diff --git a/Dockerfile b/Dockerfile
index 54b2de44..4001bc85 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -112,6 +112,7 @@ COPY \
 target/postfix/ldap-groups.cf \
 target/postfix/ldap-aliases.cf \
 target/postfix/ldap-domains.cf \
+ target/postfix/ldap-senders.cf \
 /etc/postfix/
 # hadolint ignore=SC2016
diff --git a/ENVIRONMENT.md b/ENVIRONMENT.md
index 9fbfb885..ba949513 100644
--- a/ENVIRONMENT.md
+++ b/ENVIRONMENT.md
@@ -417,6 +417,11 @@ Note: The defaults of your fetchmailrc file need to be at the top of the file. O
 - e.g. `(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))`
 - => Specify how ldap should be asked for domains
+##### LDAP_QUERY_FILTER_SENDERS
+- **empty** => use user/alias/group maps directly, equivalent to `(|($LDAP_QUERY_FILTER_USER)($LDAP_QUERY_FILTER_ALIAS)($LDAP_QUERY_FILTER_GROUP))`
+- => Override how ldap should be asked if a sender address is allowed for a user
 ##### DOVECOT_TLS
 - **empty** => no
diff --git a/docs/content/config/advanced/auth-ldap.md b/docs/content/config/advanced/auth-ldap.md
index 66e641e1..91f4efba 100644
--- a/docs/content/config/advanced/auth-ldap.md
+++ b/docs/content/config/advanced/auth-ldap.md
@@ -20,6 +20,7 @@ Have a look at the [`ENVIRONMENT.md`][github-file-env] for information on the de
 - `LDAP_QUERY_FILTER_GROUP`
 - `LDAP_QUERY_FILTER_ALIAS`
 - `LDAP_QUERY_FILTER_DOMAIN`
+ - `LDAP_QUERY_FILTER_SENDERS`
 !!! example "saslauthd"
@@ -124,4 +125,4 @@ The following example illustrates this for a directory that has the qmail-schema
 - DOVECOT_USER_FILTER=(&(objectClass=qmailUser)(uid=%u)(accountStatus=active))
 ```
-[github-file-env]: https://github.com/docker-mailserver/docker-mailserver/blob/master/ENVIRONMENT.md
\ No newline at end of file
+[github-file-env]: https://github.com/docker-mailserver/docker-mailserver/blob/master/ENVIRONMENT.md
diff --git a/target/postfix/ldap-senders.cf b/target/postfix/ldap-senders.cf
new file mode 100644
index 00000000..5f1ed6f5
--- /dev/null
+++ b/target/postfix/ldap-senders.cf
@@ -0,0 +1,9 @@
+bind = yes
+bind_dn = cn=admin,dc=domain,dc=com
+bind_pw = admin
+query_filter = (mail=%s)
+result_attribute = mail, uid
+search_base = ou=people,dc=domain,dc=com
+server_host = mail.domain.com
+start_tls = no
+version = 3
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index c95b27cd..b48c5c34 100644
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@@ -421,6 +421,7 @@ function _setup_ldap
 /etc/postfix/ldap-groups.cf
 /etc/postfix/ldap-aliases.cf
 /etc/postfix/ldap-domains.cf
+ /etc/postfix/ldap-senders.cf
 /etc/postfix/maps/sender_login_maps.ldap
 )
@@ -430,6 +431,7 @@ function _setup_ldap
 [[ ${FILE} =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
 [[ ${FILE} =~ ldap-aliases ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_ALIAS}"
 [[ ${FILE} =~ ldap-domains ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_DOMAIN}"
+ [[ ${FILE} =~ ldap-senders ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_SENDERS}"
 configomat.sh "LDAP_" "${FILE}"
 done
@@ -553,7 +555,11 @@ function _setup_spoof_protection
 if [[ ${ENABLE_LDAP} -eq 1 ]]
 then
- postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf"
+ if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]; then
+ postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf"
+ else
+ postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf"
+ fi
 else
 if [[ -f /etc/postfix/regexp ]]
 then
diff --git a/test/mail_with_ldap.bats b/test/mail_with_ldap.bats
index 408a7188..3ff75f8b 100644
--- a/test/mail_with_ldap.bats
+++ b/test/mail_with_ldap.bats
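Review bot: `result_attribute = mail, uid` is fixed in this template while only the filter is made overridable (setup-stack.sh exports just `LDAP_QUERY_FILTER` for this file), so whatever `LDAP_QUERY_FILTER_SENDERS` matches, the owner names Postfix compares against the SASL login are always the `mail` and `uid` values of the matched entries. A directory whose SASL login name is held in some other attribute cannot use this map, and neither the template nor the ENVIRONMENT.md entry says so; I'd add `# result_attribute must yield the SASL login name(s); only query_filter is templated from LDAP_QUERY_FILTER_SENDERS` at the top, or expose the attribute list as its own variable. The `bind_pw = admin` and `start_tls = no` values are presumably placeholders rewritten by configomat from the `LDAP_`-prefixed environment, like the sibling ldap-*.cf templates that are not in view, so I would not treat them as a finding here.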
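Review bot: `LDAP_QUERY_FILTER` is never reset inside the loop, so the value exported for one file carries into the next iteration whose name matches none of the patterns; with the new line, `/etc/postfix/maps/sender_login_maps.ldap` (the entry right after `ldap-senders.cf` in the array) is now handed to configomat with the senders filter, or with an empty string when `LDAP_QUERY_FILTER_SENDERS` is unset, where it previously saw the domain filter. If that template contains a `query_filter` placeholder (not visible here), its rendered output changes with this commit. Starting each iteration with `export LDAP_QUERY_FILTER=''` before the pattern chain, or replacing the chain with `case "${FILE}" in ... esac`, would make each file's filter explicit. The loop header and the rest of `_setup_ldap` are outside this hunk.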
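Review bot: The new `if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]; then` puts `then` on the same line, while every neighbouring conditional in this function (`if [[ ${ENABLE_LDAP} -eq 1 ]]` / `then`, `if [[ -f /etc/postfix/regexp ]]` / `then`) keeps it on its own line; match the surrounding layout. The else branch also deserves a comment, because a non-empty `LDAP_QUERY_FILTER_SENDERS` replaces the users/aliases/groups maps rather than adding to them: `# a custom senders filter replaces the user/alias/group maps entirely`. The test added by this commit relies on exactly that: its filter carries an unconditional `(uniqueIdentifier=some.user.id)` clause and a spoofed `MAIL FROM` is accepted, so a too-broad filter silently disables the sender spoofing protection this function sets up — the ENVIRONMENT.md entry should warn that the filter's result set becomes the sole authority. The remaining branches of `_setup_spoof_protection` are outside this hunk.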
@@ -33,6 +33,7 @@ function setup_file() {
 -e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
 -e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \
 -e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \
+ -e LDAP_QUERY_FILTER_SENDERS="(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))" \
 -e DOVECOT_TLS=no \
 -e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
 -e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
@@ -191,11 +192,15 @@ function teardown_file() {
 assert_success
 }
-# ATTENTION: this test must come after "checking dovecot: ldap mail delivery works" since it will deliver an email which skews the count in said test, leading to failure
+# ATTENTION: these tests must come after "checking dovecot: ldap mail delivery works" since they will deliver an email which skews the count in said test, leading to failure
 @test "checking spoofing: accepts sending as alias" {
 run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
 assert_success
 }
+@test "checking spoofing: uses senders filter" {
+ run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt | grep 'End data with'"
+ assert_success
+}
 # saslauthd
 @test "checking saslauthd: sasl ldap authentication works" {
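Review bot: The new `checking spoofing: uses senders filter` test only proves the map is consulted in the permissive direction — the filter set in `setup_file` ends with an unconditional `(uniqueIdentifier=some.user.id)` clause, so the spoofed `MAIL FROM` is accepted for any address. Nothing in this hunk checks that a sender the filter does not match is still rejected, so a regression that made `smtpd_sender_login_maps` return the user for everything, or bypassed the map, would pass unnoticed. Unless a rejection case already exists elsewhere in this file, I'd add a companion fixture whose login is not covered by the filter and assert on the rejection reply rather than on `End data with`. The `setup_file` body and the surrounding test list are outside this hunk.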
diff --git a/test/test-files/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt b/test/test-files/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt
new file mode 100644
index 00000000..bc0447af
--- /dev/null
+++ b/test/test-files/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt
@@ -0,0 +1,15 @@
+EHLO mail
+AUTH LOGIN
+c29tZS51c2VyLmVtYWlsQGxvY2FsaG9zdC5sb2NhbGRvbWFpbgo=
+c2VjcmV0
+MAIL FROM: randomspoofedaddress@localhost.localdomain
+RCPT TO: some.user@localhost.localdomain
+DATA
+From: spoofed_address
+To: Existing Local User
+Date: Sat, 22 May 2010 07:43:25 -0400
+Subject: Test Message
+This is a test mail from ldap-smtp-auth-spoofed-sender-with-filter-exception.txt
+
+.
+QUIT
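Review bot: The AUTH LOGIN username line `c29tZS51c2VyLmVtYWlsQGxvY2FsaG9zdC5sb2NhbGRvbWFpbgo=` decodes to `some.user.email@localhost.localdomain` followed by a newline (the `go=` tail), whereas the password line `c2VjcmV0` decodes to `secret` with none — the usual `echo | base64` versus `printf` mismatch. If the bats test passes, the auth backend is evidently tolerating the stray byte, but the fixture then does not exercise the exact login name that the sender map result is compared against. I'd regenerate it with `printf '%s' 'some.user.email@localhost.localdomain' | base64`, which gives `c29tZS51c2VyLmVtYWlsQGxvY2FsaG9zdC5sb2NhbGRvbWFpbg==`, and check whether the sibling spoofed-alias fixture (not in view) has the same issue.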