Bug #2917
Access policy smtpauth still too restrictive
Status: | CLOSED | Start date: | ||
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | - | % Done: | 100% | |
Category: | nethserver-mail-common | |||
Target version: | v6.5 | |||
Security class: | Resolution: | |||
Affected version: | v6.5 | NEEDINFO: | No |
Description
If Postfix smtpauth
access policy is enabled, helo
and sender
checks are still enforced.
Those checks should be disabled if SMTPAUTH is provided on port 25, as 587 already does.
Packages:
nethserver-mail-filter-1.2.0-1.ns6.noarch
nethserver-mail-common-1.4.0-1.ns6.noarch
nethserver-mail-server-1.8.1-1.ns6.noarch
Associated revisions
Fixed smtpauth AccessPolicies for helo and client restriction lists. Refs #2917
With smtpauth access policy, an authenticated client should be now
subjected to the same restrictions policy, no matter on what TCP port
it is connected to (25, 587, 465).
Merge branch 'filippocarletti-b2937'. Refs #2917
Skip restrictions if user is authenticated. Refs #2917
- All checks executed after check_client_access /etc/postfix/access
- Enforced on the following restriction lists: recipient, sender,
helo, client
History
#1 Updated by Davide Principi almost 7 years ago
- Category set to nethserver-mail-server
#2 Updated by Davide Principi almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#3 Updated by Davide Principi almost 7 years ago
- Category changed from nethserver-mail-server to nethserver-mail-common
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 30 to 60
Test case
- before update, an authenticated client setting EHLO with non-FQDN host name must fail
- after update to the modified version the same client must succeed
#4 Updated by Davide Principi almost 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-mail-common-1.4.0-1.2git942b58b.ns6.noarch.rpm
#5 Updated by Giacomo Sanchietti almost 7 years ago
- Assignee set to Giacomo Sanchietti
#6 Updated by Giacomo Sanchietti almost 7 years ago
- Assignee deleted (
Giacomo Sanchietti)
#7 Updated by Davide Principi almost 7 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
smtpd_sender_restrictions are still enforced: in main.cf (with policy smtpauth enable)
smtpd_sender_restrictions = check_client_access hash:/etc/postfix/access, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
#8 Updated by Davide Principi almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#9 Updated by Davide Principi almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 30 to 60
Test case
Before update: run the following command, replacing your credentials:
$ ( TOKEN=`echo -n -e '\0USERNAME\0PASSWORD' | base64`; echo "ehlo test.domain"; sleep 3; echo "AUTH PLAIN $TOKEN"; sleep 5; echo -e "mail from: <root@here>\nrcpt to: <root@localhost>\ndata\n"; sleep 5 ) | openssl s_client -starttls smtp -host 192.168.8.2 -port 25
You get:
[...] 504 5.5.2 <root@here>: Sender address rejected: need fully-qualified address
After update:
[...] 354 End data with <CR><LF>.<CR><LF>
#10 Updated by Davide Principi almost 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-mail-common-1.4.0-1.3git0ede4ca.ns6.noarch.rpm
#11 Updated by Giacomo Sanchietti almost 7 years ago
- Assignee set to Giacomo Sanchietti
#12 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 70 to 90
VERIFIED
Packages installed:- nethserver-mail-common
- nethserver-mail-server
- nethserver-mail-filter (enforce security checks)
#13 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-mail-common-1.4.1-1.ns6.noarch.rpm