1

Topic: How to Change smtpd_sender_restrictions to work with multiple domains

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? Yes
- Linux/BSD distribution name and version: Ubuntu 18.0.4
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes 3.9 (MySQL)
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

We are mostly Mac and iOS users, and it has been getting much more difficult to operate multiple domains because the certificate only relates to the main domain, so we keep having to delete the mail account and add it again because of certificate issues. We therefore want to use the main domain name for users of other domains as well.

So we wish to use the main domain as the incoming and outgoing server address for all accounts rather than the domain that the email address uses.  Example: name@domain2.com will use an outgoing server address of mail.maindomain.com. The problem with this setup is that the smtpd_sender_restrictions prevent emails from sending.  Incoming is OK.

How do we change the smtpd_sender_restrictions to allow mail to be sent from user name@domain2.com when the server address is mail.maindomain.com?

Currently we have the default installation which is:
smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre

All users are authenticating when connecting, so I would have thought that the permit_sasl_authenticated would override the reject_unlisted_sender but it does not seem to.

Can I add the following into the above list and does the order matter?
reject_unauthenticated_sender_login_mismatch
Enforces the reject_sender_login_mismatch restriction for unauthenticated clients only. This feature is available in Postfix version 2.1 and later.

By adding the above line, should I take out the reject_unlisted_sender?

Would appreciate advice as to what is the correct way to do this properly.

Thanks


2

Re: How to Change smtpd_sender_restrictions to work with multiple domains

Stephen77 wrote:

the certificate only relates to the main domain and so keep having to delete the mail account and add it again because of certificate issues

I don't understand what the issue is.

Default iRedMail settings work fine with multiple mail domains; I believe you're working in the wrong direction.

3

Re: How to Change smtpd_sender_restrictions to work with multiple domains

OK, let me explain in more detail.  Let's assume just two domains being hosted on an iRedMail server, domain1.com and domain2.com.  The first, domain1.com, is the name of the server and the certificate is on domain1.com, and then I set up an email on the MacOS Catalina Mail client that is name@domain2.com with the following settings:
Incoming : mail.domain1.com Port 993 Use TLS/SSL selected, Authentication Password selected
Username : name@domain2.com
Outgoing : mail.domain1.com Port 587 Use TLS/SSL selected Authentication Password selected

So when you try and send an email you get a message that says:
The server response was: <recipient email addr>: Recipient address rejected: Sender is not same as SMTP authenticate username

This is what I am wanting to stop happening, and I don't want to stop it by changing the Outgoing server name to mail.domain2.com because when you do that there are all kinds of certificate issues with Mac OS and iOS which are:
1. Mail program can sit for up to a minute trying to send the email and finally gives a message The certificate is not valid for this site - do you want to Continue.
2. iOS will pop up a dialog that the certificate is wrong where the only options are Details or Cancel.  At this stage you have to cancel and then delete the whole email account and then set it up again, which depending on how many emails in the account can take half an hour.
All these things waste a huge amount of time and it seems like you can only hope that if you hold your mouth right it might work.  This is too complicated in the latest versions of Mac OS and iOS and I want something that works reliably, which is to use mail.domain1.com as the outgoing server.

4

Re: How to Change smtpd_sender_restrictions to work with multiple domains

Stephen77 wrote:

The server response was: <recipient email addr>: Recipient address rejected: Sender is not same as SMTP authenticate username

This means you're using email address X for smtp authentication, but use address Y as sender address. It's not about multiple domain support or smtpd_sender_restrictions.

FYI: https://docs.iredmail.org/errors.html#r … e-username
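
Added example (not part of the thread and not iRedMail's own code): a sketch of the kind of check behind the rejection quoted above, assuming it is made by a policy service that speaks Postfix's policy delegation protocol. The `sender` and `sasl_username` attributes and the `action=` reply are part of that protocol; the function names, the case-insensitive comparison and the sample requests are constructed for illustration.

```python
# Illustration only: models a sender/login match check over a
# Postfix policy delegation request (name=value lines, blank line ends it).

REJECT_TEXT = "Sender is not same as SMTP authenticate username"


def parse_request(raw: str) -> dict:
    """Parse one policy request into a dict of attributes."""
    attrs = {}
    for line in raw.splitlines():
        if not line:          # empty line terminates the request
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def check_sender_login(attrs: dict) -> str:
    """Return the policy action for the envelope sender vs. SASL login."""
    sender = attrs.get("sender", "").strip().lower()
    login = attrs.get("sasl_username", "").strip().lower()
    # Unauthenticated client or null sender: no opinion here, so the
    # remaining Postfix restrictions decide (assumption of this sketch).
    if not login or not sender:
        return "DUNNO"
    # Authenticated as X and sending as X: allowed, whatever host name
    # the client used to reach the server (it is not part of the request).
    if sender == login:
        return "DUNNO"
    # Authenticated as X but sending as Y: refuse, so one account
    # cannot send mail under another account's address.
    return "REJECT " + REJECT_TEXT


def policy_reply(raw: str) -> str:
    """Full wire reply: action line followed by an empty line."""
    return "action=" + check_sender_login(parse_request(raw)) + "\n\n"


def make_request(sender: str, sasl_username: str) -> str:
    """Constructed sample request, as sent at the RCPT stage."""
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"sender={sender}\nrecipient=someone@example.net\n"
            f"sasl_username={sasl_username}\n\n")


if __name__ == "__main__":
    print(policy_reply(make_request("other@domain1.com", "name@domain2.com")))
    print(policy_reply(make_request("name@domain2.com", "name@domain2.com")))
```

The check compares only the authenticated login with the envelope sender, so the account's Username and its From address have to be the same address for the message to pass.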