1

Topic: Mail list access policy has no effect (LDAP backend)

==== Required information ====
- iRedMail version: 0.9.1 with iredapd 1.5.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache 2.2
- Linux/BSD distribution name and version: CentOS 6.6 x86_64
- Related log if you're reporting an issue:
====

As part of setting up and testing mail lists, I found that the access policy parameter has no effect. Note: I did the upgrade process from iredapd 1.4.4 to 1.5.0. Perhaps that is related?

I set the accessPolicy for a mail list "list1@example.tld" to "domain" and sent an email to it from an outside domain "user2@otherdomain.tld" and the message was delivered to the list without complaint. Similarly I tried the "membersonly" setting for accessPolicy and got the exact same behavior.

Basically anyone from the outside of that domain can send to an email list since the filtering policy does not work. The iredapd settings.py has the plugin enabled:

plugins = ["reject_null_sender", "amavisd_message_size_limit", "amavisd_wblist", "ldap_maillist_access_policy"]


The iredapd 1.5.0 is configured properly and the daemon is running as far as I can tell. The netstat output is:

tcp        0      0 127.0.0.1:7777              0.0.0.0:*                   LISTEN      12961/python

Postfix main.cf has the iredapd policy server configured from the standard install:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031,

I also tried restarting postfix and LDAP and iredapd but that did not fix the problem.

How to fix?


2

Re: Mail list access policy has no effect (LDAP backend)

Bug in iRedAPD-1.5.0 and latest development version, please fix it with the patch below:

diff -r b29632fb0b7d plugins/ldap_maillist_access_policy.py
--- a/plugins/ldap_maillist_access_policy.py    Tue Jun 02 00:35:13 2015 +0800
+++ b/plugins/ldap_maillist_access_policy.py    Wed Jun 03 06:02:01 2015 +0800
@@ -28,7 +28,7 @@
     if policy == 'public':
         return SMTP_ACTIONS['default'] + ' (Access policy: public, no restriction)'
 
-    conn = kwargs['conn']
+    conn = kwargs['conn_vmail']
     base_dn = kwargs['base_dn']
     sender = kwargs['sender']
     sender_domain = kwargs['sender_domain']
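
Review bot: the replacement line `conn = kwargs['conn_vmail']` is still a bare dictionary index, like the `base_dn`, `sender` and `sender_domain` lookups after it, so nothing in this block guards against the key being absent or renamed again. Since this path decides whether a restricted list accepts a sender, consider checking for the key explicitly, logging an error and returning a non-permissive action when it is missing, and add a short comment saying which connection `conn_vmail` refers to.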

Note: restarting iRedAPD service is required.
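
One way to confirm the list policy after the restart without sending test mail, as an added example that is not part of the original thread or of iRedAPD's code: it speaks the Postfix policy delegation protocol to the listener at 127.0.0.1:7777 shown in the first post. The function names, the sample client address and the reduced attribute set (a subset of what Postfix sends, which the daemon may or may not find sufficient) are assumptions.

```python
import socket

def build_request(sender, recipient, state="RCPT"):
    """Serialize a policy delegation request: name=value lines, ended by a blank line."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", state),
        ("protocol_name", "ESMTP"),
        ("sender", sender),
        ("recipient", recipient),
        ("client_address", "192.0.2.10"),  # constructed value, documentation range
        ("sasl_username", ""),             # empty: an unauthenticated outside sender
    ]
    return "".join(f"{k}={v}\n" for k, v in attrs).encode() + b"\n"

def parse_action(reply):
    """Return the text after 'action=' from a policy reply."""
    for line in reply.decode(errors="replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):]
    raise ValueError("no action= line in policy reply")

def query_policy(sender, recipient, host="127.0.0.1", port=7777, timeout=5):
    """Send one request to the policy daemon and return its action string."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(sender, recipient))
        buf = b""
        while not buf.endswith(b"\n\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_action(buf)

def sender_was_refused(action):
    """True for REJECT/DEFER style actions or a bare 4xx/5xx reply code."""
    verb = action.split(None, 1)[0].upper() if action.strip() else ""
    return verb in ("REJECT", "DEFER", "DEFER_IF_PERMIT") or verb[:1] in ("4", "5")

if __name__ == "__main__":
    # Addresses are the ones used in the report above.
    action = query_policy("user2@otherdomain.tld", "list1@example.tld")
    print(action, "-> refused" if sender_was_refused(action) else "-> NOT refused")
```

Run it on the mail server itself, since the daemon listens on loopback only; with accessPolicy set to "domain" or "membersonly", a reply that is not refused for the outside sender means the restriction is still not being applied.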

3

Re: Mail list access policy has no effect (LDAP backend)

ZhangHuangbin wrote:

Bug in iRedAPD-1.5.0 and latest development version, please fix it with the patch below:

diff -r b29632fb0b7d plugins/ldap_maillist_access_policy.py
--- a/plugins/ldap_maillist_access_policy.py    Tue Jun 02 00:35:13 2015 +0800
+++ b/plugins/ldap_maillist_access_policy.py    Wed Jun 03 06:02:01 2015 +0800
@@ -28,7 +28,7 @@
     if policy == 'public':
         return SMTP_ACTIONS['default'] + ' (Access policy: public, no restriction)'
 
-    conn = kwargs['conn']
+    conn = kwargs['conn_vmail']
     base_dn = kwargs['base_dn']
     sender = kwargs['sender']
     sender_domain = kwargs['sender_domain']

Note: restarting iRedAPD service is required.

OK, that fixed it. You have a minor typo in the error message returned to the mail user:

/opt/iRedAPD-1.5.0/libs/__init__.py:13:    'reject_not_authorized': 'REJECT Not authoried',

Change "authoried" to "authorised" (or "authorized")

4

Re: Mail list access policy has no effect (LDAP backend)

Fixed. Thanks for the feedback.