1 files changed, 13 insertions, 5 deletions
diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
index 00182523..45619fb0 100644
--- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
+++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,12 +28,14 @@ class PolicyHandler(StreamRequestHandler):
        allowed = False
        user = None
+        relay_eligible = False
        if self.args['sasl_username']:
            user = self.args['sasl_username']
        if self.args['ccert_subject']:
            user = self.args['ccert_subject']
+            relay_eligible = True
-        if user:
+        if user and '@' in self.args['sender']:
            with self.server.db_pool.connection() as conn:
                local, domain = self.args['sender'].split(sep='@', maxsplit=1)
                extension = None
@@ -44,10 +46,16 @@ class PolicyHandler(StreamRequestHandler):
                with conn.cursor() as cur:
                    cur.row_factory = namedtuple_row
-                    cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
-                    for record in cur:
+                    if relay_eligible:
-                        logger.debug('Received result: %s', record)
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR %(domain)s ilike CONCAT(\'%%_.\', "domain"))) as "exists"', params = {'user': user, 'domain': domain})
-                        allowed = True
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
+                    if not allowed:
+                        cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
+                        if (row := cur.fetchone()) is not None:
+                            allowed = row.exists
        action = '550 5.7.0 Sender address not authorized for current user'
        if allowed:

diff --git a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py index 00182523..45619fb0 100644 --- a/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py +++ b/hosts/surtr/email/ccert-policy-server/ccert_policy_server/__main__.py
@@ -28,12 +28,14 @@ class PolicyHandler(StreamRequestHandler):
28		28
29	allowed = False	29	allowed = False
30	user = None	30	user = None
		31	relay_eligible = False
31	if self.args['sasl_username']:	32	if self.args['sasl_username']:
32	user = self.args['sasl_username']	33	user = self.args['sasl_username']
33	if self.args['ccert_subject']:	34	if self.args['ccert_subject']:
34	user = self.args['ccert_subject']	35	user = self.args['ccert_subject']
		36	relay_eligible = True
35		37
36	if user:	38	if user and '@' in self.args['sender']:
37	with self.server.db_pool.connection() as conn:	39	with self.server.db_pool.connection() as conn:
38	local, domain = self.args['sender'].split(sep='@', maxsplit=1)	40	local, domain = self.args['sender'].split(sep='@', maxsplit=1)
39	extension = None	41	extension = None
@@ -44,10 +46,16 @@ class PolicyHandler(StreamRequestHandler):
44		46
45	with conn.cursor() as cur:	47	with conn.cursor() as cur:
46	cur.row_factory = namedtuple_row	48	cur.row_factory = namedtuple_row
47	cur.execute('SELECT "mailbox"."mailbox" as "user", "local", "extension", "domain" FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)	49
48	for record in cur:	50	if relay_eligible:
49	logger.debug('Received result: %s', record)	51	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "relay_access" ON "mailbox".id = "relay_access"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("domain" = %(domain)s OR %(domain)s ilike CONCAT(\'%%_.\', "domain"))) as "exists"', params = {'user': user, 'domain': domain})
50	allowed = True	52	if (row := cur.fetchone()) is not None:
		53	allowed = row.exists
		54
		55	if not allowed:
		56	cur.execute('SELECT EXISTS(SELECT true FROM "mailbox" INNER JOIN "mailbox_mapping" ON "mailbox".id = "mailbox_mapping"."mailbox" WHERE "mailbox"."mailbox" = %(user)s AND ("local" = %(local)s OR "local" IS NULL) AND ("extension" = %(extension)s OR "extension" IS NULL) AND "domain" = %(domain)s) as "exists"', params = {'user': user, 'local': local, 'extension': extension if extension is not None else '', 'domain': domain}, prepare=True)
		57	if (row := cur.fetchone()) is not None:
		58	allowed = row.exists
51		59
52	action = '550 5.7.0 Sender address not authorized for current user'	60	action = '550 5.7.0 Sender address not authorized for current user'
53	if allowed:	61	if allowed: