Maybe design error in lookup mechanism
From: Michaylov Michael (strait@vtg.com.ua)
Date: Wed Mar 02 2005 - 08:46:06 CST
Hi
[System]
Postfix 2.1.5
AUXLIBS='-L/usr/local/lib -lldap -L/usr/local/lib -llber
-L/usr/local/lib -lsasl2 -L/usr/local/lib -lpcre'
CCARGS='-I/usr/local/include -DHAS_LDAP -DUSE_SASL_AUTH
-I/usr/local/include/sasl -DHAS_PCRE -I/usr/local/include'
[Description]
Access should be split between those "vtg.com.ua" domain users who can
send mail across domain boundaries and those who can send mail only
within domain boundaries.
[Realization]
smtpd_restriction_classes = local, remote
local = check_recipient_access pcre:/usr/local/etc/postfix/maps/local
remote = check_recipient_access pcre:/usr/local/etc/postfix/maps/remote
/usr/local/etc/postfix/maps/local has:
/vtg.com.ua/ OK
/.*/ REJECT local account
/usr/local/etc/postfix/maps/remote has:
/.*/ OK
smtpd_recipient_restrictions =
check_sender_access ldap:/usr/local/etc/postfix/sender.cf,
local,
reject
where /usr/local/etc/postfix/sender.cf has
search_base = cn=remote, ou=groups, dc=vtg
query_filter = member=uid=%u
result_attribute = cn
Record format in ldap base:
member=uid=<username1>
member=uid=<username2>
member=uid=<username3>
...
cn=remote
The workflow is as follows:
The username part of an email address that is allowed to send mail across
domain boundaries is stored in the directory under "cn=remote,ou=groups,dc=vtg".
On successful search completion, a "cn" field containing the above-mentioned
class "remote" should be returned.
[Trouble]
The trouble is shown in the following search procedure (log file sample):
dict_ldap_lookup: Searching with filter member=uid=strait
dict_ldap_lookup: Search returned nothing
dict_ldap_lookup: Searching with filter member=uid=it.vtg
dict_ldap_lookup: Search returned nothing
dict_ldap_lookup: Searching with filter member=uid=vtg (*)
dict_ldap_lookup: Search returned remote
As we see, the search is performed not only with the %u key in
"query_filter = member=uid=%u", but with all words of the mail address.
There is a vtg@vtg.com.ua mail present in the access group
("member=uid=vtg").
As a result we get a collision between the domain part "vtg" and the user
part "vtg" (see (*)), and any mail would be sent across domain boundaries
regardless of the user's presence/absence in the access group.
By the way, the postmap command works fine:
if the username is in the access group,
postmap -q username@domain.vtg ldap:/usr/local/etc/postfix/sender.cf
returns "remote"; otherwise it returns nothing.
More detailed output with the -v key shows only one search (not 3 as in
the smtpd log), with "query_filter = member=uid=username".
[Conclusion]
I think the implementation of the lookup method in "smtpd/smtpd_check.c,
function check_mail_access" does not correspond to the usage ideology of
the %[usd] keys for query_filter. Maybe this mechanism should be revised.
As for me, the postmap lookup method seems to be more accurate.
P.S. Am I right? If so, I may write a patch.
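An added example, not part of the original message and not Postfix's own documentation, showing one way to stop the extra smtpd lookups from matching a uid: restrict the LDAP map to the sender domain with the ldap_table "domain" parameter, so that bare-domain keys such as "it.vtg" and its parent "vtg" (the keys visible in the log above) are answered "not found" without any query reaching the directory. The domain "it.vtg" is taken from the log and assumed to be the real sender domain; that the reader's Postfix build supports the "domain" parameter is an assumption to be checked against ldap_table(5).

```text
# /usr/local/etc/postfix/sender.cf  (added example, assumes ldap_table "domain" support)
search_base = cn=remote, ou=groups, dc=vtg

# Only keys that are full addresses in this domain are sent to LDAP.
# smtpd tries "user@it.vtg", then "it.vtg", then "vtg" for the same sender;
# with this setting the two bare-domain keys return "not found" locally,
# so a directory entry "member=uid=vtg" can no longer match a domain name.
domain = it.vtg

query_filter = member=uid=%u
result_attribute = cn
```

To confirm the effect, run "postmap -q strait@it.vtg ldap:/usr/local/etc/postfix/sender.cf" and "postmap -q vtg ldap:/usr/local/etc/postfix/sender.cf" with -v: the first should return "remote" only if that uid is a member of cn=remote, and the second should return nothing and log no LDAP search at all.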