Add LDAP_QUERY_FILTER_SENDERS setting for spoof protection with LDAP (#1902)
parent
6fbd1967d1
commit
271d94a37e
|
@ -112,6 +112,7 @@ COPY \
|
||||||
target/postfix/ldap-groups.cf \
|
target/postfix/ldap-groups.cf \
|
||||||
target/postfix/ldap-aliases.cf \
|
target/postfix/ldap-aliases.cf \
|
||||||
target/postfix/ldap-domains.cf \
|
target/postfix/ldap-domains.cf \
|
||||||
|
target/postfix/ldap-senders.cf \
|
||||||
/etc/postfix/
|
/etc/postfix/
|
||||||
|
|
||||||
# hadolint ignore=SC2016
|
# hadolint ignore=SC2016
|
||||||
|
|
|
@ -417,6 +417,11 @@ Note: The defaults of your fetchmailrc file need to be at the top of the file. O
|
||||||
- e.g. `(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))`
|
- e.g. `(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))`
|
||||||
- => Specify how ldap should be asked for domains
|
- => Specify how ldap should be asked for domains
|
||||||
|
|
||||||
|
##### LDAP_QUERY_FILTER_SENDERS
|
||||||
|
|
||||||
|
- **empty** => use user/alias/group maps directly, equivalent to `(|($LDAP_QUERY_FILTER_USER)($LDAP_QUERY_FILTER_ALIAS)($LDAP_QUERY_FILTER_GROUP))`
|
||||||
|
- => Override how ldap should be asked if a sender address is allowed for a user
|
||||||
|
|
||||||
##### DOVECOT_TLS
|
##### DOVECOT_TLS
|
||||||
|
|
||||||
- **empty** => no
|
- **empty** => no
|
||||||
|
|
|
@ -20,6 +20,7 @@ Have a look at the [`ENVIRONMENT.md`][github-file-env] for information on the de
|
||||||
- `LDAP_QUERY_FILTER_GROUP`
|
- `LDAP_QUERY_FILTER_GROUP`
|
||||||
- `LDAP_QUERY_FILTER_ALIAS`
|
- `LDAP_QUERY_FILTER_ALIAS`
|
||||||
- `LDAP_QUERY_FILTER_DOMAIN`
|
- `LDAP_QUERY_FILTER_DOMAIN`
|
||||||
|
- `LDAP_QUERY_FILTER_SENDERS`
|
||||||
|
|
||||||
!!! example "saslauthd"
|
!!! example "saslauthd"
|
||||||
|
|
||||||
|
|
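--- /dev/null
+++ b/target/postfix/ldap-senders.cf
@@ -0,0 +1,9 @@
+bind = yes
+bind_dn = cn=admin,dc=domain,dc=com
+bind_pw = admin
+query_filter = (mail=%s)
+result_attribute = mail, uid
+search_base = ou=people,dc=domain,dc=com
+server_host = mail.domain.com
+start_tls = no
+version = 3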
|
@ -421,6 +421,7 @@ function _setup_ldap
|
||||||
/etc/postfix/ldap-groups.cf
|
/etc/postfix/ldap-groups.cf
|
||||||
/etc/postfix/ldap-aliases.cf
|
/etc/postfix/ldap-aliases.cf
|
||||||
/etc/postfix/ldap-domains.cf
|
/etc/postfix/ldap-domains.cf
|
||||||
|
/etc/postfix/ldap-senders.cf
|
||||||
/etc/postfix/maps/sender_login_maps.ldap
|
/etc/postfix/maps/sender_login_maps.ldap
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -430,6 +431,7 @@ function _setup_ldap
|
||||||
[[ ${FILE} =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
|
[[ ${FILE} =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
|
||||||
[[ ${FILE} =~ ldap-aliases ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_ALIAS}"
|
[[ ${FILE} =~ ldap-aliases ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_ALIAS}"
|
||||||
[[ ${FILE} =~ ldap-domains ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_DOMAIN}"
|
[[ ${FILE} =~ ldap-domains ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_DOMAIN}"
|
||||||
|
[[ ${FILE} =~ ldap-senders ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_SENDERS}"
|
||||||
configomat.sh "LDAP_" "${FILE}"
|
configomat.sh "LDAP_" "${FILE}"
|
||||||
done
|
done
|
||||||
|
|
||||||
|
@ -553,7 +555,11 @@ function _setup_spoof_protection
|
||||||
|
|
||||||
if [[ ${ENABLE_LDAP} -eq 1 ]]
|
if [[ ${ENABLE_LDAP} -eq 1 ]]
|
||||||
then
|
then
|
||||||
|
if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]; then
|
||||||
postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf"
|
postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf"
|
||||||
|
else
|
||||||
|
postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf"
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
if [[ -f /etc/postfix/regexp ]]
|
if [[ -f /etc/postfix/regexp ]]
|
||||||
then
|
then
|
||||||
|
|
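Review bot: The new `else` branch replaces all three login maps with `ldap-senders.cf` alone, so a custom `LDAP_QUERY_FILTER_SENDERS` that misses an alias or group address turns into sender rejections, while one that is too broad widens who may send as whom, and nothing in the code says so. A comment above the new `if` would carry that: `# A custom senders filter replaces the user/alias/group maps entirely; it must match every address a login may send as.` The new `if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]; then` also departs from the file's style of putting `then` on its own line, as the surrounding `if [[ ${ENABLE_LDAP} -eq 1 ]]` / `then` and `if [[ -f /etc/postfix/regexp ]]` / `then` pairs in this hunk do. The `_setup_ldap` hunk above exports the possibly empty variable for `ldap-senders.cf` unconditionally, which presumably leaves a blank `query_filter` in that file when the setting is unset; that is harmless only because this branch then never references the file. `_setup_spoof_protection` starts and ends outside the hunk.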
|
@ -33,6 +33,7 @@ function setup_file() {
|
||||||
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
|
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
|
||||||
-e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \
|
-e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \
|
||||||
-e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \
|
-e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \
|
||||||
|
-e LDAP_QUERY_FILTER_SENDERS="(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))" \
|
||||||
-e DOVECOT_TLS=no \
|
-e DOVECOT_TLS=no \
|
||||||
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
||||||
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
||||||
|
@ -191,11 +192,15 @@ function teardown_file() {
|
||||||
assert_success
|
assert_success
|
||||||
}
|
}
|
||||||
|
|
||||||
# ATTENTION: this test must come after "checking dovecot: ldap mail delivery works" since it will deliver an email which skews the count in said test, leading to failure
|
# ATTENTION: these tests must come after "checking dovecot: ldap mail delivery works" since they will deliver an email which skews the count in said test, leading to failure
|
||||||
@test "checking spoofing: accepts sending as alias" {
|
@test "checking spoofing: accepts sending as alias" {
|
||||||
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
|
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
|
||||||
assert_success
|
assert_success
|
||||||
}
|
}
|
||||||
|
@test "checking spoofing: uses senders filter" {
|
||||||
|
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt | grep 'End data with'"
|
||||||
|
assert_success
|
||||||
|
}
|
||||||
|
|
||||||
# saslauthd
|
# saslauthd
|
||||||
@test "checking saslauthd: sasl ldap authentication works" {
|
@test "checking saslauthd: sasl ldap authentication works" {
|
||||||
|
|
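Review bot: The new test proves only the positive side of the filter — with `(uniqueIdentifier=some.user.id)` ORed into `LDAP_QUERY_FILTER_SENDERS` in the `setup_file` hunk, the spoofed `MAIL FROM` is accepted — but nothing in this hunk checks that an address the filter does not match is still rejected once the custom filter is active, which is the property spoof protection exists for. If an existing `checking spoofing: rejects …` case already covers that under the same container, the `# ATTENTION` comment should say so; otherwise a second case asserting on the rejection for a sender outside the filter would close the gap. `grep 'End data with'` only shows the DATA prompt was reached, so a rejection at `MAIL FROM` already makes the same pipeline fail, which is all the rejecting case would need. The file's `setup_file`/`teardown_file` scope lies outside the hunk.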
|
@ -0,0 +1,15 @@
|
||||||
|
EHLO mail
|
||||||
|
AUTH LOGIN
|
||||||
|
c29tZS51c2VyLmVtYWlsQGxvY2FsaG9zdC5sb2NhbGRvbWFpbgo=
|
||||||
|
c2VjcmV0
|
||||||
|
MAIL FROM: randomspoofedaddress@localhost.localdomain
|
||||||
|
RCPT TO: some.user@localhost.localdomain
|
||||||
|
DATA
|
||||||
|
From: spoofed_address <randomspoofedaddress@localhost.localdomain>
|
||||||
|
To: Existing Local User <some.user@localhost.localdomain>
|
||||||
|
Date: Sat, 22 May 2010 07:43:25 -0400
|
||||||
|
Subject: Test Message
|
||||||
|
This is a test mail from ldap-smtp-auth-spoofed-sender-with-filter-exception.txt
|
||||||
|
|
||||||
|
.
|
||||||
|
QUIT
|