Michaylov Michael (*nix forums beginner, Joined: 02 Mar 2005, Posts: 4)
Posted: Wed Mar 02, 2005 1:46 pm, Post subject: Maybe design error in lookup mechanism
Hi
[System]
Postfix 2.1.5
AUXLIBS='-L/usr/local/lib -lldap -L/usr/local/lib -llber
-L/usr/local/lib -lsasl2 -L/usr/local/lib -lpcre'
CCARGS='-I/usr/local/include -DHAS_LDAP -DUSE_SASL_AUTH
-I/usr/local/include/sasl -DHAS_PCRE -I/usr/local/include'
[Description]
Access should be distributed between those "vtg.com.ua" domain users
who can send mail over domain boundaries and those who can send mail
only within domain boundaries.
[Realization]
smtpd_restriction_classes = local, remote
local = check_recipient_access pcre:/usr/local/etc/postfix/maps/local
remote = check_recipient_access pcre:/usr/local/etc/postfix/maps/remote
/usr/local/etc/postfix/maps/local has:
/vtg.com.ua/ OK
/.*/ REJECT local account
/usr/local/etc/postfix/maps/remote has:
/.*/ OK
smtpd_recipient_restrictions =
check_sender_access ldap:/usr/local/etc/postfix/sender.cf,
local,
reject
where /usr/local/etc/postfix/sender.cf has
search_base = cn=remote, ou=groups, dc=vtg
query_filter = member=uid=%u
result_attribute = cn
Record format in the LDAP base:
member=uid=<username1>
member=uid=<username2>
member=uid=<username3>
....
cn=remote
The workflow is the following:
the username part of an email address which is valid for sending mail over
domain boundaries is stored in the directory "cn=remote,ou=groups,dc=vtg".
On successful search completion, a "cn" field containing the
above-mentioned class "remote" should be returned.
[Trouble]
The trouble is enclosed in the following search procedure (log file sample):
dict_ldap_lookup: Searching with filter member=uid=strait
dict_ldap_lookup: Search returned nothing
dict_ldap_lookup: Searching with filter member=uid=it.vtg
dict_ldap_lookup: Search returned nothing
dict_ldap_lookup: Searching with filter member=uid=vtg (*)
dict_ldap_lookup: Search returned remote
As we see, the search is accomplished not only with the %u key in
"query_filter = member=uid=%u", but with all words in the mail address.
There is a vtg@vtg.com.ua mail present in the access group ("member=uid=vtg").
As a result we get a collision between the domain part "vtg" and the user part
"vtg" (see (*)),
and any mail would be sent over domain boundaries in spite of the user's
presence/absence in the access group.
By the way, the postmap command works fine:
if the username is in the access group,
postmap -q username@domain.vtg ldap:/usr/local/etc/postfix/sender.cf
returns "remote"; otherwise it returns nothing.
More detailed output with the -v key shows only one search (not 3 as in the
smtpd log), with "query_filter = member=uid=username".
[Conclusion]
I think the implementation of the lookup method in "smtpd/smtpd_check.c, function
check_mail_access" does not correspond to the usage of the %[usd] keys
ideology for query_filter. Maybe this mechanism should be revised.
As for me, the postmap lookup method seems to be more accurate.
P.S. Am I right? If so, I may write a patch.
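A model of the lookup sequence this post describes, added here as an example (it is not code from the thread or from Postfix): it derives the keys an access(5) sender lookup tries, expands %u the way ldap_table(5) documents it (local part when the key contains "@", otherwise the whole key), and reproduces the collision on the parent-domain key "vtg". The `domains` parameter stands in for the `domain` setting of ldap_table(5), which limits queries to user@domain keys whose domain is listed; whether 2.1.5 already supports that setting is an assumption not checked here, and the member set is constructed.

```python
# Constructed stand-in for the "member=uid=..." values of cn=remote.
# "vtg" is the user whose name collides with a domain label.
REMOTE_MEMBERS = {"vtg", "alice"}


def access_keys(address):
    """Keys an access(5) lookup tries for user@domain, in Postfix order:
    full address, domain, parent domains (parent_domain_matches_subdomains
    covers smtpd_access_maps), then user@."""
    local, domain = address.split("@", 1)
    labels = domain.split(".")
    keys = [address, domain]
    keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(local + "@")
    return keys


def expand_u(key):
    """ldap_table(5): %u is the local part of a user@domain key,
    otherwise the entire search string (so "it.vtg" and "vtg" pass through)."""
    return key.split("@", 1)[0] if "@" in key else key


def ldap_lookup(address, domains=None):
    """Mimic dict_ldap_lookup with query_filter = member=uid=%u.
    Returns (key that matched, "remote") or None.  When `domains` is given,
    only user@domain keys with a listed domain are queried, as the ldap_table
    `domain` parameter does; domain-only and user@ keys are skipped."""
    for key in access_keys(address):
        if domains is not None:
            if "@" not in key or key.split("@", 1)[1] not in domains:
                continue
        if expand_u(key) in REMOTE_MEMBERS:  # "Search returned remote"
            return key, "remote"
    return None


if __name__ == "__main__":
    # Same three filters as the smtpd log: strait, it.vtg, vtg
    print([expand_u(k) for k in access_keys("strait@it.vtg")])
    print(ldap_lookup("strait@it.vtg"))              # matches on "vtg"
    print(ldap_lookup("strait@it.vtg", {"it.vtg"}))  # None: only strait queried
    print(ldap_lookup("alice@it.vtg", {"it.vtg"}))   # genuine member still passes
```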
Victor Duchovni (*nix forums Guru, Joined: 28 Feb 2005, Posts: 2927)
Posted: Wed Mar 02, 2005 2:24 pm, Post subject: Re: Maybe design error in lookup mechanism
On Wed, Mar 02, 2005 at 04:46:06PM +0200, Michaylov Michael wrote:
Quote:
> [Description]
> Access should be distributed between those "vtg.com.ua" domain users,
> who can send mail over domain boundaries and those who can send mail
> only within domain boundaries.
> [Realization]
> smtpd_restriction_classes = local, remote
> local = check_recipient_access pcre:/usr/local/etc/postfix/maps/local
> remote = check_recipient_access pcre:/usr/local/etc/postfix/maps/remote
> /usr/local/etc/postfix/maps/local has:
> /vtg.com.ua/ OK
> /.*/ REJECT local account
> /usr/local/etc/postfix/maps/remote has:
> /.*/ OK
> smtpd_recipient_restrictions =
> check_sender_access ldap:/usr/local/etc/postfix/sender.cf,
> local,
> reject
Stop right there and go back to basics. Read books, online docs, list
archives, ... until you understand restrictions a lot better. This
is wrong on so many levels it is hard to know where to start.
http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
http://www.postfix.org/SMTPD_ACCESS_README.html
http://www.postfix.org/RESTRICTION_CLASS_README.html
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo@postfix.org?body=unsubscribe%20postfix-users>
Michaylov Michael (*nix forums beginner, Joined: 02 Mar 2005, Posts: 4)
Posted: Wed Mar 02, 2005 2:55 pm, Post subject: Re: Maybe design error in lookup mechanism
Quote:
> Stop right there and go back to basics. Read books, online docs, list
> archives, ... until you understand restrictions a lot better. This
> is wrong on so many levels it is hard to know where to start.
First, I used this paper
(http://www.postfix.org/RESTRICTION_CLASS_README.html).
Second,
my scheme works fine with a hash where only the username part is used:
username1@ remote
username2@ remote
(in the above link the full mail address is used)
username1@some.domain some_class
username2@some.domain some_class
The problem arises only if I use LDAP.
After deep debugging I've noticed that, no matter that the %u key was set in
query_filter, the search procedure always uses all words in the address
(multiple times), and this condition leads to a collision.
Victor Duchovni (*nix forums Guru, Joined: 28 Feb 2005, Posts: 2927)
Posted: Wed Mar 02, 2005 3:04 pm, Post subject: Re: Maybe design error in lookup mechanism
On Wed, Mar 02, 2005 at 05:55:22PM +0200, Michaylov Michael wrote:
Quote:
> first i used this paper
> (http://www.postfix.org/RESTRICTION_CLASS_README.html)
> second
> my scheme works fine with hash where only username part is used
> username1@ remote
> username2@ remote
> (in above link full mail address is used)
> username1@some.domain some_class
> username2@some.domain some_class
You are down in the weeds with details, but the whole approach
is fundamentally flawed.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
Michaylov Michael (*nix forums beginner, Joined: 02 Mar 2005, Posts: 4)
Posted: Wed Mar 02, 2005 3:16 pm, Post subject: Re: Maybe design error in lookup mechanism
Quote:
> but the whole approach is fundamentally flawed.
Really?
In any case, we are talking about the search method...
If there were something ideologically wrong, the "whole thing" would not
work with ANY table lookup.
Victor Duchovni (*nix forums Guru, Joined: 28 Feb 2005, Posts: 2927)
Posted: Wed Mar 02, 2005 3:53 pm, Post subject: Re: Maybe design error in lookup mechanism
On Wed, Mar 02, 2005 at 06:16:48PM +0200, Michaylov Michael wrote:
Quote:
> > but the whole approach is fundamentally flawed.
> really ?
> in a matter of case we talk about search method...
> if there were something idiologically wrong - a "whole thing" would not
> work with ANY table lookup
Even higher up than that. The structure of your proposed restrictions
is wrong regardless of the table contents.
Redesign the smtpd_mumble_restrictions to something sensible and only
then return to restriction classes.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
Michaylov Michael (*nix forums beginner, Joined: 02 Mar 2005, Posts: 4)
Posted: Wed Mar 02, 2005 4:49 pm, Post subject: Re: Maybe design error in lookup mechanism
Huh, OK, let me explain my vision
(hope you know what pcre is):
the command check_recipient_access sets the recipient address and I define it by
a regex template.
This is for the class called LOCAL:
/vtg.com.ua/ OK     # match all addresses that have the string "vtg.com.ua"
/.*/ REJECT         # all other addresses would be rejected
I can use hash:local_domains with the content
@vtg.com.ua OK
and reject after it, but this is the same as my pcre:local!
check_recipient_access hash:local_domains, reject
REMOTE means ANY addresses proceed:
/.*/ OK             # any number of any chars
Now we have smtpd_recipient_restrictions =
As it was said in
http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions
Restrictions are applied in the order(!) as specified; the first
restriction that matches wins.
So, if "check_sender_access" returns something, then the search ends;
if the search returns nothing, Postfix checks the next condition - class LOCAL.
All other conditions would never be reached.
That means that if the user is in the access list (hash, ldap, anything...) he
would be able to send mail anywhere (/.*/);
if the user is not in the access list, then he would be able to send mail only to
addresses which contain /vtg.com.ua/.
What is wrong in my sight?
mouss (*nix forums Guru, Joined: 27 Feb 2005, Posts: 1947)
Posted: Wed Mar 02, 2005 6:07 pm, Post subject: Re: Maybe design error in lookup mechanism
Michaylov Michael wrote:
Quote:
> smtpd_recipient_restrictions =
> check_sender_access ldap:/usr/local/etc/postfix/sender.cf,
> local,
There's no such thing as "local" in smtpd_mumble_restrictions. Back to
postconf(5)? Use _only_ one of the allowed statements.
Quote:
> huh, ok let me explain my vision:
> (hope you know what is pcre)
"PinaColada Regular Entertainment"?
Quote:
> so, if "*check_sender_access*" returns something then search ends
> if search returns nothing, postfix checks next condition - class LOCAL.
No, it won't. It's ok for a check to return a class, it's not ok for a
class to turn a check...
Quote:
> what is wrong in my sight ?
smtpd_restriction_classes = local_only, ...
local_only =
reject_unauth_destination
permit_mynetworks
permit_sasl_authenticated
reject
smtpd_recipient_restrictions =
...
check_sender_access hash:..../user_access.db
...
check_recipient_access hash:..../user_access.db
...
# cat user_access
foo@bar local_only
badguy@badsite reject
Of course, no entry should return a permit.