Univention Bugzilla – Bug 40353
4.1 policy of listfilter can be bypassed by NULL sender (sender=<>)
Last modified: 2016-09-27 12:33:27 CEST
+++ This bug was initially created as a clone of Bug #39488 +++

It is possible to bypass the rules of a mailing list by sending a mail as the so called null sender (sender=<>). This can be used to send SPAM and unauthorized mails to a list.

First a successful state of listfilter:

# telnet mail.example.com 25
Trying 10.200.34.31...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
HELO foobar
250 mail.example.com
MAIL FROM:<test@example.com>
250 2.1.0 Ok
RCPT TO:<maillinglist@example.com>
554 5.7.1 <maillinglist@example.com>: Recipient address rejected: Access denied for test@example.com to restricted list maillinglist@example.com

Second a successful send to the same list with NULL sender, which should not work:

# telnet mail.example.com 25
Trying 10.200.34.31...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
HELO foobar
250 mail.example.com
MAIL FROM:<>
250 2.1.0 Ok
RCPT TO:<maillinglist@example.com>
250 2.1.5 Ok

The test with listfilter.py is therefore not correct:

/usr/share/univention-mail-postfix/listfilter.py -b dc=example,dc=com -t -s '<>' -r maillinglist@example.com
action=REJECT Access denied for <> to restricted list maillinglist@example.com

I don't know exactly what the Postfix policy delegation protocol sends in a case with the NULL sender, and what the script listfilter.py does with this information (see http://www.postfix.org/SMTPD_POLICY_README.html).

Maybe this bug can be irrelevant, if bug 29615 will be implemented.
/usr/share/univention-mail-postfix/listfilter.py was modified to check for empty sender addresses. Commit: 66566 Advisory: 66566 + 66567
If mail/postfix/policy/listfilter=yes is set, ALL mails are checked via listfilter.py. Because of this, sending mails with null sender to specific users (recipient == mailPrimaryAddress of user) will be rejected.

listfilter.py has to determine first if the recipient is a mailing list with restrictions, and if this is the case, then the sender has to be checked. Otherwise allowed mails will be unexpectedly rejected.

REOPEN: code change
REOPEN: functional test → see ucs-test in UCS 4.1-0: improved 36_sender_restrictions_for_mailing_lists and 37_sender_restrictions_for_groups (OK): YAML

ucs-test (6.0.31-7): r66598 | Bug #40353: added additional checks for listfilter
Created attachment 7392 [details]
Suggested fix

The attached patch is a suggestion for a possible fix:
- the check of "sender" is delayed until the recipient address has been looked up and it is clear that the recipient is a mailing list *with* sender restrictions.
- for performance reasons, the lookup of the sender and its groups is delayed until it is clear that the recipient is a mailing list *with* sender restrictions. Otherwise this check is done unnecessarily for every mail.
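The check order the suggested fix describes, written out as a minimal Postfix policy-delegation handler. This is an added example, not the attached patch and not the project's listfilter.py: the directory and group membership are a constructed in-memory stand-in for the LDAP lookups the real script performs, and all addresses, list names and group names in it are hypothetical. It shows how the null sender reaches a policy server (an empty `sender=` attribute) and why resolving the recipient first matters: a mail to a plain user mailbox or to an unrestricted list is never rejected on account of its sender, while a restricted list rejects `<>` like any other unlisted sender.

```python
"""Minimal Postfix SMTPD policy handler demonstrating the recipient-first
check order from this bug.  Added example; not the project's listfilter.py.
Directory contents below are constructed, not read from LDAP."""

# Constructed stand-in for the LDAP data listfilter.py consults (hypothetical).
DIRECTORY = {
    "maillinglist@example.com": {            # list WITH sender restrictions
        "type": "list",
        "allowed_senders": {"alice@example.com"},
        "allowed_groups": {"list-admins"},
    },
    "announce@example.com": {                # list WITHOUT restrictions
        "type": "list",
        "allowed_senders": set(),
        "allowed_groups": set(),
    },
    "bob@example.com": {"type": "user"},     # ordinary mailbox (mailPrimaryAddress)
}
USER_GROUPS = {                              # constructed group memberships
    "alice@example.com": {"staff"},
    "carol@example.com": {"list-admins"},
}


def parse_policy_request(raw):
    """Parse one policy request: 'attribute=value' lines, terminated by an
    empty line.  Postfix encodes the null sender <> as an empty 'sender='."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


def policy_action(attrs):
    """Return 'DUNNO' or 'REJECT ...' for one parsed request.

    The recipient is resolved first.  Only when it is a mailing list with
    sender restrictions is the sender looked at, so neither mail to users nor
    mail to unrestricted lists pays for a sender/group lookup or gets rejected
    because of the null sender.
    """
    recipient = attrs.get("recipient", "").lower()
    entry = DIRECTORY.get(recipient)
    if entry is None or entry["type"] != "list":
        return "DUNNO"                       # not a list: nothing to enforce here
    if not entry["allowed_senders"] and not entry["allowed_groups"]:
        return "DUNNO"                       # unrestricted list: skip sender lookup
    sender = attrs.get("sender", "").lower()
    if not sender:
        # Null sender: it can never be on an allow list, so it must be
        # rejected instead of slipping past the restriction.
        return "REJECT Access denied for <> to restricted list %s" % recipient
    if sender in entry["allowed_senders"]:
        return "DUNNO"
    if USER_GROUPS.get(sender, set()) & entry["allowed_groups"]:
        return "DUNNO"
    return "REJECT Access denied for %s to restricted list %s" % (sender, recipient)


def respond(raw):
    """Format the reply as Postfix expects it: 'action=...' plus a blank line."""
    return "action=%s\n\n" % policy_action(parse_policy_request(raw))


if __name__ == "__main__":
    # Constructed request resembling what smtpd sends at RCPT time for <>.
    sample = "request=smtpd_access_policy\nprotocol_state=RCPT\nsender=\nrecipient=maillinglist@example.com\n\n"
    print(respond(sample), end="")
```

The same ordering applies when a real directory is behind the lookups: bind and query the recipient object, decide whether any sender restriction exists, and only then spend a query on the sender and its groups.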
Created attachment 7393 [details]
Improved patch
Patch applied, some pep8 fixes, rebuilt: 66602, 66609
OK: code change (incl. cleanup) OK: functional change OK: YAML
OK: univention-mail-postfix.yaml
<http://errata.software-univention.de/ucs/4.1/51.html>