1 (edited by tom cotton 2017-09-08 01:11:46)

Topic: Per User Whitelist/Blacklist not working

==== Required information ====
- iRedMail version (check /etc/iredmail-release): v0.9.7
- Linux/BSD distribution name and version: CentOs 6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

The per-user Whitelist and Blacklist are not stopping any blacklisted senders. Also I can send to Blacklisted recipients.

Per recipient filtering is enabled in amavisd.conf and the plugin is enabled.

Blacklist is @. = All accounts

Whitelist are 20 specific email addresses.

Settings same for both inbound and outbound mail.

----


2

Re: Per User Whitelist/Blacklist not working

Could you please show me output of commands below?

postconf smtpd_recipient_restrictions
postconf smtpd_end_of_data_restrictions
grep '^plugins' /opt/iredapd/settings.py
cd /opt/iredapd/tools/
python wblist_admin.py --list --whitelist
python wblist_admin.py --list --blacklist

Also, please turn on debug mode in iRedAPD, send one new testing email, extract related log from iRedAPD log file (/var/log/iredapd/iredapd.log) and paste here.
FYI: http://www.iredmail.org/docs/debug.iredapd.html

3

Re: Per User Whitelist/Blacklist not working

Output of commands and relevant debug data from iredapd log for the message I sent are in the attached file.

4

Re: Per User Whitelist/Blacklist not working

No attachment. Please paste as post content directly.

5

Re: Per User Whitelist/Blacklist not working

Thu Sep 07 16:57:39
(22)[root@mx2 tools]$ postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/access check_policy_service inet:127.0.0.1:7777 reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unlisted_recipient reject_unauth_destination permit_sasl_authenticated
Fri Sep 08 15:30:16
(23)[root@mx2 tools]$ postconf smtpd_end_of_data_restrictions
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
Fri Sep 08 15:31:06
(24)[root@mx2 tools]$ grep '^plugins' /opt/iredapd/settings.py
plugins = ["reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "ldap_maillist_access_policy"]
Fri Sep 08 15:31:39
(25)[root@mx2 tools]$ cd /opt/iredapd/tools/
Fri Sep 08 15:32:20
(26)[root@mx2 tools]$ python wblist_admin.py --list --whitelist
* Establishing SQL connection.
* List all inbound whitelist for account: @.
@ansspc.supportsystem.com
ericalavender@ymail.com
Fri Sep 08 15:32:31
(27)[root@mx2 tools]$ python wblist_admin.py --list --blacklist
* Establishing SQL connection.
* List all inbound blacklist for account: @.
* No whitelist/blacklist.
Fri Sep 08 15:34:37

2017-09-08 15:38:41 DEBUG smtp session: request=smtpd_access_policy
2017-09-08 15:38:41 DEBUG smtp session: protocol_state=END-OF-MESSAGE
2017-09-08 15:38:41 DEBUG smtp session: protocol_name=ESMTP
2017-09-08 15:38:41 DEBUG smtp session: client_address=108.60.195.213
2017-09-08 15:38:41 DEBUG smtp session: client_name=cx-a.mxthunder.net
2017-09-08 15:38:41 DEBUG smtp session: reverse_client_name=cx-a.mxthunder.net
2017-09-08 15:38:41 DEBUG smtp session: helo_name=cx-a.mxthunder.net
2017-09-08 15:38:41 DEBUG smtp session: sender=cotton59@gmail.com
2017-09-08 15:38:41 DEBUG smtp session: recipient=thomas@ansspc.com
2017-09-08 15:38:41 DEBUG smtp session: recipient_count=1
2017-09-08 15:38:41 DEBUG smtp session: queue_id=97171F31
2017-09-08 15:38:41 DEBUG smtp session: instance=6b55.59b2b981.95657.0
2017-09-08 15:38:41 DEBUG smtp session: size=3060
2017-09-08 15:38:41 DEBUG smtp session: etrn_domain=
2017-09-08 15:38:41 DEBUG smtp session: stress=
2017-09-08 15:38:41 DEBUG smtp session: sasl_method=
2017-09-08 15:38:41 DEBUG smtp session: sasl_username=
2017-09-08 15:38:41 DEBUG smtp session: sasl_sender=
2017-09-08 15:38:41 DEBUG smtp session: ccert_subject=
2017-09-08 15:38:41 DEBUG smtp session: ccert_issuer=
2017-09-08 15:38:41 DEBUG smtp session: ccert_fingerprint=
2017-09-08 15:38:41 DEBUG smtp session: ccert_pubkey_fingerprint=
2017-09-08 15:38:41 DEBUG smtp session: encryption_protocol=TLSv1.2
2017-09-08 15:38:41 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384
2017-09-08 15:38:41 DEBUG smtp session: encryption_keysize=256
2017-09-08 15:38:41 DEBUG LDAP connection initialied success.
2017-09-08 15:38:41 DEBUG LDAP bind success.
2017-09-08 15:38:41 DEBUG Skip plugin: reject_null_sender (protocol_state != END-OF-MESSAGE)
2017-09-08 15:38:41 DEBUG Skip plugin: wblist_rdns (protocol_state != END-OF-MESSAGE)
2017-09-08 15:38:41 DEBUG Skip plugin: reject_sender_login_mismatch (protocol_state != END-OF-MESSAGE)
2017-09-08 15:38:41 DEBUG Skip plugin: greylisting (protocol_state != END-OF-MESSAGE)
2017-09-08 15:38:41 DEBUG --> Apply plugin: throttle
2017-09-08 15:38:41 DEBUG Check sender throttling.
2017-09-08 15:38:41 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='external' AND account IN ('108.60.195.213', '@ip', 'cotton59@gmail.com', '@gmail.com', '@.', '@$
         ORDER BY priority DESC

2017-09-08 15:38:41 DEBUG [SQL] Query result:
[]
2017-09-08 15:38:41 DEBUG No sender throttle setting.
2017-09-08 15:38:41 DEBUG Check recipient throttling.
2017-09-08 15:38:41 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='inbound' AND account IN ('108.60.195.213', '@ip', 'thomas@ansspc.com', '@ansspc.com', '@.', '@.$
         ORDER BY priority DESC

2017-09-08 15:38:41 DEBUG [SQL] Query result:
[]
2017-09-08 15:38:41 DEBUG No recipient throttle setting.
2017-09-08 15:38:41 DEBUG <-- Result: DUNNO
2017-09-08 15:38:41 DEBUG Skip plugin: ldap_maillist_access_policy (protocol_state != END-OF-MESSAGE)
2017-09-08 15:38:41 DEBUG Skip plugin: amavisd_wblist (protocol_state != END-OF-MESSAGE)
2017-09-08 15:38:41 DEBUG Session ended.

6

Re: Per User Whitelist/Blacklist not working

*) Postfix and iRedAPD configurations are ok.
*) You didn't paste full log related to your testing email, cannot troubleshoot right now.
*) Please run commands below and show us output. NOTE: you should replace '<mail>' by the real email address of the user you're setting per-user white/blacklists.

cd /opt/iredapd/tools/
python wblist_admin.py --list --whitelist --account '<mail>'
python wblist_admin.py --list --blacklist --account '<mail>'

7

Re: Per User Whitelist/Blacklist not working

Output of commands:

(4)[root@mx2 ~]$ cd /opt/iredapd/tools/
Sun Sep 10 17:43:22
(5)[root@mx2 tools]$ python wblist_admin.py --list --whitelist --account thomas@ansspc.com
* Establishing SQL connection.
* List all inbound whitelist for account: thomas@mydomain.com
...
Sun Sep 10 17:43:39
(6)[root@mx2 tools]$ python wblist_admin.py --list --blacklist --account thomas@mydomain.com
* Establishing SQL connection.
* List all inbound blacklist for account: thomas@ansspc.com
@.
Sun Sep 10 17:43:59
(7)[root@mx2 tools]$

Here is the log from the test message. Let me know if I am missing anything.

2017-09-10 17:47:49 INFO Starting iRedAPD (version: 2.1, backend: ldap), listening on 127.0.0.1:7777.
2017-09-10 17:47:49 INFO Log rotate type: time, interval: W6, backup copies: 12.
2017-09-10 17:47:49 INFO Loading plugin (priority: 100): reject_null_sender
2017-09-10 17:47:49 INFO Loading plugin (priority: 99): wblist_rdns
2017-09-10 17:47:49 INFO Loading plugin (priority: 90): reject_sender_login_mismatch
2017-09-10 17:47:49 INFO Loading plugin (priority: 80): greylisting
2017-09-10 17:47:49 INFO Loading plugin (priority: 60): throttle
2017-09-10 17:47:49 INFO Loading plugin (priority: 50): ldap_maillist_access_policy
2017-09-10 17:47:49 INFO Loading plugin (priority: 40): amavisd_wblist
2017-09-10 17:48:01 DEBUG Connect from 127.0.0.1, port 53302.
2017-09-10 17:48:01 DEBUG smtp session: request=smtpd_access_policy
2017-09-10 17:48:01 DEBUG smtp session: protocol_state=END-OF-MESSAGE
2017-09-10 17:48:01 DEBUG smtp session: protocol_name=ESMTP
2017-09-10 17:48:01 DEBUG smtp session: client_address=108.60.195.213
2017-09-10 17:48:01 DEBUG smtp session: client_name=cx-a.mxthunder.net
2017-09-10 17:48:01 DEBUG smtp session: reverse_client_name=cx-a.mxthunder.net
2017-09-10 17:48:01 DEBUG smtp session: helo_name=cx-a.mxthunder.net
2017-09-10 17:48:01 DEBUG smtp session: sender=cotton59@gmail.com
2017-09-10 17:48:01 DEBUG smtp session: recipient=thomas@mydomain.com
2017-09-10 17:48:01 DEBUG smtp session: recipient_count=1
2017-09-10 17:48:01 DEBUG smtp session: queue_id=E2AB15CA
2017-09-10 17:48:01 DEBUG smtp session: instance=4073.59b57ad1.e0be5.0
2017-09-10 17:48:01 DEBUG smtp session: size=3091
2017-09-10 17:48:01 DEBUG smtp session: etrn_domain=
2017-09-10 17:48:01 DEBUG smtp session: stress=
2017-09-10 17:48:01 DEBUG smtp session: sasl_method=
2017-09-10 17:48:01 DEBUG smtp session: sasl_username=
2017-09-10 17:48:01 DEBUG smtp session: sasl_sender=
2017-09-10 17:48:01 DEBUG smtp session: ccert_subject=
2017-09-10 17:48:01 DEBUG smtp session: ccert_issuer=
2017-09-10 17:48:01 DEBUG smtp session: ccert_fingerprint=
2017-09-10 17:48:01 DEBUG smtp session: ccert_pubkey_fingerprint=
2017-09-10 17:48:01 DEBUG smtp session: encryption_protocol=TLSv1.2
2017-09-10 17:48:01 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384
2017-09-10 17:48:01 DEBUG smtp session: encryption_keysize=256
2017-09-10 17:48:01 DEBUG LDAP connection initialied success.
2017-09-10 17:48:01 DEBUG LDAP bind success.
2017-09-10 17:48:02 DEBUG Skip plugin: reject_null_sender (protocol_state != END-OF-MESSAGE)
2017-09-10 17:48:02 DEBUG Skip plugin: wblist_rdns (protocol_state != END-OF-MESSAGE)
2017-09-10 17:48:02 DEBUG Skip plugin: reject_sender_login_mismatch (protocol_state != END-OF-MESSAGE)
2017-09-10 17:48:02 DEBUG Skip plugin: greylisting (protocol_state != END-OF-MESSAGE)
2017-09-10 17:48:02 DEBUG --> Apply plugin: throttle
2017-09-10 17:48:02 DEBUG Check sender throttling.
2017-09-10 17:48:02 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='external' AND account IN ('108.60.195.213', '@ip', 'cotton59@gmail.com', '@gmail.com', '@.', '@.gmail.com', '@.com', '108.60.195.*', '108.60.*.213')
         ORDER BY priority DESC

2017-09-10 17:48:02 DEBUG [SQL] Query result:
[]
2017-09-10 17:48:02 DEBUG No sender throttle setting.
2017-09-10 17:48:02 DEBUG Check recipient throttling.
2017-09-10 17:48:02 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='inbound' AND account IN ('108.60.195.213', '@ip', 'thomas@mydomain.com', '@ansspc.com', '@.', '@.ansspc.com', '@.com', '108.60.195.*', '108.60.*.213')
         ORDER BY priority DESC

2017-09-10 17:48:02 DEBUG [SQL] Query result:
[]
2017-09-10 17:48:02 DEBUG No recipient throttle setting.
2017-09-10 17:48:02 DEBUG <-- Result: DUNNO
2017-09-10 17:48:02 DEBUG Skip plugin: ldap_maillist_access_policy (protocol_state != END-OF-MESSAGE)
2017-09-10 17:48:02 DEBUG Skip plugin: amavisd_wblist (protocol_state != END-OF-MESSAGE)
2017-09-10 17:48:02 DEBUG Session ended.
2017-09-10 17:48:02 INFO [108.60.195.213] END-OF-MESSAGE, cotton59@gmail.com -> thomas@mydomain.com, DUNNO [0.0413s]
2017-09-10 17:48:02 DEBUG Close LDAP connection.
2017-09-10 17:48:05 DEBUG Connect from 127.0.0.1, port 53318.
2017-09-10 17:48:05 DEBUG smtp session: request=smtpd_access_policy
2017-09-10 17:48:05 DEBUG smtp session: protocol_state=END-OF-MESSAGE
2017-09-10 17:48:05 DEBUG smtp session: protocol_name=ESMTP
2017-09-10 17:48:05 DEBUG smtp session: client_address=209.59.182.9
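The log above shows the policy daemon handling the test message only in a protocol_state=END-OF-MESSAGE session (the one called from smtpd_end_of_data_restrictions), in which amavisd_wblist is listed as skipped; no session with protocol_state=RCPT appears for that message at all. Since check_policy_service is present in smtpd_recipient_restrictions (post 5), and Postfix stops evaluating a restriction list at the first rule that returns PERMIT or REJECT, a missing RCPT-stage session means some rule listed before check_policy_service already permitted the recipient, so the per-user white/blacklist was never consulted. The following script is an added example, not iRedAPD's own code, that automates that triage over an iRedAPD debug log: it groups lines into sessions, correlates sessions belonging to one message via the Postfix "instance" attribute, and reports messages that never reached the daemon at RCPT. The sample log is constructed: a trimmed copy of the posted END-OF-MESSAGE session plus a hypothetical healthy RCPT-stage session (instance "aaaa.1", sender someone@example.org, result text assumed) in the same line format.

```python
"""Triage an iRedAPD debug log: which messages reached the policy daemon at
the RCPT stage, and was a given plugin (amavisd_wblist) applied there?

Added example, not iRedAPD's own code. It relies only on the line shapes
visible in the posted log: "smtp session: key=value", "--> Apply plugin: X",
"Skip plugin: X", "<-- Result: R" and "Session ended.".
"""
import re
from typing import Dict, List

SESSION_START = re.compile(r"smtp session: request=smtpd_access_policy")
KV = re.compile(r"smtp session: (\w+)=(.*)$")
APPLY = re.compile(r"--> Apply plugin: (\w+)")
SKIP = re.compile(r"Skip plugin: (\w+)")
RESULT = re.compile(r"<-- Result: (\S+)")
SESSION_END = re.compile(r"Session ended\.")


def parse_sessions(lines: List[str]) -> List[Dict]:
    """Group log lines into policy sessions (one per check_policy_service call)."""
    sessions: List[Dict] = []
    cur = None
    for line in lines:
        if SESSION_START.search(line):
            cur = {"attrs": {}, "applied": [], "skipped": [], "results": []}
            sessions.append(cur)
            continue
        if cur is None:          # lines outside a session (startup, LDAP bind, ...)
            continue
        m = KV.search(line)
        if m:
            cur["attrs"][m.group(1)] = m.group(2).strip()
            continue
        m = APPLY.search(line)
        if m:
            cur["applied"].append(m.group(1))
            continue
        m = SKIP.search(line)
        if m:
            cur["skipped"].append(m.group(1))
            continue
        m = RESULT.search(line)
        if m:
            cur["results"].append(m.group(1))
            continue
        if SESSION_END.search(line):
            cur = None
    return sessions


def rcpt_coverage(sessions: List[Dict], plugin: str = "amavisd_wblist") -> Dict[str, Dict]:
    """Per message (keyed by the Postfix 'instance' attribute, which is shared by
    all policy requests for one message), record the protocol states that reached
    the daemon and whether `plugin` was applied in a RCPT-stage session."""
    report: Dict[str, Dict] = {}
    for s in sessions:
        a = s["attrs"]
        r = report.setdefault(a.get("instance", "?"), {
            "sender": a.get("sender"), "recipient": a.get("recipient"),
            "states": [], "plugin_at_rcpt": False})
        state = a.get("protocol_state", "?")
        r["states"].append(state)
        if state == "RCPT" and plugin in s["applied"]:
            r["plugin_at_rcpt"] = True
    return report


def bypassed_messages(sessions: List[Dict], plugin: str = "amavisd_wblist") -> List[str]:
    """Messages with no RCPT-stage session at all. With check_policy_service in
    smtpd_recipient_restrictions, that means an earlier rule in that list already
    returned PERMIT, so per-user white/blacklists were never evaluated."""
    return [f"{r['sender']} -> {r['recipient']}"
            for r in rcpt_coverage(sessions, plugin).values()
            if "RCPT" not in r["states"]]


# Constructed sample: trimmed copy of the posted END-OF-MESSAGE session, plus a
# hypothetical healthy message ("aaaa.1") seen at RCPT with amavisd_wblist applied.
SAMPLE_LOG = """\
2017-09-10 17:48:01 DEBUG smtp session: request=smtpd_access_policy
2017-09-10 17:48:01 DEBUG smtp session: protocol_state=END-OF-MESSAGE
2017-09-10 17:48:01 DEBUG smtp session: sender=cotton59@gmail.com
2017-09-10 17:48:01 DEBUG smtp session: recipient=thomas@mydomain.com
2017-09-10 17:48:01 DEBUG smtp session: instance=4073.59b57ad1.e0be5.0
2017-09-10 17:48:01 DEBUG LDAP bind success.
2017-09-10 17:48:02 DEBUG --> Apply plugin: throttle
2017-09-10 17:48:02 DEBUG <-- Result: DUNNO
2017-09-10 17:48:02 DEBUG Skip plugin: amavisd_wblist (protocol_state != END-OF-MESSAGE)
2017-09-10 17:48:02 DEBUG Session ended.
2017-09-10 18:00:00 DEBUG smtp session: request=smtpd_access_policy
2017-09-10 18:00:00 DEBUG smtp session: protocol_state=RCPT
2017-09-10 18:00:00 DEBUG smtp session: sender=someone@example.org
2017-09-10 18:00:00 DEBUG smtp session: recipient=thomas@mydomain.com
2017-09-10 18:00:00 DEBUG smtp session: instance=aaaa.1
2017-09-10 18:00:00 DEBUG --> Apply plugin: amavisd_wblist
2017-09-10 18:00:00 DEBUG <-- Result: REJECT
2017-09-10 18:00:00 DEBUG Session ended.
"""

if __name__ == "__main__":
    # Real use: parse_sessions(open("/var/log/iredapd/iredapd.log").read().splitlines())
    for entry in bypassed_messages(parse_sessions(SAMPLE_LOG.splitlines())):
        print("never checked at RCPT:", entry)
```

Run it against the real /var/log/iredapd/iredapd.log after enabling debug mode; any message it lists as "never checked at RCPT" points at the ordering of smtpd_recipient_restrictions (or at an access map returning OK) rather than at the wblist entries themselves.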

8

Re: Per User Whitelist/Blacklist not working

Are you going to reply to this issue? I think I have delivered the debugging information you requested. If there is anything more you need from me, please let me know.

9

Re: Per User Whitelist/Blacklist not working

tom cotton wrote:

smtpd_recipient_restrictions = permit_mynetworks check_sender_access hash:/etc/postfix/access check_policy_service inet:127.0.0.1:7777 reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unlisted_recipient reject_unauth_destination permit_sasl_authenticated

Found the issue: the order of the smtpd_recipient_restrictions rules is incorrect. The correct order, used by the default iRedMail setting, is:

smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

Please fix it and restart postfix service, then try again, it should work now.

10

Re: Per User Whitelist/Blacklist not working

This setting "check_sender_access hash:/etc/postfix/access" was omitted in the list order. Is it not required?

11

Re: Per User Whitelist/Blacklist not working

It should be present in smtpd_sender_restrictions. And this is the default setting in iRedMail (Note: we don't use hash:/etc/postfix/access):

smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre
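Posts 9 and 11 both come down to one Postfix property: a restriction list is evaluated left to right and evaluation stops at the first rule that returns PERMIT or REJECT, so a check_policy_service placed after permit_mynetworks (or after an access map that can return OK) is never reached for the clients those rules match, and the per-user white/blacklist enforced by iRedAPD silently stops applying to them. The script below is an added example, not Postfix's or iRedMail's own tooling, that lints a restriction list for that ordering problem. It parses either the one-line output of postconf or the multi-line main.cf form, and as a generalisation beyond the thread also flags permit_sasl_authenticated listed after reject_unauth_destination (authenticated clients get rejected before they are permitted to relay). On the list posted in this thread it reports three findings; on the iRedMail default it reports none. The finding codes and the file name in the usage comment are my own.

```python
"""Lint the order of a Postfix smtpd_*_restrictions list.

Postfix evaluates a restriction list left to right and stops at the first
rule that returns PERMIT or REJECT. A check_policy_service placed after a
permit_* rule, or after an access map that returns OK, is never consulted for
the clients those rules match.

Added example; not Postfix's or iRedMail's own tooling.
"""
import sys
from typing import List, Tuple

# Rules whose next token is an argument (lookup table or service address).
ARG_TAKING = {
    "check_policy_service", "check_client_access", "check_helo_access",
    "check_sender_access", "check_recipient_access",
    "check_reverse_client_hostname_access", "check_ccert_access",
    "check_sasl_access", "check_sender_mx_access", "check_sender_ns_access",
    "check_recipient_mx_access", "check_recipient_ns_access",
}


def parse_restrictions(value: str) -> List[str]:
    """Split a restriction list into rules.

    Accepts one-line `postconf` output ("name = a b c") and the multi-line
    main.cf form; an argument-taking rule and its argument stay together.
    """
    if "=" in value.split("\n", 1)[0]:
        value = value.split("=", 1)[1]
    tokens = value.replace(",", " ").split()
    rules: List[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] in ARG_TAKING and i + 1 < len(tokens):
            rules.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            rules.append(tokens[i])
            i += 1
    return rules


def is_permit(rule: str) -> bool:
    return rule == "permit" or rule.startswith("permit_")


def lint(rules: List[str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings about ordering problems."""
    findings: List[Tuple[str, str]] = []
    first_permit = None                      # (position, rule) of the first permit_*
    access_maps: List[Tuple[int, str]] = []  # check_*_access rules seen so far
    seen_reject_unauth = False
    for pos, rule in enumerate(rules, start=1):
        name = rule.split()[0]
        if name == "check_policy_service":
            if first_permit is not None:
                findings.append(("policy_after_permit",
                                 f"#{pos} '{rule}' comes after #{first_permit[0]} "
                                 f"'{first_permit[1]}': clients matched by that rule "
                                 "never reach the policy service"))
            for mpos, mrule in access_maps:
                findings.append(("access_map_before_policy",
                                 f"#{mpos} '{mrule}' precedes #{pos} '{rule}': an OK "
                                 "result from that map also skips the policy service"))
        if is_permit(rule) and first_permit is None:
            first_permit = (pos, rule)
        if name.startswith("check_") and name.endswith("_access"):
            access_maps.append((pos, rule))
        if name == "reject_unauth_destination":
            seen_reject_unauth = True
        if name == "permit_sasl_authenticated" and seen_reject_unauth:
            findings.append(("sasl_after_reject_unauth_destination",
                             f"#{pos} '{rule}' is after reject_unauth_destination: "
                             "authenticated clients are rejected before they are "
                             "permitted to relay to external domains"))
    return findings


# The list posted in this thread (post 5) and the iRedMail default (post 9).
POSTED_VALUE = ("smtpd_recipient_restrictions = permit_mynetworks "
                "check_sender_access hash:/etc/postfix/access "
                "check_policy_service inet:127.0.0.1:7777 "
                "reject_unknown_recipient_domain reject_non_fqdn_recipient "
                "reject_unlisted_recipient reject_unauth_destination "
                "permit_sasl_authenticated")
DEFAULT_VALUE = """smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
"""

if __name__ == "__main__":
    # Usage: postconf smtpd_recipient_restrictions | python lint_restrictions.py
    text = sys.stdin.read() if not sys.stdin.isatty() else POSTED_VALUE
    for code, msg in lint(parse_restrictions(text)) or [("ok", "no ordering problems")]:
        print(f"{code}: {msg}")
```

The same function applies to smtpd_sender_restrictions: in the default from post 11 the check_sender_access map comes last, after the permit rules, so nothing in that list can shadow the policy service in smtpd_recipient_restrictions.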

12

Re: Per User Whitelist/Blacklist not working

Thanks, this did solve the issue I was experiencing.