Fix Courier ACL
Replaced blacklisting approach with a whitelisting on, thus preventing access due to responses from authlib not containing the word 'FAIL', e.g. empty ones (see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto)
This commit is contained in:
parent
ea94ec919e
commit
03fc5fc526
@ -36,7 +36,7 @@ def has_right(owner, user, password):
|
||||
return False
|
||||
|
||||
line = "%s\nlogin\n%s\n%s" % (sys.argv[0], user, password)
|
||||
line = "%i\n%s" % (len(line), line)
|
||||
line = "AUTH %i\n%s" % (len(line), line)
|
||||
try:
|
||||
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||
sock.connect(COURIER_SOCKET)
|
||||
@ -51,7 +51,13 @@ def has_right(owner, user, password):
|
||||
|
||||
log.LOGGER.debug("Got Courier socket response: %r" % data)
|
||||
|
||||
if repr(data) == "FAIL":
|
||||
return False
|
||||
# Address, HOME, GID, and either UID or USERNAME are mandatory in resposne
|
||||
# see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto
|
||||
for line in data.split():
|
||||
if 'GID' in line:
|
||||
return True
|
||||
|
||||
return True
|
||||
# default is reject
|
||||
# this alleviates the problem of a possibly empty reply from courier authlib
|
||||
# see http://www.courier-mta.org/authlib/README_authlib.html#authpipeproto
|
||||
return False
|
||||
|
Loading…
Reference in New Issue
Block a user