gunnar: server/perl-kolab/bin kolab_smtpdpolicy.in,1.2.2.2,1.2.2.3

cvs at kolab.org cvs at kolab.org
Mon Dec 7 09:41:20 CET 2009


Author: gunnar

Update of /kolabrepository/server/perl-kolab/bin
In directory doto:/tmp/cvs-serv3939/bin

Modified Files:
      Tag: kolab_2_2_branch
	kolab_smtpdpolicy.in 
Log Message:
 kolab/issue1340 (RFC: restrict users to sending mail only to internal recipients)

Index: kolab_smtpdpolicy.in
===================================================================
RCS file: /kolabrepository/server/perl-kolab/bin/kolab_smtpdpolicy.in,v
retrieving revision 1.2.2.2
retrieving revision 1.2.2.3
diff -u -d -r1.2.2.2 -r1.2.2.3
--- kolab_smtpdpolicy.in	4 Dec 2009 16:33:52 -0000	1.2.2.2
+++ kolab_smtpdpolicy.in	7 Dec 2009 08:41:18 -0000	1.2.2.3
@@ -292,17 +292,37 @@
 			    attrs => [ 'kolabAllowSMTPRecipient' ]);
   if( !$mesg->code && $mesg->count() > 0 ) {
     mylog($syslog_priority, "LDAP search returned ".$mesg->count()." objects") if $verbose;
+    my $global_permit = 1;
     foreach my $entry ( $mesg->entries ) {
       my $allowed_recipient;
+      my $permit;
       for $allowed_recipient ($entry->get_value('kolabAllowSMTPRecipient')) {
-          mylog($syslog_priority, lc($entry->get_value('uid')." has allowed recipient ".$allowed_recipient)) if $verbose;
+          mylog($syslog_priority, lc($username." has allowed recipient ".$allowed_recipient)) if $verbose;
+	  # Return early with REJECT if the sender may not send at all ('-')
 	  return undef if $allowed_recipient eq '-';
-	  # TODO
-
+	  # Check if the entry is a negation (leading '-')
+	  if ( $allowed_recipient =~ /^-(.*)/ ) {
+	      $permit = undef;
+	      $allowed_recipient = $1;
+	  } else {
+	      # Once there is a non-negating entry we need REJECT if no rule matched
+	      $global_permit = undef;
+	      $permit = 1;
+	  }
+	  if ( $allowed_recipient =~ /@/ ) {
+	      # If the entry contains '@' the leading segment must match
+	      return $permit if  $recipient =~ /^$allowed_recipient/;
+	  } elsif ( $allowed_recipient =~ /^\.(.*)/ ) {
+	      # If the entry starts with '.' the trailing domain must match
+	      return $permit if $recipient =~ /${1}$/;
+	  } else {
+	      # All other entries must match the last part of the mail address
+	      return $permit if $recipient =~ /\@${allowed_recipient}$/;
+	  }
       }
     }
-    # Allow sending if there was no entry or no entry rejcted
-    return 1;
+    # Allow sending if there was no entry or no negated entry rejected
+    return $global_permit;
   } elsif( $mesg->code && $mesg->code != LDAP_NO_SUCH_OBJECT && $tries++ <= $ldap_max_tries ) {
     mylog($syslog_priority, "LDAP Connection error during CHECKRESTRICTEDSENDER: ".$mesg->error.", trying to reconnect" );
     ldap_connect;
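Review bot: The three new matches on lines 52, 55 and 58 interpolate the LDAP attribute value into a regex without escaping, so every `.` in an allowed address or domain matches any character and any other metacharacter in the attribute changes the rule's meaning; since this attribute decides whether a sender is rejected, the value should be treated as a literal with `\Q...\E`: `return $permit if $recipient =~ /^\Q$allowed_recipient\E/;`, `return $permit if $recipient =~ /\Q$1\E$/;` and `return $permit if $recipient =~ /\@\Q$allowed_recipient\E$/;`. Line 52 also anchors only at the start, so a full-address entry such as `user@example.com` also permits or rejects `user@example.com.other` — if an entry containing '@' is meant to match the whole recipient, it should end with `$` (or `\z`) too. The comment on line 51 then needs to say "the entry must match the recipient" rather than "the leading segment must match". The enclosing subroutine starts and ends outside the hunk.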




