Maillist/mailgroup restrictions for Kopano webmail (Solved)

Hello, maillist/group restrictions are not working for me.
I have UCS 4.3-2 errata291 with Kopano as application.

I am trying to send email with the Kopano webmail client.


cat /etc/postfix/master.cf

...
listfilter     unix  -       n       n       -       30       spawn user=listfilter argv=/usr/share/univention-mail-postfix/listfilter.py
    -b dc=domain,dc=localnet

cat /etc/postfix/main.cf | grep listfil
smtpd_recipient_restrictions = check_policy_service unix:private/listfilter,

A test group or test mail list was created with a mail address, with a restriction that only Domain Users or only a special user may send to it. But when it is enabled, nobody can send emails to this group.

Recipient address rejected: Access denied for not authenticated sender to restricted list all@domain.com; from=<testuser@domain.com>; to=<all@domain.com>;

with debug:

Nov  7 09:39:46 mail listfilter[7545]: listfilter: attrib={'reverse_client_name': 'localhost', 'ccert_pubkey_fingerprint': '', 'ccert_subject': '', 'sasl_sender': '', 'protocol_state': 'RCPT', 'encryption_protocol': '', 'ccert_issuer': '', 'client_address': '127.0.0.1', 'size': '0', 'protocol_name': 'ESMTP', 'client_name': 'localhost', 'policy_context': '', 'helo_name': 'mail.domain.localnet', 'etrn_domain': '', 'instance': '1c71.5be2a4d2.24ca7.0', 'encryption_keysize': '0', 'encryption_cipher': '', 'ccert_fingerprint': '', 'recipient_count': '0', 'client_port': '40946', 'queue_id': '', 'sasl_method': '', 'recipient': 'all@domain.com', 'sasl_username': '', 'stress': '', 'sender': 'testuser@domain.com', 'request': 'smtpd_access_policy'}
Nov  7 09:39:46 mail listfilter[7545]: listfilter: allowed_user_dns=['uid=testuser,cn=users,dc=domain,dc=localnet'] allowed_group_dns=[]
Nov  7 09:39:46 mail listfilter[7545]: listfilter: action=REJECT Access denied for not authenticated sender to restricted list all@domain.com

Here is a related bug with FIXED status, but it is still not working:

https://forge.univention.org/bugzilla/show_bug.cgi?id=45422

OK, it doesn’t work only with the Kopano web interface, so I will change the Postfix config to allow it.

The problem is:

Only emails from authenticated users can be verified.

Solved with:

ucr set mail/postfix/policy/listfilter/use_sasl_username=false

This seems like a design issue to me. It would exclude all kinds of web-based email interfaces from ever being able to send to such addresses. I don’t know of any web interface that uses authenticated SMTP.

Maybe the filter could be extended to allow mail from localhost? Sure, it wouldn’t provide iron-clad security, but the main purpose of that filter is to prevent casual spam or access from external senders, and allowing localhost would probably not prevent that.

Maybe the filter could be extended to allow mail from localhost?

It’s not possible to exclude localhost from the filter in this case. Then it would allow emails from restricted users too.

As I wrote, I found the sasl_check functions in /usr/share/univention-mail-postfix/listfilter.py

and ucr set mail/postfix/policy/listfilter/use_sasl_username=false solves this problem.

At least those I know do: Open-Xchange, Roundcube, Horde

Roundcube uses localhost:25 by default, but can be configured to do auth (with the credentials used for IMAP) on 587. My guess is that that’s true for most webmail interfaces.

Alright, I stand corrected. I was only pretty sure about Kopano’s WebApp as it doesn’t do delivery itself. It hands the mail over to the spooler daemon which then contacts the mail server. As far as I know the spooler daemon doesn’t have access to the user’s login credentials.
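
The policy check discussed in this thread, as an added example that is not part of the original posts and is not Univention's listfilter.py: a simplified model of a Postfix policy-delegation service showing why the logged request is rejected and what changes when the SASL check is switched off. The in-memory table replaces the LDAP lookup, and the fallback to the envelope `sender` attribute when use_sasl_username is false is an assumption.

```python
# Simplified model of a Postfix policy check (not Univention's listfilter.py).
# Constructed sample table: restricted list -> allowed sender addresses.
RESTRICTED_LISTS = {"all@domain.com": {"testuser@domain.com"}}

def parse_request(raw):
    """Parse a Postfix policy request: name=value lines ended by an empty line."""
    attrib = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrib[name] = value
    return attrib

def decide(attrib, use_sasl_username=True):
    """Return the policy action for one RCPT TO request."""
    recipient = attrib.get("recipient", "").lower()
    allowed = RESTRICTED_LISTS.get(recipient)
    if allowed is None:
        return "DUNNO"  # not a restricted list, later restrictions decide
    # Assumption: with use_sasl_username=false the sender is identified by the
    # envelope address, which the SMTP client chooses freely.
    key = "sasl_username" if use_sasl_username else "sender"
    identity = attrib.get(key, "").lower()
    if not identity:
        return ("REJECT Access denied for not authenticated sender "
                "to restricted list %s" % recipient)
    if identity in allowed:
        return "DUNNO"
    return "REJECT Access denied for %s to restricted list %s" % (identity, recipient)

def respond(raw, use_sasl_username=True):
    """Build the reply Postfix expects: 'action=...' followed by an empty line."""
    return "action=%s\n\n" % decide(parse_request(raw), use_sasl_username)

# Constructed request mirroring the debug log above: local submission from
# 127.0.0.1 without SMTP AUTH, so sasl_username is empty.
SAMPLE = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=127.0.0.1\nsasl_username=\n"
    "sender=testuser@domain.com\nrecipient=all@domain.com\n\n"
)

if __name__ == "__main__":
    print(respond(SAMPLE, use_sasl_username=True), end="")   # rejected
    print(respond(SAMPLE, use_sasl_username=False), end="")  # passed on
```

In this model the second result depends only on the envelope sender, which is not authenticated, so with the SASL check disabled the restriction is only as strong as the controls on who can submit mail without authentication.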
