search

ops-trust / portal

Ops-Trust Platform - Portal
https://www.ops-trust.net
Apache License 2.0
21 stars 4 forks source link

Handle emails with To == From == list-address. #56

Closed morrowc closed 8 years ago

morrowc commented 8 years ago

Emails that arrive from non-list-member addresses are leaking though, specifically:

To: testlist@example.com From: testlist@example.com

leaks through, despite code checks to the contrary, example mail.log for a message: morrowc@testbox:~$ grep 976621C27E9: /var/log/mail.log Mar 29 16:37:05 testbox.example.com postfix/smtpd[12622]: 976621C27E9: client=unknown[202.159.47.90] Mar 29 16:37:06 testbox.example.com postfix/cleanup[12598]: 976621C27E9: message-id=C4089704-2086-5D64-EB10-B83E6FDB337B@example.com Mar 29 16:37:06 testbox.example.com postfix/qmgr[4895]: 976621C27E9: from=testlist@example.com, size=4910, nrcpt=1 (queue active) Mar 29 16:37:07 testbox.example.com postfix/local[12624]: 976621C27E9: to=opstrust-mail-handler@portal.example.com, orig_to=testlist@example.com, relay=local, delay=6.8, delays=5.6/0/0/1.2, dsn=2.0.0, status=sent (delivered to command: /proj/ops-trust/library/mh-wrapper) Mar 29 16:37:07 testbox.example.com postfix/qmgr[4895]: 976621C27E9: removed

headers(clipped withough full received lines): From: "testlist@example.com" testlist@example.com Subject: [ops-t testlist] CCE29032016_00094 To: testlist@example.com Date: Tue, 29 Mar 2016 23:36:57 +0700 Return-Path: mail-handler@example.com X-Original-To: user@example.net Delivered-To: user@example.net X-Original-To: testlist@example.com Delivered-To: opstrust-mail-handler@portal.example.com Received: from [192.168.1.1](unknown [192.168.1.1]) by portal.example.com (Postfix) with ESMTP id 976621C27E9 for testlist@example.com; Tue, 29 Mar 2016 16:37:00 +0000 (UTC) Content-Type: multipart/mixed; boundary=RandomBits Content-Transfer-Encoding: 7bit MIME-Version: 1.0 (1.0) Message-ID: random@example.com

Potentially problematic code location: https://github.com/ops-trust/portal/blob/master/library/mail-handler.pl#L313

if ($from !~ /^(\w+-)?${common::hostmaster}$/ && $members_only && ($from eq $ml || !defined $member)) { puke "not a valid sender: $db_from"; } This message to testlist@ has the following parts I believe: !hostmaster@domain && lhs | trustgroup | members_only testlist | main | t && from == ML (testlist@ == testlist@) !!! not a member so I believe this message should fail, yet it is not.
massar commented 8 years ago

See

https://github.com/ops-trust/portal/commit/66f55ce51468a34ee9f5081fa6768e5abf7c9fe2