Dovecot LMTP accepted all mail regardless of whether destination was a user, broken by ae8cd4ef, fixes #852

In the earlier commit, I added a Dovecot userdb lookup. Without a userdb lookup, Dovecot would use the password db for user lookups. With a userdb lookup we can support iterating over users.

But I forgot the WHERE clause in the query, resulting in every incoming message being accepted if the user database contained any users at all. Since the mailbox path template is the same for all users, mail was delivered correctly except that mail that should have been rejected was delivered too.

CHANGELOG.md

@@ -1,11 +1,19 @@
 CHANGELOG
 =========
 
+In Development
+--------------
+
+* Domain aliases (and misconfigured aliases/catch-alls with non-existent local targets) would accept mail and deliver it to new mailbox folders on disk, even if the target address didn't correspond with an existing mail user. This issue was introduced in v0.18.
+
+v0.18b (May 16, 2016)
+---------------------
+
+* Fixed a Roundcube user accounts issue introduced in v0.18.
+
 v0.18 (May 15, 2016)
 --------------------
 
-v0.18b was released immediately after fixing a Roundcube user accounts issue.
-
 ownCloud:
 
 * Updated to ownCloud to 8.2.3 

setup/mail-users.sh

@@ -49,7 +49,7 @@ driver = sqlite
 connect = $db_path
 default_pass_scheme = SHA512-CRYPT
 password_query = SELECT email as user, password FROM users WHERE email='%u';
-user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "$STORAGE_ROOT/mail/mailboxes/%d/%n" as home FROM users;
+user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "$STORAGE_ROOT/mail/mailboxes/%d/%n" as home FROM users WHERE email='%u';
 iterate_query = SELECT email AS user FROM users;
 EOF
 chmod 0600 /etc/dovecot/dovecot-sql.conf.ext # per Dovecot instructions