1

Topic: accesspolicy and aliased domains

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Ubuntu 14.04.3 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue:
====

In the database table vmail.alias_domain I have an "alias.com" domain that's an alias of "domain.com".

In the database table vmail.alias I have a list name with the following data:
- address: list@domain.com
- goto: comma-separated list of recipients
- accesspolicy: domain
- domain: domain.com

According to the "accesspolicy" field, only the domain accounts should be able to send emails to list@domain.com.

The access policy is taken into account in case external senders try to send an email to list@domain.com (the email delivery is refused).

BTW, if an external sender sends an email to list@alias.com, the email gets delivered (the access policy is not taken into account).


2

Re: accesspolicy and aliased domains

mlocati wrote:

BTW, if an external sender sends an email to list@alias.com, the email gets delivered (the access policy is not taken into account).

I will try to reproduce this issue and come back with a fix. Thanks for the feedback.

3

Re: accesspolicy and aliased domains

Fixed, and here's a patch for iRedAPD-1.6.0. Please let me know whether or not it works for you.

Post's attachments

sql_alias_access_policy.patch 4.38 kb, 3 downloads since 2015-10-14 


4

Re: accesspolicy and aliased domains

I will test it and give you feedback.

PS: just a minor note: reading the code, it seems that rcpt_alias_domains is defined twice: at line 68 and at line 115 of the patched file.

5

Re: accesspolicy and aliased domains

You're correct, please remove either one.

6

Re: accesspolicy and aliased domains

I tested it and it works fine for external users.

BTW, now there's another problem:

Let's say we have two alias domains (alias1.com and alias2.com), both aliases of the same domain.

If accesspolicy is set to "domain", and I send an email from "user@alias1.com" to "list@alias2.com", iredapd refuses to send the email.
It seems that the problem is here:

    # Get alias domains.
    sql = """SELECT alias_domain
               FROM alias_domain
              WHERE
                    alias_domain='%s'
                    AND target_domain='%s'
              LIMIT 1
              """ % (sender_domain, recipient_domain)

IMHO, instead of recipient_domain we should have real_recipient_domain (and we should be sure that real_recipient_domain is defined even when the "if not policy_record:" at line 73 is not executed).

7

Re: accesspolicy and aliased domains

mlocati wrote:

IMHO, instead of recipient_domain we should have real_recipient_domain (and we should be sure that real_recipient_domain is defined even when the "if not policy_record:" at line 73 is not executed).

You're right. Here's a patch to fix it. WARNING: this patch may not work for iRedAPD-1.6.0, I suggest you modify the file manually.

diff -r e7cb5856e7ce plugins/sql_alias_access_policy.py
--- a/plugins/sql_alias_access_policy.py    Wed Oct 14 15:39:21 2015 +0800
+++ b/plugins/sql_alias_access_policy.py    Wed Oct 14 16:04:32 2015 +0800
@@ -64,6 +64,9 @@
     recipient = kwargs['recipient']
     recipient_domain = kwargs['recipient_domain']
 
+    # used when recipient_domain is an alias domain
+    real_recipient_domain = recipient_domain
+
     policy_record = get_access_policy_and_more(conn, recipient)
 
     # Recipient account doesn't exist.
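Review bot: The new default "real_recipient_domain = recipient_domain" only helps if the branch under "# Recipient account doesn't exist." overwrites it with the alias domain's target, and that assignment is outside this hunk, so please confirm it is there. The comment could also say what the variable holds in each case: the target domain after a successful alias-domain lookup, the original recipient domain otherwise. Any later comparison in this function that still uses recipient_domain deserves the same look as the query changed in the next hunk.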
@@ -119,7 +122,7 @@
                     alias_domain='%s'
                     AND target_domain='%s'
               LIMIT 1
-              """ % (sender_domain, recipient_domain)
+              """ % (sender_domain, real_recipient_domain)
     logger.debug('[SQL] query alias domains: \n%s' % sql)
 
     qr = conn.execute(sql)
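Review bot: In the changed line "% (sender_domain, real_recipient_domain)" both values are still interpolated into the SQL text before "qr = conn.execute(sql)"; recipient_domain comes straight from kwargs in the first hunk, and where sender_domain comes from is not visible here. Consider passing both as bound parameters if the connection object supports that, or validating them as domain names before building the string. The logger.debug line can then print the query and the values separately.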

8

Re: accesspolicy and aliased domains

Here's the log that highlights the problem:

2015-10-14 08:00:11 DEBUG --> Apply plugin: sql_alias_access_policy
2015-10-14 08:00:11 DEBUG [SQL] query access policy:
SELECT accesspolicy, goto, moderators
               FROM alias
              WHERE
                    address='list@alias2.com'
                    AND islist=1
                    AND active=1
              LIMIT 1

2015-10-14 08:00:11 DEBUG SQL query result: None
2015-10-14 08:00:11 DEBUG [SQL] Check whether recipient domain is an alias domain:
SELECT target_domain
                   FROM alias_domain
                  WHERE alias_domain = 'alias2.com'
                  LIMIT 1

2015-10-14 08:00:11 DEBUG [SQL] query result: ('domain.com',)
2015-10-14 08:00:11 DEBUG [SQL] query access policy:
SELECT accesspolicy, goto, moderators
               FROM alias
              WHERE
                    address='list@domain.com'
                    AND islist=1
                    AND active=1
              LIMIT 1

2015-10-14 08:00:11 DEBUG SQL query result: ('domain', 'recipient1@domain.com,recipient2@domain.com', None)
2015-10-14 08:00:11 DEBUG Access policy: domain
2015-10-14 08:00:11 DEBUG members: recipient1@domain.com, recipient2@domain.com
2015-10-14 08:00:11 DEBUG moderators: none
2015-10-14 08:00:11 DEBUG [SQL] query alias domains:
SELECT alias_domain
               FROM alias_domain
              WHERE
                    alias_domain='alias1.com'
                    AND target_domain='alias2.com'
              LIMIT 1

2015-10-14 08:00:11 DEBUG No alias domain.
2015-10-14 08:00:11 DEBUG <-- Result: REJECT Not authorized

As you can see, we should have

AND target_domain='domain.com'

and not

AND target_domain='alias2.com'
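A runnable model of the three behaviours seen in this thread, added here as an illustration and not iRedAPD's own code: stage 0 ignores alias domains, stage 1 resolves the alias domain for the policy lookup only, stage 2 also uses the resolved domain in the sender check. It assumes sqlite3 in place of MySQL, reduced tables with constructed rows, bound parameters, and hypothetical names (make_db, get_policy, check, stage).

```python
import sqlite3

def make_db():
    # Constructed sample rows following the thread's description; only the
    # columns the check needs, not the full iRedMail schema.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE alias_domain (alias_domain TEXT, target_domain TEXT);
        CREATE TABLE alias (address TEXT, accesspolicy TEXT, islist INT, active INT);
        INSERT INTO alias_domain VALUES ('alias1.com', 'domain.com');
        INSERT INTO alias_domain VALUES ('alias2.com', 'domain.com');
        INSERT INTO alias VALUES ('list@domain.com', 'domain', 1, 1);
    """)
    return conn

def get_policy(conn, address):
    row = conn.execute(
        "SELECT accesspolicy FROM alias"
        " WHERE address = ? AND islist = 1 AND active = 1 LIMIT 1",
        (address,)).fetchone()
    return row[0] if row else None

def check(conn, sender, recipient, stage):
    """Model of the 'domain' policy only. Addresses are assumed lower-case.
    Returns 'DUNNO' (Postfix: no objection) or 'REJECT Not authorized'."""
    sender_domain = sender.rsplit("@", 1)[1]
    local, recipient_domain = recipient.rsplit("@", 1)
    real_recipient_domain = recipient_domain  # default when no alias domain
    policy = get_policy(conn, recipient)
    if policy is None and stage >= 1:
        row = conn.execute(
            "SELECT target_domain FROM alias_domain WHERE alias_domain = ? LIMIT 1",
            (recipient_domain,)).fetchone()
        if row:
            real_recipient_domain = row[0]
            policy = get_policy(conn, local + "@" + real_recipient_domain)
    if policy != "domain":
        return "DUNNO"  # no list policy found, so nothing is enforced
    # Stage 1 still compares against the unresolved recipient domain.
    compare = real_recipient_domain if stage >= 2 else recipient_domain
    allowed = sender_domain == compare or conn.execute(
        "SELECT 1 FROM alias_domain"
        " WHERE alias_domain = ? AND target_domain = ? LIMIT 1",
        (sender_domain, compare)).fetchone() is not None
    return "DUNNO" if allowed else "REJECT Not authorized"
```

Stage 1 with sender user@alias1.com and recipient list@alias2.com reproduces the rejection in the log above, because the last query runs with target_domain set to alias2.com.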

9

Re: accesspolicy and aliased domains

mlocati wrote:

Here's the log that highlights the problem:...

Sorry, I didn't see that you posted a reply

10

Re: accesspolicy and aliased domains

Ok, I can confirm that everything is working fine, now, thank you!

11

Re: accesspolicy and aliased domains

Thanks for the feedback and helping test. :)