Add LDAP_QUERY_FILTER_SENDERS setting for spoof protection with LDAP #1902
Conversation
|
LGTM, but I'm not using LDAP myself. I will request a review. |
|
Setting smtpd_sasl_local_domain to an empty string changes the lookup key for the authentication in case the SMTP client does not send an authentication with a domain name, e.g. if he tries to authenticate with "foo" and smtpd_sasl_local_domain = "bar.com", then he would authenticate with "foo@bar.com" against SASL - see check_sasl_access in postfix manual. Note that SPOOF_PROTECTION=1 does already work on my system using LDAP aliases for my accounts (*), so I think this is more a configuration issue, especially given that you replace all other lookups with a new lookup. Removing the requirement for $mydomain in smtpd_sasl_local_domain leads me to believe that the underlying problem is that your initial lookup maps do not match your domain settings. (*) I'm currently using LDAP with a Kopano-LDAP-schema like so: In my setup, both mail and kopanoAliases attributes contain fully qualified email addresses of my current domain and domains I want to use for relay hosts. The uid is the local part without the domain name. I'm using LDAP_DOMAIN for the same LDAP container you are using with no subdomain. @moqmar Given your original bug report, can you first check your SASLAUTHD_MECHANISMS as the default is "pam" and you either want to use ldap or rimap (with SASLAUTHD_MECH_OPTIONS containing the IP/FQDN of your dovecot). I'm using the latter which should ignore the SASLAUTHD_LDAP_FILTER settings. |
…(can fix docker-mailserver#1340 in some configurations)
|
Ah, your SASLAUTHD_LDAP_FILTER isn't being used at all because you're using rimap. According to https://blog.sys4.de/cyrus-sasl-saslauthdconf-man-page-en.html, When using that TL;DR: SASLAUTHD_LDAP_FILTER doesn't really work reliably in general, and has not much to do with this; when leaving So, it doesn't seem like this solves #1340 (as it seems to be working now in general), but I'd still like to see this merged. The big advantage of the sender filter (even if it works without this PR) is that it just provides a lot more flexibility. I'm using basically the following filter for example: This means that only That kind of flexibility would be impossible to achieve without an additional sender filter table. |
moqmar
force-pushed
the
bugfix/ldap-spoof-protection
branch
from
33c1f47
to
5e1ec62
Compare
There was a problem hiding this comment.
Can you please write another test that shows that your changes work both ways?
This should be the correct file:
https://github.com/docker-mailserver/docker-mailserver/blob/master/test/mail_with_ldap.bats
Marking this with low priority as the mailserver works without your change as well.
wernerfred
added
pr/missing integration tests
|
Test has been added - I set the variable so that additionally to the original behaviour, the user The "rejects sender forging" test then checks if spoofing fails for |
There was a problem hiding this comment.
Thanks for your changes. Really appreciate your contribution and the fact that you wrote some tests!
I will approve this PR BUT I would really like to see the nice explanation you already provided in the documentation.
Can you add this:
The big advantage of the sender filter (even if it works without this PR) is that it just provides
a lot more flexibility. I'm using basically the following filter for example:
(&
(memberOf=cn=employee,ou=groups,dc=example,dc=org)
(|
(&(mail=%u@example.org)(mail=%s))
(mail=noreply@example.org)
(memberOf=cn=admin,ou=groups,dc=example,dc=org)
)
)
This means that only employee members can send any emails (even if others might have an IMAP inbox and can receive emails), only from their email address @example.org (even if they also have an additional @blah.com in the LDAP, and maybe even can receive emails on that address). Also, noreply@example.org and members of the admin group can send emails from any address.That kind of flexibility would be impossible to achieve without an additional sender filter table.
to probably this page (or another one if you find a better spot) before this gets merged?
|
For the LDAP documentation, I'd like to generally create a separate PR as the other variables aren't really explained yet either, is that fine for you? |
Absolutely fine. Would be wonderful if you could give the LDAP documentation some love. Feel free to open the PR as WIP so we can keep track of ongoing changes and support you :) |
Description
This adds an environment variable
LDAP_QUERY_FILTER_SENDERSthat determines if a user is allowed to use a specific identity to send an email - for example, we're using something like(|(mail=%s)(mail=noreply@example.com)), to allow users to send an email if they either have the mail address they want to send as or if they have the mail address noreply@example.com. This applies only if SPOOF_PROTECTION=1.Also, as suggested in #1340, this sets smtpd_sasl_local_domain to an empty string - it seems like without that it won't work, but I couldn't figure out the implications of that, so that might be worth discussing.(that change has been reverted as the issue itself seems to have been fixed in the meantime)If the environment variable is empty, the old sender
smtpd_sender_login_mapsbehaviour will be used.Fixes #1340
Type of change
Bug fix (non-breaking change which fixes an issue)Checklist: