various cleanup related to the new permitted_senders column for aliases

setup/mail-users.sh

@@ -21,7 +21,7 @@ db_path=$STORAGE_ROOT/mail/users.sqlite
 if [ ! -f $db_path ]; then
 	echo Creating new user database: $db_path;
 	echo "CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, email TEXT NOT NULL UNIQUE, password TEXT NOT NULL, extra, privileges TEXT NOT NULL DEFAULT '');" | sqlite3 $db_path;
-	echo "CREATE TABLE aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT NOT NULL UNIQUE, receivers TEXT NOT NULL, senders TEXT NOT NULL);" | sqlite3 $db_path;
+	echo "CREATE TABLE aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, source TEXT NOT NULL UNIQUE, destination TEXT NOT NULL, permitted_senders TEXT);" | sqlite3 $db_path;
 fi
 
 # ### User Authentication
@@ -71,18 +71,23 @@ tools/editconf.py /etc/postfix/main.cf \
 
 # ### Sender Validation
 
-# Use a Sqlite3 database to set login maps. This is used with
-# reject_authenticated_sender_login_mismatch to see if the user is
-# allowed to send mail as the FROM address specified in the request.
+# We use Postfix's reject_authenticated_sender_login_mismatch filter to
+# prevent intra-domain spoofing by logged in but untrusted users in outbound
+# email. In all outbound mail (the sender has authenticated), the MAIL FROM
+# address (aka envelope or return path address) must be "owned" by the user
+# who authenticated. An SQL query will find who are the owners of any given
+# address.
 tools/editconf.py /etc/postfix/main.cf \
 	smtpd_sender_login_maps=sqlite:/etc/postfix/sender-login-maps.cf
 
-# SQL statement that returns a list of addresses/domains the logged in username
-# is allowed to send as. This is similar to virtual-alias-maps.cf (see below).
-# Matches from the users table take priority over (direct) aliases.
+# Postfix will query the exact address first, where the priority will be alias
+# records first, then user records. If there are no matches for the exact
+# address, then Postfix will query just the domain part, which we call
+# catch-alls and domain aliases. A NULL permitted_senders column means to
+# take the value from the destination column.
 cat > /etc/postfix/sender-login-maps.cf << EOF;
 dbpath=$db_path
-query = SELECT senders from (SELECT senders, 0 as priority FROM aliases WHERE address='%s' UNION SELECT email as senders, 1 as priority FROM users WHERE email='%s') ORDER BY priority LIMIT 1;
+query = SELECT permitted_senders FROM (SELECT permitted_senders, 0 AS priority FROM aliases WHERE source='%s' AND permitted_senders IS NOT NULL UNION SELECT destination AS permitted_senders, 1 AS priority FROM aliases WHERE source='%s' AND permitted_senders IS NULL UNION SELECT email as permitted_senders, 2 AS priority FROM users WHERE email='%s') ORDER BY priority LIMIT 1;
 EOF
 
 # ### Destination Validation
@@ -95,13 +100,13 @@ tools/editconf.py /etc/postfix/main.cf \
 	virtual_alias_maps=sqlite:/etc/postfix/virtual-alias-maps.cf \
 	local_recipient_maps=\$virtual_mailbox_maps
 
-# SQL statement to check if we handle mail for a domain, either for users or aliases.
+# SQL statement to check if we handle incoming mail for a domain, either for users or aliases.
 cat > /etc/postfix/virtual-mailbox-domains.cf << EOF;
 dbpath=$db_path
-query = SELECT 1 FROM users WHERE email LIKE '%%@%s' UNION SELECT 1 FROM aliases WHERE address LIKE '%%@%s'
+query = SELECT 1 FROM users WHERE email LIKE '%%@%s' UNION SELECT 1 FROM aliases WHERE source LIKE '%%@%s'
 EOF
 
-# SQL statement to check if we handle mail for a user.
+# SQL statement to check if we handle incoming mail for a user.
 cat > /etc/postfix/virtual-mailbox-maps.cf << EOF;
 dbpath=$db_path
 query = SELECT 1 FROM users WHERE email='%s'
@@ -127,9 +132,13 @@ EOF
 # might be returned by the UNION, so the whole query is wrapped in
 # another select that prioritizes the alias definition to preserve
 # postfix's preference for aliases for whole email addresses.
+#
+# Since we might have alias records with an empty destination because
+# it might have just permitted_senders, skip any records with an
+# empty destination here so that other lower priority rules might match.
 cat > /etc/postfix/virtual-alias-maps.cf << EOF;
 dbpath=$db_path
-query = SELECT receivers from (SELECT receivers, 0 as priority FROM aliases WHERE address='%s' UNION SELECT email as receivers, 1 as priority FROM users WHERE email='%s') ORDER BY priority LIMIT 1;
+query = SELECT destination from (SELECT destination, 0 as priority FROM aliases WHERE source='%s' AND destination<>'' UNION SELECT email as destination, 1 as priority FROM users WHERE email='%s') ORDER BY priority LIMIT 1;
 EOF
 
 # Restart Services

setup/migrate.py

@@ -102,56 +102,14 @@ def migration_8(env):
 	os.unlink(os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private'))
 
 def migration_9(env):
-	# Switch from storing alias ownership in one column (used for both
-	# directions) to two columns (one for determining inbound forward-tos and
-	# one for determining outbound permitted-senders). This was motivated by the
-	# addition of #427 ("Reject outgoing mail if FROM does not match Login") -
-	# which introduced the notion of outbound permitted-senders.
+	# Add a column to the aliases table to store permitted_senders,
+	# which is a list of user account email addresses that are
+	# permitted to send mail using this alias instead of their own
+	# address. This was motivated by the addition of #427 ("Reject
+	# outgoing mail if FROM does not match Login") - which introduced
+	# the notion of outbound permitted-senders.
 	db = os.path.join(env["STORAGE_ROOT"], 'mail/users.sqlite')
-	# Move the old aliases table to one side.
-	shell("check_call", ["sqlite3", db, "ALTER TABLE aliases RENAME TO aliases_8"])
-	# Create the new aliases table, initially empty.
-	shell("check_call", ["sqlite3", db, "CREATE TABLE aliases (id INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT NOT NULL UNIQUE, receivers TEXT NOT NULL, senders TEXT NOT NULL)"])
-
-	import sqlite3
-	conn = sqlite3.connect(os.path.join(env["STORAGE_ROOT"], "mail/users.sqlite"))
-
-	c = conn.cursor()
-	c.execute('SELECT email FROM users')
-	valid_logins = [ row[0] for row in c.fetchall() ]
-
-	c = conn.cursor()
-	c.execute('SELECT source, destination FROM aliases_8')
-	aliases = { row[0]: row[1] for row in c.fetchall() }
-
-	# Populate the new aliases table. Forward-to addresses (receivers) is taken
-	# directly from the old destination column. Permitted-sender logins
-	# (senders) is made up of only those addresses in the old destination column
-	# that are valid logins, as other values are not relevant. Their presence
-	# would not do any harm, except that it would make the aliases UI confusing
-	# on upgraded boxes.
-	for source in aliases:
-
-		address = source
-		receivers = aliases[source]
-
-		validated_senders = []
-		for login in aliases[source].split(","):
-			login = login.strip()
-			if login == "": continue
-			if login in valid_logins:
-				validated_senders.append(login)
-
-		senders = ",".join(validated_senders)
-
-		c = conn.cursor()
-		c.execute("INSERT INTO aliases (address, receivers, senders) VALUES (?, ?, ?)", (address, receivers, senders))
-
-	# Save.
-	conn.commit()
-
-	# Delete the old aliases table.
-	shell("check_call", ["sqlite3", db, "DROP TABLE aliases_8"])
+	shell("check_call", ["sqlite3", db, "ALTER TABLE aliases ADD permitted_senders TEXT"])
 
 def get_current_migration():
 	ver = 0