Univention Bugzilla – Bug 41055
postfix listfilter.py fails for email addresses as sasl_username
Last modified: 2017-10-30 16:27:04 CET
+++ This bug was initially created as a clone of Bug #29615 +++

With UCS 4.1 we made it the default in the documentation, and since 4.0 we support in pam/smtp: using both the UNIX username and mailPrimaryAddress as login for SMTP-AUTH. But the implementation of mail/postfix/policy/listfilter/use_sasl_username in Bug #29615 only supports UNIX usernames. Attempts to send to a restricted list with an account on the allowed-list, when logging in with the email address, result in:

Recipient address rejected: Access denied for <mailPrimaryAddress> to restricted list <group mail address>
Created attachment 7593 [details] allow to filter with sasl_username=email@address
What's the status of this bug? The patch was released half a year ago.
We should implement a variant of the attached patch (filter_format should be used to escape the values correctly).
r74354: code change
r74358: advisory
r75453: Remove UCS 4.1-3 from YAML file since UCS 4.1-3 is no longer in maintenance (Bug #41055)
Maybe I have overlooked something, but it seems to me that this patch is not required at all. The PAM stack always converts the given username from mailPrimaryAddress to UID. This is confirmed by some debug code I added to listfilter.py. The following values are passed to listfilter.py:

'reverse_client_name': 'master.nstx.local',
'queue_id': '',
'ccert_subject': '',
'sasl_sender': '',
'protocol_state': 'RCPT',
'encryption_protocol': 'TLSv1.2',
'ccert_issuer': '',
'client_address': '10.200.18.180',
'size': '0',
'protocol_name': 'ESMTP',
'client_name': 'master.nstx.local',
'helo_name': 'master.nstx.local',
'etrn_domain': '',
'instance': '4ca7.58751211.39ced.0',
'encryption_keysize': '256',
'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384',
'ccert_fingerprint': '',
'recipient_count': '0',
'ccert_pubkey_fingerprint': '',
'sasl_method': 'LOGIN',
'recipient': 'mylist1@nstx.local',
'sasl_username': 'user2',
'stress': '',
'sender': 'user1@nstx.local',
'request': 'smtpd_access_policy'

# udm users/user list | egrep 'uid|mail'
DN: uid=user1,cn=users,dc=nstx,dc=local
uid: user1
e-mail: mail1@nstx.local
mailPrimaryAddress: mail1@nstx.local
[…]
DN: uid=user2,cn=users,dc=nstx,dc=local
uid: user2
e-mail: mail2@nstx.local
mailPrimaryAddress: mail2@nstx.local
[…]

# udm mail/lists list
DN: cn=mylistA,cn=mailinglists,cn=mail,dc=nstx,dc=local
ARG: None
name: mylistA
allowedEmailUsers: uid=user2,cn=users,dc=nstx,dc=local
allowedEmailUsers: uid=user4,cn=users,dc=nstx,dc=local
members: userA@gmx.de
members: userB@gmx.de
mailAddress: mylist1@nstx.local
description: None

# ucr search --brief /listfilter
mail/postfix/policy/listfilter/maxproc: <empty>
mail/postfix/policy/listfilter/use_sasl_username: yes
mail/postfix/policy/listfilter: yes

Mails have been sent via:

swaks -server master.nstx.local -a -tls -p 587 --to mylist1@nstx.local \
  --from user1@nstx.local -au mail2@nstx.local -ap univention

Mails sent with "-au mail2@nstx.local" are accepted (→ correct) and mails from "-au mail1@nstx.local" are rejected (→ correct). Regarding this issue, I do not see any need for a patch.

Bonus fact: For some currently unknown reason the authentication via UID is currently broken, at least for SMTP. "-au user2" does not work and is rejected by the PAM stack, so listfilter.py never gets called.

Did I miss any scenario where the mail address is directly passed to listfilter.py? Otherwise: if you can reproduce this behaviour and there is no objection, then please revert the patch and add a comment that the PAM stack converts the primary mail address to UID, so handling of mail addresses is currently unneeded.
I think the use of filter_format should be kept; the rest of the patch should be reverted. Please note: all changes have to be merged to the ucs-4.2-0 branch as well!
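To make the two points of this thread concrete (the policy request that comment #8 dumps, and the filter_format escaping that comment #9 wants kept), here is an added example, not the UCS listfilter.py itself. It assumes an in-memory stand-in for the LDAP directory built from the udm output quoted above, and a local filter_format helper in place of the UCS one; the lookup accepts either a UID or a mailPrimaryAddress as sasl_username.

```python
# Added example, not the UCS listfilter.py: a minimal smtpd_access_policy
# decision for restricted mailing lists. Directory data is a constructed
# in-memory stand-in mirroring the udm output quoted in the bug.
USERS = {
    "uid=user1,cn=users,dc=nstx,dc=local": {"uid": "user1", "mailPrimaryAddress": "mail1@nstx.local"},
    "uid=user2,cn=users,dc=nstx,dc=local": {"uid": "user2", "mailPrimaryAddress": "mail2@nstx.local"},
}
LISTS = {  # mailAddress -> allowedEmailUsers DNs (from the mylistA entry)
    "mylist1@nstx.local": {"uid=user2,cn=users,dc=nstx,dc=local",
                           "uid=user4,cn=users,dc=nstx,dc=local"},
}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def filter_format(template, values):
    """Stand-in for the UCS filter_format helper: RFC 4515 escaping of each
    value, so a crafted sasl_username cannot change the filter's structure."""
    return template % tuple("".join(_ESCAPES.get(c, c) for c in v) for v in values)

def parse_policy_request(raw):
    """Parse one Postfix policy request: key=value lines ended by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs

def find_user_dn(login):
    """Resolve the SASL login (UID or mailPrimaryAddress) to a user DN."""
    ldap_filter = filter_format("(|(uid=%s)(mailPrimaryAddress=%s))", (login, login))
    # A real policy script hands ldap_filter to an LDAP search; the in-memory
    # match below stands in for that search on the constructed USERS data.
    for dn, entry in USERS.items():
        if login in (entry["uid"], entry["mailPrimaryAddress"]):
            return dn
    return None

def policy_action(attrs):
    """Return the Postfix policy action: DUNNO (no opinion) or REJECT ..."""
    recipient = attrs.get("recipient", "")
    allowed = LISTS.get(recipient)
    if allowed is None:
        return "DUNNO"  # not a restricted list, let other restrictions decide
    if find_user_dn(attrs.get("sasl_username", "")) in allowed:
        return "DUNNO"
    return "REJECT Access denied for %s to restricted list %s" % (attrs.get("sender", ""), recipient)

# Constructed request in the format Postfix sends to a policy server.
REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\nsender=user1@nstx.local\n"
           "recipient=mylist1@nstx.local\nsasl_username=mail2@nstx.local\n\n")
```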
r76425: reverted email address related changes, kept LDAP query filter, merged to 4.2
Build for UCS 4.2-0 was missing

OK: code change 4.1-4
OK: code change 4.2-0
??: functional test
FIXED: YAML
(In reply to Sönke Schwardt-Krummrich from comment #9)
> ??: functional test

OK: functional test
37_sender_restrictions_for_groups and 36_sender_restrictions_for_mailing_lists showed no errors.
<http://errata.software-univention.de/ucs/4.1/394.html>
Hi,

We had to forward-port the attached diff to 4.2-2 (errata 198) since we (again, multiple times with the 4.1 series) ran into the very same issue. For the moment, for the affected customer, we have documented that an update of the package univention-mail-postfix needs a manual check and eventual re-patching of the affected file. I'm looking forward to a proper integration of this patch or a better one.

Looking forward to hearing from you
Mathieu Simon
(In reply to Mathieu Simon from comment #14)

Hi Mathieu, this patch will be released for UCS 4.2-2 Errata in Bug #45422, soon. Thanks for your report.