gunnar: server/perl-kolab/bin kolab_smtpdpolicy.in,1.2,1.3

Tue Jan 5 19:37:40 CET 2010

Author: gunnar

Update of /kolabrepository/server/perl-kolab/bin
In directory doto:/tmp/cvs-serv3360/perl-kolab/bin

Modified Files:
	kolab_smtpdpolicy.in 
Log Message:
MFB: kolab/issue1340 (RFC: restrict users to sending mail only to internal recipients)

Index: kolab_smtpdpolicy.in
===================================================================
RCS file: /kolabrepository/server/perl-kolab/bin/kolab_smtpdpolicy.in,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3

--- kolab_smtpdpolicy.in	20 Jan 2009 17:22:12 -0000	1.2
+++ kolab_smtpdpolicy.in	5 Jan 2010 18:37:38 -0000	1.3
@@ -281,6 +281,59 @@
   return 1;
 }
 
+sub check_restricted_sender {
+  my $username = shift;
+  my $recipient = shift;
+  my $tries = 0;
+ AGAIN:
+  my $mesg = $ldap->search( base=> $conf_basedn,
+			    scope=> 'sub',
+			    filter=> "(&(objectClass=kolabinetorgperson)(|(mail=$username)(uid=$username)))",
+			    attrs => [ 'kolabAllowSMTPRecipient' ]);
+  if( !$mesg->code && $mesg->count() > 0 ) {
+    mylog($syslog_priority, "LDAP search returned ".$mesg->count()." objects") if $verbose;
+    my $global_permit = 1;
+    foreach my $entry ( $mesg->entries ) {
+      my $allowed_recipient;
+      my $permit;
+      for $allowed_recipient ($entry->get_value('kolabAllowSMTPRecipient')) {
+          mylog($syslog_priority, lc($username." has allowed recipient ".$allowed_recipient)) if $verbose;
+	  # Return early with REJECT if the sender may not send at all ('-')
+	  return undef if $allowed_recipient eq '-';
+	  # Check if the entry is a negation (leading '-')
+	  if ( $allowed_recipient =~ /^-(.*)/ ) {
+	      $permit = undef;
+	      $allowed_recipient = $1;
+	  } else {
+	      # Once there is a non-negating entry we need REJECT if no rule matched
+	      $global_permit = undef;
+	      $permit = 1;
+	  }
+	  if ( $allowed_recipient =~ /@/ ) {
+	      # If the entry contains '@' the leading segment must match
+	      return $permit if  $recipient =~ /^$allowed_recipient/;
+	  } elsif ( $allowed_recipient =~ /^\.(.*)/ ) {
+	      # If the entry starts with '.' the trailing domain must match
+	      return $permit if $recipient =~ /${1}$/;
+	  } else {
+	      # All other entries must match the last part of the mail address
+	      return $permit if $recipient =~ /\@${allowed_recipient}$/;
+	  }
+      }
+    }
+    # Allow sending if there was no entry or no negated entry rejected
+    return $global_permit;
+  } elsif( $mesg->code && $mesg->code != LDAP_NO_SUCH_OBJECT && $tries++ <= $ldap_max_tries ) {
+    mylog($syslog_priority, "LDAP Connection error during CHECKRESTRICTEDSENDER: ".$mesg->error.", trying to reconnect" );
+    ldap_connect;
+    goto AGAIN;
+  } elsif( $mesg->code ) {
+    mylog( $syslog_priority, "LDAP Error during CHECKRESTRICTEDSENDER: ".$mesg->error ) if $verbose;
+    # Just fall through and accept the message in case there was an LDAP problem.
+  }
+  return 1;
+}
+
 #
 # SMTPD access policy routine. The result is an action just like
 # it would be specified on the right-hand side of a Postfix access
@@ -306,6 +359,9 @@
   return "REJECT Access denied" if( !$username && !$conf_allowunauth );
 
   eval{ $username = lookup_uid($username) }; return "DEFER_IF_PERMIT $@" if $@;
+
+  # Check for valid access from a restricted sender
+  return "REJECT Recipient denied" unless check_restricted_sender($username, $recipient);
 
   # See if sender is owned by someone
   my @uids;



