1 (edited by hws 2018-04-18 17:42:39)

Topic: ALLOWED_LOGIN_MISMATCH_SENDERS broken?

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: CentOS 6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Greetings,

since our update to 0.9.8 (from 0.9.6) we have problems with users sending mail with their alias address as sender. Before (with version 0.9.6) it worked as expected.

We have "ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True" in config of iredapd (iRedAPD-2.2).

This is a line of iredapd log file with the problem:

2018-04-17 13:52:10 INFO [245.14.144.145] RCPT, user@domain.com => alias@domain.com -> receipient@anotherdomain.com, REJECT Sender is not same as SMTP authenticate username [sasl_username=user@domain.com, sender=alias@domain.com, client_name=245-14-144-145.cable.dynamic.ddwf.com, reverse_client_name=245-14-144-145.cable.dynamic.ddwf.com, helo=[192.168.0.136], encryption_protocol=TLSv1, process_time=0.0032s]

Since the alias addresses have been moved to the new table "forwardings", can this be the source of the problem?

Thanks.


2 (edited by hws 2018-04-18 18:15:49)

Re: ALLOWED_LOGIN_MISMATCH_SENDERS broken?

I checked the code and found out that all former alias addresses have been moved to the new table "forwardings" with "is_forwarding" set to "1".

iRedAPD, however, does not check "is_forwarding" to allow sending mail from the forwarding address. Only "is_alias" and "is_list" will be checked. Since "is_alias" can only be set if both addresses are in the same domain, we cannot simply set this field to "1".

Can you please add a setting to iRedAPD to also allow forwarding addresses to be used as sender addresses? Otherwise this would be an undocumented change of functionality from the 0.9.6 version.

3

Re: ALLOWED_LOGIN_MISMATCH_SENDERS broken?

*) "is_alias" is for per-user alias addresses (email sent to primary address and per-user alias address will be delivered to same mailbox)
*) "is_forwarding" is for mail forwarding address (forward emails sent to primary address to other addresses, could be external address, or other internal users).
*) "is_list" is for the mail alias account.
*) "is_maillist" is for the mlmmj mailing list account.

Could you please double check your SQL records and make sure you're using correct "is_X" column for different accounts? If you're sure they're correct, please turn on debug mode in iRedAPD, send a testing email, then extract iRedAPD log related to this testing email and paste here for troubleshooting.
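
The flag check discussed in posts 2 and 3, as an added example that is not part of the thread or of iRedAPD's code: a simplified model of the sender/login mismatch decision over a constructed "forwardings" table, plus an audit for "is_forwarding" rows that look like migrated aliases. The address/forwarding column names, the sample rows and the two allow_* parameters are assumptions.

```python
import sqlite3

# Constructed sample rows. Table name and is_* flags come from the thread;
# the address/forwarding column names are assumptions.
ROWS = [
    ("alias@domain1.com", "user@domain2.com", 0, 0, 1),  # alias migrated as forwarding
    ("nick@domain2.com", "user@domain2.com", 1, 0, 0),   # per-user alias
    ("team@domain2.com", "user@domain2.com", 0, 1, 0),   # mail alias account member
    ("user@domain2.com", "box@external.example", 0, 0, 1),  # genuine external forward
]

def build_db(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE forwardings (address TEXT, forwarding TEXT,"
               " is_alias INT, is_list INT, is_forwarding INT)")
    db.executemany("INSERT INTO forwardings VALUES (?,?,?,?,?)", rows)
    return db

def may_send_as(db, sasl_username, sender, allow_alias=True, allow_list_member=True):
    """Simplified model: only is_alias / is_list rows can authorise a mismatch.
    allow_alias and allow_list_member are hypothetical switches."""
    if sasl_username == sender:
        return True
    flags = [f for f, on in (("is_alias=1", allow_alias),
                             ("is_list=1", allow_list_member)) if on]
    if not flags:
        return False
    sql = ("SELECT 1 FROM forwardings WHERE address=? AND forwarding=? AND (%s)"
           % " OR ".join(flags))
    return db.execute(sql, (sender, sasl_username)).fetchone() is not None

def suspect_forwardings(db, local_domains):
    """is_forwarding rows with both ends on locally hosted domains: likely
    migrated aliases whose owners will be rejected when sending as the alias."""
    rows = db.execute("SELECT address, forwarding FROM forwardings"
                      " WHERE is_forwarding=1 AND address<>forwarding ORDER BY address")
    return [(a, f) for a, f in rows
            if a.rsplit("@", 1)[-1] in local_domains
            and f.rsplit("@", 1)[-1] in local_domains]

if __name__ == "__main__":
    db = build_db(ROWS)
    print(may_send_as(db, "user@domain2.com", "alias@domain1.com"))
    print(suspect_forwardings(db, {"domain1.com", "domain2.com"}))
```

Rows the audit returns are candidates for review against the intended account type, not rows to re-flag blindly; the external forward is deliberately not reported and stays rejected as a sender.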

4

Re: ALLOWED_LOGIN_MISMATCH_SENDERS broken?

Thank you for your answer. However, the problem does not seem to be a bug in the code. I checked the code and the reject_sender_login_mismatch plugin handles only "is_alias" and "is_list" as configurable to be allowed to be sent by a different sasl_username. There is no possibility to use forwarding addresses (is_forwarding) as allowed sender names. May I suggest adding that?

Our problem is as follows:

1) We set up alias addresses (with different name and domain parts, both domains hosted with our mail server) according to your former instructions with version 0.9.6 in iRedmail. Everything worked as expected, users could send mails with their alias addresses and get all mails into their only mailbox address.

2) We upgraded to 0.9.8 and changed the SQL scheme. We ran "migrate_sql_alias_table.py" to migrate our settings. All former alias addresses were imported as "is_forwarding" to the new scheme. From now on none of our users could use their alias address to send mail any more. They get the "REJECT Sender is not same as SMTP authenticate username" error. The upgrade broke that functionality.

So the question is:
How can an alias address (abc@domain1.com) be set up correctly for a mailbox (xyz@domain2.com) in iRedMail to be able to be used as a sending address?

According to your documents "is_alias" is only used for "per-user alias addresses" which have to be in the same domain, which is not applicable in our case. Also the document https://docs.iredmail.org/sql.create.mail.alias.html seems to be wrong, because it describes how to set up a mail list account only.

5

Re: ALLOWED_LOGIN_MISMATCH_SENDERS broken?

hws wrote:

There is no possibility to use forwarding addresses (is_forwarding) as allowed sender names. May I suggest adding that?

This is like spamming. It's usual that people forward email to an external address, e.g. Gmail. In your case, if your user sends out email as <someone>@gmail.com, it's like spam.

hws wrote:

2) We upgraded to 0.9.8 and changed the SQL scheme. We ran "migrate_sql_alias_table.py" to migrate our settings. All former alias addresses were imported as "is_forwarding" to the new scheme. From now on none of our users could use their alias address to send mail any more. They get the "REJECT Sender is not same as SMTP authenticate username" error. The upgrade broke that functionality.

I'd like to ask you to double check: an old mail alias account should have "is_list=1" instead of "is_forwarding=1".

hws wrote:

Also the document https://docs.iredmail.org/sql.create.mail.alias.html seems to be wrong, because it describes how to set up a mail list account only.

It should be "mail alias account", not "mailing list".
I will update this tutorial soon.

6

Re: ALLOWED_LOGIN_MISMATCH_SENDERS broken?

ZhangHuangbin wrote:

I'd like to ask you to double check: an old mail alias account should have "is_list=1" instead of "is_forwarding=1".

I double checked and all old aliases have been migrated with "is_forwarding". We have zero "is_list" entries in our forwarding table. Also the alias table is empty.

How can I correct the wrong migration? Changing the "is_forwarding" to "is_list" and adding each alias address to the alias table?

7

Re: ALLOWED_LOGIN_MISMATCH_SENDERS broken?

How did you manage old mail alias accounts? Added them manually? Show us the SQL command you used to create the mail alias account, please.

It's very POSSIBLE that your SQL commands created an incomplete mail alias account.

8

Re: ALLOWED_LOGIN_MISMATCH_SENDERS broken?

ZhangHuangbin wrote:

How did you manage old mail alias accounts? Added them manually? Show us the SQL command you used to create the mail alias account, please.

It's very POSSIBLE that your SQL commands created an incomplete mail alias account.

We used the manual SQL commands shown in your former "adding an alias" documentation. Sorry, we have no record of the exact SQL command used back then and have also deleted the old fields according to your update documentation after using the migration scripts.

And, as said, all alias addresses worked without problems in 0.9.6.

To solve the problem we now need to know how an alias address with another domain (also hosted at our server) could be set up correctly with the new database scheme, or simply whether your documentation at https://docs.iredmail.org/sql.create.mail.alias.html is correct despite explaining how to set up a mail list account.

Thank you.

9

Re: ALLOWED_LOGIN_MISMATCH_SENDERS broken?

This tutorial is correct and up to date:
https://docs.iredmail.org/sql.create.mail.alias.html