Univention Bugzilla – Full Text Bug Listing

| Summary: | (4.2) postfix listfilter.py fails for email addresses as sasl_username | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Sönke Schwardt-Krummrich <schwardt> |
| Component: | | Assignee: | Sönke Schwardt-Krummrich <schwardt> |
| Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, birkefeld, botner, gohmann, mathieu.simon, scheinig, schwardt, troeder |
| Version: | UCS 4.1 | | |
| Target Milestone: | UCS 4.2-3-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
| Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 2: A Pain – users won't like this once they notice it |
| User Pain: | 0.091 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2017060721000558 | Bug group (optional): | External feedback |
| Max CVSS v3 score: | | | |
| Bug Depends on: | 41055 | | |
| Bug Blocks: | | | |
Description
Sönke Schwardt-Krummrich
2017-09-20 11:56:13 CEST
Nice. The 'mail' attribute should not be used in the filter though, as it is just the "contact" address.

(In reply to Daniel Tröder from comment #1)
> Nice.
>
> The 'mail' attribute should not be used in the filter though, as it is just
> the "contact" address.

IIRC this is/was an undocumented feature. It's possible to select users without mailPrimaryAddress but with mail attribute. This way users with external mail addresses ("contact addresses") were also allowed to send mail to the mailing list.
I'm still unsure if we break a current use case if "mail" is removed.

(In reply to Sönke Schwardt-Krummrich from comment #2)
> (In reply to Daniel Tröder from comment #1)
> > Nice.
> >
> > The 'mail' attribute should not be used in the filter though, as it is just
> > the "contact" address.
>
> IIRC this is/was an undocumented feature. It's possible to select users
> without mailPrimaryAddress but with mail attribute. This way users with
> external mail addresses ("contact addresses") were also allowed to send
> mail to the mailing list.
>
> I'm still unsure if we break a current use case if "mail" is removed.

That makes sense: it mimics the mailman feature of allowing additional addresses to send to a restricted mailing list.

$ ucr get mail/cyrus
yes
$ ucr get mail/dovecot
→ nothing
$ ucr set mail/postfix/policy/listfilter/debug=yes mail/postfix/policy/listfilter/use_sasl_username=yes mail/postfix/policy/listfilter=yes
$ systemctl restart postfix.service

# check basics
$ /usr/share/ucs-test/40_mail/00delivery01group -f && /usr/share/ucs-test/40_mail/23_mail_to_ldap_group -f && /usr/share/ucs-test/40_mail/35_mail_to_nested_groups -f && /usr/share/ucs-test/40_mail/37_sender_restrictions_for_groups -f

$ eval $(ucr shell)
$ udm groups/group create --position cn=groups,$ldap_base --set name=testgr01 --set mailAddress=testgr1m@uni.dtr

# from host not in mail/postfix/mynetworks:
$ swaks --from test@example.com --to user01m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01m@uni.dtr --ap univention
$ swaks --from test@example.com --to user01m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01 --ap univention

# on server:
$ ls /var/spool/cyrus/mail/domain/u/uni.dtr/u/user/user01m/

# from host not in mail/postfix/mynetworks:
$ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user02m@uni.dtr --ap univention
Oct 17 11:32:22 m10 listfilter[23321]: listfilter: sender='user02m@uni.dtr' recipient='testgr1m@uni.dtr' check_sasl_username=True
Oct 17 11:32:22 m10 listfilter[23321]: listfilter: attrib={'reverse_client_name': 'unknown', 'queue_id': '', 'ccert_subject': '', 'sasl_sender': '', 'protocol_state': 'RCPT', 'encryption_protocol': 'TLSv1.2', 'ccert_issuer': '', 'client_address': '10.205.1.18', 'size': '0', 'protocol_name': 'ESMTP', 'client_name': 'unknown', 'helo_name': 'sommar', 'etrn_domain': '', 'instance': '5b14.59e5ce25.e66db.0', 'encryption_keysize': '256', 'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384', 'ccert_fingerprint': '', 'recipient_count': '0', 'ccert_pubkey_fingerprint': '', 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user02m@uni.dtr', 'stress': '', 'sender': 'test@example.com', 'request': 'smtpd_access_policy'}
Oct 17 11:32:22 m10 listfilter[23321]: listfilter: action=DUNNO no restrictions
Oct 17 11:32:22 m10 postfix/smtpd[23316]: 1A09C44FB3: client=unknown[10.205.1.18], sasl_method=LOGIN, sasl_username=user02m@uni.dtr
→→→→ allowed (user02, no restrictions: allowedEmailUsers and allowedEmailGroups empty)

$ udm groups/group modify --dn cn=testgr01,cn=groups,dc=uni,dc=dtr --append allowedEmailUsers=uid=user01,cn=users,dc=uni,dc=dtr

$ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user02m@uni.dtr --ap univention
→ <~* 554 5.7.1 <testgr1m@uni.dtr>: Recipient address rejected: Access denied for user02m@uni.dtr to restricted list testgr1m@uni.dtr
Oct 17 11:31:33 m10 listfilter[23321]: listfilter: sender='user02m@uni.dtr' recipient='testgr1m@uni.dtr' check_sasl_username=True
Oct 17 11:31:33 m10 listfilter[23321]: listfilter: attrib={'reverse_client_name': 'unknown', 'queue_id': '', 'ccert_subject': '', 'sasl_sender': '', 'protocol_state': 'RCPT', 'encryption_protocol': 'TLSv1.2', 'ccert_issuer': '', 'client_address': '10.205.1.18', 'size': '0', 'protocol_name': 'ESMTP', 'client_name': 'unknown', 'helo_name': 'sommar', 'etrn_domain': '', 'instance': '5b14.59e5cdf5.8e2fc.0', 'encryption_keysize': '256', 'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384', 'ccert_fingerprint': '', 'recipient_count': '0', 'ccert_pubkey_fingerprint': '', 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user02m@uni.dtr', 'stress': '', 'sender': 'test@example.com', 'request': 'smtpd_access_policy'}
Oct 17 11:31:33 m10 listfilter[23321]: listfilter: allowed_user_dns=['uid=user01,cn=users,dc=uni,dc=dtr'] allowed_group_dns=[]
Oct 17 11:31:33 m10 listfilter[23321]: listfilter: user_dn='uid=user02,cn=users,dc=uni,dc=dtr'
Oct 17 11:31:33 m10 listfilter[23321]: listfilter: action=REJECT Access denied for user02m@uni.dtr to restricted list testgr1m@uni.dtr
→→→→ not allowed (user02)

$ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01m@uni.dtr --ap univention
Oct 17 11:12:51 m10 listfilter[22688]: listfilter: sender='user01m@uni.dtr' recipient='testgr1m@uni.dtr' check_sasl_username=True
Oct 17 11:12:51 m10 listfilter[22688]: listfilter: attrib={..., 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user01m@uni.dtr', 'sender': 'test@example.com', ...}
Oct 17 11:12:51 m10 listfilter[22688]: listfilter: allowed_user_dns=['uid=user01,cn=users,dc=uni,dc=dtr'] allowed_group_dns=[]
Oct 17 11:12:51 m10 listfilter[22688]: listfilter: user_dn='uid=user01,cn=users,dc=uni,dc=dtr'
Oct 17 11:12:51 m10 listfilter[22688]: listfilter: action=DUNNO allowed per user dn
Oct 17 11:12:51 m10 postfix/smtpd[22685]: 60EDD400E4: client=unknown[10.205.1.18], sasl_method=LOGIN, sasl_username=user01m@uni.dtr
→→→→ allowed (with mPA: sasl_username=user01m@uni.dtr)

$ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01 --ap univention
Oct 17 11:13:26 m10 listfilter[22688]: listfilter: sender='user01' recipient='testgr1m@uni.dtr' check_sasl_username=True
Oct 17 11:13:26 m10 listfilter[22688]: listfilter: attrib={..., 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user01', 'sender': 'test@example.com', ...}
Oct 17 11:13:26 m10 listfilter[22688]: listfilter: allowed_user_dns=['uid=user01,cn=users,dc=uni,dc=dtr'] allowed_group_dns=[]
Oct 17 11:13:26 m10 listfilter[22688]: listfilter: user_dn='uid=user01,cn=users,dc=uni,dc=dtr'
Oct 17 11:13:26 m10 listfilter[22688]: listfilter: action=DUNNO allowed per user dn
Oct 17 11:13:26 m10 postfix/smtpd[22685]: BAE124010B: client=unknown[10.205.1.18], sasl_method=LOGIN, sasl_username=user01
→→→→ allowed (with uid: sasl_username=user01)

b49a0264: handle Cyrus SASL in listfilter.py
645146c4: advisory

univention-mail-postfix 11.0.1-18A~4.2.0.201710171216

Hi

The target milestone says 4.2-3-errata, does that indicate it should have been released with 4.2-3 or can we expect 11.0.1-18A~4.2.0.201710171216 to be included with a later errata release?

(I've skimmed through the 4.2-3 repositories but couldn't yet find this version.)

Best regards
Mathieu

(In reply to Mathieu Simon from comment #6)
> Hi
>
> The target milestone says 4.2-3-errata, does that indicate it should have
> been released with 4.2-3 or can we expect 11.0.1-18A~4.2.0.201710171216 to
> be included with a later errata release?
>
> (I've skimmed through the 4.2-3 repositories but couldn't yet find this
> version.)
>
> Best regards
> Mathieu

Hello Mathieu,
the fix is not included in the UCS 4.2-3 release. We are releasing it as an erratum upgrade for UCS 4.2-3 and most likely also for UCS 4.2-3. The target milestone has just been adjusted because of the release of UCS 4.2-3 yesterday.

Is there a reason to use the static LDAP filter for user accounts instead of using the UDM library to determine the currently correct one (as mentioned within the original bug description)?

from ldap.filter import filter_format
import univention.admin.modules

univention.admin.modules.update()
usersmod = univention.admin.modules.get("users/user")
# sender: the uid or address taken from the policy request
subfilter = filter_format('(|(uid=%s)(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))', (sender, sender, sender, sender))
print str(usersmod.lookup_filter(filter_s=subfilter))

[4.2-3 775830776a9] Bug #45422: use UDM users/user filter
[4.2-3 c8fb3f44762] Bug #45422: try possible result before next LDAP query
[4.2-3 12e897585a1] Bug #45422: changelog
[4.2-3 cd5793bbc2e] Bug #45422: advisory update
[4.2-3 ffa288aebb2] Bug #45422: fix typo
[4.2-3 dbb3b266533] Bug #45422: advisory update

univention-mail-postfix 11.0.2-3A~4.2.0.201801291023

Commits were merged to 4.3-0 and built (12.0.0-10).
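The decision the thread is testing, as an added example (not UCS's listfilter.py and not code from any commenter): a Postfix policy-delegation request is parsed, the sender identity is taken from sasl_username when use_sasl_username is set (falling back to the envelope sender), that identity is resolved to a user DN whether it is a uid or one of the user's addresses, and the list's allowedEmailUsers/allowedEmailGroups are checked. The LDAP directory is a constructed in-memory stand-in; the uniqueMember attribute for group membership, the sample requests and the rule that an unresolvable sender never opens a restricted list are this example's assumptions. The filter builder escapes the lookup value as ldap.filter.filter_format would, which is what keeps a crafted SASL name from widening the search.

```python
"""Policy decision of a Postfix list filter: uid or e-mail as sasl_username."""

# Constructed stand-in for the LDAP directory: DN -> attributes (assumption).
DIRECTORY = {
    "uid=user01,cn=users,dc=uni,dc=dtr": {
        "uid": ["user01"],
        "mailPrimaryAddress": ["user01m@uni.dtr"],
        "mailAlternativeAddress": ["u1@uni.dtr"],
    },
    "uid=user02,cn=users,dc=uni,dc=dtr": {
        "uid": ["user02"],
        "mailPrimaryAddress": ["user02m@uni.dtr"],
    },
    "uid=ext01,cn=users,dc=uni,dc=dtr": {
        "uid": ["ext01"],
        "mail": ["ext@example.net"],  # contact address only, no mailPrimaryAddress
    },
    "cn=testgr01,cn=groups,dc=uni,dc=dtr": {
        "mailAddress": ["testgr1m@uni.dtr"],
        "allowedEmailUsers": ["uid=user01,cn=users,dc=uni,dc=dtr"],
        "allowedEmailGroups": ["cn=staff,cn=groups,dc=uni,dc=dtr"],
    },
    "cn=open01,cn=groups,dc=uni,dc=dtr": {"mailAddress": ["open1@uni.dtr"]},  # unrestricted
    "cn=staff,cn=groups,dc=uni,dc=dtr": {"uniqueMember": ["uid=ext01,cn=users,dc=uni,dc=dtr"]},
}

# Attributes a sender identity may match, as in the filter from comment #8.
USER_ATTRS = ("uid", "mailPrimaryAddress", "mailAlternativeAddress", "mail")


def escape_filter_chars(value):
    """RFC 4515 escaping of an assertion value (what filter_format does)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_lookup_filter(identity):
    """LDAP filter for one identity, with the value escaped before insertion."""
    v = escape_filter_chars(identity)
    return "(|(uid=%s)(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))" % (v, v, v, v)


def make_request(**fields):
    """Build a policy request in Postfix's wire form (constructed test input)."""
    return "".join("%s=%s\n" % kv for kv in fields.items()) + "\n"


def parse_policy_request(raw):
    """Parse 'name=value' lines up to the empty line that ends a request."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def sender_identity(attrs, use_sasl_username=True):
    """Authenticated SASL user if configured and present, else envelope sender."""
    if use_sasl_username and attrs.get("sasl_username"):
        return attrs["sasl_username"]
    return attrs.get("sender", "")


def find_dn(directory, attr_names, value):
    """First DN whose listed attributes contain value (caseIgnore, like LDAP)."""
    wanted = value.lower()
    for dn, attrs in directory.items():
        for attr in attr_names:
            if wanted in (v.lower() for v in attrs.get(attr, [])):
                return dn
    return None


def check_recipient(directory, attrs, use_sasl_username=True):
    """Return the policy action for one RCPT TO of a restricted list."""
    recipient = attrs.get("recipient", "")
    list_dn = find_dn(directory, ("mailAddress",), recipient)
    if list_dn is None:
        return "DUNNO"  # not a list this filter manages
    group = directory[list_dn]
    allowed_users = group.get("allowedEmailUsers", [])
    allowed_groups = group.get("allowedEmailGroups", [])
    if not allowed_users and not allowed_groups:
        return "DUNNO"  # no restrictions configured
    identity = sender_identity(attrs, use_sasl_username)
    user_dn = find_dn(directory, USER_ATTRS, identity)  # uid or any address
    if user_dn is not None:
        if user_dn in allowed_users:
            return "DUNNO"
        if any(user_dn in directory.get(g, {}).get("uniqueMember", []) for g in allowed_groups):
            return "DUNNO"
    # Unknown sender or not on either list: deny (this example's policy).
    return "REJECT Access denied for %s to restricted list %s" % (identity, recipient)


def decide(raw_request, use_sasl_username=True):
    """Parse a request and return the action line Postfix expects back."""
    return "action=%s\n\n" % check_recipient(DIRECTORY, parse_policy_request(raw_request), use_sasl_username)


# Constructed request shaped like the attribute dump in the debug log above.
SAMPLE_REQUEST = make_request(request="smtpd_access_policy", protocol_state="RCPT",
                              client_address="10.205.1.18", sasl_method="LOGIN",
                              sasl_username="user02m@uni.dtr", sender="test@example.com",
                              recipient="testgr1m@uni.dtr")

if __name__ == "__main__":
    print(user_lookup_filter("*)(uid=*"))
    print(decide(SAMPLE_REQUEST), end="")
```

The three authenticated cases from the test log above map directly: user02m@uni.dtr is rejected, while user01m@uni.dtr and the bare uid user01 both resolve to the same DN and are allowed. Sending as the unauthenticated contact address ext@example.net exercises the "mail" attribute discussed in comments #1 to #3 through an allowed group.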
(In reply to Daniel Tröder from comment #9)
> [4.2-3 775830776a9] Bug #45422: use UDM users/user filter
> [4.2-3 c8fb3f44762] Bug #45422: try possible result before next LDAP query
> [4.2-3 12e897585a1] Bug #45422: changelog
> [4.2-3 cd5793bbc2e] Bug #45422: advisory update
> [4.2-3 ffa288aebb2] Bug #45422: fix typo
> [4.2-3 dbb3b266533] Bug #45422: advisory update
>
> univention-mail-postfix 11.0.2-3A~4.2.0.201801291023

OK: advisory (has been updated)
OK: code change
OK: functional test
OK: no ucs-test script required (due to UCS 4.3)

> Commits were merged to 4.3-0 and built (12.0.0-10).

OK: commits merged

→ in UCS 4.2-2, 4.2-3 and 4.3-0 there is no dependency from univention-mail-postfix to python-univention-directory-manager
→ added in 4.3-0, 4.2-3 and 4.2-2:

univention-mail-postfix (11.0.2-4)
22fd32c2d0ba | Bug #45422: add missing dependency
Package: univention-mail-postfix
Version: 11.0.2-4A~4.2.0.201802061735
Branch: ucs_4.2-0
Scope: errata4.2-3

univention-mail-postfix (12.0.0-11)
beb98a7a5358 | Bug #45422: add missing dependency
Package: univention-mail-postfix
Version: 12.0.0-11A~4.3.0.201802061738
Branch: ucs_4.3-0

→ waiting for jenkins results

OK: add missing dependency
OK: merge to 4.3
OK: jenkins results for 40_mail/12_delivery_to_mailing_list and 40_mail/36_sender_restrictions_for_mailing_lists are stable in 4.2-3 and 4.3-0.