1

Topic: Policy to allow email from specific domains is not working as expected

==== Required information ====
- iRedMail version: 1.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: CentOS
- Related log if you're reporting an issue: iredapd.log
====


Hi zhang,

We added a few domains in the LDAP attribute "listAllowedUser" for a mailing list. Also, we restricted the list so that only moderators can send email to it. However, when a user from the listed domains sends an email to this mailing list, the mail is rejected. Please find the log below.

LOG:

2013-04-26 15:15:25 DEBUG Close LDAP connection.
2013-04-26 15:15:26 DEBUG Connect from 127.0.0.1, port 36171.
2013-04-26 15:15:26 DEBUG smtp session: request=smtpd_access_policy
2013-04-26 15:15:26 DEBUG smtp session: protocol_state=RCPT
2013-04-26 15:15:26 DEBUG smtp session: protocol_name=ESMTP
2013-04-26 15:15:26 DEBUG smtp session: client_address=209.85.212.174
2013-04-26 15:15:26 DEBUG smtp session: client_name=unknown
2013-04-26 15:15:26 DEBUG smtp session: reverse_client_name=unknown
2013-04-26 15:15:26 DEBUG smtp session: helo_name=mail-wi0-f174.google.com
2013-04-26 15:15:26 DEBUG smtp session: sender=xxx@gmail.com
2013-04-26 15:15:26 DEBUG smtp session: recipient=xxx@xx.in
2013-04-26 15:15:26 DEBUG smtp session: recipient_count=0
2013-04-26 15:15:26 DEBUG smtp session: queue_id=
2013-04-26 15:15:26 DEBUG smtp session: instance=70a2.517a4cb6.5cd9a.0
2013-04-26 15:15:26 DEBUG smtp session: size=0
2013-04-26 15:15:26 DEBUG smtp session: etrn_domain=
2013-04-26 15:15:26 DEBUG smtp session: stress=
2013-04-26 15:15:26 DEBUG smtp session: sasl_method=
2013-04-26 15:15:26 DEBUG smtp session: sasl_username=
2013-04-26 15:15:26 DEBUG smtp session: sasl_sender=
2013-04-26 15:15:26 DEBUG smtp session: ccert_subject=
2013-04-26 15:15:26 DEBUG smtp session: ccert_issuer=
2013-04-26 15:15:26 DEBUG smtp session: ccert_fingerprint=
2013-04-26 15:15:26 DEBUG smtp session: encryption_protocol=TLSv1
2013-04-26 15:15:26 DEBUG smtp session: encryption_cipher=RC4-SHA
2013-04-26 15:15:26 DEBUG smtp session: encryption_keysize=128
2013-04-26 15:15:26 DEBUG LDAP connection initialied success.
2013-04-26 15:15:26 DEBUG LDAP bind success.
2013-04-26 15:15:26 DEBUG [+] Getting LDIF data of account: xxx@xx.in
2013-04-26 15:15:26 DEBUG search filter: (&(|(mail=xxx@xx.in)(shadowAddress=xxx@xx.in))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2013-04-26 15:15:26 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy', 'amavisBlacklistSender', 'amavisWhitelistSender']
2013-04-26 15:15:26 DEBUG result: [('mail=mailbounce@xxx.xx.in,ou=Groups,domainName=xxx.xx.in,o=domains,dc=abc,dc=com', {'objectClass': ['mailList'], 'accessPolicy': ['allowedOnly'], 'listAllowedUser': ['gmail.com']})]
2013-04-26 15:15:26 DEBUG --> Apply plugin: ldap_maillist_access_policy
2013-04-26 15:15:26 DEBUG xxxx@gmail.com -> xxx@xx.in, access policy: allowedonly (Only moderators/allowed are allowed)
2013-04-26 15:15:26 DEBUG Sender is not explicitly allowed, query user aliases and alias domains.
2013-04-26 15:15:26 DEBUG [+] Getting allowed senders of mail list: xxx@xx.in
2013-04-26 15:15:26 DEBUG result: ['gmail.com']
2013-04-26 15:15:26 DEBUG Allowed users:
2013-04-26 15:15:26 DEBUG Allowed domains:
2013-04-26 15:15:26 DEBUG Allowed subdomains: gmail.com
2013-04-26 15:15:26 DEBUG Query to get domain aliases of allowed (sub-)domains.
2013-04-26 15:15:26 DEBUG base dn: o=domains,dc=xxx,dc=com
2013-04-26 15:15:26 DEBUG search scope: 1 (ldap.SCOPE_ONELEVEL)
2013-04-26 15:15:26 DEBUG search filter: (&(objectClass=mailDomain)(enabledService=domainalias)(|(domainName=gmail.com)(domainAliasName=gmail.com)))
2013-04-26 15:15:26 DEBUG search attributes: domainName, domainAliasName
2013-04-26 15:15:26 DEBUG result: []
2013-04-26 15:15:26 DEBUG All possible sender domains: gmail.com, .gmail.com, .com
2013-04-26 15:15:26 DEBUG <-- Result: REJECT Not authorized
2013-04-26 15:15:26 INFO [209.85.212.174] xxx@gmail.com -> xxx@xx.in, REJECT Not authorized
2013-04-26 15:15:26 DEBUG Connection closed
2013-04-26 15:15:26 DEBUG Close LDAP connection.

Please look into this and update.

Note: I see that allowed_senders is empty in the lines below. Please check.

    elif policy in ['membersonly', 'allowedonly', 'membersandmoderatorsonly']:
        allowed_senders = recipient_ldif.get('listAllowedUser', [])
        if policy == 'allowedonly':
            if sender in allowed_senders:
                return 'DUNNO (Allowed explicitly)'
            logging.debug('Sender is not explicitly allowed, query user aliases and alias domains.')


2

Re: Policy to allow email from specific domains is not working as expected

Hi Soundar,

Could you please try the patch below for the plugin plugins/ldap_maillist_access_policy.py? Also, could you please show me the LDIF data of this mail list account? It looks like there's some conflict in the log; I need the LDIF data to verify it.

diff -r 922bc7b5aa9d plugins/ldap_maillist_access_policy.py
--- a/plugins/ldap_maillist_access_policy.py    Sat Apr 20 17:21:06 2013 +0800
+++ b/plugins/ldap_maillist_access_policy.py    Fri Apr 26 23:25:15 2013 +0800
@@ -25,6 +25,7 @@
     conn = kwargs['conn']
     base_dn = kwargs['base_dn']
     sender = kwargs['sender']
+    sender_domain = kwargs['sender_domain']
     recipient = kwargs['recipient']
     recipient_dn = kwargs['recipient_dn']
 
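Review bot: `+    sender_domain = kwargs['sender_domain']` makes the plugin depend on the iRedAPD core supplying that key, and the local fallback `sender.split('@', 1)[-1]` is removed further down in this same patch, so running the patched plugin against a core that does not pass `sender_domain` raises KeyError on every policy request. Either state which core version is required, or use `kwargs.get('sender_domain') or sender.split('@', 1)[-1]` so the plugin keeps working with older cores.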
@@ -59,7 +60,6 @@
         # No restriction.
         return 'DUNNO (Access policy: public)'
     elif policy == "domain":
-        sender_domain = sender.split('@', 1)[-1]
         # Bypass all users under the same domain.
         if sender_domain in recipient_alias_domains:
             return 'DUNNO (Access policy: domain)'
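Review bot: removing `-        sender_domain = sender.split('@', 1)[-1]` changes the `domain` branch from a locally computed value to whatever the caller passes in; for a null envelope sender (`MAIL FROM:<>`, as bounces use) the old expression yielded an empty string, and whether the new value is empty, lowercased or something else now depends on the core. A one-line comment stating what `sender_domain` is expected to contain (lowercased, possibly empty) would make the `sender_domain in recipient_alias_domains` check easier to reason about.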
@@ -77,7 +77,7 @@
     elif policy in ['membersonly', 'allowedonly', 'membersandmoderatorsonly']:
         allowed_senders = recipient_ldif.get('listAllowedUser', [])
         if policy == 'allowedonly':
-            if sender in allowed_senders:
+            if sender in allowed_senders or sender_domain in allowed_senders:
                 return 'DUNNO (Allowed explicitly)'
             logging.debug('Sender is not explicitly allowed, query user aliases and alias domains.')
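Review bot: the new test in `+            if sender in allowed_senders or sender_domain in allowed_senders:` is an exact, case-sensitive comparison against the raw `listAllowedUser` values, so unless the core lowercases both sides an entry such as `Gmail.com` or a mixed-case sender domain will not match; normalise both with `.strip().lower()` before comparing. It is also worth documenting what the match grants: a bare domain in `listAllowedUser` now admits any envelope sender at that domain, and this plugin does not authenticate MAIL FROM, so such entries are only as trustworthy as the sender verification (SPF/DKIM/DMARC) applied upstream; a short note in the plugin docstring would help admins decide between listing a whole domain and listing individual addresses.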

3 (edited by swiss2011 2013-04-27 00:05:02)

Re: Policy to allow email from specific domains is not working as expected

Hi zhang,

Please find the LDIF data below.

dn: mail=mailbounce@xxx.xx.in,ou=Groups,domainName=xxx.xx.in,o=domains,dc=abc,dc=com
accessPolicy: allowedOnly
accountStatus: active
cn: Bounced Email
enabledService: mail
enabledService: deliver
listAllowedUser: gmail.com
mail: mailbounce@xxx.xx.in
objectClass: mailList
shadowAddress: mailbounce@xx.in

Patch applied and tested, working fine. Thanks a lot zhang. :)


ZhangHuangbin wrote:

Hi Soundar,

Could you please try the patch below for the plugin plugins/ldap_maillist_access_policy.py? Also, could you please show me the LDIF data of this mail list account? It looks like there's some conflict in the log; I need the LDIF data to verify it.

diff -r 922bc7b5aa9d plugins/ldap_maillist_access_policy.py
--- a/plugins/ldap_maillist_access_policy.py    Sat Apr 20 17:21:06 2013 +0800
+++ b/plugins/ldap_maillist_access_policy.py    Fri Apr 26 23:25:15 2013 +0800
@@ -25,6 +25,7 @@
     conn = kwargs['conn']
     base_dn = kwargs['base_dn']
     sender = kwargs['sender']
+    sender_domain = kwargs['sender_domain']
     recipient = kwargs['recipient']
     recipient_dn = kwargs['recipient_dn']
 
@@ -59,7 +60,6 @@
         # No restriction.
         return 'DUNNO (Access policy: public)'
     elif policy == "domain":
-        sender_domain = sender.split('@', 1)[-1]
         # Bypass all users under the same domain.
         if sender_domain in recipient_alias_domains:
             return 'DUNNO (Access policy: domain)'
@@ -77,7 +77,7 @@
     elif policy in ['membersonly', 'allowedonly', 'membersandmoderatorsonly']:
         allowed_senders = recipient_ldif.get('listAllowedUser', [])
         if policy == 'allowedonly':
-            if sender in allowed_senders:
+            if sender in allowed_senders or sender_domain in allowed_senders:
                 return 'DUNNO (Allowed explicitly)'
             logging.debug('Sender is not explicitly allowed, query user aliases and alias domains.')

4

Re: Policy to allow email from specific domains is not working as expected

swiss2011 wrote:

listAllowedUser: gmail.com

Strange, the iRedAPD log says "Allowed subdomains: gmail.com", it should be "Allowed domains", not "subdomains".
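The following is an added stand-alone model of the allowedOnly check discussed in this thread (the domain match from the patch in post 2 and the user/domain/subdomain classification of listAllowedUser that the log in post 1 gets wrong); it is not iRedAPD's own code. The function names, the lowercasing, the treatment of a null sender and the reading of ".example.com" as "the domain and anything under it" are assumptions, and the sample values are constructed.

```python
# Added example, not iRedAPD's plugin code. Models the allowedOnly policy:
# exact sender match, exact domain match (the patch in post 2), and
# '.example.com' subdomain entries. Assumptions: values are lowercased before
# comparison, a null envelope sender is never allowed, and '.example.com'
# covers example.com itself plus every subdomain of it.

def classify_allowed_entries(entries):
    """Split listAllowedUser values into (users, domains, subdomains).

    'bob@example.com' -> users, 'example.com' -> domains,
    '.example.com' -> subdomains (stored without the leading dot).
    """
    users, domains, subdomains = set(), set(), set()
    for raw in entries:
        entry = raw.strip().lower()
        if not entry:
            continue
        if '@' in entry:
            users.add(entry)
        elif entry.startswith('.'):
            subdomains.add(entry.lstrip('.'))
        else:
            domains.add(entry)
    return users, domains, subdomains


def parent_domains(sender_domain):
    """'a.mail.example.com' -> ['a.mail.example.com', 'mail.example.com', 'example.com']."""
    labels = sender_domain.split('.')
    return ['.'.join(labels[i:]) for i in range(len(labels) - 1)]


def allowedonly_decision(sender, allowed_entries):
    """Return the policy verdict for a list with accessPolicy allowedOnly."""
    sender = sender.strip().lower()
    if '@' not in sender:
        # Null envelope sender (MAIL FROM:<>, as bounces use): not a poster.
        return 'REJECT Not authorized'
    sender_domain = sender.split('@', 1)[-1]
    users, domains, subdomains = classify_allowed_entries(allowed_entries)
    # Exact address or exact domain: the check the patch in post 2 adds.
    if sender in users or sender_domain in domains:
        return 'DUNNO (Allowed explicitly)'
    # '.example.com' entries match the domain and any subdomain of it.
    for candidate in parent_domains(sender_domain):
        if candidate in subdomains:
            return 'DUNNO (Allowed by subdomain)'
    return 'REJECT Not authorized'
```

With the thread's constructed values, listAllowedUser ['gmail.com'] lands in the domains set (not subdomains, as the log showed) and a sender at gmail.com is accepted, while a sender at a subdomain of it is only accepted when the entry is written as '.gmail.com'.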

5

Re: Policy to allow email from specific domains is not working as expected

Can I apply this patch to iRedMail 0.8.5?

6

Re: Policy to allow email from specific domains is not working as expected

Revenant wrote:

Can I apply this patch to iRedMail 0.8.5?

I suggest you upgrade iRedAPD to the latest 1.4.2 release, you can download it here:
http://www.iredmail.org/yum/misc/

Upgrade tutorial can be found here:
http://iredmail.org/wiki/index.php?titl … .4.1-1.4.2