Bug 51343 - Possibility to configure a bounce of deactivated users
Status: NEW
Product: UCS
Classification: Unclassified
Component: Mail
Version: UCS 4.4
OS: Other Linux
Priority: P5
Severity: normal
Assigned To: Mail maintainers
Reported: 2020-05-22 09:42 CEST by Dirk Schnick
Modified: 2020-11-20 10:50 CET (History)
What kind of report is it?: Feature Request
Enterprise Customer affected?: Yes
Ticket number: 2020052021001009
Description Dirk Schnick univentionstaff 2020-05-22 09:42:15 CEST
A customer asks for a configuration option for a check, when Postfix accepts mails, whether a user is deactivated. The customer wants to reject the mail in this case. It might be useful to keep the action configurable as well. Forwarding would be an alternative to a bounce for other customers.
From my point of view, the implementation of this feature request (https://forge.univention.org/bugzilla/show_bug.cgi?id=44359) is also a very good alternative in this context.
Comment 1 Felix Bartels (Kopano) 2020-08-12 07:48:31 CEST
A simple way to implement this would be by extending `smtpd_recipient_restrictions` with `check_recipient_access hash:/etc/postfix/denied_recipients` in `main.cf`.

This file could then have a structure as follows:

```
user@domain.com REJECT <optional message>
```
Comment 2 Daniel Tröder univentionstaff 2020-08-13 17:02:40 CEST
I tried this, and it worked:

------------------- /etc/postfix/main.cf -------------------
smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unlisted_recipient,
        check_recipient_access hash:/etc/postfix/denied_recipients,
        check_policy_service inet:127.0.0.1:12340
----------------------------------------------------------------------

------------------- /etc/postfix/denied_recipients ------
test007@uni.dtr REJECT The optional message to the user.
---------------------------------------------------------

$ postmap /etc/postfix/denied_recipients
$ service postfix restart

------------------- from my notebook -------------------
$ swaks --to testgr01@uni.dtr --server 10.200.3.11
=== Trying 10.200.3.11:25...
=== Connected to 10.200.3.11.
<-  220 m11.uni.dtr ESMTP Postfix
 -> EHLO sommar
<-  250-m11.uni.dtr
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250 DSN
 -> MAIL FROM:<dtroeder@sommar>
<-  250 2.1.0 Ok
 -> RCPT TO:<test007@uni.dtr>
<** 554 5.7.1 <test007@uni.dtr>: Recipient address rejected: The optional message to the user.
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.
--------------------------------------------------------

This does not work for group addresses where the user is part of the group.
Mails to the group's address still go through and the user receives the message in their inbox. But that's not the scope of this bug.


The good thing is that this doesn't produce a bounce, but a reject during the SMTP dialogue.
Comment 3 Daniel Tröder univentionstaff 2020-08-13 17:14:18 CEST
To reject all direct mails for a user, all its mailPrimaryAddress and mailAlternativeAddress(es) must be listed in the file.
Comment 4 Daniel Tröder univentionstaff 2020-09-17 16:40:09 CEST
When adding '(!(krb5KDCFlags=254))(!(shadowExpire=1))' to the "query_filter" in /etc/postfix/ldap.virtual_mailbox and /etc/postfix/ldap.virtual, Postfix will not accept emails for deactivated users in TO/CC anymore, as they are unknown:
-------------------------------------------------------------------------------
550 5.1.1 <user2m@uni.dtr>: Recipient address rejected: User unknown in virtual mailbox table
-------------------------------------------------------------------------------

It will still accept emails for groups containing those users, but when the group is resolved into individual emails, Postfix will reject the deactivated users as unknown and create a bounce email to the sender.

Unfortunately that email will reveal all members of the group:

(Content partially sanitized of private data; the complete message will be attached as a private attachment.)
----------------------------------------------------------------------
Subject: Delivery status notification, MTA-BLOCKED
From: amavisd-new <postmaster@m11.uni.dtr>
To: <sender>

Your message WAS SUCCESSFULLY RELAYED to:
  <user1m@uni.dtr>
  <user3m@uni.dtr>
  <user5m@uni.dtr>

The message WAS NOT relayed to:
  <user2m@uni.dtr>: [[127.0.0.1]:10025] said:
   550 5.1.1 id=14011-04 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 550 5.1.1 <user2m@uni.dtr>: Recipient address rejected: User unknown in virtual mailbox table
  <user4m@uni.dtr>: [[127.0.0.1]:10025] said:
   550 5.1.1 id=14011-04 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 550 5.1.1 <user4m@uni.dtr>: Recipient address rejected: User unknown in virtual mailbox table

This delivery report was generated by the program amavisd-new at host
m11.uni.dtr. Our internal reference code for your message is
14011-04/fmMEw3nUIaeu

Return-Path: <sender>
From: sender
Message-ID: <20200917163052.1805629@sommar>
Subject: test Thu, 17 Sep 2020 16:30:52 +0200
----
----
Attachment: dsn_status.dsn 
...

Diagnostic-Code: smtp; 550 5.1.1 <user2m@uni.dtr>: Recipient address rejected: User unknown in virtual mailbox table
Diagnostic-Code: smtp; 550 5.1.1 <user4m@uni.dtr>: Recipient address rejected: User unknown in virtual mailbox table
...
----------------------------------------------------------------------

So now the sender knows all 5 users of that group:
active: user1m@uni.dtr, user3m@uni.dtr and user5m@uni.dtr
deactivated: user2m@uni.dtr and user4m@uni.dtr

IMHO that is a severe privacy problem.
Comment 7 Daniel Tröder univentionstaff 2020-09-18 15:33:50 CEST
The message above was generated by Amavis. Its template can be edited (see /etc/amavis/en_US/template-dsn.txt).
Comment 8 Daniel Tröder univentionstaff 2020-09-18 15:45:44 CEST
To also catch users deactivated by an expiry date, the LDAP query would have to be adjusted each day. It would have to contain something like this:

(!(|(sambaKickoffTime<TODAY)(krb5ValidEnd<TODAY)(shadowExpire<TODAY)))
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2020-09-22 17:11:37 CEST
(In reply to Daniel Tröder from comment #8)
> To also catch users deactivated by an expiry date, the LDAP query would have
> to be adjusted each day. It would have to contain something like this:
> 
> (!(|(sambaKickoffTime<TODAY)(krb5ValidEnd<TODAY)(shadowExpire<TODAY)))

A simple solution could be a cron job that commits the Postfix config files with LDAP search filters each night shortly after midnight.
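The nightly regeneration of the query_filter discussed in comments 4, 8 and 9, as an added example that is not part of this bug report or of UCS: it builds the deactivation clauses with TODAY rendered in each attribute's own encoding and AND-s them into the query_filter of a Postfix LDAP map file. The encodings of sambaKickoffTime, krb5ValidEnd and shadowExpire and the sample map file contents are assumptions, not taken from the report.

```python
"""Nightly regeneration of the Postfix LDAP query_filter so that disabled and
expired UCS users become unknown recipients (comments 4, 8 and 9)."""
import re
from datetime import datetime, timezone

# Comment 4: accounts UCS has disabled (krb5KDCFlags=254) or expired (shadowExpire=1).
DISABLED_CLAUSE = "(!(krb5KDCFlags=254))(!(shadowExpire=1))"

# Clauses written by an earlier run, stripped first so re-running is idempotent.
_PREVIOUS = re.compile(re.escape(DISABLED_CLAUSE) + r"(\(!\(\|\(sambaKickoffTime<=\d+\)"
                       r"\(krb5ValidEnd<=\d+Z\)\(shadowExpire<=\d+\)\)\))?")

# Constructed sample; the real /etc/postfix/ldap.virtual_mailbox on UCS differs.
SAMPLE_MAP = """search_base = dc=uni,dc=dtr
query_filter = (|(mailPrimaryAddress=%s)(mailAlternativeAddress=%s))
result_attribute = mailPrimaryAddress
"""


def expiry_clause(now: datetime) -> str:
    """Comment 8's '(!(|(...<TODAY)))' with TODAY rendered per attribute.
    Assumed encodings: sambaKickoffTime = Unix seconds, krb5ValidEnd = LDAP
    GeneralizedTime (YYYYMMDDHHMMSSZ), shadowExpire = days since the epoch.
    LDAP filters have no '<', only '<=', and '<=' needs an ORDERING rule in
    the schema for each attribute, otherwise that term evaluates Undefined."""
    now = now.astimezone(timezone.utc)
    seconds = int(now.timestamp())
    return "(!(|(sambaKickoffTime<=%d)(krb5ValidEnd<=%s)(shadowExpire<=%d)))" % (
        seconds, now.strftime("%Y%m%d%H%M%SZ"), seconds // 86400)


def rewrite_query_filter(map_text: str, now: datetime) -> str:
    """AND the deactivation clauses into the map's query_filter line: splice
    into an existing '(&...)', otherwise wrap the filter in a new '(&...)'."""
    clauses = DISABLED_CLAUSE + expiry_clause(now)
    out = []
    for line in map_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "query_filter":
            value = _PREVIOUS.sub("", value.strip())
            if value.startswith("(&") and value.endswith(")"):
                value = value[:-1] + clauses + ")"
            else:
                value = "(&" + value + clauses + ")"
            line = "query_filter = " + value
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The cron job would rewrite the real map files and then run 'postfix reload'.
    print(rewrite_query_filter(SAMPLE_MAP, datetime.now(timezone.utc)), end="")
```

Because the filter only hides the mailbox, group expansion still produces the bounce described in comment 4; this script addresses direct recipients only.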
Comment 10 Daniel Tröder univentionstaff 2020-09-23 09:19:21 CEST
Not tested yet: if Amavis is disabled, IMHO Postfix will expand the mailing list/group addresses directly during the SMTP dialogue. It should accept the email and respond with the addresses that were rejected. The sender's email server would then create a bounce message for the sender with those.
It is also possible that the expansion takes place after accepting the mail. Then the UCS Postfix would create the bounce message when requeuing the expanded addresses.
This scenario must be tested.
Comment 11 Benjamin Fels univentionstaff 2020-11-20 10:50:45 CET
Requested by a customer