Bug #2917

Access policy smtpauth still too restrictive

Added by Davide Principi about 5 years ago. Updated almost 5 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-mail-common
Target version: v6.5
Security class:
Resolution:
Affected version: v6.5
NEEDINFO: No

Description

If Postfix smtpauth access policy is enabled, helo and sender checks are still enforced.

Those checks should be disabled if SMTPAUTH is provided on port 25, as 587 already does.

Packages:
nethserver-mail-filter-1.2.0-1.ns6.noarch
nethserver-mail-common-1.4.0-1.ns6.noarch
nethserver-mail-server-1.8.1-1.ns6.noarch

Associated revisions

Revision 942b58bc
Added by Davide Principi almost 5 years ago

Fixed smtpauth AccessPolicies for helo and client restriction lists. Refs #2917

With smtpauth access policy, an authenticated client should now be
subjected to the same restrictions policy, no matter what TCP port
it is connected to (25, 587, 465).

Revision 693abb4c
Added by Giacomo Sanchietti almost 5 years ago

Merge branch 'filippocarletti-b2937'. Refs #2917

Revision 0ede4ca5
Added by Davide Principi almost 5 years ago

Skip restrictions if user is authenticated. Refs #2917

  • All checks executed after check_client_access /etc/postfix/access
  • Enforced on the following restriction lists: recipient, sender,
    helo, client

History

#1 Updated by Davide Principi about 5 years ago

  • Category set to nethserver-mail-server

#2 Updated by Davide Principi almost 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#3 Updated by Davide Principi almost 5 years ago

  • Category changed from nethserver-mail-server to nethserver-mail-common
  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

  • before update, an authenticated client setting EHLO with non-FQDN host name must fail
  • after update to the modified version the same client must succeed

#4 Updated by Davide Principi almost 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-mail-common-1.4.0-1.2git942b58b.ns6.noarch.rpm

#5 Updated by Giacomo Sanchietti almost 5 years ago

  • Assignee set to Giacomo Sanchietti

#6 Updated by Giacomo Sanchietti almost 5 years ago

  • Assignee deleted (Giacomo Sanchietti)

#7 Updated by Davide Principi almost 5 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

smtpd_sender_restrictions are still enforced in main.cf (with policy smtpauth enabled):

smtpd_sender_restrictions = check_client_access hash:/etc/postfix/access,
 check_sender_access hash:/etc/postfix/sender_access,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain
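
An added example, not part of this issue or of the NethServer code base: Postfix evaluates each restriction list in order, so an authenticated client is only exempt from the entries listed after a permit_sasl_authenticated entry. The sketch below reports which entries still apply to authenticated clients in each list named by revision 0ede4ca5. The "after" list is constructed, and placing permit_sasl_authenticated right after check_client_access is an assumption, since the patched main.cf is not shown on this page.

```python
import re
LISTS = ("client", "helo", "sender", "recipient")  # lists named in revision 0ede4ca5

# Sender list quoted in comment #7 of this issue.
BEFORE = """\
smtpd_sender_restrictions = check_client_access hash:/etc/postfix/access,
 check_sender_access hash:/etc/postfix/sender_access,
 reject_non_fqdn_sender,
 reject_unknown_sender_domain
"""
# Constructed "after" list; where permit_sasl_authenticated goes is an assumption.
AFTER = BEFORE.replace(" check_sender_access", " permit_sasl_authenticated,\n check_sender_access")

def parse_main_cf(text):
    """Return {parameter: value}, joining indented continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def split_restrictions(value):
    """Split a list into entries, keeping a lookup table with its check_* keyword."""
    entries = []
    for tok in filter(None, re.split(r"[,\s]+", value)):
        if entries and ":" in tok and re.fullmatch(r"check_\w+", entries[-1]):
            entries[-1] += " " + tok
        else:
            entries.append(tok)
    return entries

def enforced_on_authenticated(text):
    """Per list: entries evaluated before permit_sasl_authenticated (all if absent)."""
    params, report = parse_main_cf(text), {}
    for name in LISTS:
        key = f"smtpd_{name}_restrictions"
        entries = split_restrictions(params.get(key, ""))
        if "permit_sasl_authenticated" in entries:
            entries = entries[:entries.index("permit_sasl_authenticated")]
        report[key] = entries
    return report

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, enforced_on_authenticated(conf)["smtpd_sender_restrictions"])
```

On a live host the same function can be fed the output of `postconf -n`; a list that is not set at all is reported as empty.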

#8 Updated by Davide Principi almost 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#9 Updated by Davide Principi almost 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

Before update: run the following command, replacing your credentials:

$ ( TOKEN=`echo -n -e '\0USERNAME\0PASSWORD' | base64`; echo "ehlo test.domain"; sleep 3; echo "AUTH PLAIN $TOKEN"; sleep 5; echo -e "mail from: <root@here>\nrcpt to: <root@localhost>\ndata\n"; sleep 5 ) | openssl s_client -starttls smtp -host 192.168.8.2 -port 25

You get:

[...]
504 5.5.2 <root@here>: Sender address rejected: need fully-qualified address

After update:

[...]
354 End data with <CR><LF>.<CR><LF>

#10 Updated by Davide Principi almost 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-mail-common-1.4.0-1.3git0ede4ca.ns6.noarch.rpm

#11 Updated by Giacomo Sanchietti almost 5 years ago

  • Assignee set to Giacomo Sanchietti

#12 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

VERIFIED

Packages installed:
  • nethserver-mail-common
  • nethserver-mail-server
  • nethserver-mail-filter (enforce security checks)

#13 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-updates:
  • nethserver-mail-common-1.4.1-1.ns6.noarch.rpm
