Fix Courier ACL

Replaced blacklisting approach with a whitelisting on, thus preventing access
due to responses from authlib not containing the word 'FAIL', e.g. empty ones
(see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto)
This commit is contained in:
Benjamin Frank 2012-07-02 13:30:28 +02:00 committed by Guillaume Ayoub
parent ea94ec919e
commit 03fc5fc526

View File

@ -36,7 +36,7 @@ def has_right(owner, user, password):
return False
line = "%s\nlogin\n%s\n%s" % (sys.argv[0], user, password)
line = "%i\n%s" % (len(line), line)
line = "AUTH %i\n%s" % (len(line), line)
try:
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect(COURIER_SOCKET)
@ -51,7 +51,13 @@ def has_right(owner, user, password):
log.LOGGER.debug("Got Courier socket response: %r" % data)
if repr(data) == "FAIL":
return False
# Address, HOME, GID, and either UID or USERNAME are mandatory in resposne
# see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto
for line in data.split():
if 'GID' in line:
return True
return True
# default is reject
# this alleviates the problem of a possibly empty reply from courier authlib
# see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto
return False