Univention Bugzilla – Full Text Bug Listing |
Summary: | postfix listfilter.py fails for email addresses as sasl_username | ||
---|---|---|---|
Product: | UCS | Reporter: | Daniel Tröder <troeder> |
Component: | Assignee: | Daniel Tröder <troeder> | |
Status: | CLOSED FIXED | QA Contact: | Sönke Schwardt-Krummrich <schwardt> |
Severity: | normal | ||
Priority: | P5 | CC: | best, birkefeld, botner, gohmann, mathieu.simon, olivier.magloire, scheinig, schwardt, stoeckigt, walkenhorst |
Version: | UCS 4.1 | Flags: | troeder: Patch_Available+ |
Target Milestone: | UCS 4.1-4-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=42804 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 3: Simply Wrong: The implementation doesn't match the docu |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.069 | Enterprise Customer affected?: | |
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2017103021000443 | Bug group (optional): | External feedback |
Max CVSS v3 score: | |||
Bug Depends on: | 29615 | ||
Bug Blocks: | 44760, 45422 | ||
Attachments: | allow to filter with sasl_username=email@address |
Description
Daniel Tröder
2016-04-14 16:10:03 CEST
Created attachment 7593
allow to filter with sasl_username=email@address
What's the status of this bug? The patch has been released half a year ago.

We should implement a variant of the attached patch (filter_format should be used to escape the values correctly).

r74354: code change
r74358: advisory

r75453: Remove UCS 4.1-3 from YAML file since UCS 4.1-3 is no longer in maintenance (Bug #41055)

Maybe I have overlooked something, but it seems to me that this patch is not required at all. The PAM stack always converts the given username from mailPrimaryAddress to UID. This is confirmed by some debug code I added to listfilter.py. The following values are passed to listfilter.py:

    'reverse_client_name': 'master.nstx.local',
    'queue_id': '',
    'ccert_subject': '',
    'sasl_sender': '',
    'protocol_state': 'RCPT',
    'encryption_protocol': 'TLSv1.2',
    'ccert_issuer': '',
    'client_address': '10.200.18.180',
    'size': '0',
    'protocol_name': 'ESMTP',
    'client_name': 'master.nstx.local',
    'helo_name': 'master.nstx.local',
    'etrn_domain': '',
    'instance': '4ca7.58751211.39ced.0',
    'encryption_keysize': '256',
    'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384',
    'ccert_fingerprint': '',
    'recipient_count': '0',
    'ccert_pubkey_fingerprint': '',
    'sasl_method': 'LOGIN',
    'recipient': 'mylist1@nstx.local',
    'sasl_username': 'user2',
    'stress': '',
    'sender': 'user1@nstx.local',
    'request': 'smtpd_access_policy'

    # udm users/user list | egrep 'uid|mail'
    DN: uid=user1,cn=users,dc=nstx,dc=local
    uid: user1
    e-mail: mail1@nstx.local
    mailPrimaryAddress: mail1@nstx.local
    […]
    DN: uid=user2,cn=users,dc=nstx,dc=local
    uid: user2
    e-mail: mail2@nstx.local
    mailPrimaryAddress: mail2@nstx.local
    […]

    # udm mail/lists list
    DN: cn=mylistA,cn=mailinglists,cn=mail,dc=nstx,dc=local
    ARG: None
    name: mylistA
    allowedEmailUsers: uid=user2,cn=users,dc=nstx,dc=local
    allowedEmailUsers: uid=user4,cn=users,dc=nstx,dc=local
    members: userA@gmx.de
    members: userB@gmx.de
    mailAddress: mylist1@nstx.local
    description: None

    # ucr search --brief /listfilter
    mail/postfix/policy/listfilter/maxproc: <empty>
    mail/postfix/policy/listfilter/use_sasl_username: yes
    mail/postfix/policy/listfilter: yes

Mails have been sent via:

    swaks -server master.nstx.local -a -tls -p 587 --to mylist1@nstx.local \
      --from user1@nstx.local -au mail2@nstx.local -ap univention

Mails sent with "-au mail2@nstx.local" are accepted (→ correct) and mails from "-au mail1@nstx.local" are rejected (→ correct). Regarding this issue, I do not see any need for a patch.

Bonus fact: For some currently unknown reason the authentication via UID is currently broken at least for SMTP. "-au user2" does not work and is rejected by the PAM stack, so listuser.py never gets called.

Did I miss any scenario where the mail address is directly passed to listfilter.py? Otherwise: if you can reproduce this behaviour and there is no objection, then please revert the patch and add a comment that the PAM stack converts the primary mail address to UID, so handling of mail addresses is currently unneeded.

I think the use of filter_format should be kept, the rest of the patch should be reverted.

Please note: all changes have to be merged to ucs-4.2-0 branch as well!

r76425: reverted email address related changes, kept LDAP query filter, merged to 4.2

Build for UCS 4.2-0 was missing
OK: code change 4.1-4
OK: code change 4.2-0
??: functional test
FIXED: YAML

(In reply to Sönke Schwardt-Krummrich from comment #9)
> ??: functional test

OK: functional test
37_sender_restrictions_for_groups and 36_sender_restrictions_for_mailing_lists showed no errors.

Hi,

We had to forward-port the attached diff to 4.2-2 (errata 198) since we (again in multiple times with 4.1 series) ran into the very same issue. For the moment for the affected customer we have documented in a way that an update on the package univention-mail-postfix needs a manual check and eventual re-patching of the affected file.

I'm looking forward for a proper integration of this patch or a better one.

Looking forward to hearing from you
Mathieu Simon

(In reply to Mathieu Simon from comment #14)
Hi Mathieu, this patch will be released for UCS 4.2-2 Errata in Bug #45422, soon. Thanks for your report.
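The comments above ask that filter_format be kept so that values are escaped in the LDAP query filter. As an added example (not the code of listfilter.py or of the attached patch), the following parses a Postfix policy delegation request and builds a user lookup filter with and without escaping. The filter template, the function names and the sample requests are assumptions made for illustration, and `filter_format` here is a pure-Python stand-in for python-ldap's `ldap.filter.filter_format`.

```python
import re

# Assumed lookup template: match the SASL login name against uid or
# mailPrimaryAddress (attribute names taken from the udm output above).
USER_FILTER = "(|(uid=%s)(mailPrimaryAddress=%s))"


def escape_filter_chars(value):
    """Escape the RFC 4515 special characters \\ * ( ) and NUL as \\XX."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def filter_format(template, values):
    """Stand-in for ldap.filter.filter_format: escape each value, then substitute."""
    return template % tuple(escape_filter_chars(v) for v in values)


def parse_policy_request(raw):
    """Parse one policy request: name=value lines, ended by an empty line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break  # an empty line terminates the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def user_filter_unsafe(attrs):
    """Plain string interpolation: the value becomes part of the filter syntax."""
    name = attrs.get("sasl_username", "")
    return USER_FILTER % (name, name)


def user_filter(attrs):
    """Escaped interpolation: the value stays a literal assertion value."""
    name = attrs.get("sasl_username", "")
    return filter_format(USER_FILTER, (name, name))


# Constructed sample requests (not captured traffic).
REQ_MAIL = ("request=smtpd_access_policy\nsasl_username=mail2@nstx.local\n"
            "recipient=mylist1@nstx.local\n\n")
REQ_META = ("request=smtpd_access_policy\nsasl_username=us*r(2)\n"
            "recipient=mylist1@nstx.local\n\n")

if __name__ == "__main__":
    for req in (REQ_MAIL, REQ_META):
        attrs = parse_policy_request(req)
        print("unsafe :", user_filter_unsafe(attrs))
        print("escaped:", user_filter(attrs))
```

With the second request, the unescaped filter contains a wildcard and unbalanced grouping taken from the login name, while the escaped filter compares against the literal string only.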