1 Topic by jpforte

  • jpforte
  • Member
  • Offline
  • From: Belleair Florida USA
  • Registered: 2013-08-24
  • Posts: 58

Topic: Upgrade from iRedAPD 1.4.3 to 1.4.4

==== Required information ====
- iRedMail version: 0.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Linux/BSD distribution name and version:  CentOS 6
- Related log if you're reporting an issue: iRedAPD 1.4.4
====

I have the upgrade done following http://www.iredmail.org/docs/upgrade.iredapd.html

However the instructions for some of the new things don't tell how to do it

It's recommended to enable plugin reject_null_sender in iRedAPD-1.4.4 or newer releases to prevent authenticated user sending spam as null sender.

Where do it update Reject_null_sender to be a plugin?

In

Since version 1.4.4, iRedAPD supports Postfix smtp protocol state END-OF-MESSAGE, so you can enable iRedAPD in Postfix parameter smtpd_end_of_data_restrictions like below:
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777, ...
Currently, only plugin amavisd_message_size_limit works in END-OF-MESSAGE state, other plugins work in RCPT state.

How do enable that? in postfix main it already has "smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031"

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

jpforte's Website

2 Reply by mir

  • mir
  • Member
  • Offline
  • Registered: 2014-05-30
  • Posts: 170

Re: Upgrade from iRedAPD 1.4.3 to 1.4.4

jpforte wrote:

Where do it update Reject_null_sender to be a plugin?

/opt/iredapd/settings.py

jpforte wrote:

How do enable that? in postfix main it already has "smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031"

/etc/postfix/main.cf

3 Reply by jpforte

  • jpforte
  • Member
  • Offline
  • From: Belleair Florida USA
  • Registered: 2013-08-24
  • Posts: 58

Re: Upgrade from iRedAPD 1.4.3 to 1.4.4

Thank you I edited /opt/iredapd/settings.py

In case someone else trips on this and is not familiar with the syntax
The line was plugins = ["sql_alias_access_policy", "sql_user_restrictions"]
I changed it to plugins = ["sql_alias_access_policy", "sql_user_restrictions","reject_null_sender"]

I was hoping for something like this.
More Info on what this does from /opt/iRedAPD-1.4.4/plugins/reject_null_sender.py

# Author: Zhang Huangbin <zhb _at_ iredmail.org>
#
# Purpose: Reject message submitted by sasl authenticated user but specifying
#          null sender in 'From:' header (from=<> in Postfix log).
#
#          If your user's password was cracked by spammer, spammer can use
#          this account to bypass smtp authentication, but with a null sender
#          in 'From:' header, throttling won't be triggered.
#
# How to use this plugin:
#
# *) Enable this plugin in iRedAPD config file /opt/iredapd/settings.py:
#
#    plugins = ['reject_null_sender', ...]
#
# *) Restart iRedAPD service.

jpforte's Website

4 Reply by jpforte

  • jpforte
  • Member
  • Offline
  • From: Belleair Florida USA
  • Registered: 2013-08-24
  • Posts: 58

Re: Upgrade from iRedAPD 1.4.3 to 1.4.4

mir wrote:
jpforte wrote:

Where do it update Reject_null_sender to be a plugin?

/opt/iredapd/settings.py

jpforte wrote:

How do enable that? in postfix main it already has "smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031"

/etc/postfix/main.cf

I changed smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031

to

smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031,check_policy_service inet:127.0.0.1:7777

Then service postfix restart, with no errors.

Is this correct?

jpforte's Website

5 Reply by mir

  • mir
  • Member
  • Offline
  • Registered: 2014-05-30
  • Posts: 170

Re: Upgrade from iRedAPD 1.4.3 to 1.4.4

You should swap it around like:

smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777,check_policy_service inet:127.0.0.1:10031

END-OF-MESSAGE state is a fairly quick check so if it already fails this check there is no need to bring in the big guns.

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: Upgrade from iRedAPD 1.4.3 to 1.4.4

Better to use it as first plugin:

plugins = ["reject_null_sender", "sql_alias_access_policy", "sql_user_restrictions"]

About smtpd_end_of_data_restrictions support, currently only one plugin is available in iRedAPD - "amavisd_message_size_limit". If you don't need it, you should not enable iRedAPD in smtpd_end_of_data_restrictions.

I'm sorry that I didn't make it clear in upgrade tutorial, will fix it later.