Re: check_recipient_access, regexp and case sensitivity

  • Viktor Dukhovni
    Message 1 of 6 , Mar 25, 2013
      On Mon, Mar 25, 2013 at 05:44:45PM +0100, Fabio Sangiovanni wrote:

      > Hi, thanks for your answer. I'm sorry but I can't get the point here.
      > I *want* case sensitive matching. To me, the manual says that, due
      > to the fact that insensitive matching is on by default, one should
      > append the flag to the pattern in order to "toggle the behaviour",
      > that is: to turn insensitive matching off.

      Correct.

      > $ postmap -q 'test@...' \
      > regexp:/etc/postfix/check_recipient_access.regexp
      > REJECT wrong format
      >
      > while:
      > $ postmap -q 'tEsT@...' \
      > regexp:/etc/postfix/check_recipient_access.regexp
      > <no output>

      -f Do not fold the lookup key to lower case while creating or
      querying a table.

      With Postfix version 2.3 and later, this option has no effect
      for regular expression tables. There, case folding is controlled
      by appending a flag to a pattern.

      So your case-insensitive lookups are working.

      > This behaviour is correct, but I can't get it using the restriction
      > in postfix.

      The Postfix table layer is at the mercy of any upstream rewriting.
      Are you sure your input address is not mapped to lower case upstream?

      --
      Viktor.
    • Fabio Sangiovanni
      Message 2 of 6 , Mar 26, 2013
        Viktor Dukhovni <postfix-users <at> dukhovni.org> writes:

        > Sorry, I don't do pastebins. If you want help include the relevant
        > information in your message.

        Relevant (long piece of) information included at the end of this message :)
         
        > Addresses used in access checks are case folded in Postfix upstream
        > of the access table. The original address goes into the queue file,
        > but access checks use case folded addresses.

        Is it maybe the case to update the documentation, then? I can't find this
        thing anywhere. Plus (from http://www.postfix.org/access.5.html):

        CASE FOLDING
               The search string is folded to lowercase  before  database
               lookup.  As  of Postfix 2.3, the search string is not case
               folded with database types such as regexp: or pcre:  whose
               lookup fields can match both upper and lower case.

        There's no mention of special treatment for mail addresses as far as I can see :(

        Thanks for your help.

        Fabio


        [previously linked to pastebin]

        [root@postfixhost postfix]# postconf -m
        btree
        cidr
        environ
        hash
        ldap
        mysql
        nis
        pcre
        proxy
        regexp
        static
        unix


        [root@postfixhost log]# postconf -n
        alias_database = hash:/etc/aliases
        alias_maps = hash:/etc/aliases
        allow_min_user = yes
        command_directory = /usr/sbin
        config_directory = /etc/postfix
        daemon_directory = /usr/libexec/postfix
        data_directory = /var/lib/postfix
        debug_peer_level = 2
        disable_vrfy_command = yes
        html_directory = no
        inet_interfaces = 10.0.0.1
        inet_protocols = ipv4
        local_recipient_maps =
        local_transport = error:local delivery is disabled
        mail_owner = postfix
        mailq_path = /usr/bin/mailq.postfix
        manpage_directory = /usr/share/man
        message_size_limit = 27962028
        mydestination =
        mydomain = domain.tld
        myhostname = mx.domain.tld
        mynetworks =
            127.0.0.0/8,
            10.0.0.0/8
        newaliases_path = /usr/bin/newaliases.postfix
        parent_domain_matches_subdomains =
            debug_peer_list,
            fast_flush_domains,
            mynetworks,
            permit_mx_backup_networks,
            qmqpd_authorized_clients
        queue_directory = /var/spool/postfix
        readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
        relay_domains = domain.tld
        relay_recipient_maps =
        relay_transport = relay:[10.0.0.2]
        sample_directory = /usr/share/doc/postfix-2.6.6/samples
        sendmail_path = /usr/sbin/sendmail.postfix
        setgid_group = postdrop
        smtpd_banner = $myhostname ESMTP Service Ready
        smtpd_discard_ehlo_keywords = dsn
        smtpd_helo_required = yes
        smtpd_recipient_restrictions =
            reject_non_fqdn_sender,
            reject_non_fqdn_recipient,
            reject_unknown_sender_domain,
            reject_unauth_destination,
            check_recipient_access regexp:/etc/postfix/check_recipient_access.regexp,
        unknown_local_recipient_reject_code = 550


        [root@postfixhost postfix]# cat /etc/postfix/check_recipient_access.regexp
        /^test@domain\.tld$/i    REJECT wrong format


        [root@postfixhost log]# cat /etc/postfix/master.cf
        #
        # Postfix master process configuration file.  For details on the format
        # of the file, see the master(5) manual page (command: "man 5 master").
        #
        # Do not forget to execute "postfix reload" after editing this file.
        #
        # ==========================================================================
        # service type  private unpriv  chroot  wakeup  maxproc command + args
        #               (yes)   (yes)   (yes)   (never) (100)
        # ==========================================================================
        smtp      inet  n       -       n       -       -       smtpd -v
        #submission inet n       -       n       -       -       smtpd
        #  -o smtpd_tls_security_level=encrypt
        #  -o smtpd_sasl_auth_enable=yes
        #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        #  -o milter_macro_daemon_name=ORIGINATING
        #smtps     inet  n       -       n       -       -       smtpd
        #  -o smtpd_tls_wrappermode=yes
        #  -o smtpd_sasl_auth_enable=yes
        #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        #  -o milter_macro_daemon_name=ORIGINATING
        #628      inet  n       -       n       -       -       qmqpd
        pickup    fifo  n       -       n       60      1       pickup
        cleanup   unix  n       -       n       -       0       cleanup
        qmgr      fifo  n       -       n       300     1       qmgr
        #qmgr     fifo  n       -       n       300     1       oqmgr
        tlsmgr    unix  -       -       n       1000?   1       tlsmgr
        rewrite   unix  -       -       n       -       -       trivial-rewrite
        bounce    unix  -       -       n       -       0       bounce
        defer     unix  -       -       n       -       0       bounce
        trace     unix  -       -       n       -       0       bounce
        verify    unix  -       -       n       -       1       verify
        flush     unix  n       -       n       1000?   0       flush
        proxymap  unix  -       -       n       -       -       proxymap
        proxywrite unix -       -       n       -       1       proxymap
        smtp      unix  -       -       n       -       -       smtp
        # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
        relay     unix  -       -       n       -       -       smtp
            -o smtp_fallback_relay=
        #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
        showq     unix  n       -       n       -       -       showq
        error     unix  -       -       n       -       -       error
        retry     unix  -       -       n       -       -       error
        discard   unix  -       -       n       -       -       discard
        local     unix  -       n       n       -       -       local
        virtual   unix  -       n       n       -       -       virtual
        lmtp      unix  -       -       n       -       -       lmtp
        anvil     unix  -       -       n       -       1       anvil
        scache    unix  -       -       n       -       1       scache
        #
        # ====================================================================
        # Interfaces to non-Postfix software. Be sure to examine the manual
        # pages of the non-Postfix software to find out what options it wants.
        #
        # Many of the following services use the Postfix pipe(8) delivery
        # agent.  See the pipe(8) man page for information about ${recipient}
        # and other message envelope options.
        # ====================================================================
        #
        # maildrop. See the Postfix MAILDROP_README file for details.
        # Also specify in main.cf: maildrop_destination_recipient_limit=1
        #
        #maildrop  unix  -       n       n       -       -       pipe
        #  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
        #
        # ====================================================================
        #
        # The Cyrus deliver program has changed incompatibly, multiple times.
        #
        #old-cyrus unix  -       n       n       -       -       pipe
        #  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
        #
        # ====================================================================
        #
        # Cyrus 2.1.5 (Amos Gouaux)
        # Also specify in main.cf: cyrus_destination_recipient_limit=1
        #
        #cyrus     unix  -       n       n       -       -       pipe
        #  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
        #
        # ====================================================================
        #
        # See the Postfix UUCP_README file for configuration details.
        #
        #uucp      unix  -       n       n       -       -       pipe
        #  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
        #
        # ====================================================================
        #
        # Other external delivery methods.
        #
        #ifmail    unix  -       n       n       -       -       pipe
        #  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
        #
        #bsmtp     unix  -       n       n       -       -       pipe
        #  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
        #
        #scalemail-backend unix -       n       n       -       2       pipe
        #  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
        #  ${nexthop} ${user} ${extension}
        #
        #mailman   unix  -       n       n       -       -       pipe
        #  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
        #  ${nexthop} ${user}


        [root@postfixhost postfix]# postmap -q 'test@...' regexp:/etc/postfix/check_recipient_access.regexp
        REJECT wrong format
        [root@postfixhost postfix]# postmap -q 'tEsT@...' regexp:/etc/postfix/check_recipient_access.regexp
        [root@postfixhost postfix]#


        [root@spauth-test ~]# telnet 10.0.0.1 25
        Trying 10.0.0.1...
        Connected to 10.0.0.1.
        Escape character is '^]'.
        220 mx.domain.tld ESMTP Service Ready
        ehlo my.host.name
        250-mx.domain.tld
        250-PIPELINING
        250-SIZE 27962028
        250-ETRN
        250-ENHANCEDSTATUSCODES
        250 8BITMIME
        mail from:<sangiovanni@...>
        250 2.1.0 Ok
        rcpt to:<test@...>
        554 5.7.1 <test@...>: Recipient address rejected: wrong format
        rcpt to:<tEsT@...>
        554 5.7.1 <tEsT@...>: Recipient address rejected: wrong format
        quit
        221 2.0.0 Bye
        Connection closed by foreign host.

        [...]
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: < unknown[10.0.0.3]: rcpt to:<tEsT@...>
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: extract_addr: input: <tEsT@...>
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: smtpd_check_addr: addr=tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: send attr request = rewrite
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: send attr rule = local
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: send attr address = tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: private/rewrite socket: wanted attribute: flags
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute name: flags
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute value: 0
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: private/rewrite socket: wanted attribute: address
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute name: address
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute value: tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: private/rewrite socket: wanted attribute: (list terminator)
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute name: (end)
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: rewrite_clnt: local: tEsT@... -> tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: send attr request = resolve
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: send attr sender =
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: send attr address = tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: private/rewrite socket: wanted attribute: flags
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute name: flags
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute value: 0
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: private/rewrite socket: wanted attribute: transport
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute name: transport
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute value: relay
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: private/rewrite socket: wanted attribute: nexthop
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute name: nexthop
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute value: [10.0.0.2]
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: private/rewrite socket: wanted attribute: recipient
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute name: recipient
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute value: tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: private/rewrite socket: wanted attribute: flags
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute name: flags
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute value: 2048
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: private/rewrite socket: wanted attribute: (list terminator)
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: input attribute name: (end)
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: resolve_clnt: `' -> `tEsT@...' -> transp=`relay' host=`[10.0.0.2]' rcpt=`tEsT@...' flags= class=relay
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: ctable_locate: install entry key tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: extract_addr: in: <tEsT@...>, result: tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: >>> START Recipient address RESTRICTIONS <<<
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: generic_checks: name=reject_non_fqdn_sender
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: reject_non_fqdn_address: sangiovanni@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: generic_checks: name=reject_non_fqdn_sender status=0
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: generic_checks: name=reject_non_fqdn_recipient
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: reject_non_fqdn_address: tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: generic_checks: name=reject_non_fqdn_recipient status=0
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: generic_checks: name=reject_unknown_sender_domain
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: reject_unknown_address: sangiovanni@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: ctable_locate: move existing entry key sangiovanni@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: reject_unknown_mailhost: valid.domain.tld
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: lookup valid.domain.tld type MX flags 0
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: dns_query: valid.domain.tld (MX): OK
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: dns_get_answer: type MX for valid.domain.tld
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: dns_get_answer: type MX for valid.domain.tld
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: generic_checks: name=reject_unknown_sender_domain status=0
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: generic_checks: name=reject_unauth_destination
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: reject_unauth_destination: tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: permit_auth_destination: tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: ctable_locate: move existing entry key tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: generic_checks: name=reject_unauth_destination status=0
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: generic_checks: name=check_recipient_access
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: check_mail_access: tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: ctable_locate: leave existing entry key tEsT@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: check_access: test@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: dict_regexp_lookup: /etc/postfix/check_recipient_access.regexp: test@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: check_table_result: regexp:/etc/postfix/check_recipient_access.regexp REJECT wrong format test@...
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: NOQUEUE: reject: RCPT from unknown[10.0.0.3]: 554 5.7.1 <tEsT@...>: Recipient address rejected: wrong format; from=<sangiovanni@...> to=<tEsT@...> proto=ESMTP helo=<my.host.name>
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: generic_checks: name=check_recipient_access status=2
        Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: > unknown[10.0.0.3]: 554 5.7.1 <tEsT@...>: Recipient address rejected: wrong format
        [...]
      • Viktor Dukhovni
        Message 3 of 6 , Mar 26, 2013
          On Tue, Mar 26, 2013 at 08:25:43PM +0100, Fabio Sangiovanni wrote:

          > > Addresses used in access checks are case folded in Postfix upstream
          > > of the access table. The original address goes into the queue file,
          > > but access checks use case folded addresses.
          >
          > Is it maybe the case to update the documentation, then? I can't find this
          > thing anywhere. Plus (from http://www.postfix.org/access.5.html):
          >
          > *CASE FOLDING*
          > The search string is folded to lowercase before database
          > lookup. As of Postfix 2.3, the search string is not case
          > folded with database types such as regexp <http://www.postfix.org/regexp_table.5.html>: or
          > pcre <http://www.postfix.org/pcre_table.5.html>: whose
          > lookup fields can match both upper and lower case.
          >
          >
          > There's no mention of special treatment for mail addresses as far as
          > I can see :(

          The postmap command no longer folds the case. However the access(5)
          layer of the SMTP server does. The tables are still case-sensitive
          if you wish when doing address rewriting with canonical(5),
          virtual(5), ...

          So perhaps the access(5) man-page (or else the code) needs to be updated,

          CASE FOLDING
          The search string is folded to lowercase before database lookup. As of
          Postfix 2.3, the search string is not case folded with database types
          such as regexp: or pcre: whose lookup fields can match both upper and
          lower case.

          > Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: <
          > unknown[10.0.0.3]: rcpt to:<tEsT@...>
          > ...
          > Mar 26 10:01:36 postfixhost postfix/smtpd[13886]: check_access:
          > test@...

          The address is case-folded before the lookup.

          > Mar 26 10:01:36 postfixhost postfix/smtpd[13886]:
          > dict_regexp_lookup: /etc/postfix/check_recipient_access.regexp:
          > test@...
          > Mar 26 10:01:36 postfixhost postfix/smtpd[13886]:
          > check_table_result:
          > regexp:/etc/postfix/check_recipient_access.regexp REJECT wrong
          > format test@...

          Naturally the result is what you expect with the case-folded key.

          --
          Viktor.
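
Added example (not part of the original thread and not Postfix code): a small Python model of the two lookup paths discussed above, showing why a `postmap -q` test and the live `check_recipient_access` result disagree for mixed-case addresses. Assumptions: only `/pattern/flags action` lines are parsed, Python's `re` stands in for POSIX regexps, and the `Sales@` rule and all function names are hypothetical.

```python
import re

# Constructed table: the first rule is the one quoted in the thread, the
# second is a hypothetical rule added to show the opposite failure.
TABLE = r"""
# pattern/flags            action
/^test@domain\.tld$/i      REJECT wrong format
/^Sales@domain\.tld$/i     REJECT hypothetical rule
"""

RULE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[imx]*)\s+(?P<action>.+)$")


def parse_table(text):
    """Parse '/pattern/flags action' lines (no if/endif, no !negation)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError("unsupported line: " + line)
        # Matching is case-insensitive by default; the 'i' flag toggles
        # that off, which makes the pattern case-sensitive.
        case_sensitive = "i" in m.group("flags")
        rx = re.compile(m.group("pat"), 0 if case_sensitive else re.IGNORECASE)
        rules.append((rx, m.group("action")))
    return rules


def postmap_query(rules, key):
    """Model of 'postmap -q': the key reaches the table unchanged."""
    for rx, action in rules:
        if rx.search(key):
            return action
    return None


def smtpd_access_check(rules, address):
    """Model of the access check in smtpd: the key is lower-cased first."""
    return postmap_query(rules, address.lower())


def divergences(rules, addresses):
    """Addresses where an offline postmap test disagrees with SMTP time."""
    out = []
    for addr in addresses:
        offline = postmap_query(rules, addr)
        live = smtpd_access_check(rules, addr)
        if offline != live:
            out.append((addr, offline, live))
    return out


if __name__ == "__main__":
    sample = ["test@domain.tld", "tEsT@domain.tld", "Sales@domain.tld"]
    for addr, offline, live in divergences(parse_table(TABLE), sample):
        print(f"{addr}: postmap -q -> {offline!r}, smtpd -> {live!r}")
```

In this model a case-sensitive rule whose pattern contains upper-case letters passes a `postmap -q` test yet never fires at RCPT time, because the folded key cannot match it.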