starred/modoboa-modoboa
1
0
Fork 0
mirror of https://github.com/modoboa/modoboa.git synced 2026-04-26 17:36:01 +03:00
Code Issues 60 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #2120] Disabled account can still receive email #1527

New issue
Closed
opened 2026-02-27 11:17:35 +03:00 by kerem · 6 comments
kerem commented 2026-02-27 11:17:35 +03:00
Owner
Copy link

Originally created by @jeromelebleu on GitHub (Jan 11, 2021).
Original GitHub issue: https://github.com/modoboa/modoboa/issues/2120

Impacted versions

  • OS Type: Debian
  • OS Version: Buster
  • Database Type: PostgreSQL
  • Database version: 11
  • Modoboa: 1.17.0

Steps to reproduce

  1. Create an account with Simple user role and disable it - either at the creation or after
  2. Send an email to this account

Current behavior

Even if the account is disabled, the recipient is still allowed by Postfix and the email is delivered.

Expected behavior

If I understand the meaning of a disabled account, emails to this address should be rejected.

Debugging

While trying to find in Postfix when this recipient is accepted, I found that it was by looking up in sql-aliases.cf table. Even if there is a condition on enabled in the admin_alias table, the object is still returned. And indeed, even if the core_user is disabled, the corresponding admin_alias is not.

Originally created by @jeromelebleu on GitHub (Jan 11, 2021). Original GitHub issue: https://github.com/modoboa/modoboa/issues/2120 # Impacted versions * OS Type: Debian * OS Version: Buster * Database Type: PostgreSQL * Database version: 11 * Modoboa: 1.17.0 # Steps to reproduce 1. Create an account with _Simple user_ role and disable it - either at the creation or after 2. Send an email to this account # Current behavior Even if the account is disabled, the recipient is still allowed by Postfix and the email is delivered. # Expected behavior If I understand the meaning of a disabled account, emails to this address should be rejected. # Debugging While trying to find in Postfix when this recipient is accepted, I found that it was by looking up in `sql-aliases.cf` table. Even if there is a condition on `enabled` in the `admin_alias` table, the object is still returned. And indeed, even if the `core_user` is disabled, the corresponding `admin_alias` is not.
kerem 2026-02-27 11:17:35 +03:00
kerem commented 2026-02-27 11:17:36 +03:00
Author
Owner
Copy link

@cyberal77 commented on GitHub (Jan 14, 2021):

Hi,

I Cant reproduce.

When i send mail to desactivated user, it's reject.

Regard

PS : Manual installed server

<!-- gh-comment-id:760188571 --> @cyberal77 commented on GitHub (Jan 14, 2021): Hi, I Cant reproduce. When i send mail to desactivated user, it's reject. Regard PS : Manual installed server
kerem commented 2026-02-27 11:17:36 +03:00
Author
Owner
Copy link

@jeromelebleu commented on GitHub (Jan 14, 2021):

Thanks @cyberal77 to give it a try! Are you also using the last Modoba's version? I encounter that on manual installations too, but my Postfix configuration is almost the same as the automatic installer's one. Anyway, from what I understood, I don't think this is related.

Could you also check that the corresponding admin_alias's object is also disabled please? For example, here is what I have in a shell:

>>> from modoboa.core.models import User
>>> from modoboa.admin.models import Alias

>>> u = User.objects.get(email='user2@example.org')
>>> u.enabled
False
>>> a = Alias.objects.get(address=u.email)
>>> a.enabled
True
>>> a.internal
True
<!-- gh-comment-id:760226958 --> @jeromelebleu commented on GitHub (Jan 14, 2021): Thanks @cyberal77 to give it a try! Are you also using the last Modoba's version? I encounter that on manual installations too, but my Postfix configuration is almost the same as the automatic installer's one. Anyway, from what I understood, I don't think this is related. Could you also check that the corresponding `admin_alias`'s object is also disabled please? For example, here is what I have in a shell: ```python >>> from modoboa.core.models import User >>> from modoboa.admin.models import Alias >>> u = User.objects.get(email='user2@example.org') >>> u.enabled False >>> a = Alias.objects.get(address=u.email) >>> a.enabled True >>> a.internal True ```
kerem commented 2026-02-27 11:17:36 +03:00
Author
Owner
Copy link

@kryskool commented on GitHub (Jan 18, 2021):

Hi @jeromelebleu

It seem that @tonioo fix the problem in this commit can you retry ?

Regards,

<!-- gh-comment-id:762204116 --> @kryskool commented on GitHub (Jan 18, 2021): Hi @jeromelebleu It seem that @tonioo fix the problem in this [commit](https://github.com/modoboa/modoboa/commit/1aed875f6865046a0d538a1a0772e50962987789) can you retry ? Regards,
kerem commented 2026-02-27 11:17:36 +03:00
Author
Owner
Copy link

@jeromelebleu commented on GitHub (Jan 18, 2021):

Hi @kryskool, no it does not fix this problem and this is why I commented this commit. It only disables aliases which have been added manually from the interface (internal=False) and not automatically like here (internal=True).

<!-- gh-comment-id:762237981 --> @jeromelebleu commented on GitHub (Jan 18, 2021): Hi @kryskool, no it does not fix this problem and this is why I commented this commit. It only disables aliases which have been added *manually* from the interface (`internal=False`) and not automatically like here (`internal=True`).
kerem commented 2026-02-27 11:17:36 +03:00
Author
Owner
Copy link

@Toniob commented on GitHub (Jun 28, 2022):

Hi,

I’m running 1.17.0 and I added the patch manually. But the mail are still received. I think that’s because that’s dovecot-lmtp which is responsible for accepting or not the mail. And in the user_query in dovecot, we never check for the is_active attribute.

<!-- gh-comment-id:1168639040 --> @Toniob commented on GitHub (Jun 28, 2022): Hi, I’m running 1.17.0 and I added the patch manually. But the mail are still received. I think that’s because that’s dovecot-lmtp which is responsible for accepting or not the mail. And in the user_query in dovecot, we never check for the is_active attribute.
kerem commented 2026-02-27 11:17:36 +03:00
Author
Owner
Copy link

@DaveDischord commented on GitHub (Jul 12, 2023):

Hi,

I’m running 1.17.0 and I added the patch manually. But the mail are still received. I think that’s because that’s dovecot-lmtp which is responsible for accepting or not the mail. And in the user_query in dovecot, we never check for the is_active attribute.

How can I manually fix this? What files would I need to edit and how? Thank you.

<!-- gh-comment-id:1632754798 --> @DaveDischord commented on GitHub (Jul 12, 2023): > Hi, > > I’m running 1.17.0 and I added the patch manually. But the mail are still received. I think that’s because that’s dovecot-lmtp which is responsible for accepting or not the mail. And in the user_query in dovecot, we never check for the is_active attribute. How can I manually fix this? What files would I need to edit and how? Thank you.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
fix/sievefilters-allow-email-in-rule-name
dependabot/npm_and_yarn/frontend/axios-1.15.0
translations_04c0b653215cb5fa48ab101eae1a1917_ja_JP
translations_5d93982e9fd6dab991db4faf93ce9ded_ja_JP
fix/login-issue-3995
fix/sievefilters-issues
add-vitepress-openapi
2974-dmarc-empty-email
2.3.x
updated-doc-2.3.0
feature/OIDC
delete-all-alarms
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_af_ZA
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_ar
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_ca
1.x
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_sk
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_tr
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_es_ES
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_uk
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_zh_CN
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_de_DE
translations_modoboa-admin-locale-en-lc-messages-djangojs-po--master_da_DK
1.8.x
1.7.x
1.6.x
1.4.x
1.3.x
1.2.x
2.8.2
2.8.1
2.8.0
2.7.2
2.7.1
2.7.0
2.6.5
2.6.4
2.6.3
2.6.2
2.6.1
2.6.0
2.5.1
2.5.0
2.4.11
2.4.10
2.4.9
2.4.8
2.4.7
2.4.6
2.4.5
2.4.4
2.4.3
2.4.2
2.4.1
2.4.0
2.3.6
2.3.5
2.3.4
2.3.3
2.3.2
2.3.1
2.3.0
2.3.0-beta.4
2.3.0-beta.3
2.3.0-beta.2
2.3.0-beta.1
2.2.4
2.2.3
2.2.2
2.2.1
2.2.0
2.1.2
2.1.1
2.1.0
2.0.5
2.0.4
2.0.3
2.0.2
2.0.1
2.0.0
2.0.0-beta.3
2.0.0-beta.2
2.0.0-beta.1
1.17.0
1.16.1
1.16.0
1.15.0
1.14.0
1.13.1
1.13.0
1.12.2
1.12.1
1.12.0
1.11.1
1.11.0
1.10.7
1.10.6
1.10.5
1.10.4
1.10.3
1.10.2
1.10.1
1.10.0
1.9.1
1.9.0
1.8.3
1.8.2
1.8.1
1.8.0
1.7.4
1.7.3
1.7.2
1.7.1
1.7.0
1.6.3
1.6.2
1.6.1
1.6.0
1.5.3
1.5.2
1.5.1
1.5.0
1.4.5
1.4.4
1.4.3
1.4.2
1.4.1
1.4.0
1.3.5
1.3.4
1.2.2
1.3.3
1.3.2
1.3.1
1.3.0
1.2.1
1.2.0
1.2.0-rc2
1.2.0-rc1
1.1.7
1.1.6
1.1.5
1.1.4
1.1.3
1.1.2
1.1.1
1.1.0
1.0.1
1.0.0
0.9.5
0.9.4
0.9.3
0.9.2
0.9.1
0.9
0.8.8
0.8.7
0.8.6.1
0.8.6
0.8.5
0.8.4
0.8.3
0.8.3-rc1
0.8.2
0.8.1
0.8
0.8-rc2
0.8-rc1
0.7.2
0.7.1
0.7
0.6.1
0.6
0.5
0.3
0.2
0.1
Labels
Clear labels   
bug

   
bug

   
dependencies

   
design

   
documentation

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
feedback-needed

   
help-needed

   
help-needed

   
installer

   
invalid

   
looking-for-sponsors

   
modoboa-contacts

   
new-ui

   
new-ui

   
pr

   
pull-request

Mirrored from GitHub Pull Request

  
pyconfr

   
python

   
question

   
security

   
stale

   
webmail

   
wontfix
No labels
bug
bug
dependencies
design
documentation
duplicate
enhancement
enhancement
enhancement
feedback-needed
help-needed
help-needed
installer
invalid
looking-for-sponsors
modoboa-contacts
new-ui
new-ui
pr
pull-request
pyconfr
python
question
security
stale
webmail
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/modoboa-modoboa#1527
No description provided.