1

Topic: iRedAPD sql_user_restrictions.py not working?

==== Required information ====
- iRedMail version: iRedAdmin-Pro-MySQL-1.8.1
- Store mail accounts in which backend (MySQL):
- Linux/BSD distribution name and version: CentOS 6.5
- Related log if you're reporting an issue: iredapd.log
====

Hello.  I'm in the process of migrating one of our mail systems to using your product.  So far, it's been great.  I have had an issue implementing per-user whitelists and blacklists, however. 

I understand that there are four fields in vmail.mailbox that are read by iRedAPD to determine if the mail goes through.  On the user 'tim@mynewmailserver.net' I put 'joe@othermailhost.com' in the 'rejectedsenders' field and 'tim@othermailhost.com' in the 'rejectedrecipients' field.

Emails sent to his account from 'joe@othermailhost.com' go through without issue, and he is able to send to 'tim@othermailhost.com' from the 'tim@mynewmailserver.net' account.  It "DUNNO" about this, for some reason:

2014-04-27 03:13:12 INFO Starting iRedAPD (version: 1.4.2, backend: mysql), listening on 127.0.0.1:7777.
2014-04-27 03:13:12 INFO Loading plugin: sql_alias_access_policy
2014-04-27 03:13:12 INFO Loading plugin: sql_user_restrictions
2014-04-30 10:36:26 INFO [10.0.4.240] btv1==197eb6cbcce==joe@othermailhost.com -> tim@mynewmailserver.net, DUNNO
2014-04-30 10:53:01 INFO [127.0.0.1] tim@mynewmailserver.net -> joe@mynewmailserver.com, DUNNO
2014-04-30 10:54:41 INFO [127.0.0.1] tim@mynewmailserver.net -> tim@othermailhost.com, DUNNO
2014-04-30 10:54:43 INFO [127.0.0.1] tim@mynewmailserver.net -> joe@othermailhost.com, DUNNO

I can see that iRedAPD is probably thrown off by the bounce address tag validation, not a big deal.  However, after that, 'tim@mynewmailserver.net' sent a test message to 'tim@othermailhost.com', which went through without issue.  It is my understanding that othermailhost.com should not have received the message, since it is in the 'rejectedrecipients' field.

I turned debugging logging on in settings.py, and turned this possibly relevant info up:

2014-05-01 10:38:23 DEBUG Returned SQL Record: (None, 'tim@othermailhost.com', None, 'joe@othermailhost.com')
2014-05-01 10:38:23 DEBUG <!> Error: 'NoneType' object has no attribute 'split'
2014-05-01 10:38:23 INFO [127.0.0.1] tim@mynewmailserver.net -> tim@othermailhost.com, DUNNO
2014-05-01 10:38:23 DEBUG Connection closed
2014-05-01 10:38:23 DEBUG Closed SQL connection.

I don't discount the possibility that I'm doing something wrong, but I'm not sure what it might be.  iRedAPD was set up via the included script in iRedMail or iRedAdmin.  I'm not sure which.


2

Re: iRedAPD sql_user_restrictions.py not working?

I believe we have found the issue.  If the user has rejected_senders or rejected_recipients but not any allowed_senders or allowed_recipients, the script fails on allowed_recipients.split(','), because it is type None.  Instead of something like this:

all_allowed_recipients = [s.lower().strip() for s in allowed_recipients.split(',')]
logging.debug('All allowed recipient: %s' % str(all_allowed_recipients))

It should have something more like:

if not allowed_recipients:
    all_allowed_recipients = None
    logging.debug('All allowed recipient: empty list, moving on')
else:
    all_allowed_recipients = [s.lower().strip() for s in allowed_recipients.split(',')]
    logging.debug('All allowed recipient: %s' % str(all_allowed_recipients))

I did this where the other three '.split's were called, and that appears to have resolved the issue.  I don't know what to do about the bounce address tag stuff, but that was less of an issue.
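
The failure mode described in this post, as an added example (not iRedAPD's code and not part of the original post): a NULL allow column raises before the reject list is consulted, and the error ends in DUNNO, so the block list is silently skipped. The record's column order, the action strings and all function names are assumptions.

```python
# Added example: names, column order and action strings are assumptions,
# not taken from iRedAPD's source.
DUNNO, REJECT, OK = 'DUNNO', 'REJECT', 'OK'

# Constructed from the debug line in the first post; column order is assumed
# to be (allowed_recipients, rejected_recipients, allowed_senders, rejected_senders).
RECORD = (None, 'tim@othermailhost.com', None, 'joe@othermailhost.com')


def split_column(value):
    """Parse a nullable, comma-separated column into lowercase entries."""
    if not value:  # NULL or empty string: no entries
        return []
    return [s.strip().lower() for s in value.split(',') if s.strip()]


def listed(address, entries):
    """Same four match forms as the plugin snippet quoted in the thread."""
    domain = address.rsplit('@', 1)[-1]
    return (address in entries or domain in entries
            or '@.' + domain in entries or '@.' in entries)


def naive_check(recipient, record):
    allowed, rejected = record[0], record[1]
    # Raises AttributeError when the allow column is NULL, before the
    # reject list is ever consulted.
    if listed(recipient, [s.lower().strip() for s in allowed.split(',')]):
        return OK
    if listed(recipient, [s.lower().strip() for s in rejected.split(',')]):
        return REJECT
    return DUNNO


def safe_check(recipient, record):
    allowed, rejected = split_column(record[0]), split_column(record[1])
    if listed(recipient, allowed):
        return OK
    if listed(recipient, rejected):
        return REJECT
    return DUNNO


def run_plugin(check, recipient, record):
    """Model of the logged behaviour: a plugin error ends in DUNNO."""
    try:
        return check(recipient.lower(), record)
    except Exception:
        return DUNNO
```

Calling `run_plugin(naive_check, 'tim@othermailhost.com', RECORD)` gives DUNNO, matching the log, while `safe_check` on the same input returns REJECT.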

3

Re: iRedAPD sql_user_restrictions.py not working?

I may have discovered one (bad, but simple) way to deal with the bounce address tags, to allow the lookup to proceed without it:

            if all_allowed_senders:
                if sender in all_allowed_senders \
                   or sender_domain in all_allowed_senders \
>>>              or sender.rsplit('=', 1)[1] in all_allowed_senders \ <<<
                   or '@.' + sender_domain in all_allowed_senders \
                   or '@.' in all_allowed_senders:
                    return SMTP_ACTIONS['accept']

Obviously, remove the '<<<' and '>>>' stuff.  I understand this theoretically would catch legit email addresses, since '=' is a valid email address character.  A similar line can be added for 'all_rejected_senders' as well.  It works in my test case, at least.
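
An added example (not part of the original post and not the fix iRedAPD shipped) comparing the `rsplit('=', 1)[1]` expression above with a stricter normaliser that removes only the tag shape seen in the log line, `btv1==<hex>==`. The regular expression, function names and sample addresses are assumptions.

```python
import re

# Only the tag shape seen in the thread's log line is recognised:
# btv1==<hex tag>==<original local part>@<domain>. Assumed, not a spec.
BTV1 = re.compile(r'^btv1==[0-9a-f]+==([^@]+)@([^@]+)$', re.IGNORECASE)


def strip_bounce_tag(sender):
    """Return the untagged address, or the sender unchanged if not tagged."""
    match = BTV1.match(sender)
    if match is None:
        return sender.lower()
    return '{}@{}'.format(match.group(1), match.group(2)).lower()


def rsplit_lookup(sender):
    """The expression from the post, with its IndexError made visible."""
    try:
        return sender.rsplit('=', 1)[1]
    except IndexError:
        return None  # no '=' anywhere in the address


def sender_listed(sender, entries):
    """Match the address as received and with a recognised tag removed."""
    candidates = {sender.lower(), strip_bounce_tag(sender)}
    return any(c in entries or c.rsplit('@', 1)[-1] in entries
               for c in candidates)


# Constructed inputs; the first is the sender from the thread's log.
SAMPLES = [
    'btv1==197eb6cbcce==joe@othermailhost.com',
    'joe@othermailhost.com',
    'billing=joe@othermailhost.com',
]
REJECTED = ['joe@othermailhost.com']

if __name__ == '__main__':
    for s in SAMPLES:
        print(s, rsplit_lookup(s), strip_bounce_tag(s),
              sender_listed(s, REJECTED))
```

The tag value is not validated here, so this is normalisation for list lookups only, not bounce verification.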

4

Re: iRedAPD sql_user_restrictions.py not working?

Thanks very much for your feedback and patch. You can now download the new plugin file below and override the one on your server (/opt/iredapd/plugins/sql_user_restrictions.py); it fixes both issues you reported:
https://bitbucket.org/zhb/iredapd/src/7 … at=default

Commit logs:
1: fix 'NoneType' error: https://bitbucket.org/zhb/iredapd/commi … at=default
2: fix bounce address issue: https://bitbucket.org/zhb/iredapd/commi … at=default

jford wrote:

>>>              or sender.rsplit('=', 1)[1] in all_allowed_senders \ <<<

This is an improper fix. It's fixed in the above link.