1 files changed, 118 insertions, 8 deletions

diff --git a/bin/kolab_smtp_access_policy.py b/bin/kolab_smtp_access_policy.py
index 304ab85..935fc6e 100755
--- a/bin/kolab_smtp_access_policy.py
+++ b/bin/kolab_smtp_access_policy.py
@@ -1333,14 +1333,124 @@ def hold(message, policy_request=None):
 def permit(message, policy_request=None):
     log.info(_("Returning action PERMIT: %s") % (message))
 
-    if hasattr(policy_request, 'sasl_username'):
-        sender = conf.get('kolab_smtp_access_policy', 'sender_header')
-        if utils.true_or_false(sender):
-            print "action=PREPEND Sender: %s" % (policy_request.sasl_username)
-
-        xsender = conf.get('kolab_smtp_access_policy', 'xsender_header')
-        if utils.true_or_false(xsender):
-            print "action=PREPEND X-Sender: %s" % (policy_request.sasl_username)
+    # If we have no policy request, we have been called for a reason,
+    # and everything relevant has been figured out already.
+    if policy_request == None:
+        print "action=PERMIT\n\n"
+        sys.exit(0)
+
+    # If the user is not authenticated, there's no reason to do
+    # extra checks here -- to have been performed already.
+    if not hasattr(policy_request, 'sasl_username'):
+        print "action=PERMIT\n\n"
+        sys.exit(0)
+
+    # Same here.
+    if policy_request.sasl_username == None:
+        print "action=PERMIT\n\n"
+        sys.exit(0)
+
+    delegate_sender_header = None
+    alias_sender_header = None
+
+    # If the sender is a delegate of the envelope sender address, take into
+    # account the preferred domain policy for appending the Sender and/or
+    # X-Sender headers.
+    #
+    # Note that a delegatee by very definition is not using an alias.
+    #
+    if policy_request.sasl_user_is_delegate:
+        # Domain-specific setting?
+        if not policy_request.sender_domain == None:
+            delegate_sender_header = conf.get(policy_request.sender_domain, 'delegate_sender_header')
+
+        # Global setting?
+        if delegate_sender_header == None:
+            delegate_sender_header = conf.get('kolab_smtp_access_policy', 'delegate_sender_header')
+
+        # Default
+        if delegate_sender_header == None:
+            delegate_sender_header = True
+
+    # If the sender is using an alias as the envelope sender address, take
+    # into account the preferred domain policy for appending the Sender
+    # and/or X-Sender headers.
+    elif policy_requiest.sasl_user_uses_alias:
+        # Domain-specific setting?
+        if not policy_request.sender_domain == None:
+            alias_sender_header = conf.get(policy_request.sender_domain, 'alias_sender_header')
+
+        # Global setting?
+        if alias_sender_header == None:
+            alias_sender_header = conf.get('kolab_smtp_access_policy', 'alias_sender_header')
+
+        # Default
+        if alias_sender_header == None:
+            alias_sender_header = True
+
+    # Make the values booleans
+    delegate_sender_header = utils.true_or_false(delegate_sender_header)
+    alias_sender_header = utils.true_or_false(alias_sender_header)
+
+    # Do we use a (simple) encryption key to obscure the headers' contents?
+    # Note that using an encryption key voids the actual use of proper Sender
+    # and X-Sender headers such as they could be interpreted by a client
+    # application.
+    enc_key = conf.get(policy_request.sender_domain, 'sender_header_enc_key')
+    if enc_key == None:
+        enc_key = conf.get('kolab_smtp_access_policy', 'sender_header_enc_key')
+
+    sender_header = None
+    xsender_header = None
+
+    if delegate_sender_header or alias_sender_header:
+        # Domain specific?
+        sender_header = conf.get(policy_request.sender_domain, 'sender_header')
+
+        # Global setting?
+        if sender_header == None:
+            sender_header = conf.get('kolab_smtp_access_policy', 'sender_header')
+
+        # Default
+        if sender_header == None:
+            sender_header = True
+
+        # Domain specific?
+        xsender_header = conf.get(policy_request.sender_domain, 'xsender_header')
+
+        # Global setting?
+        if xsender_header == None:
+            xsender_header = conf.get('kolab_smtp_access_policy', 'xsender_header')
+
+        # Default
+        if xsender_header == None:
+            xsender_header = True
+
+    # Note that if the user is not a delegatee, and not using an alias, the sender
+    # address is the envelope sender address, and the defaults for sender_header
+    # and xsender_header being None, ultimately evaluating to False seems
+    # appropriate.
+
+    # Make the values booleans
+    sender_header = utils.true_or_false(sender_header)
+    xsender_header = utils.true_or_false(xsender_header)
+
+    if sender_header or xsender_header:
+        # Do the encoding, if any
+        if not enc_key == None:
+            header = 'X-Authenticated-As'
+            xheader = None
+            sender = utils.encode(enc_key, policy_request.sasl_username)
+        else:
+            header = 'Sender'
+            xheader = 'X-Sender'
+            sender = policy_request.sasl_username
+
+        if sender_header:
+            print "action=PREPEND %s: %s" % (header, sender)
+
+        if xsender_header and not xheader == None:
+            print "action=PREPEND %s: %s" % (xheader, sender)
 
     print "action=PERMIT\n\n"
     sys.exit(0)