1 Topic by pbf343

  • pbf343
  • Member
  • Offline
  • Registered: 2013-05-30
  • Posts: 247

Topic: reject_sender_login_mismatch

==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
====

CentOS 6.6 with iredAdmin pro mysql

Current plugins:
plugins = ["reject_null_sender", "amavisd_message_size_limit", "amavisd_wblist", "sql_alias_access_policy"]

Would like to add back:  reject_sender_login_mismatch
which I think helps eliminate spoofed email backscatter, etc.  However, if add this back into the scenario, what is the recommended method to deal with certain scenarios like the one below?


Client has a website with various forms that are completed by users.  Upon submission, the form is then sent by e-mail to mail system which blocks it b/c the form used one of their email accounts in the form field.  The use case scenarios can vary as well.  For example: this could be from their own website where the IP is fixed.  How would you recommend to handle this?


If one adds their IP to the "mynetworks" value, wouldn't that accept the e-mail?  However, if the form(s) or anything on the site is breached, would the mail system also accept everything sent from it as well? 


Would you recommend trying to whitelist the email address, domain or IP in the System Whiltelisted senders otpions?  Once again, is there anything that could be done about a breach from that e-mail? 

Thank you.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: reject_sender_login_mismatch

pbf343 wrote:

Upon submission, the form is then sent by e-mail to mail system which blocks it b/c the form used one of their email accounts in the form field.

Dear pbf343, I'm afraid that i don't understand what this means.

*) Adding IP to 'mynetworks' will make this IP a trusted client, all emails sent from this IP will be accepted.
*) If the form uses a fixed sender address, you may want to enable iRedAPD plugin 'reject_sender_login_mismatch' and whitelist this sender with setting below in /opt/iredapd/settings.py:

ALLOWED_LOGIN_MISMATCH_SENDERS = ['user@domain.com']

Restarting iRedAPD service is required.

3 Reply by pbf343 (edited by pbf343 2015-10-09 05:14:32)

  • pbf343
  • Member
  • Offline
  • Registered: 2013-05-30
  • Posts: 247

Re: reject_sender_login_mismatch

ZhangHuangbin wrote:
pbf343 wrote:

Upon submission, the form is then sent by e-mail to mail system which blocks it b/c the form used one of their email accounts in the form field.

Dear pbf343, I'm afraid that i don't understand what this means.

*) Adding IP to 'mynetworks' will make this IP a trusted client, all emails sent from this IP will be accepted.
*) If the form uses a fixed sender address, you may want to enable iRedAPD plugin 'reject_sender_login_mismatch' and whitelist this sender with setting below in /opt/iredapd/settings.py:

ALLOWED_LOGIN_MISMATCH_SENDERS = ['user@domain.com']

Restarting iRedAPD service is required.

Mynetworks is not working.
Does it go in the settings.py file?


Ref.:
http://www.iredmail.org/docs/iredapd.releases.html
http://www.iredmail.org/forum/topic9485 … works.html

In main.cf
mynetworks = 127.0.0.1
mynetworks_style = host

In settings.py file
plugins = ["reject_null_sender", "amavisd_message_size_limit", "amavisd_wblist", "sql_alias_access_policy"]
MYNETWORKS = ['x.x.x.x']


Is there an order or what would cause such?

Would bad header block it in quaratined.

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: reject_sender_login_mismatch

I'm afraid that i'm totally lost, i don't understand what your issue/question is, and what you're trying to solve. Please show us how your client send email, does it perform smtp authentication? you got error, and what's the error message in client side (e.g. web browser), and what's related log in server log file?

5 Reply by pbf343

  • pbf343
  • Member
  • Offline
  • Registered: 2013-05-30
  • Posts: 247

Re: reject_sender_login_mismatch

iRedAdmin-Pro is virtual machine A.  A web site user is using a browser on virtual machine B (a website).  The web site user completes an online form which uses an email address some_user@domain.tld in the "From" field that is on machine A.  The form also posts the message to the email on machine A (some_user@domain.tld).

The email seems to be sent to virtual machine A now that I've added the IP to the MyNetworks field.  However, the message is caught in quarantine and shows "bad header" in the iRedAdmin-Pro interface.

What file should be used to specify MYNETWORKS?
  Either:  main.cf or /opt/iredapd/settings.py?

What is the accurate syntax of MYNETWORKS?  Example:  MYNETWORKS = ['x.x.x.x','y.y.y.y','p.p.p.p']


So I'm thinking the form message is getting caught in quarantine due to the AmavisD "bad header" issue as the message appears to now arrive to the iRedAdmin-Pro.  Is my theory correct?



On another note and in this post: 
http://www.iredmail.org/forum/topic9485 … works.html
You say MyNetworks is only "used" by the plugin 'reject_null_sender' plugin.  Is the effect of adding an IP to this value identical to result to adding it in a regular postfix main.cf file?  In other words, does the functionality change in the iRedAdmin-Pro compared to straight Postfix main.cf configuration?

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: reject_sender_login_mismatch

Disable bad-header check in Amavisd config file and try again.

Amavisd doesn't read white/blacklists managed by iRedAdmin-Pro for bad-header checking, this is a known issue.