KEP-0010.txt

Jeroen van Meeuwen vanmeeuwen at kolabsys.com
Wed Jul 6 13:24:28 CEST 2011


 KEP-0010.txt |  265 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 265 insertions(+)

New commits:
commit 952dd4f197630f637404b0f8497a0183d6f3be2d
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Wed Jul 6 12:24:07 2011 +0100

    Add KEP 0010 on Kolab SMTP Access Policy by Jeroen van Meeuwen

diff --git a/KEP-0010.txt b/KEP-0010.txt
new file mode 100644
index 0000000..ccdf430
--- /dev/null
+++ b/KEP-0010.txt
@@ -0,0 +1,265 @@
+{{kep
+ |number=10
+ |ticketnumber=
+ |title=Kolab SMTP Access Policy
+ |author=Jeroen van Meeuwen
+ |author_email=vanmeeuwen at kolabsys.com
+ |status=draft
+ |type=informational
+ |creation_date=2011-07-01
+ |obsoletes=
+ |obsoleted_by=
+ |related=
+}}
+
+== Abstract ==
+
+The Kolab SMTP Access Policy rejects, allows or defers policy requests from the Postfix mail transfer agent using policy configuration and recipient's and sender's LDAP attributes. To offer guidance in the exact policy request handling, configuration and deployment, this KEP outlines how the Kolab SMTP Access Policy works.
+
+The following access policies exist:
+
+* [[#Sender_Access_Policy | Sender Access Policy]]
+* [[#Recipient_Access_Policy | Recipient Access Policy]]
+
+== Postfix Configuration ==
+
+=== Restriction Checking Order ===
+
+It is important to remember in which order the restrictions are checked in Postfix. Suffice it to say between 'sender' and 'recipient' restrictions, they are executed in reverse alphabetical order; The sender restrictions are applied before the recipient restrictions.
+
+=== PERMIT, REJECT and OTHER ===
+
+It is also important to remember how Postfix determines the result of a set of restrictions in combination with the exact position of the Kolab SMTP Access Policy, and the policy result used (configured for) the Kolab SMTP Access Policy. For more information on possible actions the Kolab SMTP Access Policy could return to Postfix, please see [http://www.postfix.org/access.5.html access(5)].
+
+=== Caching ===
+
+In order to reduce the load on LDAP, the Kolab SMTP Access Policy employs a form of volatile caching, storing a tuple of sender, recipient, sasl_username, sasl_sender, function, result and expire.
+
+== Access Policies ==
+
+A typical Postfix MTA listens on multiple ports;
+
+# '''smtp''', 25/tcp,
+# '''smtps''', 465/tcp,
+# '''submission''', 587/tcp
+
+Different rules apply to each of these services. For example, '''submission''' is often specifically enabled to force authentication to take place, and thus offers opportunity to thoroughly check the sender's authenticity and apply sender policies. Thinking of Kolab Delegate users for example, the sender's policy for the target 'sender' should be applied rather then the sender policy associated with the 'sasl_username'.
+
+However, receiving incoming mail from the Internet over port 25, without exception, no authentication information is available. The sender can still be matched against recipient policies, but since the actual sender cannot be authenticated, complying with the sender policies becomes more difficult and behaves subtly differently compared to sender policies applied to '''submission'''.
+
+== Timing, not 42, is Everything ==
+
+For internal mail exchangers, with external mail exchangers doing content filtering, and additional, non-Kolab, groupware environments, may find themselves forced to using one single load-balanced IP address with little to no opportunity for verification of the sending host's IP address.
+
+As such, in combining restrictions such as ''permit_mynetworks'' (in combination with which networks are listed), ''reject_unlisted_sender'' and the Kolab SMTP Access Policy, which check is performed after and before another is crucially important.
+
+== Recipient Access Policy ==
+
+A recipient access policy is used to determine whether a sender may send email to a recipient, using the recipient's policy (using the multi-valued '''kolabAllowSMTPSender''' attribute). That is to say, when a policy request comes in, the Kolab SMTP Access Policy searches for the recipient's LDAP object, and checks whether the recipient allows the sender to send to said recipient.
+
+The recipient access policy is checked at two points in the transmission;
+
+# When receiving '''incoming''' email, from unauthenticated mail exchangers,
+# When receiving '''submitted''' email, from authenticated users.
+
+=== Example Implementation ===
+
+An example implementation would be as follows:
+
+'''Example LDAP Objects'''
+
+ dn: uid=john.doe,ou=People,dc=kolab,dc=org
+ ...
+ mail: john.doe at kolab.org
+ kolabAllowSMTPSender: -recruiter at kolabsys.com
+ ...
+ 
+ dn: uid=jane.doe,ou=People,dc=kolab,dc=org
+ ...
+ mail: jane.doe at kolab.org
+ kolabAllowSMTPSender: -john.doe at kolab.org
+ ...
+
+'''Example Postfix Configuration (main.cf)'''
+
+ smtpd_recipient_restrictions = permit_mynetworks
+     reject_unauth_pipelining
+     reject_rbl_client zen.spamhaus.org
+     reject_non_fqdn_recipient
+     reject_invalid_helo_hostname
+     reject_unknown_recipient_domain
+     reject_unauth_destination
+     check_policy_service unix:private/recipient_policy_incoming
+     permit
+ 
+ smtpd_sender_restrictions = permit_mynetworks
+     check_policy_service unix:private/sender_policy_incoming
+ 
+ submission_recipient_restrictions = check_policy_service unix:private/recipient_policy
+     permit_sasl_authenticated
+     reject
+ 
+ submission_sender_restrictions = reject_non_fqdn_sender
+     reject_unlisted_sender
+     check_policy_service unix:private/sender_policy
+     reject
+
+'''Example Postfix Configuration (master.cf)'''
+
+ recipient_policy unix    -   n   n   -       -   spawn
+     user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-recipient
+ 
+ recipient_policy_incoming unix - n n -       -   spawn
+     user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-recipient --allow-unauthenticated
+
+=== Example Process #1 ===
+
+; '''Sender'''
+: recruiter at kolabsys.com
+; '''Recipient(s)'''
+: john.doe at kolab.org, jane.doe at kolab.org;
+
+# The email arrives at the internal (Kolab) mail exchanger
+# The Postfix MTA is configured to check the recipient policy
+
+{{note|Mail from External|Please note the aforementioned example is supposed to illustrate incoming email from an external source, through the Internet, and as such, the sender is (by definition) not authenticated. Naturally, exceptions to this rule apply, such as would be the case with Trusted Third Parties.}}
+
+The Kolab SMTP Access Policy is executed provided with the following information:
+
+ request=smtpd_access_policy
+ protocol_state=RCPT
+ protocol_name=ESMTP
+ helo_name=ext-mx01.kolabsys.com
+ queue_id=8045F2AB23
+ sender=recruiter at kolabsys.com
+ recipient=john.doe at kolab.org
+ client_address=1.2.3.4
+ client_name=ext-mx01.kolabsys.com
+ instance=123.456.7
+ sasl_method=
+ sasl_username=
+ sasl_sender=
+ size=12345
+ ''[empty line]''
+
+{{note|Kolab SMTP Access Policy Executed per Recipient|The Kolab SMTP Access Policy is executed once for every recipient. If one of the access policies denies the request, a NDR should be returned [/needs-investigation].}}
+
+Because this is the '''recipient''' checking, the Kolab SMTP Access Policy will now attempt to determine whether the LDAP object that has the '''recipient address''' associated with it also has an LDAP attribute '''kolabAllowSMTPSender'''.
+
+If no such LDAP attribute exists for the recipient, the delivery is allowed.
+
+If the LDAP attribute '''kolabAllowSMTPSender''' does exist, the Kolab SMTP Access Policy attempts to match the sender address (''recruiter at kolabsys.com'') to the value(s) of the LDAP attribute for the LDAP object (for John Doe, this is ''-recruiter at kolabsys.com'').
+
+For matching policies, please see [[#Matching_Policies|the section on Matching Policies]].
+
+In this example, suffice to say the mail from ''recruiter at kolabsys.com'' to ''john.doe at kolab.org'' is rejected, and the copy sent to ''jane.doe at kolab.org'' is accepted (subject to other smtpd_recipient_policies).
+
+=== Example Process #2 ===
+
+; '''Sender'''
+: john.doe at kolab.org
+; '''Recipient(s)'''
+: jane.doe at kolab.org;
+
+# The email is submitted to the Postfix MTA,
+# The Postfix MTA is configured to check the recipient policy
+
+{{note|Mail from Internal|Please note the aforementioned example is supposed to illustrate email being sent internally, and as such, the sender could be authenticated.}}
+
+The Kolab SMTP Access Policy is executed provided with the following information:
+
+ request=smtpd_access_policy
+ protocol_state=RCPT
+ protocol_name=ESMTP
+ helo_name=webmail.kolab.org
+ queue_id=8045F2AB23
+ sender=john.doe at kolab.org
+ recipient=jane.doe at kolab.org
+ client_address=1.2.3.4
+ client_name=webmail.kolab.org
+ instance=123.456.7
+ sasl_method=
+ sasl_username=<does not matter>
+ sasl_sender=
+ size=12345
+ ''[empty line]''
+
+Because this is the '''recipient''' checking, the Kolab SMTP Access Policy will now attempt to determine whether the LDAP object that has the '''recipient address''' associated with it also has an LDAP attribute '''kolabAllowSMTPSender'''.
+
+If no such LDAP attribute exists for the recipient, the delivery is allowed.
+
+If the LDAP attribute '''kolabAllowSMTPSender''' does exist, the Kolab SMTP Access Policy attempts to match the sender address (''john.doe at kolab.org'') to the value(s) of the LDAP attribute for the LDAP object (for Jane Doe, this is ''-john.doe at kolab.org'').
+
+For matching policies, please see [[#Matching_Policies|the section on Matching Policies]].
+
+In this example, suffice to say the mail from ''john.doe at kolab.org'' to ''jane.doe at kolab.org'' is rejected.
+
+== Sender Access Policy ==
+
+The sender access policy is used to determine whether or not;
+
+* an authenticated sender is allowed to use the envelope address used,
+* the sender is allowed to send to these recipient(s) using the sender's policy.
+
+{{important|Postfix Submission Daemon|For email to a domain name space for which the Postfix instance executing the policy is also a delivery destination (i.e. the domain name space for the recipient is among the domain name spaces listed in ''$relay_domains'' or ''$mydestination''), the sender access policy could immediately verify the recipient address(es) as well.}}
+
+=== Example Implementation ===
+
+An example implementation would be as follows:
+
+'''Example LDAP Objects'''
+
+ dn: uid=john.doe,ou=People,dc=kolab,dc=org
+ ...
+ mail: john.doe at kolab.org
+ kolabAllowSMTPRecipient: -recruiter at kolabsys.com
+ ...
+ 
+ dn: uid=jane.doe,ou=People,dc=kolab,dc=org
+ ...
+ mail: jane.doe at kolab.org
+ kolabAllowSMTPRecipient: -john.doe at kolab.org
+ ...
+
+'''Example Postfix Configuration (main.cf)'''
+
+ smtpd_recipient_restrictions = permit_mynetworks
+     reject_unauth_pipelining
+     reject_rbl_client zen.spamhaus.org
+     reject_non_fqdn_recipient
+     reject_invalid_helo_hostname
+     reject_unknown_recipient_domain
+     reject_unauth_destination
+     check_policy_service unix:private/recipient_policy_incoming
+     permit
+ 
+ smtpd_sender_restrictions = permit_mynetworks
+     check_policy_service unix:private/sender_policy_incoming
+ 
+ submission_recipient_restrictions = check_policy_service unix:private/recipient_policy
+     permit_sasl_authenticated
+     reject
+ 
+ submission_sender_restrictions = reject_non_fqdn_sender
+     reject_unlisted_sender
+     check_policy_service unix:private/sender_policy
+     reject
+
+'''Example Postfix Configuration (master.cf)'''
+
+ sender_policy    unix    -   n   n   -       -   spawn
+     user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-sender
+ 
+ sender_policy_incoming unix - n  n   -       -   spawn
+     user=kolab-n argv=/usr/libexec/postfix/kolab_smtp_access_policy --verify-sender --allow-unauthenticated
+
+=== The Process ===
+
+== Matching Policies ==
+
+An example implementation of parsing the policies attributed to '''kolabAllowSMTPRecipient''' and '''kolabAllowSMTPSender''' attributes can be found [http://git.kolab.org/pykolab/tree/bin/kolab_smtp_access_policy.py?id=68422fedfe7d5db35bbb12a6ac765a7507fd6ff5#n133 here].
+
+== References ==
+
+{{Reflist}}
+
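Review bot: The "=== The Process ===" heading under "Sender Access Policy" has no body, so the sender side ships with LDAP objects and Postfix configuration but no description of how `sender`, `sasl_username` and `sasl_sender` are compared or what happens when `kolabAllowSMTPRecipient` is absent. The abstract promises guidance on exact request handling, so either write the sender walk-through to match the two recipient examples or mark the section as pending. The main.cf examples define `submission_recipient_restrictions` and `submission_sender_restrictions`, but the master.cf examples show only the spawn services; add the submission service entry that references those two names, otherwise a reader cannot tell how they take effect. In `smtpd_recipient_restrictions` and `smtpd_sender_restrictions`, `permit_mynetworks` precedes `check_policy_service`, which means clients in mynetworks never reach the policy; the "Timing" section says ordering is crucial, so state this consequence next to the example. The "Caching" section lists `result` and `expire` in the cached tuple without giving the lifetime or how an LDAP change invalidates an entry; document both, since a stale permit outlives a newly added deny rule. The `[/needs-investigation]` marker in the per-recipient note should be resolved or tracked before the draft status is lifted.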




