1 (edited by camel1cz 2013-07-03 22:27:47)

Topic: Bug in sender_login_mismatch.py

Hi Zhang,

I have found a bug in the iRedAPD plugin sender_login_mismatch: it compares the sender and SASL username case-sensitively.

I have fixed this in my plugin sources like this:

Original sender_login_mismatch.py line 29:

sender = kwargs['sender']

Fixed line 29:

sender = kwargs['sender'].lower()

The idea is, I think, clear: since you lowercase the SASL username, you should also lowercase the sender address...

It would also be nice to note somewhere how to activate the iRedAPD checks for senders. I added the check first in smtpd_sender_restrictions, but I'm not sure if that's the best...

Take care

2

Re: Bug in sender_login_mismatch.py

Fixed, always use lower case of sender, recipient, sasl_username:
https://bitbucket.org/zhb/iredapd/commi … 6774483cb1

It's noted at the head of the plugin file, plugins/reject_sender_login_mismatch.py:

"""Reject sender login mismatch (sender in mail header and SASL username).

*) You should remove "sender_login_mismatch" in Postfix
   "smtpd_sender_restrictions" and let this plugin do it for you.

*) Please list all allowed senders in iRedAPD config file (settings.py),
   parameter ALLOWED_LOGIN_MISMATCH_SENDERS. For example:

    ALLOWED_LOGIN_MISMATCH_SENDERS = ['user1@here.com', 'user2@here.com']
"""
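
The case handling discussed in this thread, as an added example that is not part of the original posts and is not iRedAPD's code. The function names, the `case_sensitive_sender` switch and the choice to return DUNNO for unauthenticated sessions are assumptions made for illustration; the request is a constructed sample.

```python
# Added example, not iRedAPD's code; attribute names follow Postfix policy delegation.

# Assumption: same role as the settings.py parameter quoted above, all lowercase.
ALLOWED_LOGIN_MISMATCH_SENDERS = ['user1@here.com', 'user2@here.com']


def parse_request(raw):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break  # the empty line terminates the request
        name, sep, value = line.partition('=')
        if sep:
            attrs[name] = value
    return attrs


def check(attrs, case_sensitive_sender=False):
    """Return the action for the sender/login comparison.
    case_sensitive_sender=True reproduces the reported behaviour: the SASL
    username is lowercased, the sender is compared exactly as received.
    """
    sasl_username = attrs.get('sasl_username', '').lower()
    sender = attrs.get('sender', '')
    if not case_sensitive_sender:
        sender = sender.lower()
    if not sasl_username:
        return 'DUNNO'  # assumption: unauthenticated mail is left to other rules
    if sender == sasl_username or sender in ALLOWED_LOGIN_MISMATCH_SENDERS:
        return 'DUNNO'
    return 'REJECT Sender login mismatch'


# Constructed sample request in the form Postfix sends to a policy service.
SAMPLE = (
    'request=smtpd_access_policy\n'
    'protocol_state=RCPT\n'
    'sender=John.Doe@Example.com\n'
    'recipient=someone@elsewhere.test\n'
    'sasl_username=john.doe@example.com\n'
    '\n'
)

if __name__ == '__main__':
    request = parse_request(SAMPLE)
    print('case-sensitive:', check(request, case_sensitive_sender=True))
    print('lowercased:    ', check(request))
```

With the sender compared as received, the authenticated user in the sample is rejected for a mismatch that exists only in letter case; lowercasing both sides lets the same request pass.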

3

Re: Bug in sender_login_mismatch.py

Thanks. Just regarding the activation of this check: IMHO it's not enough to do the two steps quoted above. I did both and iRedAPD wasn't called for authenticated users. Only after I put the call to iRedAPD in the sender restrictions (quoted below) did it start to work as expected.

smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated

Can you please confirm it's correct and/or suggest a better way?

4

Re: Bug in sender_login_mismatch.py

*) iRedAPD should be enabled in smtpd_recipient_restrictions by default, you don't need to add it in smtpd_sender_restrictions again.
*) Make sure you place 'check_policy_service inet:127.0.0.1:7777' in smtpd_recipient_restrictions before 'permit_mynetworks'. Default value is:

smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ...

Some more details:

According to the Postfix documentation [1], 'The "recipient" attribute is available in the "RCPT TO" stage. It is also available in the "DATA" and "END-OF-MESSAGE" stages if Postfix accepted only one recipient for the current message.', so we usually enable the Postfix policy server in smtpd_recipient_restrictions; some policy servers are invoked in smtpd_end_of_data_restrictions to get the message size and other attributes for restriction.

[1] Postfix SMTP Access Policy Delegation: http://www.postfix.org/SMTPD_POLICY_README.html

5

Re: Bug in sender_login_mismatch.py

How can I activate Signature