Bug 46176 - listfilter.py does not respect use_sasl_username=yes/no
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.4-8-errata
Assigned To: Toni Röhmeyer
Tobias Wenzel
Depends on:
Blocks: 53463
Reported: 2018-01-26 17:29 CET by Sönke Schwardt-Krummrich
Modified: 2021-06-30 18:34 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Sönke Schwardt-Krummrich univentionstaff 2018-01-26 17:29:41 CET
listfilter.py does not respect use_sasl_username=yes/no. If the variable is set to yes, the check fails because attr["sender"] and attr["sasl_username"] are empty. This only affects the case where --test is used.

root@master41:~# ucr set mail/postfix/policy/listfilter/use_sasl_username=yes
Setting mail/postfix/policy/listfilter/use_sasl_username
Multifile: /etc/postfix/main.cf
File: /etc/listfilter.secret
Multifile: /etc/postfix/master.cf
root@master41:~# /usr/share/univention-mail-postfix/listfilter.py -t -s user1mail@nstx.local -r grp1@nstx.local -b dc=nstx,dc=local
listfilter: sender=None recipient='grp1@nstx.local' check_sasl_username=True
listfilter: attrib={'recipient': 'grp1@nstx.local', 'sender': 'user1mail@nstx.local'}
listfilter: allowed_user_dns=['uid=user1,cn=users,dc=nstx,dc=local'] allowed_group_dns=[]
action=REJECT Access denied for not authenticated sender to restricted list grp1@nstx.local

root@master41:~# ucr set mail/postfix/policy/listfilter/use_sasl_username=no
Setting mail/postfix/policy/listfilter/use_sasl_username
Multifile: /etc/postfix/main.cf
File: /etc/listfilter.secret
Multifile: /etc/postfix/master.cf
root@master41:~# /usr/share/univention-mail-postfix/listfilter.py -t -s user1mail@nstx.local -r grp1@nstx.local -b dc=nstx,dc=local
listfilter: sender='user1mail@nstx.local' recipient='grp1@nstx.local' check_sasl_username=False
listfilter: attrib={'recipient': 'grp1@nstx.local', 'sender': 'user1mail@nstx.local'}
listfilter: allowed_user_dns=['uid=user1,cn=users,dc=nstx,dc=local'] allowed_group_dns=[]
listfilter: user_dn='uid=user1,cn=users,dc=nstx,dc=local'
action=DUNNO allowed per user dn

--- a/mail/univention-mail-postfix/share/listfilter.py
+++ b/mail/univention-mail-postfix/share/listfilter.py
@@ -191,6 +191,7 @@ if options.test:
 		parser.print_help()
 		sys.exit(1)
 	attr["sender"] = options.sender
+	attr["sasl_username"] = options.sender
 	attr["recipient"] = options.recipient
 	action = listfilter(attr)
 	print("action={}\n".format(action))
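Review bot: the added line attr["sasl_username"] = options.sender copies the value of -s, which in the runs above is a mail address (user1mail@nstx.local), into the attribute that is meant to carry the authenticated login name. If listfilter() looks sasl_username up as an account name rather than as a mail address, --test with use_sasl_username=yes will still not reproduce the decision made for a live request. Consider resolving the address to the account name before assigning it, or adding a separate option for the SASL user name so both attributes can be tested independently, and state in the text shown by parser.print_help() how -s is interpreted in each mode.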
Comment 1 Ingo Steuwer univentionstaff 2020-07-03 20:51:52 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 2 Toni Röhmeyer univentionstaff 2021-04-29 10:35:15 CEST
Implemented fix on branch troehmey/bug46176_fix_listfilter_test with commit

3d6928f791 Bug #46176: fix listfilter test with use_sasl_username


Result with mail/postfix/policy/listfilter/use_sasl_username=yes is now:

root@m90:/src/ucs/mail# /usr/share/univention-mail-postfix/listfilter.py --test -s a@school.intranet -r users_demoschool@school.intranet -b dc=school,dc=intranet
listfilter: sender='adalbrand.br' recipient='users_demoschool@school.intranet' check_sasl_username=True
listfilter: attrib={'recipient': 'users_demoschool@school.intranet', 'sender': 'a@school.intranet', 'sasl_username': 'adalbrand.br'}
listfilter: allowed_user_dns=['uid=adalbrand.br,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=school,dc=intranet', 'uid=adalgard.bre,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=school,dc=intranet'] allowed_group_dns=[]
listfilter: user_dn='uid=adalbrand.br,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=school,dc=intranet'
action=DUNNO allowed per user dn
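
The failure mode discussed in this report, as an added example (a simplified model, not Univention's listfilter.py and not part of any comment above): a Postfix policy request is parsed into attributes, and the identity to check is taken from sasl_username or sender depending on the setting. The function names, the ALLOWED set standing in for the LDAP lookup, the second REJECT wording and the sample requests are constructed for illustration.

```python
# Simplified model of the check; not Univention's listfilter.py.
# Names, ALLOWED and the sample requests are constructed for illustration.

ALLOWED = {"user1", "user1mail@nstx.local"}  # stands in for the LDAP ACL lookup

# Constructed Postfix policy delegation requests: name=value lines, blank line ends.
LIVE_REQUEST = (
    "request=smtpd_access_policy\n"
    "sender=user1mail@nstx.local\n"
    "recipient=grp1@nstx.local\n"
    "sasl_username=user1\n"
    "\n"
)
# Same envelope sender, but the client did not authenticate.
UNAUTH_REQUEST = LIVE_REQUEST.replace("sasl_username=user1", "sasl_username=")

# What --test built before and after the fix (after: sasl_username is filled in).
TEST_ATTR_BEFORE = {"sender": "user1mail@nstx.local", "recipient": "grp1@nstx.local"}
TEST_ATTR_AFTER = dict(TEST_ATTR_BEFORE, sasl_username="user1")


def parse_policy_request(text):
    """Collect attributes up to the blank line that terminates a request."""
    attr = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attr[name] = value
    return attr


def decide(attr, use_sasl_username, allowed=ALLOWED):
    """Pick the identity per the setting, then apply the ACL."""
    key = "sasl_username" if use_sasl_username else "sender"
    identity = attr.get(key) or None  # missing and empty both mean "no identity"
    recipient = attr.get("recipient")
    if identity is None:
        return ("REJECT Access denied for not authenticated sender "
                "to restricted list {}".format(recipient))
    if identity in allowed:
        return "DUNNO allowed per user dn"
    # Constructed wording for the "known identity, not on the ACL" case.
    return "REJECT Access denied for {} to restricted list {}".format(identity, recipient)


if __name__ == "__main__":
    cases = [("live", parse_policy_request(LIVE_REQUEST)),
             ("unauth", parse_policy_request(UNAUTH_REQUEST)),
             ("--test before", TEST_ATTR_BEFORE), ("--test after", TEST_ATTR_AFTER)]
    for label, attr in cases:
        for flag in (True, False):
            print(label, flag, "action=" + decide(attr, flag))
```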
Comment 3 Tobias Wenzel univentionstaff 2021-05-21 11:20:54 CEST
QA: Some remarks, reopen.


Type hints are nice, use them in your code.

mail2username -> 
Could not parse sasl_username from mail address
-> Could not parse sasl_username from mail address {} {}:.format(mail, exc)

code looks ok, needs rebase


UCS: 4.4-8 errata969
Installed: cups=2.2.1 mailserver=12.0

=== before fix ===

ucr set mail/postfix/policy/listfilter/use_sasl_username=yes
/usr/share/univention-mail-postfix/listfilter.py -t -s demo_student@wenzel-univention.intranet -r demogroup@wenzel.univention.intranet -b dc=dc-we,dc=intranet
listfilter: sender=None recipient='demogroup@wenzel.univention.intranet' check_sasl_username=True
...
action=REJECT Access denied for not authenticated sender to restricted list demogroup@wenzel.univention.intranet


ucr set mail/postfix/policy/listfilter/use_sasl_username=no
/usr/share/univention-mail-postfix/listfilter.py -t -s demo_student@wenzel-univention.intranet -r demogroup@wenzel.univention.intranet -b dc=dc-we,dc=intranet
listfilter: sender='demo_student@wenzel-univention.intranet' recipient='demogroup@wenzel.univention.intranet' 
...
listfilter: user_dn='uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=dc-we,dc=intranet'
action=DUNNO allowed per user dn


=== after fix ===


listfilter: user_dn='uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,dc=dc-we,dc=intranet'
action=DUNNO allowed per user dn

/usr/share/univention-mail-postfix/listfilter.py -t -s demo_student@wenzel-univention.intranet -r demogroup@wenzel.univention.intranet -b dc=dc-we,dc=intranet
listfilter: sender='demo_student@wenzel-univention.intranet' recipient='demogroup@wenzel.univention.intranet' check_sasl_username=False
...
action=DUNNO allowed per user dn


/usr/share/univention-mail-postfix/listfilter.py -t -s demo_student@wenzel-univention.intranet -r demogroup@wenzel.univention.intranet -b dc=dc-we,dc=intranet
listfilter: sender='demo_student' recipient='demogroup@wenzel.univention.intranet' check_sasl_username=True
...
action=DUNNO allowed per user dn
Comment 4 Toni Röhmeyer univentionstaff 2021-06-11 11:33:35 CEST
Applied suggestions from comment #3 and converted tabs to spaces with

d4777aeb37 Bug #46176: add tabs to spaces commit to .git-blame-ignore-revs
e9b8895254 Bug #46176: convert tabs to spaces
b4bf325c9b Bug #46176: add type hint
Comment 5 Toni Röhmeyer univentionstaff 2021-06-21 13:35:03 CEST
As communicated, I reverted those commits which changed the tabs to spaces with:

9baf10cc4c (HEAD -> troehmey/bug46176_fix_listfilter_test, origin/troehmey/bug46176_fix_listfilter_test) Revert "Bug #46176: convert tabs to spaces"

This revert also affects 
d4777aeb37 Bug #46176: add tabs to spaces commit to .git-blame-ignore-revs
Comment 6 Tobias Wenzel univentionstaff 2021-06-22 09:05:18 CEST
QA

looks good 
please squash, build & merge + clone the bug for ucs5
Comment 7 Toni Röhmeyer univentionstaff 2021-06-22 15:14:00 CEST
Merged to 4.4-8 with 

e208581c4d Bug #46176: added advisories
f2c854fe9e Bug #46176: added changelog entry
628e6a9e86 Bug #46176: Merge branch 'troehmey/bug46176_fix_listfilter_test' into 4.4-8
accfedf6c4 Bug #46176: fix listfilter test with use_sasl_username


Successful build:

Package: univention-mail-postfix
Version: 13.0.4-3A~4.4.0.202106221502
Branch: ucs_4.4-0
Scope: errata4.4-8


Cloned bug for UCS5:
bug #53463
Comment 8 Tobias Wenzel univentionstaff 2021-06-24 08:48:24 CEST
QA, all OK → verify

changelog → OK
yaml → OK
merge → OK
jenkins → mail tests pass