Check authenticated user/identity before sending

In my

/etc/e-smith/events/nethserver-mail-server-update

there’s only the directory structure, no files with code

=====

[root@mail nethserver-mail-server-update]# ls -lR
.:
total 0
drwxr-xr-x 2 root root  6 Mar 19 11:04 services2adjust
drwxr-xr-x 4 root root 28 Mar 19 11:01 templates2expand

./services2adjust:
total 0

./templates2expand:
total 0
drwxr-xr-x 8 root root 90 Mar 19 11:04 etc
drwxr-xr-x 3 root root 17 Mar 19 11:01 var

./templates2expand/etc:
total 0
drwxr-xr-x 2 root root  6 Mar 19 11:04 amavisd
drwxr-xr-x 2 root root  6 Mar 19 11:04 dovecot
drwxr-xr-x 2 root root  6 Mar 19 11:04 pam.d
drwxr-xr-x 3 root root 21 Mar 19 11:01 pki
drwxr-xr-x 2 root root  6 Mar 19 11:04 postfix
drwxr-xr-x 3 root root 20 Mar 19 11:01 systemd

./templates2expand/etc/amavisd:
total 0

./templates2expand/etc/dovecot:
total 0

./templates2expand/etc/pam.d:
total 0

./templates2expand/etc/pki:
total 0
drwxr-xr-x 4 root root 34 Mar 19 11:01 dovecot

./templates2expand/etc/pki/dovecot:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 certs
drwxr-xr-x 2 root root 6 Mar 19 11:04 private

./templates2expand/etc/pki/dovecot/certs:
total 0

./templates2expand/etc/pki/dovecot/private:
total 0

./templates2expand/etc/postfix:
total 0

./templates2expand/etc/systemd:
total 0
drwxr-xr-x 3 root root 31 Mar 19 11:01 system

./templates2expand/etc/systemd/system:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 dovecot.service.d

./templates2expand/etc/systemd/system/dovecot.service.d:
total 0

./templates2expand/var:
total 0
drwxr-xr-x 3 root root 24 Mar 19 11:01 lib

./templates2expand/var/lib:
total 0
drwxr-xr-x 3 root root 27 Mar 19 11:01 nethserver

./templates2expand/var/lib/nethserver:
total 0
drwxr-xr-x 2 root root 6 Mar 19 11:04 sieve-scripts

./templates2expand/var/lib/nethserver/sieve-scripts:
total 0

=====

[root@mail nethserver-mail2-server-update]# ls -lR
.:
total 0
lrwxrwxrwx 1 root root 39 Mar 19 11:04 S00initialize-default-databases -> ../actions/initialize-default-databases
lrwxrwxrwx 1 root root 48 Mar 19 11:04 S01nethserver-mail-default-domain-create -> ../actions/nethserver-mail-default-domain-create
lrwxrwxrwx 1 root root 41 Mar 19 11:04 S30nethserver-mail-postmap-update -> ../actions/nethserver-mail-postmap-update
lrwxrwxrwx 1 root root 46 Mar 19 11:04 S40nethserver-mail-create-opendkim-key -> ../actions/nethserver-mail-create-opendkim-key
lrwxrwxrwx 1 root root 38 Mar 19 11:04 S50nethserver-sssd-initkeytabs -> ../actions/nethserver-sssd-initkeytabs
lrwxrwxrwx 1 root root 51 Mar 19 11:04 S95nethserver-mail-server-init-system-users -> ../actions/nethserver-mail-server-init-system-users
lrwxrwxrwx 1 root root 42 Mar 19 11:04 S98nethserver-mail-server-init-acl -> ../actions/nethserver-mail-server-init-acl
drwxr-xr-x 2 root root 82 Mar 19 11:04 services2adjust
drwxr-xr-x 4 root root 28 Mar 19 11:04 templates2expand

./services2adjust:
total 20
-rw-r--r-- 1 root root 8 Mar  8 18:03 dnsmasq
-rw-r--r-- 1 root root 8 Mar  8 18:03 dovecot
-rw-r--r-- 1 root root 8 Mar  8 18:03 opendkim
-rw-r--r-- 1 root root 8 Mar  8 18:03 postfix
-rw-r--r-- 1 root root 8 Mar  8 18:03 rsyslog

./templates2expand:
total 0
drwxr-xr-x 8 root root 145 Mar 19 11:04 etc
drwxr-xr-x 3 root root  17 Mar 19 11:04 var

./templates2expand/etc:
total 0
-rw-r--r-- 1 root root   0 Mar  8 18:03 dnsmasq.conf
drwxr-xr-x 2 root root  85 Mar 19 11:04 dovecot
-rw-r--r-- 1 root root   0 Mar  8 18:03 hosts
drwxr-xr-x 2 root root  62 Mar 19 11:04 opendkim
-rw-r--r-- 1 root root   0 Mar  8 18:03 opendkim.conf
drwxr-xr-x 2 root root  28 Mar 19 11:04 pam.d
drwxr-xr-x 3 root root  21 Mar 19 11:04 pki
drwxr-xr-x 2 root root 114 Mar 22 09:46 postfix
drwxr-xr-x 3 root root  20 Mar 19 11:04 systemd

./templates2expand/etc/dovecot:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 deny.passwd
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot.conf
-rw-r--r-- 1 root root 0 Mar  8 18:03 master-users
-rw-r--r-- 1 root root 0 Mar  8 18:03 quota.passwd

./templates2expand/etc/opendkim:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 KeyTable
-rw-r--r-- 1 root root 0 Mar  8 18:03 SigningTable
-rw-r--r-- 1 root root 0 Mar  8 18:03 TrustedHosts

./templates2expand/etc/pam.d:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot-master

./templates2expand/etc/pki:
total 0
drwxr-xr-x 4 root root 34 Mar 19 11:04 dovecot

./templates2expand/etc/pki/dovecot:
total 0
drwxr-xr-x 2 root root 25 Mar 19 11:04 certs
drwxr-xr-x 2 root root 25 Mar 19 11:04 private

./templates2expand/etc/pki/dovecot/certs:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot.pem

./templates2expand/etc/pki/dovecot/private:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot.pem

./templates2expand/etc/postfix:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 internal_access
-rw-r--r-- 1 root root 0 Mar  8 18:03 main.cf
-rw-r--r-- 1 root root 0 Mar  8 18:03 master.cf
-rw-r--r-- 1 root root 0 Mar  8 18:03 recipient_bcc
-rw-r--r-- 1 root root 0 Mar  8 18:03 transport
-rw-r--r-- 1 root root 0 Mar  8 18:03 virtual

./templates2expand/etc/systemd:
total 0
drwxr-xr-x 3 root root 31 Mar 19 11:04 system

./templates2expand/etc/systemd/system:
total 0
drwxr-xr-x 2 root root 25 Mar 19 11:04 dovecot.service.d

./templates2expand/etc/systemd/system/dovecot.service.d:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 limits.conf

./templates2expand/var:
total 0
drwxr-xr-x 3 root root 24 Mar 19 11:04 lib

./templates2expand/var/lib:
total 0
drwxr-xr-x 3 root root 27 Mar 19 11:04 nethserver

./templates2expand/var/lib/nethserver:
total 0
drwxr-xr-x 2 root root 26 Mar 19 11:04 sieve-scripts

./templates2expand/var/lib/nethserver/sieve-scripts:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 before.sieve

don’t get confused, I was talking about nethserver-mail-server-save

[root@ns7dev6 ~]# ll -R /etc/e-smith/events/nethserver-mail-server-save/
/etc/e-smith/events/nethserver-mail-server-save/:
total 0
lrwxrwxrwx 1 root root 41 Mar 18 11:15 S30nethserver-mail-postmap-update -> ../actions/nethserver-mail-postmap-update
lrwxrwxrwx 1 root root 39 Mar 18 11:15 S95nethserver-mail-quota-recalc -> ../actions/nethserver-mail-quota-recalc
drwxr-xr-x 2 root root 36 Mar 18 11:15 services2adjust
drwxr-xr-x 4 root root 28 Mar 18 11:15 templates2expand

/etc/e-smith/events/nethserver-mail-server-save/services2adjust:
total 8
-rw-r--r-- 1 root root 7 Mar  8 18:03 dovecot
-rw-r--r-- 1 root root 7 Mar  8 18:03 postfix

/etc/e-smith/events/nethserver-mail-server-save/templates2expand:
total 0
drwxr-xr-x 6 root root 86 Mar 18 11:15 etc
drwxr-xr-x 3 root root 17 Mar 18 11:15 var

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc:
total 0
drwxr-xr-x 2 root root 65 Mar 18 11:15 dovecot
drwxr-xr-x 2 root root 62 Mar 18 11:15 opendkim
-rw-r--r-- 1 root root  0 Mar  8 18:03 opendkim.conf
drwxr-xr-x 2 root root 28 Mar 18 11:15 pam.d
drwxr-xr-x 2 root root 97 Mar 18 11:15 postfix

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/dovecot:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 deny.passwd
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot.conf
-rw-r--r-- 1 root root 0 Mar  8 18:03 quota.passwd

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/opendkim:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 KeyTable
-rw-r--r-- 1 root root 0 Mar  8 18:03 SigningTable
-rw-r--r-- 1 root root 0 Mar  8 18:03 TrustedHosts

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/pam.d:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 dovecot-master

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/etc/postfix:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 internal_access
-rw-r--r-- 1 root root 0 Mar  8 18:03 main.cf
-rw-r--r-- 1 root root 0 Mar  8 18:03 recipient_bcc
-rw-r--r-- 1 root root 0 Mar  8 18:03 transport
-rw-r--r-- 1 root root 0 Mar  8 18:03 virtual

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var:
total 0
drwxr-xr-x 3 root root 24 Mar 18 11:15 lib

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var/lib:
total 0
drwxr-xr-x 3 root root 27 Mar 18 11:15 nethserver

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var/lib/nethserver:
total 0
drwxr-xr-x 2 root root 26 Mar 18 11:15 sieve-scripts

/etc/e-smith/events/nethserver-mail-server-save/templates2expand/var/lib/nethserver/sieve-scripts:
total 0
-rw-r--r-- 1 root root 0 Mar  8 18:03 before.sieve

I made a mistake

yes you can use

signal-event nethserver-mail2-server-update

or

nethserver-mail-server-save


I’ve replied to the command that @giacomo wrote in his post.

signal-event nethserver-mail-server-update

That command doesn’t work for me with rspamd module installed, so I’ve found why.


Too many commands :slight_smile:

Ok, after some other tests it seems that Roundcube and Webtop don’t use SMTP authentication (with the credentials submitted at login) to send mail, so the configuration doesn’t work.

Is it possible to enable SMTP authentication for sending mail in Webtop and Roundcube?

If you need more than one user to be able to use the same email address, enter the users separated by commas.

For example, if you want users u1, u2 and u3 to be able to send as marketing@local.neth.eu:

u1@local.neth.eu u1
u2@local.neth.eu u2
marketing@local.neth.eu u1, u2, u3
@local.neth.eu u2

With the latest version of Webtop it now seems YES:

These should be the commands to enable outgoing authentication on webtop:

http://docs.nethserver.org/en/v7/webtop5.html#smtp-setting

But I haven’t tried.

we could use pcre and simplify the code a lot

# cat /etc/e-smith/templates-custom/etc/postfix/master.cf/40restrictions
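{
    # Custom template fragment for /etc/postfix/master.cf (40restrictions).
    # It appends two "-o" overrides to the option list of the smtpd service
    # that @submission_smtpd_options feeds (presumably the submission
    # listener; the array itself is declared in another fragment):
    #   - reject a MAIL FROM address that the authenticated SASL login is
    #     not allowed to use,
    #   - look the allowed login names up in the pcre login map.
    # Plain ASCII single quotes are required here: the typographic ‘…’
    # pair in the pasted version is not a Perl string delimiter and makes
    # the fragment fail to compile.
    push @submission_smtpd_options, 'smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch';
    push @submission_smtpd_options, 'smtpd_sender_login_maps=pcre:/etc/postfix/login_maps.pcre';

    # Evaluate to the empty string so the block itself emits nothing.
    '';
}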

then

# cat  /etc/postfix/login_maps.pcre
# Postfix smtpd_sender_login_maps table (pcre): the key is the MAIL FROM
# address, the value is the SASL login name(s) allowed to use it.
# Catch-all rule: every sender address is mapped to itself, so the sender
# address has to correspond to the authenticated login name.
/^(.*)$/   ${1}

# Example of restricting the rule to one specific domain (kept disabled).
#/^(.*)@nethservertest.org\.org$/   ${1}

and

signal-event nethserver-mail-server-update

the tests with curl are good, but indeed SOGo and roundcubemail do not respect the policy :frowning:


With roundcubemail we could try this

// Set identities access level:
// 0 - many identities with possibility to edit all params
// 1 - many identities with possibility to edit all params but not email address
// 2 - one identity with possibility to edit all params
// 3 - one identity with possibility to edit all params but not email address
// 4 - one identity with possibility to edit only signature
// Note: this only limits which From addresses a user can configure in the
// webmail UI; the server-side enforcement stays with Postfix's
// smtpd_sender_login_maps (see the login map earlier in the thread).
$config['identities_level'] = 0;

$config['identities_level'] = 4; is a good security choice

Of course this won’t work nicely with our configuration with only one domain name and the domain alias

cc @saitobenkei cc @giacomo cc @davidep


I’m not sure the regexp is enough

Is it possible to make a template of /etc/postfix/smtpd_sender_login_maps by expanding the pseudonym records?

As a rule of thumb the db format is

<key> <TAB> <Account  prop>

The Account prop should be filtered, ignoring “external” addresses…

works well at first tests

Do you think Postfix SASL authentication is aware of pseudonyms? In the end I am sure we want a way here to banish them and allow only the user@firstDomain.com email address. At least that is what roundcubemail and SOGo display as the user’s email address.

For example,

  • user: first.user@example.com
  • pseudonym: info@example.com → first.user@example.com

The user wants to send a message as first.user@example.com: it works for both first.user@example.com and first.user SMTP/AUTH login names.

But, if the user wants to send a message as info@example.com the regexp does not match.

The regexp is a good generic/fallback rule but we need a table where this record exists too:

info@example.com     first.user@example.com,first.user

I’d like to simplify the table, by not requiring ,first.user too… :thinking:


we can force roundcubemail to use sasl=login

-$config['smtp_server'] = '127.0.0.1';
+$config['smtp_server'] = 'tls://127.0.0.1';

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
-$config['smtp_user'] = '';
+$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
-$config['smtp_pass'] = '';
+$config['smtp_pass'] = '%p';

// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
-$config['smtp_auth_type'] = '';
+$config['smtp_auth_type'] = 'LOGIN';
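Review bot: Pinning `smtp_auth_type` to `'LOGIN'` together with `smtp_user = '%u'` and `smtp_pass = '%p'` means Roundcube re-sends the user's own login password to Postfix for every message, and the LOGIN mechanism only base64-encodes it, so this is acceptable only because `smtp_server` is `'tls://127.0.0.1'` with port 587 (STARTTLS); the `tls://` prefix must not be dropped from this snippet. Unless there is a specific reason to force LOGIN, leaving `$config['smtp_auth_type'] = '';` keeps the "best server supported one" negotiation described in the comment above it. The snippet is an excerpt of the Roundcube config, so the surrounding defaults are not visible here.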

after that we must respect the smtpd_sender_login_maps

workable with pseudonym @davidep :slight_smile:

I did and it is ok

Dec 13 17:23:01 ns7loc14 postfix/smtpd[5997]: connect from localhost[127.0.0.1]
Dec 13 17:23:03 ns7loc14 postfix/smtpd[5997]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 553 5.7.1 <zorro@nethservertest.org>: Sender address rejected: not owned by user stephane@nethservertest.org; from=<zorro@nethservertest.org> to=<stephane@nethservertest.org> proto=ESMTP helo=<ns7loc14.nethservertest.org>
Dec 13 17:23:03 ns7loc14 postfix/smtpd[5997]: disconnect from localhost[127.0.0.1]

with the smtpd_sender_login_maps only known identities are allowed (pseudonym or real account)

https://sogo.nu/bugs/view.php?id=31

no TLS/SSL encryption in SOGO :cry:

A workaround is to use stunnel :frowning:

@mark_nl what do you think? We need TLS to authenticate with SASL; at least my first tries without it failed.

Sorry, do not know what this is about… Will try to understand / read-in soon :hushed:


We want to follow a strict policy for the sender address and allow only the correct From address. The challenge here is that SOGo does not allow sending email with SASL authentication over TLS…

Either I am wrong (please shoot), or it is really incredible :smiley:

when you add : SOGoSMTPAuthenticationType = PLAIN;

you cannot send email anymore, until you modify your postfix configuration:

-smtpd_tls_auth_only = yes
+smtpd_tls_auth_only = no
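Review bot: Setting `smtpd_tls_auth_only = no` in the global configuration allows SASL AUTH over an unencrypted session on every Postfix listener, not only on the loopback connection SOGo uses, so LAN and Internet clients can also end up sending credentials in cleartext. If SOGo really cannot do STARTTLS (the bug linked above), keep the global value at `yes` and grant the exception only to a dedicated master.cf service bound to the loopback address, e.g. (port chosen as an example) `127.0.0.1:10587 inet n - n - - smtpd` followed by `-o smtpd_tls_auth_only=no`, and point SOGo at that port; the stunnel workaround mentioned earlier avoids the exception entirely. Afterwards verify that a plain `EHLO` on the public ports still does not advertise `250-AUTH` before STARTTLS.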

and you restart the service

But doesn’t SOGo’s SMTP connect to the same server (127.0.0.1) to send mail? Is it really necessary to use TLS/SSL?


I think so yes :cry: