1

Topic: Policyd/Cluebringer IPV6 Support

======== Required information ====
- iRedMail version:  0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  PGSQL
- Linux/BSD distribution name and version:  Debian 7
- Related log if you're reporting an issue:
====
I don't want to hijack the other thread on a similar issue. As the error logs below show, email originating from IPV6 addresses is blocked. I am hoping we can use this thread as a guide for all needing IPV6 support until a future release of iRedMail implements it.

Apr 19 20:00:59 mx postfix/smtpd[5146]: connect from mail-pb0-x24a.google.com[2607:f8b0:400e:c01::24a]
Apr 19 20:01:00 mx postfix/smtpd[5146]: NOQUEUE: reject: RCPT from mail-pb0-x24a.google.com[2607:f8b0:400e:c01::24a]: 450 4.7.1 <cygni@mydomain.com>: Recipient address rejected: Access denied; from=<noreply-dmarc-support@google.com> to=<cygni@mydomain.com> proto=ESMTP helo=<mail-pb0-x24a.google.com>
Apr 19 20:01:01 mx postfix/smtpd[5146]: disconnect from mail-pb0-x24a.google.com[2607:f8b0:400e:c01::24a]
Apr 19 20:06:18 mx postfix/smtpd[4280]: connect from verifier.port25.com[2002:60f4:db13::1]
Apr 19 20:06:19 mx postfix/smtpd[4280]: NOQUEUE: reject: RCPT from verifier.port25.com[2002:60f4:db13::1]: 450 4.7.1 <cygni@mydomain.com>: Recipient address rejected: Access denied; from=<auth-results@verifier.port25.com> to=<cygni@mydomain.com> proto=ESMTP helo=<verifier.port25.com>
Apr 19 20:06:21 mx postfix/smtpd[4280]: NOQUEUE: reject: RCPT from verifier.port25.com[2002:60f4:db13::1]: 450 4.7.1 <cygni@mydomain.com>: Recipient address rejected: Access denied; from=<auth-results@verifier.port25.com> to=<cygni@mydomain.com> proto=ESMTP helo=<verifier.port25.com>
Apr 19 20:06:22 mx postfix/smtpd[4280]: disconnect from verifier.port25.com[2002:60f4:db13::1]

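An added example, not part of the original post and not iRedMail or Cluebringer code: one way to confirm that rejects like those in the log excerpt above are confined to IPv6 clients is to tally Postfix "NOQUEUE: reject" lines by address family and reason. The sample log lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format of the excerpt above
# (documentation addresses and example.* domains, not real traffic).
SAMPLE_LOG = """\
Apr 19 20:01:00 mx postfix/smtpd[5146]: NOQUEUE: reject: RCPT from mail.example.net[2001:db8::24a]: 450 4.7.1 <user@example.com>: Recipient address rejected: Access denied; from=<a@example.net> to=<user@example.com> proto=ESMTP helo=<mail.example.net>
Apr 19 20:03:12 mx postfix/smtpd[5150]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.1.8 <b@example.invalid>: Sender address rejected: Domain not found; from=<b@example.invalid> to=<user@example.com> proto=ESMTP helo=<x>
Apr 19 20:06:19 mx postfix/smtpd[4280]: NOQUEUE: reject: RCPT from verifier.example.org[2001:db8:1::1]: 450 4.7.1 <user@example.com>: Recipient address rejected: Access denied; from=<c@example.org> to=<user@example.com> proto=ESMTP helo=<verifier.example.org>
Apr 19 20:06:22 mx postfix/smtpd[4280]: disconnect from verifier.example.org[2001:db8:1::1]
"""

REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from \S+?\[(?P<ip>[0-9A-Fa-f:.]+)\]: "
    r"(?P<code>\d{3}) \S+ (?P<text>.*?); from=<"
)


def tally_rejects(log_text):
    """Count rejects per (IP family, SMTP code, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # connect/disconnect and other non-reject lines
        try:
            family = "IPv%d" % ipaddress.ip_address(m["ip"]).version
        except ValueError:
            continue  # bracketed value was not an IP literal
        # Keep the text after the last ": " (here e.g. "Access denied").
        reason = m["text"].rsplit(": ", 1)[-1]
        counts[(family, m["code"], reason)] += 1
    return counts


def ipv6_only_reasons(counts):
    """(code, reason) pairs seen for IPv6 clients and never for IPv4."""
    v6 = {(c, r) for fam, c, r in counts if fam == "IPv6"}
    v4 = {(c, r) for fam, c, r in counts if fam == "IPv4"}
    return sorted(v6 - v4)


if __name__ == "__main__":
    for key, n in sorted(tally_rejects(SAMPLE_LOG).items()):
        print(n, *key)
    print("IPv6-only:", ipv6_only_reasons(tally_rejects(SAMPLE_LOG)))
```

A reason that appears only in the IPv6 bucket on a real mail log points at address-family handling in the policy path rather than at the sender.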

2

Re: Policyd/Cluebringer IPV6 Support

We need a newer Cluebringer which supports IPv6.

3 (edited by cygni 2014-04-22 05:25:41)

Re: Policyd/Cluebringer IPV6 Support

Installation of version 2.1.x which supports IPV6 now allows emails from gmail on a test server. Besides cluebringer.conf and cluebringer-webui.conf in /etc/cbpolicyd/, is there another configuration file that needs modification, perhaps needing access to the new database called cbpolicyd in this case?

4 (edited by cygni 2014-04-22 08:57:22)

Re: Policyd/Cluebringer IPV6 Support

What I did first was back up /etc/cluebringer and then remove postfix-cluebringer and postfix-cluebringer-webui. Next, I downloaded and installed both the policyd and webui packages from http://download.policyd.org/v2.1.x-201310261831.

cd to /usr/share/doc/cluebringer/database/ and ran:

for i in core.tsql access_control.tsql quotas.tsql amavis.tsql checkhelo.tsql checkspf.tsql greylisting.tsql accounting.tsql
do
./convert-tsql pgsql $i
done > policyd.sql

I appended the following to policyd.sql:

GRANT SELECT,INSERT,UPDATE,DELETE ON access_control,amavis_rules,checkhelo,checkhelo_blacklist,checkhelo_tracking,checkhelo_whitelist,checkspf,greylisting,greylisting_autoblacklist,greylisting_autowhitelist,greylisting_tracking,greylisting_whitelist,policies,policy_group_members,policy_groups,policy_members,quotas,quotas_limits,quotas_tracking,session_tracking TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON access_control_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON amavis_rules_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON checkhelo_blacklist_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON checkhelo_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON checkhelo_whitelist_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON checkspf_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON greylisting_autoblacklist_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON greylisting_autowhitelist_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON greylisting_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON greylisting_whitelist_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON policies_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON policy_group_members_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON policy_groups_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON policy_members_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON quotas_id_seq TO cbpolicyd;
GRANT SELECT,UPDATE,USAGE ON quotas_limits_id_seq TO cbpolicyd;

As root, I 'su postgres' and ran 'psql', then created a database/user:

CREATE DATABASE cbpolicyd WITH TEMPLATE template0 ENCODING 'UTF8';
CREATE USER cbpolicyd WITH ENCRYPTED PASSWORD 'j8GQUlAllm3FBKJ7qdNbAoQe' NOSUPERUSER NOCREATEDB NOCREATEROLE;

I exited psql and re-entered with 'psql cbpolicyd postgres' and ran the following:

\i /path/to/policyd.sql

The files cluebringer.conf and webui.conf in /etc/cbpolicyd were modified to reflect the new database/user, and the directory path in /etc/apache2/conf.d/cluebringer.conf was changed to /usr/share/cluebringer/webui/.

It may be necessary to 'chown cbpolicyd:cbpolicyd /var/log/cbpolicyd.log' or the /var/log/cbpolicyd directory.

Restart both cbpolicyd and postfix.

5

Re: Policyd/Cluebringer IPV6 Support

ZhangHuangbin wrote:

We need a newer Cluebringer which supports IPv6.

Does this extra need modification to be IPV6 compliant?

-- Reference: http://wiki.policyd.org/

-- Priorities (Lower integer has higher priority):
--  priority=6  server-wide Whitelist
--  priority=8  server-wide Blacklist
--  priority=20 No greylisting. Works for both per-domain and per-user account.

-- Cluebringer default priorities:
--  priority=0  Default
--  priority=10 Default Inbound
--  priority=10 Default Outbound

-- Add new column: policy_group_members.Type.
-- It's used to identify record type/kind in iRedAdmin-Pro, for easier
-- management of white/blacklists.
--
-- Samples:
--   - Type=ip: value of `Member` is an IP address or CIDR range
--   - Type=email: a valid full email address
--   - Type=domain: a valid domain name
--
-- We can use multiple policies for different types, but it brings more SQL
-- queries for each policy request, this is not a good idea for performance
-- since Cluebringer is used to process every in/out SMTP session.
ALTER TABLE policy_group_members ADD COLUMN Type VARCHAR(10) NOT NULL DEFAULT '';
CREATE INDEX policy_group_members_type ON policy_group_members (Type);
CREATE INDEX policy_group_members_policygroupid_type ON policy_group_members (PolicyGroupID, Type);

-- ------------------------------
-- Whitelists (priority=6)
-- ------------------------------
INSERT INTO policies (Name, Priority, Disabled, Description)
    VALUES ('whitelists', 6, 0, 'Whitelisted sender, domain, IP');

INSERT INTO policy_groups (Name, Disabled) VALUES ('whitelists', 0);

INSERT INTO policy_members (PolicyID, Source, Destination, Disabled)
    SELECT id, '%whitelists', '%internal_domains', 0
    FROM policies WHERE name='whitelists' LIMIT 1;

-- Add access_control record to bypass whitelisted senders
INSERT INTO access_control (PolicyID, Name, Verdict, Data)
    SELECT id, 'bypass_whitelisted', 'OK', 'Whitelisted'
    FROM policies WHERE name='whitelists' LIMIT 1;

-- Samples: Add whitelisted sender, domain, IP
-- (all three go into the single 'whitelists' group created above)
-- INSERT INTO policy_group_members (PolicyGroupID, Member, Disabled, Type)
--    SELECT id, 'user@domain.com', 0, 'email' FROM policy_groups
--    WHERE name='whitelists' LIMIT 1;
-- INSERT INTO policy_group_members (PolicyGroupID, Member, Disabled, Type)
--    SELECT id, '@domain.com', 0, 'domain' FROM policy_groups
--    WHERE name='whitelists' LIMIT 1;
-- INSERT INTO policy_group_members (PolicyGroupID, Member, Disabled, Type)
--    SELECT id, '123.123.123.123', 0, 'ip' FROM policy_groups
--    WHERE name='whitelists' LIMIT 1;

-- ------------------------------
-- Blacklist (priority=8)
-- ------------------------------
INSERT INTO policies (Name, Priority, Disabled, Description) 
    VALUES ('blacklists', 8, 0, 'Blacklisted sender, domain, IP');

INSERT INTO policy_groups (Name, Disabled) VALUES ('blacklists', 0);

INSERT INTO policy_members (PolicyID, Source, Destination, Disabled)
    SELECT id, '%blacklists', '%internal_domains', 0
    FROM policies WHERE name='blacklists' LIMIT 1;

-- Add access control to reject blacklisted senders.
INSERT INTO access_control (PolicyID, Name, Verdict, Data)
    SELECT id, 'reject_blacklisted', 'REJECT', 'Blacklisted'
    FROM policies WHERE name='blacklists' LIMIT 1;

-- Samples: Add blacklisted sender, domain, IP
-- INSERT INTO policy_group_members (PolicyGroupID, Member, Disabled, Type)
--    SELECT id, 'user@domain.com', 0, 'email' FROM policy_groups
--    WHERE name='blacklists' LIMIT 1;
-- INSERT INTO policy_group_members (PolicyGroupID, Member, Disabled, Type)
--    SELECT id, '@domain.com', 0, 'domain' FROM policy_groups
--    WHERE name='blacklists' LIMIT 1;
-- INSERT INTO policy_group_members (PolicyGroupID, Member, Disabled, Type)
--    SELECT id, '123.123.123.123', 0, 'ip' FROM policy_groups
--    WHERE name='blacklists' LIMIT 1;

-- ------------------------------------
-- Per-domain and per-user greylisting
-- ------------------------------------
INSERT INTO policies (Name, Priority, Disabled, Description)
    VALUES ('no_greylisting', 20, 0, 'Disable grelisting for certain domain and users');

-- No greylisting for certain local domains/users
INSERT INTO policy_groups (Name, Disabled) VALUES ('no_greylisting_for_internal', 0);
INSERT INTO policy_members (PolicyID, Source, Destination, Disabled)
    SELECT id, '!%internal_ips,!%internal_domains', '%no_greylisting_for_internal', 0
    FROM policies WHERE name='no_greylisting' LIMIT 1;

-- No greylisting for certain external domains/users
INSERT INTO policy_groups (Name, Disabled) VALUES ('no_greylisting_for_external', 0);
INSERT INTO policy_members (PolicyID, Source, Destination, Disabled)
    SELECT id, '%no_greylisting_for_external', '%internal_domains', 0
    FROM policies WHERE name='no_greylisting' LIMIT 1;

-- Disable greylisting for %no_greylisting
INSERT INTO greylisting (PolicyID, Name, UseGreylisting, Track, UseAutoWhitelist, AutoWhitelistCount, AutoWhitelistPercentage, UseAutoBlacklist, AutoBlacklistCount, AutoBlacklistPercentage, Disabled)
    SELECT id, 'no_greylisting', 0, 'SenderIP:/32', 0, 0, 0, 0, 0, 0, 0
    FROM policies WHERE name='no_greylisting' LIMIT 1;

-- Sample: Disable greylisting for certain local domain/users:
-- INSERT INTO policy_group_members (PolicyGroupID, Member, Disabled)
--    SELECT id, '@domain.com', 0 FROM policy_groups WHERE name='no_greylisting_for_internal' LIMIT 1;

-- ---------------
-- INDEXES
-- ---------------
-- Add indexes for columns used in Cluebringer modules
--
CREATE INDEX policies_disabled ON policies (disabled);
-- Used in module: access_control
CREATE INDEX access_control_policyid_disabled ON access_control (policyid, disabled);
-- Used in module: checkhelo
CREATE INDEX checkhelo_policyid_disabled ON checkhelo (policyid, disabled);
CREATE INDEX checkhelo_whitelist_disabled ON checkhelo_whitelist (disabled);
-- Used in module: greylisting
CREATE INDEX greylisting_policyid_disabled ON greylisting (policyid, disabled);
CREATE INDEX greylisting_whitelist_disabled ON greylisting_whitelist (disabled);
CREATE INDEX greylisting_tracking_trackkey_firstseen ON greylisting_tracking (trackkey, firstseen);
CREATE INDEX greylisting_tracking_trackkey_firstseen_count ON greylisting_tracking (trackkey, firstseen, count);
-- Used in module: quotas
CREATE INDEX quotas_policyid_disabled ON quotas (policyid, disabled);
-- Used in module: accounting_tracking. Available in cluebringer-2.1.x.
-- CREATE INDEX accounting_policyid_disabled ON accounting (policyid, disabled);
-- CREATE INDEX accounting_tracking_accountingid_trackkey_periodkey ON accounting_tracking (accountingid, trackkey, periodkey);

--
-- Add indexes for columns required by web interface
--
CREATE UNIQUE INDEX policies_name ON policies (name);
CREATE UNIQUE INDEX policy_groups_name ON policy_groups (name);
CREATE INDEX policy_group_members_member ON policy_group_members (member);
-- Unique index to avoid duplicate records
CREATE UNIQUE INDEX policy_group_members_policygroupid_member ON policy_group_members (policygroupid, member);
CREATE INDEX quotas_name ON quotas (Name);
CREATE UNIQUE INDEX quotas_limits_quotasid_type ON quotas_limits (QuotasID, Type);
CREATE INDEX quotas_tracking_trackkey ON quotas_tracking (TrackKey);

6

Re: Policyd/Cluebringer IPV6 Support

cygni wrote:

Does this extra need modification to be IPV6 compliant?

I don't think so. We need IPv6 support in Cluebringer source code, not its data in SQL database.