From f0062e5d6ece54359ddccc9b60e8d44f2f802ed5 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Mon, 23 Nov 2020 10:00:08 +0100
Subject: [PATCH] Update to 2020-11-23 10:00
---
 .../files/zmpostfixpolicyd_recipient_delim.patch | 97 ++++++++++++++++++++++
 roles/zimbra/tasks/main.yml | 1 +
 roles/zimbra/tasks/mta.yml | 7 ++
 3 files changed, 105 insertions(+)
 create mode 100644 roles/zimbra/files/zmpostfixpolicyd_recipient_delim.patch
diff --git a/roles/zimbra/files/zmpostfixpolicyd_recipient_delim.patch b/roles/zimbra/files/zmpostfixpolicyd_recipient_delim.patch
new file mode 100644
index 0000000..5f28d7f
--- /dev/null
+++ b/roles/zimbra/files/zmpostfixpolicyd_recipient_delim.patch
@@ -0,0 +1,97 @@
+--- /opt/zimbra/libexec/zmpostfixpolicyd.bak 2019-07-18 21:24:39.000000000 +0200
++++ /opt/zimbra/libexec/zmpostfixpolicyd 2020-11-22 17:07:32.387815282 +0100
+@@ -30,7 +30,7 @@
+ my $syslog_facility="mail";
+ my $syslog_options="pid";
+ our $syslog_priority="info";
+-our ($verbose, %attr, @ldap_url, $ldap_starttls_supported, $postfix_pw);
++our ($verbose, %attr, @ldap_url, $ldap_starttls_supported, $postfix_pw, $zimbra_pw, $delim_re);
+ my ($option, $action, $ldap_url, @val);
+ 
+ $ENV{'HOME'}='/opt/zimbra';
+@@ -43,14 +43,17 @@
+ chomp ($ldap_starttls_supported);
+ $postfix_pw = $localxml->{key}->{ldap_postfix_password}->{value};
+ chomp($postfix_pw);
++$zimbra_pw = $localxml->{key}->{zimbra_ldap_password}->{value};
++chomp($zimbra_pw);
+ $ldap_url = $localxml->{key}->{ldap_url}->{value};
+ chomp($ldap_url);
+ @ldap_url = split / /, $ldap_url;
+ 
+ sub smtpd_access_policy {
+- my($domain, $ldap, $mesg, $user, $daddr, @attrs, $result);
++ my($domain, $ldap, $mesg, $user, $canon_user, $daddr, @attrs, $result);
+ $daddr = lc $attr{recipient};
+ ($user, $domain) = split /\@/, lc $attr{recipient};
++ $canon_user = (defined $delim_re) ? (split /$delim_re/, $user)[0] : $user;
+ syslog $syslog_priority, "Recipient Domain: %s", $domain if $verbose;
+ syslog $syslog_priority, "Recipient userid: %s", $user if $verbose;
+ foreach my $url (@ldap_url) {
+@@ -90,8 +93,9 @@
+ $mesg = $ldap->search_s(
+ "",
+ LDAP_SCOPE_SUBTREE,
+- "(&(|(zimbraMailDeliveryAddress=$user"."$robject)(zimbraMailDeliveryAddress=$daddr)(zimbraMailAlias=$user".
+- "$robject)(zimbraMailAlias=$daddr)(zimbraMailCatchAllAddress=$user"."$robject)(zimbraMailCatchAllAddress=$robject)".
++ "(&(|(zimbraMailDeliveryAddress=$user"."$robject)(zimbraMailDeliveryAddress=$canon_user"."$robject)".
++ "(zimbraMailDeliveryAddress=$daddr)(zimbraMailAlias=$user"."$robject)(zimbraMailAlias=$daddr)".
++ "(zimbraMailCatchAllAddress=$user"."$robject)(zimbraMailCatchAllAddress=$robject)".
+ "(zimbraMailCatchAllAddress=$daddr))(zimbraMailStatus=enabled))",
+ \@attrs,
+ 0,
+@@ -140,6 +144,54 @@
+ #
+ select((select(STDOUT), $| = 1)[0]);
+ 
++# Try to get recipient delimiter, if defined
++# This will allow checking for valid recipient on alias domains
++# even for recipient using delimiter. Eg user+foobar@alias.example.org
++# will correctly check if user@example.org is valid
++my ($ldap, $mesg, @attrs, $result);
++foreach my $url (@ldap_url) {
++ $ldap=Net::LDAPapi->new(-url=>$url);
++ if ( $ldap_starttls_supported ) {
++ $mesg = $ldap->start_tls_s();
++ if ($mesg != 0) {
++ next;
++ }
++ }
++ $mesg = $ldap->bind_s("uid=zimbra,cn=admins,cn=zimbra",$zimbra_pw);
++ if ($mesg != 0) {
++ next;
++ } else {
++ last;
++ }
++}
++if ($mesg == 0){
++ @attrs=('zimbraMtaRecipientDelimiter');
++ $mesg = $ldap->search_s(
++ "",
++ LDAP_SCOPE_SUBTREE,
++ "(&(cn=config)(objectClass=zimbraGlobalConfig))",
++ \@attrs,
++ 0,
++ $result
++ );
++ my $ent = $ldap->first_entry();
++ if ($ent != 0){
++ my $delim = ($ldap->get_values('zimbraMtaRecipientDelimiter'))[0];
++ if ($delim ne ''){
++ $delim_re = qr{[$delim]};
++ syslog $syslog_priority, "Recipient delimiter regex is $delim_re" if $verbose;
++ } else {
++ syslog $syslog_priority, "Recipient delimiter is an empty string so it won't be used" if $verbose;
++ }
++ } else {
++ syslog $syslog_priority, "Recipient delimiter not found" if $verbose;
++ }
++ # Unbind, everything else will bind with the postfix LDAP user
++ $ldap->unbind;
++} else {
++ syslog $syslog_priority, "Couldn't bind with zimbra account, recipient delimiter won't be used" if $verbose;
++}
++
+ #
+ # Receive a bunch of attributes, evaluate the policy, send the result.
+ #
diff --git a/roles/zimbra/tasks/main.yml b/roles/zimbra/tasks/main.yml
index fc108d3..4cb2041 100644
--- a/roles/zimbra/tasks/main.yml
+++ b/roles/zimbra/tasks/main.yml
@@ -13,6 +13,7 @@ - tar - MySQL-python - perl-JSON + - patch tags: zcs - name: Check if zimbra is installed
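Review bot: The startup block added in the `@@ -140,6 +144,54 @@` hunk binds as `uid=zimbra,cn=admins,cn=zimbra` with `zimbra_ldap_password` pulled from localconfig, so the policy daemon that postfix spawns now holds the Zimbra admin LDAP credential in memory just to read one global-config attribute, while every other lookup in this script uses the restricted `ldap_postfix_password` account. If the postfix account can read `zimbraMtaRecipientDelimiter` on `cn=config` (worth confirming with an `ldapsearch` bound as that account), bind with `$postfix_pw` here and drop `$zimbra_pw` entirely; if it genuinely cannot, say so in the comment above the block so the privilege step-up is deliberate. Separately, `$delim_re = qr{[$delim]};` interpolates the admin-supplied delimiter into a character class unescaped, so a value containing `]`, `\` or `^` yields a wrong or invalid pattern — `$delim_re = qr{[\Q$delim\E]};` is the safe form. The new `$canon_user` is also spliced into the LDAP filter string with the same lack of RFC 4515 escaping as the existing `$user`/`$daddr` (a local part containing `*` or `)` would change the filter's meaning unless postfix has already rejected it), so a small escape helper applied to all three would close that in one place. The `smtpd_access_policy` sub and the script's main loop both continue outside this hunk.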
diff --git a/roles/zimbra/tasks/mta.yml b/roles/zimbra/tasks/mta.yml
index a3a762c..221954f 100644
--- a/roles/zimbra/tasks/mta.yml
+++ b/roles/zimbra/tasks/mta.yml
@@ -13,6 +13,13 @@ changed_when: False tags: zcs +- name: Patch zmpostfixpolicyd to support recipient delimiter + patch: + src: zmpostfixpolicyd_recipient_delim.patch + dest: /opt/zimbra/libexec/zmpostfixpolicyd + notify: restart zimbra + tags: zcs + - name: Handle Zimbra mta ports iptables_raw: name: zcs_mta_ports
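Review bot: The `patch` task applies a diff cut against one specific upstream `zmpostfixpolicyd` (the patch header dates it 2019-07-18) to a vendor-owned path that every Zimbra upgrade rewrites, and GNU patch applies with fuzz and offsets by default, so a drifted target can end up with a half-applied script that only surfaces when postfix next queries the policy service. A compile check right after it would fail the play at deploy time instead, e.g. `- name: Verify patched zmpostfixpolicyd compiles` / `command: perl -c /opt/zimbra/libexec/zmpostfixpolicyd` with `changed_when: False` (run under Zimbra's Perl environment if the script's modules are not on the system path). `notify: restart zimbra` also appears to restart the whole stack for a change to one MTA helper; if the role has a narrower MTA-only restart handler, it would be the better target here.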