 
 
 
 
 
 


--- /opt/zimbra/libexec/zmpostfixpolicyd.bak 2019-07-18 21:24:39.000000000 +0200
+++ /opt/zimbra/libexec/zmpostfixpolicyd 2020-11-22 17:07:32.387815282 +0100
@@ -30,7 +30,7 @@
my $syslog_facility="mail";
my $syslog_options="pid";
our $syslog_priority="info";
-our ($verbose, %attr, @ldap_url, $ldap_starttls_supported, $postfix_pw);
+our ($verbose, %attr, @ldap_url, $ldap_starttls_supported, $postfix_pw, $zimbra_pw, $delim_re);
my ($option, $action, $ldap_url, @val);
$ENV{'HOME'}='/opt/zimbra';
@@ -43,14 +43,17 @@
chomp ($ldap_starttls_supported);
$postfix_pw = $localxml->{key}->{ldap_postfix_password}->{value};
chomp($postfix_pw);
+$zimbra_pw = $localxml->{key}->{zimbra_ldap_password}->{value};
+chomp($zimbra_pw);
$ldap_url = $localxml->{key}->{ldap_url}->{value};
chomp($ldap_url);
@ldap_url = split / /, $ldap_url;
sub smtpd_access_policy {
- my($domain, $ldap, $mesg, $user, $daddr, @attrs, $result);
+ my($domain, $ldap, $mesg, $user, $canon_user, $daddr, @attrs, $result);
$daddr = lc $attr{recipient};
($user, $domain) = split /\@/, lc $attr{recipient};
+ $canon_user = (defined $delim_re) ? (split /$delim_re/, $user)[0] : $user;
syslog $syslog_priority, "Recipient Domain: %s", $domain if $verbose;
syslog $syslog_priority, "Recipient userid: %s", $user if $verbose;
foreach my $url (@ldap_url) {
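Review bot: When the local part begins with the delimiter (e.g. `+tag@alias.example.org`), `(split /$delim_re/, $user)[0]` on the added line is the empty string, so the extra filter term built later degenerates to the bare domain; a fallback to `$user` keeps the lookup meaningful, e.g. `$canon_user = defined $delim_re ? (split /$delim_re/, $user, 2)[0] : $user;` followed by `$canon_user = $user unless defined $canon_user && length $canon_user;` (the limit of 2 also stops splitting once the first field is known). A verbose syslog line for `$canon_user` next to the existing `Recipient userid` line would make the new lookup visible when debugging. smtpd_access_policy continues past the end of this hunk.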
@@ -90,8 +93,9 @@
$mesg = $ldap->search_s(
"",
LDAP_SCOPE_SUBTREE,
- "(&(|(zimbraMailDeliveryAddress=$user"."$robject)(zimbraMailDeliveryAddress=$daddr)(zimbraMailAlias=$user".
- "$robject)(zimbraMailAlias=$daddr)(zimbraMailCatchAllAddress=$user"."$robject)(zimbraMailCatchAllAddress=$robject)".
+ "(&(|(zimbraMailDeliveryAddress=$user"."$robject)(zimbraMailDeliveryAddress=$canon_user"."$robject)".
+ "(zimbraMailDeliveryAddress=$daddr)(zimbraMailAlias=$user"."$robject)(zimbraMailAlias=$daddr)".
+ "(zimbraMailCatchAllAddress=$user"."$robject)(zimbraMailCatchAllAddress=$robject)".
"(zimbraMailCatchAllAddress=$daddr))(zimbraMailStatus=enabled))",
\@attrs,
0,
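Review bot: `$canon_user` joins `$user` and `$daddr` as an unescaped interpolation into the search filter on the first added line, and all three derive from the recipient in the Postfix policy request, i.e. SMTP envelope data, so a local part containing `(`, `)`, `*` or `\` changes the filter's structure instead of being matched literally. Escaping per RFC 4515 before the filter is assembled, e.g. `s/([\\()*\x00])/sprintf('\\%02x', ord $1)/ge for ($user, $canon_user, $daddr);`, keeps the lookup an exact match; if `$user` is needed unescaped further down (the function continues outside the hunk), escape copies instead. Separately, the new term checks only `zimbraMailDeliveryAddress` for `$canon_user`, so an account that carries the alias-domain address as a `zimbraMailAlias` would presumably still be rejected when a delimiter is used; if that case matters, add `(zimbraMailAlias=$canon_user$robject)` too. When no delimiter is configured `$canon_user eq $user` and the new term merely duplicates the first one, which is harmless.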
@@ -140,6 +144,54 @@
#
select((select(STDOUT), $| = 1)[0]);
+# Try to get recipient delimiter, if defined
+# This will allow checking for valid recipient on alias domains
+# even for recipient using delimiter. Eg user+foobar@alias.example.org
+# will correctly check if user@example.org is valid
+my ($ldap, $mesg, @attrs, $result);
+foreach my $url (@ldap_url) {
+ $ldap=Net::LDAPapi->new(-url=>$url);
+ if ( $ldap_starttls_supported ) {
+ $mesg = $ldap->start_tls_s();
+ if ($mesg != 0) {
+ next;
+ }
+ }
+ $mesg = $ldap->bind_s("uid=zimbra,cn=admins,cn=zimbra",$zimbra_pw);
+ if ($mesg != 0) {
+ next;
+ } else {
+ last;
+ }
+}
+if ($mesg == 0){
+ @attrs=('zimbraMtaRecipientDelimiter');
+ $mesg = $ldap->search_s(
+ "",
+ LDAP_SCOPE_SUBTREE,
+ "(&(cn=config)(objectClass=zimbraGlobalConfig))",
+ \@attrs,
+ 0,
+ $result
+ );
+ my $ent = $ldap->first_entry();
+ if ($ent != 0){
+ my $delim = ($ldap->get_values('zimbraMtaRecipientDelimiter'))[0];
+ if ($delim ne ''){
+ $delim_re = qr{[$delim]};
+ syslog $syslog_priority, "Recipient delimiter regex is $delim_re" if $verbose;
+ } else {
+ syslog $syslog_priority, "Recipient delimiter is an empty string so it won't be used" if $verbose;
+ }
+ } else {
+ syslog $syslog_priority, "Recipient delimiter not found" if $verbose;
+ }
+ # Unbind, everything else will bind with the postfix LDAP user
+ $ldap->unbind;
+} else {
+ syslog $syslog_priority, "Couldn't bind with zimbra account, recipient delimiter won't be used" if $verbose;
+}
+
#
# Receive a bunch of attributes, evaluate the policy, send the result.
#
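Review bot: The delimiter read from LDAP is interpolated unescaped into a character class at `$delim_re = qr{[$delim]};`, so a value containing `]`, `\` or a leading `^` either fails to compile or changes meaning; `$delim_re = qr{[\Q$delim\E]};` keeps every character literal. The preceding `if ($delim ne '')` also warns and falls through when the attribute is absent, since `get_values` then yields undef, so `if (defined $delim && $delim ne '') {` covers both cases. If `@ldap_url` is empty, `$mesg` stays undef, `if ($mesg == 0)` is true and `$ldap->search_s` is called on an undefined handle, which would kill the daemon at startup; `if (defined $ldap && defined $mesg && $mesg == 0) {` avoids that. This block also loads `zimbra_ldap_password` and binds as `uid=zimbra,cn=admins,cn=zimbra` only to read one global-config attribute; if the postfix LDAP user that the rest of the daemon already binds with can read `zimbraMtaRecipientDelimiter`, reusing it would keep the admin credential out of this process. A comment such as `# Read once at startup; a changed delimiter requires restarting the policy daemon` would help operators, since nothing here re-reads the value.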