Dovecot LMTP accepted all mail regardless of whether destination was a user, broken by ae8cd4ef, fixes #852

In the earlier commit, I added a Dovecot userdb lookup. Without a userdb lookup, Dovecot would use the password db for user lookups. With a userdb lookup we can support iterating over users.

But I forgot the WHERE clause in the query, resulting in every incoming message being accepted if the user database contained any users at all. Since the mailbox path template is the same for all users, mail was delivered correctly except that mail that should have been rejected was delivered too.
This commit is contained in:
Joshua Tauberer 2016-06-02 07:42:53 -04:00
parent 9ee2d946b7
commit 66675ff2e9
2 changed files with 11 additions and 3 deletions

View File

@ -1,11 +1,19 @@
CHANGELOG
=========
In Development
--------------
* Domain aliases (and misconfigured aliases/catch-alls with non-existent local targets) would accept mail and deliver it to new mailbox folders on disk, even if the target address didn't correspond with an existing mail user. This issue was introduced in v0.18.
v0.18b (May 16, 2016)
---------------------
* Fixed a Roundcube user accounts issue introduced in v0.18.
v0.18 (May 15, 2016)
--------------------
v0.18b was released immediately after fixing a Roundcube user accounts issue.
ownCloud:
* Updated to ownCloud to 8.2.3

View File

@ -49,7 +49,7 @@ driver = sqlite
connect = $db_path
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM users WHERE email='%u';
user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "$STORAGE_ROOT/mail/mailboxes/%d/%n" as home FROM users;
user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "$STORAGE_ROOT/mail/mailboxes/%d/%n" as home FROM users WHERE email='%u';
iterate_query = SELECT email AS user FROM users;
EOF
chmod 0600 /etc/dovecot/dovecot-sql.conf.ext # per Dovecot instructions