[PATCH] Host whitelist using postfix $mynetworks

Bo Thorsen bo at thorsen-consulting.dk
Tue Apr 15 09:19:32 CEST 2008


You should make an entry in the Kolab bug tracker with this: 
https://www.intevation.de/roundup/kolab/

Bo.

On Tuesday, 15 April 2008, Diego Woitasen wrote:
> I want to share this patch. It would be useful for somebody else.
>
> The idea is to use the postfix-mynetworks value in LDAP
> (k=kolab,dc=foo,dc=bar) as whitelist for kolabfilter.
>
> Steps:
>
> 1- /kolab/bin/pear Net_IPv4
> 2- Apply the patch.
>
> Then, when you add a host or net in Services->Privileged host via Web
> admin it gets whitelisted.
>
> --- /tmp/xx/Kolab_Filter-2.2rc120080204/Filter/Content.php      2008-02-04
> 14:51:45.000000000 +0000
> +++ lib/php/Kolab/Filter/Content.php    2008-04-14 22:54:38.976551441 +0000
> @@ -34,6 +34,7 @@
>
>  /* Load the basic filter definition */
>  require_once 'Kolab/Filter/Filter.php';
> +require_once('Net/IPv4.php');
>
>  define('RM_STATE_READING_HEADER', 1 );
>  define('RM_STATE_READING_FROM',   2 );
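
Review bot: the added `require_once('Net/IPv4.php');` makes the PEAR Net_IPv4 package a hard load-time dependency of Content.php, so on a host where the package is not installed the whole filter stops with a fatal error instead of only losing the whitelist. The dependency should be recorded wherever the package's requirements are listed, not only in the mail's install steps. As a style point, the line directly above uses the form without parentheses (`require_once 'Kolab/Filter/Filter.php';`) and the new line should match it.
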
> @@ -390,6 +391,39 @@
>      return sprintf($fmt, $sender);
>  }
>
> +
> +
> +function permited_host($host){
> +
> +       global $conf;
> +
> +       $ldapconn = ldap_connect($conf['filter']['ldap_uri']);
> +       if(!$ldapconn)
> +               return false;
> +
> +       if(!ldap_bind($ldapconn, $conf['filter']['bind_dn'],
> +                       $conf['filter']['bind_pw']))
> +               return false;
> +
> +       $attrs[0] = "postfix-mynetworks";
> +       $result = ldap_search($ldapconn, $conf['filter']['base_dn'],
> +                       "k=kolab", $attrs);
> +       if(!$result)
> +               return false;
> +
> +       $info = ldap_get_entries($ldapconn, $result);
> +       if($info['count'] != 1 || !array_key_exists($attrs[0], $info[0]))
> +               return false;
> +       $addrs = $info[0]['postfix-mynetworks'];
> +       foreach($addrs as $addr){
> +               if($host == $addr or Net_IPv4::ipInNetwork($host, $addr))
> +                       return true;
> +       }
> +
> +       return false;
> +
> +}
> +
>  /** Check that the From header is not trying
>      to impersonate a valid user that is not
>      $sasluser. Returns one of:
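
Review bot: the `foreach($addrs as $addr)` loop in permited_host() also visits the `count` element that ldap_get_entries() puts into every attribute array, so an integer is compared loosely against `$host` and then handed to `Net_IPv4::ipInNetwork()`. Iterate from 0 to `$addrs['count'] - 1` instead and use `===` for the exact-match case, so that only real postfix-mynetworks values can grant the whitelist. The LDAP connection is also never released: none of the return paths after `ldap_connect()` call `ldap_unbind()`, and since this runs inside the filter each call leaves a connection open until the process exits. Smaller points: `$attrs` is assigned by index without first being initialised as an array, and the function name is misspelled ("permited" for "permitted"). Failing closed with `return false` on every LDAP error is the right behaviour and worth keeping.
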
> @@ -438,6 +472,12 @@
>          $kolabhosts = 'localhost';
>      }
>
> +       /*
> +        * Allow Postfix $mynetworks
> +        */
> +       if(permited_host($client_addr))
> +               return true;
> +
>      /* Allow anything from localhost and
>       * fellow Kolab-hosts
>       */
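
Review bot: the `if(permited_host($client_addr)) return true;` block sits ahead of the existing "Allow anything from localhost and fellow Kolab-hosts" allowance, so every address listed in postfix-mynetworks is accepted here with no further checks, and the LDAP bind and search run even for clients that the cheaper localhost test below would have accepted. Move the call after the localhost and Kolab-host allowance so the directory is only queried when that test has not matched, and expand the comment to say that privileged hosts are trusted to the same degree as fellow Kolab hosts, since that is the trust decision an administrator makes when adding an entry under Services->Privileged host. The new lines are also indented differently from the four-space indentation of the surrounding code.
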



-- 

Thorsen Consulting ApS - Qt consulting services
http://www.thorsen-consulting.dk



