Mail addresses with quotes + Postfix

Reio Remma reio at mrstuudio.ee
Wed Mar 7 14:50:09 EET 2018


Hello!

Maybe experiment with auth_username_chars:

# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@

Good luck,
Reio

On 07.03.18 14:46, Philipp Berger wrote:
> I wrapped the LDA command in a script. I can see that Postfix passes
> "@@mydomain.tld" as the -d argument, without quotes.
> I then adapted the script to specifically replace this address with
> "@"@mydomain.tld, but this results in the following error message by
> Dovecot:
>
>      auth: Info: userdb(?): Username character disallowed by
> auth_username_chars: 0x22 (username: "@"@mydomain.tld)
>
> So what would be the appropriate quoting/setting for this address?
>
> Kind regards,
> Philipp
>
> On 06-Mar-18 at 15:08, Stephan Bosch wrote:
>>
>> On 6-3-2018 at 14:34, Philipp Berger wrote:
>>> I upgraded to Dovecot 2.3.0.1 as advised, but it still seems broken. In
>>> the Postfix log I now see:
>>>
>>> Mar  6 13:49:03 myhost amavis[7165]: (07165-10) K00VtLRHdrYw FWD from
>>> <admin at mydomain.tld> -> <"@"@mydomain.tld>, BODY=7BIT 250 2.0.0 from
>>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B8CA22DA1B37
>>> Mar  6 13:49:03 myhost amavis[7165]: (07165-10) Passed CLEAN
>>> {RelayedInbound}, [someIp]:11439 [someIp] <admin at mydomain.tld> ->
>>> <"@"@mydomain.tld>, Queue-ID: D27792DA167C, Message-ID:
>>> <22b95756-e95e-86cf-219c-3b603f7587c8 at mydomain.tld>, mail_id:
>>> K00VtLRHdrYw, Hits: -3, size: 7472, queued_as: B8CA22DA1B37, 1863 ms
>>> Mar  6 13:49:03 myhost postfix/smtp[2329]: D27792DA167C:
>>> to=<@@mydomain.tld>, relay=127.0.0.1[127.0.0.1]:10024, delay=2,
>>> delays=0.15/0.01/0/1.9, dsn=2.0.0, status=sent (250 2.0.0 from
>>> MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B8CA22DA1B37)
>>> Mar  6 13:49:03 myhost postfix/pipe[2282]: B8CA22DA1B37:
>>> to=<@@mydomain.tld>, relay=dovecot, delay=0.2, delays=0.11/0/0/0.09,
>>> dsn=5.1.1, status=bounced (user unknown)
>>> Mar  6 13:49:03 myhost postfix/cleanup[2280]: EA37E2DA1F80:
>>> message-id=<20180306124903.EA37E2DA1F80 at mydomain.tld>
>>> Mar  6 13:49:04 myhost postfix/bounce[2334]: B8CA22DA1B37: sender
>>> non-delivery notification: EA37E2DA1F80
>>> Mar  6 13:49:04 myhost postfix/qmgr[21911]: EA37E2DA1F80: from=<>,
>>> size=9830, nrcpt=1 (queue active)
>>> Mar  6 13:49:04 myhost postfix/qmgr[21911]: B8CA22DA1B37: removed
>>> Mar  6 13:49:04 myhost postfix/pipe[2282]: EA37E2DA1F80:
>>> to=<admin at mydomain.tld>, relay=dovecot, delay=0.07,
>>> delays=0.05/0/0/0.02, dsn=5.3.0, status=bounced (command line usage
>>> error. Command output: lda: Fatal: Invalid -f parameter: Missing
>>> domain )
>>>
>>> I can see in my MySQL Log that Dovecot queried at the same time with %n
>>> = "" (empty) and %d = "@mydomain.tld". So now the "@" is dropped
>>> entirely.
>>>
>>> What does the "Fatal: Invalid -f parameter: Missing domain" tell us? Do
>>> I need to change the way Postfix calls Dovecot? Add more quotes? :D
>> Can you check what Postfix is feeding to Dovecot exactly (i.e.,
>> whether it is properly escaped)? Maybe wrap dovecot-lda in some shell
>> script and see what is passed.
>>
>> Regards,
>>
>> Stephan.
>>
>>> Kind regards,
>>> Philipp
>>>
>>> On 04-Mar-18 at 21:12, Stephan Bosch wrote:
>>>> On 3/1/2018 at 2:07 PM, Philipp Berger wrote:
>>>>> Dear all,
>>>>>
>>>>> I have a working setup with Postfix + Dovecot, storing users in a
>>>>> MySQL table.
>>>>>
>>>>> I ran into problems setting up and using a mail address like
>>>>> a"@"b at mydomain.tld, which by RFC should be valid, but leads to
>>>>> problems in Dovecot. From my debugging, I can see that on the lookup,
>>>>> Dovecot replaces %n with "a" (quotes added by me) and %d with
>>>>> "b at mydomain.tld" (quotes added by me). So the original quotes are
>>>>> gone, and the domain/user split is incorrect.
>>>>>
>>>>> I am not sure if Postfix passes the address without quotes to
>>>>> Dovecot or whether Dovecot cannot handle quotes correctly, but I was
>>>>> hoping that someone with more insight into Dovecot could help me out
>>>>> here.
>>>>>
>>>>> System Info: Debian 9, Postfix 3.1.6-0+deb9u1, Dovecot 2.2.27-3+deb9u1
>>>>> Postfix master.cf for Dovecot:
>>>>> dovecot unix  -       n       n       -       -       pipe
>>>>>     flags=DRhu user=virtual:virtual
>>>>>     argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop}
>>>>>
>>>>> I am grateful for any hints :)
>>>>>
>>>>> Thank you in advance, kind regards,
>>>> Yeah, Dovecot v2.2 is doing some funky stuff with SMTP address parsing.
>>>> Dovecot v2.3 should do a better job. I am still not sure if this can be
>>>> fixed well for Dovecot v2.2.
>>>>
>>>> Regards,
>>>>
>>>> Stephan.
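
The two failures discussed in this thread, reproduced as an added example (not part of the original messages and not Dovecot's or Postfix's code): a split at the first "@" after quotes are dropped yields the %n/%d values reported above, while a quote-aware split keeps the local part intact, and the allow-list check then rejects the quote character as 0x22. The function names and sample addresses are assumptions made for illustration.

```python
# Added example: function names and sample addresses are constructed for illustration.
import string

# Default taken from the commented-out auth_username_chars line quoted in the reply.
DEFAULT_USERNAME_CHARS = string.ascii_letters + "01234567890" + ".-_@"


def split_naive(addr):
    """Drop the quotes, then split at the FIRST '@' (the result seen in the thread)."""
    local, _, domain = addr.replace('"', "").partition("@")
    return local, domain


def split_quoted(addr):
    """Split at the first '@' that lies outside a double-quoted span."""
    in_quotes = False
    i = 0
    while i < len(addr):
        ch = addr[i]
        if in_quotes and ch == "\\":  # backslash escape inside quotes: skip next char
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "@" and not in_quotes:
            return addr[:i], addr[i + 1:]
        i += 1
    raise ValueError("no unquoted '@' in %r" % addr)


def first_disallowed(username, allowed=DEFAULT_USERNAME_CHARS):
    """Return the first character outside the allow-list as '0xNN', or None.

    An empty allow-list accepts every character, as the quoted comment states.
    """
    if not allowed:
        return None
    for ch in username:
        if ch not in allowed:
            return "0x%02x" % ord(ch)
    return None


if __name__ == "__main__":
    for addr in ('a"@"b@mydomain.tld', '"@"@mydomain.tld', "admin@mydomain.tld"):
        print(addr, split_naive(addr), split_quoted(addr), first_disallowed(addr))
```
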
