1

Topic: SMTP AUTH is required for users under this sender domain (Mailing list

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: CentOS 7.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I've read the information at https://docs.iredmail.org/errors.html#r … der-domain , but unless I'm misunderstanding something I see a third (and legitimate) reason that email could get caught by this: discussion/mailing lists. If I host domain1.COM and a user on that domain sends a message through my server to a discussion list on domain2.NET hosted elsewhere, and that list distributes it to users back on domain1.COM, the email will be bounced.

Am I right? How can I allow these emails without having to manually keep track of a whitelist in "MYNETWORKS"? One of my users wants me to whitelist 5500 IP addresses for a big European company!


2

Re: SMTP AUTH is required for users under this sender domain (Mailing list

Another legitimate situation in which emails will bounce is when a third party sends emails from an address on my domain to my users if my domain is also hosted on the same server. I have the necessary SPF record identifying their mail server as a legitimate source of email for my domain.

Is such an SPF record taken into consideration by this feature?

Is it possible for me to turn this feature off, but only for situations like these legitimate examples?

3

Re: SMTP AUTH is required for users under this sender domain (Mailing list

craig wrote:

> If I host domain1.COM and a user on that domain sends a message through my server to a discussion list on domain2.NET hosted elsewhere, and that list distributes it to users back on domain1.COM, the email will be bounced.

Do you mean the mailing list address is also "<something>@domain1.COM"? If yes, then it will be rejected because it's considered forged spam (all emails with sender address '<someone>@domain1.com' must be sent from your server).

craig wrote:

> Another legitimate situation in which emails will bounce is when a third party sends emails from an address on my domain to my users if my domain is also hosted on the same server. I have the necessary SPF record identifying their mail server as a legitimate source of email for my domain.
>
> Is such an SPF record taken into consideration by this feature?

This one is well handled by iRedAPD; email sent from servers listed in SPF will not be rejected.

4

Re: SMTP AUTH is required for users under this sender domain (Mailing list

ZhangHuangbin wrote:

> Do you mean the mailing list address is also "<something>@domain1.COM"? If yes, then it will be rejected because it's considered forged spam (all emails with sender address '<someone>@domain1.com' must be sent from your server).

No, I believe that whatever is happening, the "from" field of the sender is just being preserved. I am still waiting for this user to send me a sample of a mailing list email and tell me what MLM is being used.

ZhangHuangbin wrote:

> This one is well handled by iRedAPD; email sent from servers listed in SPF will not be rejected.

Cool, that's good news. I will test.

5

Re: SMTP AUTH is required for users under this sender domain (Mailing list

craig wrote:

> ZhangHuangbin wrote:
>
> > This one is well handled by iRedAPD; email sent from servers listed in SPF will not be rejected.
>
> Cool, that's good news. I will test.

This is *not* working.

My user's domain is example.COM, and their parent company has what I assume is an alias on their domain example.NET. They use Hornet Security, a third party, to process their email. So my user sends an email to list@example.NET, and the message is then distributed to a number of addresses on both example.COM and example.NET.

At https://www.hornetsecurity.com/en/onboa … nformation Hornet Security states, under the "Setting the SPF record" heading:

> Another DNS setting you can configure in addition to the MX record is the SPF record. This is saved as a domain TXT record and specifies which systems are allowed to send e-mail on behalf of the domain. It is analyzed in certain circumstances by external recipients, but also by the Hornetsecurity spam filter service, for purposes that include detecting fraud attempts such as spoofing. It is therefore very useful to modify or expand the TXT entry. The following setting is recommended: “v=spf1 include:antispameurope.com ~all”

So I added that to the SPF record of example.COM. This is the output of dig run on my iRedMail server:

[06:18:26 root@server log]# dig +short example.COM txt @localhost
"v=spf1 a mx include:example.NET include:antispameurope.com ~all"
[06:28:37 root@server log]#

However, messages still bounce:

Jun 14 05:35:11 server postfix/smtpd[3158]: NOQUEUE: reject: RCPT from mx-relay28-hz1.antispameurope.com[94.100.133.204]: 554 5.7.1 <user2@example.COM>: Recipient address rejected: SMTP AUTH is required for users under this sender domain; from=<user1@example.COM> to=<user2@example.COM> proto=ESMTP helo=<mx-relay28-hz1.antispameurope.com>

So is my logic broken, or is iRedAPD not taking into account the SPF record as you say it should?

6

Re: SMTP AUTH is required for users under this sender domain (Mailing list

To save some looking up, the IP address that was denied was 94.100.133.204. The antispameurope.com SPF record is as follows:

v=spf1 a mx ip4:83.246.65.0/24 ip4:185.140.204.0/22 ip4:94.100.128.0/20 ip4:81.20.94.0/24 ip4:173.45.18.0/24 ~all

Breaking that down:

81.20.94.0/24
83.246.65.0/24
94.100.128.0/20
173.45.18.0/24
185.140.204.0/22

The blocked IP address is within the 94.100.128.0/20 range, so it should have been allowed by iRedAPD, according to your earlier post.


Craig
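
The range check done by hand in the post above, as an added example that is not part of the thread and is not iRedAPD's code: it takes the client IP and sender domain from the reject line and follows the SPF `include:` terms through an offline table. The example.NET record, the function names and the table are assumptions; `a` and `mx` are skipped because they need live DNS.

```python
import ipaddress
import re

# Offline stand-in for DNS TXT lookups. example.COM and antispameurope.com are
# the records quoted in the thread; example.NET is a constructed placeholder.
TXT = {
    "example.com": "v=spf1 a mx include:example.NET include:antispameurope.com ~all",
    "example.net": "v=spf1 ~all",
    "antispameurope.com": "v=spf1 a mx ip4:83.246.65.0/24 ip4:185.140.204.0/22 "
                          "ip4:94.100.128.0/20 ip4:81.20.94.0/24 ip4:173.45.18.0/24 ~all",
}
# The reject line from the thread, shortened to the fields used here.
LOG = ("postfix/smtpd[3158]: NOQUEUE: reject: RCPT from "
       "mx-relay28-hz1.antispameurope.com[94.100.133.204]: 554 5.7.1 "
       "<user2@example.COM>: Recipient address rejected: SMTP AUTH is required "
       "for users under this sender domain; from=<user1@example.COM> "
       "to=<user2@example.COM> proto=ESMTP")
REJECT_RE = re.compile(r"reject: RCPT from \S+\[([0-9.]+)\]: 554 .*"
                       r"SMTP AUTH is required.*?from=<[^@>]*@([^>]+)>")

def parse_reject(line):
    """Return (client_ip, sender_domain) from such a reject line, or None."""
    m = REJECT_RE.search(line)
    return (m.group(1), m.group(2).lower()) if m else None

def spf_networks(domain, txt=TXT, seen=None):
    """Collect ip4 networks from a domain's SPF record, following include:.
    'a'/'mx' are skipped; terms with a qualifier other than '+' are ignored."""
    seen = set() if seen is None else seen
    domain = domain.lower()
    if domain in seen or len(seen) >= 10:  # loop guard, cap on records read
        return []
    seen.add(domain)
    nets = []
    for term in txt.get(domain, "").split()[1:]:
        name, _, value = term.lstrip("+").partition(":")
        if name == "ip4":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif name == "include":
            nets.extend(spf_networks(value, txt, seen))
    return nets

def matching_network(ip, sender_domain, txt=TXT):
    """Return the SPF network that covers ip for sender_domain, or None."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in spf_networks(sender_domain, txt) if addr in n), None)

if __name__ == "__main__":
    print(matching_network(*parse_reject(LOG)))
```

Run against the thread's log line, this reports the 94.100.128.0/20 range reached through `include:antispameurope.com`, which is the match the post works out manually.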

7

Re: SMTP AUTH is required for users under this sender domain (Mailing list

Aha, my mistake, I forgot to mention that you need to add a setting in /opt/iredapd/settings.py and restart the iredapd service:

CHECK_SPF_IF_LOGIN_MISMATCH = True

If it still doesn't work, please turn on debug mode in iRedAPD and trigger this issue again. I need a detailed debug log for troubleshooting.

I will enable this option by default in the next release.

8

Re: SMTP AUTH is required for users under this sender domain (Mailing list

Thanks. I've made the change and will wait for the user to advise whether or not it's working. If it's not working, I'll be back. :)

9

Re: SMTP AUTH is required for users under this sender domain (Mailing list

This *did* work. Thanks.