Add LDAP_QUERY_FILTER_SENDERS setting for spoof protection with LDAP (#1902)

Dockerfile

@@ -112,6 +112,7 @@ COPY \
   target/postfix/ldap-groups.cf \
   target/postfix/ldap-aliases.cf \
   target/postfix/ldap-domains.cf \
+  target/postfix/ldap-senders.cf \
   /etc/postfix/
 
 # hadolint ignore=SC2016

ENVIRONMENT.md

@@ -417,6 +417,11 @@ Note: The defaults of your fetchmailrc file need to be at the top of the file. O
 - e.g. `(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))`
 - => Specify how ldap should be asked for domains
 
+##### LDAP_QUERY_FILTER_SENDERS
+
+- **empty**  => use user/alias/group maps directly, equivalent to `(|($LDAP_QUERY_FILTER_USER)($LDAP_QUERY_FILTER_ALIAS)($LDAP_QUERY_FILTER_GROUP))`
+- => Override how ldap should be asked if a sender address is allowed for a user
+
 ##### DOVECOT_TLS
 
 - **empty** => no

docs/content/config/advanced/auth-ldap.md

@@ -20,6 +20,7 @@ Have a look at the [`ENVIRONMENT.md`][github-file-env] for information on the de
     - `LDAP_QUERY_FILTER_GROUP`
     - `LDAP_QUERY_FILTER_ALIAS`
     - `LDAP_QUERY_FILTER_DOMAIN`
+    - `LDAP_QUERY_FILTER_SENDERS`
 
 !!! example "saslauthd"
 
@@ -124,4 +125,4 @@ The following example illustrates this for a directory that has the qmail-schema
 - DOVECOT_USER_FILTER=(&(objectClass=qmailUser)(uid=%u)(accountStatus=active))
 ```
 
-[github-file-env]: https://github.com/docker-mailserver/docker-mailserver/blob/master/ENVIRONMENT.md
+[github-file-env]: https://github.com/docker-mailserver/docker-mailserver/blob/master/ENVIRONMENT.md

target/postfix/ldap-senders.cf

@@ -0,0 +1,9 @@
+bind             = yes
+bind_dn          = cn=admin,dc=domain,dc=com
+bind_pw          = admin
+query_filter     = (mail=%s)
+result_attribute = mail, uid
+search_base      = ou=people,dc=domain,dc=com
+server_host      = mail.domain.com
+start_tls        = no
+version          = 3

target/scripts/startup/setup-stack.sh

@@ -421,6 +421,7 @@ function _setup_ldap
     /etc/postfix/ldap-groups.cf
     /etc/postfix/ldap-aliases.cf
     /etc/postfix/ldap-domains.cf
+    /etc/postfix/ldap-senders.cf
     /etc/postfix/maps/sender_login_maps.ldap
   )
 
@@ -430,6 +431,7 @@ function _setup_ldap
     [[ ${FILE} =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
     [[ ${FILE} =~ ldap-aliases ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_ALIAS}"
     [[ ${FILE} =~ ldap-domains ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_DOMAIN}"
+    [[ ${FILE} =~ ldap-senders ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_SENDERS}"
     configomat.sh "LDAP_" "${FILE}"
   done
 
@@ -553,7 +555,11 @@ function _setup_spoof_protection
 
   if [[ ${ENABLE_LDAP} -eq 1 ]]
   then
-    postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf"
+    if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]; then
+      postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf"
+    else
+      postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf"
+    fi
   else
     if [[ -f /etc/postfix/regexp ]]
     then

test/mail_with_ldap.bats

@@ -33,6 +33,7 @@ function setup_file() {
 		-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
 		-e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \
 		-e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \
+		-e LDAP_QUERY_FILTER_SENDERS="(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))" \
 		-e DOVECOT_TLS=no \
 		-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
 		-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
@@ -191,11 +192,15 @@ function teardown_file() {
   assert_success
 }
 
-# ATTENTION: this test must come after "checking dovecot: ldap mail delivery works" since it will deliver an email which skews the count in said test, leading to failure
+# ATTENTION: these tests must come after "checking dovecot: ldap mail delivery works" since they will deliver an email which skews the count in said test, leading to failure
 @test "checking spoofing: accepts sending as alias" {
   run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
   assert_success
 }
+@test "checking spoofing: uses senders filter" {
+  run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt | grep 'End data with'"
+  assert_success
+}
 
 # saslauthd
 @test "checking saslauthd: sasl ldap authentication works" {

test/test-files/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt

@@ -0,0 +1,15 @@
+EHLO mail
+AUTH LOGIN
+c29tZS51c2VyLmVtYWlsQGxvY2FsaG9zdC5sb2NhbGRvbWFpbgo=
+c2VjcmV0
+MAIL FROM: randomspoofedaddress@localhost.localdomain
+RCPT TO: some.user@localhost.localdomain
+DATA
+From: spoofed_address <randomspoofedaddress@localhost.localdomain>
+To: Existing Local User <some.user@localhost.localdomain>
+Date: Sat, 22 May 2010 07:43:25 -0400
+Subject: Test Message
+This is a test mail from ldap-smtp-auth-spoofed-sender-with-filter-exception.txt
+
+.
+QUIT