Don't let authenticated client use arbitrary sender addresses.

The following policy is now implemented: * users can use their SASL login name as sender address; * alias and/or list owners can use the address as envelope sender; * domain postmasters can use arbitrary sender addresses under their domains; * domain owners can use arbitrary sender addresses under their domains, unless it is also an existing account name; * for known domains without owner or postmasters, other sender addresses are not allowed; and * arbitrary sender addresses under unknown domains are allowed.
author: Guilhem Moulin <guilhem@fripost.org> 2017-05-31 21:42:32 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2017-06-01 01:09:00 +0200
commit: 6e39bad3fbe75b88fca4c2e2aad8eb51af14b1be (patch)
tree: 87898c1653a36f1b23efbef55d6f876d8bc83444 /roles/common-LDAP/templates/etc/ldap
parent: e136d3edbdb6749d4559939dc9fcbc11d166e34c (diff)
1 files changed, 16 insertions, 1 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 8310818..494888e 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -258,7 +258,7 @@ olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
     {% if 'MDA' in group_names -%}
     by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://"                                                    =sd
     {% endif -%}
-    {% if 'MX' in group_names -%}
+    {% if 'MX' in group_names or 'MSA' in group_names -%}
     by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =sd
     {% endif -%}
     by users                                                                                                                                    =0 break
@@ -476,6 +476,21 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
     {% endif -%}
     by users                                                                                                                                    =0 break
 {% endif %}
+#
+# * The MSA's postfix user can read entry ownership to dermine the SASL
+#   login name(s) owning a given sender address
+{% if 'MSA' in group_names %}
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
+        attrs=fripostOwner,fripostPostmaster
+        filter=(|(objectClass=FripostVirtualAliasDomain)(objectClass=FripostVirtualDomain))
+    by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+    by users                                                                                                                                    =0 break
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
+        attrs=entry,objectClass,fvl,fripostOwner
+        filter=(|(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualUser))
+    by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+    by users                                                                                                                                    =0 break
+{% endif %}
 {% if 'LDAP-provider' in group_names %}
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
author	Guilhem Moulin <guilhem@fripost.org>	2017-05-31 21:42:32 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2017-06-01 01:09:00 +0200
commit	6e39bad3fbe75b88fca4c2e2aad8eb51af14b1be (patch)
tree	87898c1653a36f1b23efbef55d6f876d8bc83444 /roles/common-LDAP/templates/etc/ldap
parent	e136d3edbdb6749d4559939dc9fcbc11d166e34c (diff)