Add LDAP_QUERY_FILTER_SENDERS setting for spoof protection with LDAP (#1902)

This commit is contained in:
Moritz Marquardt 2021-04-17 22:40:19 +02:00 committed by GitHub
parent 6fbd1967d1
commit 271d94a37e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 45 additions and 3 deletions

View file

@ -112,6 +112,7 @@ COPY \
target/postfix/ldap-groups.cf \ target/postfix/ldap-groups.cf \
target/postfix/ldap-aliases.cf \ target/postfix/ldap-aliases.cf \
target/postfix/ldap-domains.cf \ target/postfix/ldap-domains.cf \
target/postfix/ldap-senders.cf \
/etc/postfix/ /etc/postfix/
# hadolint ignore=SC2016 # hadolint ignore=SC2016

View file

@ -417,6 +417,11 @@ Note: The defaults of your fetchmailrc file need to be at the top of the file. O
- e.g. `(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))` - e.g. `(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))`
- => Specify how ldap should be asked for domains - => Specify how ldap should be asked for domains
##### LDAP_QUERY_FILTER_SENDERS
- **empty** => use user/alias/group maps directly, equivalent to `(|($LDAP_QUERY_FILTER_USER)($LDAP_QUERY_FILTER_ALIAS)($LDAP_QUERY_FILTER_GROUP))`
- => Override how ldap should be asked if a sender address is allowed for a user
##### DOVECOT_TLS ##### DOVECOT_TLS
- **empty** => no - **empty** => no

View file

@ -20,6 +20,7 @@ Have a look at the [`ENVIRONMENT.md`][github-file-env] for information on the de
- `LDAP_QUERY_FILTER_GROUP` - `LDAP_QUERY_FILTER_GROUP`
- `LDAP_QUERY_FILTER_ALIAS` - `LDAP_QUERY_FILTER_ALIAS`
- `LDAP_QUERY_FILTER_DOMAIN` - `LDAP_QUERY_FILTER_DOMAIN`
- `LDAP_QUERY_FILTER_SENDERS`
!!! example "saslauthd" !!! example "saslauthd"

View file

@ -0,0 +1,9 @@
bind = yes
bind_dn = cn=admin,dc=domain,dc=com
bind_pw = admin
query_filter = (mail=%s)
result_attribute = mail, uid
search_base = ou=people,dc=domain,dc=com
server_host = mail.domain.com
start_tls = no
version = 3

View file

@ -421,6 +421,7 @@ function _setup_ldap
/etc/postfix/ldap-groups.cf /etc/postfix/ldap-groups.cf
/etc/postfix/ldap-aliases.cf /etc/postfix/ldap-aliases.cf
/etc/postfix/ldap-domains.cf /etc/postfix/ldap-domains.cf
/etc/postfix/ldap-senders.cf
/etc/postfix/maps/sender_login_maps.ldap /etc/postfix/maps/sender_login_maps.ldap
) )
@ -430,6 +431,7 @@ function _setup_ldap
[[ ${FILE} =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}" [[ ${FILE} =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
[[ ${FILE} =~ ldap-aliases ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_ALIAS}" [[ ${FILE} =~ ldap-aliases ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_ALIAS}"
[[ ${FILE} =~ ldap-domains ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_DOMAIN}" [[ ${FILE} =~ ldap-domains ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_DOMAIN}"
[[ ${FILE} =~ ldap-senders ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_SENDERS}"
configomat.sh "LDAP_" "${FILE}" configomat.sh "LDAP_" "${FILE}"
done done
@ -553,7 +555,11 @@ function _setup_spoof_protection
if [[ ${ENABLE_LDAP} -eq 1 ]] if [[ ${ENABLE_LDAP} -eq 1 ]]
then then
postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf" if [[ -z ${LDAP_QUERY_FILTER_SENDERS} ]]; then
postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf"
else
postconf -e "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf"
fi
else else
if [[ -f /etc/postfix/regexp ]] if [[ -f /etc/postfix/regexp ]]
then then

View file

@ -33,6 +33,7 @@ function setup_file() {
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \ -e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
-e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \ -e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \
-e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \ -e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \
-e LDAP_QUERY_FILTER_SENDERS="(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))" \
-e DOVECOT_TLS=no \ -e DOVECOT_TLS=no \
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \ -e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \ -e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
@ -191,11 +192,15 @@ function teardown_file() {
assert_success assert_success
} }
# ATTENTION: this test must come after "checking dovecot: ldap mail delivery works" since it will deliver an email which skews the count in said test, leading to failure # ATTENTION: these tests must come after "checking dovecot: ldap mail delivery works" since they will deliver an email which skews the count in said test, leading to failure
@test "checking spoofing: accepts sending as alias" { @test "checking spoofing: accepts sending as alias" {
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'" run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
assert_success assert_success
} }
@test "checking spoofing: uses senders filter" {
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt | grep 'End data with'"
assert_success
}
# saslauthd # saslauthd
@test "checking saslauthd: sasl ldap authentication works" { @test "checking saslauthd: sasl ldap authentication works" {

View file

@ -0,0 +1,15 @@
EHLO mail
AUTH LOGIN
c29tZS51c2VyLmVtYWlsQGxvY2FsaG9zdC5sb2NhbGRvbWFpbgo=
c2VjcmV0
MAIL FROM: randomspoofedaddress@localhost.localdomain
RCPT TO: some.user@localhost.localdomain
DATA
From: spoofed_address <randomspoofedaddress@localhost.localdomain>
To: Existing Local User <some.user@localhost.localdomain>
Date: Sat, 22 May 2010 07:43:25 -0400
Subject: Test Message
This is a test mail from ldap-smtp-auth-spoofed-sender-with-filter-exception.txt
.
QUIT