Univention Bugzilla – Bug 45422
(4.2) postfix listfilter.py fails for email addresses as sasl_username
Last modified: 2018-02-14 13:31:40 CET
We were finally able to reproduce the original bug. It looks like cyrus saslauthd always returns the mail address (provided during auth) back to postfix, whereas dovecot's saslauthd returns the username from the PAM stack. Since the PAM stack modifies the username from mail address to username, saslauthd returns a username to postfix (and therefore to listfilter.py, too). Since usernames may not contain "@" and mail addresses are not valid without "@", we should alter the LDAP filter in listfilter.py accordingly. The following snippet uses the LDAP filter from users/user.py instead of the extremely unspecific "objectclass=posixAccount":

    from ldap.filter import filter_format
    import univention.admin.modules

    univention.admin.modules.update()
    usersmod = univention.admin.modules.get("users/user")
    # sender is the SASL username handed over by postfix (uid or mail address)
    sender = "user@example.com"
    subfilter = filter_format('(|(uid=%s)(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))', (sender, sender, sender, sender))
    print str(usersmod.lookup_filter(filter_s=subfilter))

    (&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=univentionMail)(objectClass=sambaSamAccount)(objectClass=simpleSecurityObject)(&(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)))(!(uidNumber=0))(!(uid=*$))(!(univentionObjectFlag=functional))(|(uid=user@example.com)(mailPrimaryAddress=user@example.com)(mailAlternativeAddress=user@example.com)(mail=user@example.com)))

+++ This bug was initially created as a clone of Bug #41055 +++
+++ This bug was initially created as a clone of Bug #29615 +++

With UCS 4.1 we made it the default in the documentation and since 4.0 we support it in pam/smtp: using both the UNIX username and mailPrimaryAddress as login for SMTP-AUTH. But the implementation of mail/postfix/policy/listfilter/use_sasl_username in Bug #29615 only supports UNIX usernames.
Attempts to send to a restricted list with an account on the allowed-list, when logging in with the email address, result in:

    Recipient address rejected: Access denied for <mailPrimaryAddress> to restricted list <group mail address>
Nice. The 'mail' attribute should not be used in the filter though, as it is just the "contact" address.
(In reply to Daniel Tröder from comment #1)
> Nice.
>
> The 'mail' attribute should not be used in the filter though, as it is just
> the "contact" address.

IIRC this is/was an undocumented feature. It's possible to select users without mailPrimaryAddress but with a mail attribute. This way users with external mail addresses ("contact addresses") were also allowed to send mail to the mailing list. I'm still unsure if we break a current use case if "mail" is removed.
(In reply to Sönke Schwardt-Krummrich from comment #2)
> (In reply to Daniel Tröder from comment #1)
> > Nice.
> >
> > The 'mail' attribute should not be used in the filter though, as it is just
> > the "contact" address.
>
> IIRC this is/was a undocumented feature. It's possible to select users
> without mailPrimaryAddress but with mail attribute. This way users with
> external mail addresses ("contact addresses") were be also allowed to send
> mail to the mailing list.
>
> I'm still unsure if we break a current use case if "mail" is removed.

That makes sense: it mimics the mailman feature of allowing additional addresses to send to a restricted mailing list.
    $ ucr get mail/cyrus
    yes
    $ ucr get mail/dovecot
    → nothing
    $ ucr set mail/postfix/policy/listfilter/debug=yes mail/postfix/policy/listfilter/use_sasl_username=yes mail/postfix/policy/listfilter=yes
    $ systemctl restart postfix.service

    # check basics
    $ /usr/share/ucs-test/40_mail/00delivery01group -f && /usr/share/ucs-test/40_mail/23_mail_to_ldap_group -f && /usr/share/ucs-test/40_mail/35_mail_to_nested_groups -f && /usr/share/ucs-test/40_mail/37_sender_restrictions_for_groups -f

    $ eval $(ucr shell)
    $ udm groups/group create --position cn=groups,$ldap_base --set name=testgr01 --set mailAddress=testgr1m@uni.dtr

    # from host not in mail/postfix/mynetworks:
    $ swaks --from test@example.com --to user01m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01m@uni.dtr --ap univention
    $ swaks --from test@example.com --to user01m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01 --ap univention

    # on server:
    $ ls /var/spool/cyrus/mail/domain/u/uni.dtr/u/user/user01m/

    # from host not in mail/postfix/mynetworks:
    $ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user02m@uni.dtr --ap univention
    Oct 17 11:32:22 m10 listfilter[23321]: listfilter: sender='user02m@uni.dtr' recipient='testgr1m@uni.dtr' check_sasl_username=True
    Oct 17 11:32:22 m10 listfilter[23321]: listfilter: attrib={'reverse_client_name': 'unknown', 'queue_id': '', 'ccert_subject': '', 'sasl_sender': '', 'protocol_state': 'RCPT', 'encryption_protocol': 'TLSv1.2', 'ccert_issuer': '', 'client_address': '10.205.1.18', 'size': '0', 'protocol_name': 'ESMTP', 'client_name': 'unknown', 'helo_name': 'sommar', 'etrn_domain': '', 'instance': '5b14.59e5ce25.e66db.0', 'encryption_keysize': '256', 'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384', 'ccert_fingerprint': '', 'recipient_count': '0', 'ccert_pubkey_fingerprint': '', 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user02m@uni.dtr', 'stress': '', 'sender': 'test@example.com', 'request': 'smtpd_access_policy'}
    Oct 17 11:32:22 m10 listfilter[23321]: listfilter: action=DUNNO no restrictions
    Oct 17 11:32:22 m10 postfix/smtpd[23316]: 1A09C44FB3: client=unknown[10.205.1.18], sasl_method=LOGIN, sasl_username=user02m@uni.dtr
    →→→→ allowed (user02, no restrictions: allowedEmailUsers and allowedEmailGroups empty)

    $ udm groups/group modify --dn cn=testgr01,cn=groups,dc=uni,dc=dtr --append allowedEmailUsers=uid=user01,cn=users,dc=uni,dc=dtr

    $ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user02m@uni.dtr --ap univention
    → <~* 554 5.7.1 <testgr1m@uni.dtr>: Recipient address rejected: Access denied for user02m@uni.dtr to restricted list testgr1m@uni.dtr
    Oct 17 11:31:33 m10 listfilter[23321]: listfilter: sender='user02m@uni.dtr' recipient='testgr1m@uni.dtr' check_sasl_username=True
    Oct 17 11:31:33 m10 listfilter[23321]: listfilter: attrib={'reverse_client_name': 'unknown', 'queue_id': '', 'ccert_subject': '', 'sasl_sender': '', 'protocol_state': 'RCPT', 'encryption_protocol': 'TLSv1.2', 'ccert_issuer': '', 'client_address': '10.205.1.18', 'size': '0', 'protocol_name': 'ESMTP', 'client_name': 'unknown', 'helo_name': 'sommar', 'etrn_domain': '', 'instance': '5b14.59e5cdf5.8e2fc.0', 'encryption_keysize': '256', 'encryption_cipher': 'ECDHE-RSA-AES256-GCM-SHA384', 'ccert_fingerprint': '', 'recipient_count': '0', 'ccert_pubkey_fingerprint': '', 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user02m@uni.dtr', 'stress': '', 'sender': 'test@example.com', 'request': 'smtpd_access_policy'}
    Oct 17 11:31:33 m10 listfilter[23321]: listfilter: allowed_user_dns=['uid=user01,cn=users,dc=uni,dc=dtr'] allowed_group_dns=[]
    Oct 17 11:31:33 m10 listfilter[23321]: listfilter: user_dn='uid=user02,cn=users,dc=uni,dc=dtr'
    Oct 17 11:31:33 m10 listfilter[23321]: listfilter: action=REJECT Access denied for user02m@uni.dtr to restricted list testgr1m@uni.dtr
    →→→→ not allowed (user02)

    $ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01m@uni.dtr --ap univention
    Oct 17 11:12:51 m10 listfilter[22688]: listfilter: sender='user01m@uni.dtr' recipient='testgr1m@uni.dtr' check_sasl_username=True
    Oct 17 11:12:51 m10 listfilter[22688]: listfilter: attrib={..., 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user01m@uni.dtr', 'sender': 'test@example.com', ...}
    Oct 17 11:12:51 m10 listfilter[22688]: listfilter: allowed_user_dns=['uid=user01,cn=users,dc=uni,dc=dtr'] allowed_group_dns=[]
    Oct 17 11:12:51 m10 listfilter[22688]: listfilter: user_dn='uid=user01,cn=users,dc=uni,dc=dtr'
    Oct 17 11:12:51 m10 listfilter[22688]: listfilter: action=DUNNO allowed per user dn
    Oct 17 11:12:51 m10 postfix/smtpd[22685]: 60EDD400E4: client=unknown[10.205.1.18], sasl_method=LOGIN, sasl_username=user01m@uni.dtr
    →→→→ allowed (with mPA: sasl_username=user01m@uni.dtr)

    $ swaks --from test@example.com --to testgr1m@uni.dtr --server 10.200.3.10 --port 587 --tls --au user01 --ap univention
    Oct 17 11:13:26 m10 listfilter[22688]: listfilter: sender='user01' recipient='testgr1m@uni.dtr' check_sasl_username=True
    Oct 17 11:13:26 m10 listfilter[22688]: listfilter: attrib={..., 'sasl_method': 'LOGIN', 'recipient': 'testgr1m@uni.dtr', 'sasl_username': 'user01', 'sender': 'test@example.com', ...}
    Oct 17 11:13:26 m10 listfilter[22688]: listfilter: allowed_user_dns=['uid=user01,cn=users,dc=uni,dc=dtr'] allowed_group_dns=[]
    Oct 17 11:13:26 m10 listfilter[22688]: listfilter: user_dn='uid=user01,cn=users,dc=uni,dc=dtr'
    Oct 17 11:13:26 m10 listfilter[22688]: listfilter: action=DUNNO allowed per user dn
    Oct 17 11:13:26 m10 postfix/smtpd[22685]: BAE124010B: client=unknown[10.205.1.18], sasl_method=LOGIN, sasl_username=user01
    →→→→ allowed (with uid: sasl_username=user01)
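The lookup described in the bug description and the policy decisions exercised in the test log above, as an added example that is not code from the Univention bug report or from listfilter.py. It escapes the SASL username before building the OR filter over uid, mailPrimaryAddress, mailAlternativeAddress and mail, resolves the name against a constructed in-memory directory standing in for LDAP, and returns the policy action; the function names and the sample entries are assumptions.

```python
# Added example, not code from the Univention bug report or listfilter.py.
# postfix hands the policy daemon a SASL username that is either a UNIX uid
# (dovecot/PAM) or a mail address (cyrus saslauthd), so the user lookup must
# match both forms, and the value must be escaped before it enters a filter.
# Function names and the sample directory are constructed for this example.

LOOKUP_ATTRS = ('uid', 'mailPrimaryAddress', 'mailAlternativeAddress', 'mail')

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)

def sender_filter(sasl_username, attrs=LOOKUP_ATTRS):
    """OR filter resolving a uid or a mail address to a user entry.
    Pass attrs without 'mail' to drop the "contact address" match."""
    value = escape_filter_value(sasl_username)
    return '(|' + ''.join('(%s=%s)' % (a, value) for a in attrs) + ')'

def resolve_user_dn(sasl_username, directory, attrs=LOOKUP_ATTRS):
    """Same match evaluated in Python against a constructed directory of
    the form {dn: {attribute: [values]}}; returns the first hit or None."""
    for dn, entry in directory.items():
        if any(sasl_username in entry.get(a, []) for a in attrs):
            return dn
    return None

def decide(user_dn, allowed_user_dns):
    """Policy action as seen in the bug's debug log (user DNs only; the
    allowedEmailGroups branch of listfilter.py is left out here)."""
    if not allowed_user_dns:
        return 'DUNNO'   # no restrictions on the list
    if user_dn is not None and user_dn in allowed_user_dns:
        return 'DUNNO'   # allowed per user dn
    return 'REJECT'      # access denied to restricted list

# Constructed entries mirroring the test accounts in the bug's log.
DIRECTORY = {
    'uid=user01,cn=users,dc=uni,dc=dtr': {
        'uid': ['user01'], 'mailPrimaryAddress': ['user01m@uni.dtr']},
    'uid=user02,cn=users,dc=uni,dc=dtr': {
        'uid': ['user02'], 'mailPrimaryAddress': ['user02m@uni.dtr']},
}
ALLOWED = ['uid=user01,cn=users,dc=uni,dc=dtr']   # allowedEmailUsers

if __name__ == '__main__':
    for name in ('user01', 'user01m@uni.dtr', 'user02m@uni.dtr'):
        dn = resolve_user_dn(name, DIRECTORY)
        print(name, sender_filter(name), decide(dn, ALLOWED))
```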
b49a0264: handle Cyrus SASL in listfilter.py
645146c4: advisory

univention-mail-postfix 11.0.1-18A~4.2.0.201710171216
Hi

The target milestone says 4.2-3-errata. Does that indicate it should have been released with 4.2-3, or can we expect 11.0.1-18A~4.2.0.201710171216 to be included with a later errata release? (I've skimmed through the 4.2-3 repositories but couldn't yet find this version.)

Best regards
Mathieu
(In reply to Mathieu Simon from comment #6)
> Hi
>
> The target milestone says 4.2-3-errata, does that indicate it should have
> been released with 4.2-3 or can we expect 11.0.1-18A~4.2.0.201710171216 to
> be included with a later errata release?
>
> (I've skimmed through the 4.2-3 repositories but couldn't yet find this
> version.
>
> Best regards
> Mathieu

Hello Mathieu,

the fix is not included in the UCS 4.2-3 release. We are releasing it as an erratum upgrade for UCS 4.2-3 and most likely also for UCS 4.2-3. The target milestone has just been adjusted because of the release of UCS 4.2-3 yesterday.
Is there a reason to use the static LDAP filter for user accounts instead of using the UDM library to determine the currently correct one (as mentioned within the original bug description)?

    from ldap.filter import filter_format
    import univention.admin.modules

    univention.admin.modules.update()
    usersmod = univention.admin.modules.get("users/user")
    # sender is the SASL username handed over by postfix (uid or mail address)
    subfilter = filter_format('(|(uid=%s)(mailPrimaryAddress=%s)(mailAlternativeAddress=%s)(mail=%s))', (sender, sender, sender, sender))
    print str(usersmod.lookup_filter(filter_s=subfilter))
[4.2-3 775830776a9] Bug #45422: use UDM users/user filter
[4.2-3 c8fb3f44762] Bug #45422: try possible result before next LDAP query
[4.2-3 12e897585a1] Bug #45422: changelog
[4.2-3 cd5793bbc2e] Bug #45422: advisory update
[4.2-3 ffa288aebb2] Bug #45422: fix typo
[4.2-3 dbb3b266533] Bug #45422: advisory update

univention-mail-postfix 11.0.2-3A~4.2.0.201801291023

Commits were merged to 4.3-0 and built (12.0.0-10).
(In reply to Daniel Tröder from comment #9)
> [4.2-3 775830776a9] Bug #45422: use UDM users/user filter
> [4.2-3 c8fb3f44762] Bug #45422: try possible result before next LDAP query
> [4.2-3 12e897585a1] Bug #45422: changelog
> [4.2-3 cd5793bbc2e] Bug #45422: advisory update
> [4.2-3 ffa288aebb2] Bug #45422: fix typo
> [4.2-3 dbb3b266533] Bug #45422: advisory update
>
> univention-mail-postfix 11.0.2-3A~4.2.0.201801291023

OK: advisory (has been updated)
OK: code change
OK: functional test
OK: no ucs-test script required (due to UCS 4.3)

> Commits were merged to 4.3-0 and built (12.0.0-10).

OK: commits merged

→ in UCS 4.2-2, 4.2-3 and 4.3-0 there is no dependency from univention-mail-postfix to python-univention-directory-manager
→ added in 4.3-0, 4.2-3 and 4.2-2:

univention-mail-postfix (11.0.2-4)
22fd32c2d0ba | Bug #45422: add missing dependency
Package: univention-mail-postfix
Version: 11.0.2-4A~4.2.0.201802061735
Branch: ucs_4.2-0
Scope: errata4.2-3

univention-mail-postfix (12.0.0-11)
beb98a7a5358 | Bug #45422: add missing dependency
Package: univention-mail-postfix
Version: 12.0.0-11A~4.3.0.201802061738
Branch: ucs_4.3-0

→ waiting for jenkins results
OK: add missing dependency
OK: merge to 4.3
OK: jenkins results for 40_mail/12_delivery_to_mailing_list and 40_mail/36_sender_restrictions_for_mailing_lists are stable in 4.2-3 and 4.3-0.
<http://errata.software-univention.de/ucs/4.2/288.html>