@nstx.local'}
listfilter: allowed_user_dns=['uid=user1,cn=users,dc=nstx,dc=local'] allowed_group_dns=[]
listfilter: user_dn='uid=user1,cn=users,dc=nstx,dc=local'
action=DUNNO allowed per user dn

--- a/mail/univention-mail-postfix/share/listfilter.py +++ b/mail/univention-mail-postfix/share/listfilter.py @@ -191,6 +191,7 @@ if options.test: parser.print_help() sys.exit(1) attr["sender"] = options.sender + attr["sasl_username"] = options.sender attr["recipient"] = options.recipient action = listfilter(attr) print("action={}\n".format(action))
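Review bot: The added line attr["sasl_username"] = options.sender reuses the -s mail address as the SASL login, which assumes the authenticated login name is identical to the sender address. In the output quoted above the allowed DN is uid=user1 while -s is user1mail@nstx.local, so the two values can differ and a lookup keyed on the login would test something other than what an authenticated submission sends. Consider a separate test option for the SASL username, or mapping the address to the login before this assignment, and state in the help text printed by parser.print_help() that -s fills both attributes in test mode.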
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Implemented fix on branch troehmey/bug46176_fix_listfilter_test with commit

3d6928f791 Bug #46176: fix listfilter test with use_sasl_username

Result with mail/postfix/policy/listfilter/use_sasl_username=yes is now:

root@m90:/src/ucs/mail# /usr/share/univention-mail-postfix/listfilter.py --test -s a@school.intranet -r users_demoschool@school.intranet -b dc=school,dc=intranet
listfilter: sender='adalbrand.br' recipient='users_demoschool@school.intranet' check_sasl_username=True
listfilter: attrib={'recipient': 'users_demoschool@school.intranet', 'sender': 'a@school.intranet', 'sasl_username': 'adalbrand.br'}
listfilter: allowed_user_dns=['uid=adalbrand.br,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=school,dc=intranet', 'uid=adalgard.bre,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=school,dc=intranet'] allowed_group_dns=[]
listfilter: user_dn='uid=adalbrand.br,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=school,dc=intranet'
action=DUNNO allowed per user dn
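Added example, not code from listfilter.py or from any comment in this report: a minimal Postfix policy-delegation decision showing why a request without sasl_username is rejected when use_sasl_username is enabled, and why the envelope sender alone is a weaker identity. The ALLOWED table, the function names, the second REJECT text and the sample requests are constructed assumptions; the real script resolves senders through LDAP.

```python
# Constructed stand-in for the LDAP lookup: restricted list -> allowed identities.
# Hypothetical data; listfilter.py itself resolves these via LDAP.
ALLOWED = {"grp1@nstx.local": {"user1", "user1mail@nstx.local"}}


def parse_policy_request(raw):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attr = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        name, sep, value = line.partition("=")
        if sep:
            attr[name.strip()] = value.strip()
    return attr


def decide(attr, use_sasl_username):
    """Return the policy action for one parsed request."""
    recipient = attr.get("recipient", "")
    allowed = ALLOWED.get(recipient)
    if allowed is None:
        return "DUNNO not a restricted list"
    # With use_sasl_username=yes only the authenticated login counts; the
    # envelope sender is supplied by the client and is ignored.
    sender = attr.get("sasl_username") if use_sasl_username else attr.get("sender")
    if not sender:
        return ("REJECT Access denied for not authenticated sender "
                "to restricted list " + recipient)
    if sender in allowed:
        return "DUNNO allowed per user dn"
    return "REJECT Access denied for " + sender + " to restricted list " + recipient


# Constructed requests (attribute names are Postfix policy delegation names).
HEAD = "request=smtpd_access_policy\nsender=user1mail@nstx.local\n"
TAIL = "recipient=grp1@nstx.local\n\n"
AUTHENTICATED = HEAD + "sasl_username=user1\n" + TAIL
TEST_MODE_BEFORE_FIX = HEAD + TAIL          # --test set no sasl_username
OTHER_LOGIN = HEAD + "sasl_username=user2\n" + TAIL  # login differs from sender

if __name__ == "__main__":
    for raw in (AUTHENTICATED, TEST_MODE_BEFORE_FIX, OTHER_LOGIN):
        attr = parse_policy_request(raw)
        for flag in (True, False):
            print("use_sasl_username=%s -> %s" % (flag, decide(attr, flag)))
```

The OTHER_LOGIN request is allowed when the envelope sender is trusted and rejected when the authenticated login is checked, which is the difference the UCR variable controls.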
QA: Some remarks, reopen.

Type hints are nice, use them in your code.

mail2username
-> Could not parse sasl_username from mail address
-> Could not parse sasl_username from mail address {} {}:.format(mail, exc)

code looks ok, needs rebase

UCS: 4.4-8 errata969
Installed: cups=2.2.1 mailserver=12.0

=== before fix ===
ucr set mail/postfix/policy/listfilter/use_sasl_username=yes
/usr/share/univention-mail-postfix/listfilter.py -t -s demo_student@wenzel-univention.intranet -r demogroup@wenzel.univention.intranet -b dc=dc-we,dc=intranet
listfilter: sender=None recipient='demogroup@wenzel.univention.intranet' check_sasl_username=True
...
action=REJECT Access denied for not authenticated sender to restricted list demogroup@wenzel.univention.intranet

ucr set mail/postfix/policy/listfilter/use_sasl_username=no
/usr/share/univention-mail-postfix/listfilter.py -t -s demo_student@wenzel-univention.intranet -r demogroup@wenzel.univention.intranet -b dc=dc-we,dc=intranet
listfilter: sender='demo_student@wenzel-univention.intranet' recipient='demogroup@wenzel.univention.intranet'
...
listfilter: user_dn='uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=dc-we,dc=intranet'
action=DUNNO allowed per user dn

=== after fix ===
listfilter: user_dn='uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=dc-we,dc=intranet'
action=DUNNO allowed per user dn

/usr/share/univention-mail-postfix/listfilter.py -t -s demo_student@wenzel-univention.intranet -r demogroup@wenzel.univention.intranet -b dc=dc-we,dc=intranet
listfilter: sender='demo_student@wenzel-univention.intranet' recipient='demogroup@wenzel.univention.intranet' check_sasl_username=False
...
action=DUNNO allowed per user dn

/usr/share/univention-mail-postfix/listfilter.py -t -s demo_student@wenzel-univention.intranet -r demogroup@wenzel.univention.intranet -b dc=dc-we,dc=intranet
listfilter: sender='demo_student' recipient='demogroup@wenzel.univention.intranet' check_sasl_username=True
...
action=DUNNO allowed per user dn
Applied suggestions from comment #3 and converted tabs to spaces with

d4777aeb37 Bug #46176: add tabs to spaces commit to .git-blame-ignore-revs
e9b8895254 Bug #46176: convert tabs to spaces
b4bf325c9b Bug #46176: add type hint
As communicated, I reverted those commits which changed the tabs to spaces with:

9baf10cc4c (HEAD -> troehmey/bug46176_fix_listfilter_test, origin/troehmey/bug46176_fix_listfilter_test) Revert "Bug #46176: convert tabs to spaces"

This revert also affects

d4777aeb37 Bug #46176: add tabs to spaces commit to .git-blame-ignore-revs
QA looks good please squash, build & merge + clone the bug for ucs5
Merged to 4.4-8 with

e208581c4d Bug #46176: added advisories
f2c854fe9e Bug #46176: added changelog entry
628e6a9e86 Bug #46176: Merge branch 'troehmey/bug46176_fix_listfilter_test' into 4.4-8
accfedf6c4 Bug #46176: fix listfilter test with use_sasl_username

Successful build:
Package: univention-mail-postfix
Version: 13.0.4-3A~4.4.0.202106221502
Branch: ucs_4.4-0
Scope: errata4.4-8

Cloned bug for UCS5: bug #53463
QA, all OK → verify

changelog → OK
yaml → OK
merge → OK
jenkins → mail tests pass
<https://errata.software-univention.de/#/?erratum=4.4x1001>