1

Topic: Allowed FROM address with a different logged in user

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (0.9.4):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (MySQL):
- Web server (Apache):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello Guys,

A couple of days ago i had some problems that email users where able to send from random@nonexistingdomain.abc to anyone.

ZhangHuangbin adviced to enable the plugin "reject_sender_login_mismatch", which helped to prevent that users can send email with non existing FROM users. The only problem now is that a authenticated user "example: validmail@validdomain.com" in SSMTP (small program_ cannot send with a different FROM email like "secondexistingemail@secondexistingdomain.com", which is also existing in de alias list. In this case i am getting the message: "REJECT Sender login mismatch"

Question: Is it possible to login with a an existing alias email and send with different FROM domain which exist in the alias list.

My current configuration is:


Main.cf
# HELO restriction
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    check_helo_access pcre:/etc/postfix/helo_access.pcre

# Sender restrictions
smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_sasl_authenticated
    permit_mynetworks
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
    reject_rbl_client b.barracudacentral.org=127.0.0.2
    check_sender_access pcre:/etc/postfix/reject_domains

# Recipient restrictions
smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_unlisted_sender
    reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]
    reject_rbl_client b.barracudacentral.org=127.0.0.2
    check_sender_access pcre:/etc/postfix/reject_domains


Enabled Iredapd plugins:
plugins = ["reject_null_sender", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy"]

Hopefully someone can help me out.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: Allowed FROM address with a different logged in user

Ooh yeah,

i forgot to mention. That i comment out the iredapd plugin "reject_sender_login_mismatch" to prevent that mails getting rejected with the error: "REJECT Sender login mismatch"

3 (edited by tedsje 2018-12-27 20:13:35)

Re: Allowed FROM address with a different logged in user

Well i did some tests. In al the examples a valid  user is logged in on SSMTP program.


Example: 1
COMMAND: ssmtp info@validdomain.nl
To: info@validdomain.nl
From: sklfdjsldkf@sdfkjsfl.nl

Sssmtp: RCPT TO:<info@validdomain.nl> (450 4.1.8 <sklfdjsldkf@sdfkjsfl.nl>: Sender address rejected: Domain not found)

Which is good. = "sdfkjsfl.nl" is not an domain.



Example: 2
COMMAND: ssmtp info@validdomain.nl
To: info@validdomain.nl
From: sdsfd@validdomain.nl
Subject: test

ssmtp: RCPT TO:<info@validdomain.nl> (550 5.1.0 <sdsfd@validdomain.nl>: Sender address rejected: User unknown in virtual mailbox table)

Which is good = "sdsfd@validdomain.nl" does not exists in the alias list.



Example 3
COMMAND: ssmtp info@validdomain.nl
To: info@validdomain.nl
From: info@validdomain2.net (an second iredmail server)
Subject: test

Hello world
^C

Result: Message is send to info@validdomain.nl.

I am not quit sure if this is good. i mean the TO: info@validdomain.nl is an internal email address. In this case you should say: If the TO is an internal emailadres the FROM address should always be a valid alias emailaddress.




Example 4
COMMAND: ssmtp info@validdomain.nl
To: info@validdomain.nl
From: invalidemail@validdomain2.net (an second iredmail server)
Subject: test

Hello world^C

Result: Message is send to info@validdomain.nl.

Also this is an internal email where the FROM is from a different mailserver also the FROM email is invalid @ the other mailserver.

The last two examples chould me tricky.

4

Re: Allowed FROM address with a different logged in user

1: better always force smtp auth to send email.
2: if you want to allow some authenticated user to send as different From: address, list this user in /opt/iredapd/settings.py like below:

ALLOWED_LOGIN_MISMATCH_SENDERS = ['user@mydomain1.com', 'mydomain2.com']

FYI: https://bitbucket.org/zhb/iredapd/src/5 … #lines-131

5

Re: Allowed FROM address with a different logged in user

Thanks Zhang for the information.

1. E-mail using SMTP they need to login but not for Relay (example 3 and 4) in some kind of way. To i mis something?

2. Yeah this is manual work using SSH. Would be nice that there is some kind of list in a DB where people can add e-mailaddresses that may use different FROM addresses (via iredadmin). When more people using your mailserver it is not handy to manual add from addresses to ALLOWED_LOGIN_MISMATCH_SENDERS. Feature?

6

Re: Allowed FROM address with a different logged in user

tedsje wrote:

1. E-mail using SMTP they need to login but not for Relay (example 3 and 4) in some kind of way. To i mis something?

You can use a normal user's email+password as relay account.

tedsje wrote:

2. Yeah this is manual work using SSH. Would be nice that there is some kind of list in a DB where people can add e-mailaddresses that may use different FROM addresses (via iredadmin). When more people using your mailserver it is not handy to manual add from addresses to ALLOWED_LOGIN_MISMATCH_SENDERS. Feature?

Noted. i will see how we can improve it. thanks for the suggestion.