authorJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2011-07-13 10:44:41 +0200
committerJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2011-07-13 10:44:41 +0200
commitbcfd9f6c0ee4077e7eb7ba13618ab0e951d0774f (patch)
tree1ba8f882ca7a6fa4887a1b95fa2abc923110883f /bin
parentf49b722a01222ddc31b07d0c54b96eef8d3f9c8c (diff)
downloadpykolab-bcfd9f6c0ee4077e7eb7ba13618ab0e951d0774f.tar.gz
Make sure we always end up with a result,
Improve log messages, Read policy requests indefinitely
Diffstat (limited to 'bin')
-rw-r--r--bin/kolab_smtp_access_policy.py182
1 files changed, 103 insertions, 79 deletions
diff --git a/bin/kolab_smtp_access_policy.py b/bin/kolab_smtp_access_policy.py
index c4671a5..eab18d4 100644
--- a/bin/kolab_smtp_access_policy.py
+++ b/bin/kolab_smtp_access_policy.py
@@ -407,9 +407,9 @@ def verify_recipient(policy_request):
log.debug(_("Using authentication domain %s instead of %s") %(auth.secondary_domains[domain],domain), level=8)
domain = auth.secondary_domains[domain]
else:
- log.debug(_("Why does auth not have anything on domain %s?") %(domain), level=8)
+ log.debug(_("Domain %s is a primary domain") %(domain), level=8)
else:
- log.debug(_("How did we end up checking the recipient for a domain that is not ours?"), level=8)
+ log.warning(_("Checking the recipient for domain %s that is not ours") %(domain))
# Attr search list
# TODO: Use the configured filter
@@ -669,97 +669,121 @@ if __name__ == "__main__":
# Start the work
while True:
policy_request = read_request_input()
- break
-
- # Set the overall default policy in case nothing attracts any particular
- # type of action.
- #
- # When either is configured or specified to be verified, negate
- # that policy to be false by default.
- #
- sender_allowed = True
- recipient_allowed = True
-
- if conf.verify_sender:
- sender_allowed = False
-
- log.debug(_("Verifying sender."), level=8)
-
- # If no sender is specified, we bail out.
- if policy_request['sender'] == "":
- log.debug(_("No sender specified."), level=8)
- reject(_("Invalid sender"))
-
- # If no sasl username exists, ...
- if policy_request['sasl_username'] == "":
- log.debug(_("No SASL username in request."), level=8)
- if not conf.allow_unauthenticated:
- log.debug(_("Not allowing unauthenticated senders."), level=8)
- reject(_("Access denied for unauthenticated senders"))
- else:
- log.debug(_("Allowing unauthenticated senders."), level=8)
- if not verify_domain(policy_request['sender'].split('@')[1]):
- sender_allowed = True
- permit(_("External sender"))
- else:
- sender_allowed = verify_sender(policy_request)
- # If the authenticated username is the sender...
- elif policy_request["sasl_username"] == policy_request["sender"]:
- log.debug(
- _("Allowing authenticated sender %s to send as %s.") %(
- policy_request["sasl_username"],
- policy_request["sender"]
- ),
- level=8
- )
+ # Set the overall default policy in case nothing attracts any particular
+ # type of action.
+ #
+ # When either is configured or specified to be verified, negate
+ # that policy to be false by default.
+ #
+ sender_allowed = True
+ recipient_allowed = True
- sender_allowed = True
+ if conf.verify_sender:
+ sender_allowed = False
- permit(
- _("Authenticated as sender %s") %(policy_request['sender'])
- )
+ log.debug(_("Verifying sender."), level=8)
- # Or if the authenticated username is the sender but the sender address
- # lists an address with a recipient delimiter...
- #
- # TODO: The recipient delimiter is configurable!
- elif policy_request["sasl_username"] == \
- parse_address(
- policy_request["sender"]
- ):
+ # If no sender is specified, we bail out.
+ if policy_request['sender'] == "":
+ log.debug(_("No sender specified."), level=8)
+ reject(_("Invalid sender"))
+ continue
- sender_allowed = True
+ # If no sasl username exists, ...
+ if policy_request['sasl_username'] == "":
+ log.debug(_("No SASL username in request."), level=8)
- permit(
- _("Authenticated as sender %s") %(
- parse_address(policy_request["sender"])
+ if not conf.allow_unauthenticated:
+ log.debug(
+ _("Not allowing unauthenticated senders."),
+ level=8
)
- )
- else:
- sender_allowed = verify_sender(policy_request)
+ reject(_("Access denied for unauthenticated senders"))
+ continue
+
+ else:
+ log.debug(_("Allowing unauthenticated senders."), level=8)
+
+ if not verify_domain(policy_request['sender'].split('@')[1]):
+ sender_allowed = True
+ permit(_("External sender"))
+ continue
+
+ else:
+ sender_allowed = verify_sender(policy_request)
+
+ # If the authenticated username is the sender...
+ elif policy_request["sasl_username"] == policy_request["sender"]:
+ log.debug(
+ _("Allowing authenticated sender %s to send as %s.") %(
+ policy_request["sasl_username"],
+ policy_request["sender"]
+ ),
+ level=8
+ )
+
+ sender_allowed = True
+
+ permit(
+ _("Authenticated as sender %s") %(
+ policy_request['sender']
+ )
+ )
+
+ continue
+
+ # Or if the authenticated username is the sender but the sender address
+ # lists an address with a recipient delimiter...
+ #
+ # TODO: The recipient delimiter is configurable!
+ elif policy_request["sasl_username"] == \
+ parse_address(
+ policy_request["sender"]
+ ):
- if conf.verify_recipient:
- recipient_allowed = False
+ sender_allowed = True
- log.debug(_("Verifying recipient."), level=8)
+ permit(
+ _("Authenticated as sender %s") %(
+ parse_address(policy_request["sender"])
+ )
+ )
+
+ continue
+
+ else:
+ sender_allowed = verify_sender(policy_request)
- if policy_request['recipient'] == "":
- reject(_("Invalid recipient"))
+ if conf.verify_recipient:
+ recipient_allowed = False
- if policy_request['sasl_username'] == "":
- log.debug(_("No SASL username in request."), level=8)
+ log.debug(_("Verifying recipient."), level=8)
- if not conf.allow_unauthenticated:
- log.debug(_("Not allowing unauthenticated senders."), level=8)
- reject(_("Access denied for unauthenticated senders"))
+ if policy_request['recipient'] == "":
+ reject(_("Invalid recipient"))
+ continue
+
+ if policy_request['sasl_username'] == "":
+ log.debug(_("No SASL username in request."), level=8)
+
+ if not conf.allow_unauthenticated:
+ log.debug(_("Not allowing unauthenticated senders."), level=8)
+ reject(_("Access denied for unauthenticated senders"))
+ continue
+ else:
+ recipient_allowed = verify_recipient(policy_request)
else:
recipient_allowed = verify_recipient(policy_request)
+ # TODO: Insert whitelists.
+ if conf.verify_sender and not sender_allowed:
+ reject(_("Sender access denied"), policy_request)
+ continue
+ elif conf.verify_recipient and not recipient_allowed:
+ reject(_("Recipient access denied"), policy_request)
+ continue
else:
- recipient_allowed = verify_recipient(policy_request)
-
- # TODO: Insert whitelists.
- if not sender_allowed or not recipient_allowed:
- reject(_("Access denied"), policy_request)
+ permit(_("No objections"))
+ continue \ No newline at end of file
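Review bot: The `continue` added after each early `permit(...)` in the sender branch (after `permit(_("External sender"))` and after both `permit(_("Authenticated as sender %s") ...)` calls) leaves the loop iteration before the `if conf.verify_recipient:` block, so a recipient check configured alongside sender verification is never run for unauthenticated external senders or for authenticated senders; if that is not intended, keep only `sender_allowed = True` at those points and let the combined decision at the bottom of the loop emit the single result. Since `permit`/`reject` presumably write the policy response, dropping those early permits still yields exactly one result per request, which is what the commit sets out to guarantee. Separately, `policy_request['sender'].split('@')[1]` raises IndexError for an unauthenticated sender address without an `@`, which would terminate the whole read loop rather than reject the one request; guard it before the `verify_domain` call, e.g. `if '@' not in policy_request['sender']: reject(_("Invalid sender")); continue`. Note also that `reject` is called with one argument in the validity checks and with two (`policy_request`) in the final decision; if the second parameter is optional this is fine, but a short comment on why the request is passed only there would help the next reader.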