1 (edited by ronaldst 2019-11-18 21:20:12)

Topic: Send system e-mail as non existing user

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer
- Linux/BSD distribution name and version: CentOS 7.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL/MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I am trying to get a server to send system emails (cron, logwatch etc.) and e-mails from various web applications (WordPress etc.) through to my iRedMail server.

Some of these emails appear to come from e-mails like user1@mydomain.com, user2@mydomain.com, root@mydomain.com, logwatch@mydomain.com. These are accounts that do not exist on the iRedMail server.

All of these e-mails are being rejected by iRedMail.

Nov 17 14:33:46 mx postfix/smtpd[14979]: NOQUEUE: reject: RCPT from mydomain.com[IP]: 550 5.1.0 <user1@mydomain.com>: Sender address rejected: User unknown in virtual mailbox table; from=<user1@mydomain.com> to=<webmaster@mydomain.com> proto=ESMTP helo=<mydomain.com>

If I change the from address to a real email address (on the iRedMail server), let's say webmaster@mydomain.com, everything works ok.

How can I allow iRedMail to accept certain accounts to send emails from an address that does not exist? I really don't want to create accounts for root@ user1@ no-reply@ etc., it makes no sense to do so.

What I would like to allow is for a few users to be able to send e-mail as a non-existing user:
postmaster@mydomain.com > Allowed to send emails as any@mydomain.com
postmaster@anotherdomain.com > Allowed to send emails as any@anotherdomain.com

After reading all I could find on these forums from others having similar challenges, I've tried to experiment with the plugin "reject_null_sender" and "reject_sender_login_mismatch" - but without any success. I'm way over my head here and have reset all back to default configuration.

Thank you.


2

Re: Send system e-mail as non existing user

Recommended solution:

1: Create a mail account used to send such notification emails. For example, notify@domain.com
2: Set up server-wide relay in Postfix running on non-iRedMail server, use "notify@" as SMTP sasl auth account for the relay.
   FYI: https://docs.iredmail.org/relayhost.html
3: In web applications, enable smtp auth to send email. No exception.

Why is it recommended? Standard SMTP auth, no server-side modification (on iRedMail server).

3 (edited by ronaldst 2019-11-18 21:39:15)

Re: Send system e-mail as non existing user

Thank you @ZhangHuangbin.

I have already set up a mail relay with Postfix on mydomain.com.
All mail sent from this server connects (SMTP) to my iRedMail-server to send out e-mails.
The relay is configured to connect/auth to mx.mailserver.com (iRedMail) with email user postmaster@mydomain.com.

However, mydomain.com has multiple system user accounts (each hosting various applications), e-mail is sent from mydomain.com with user1@mydomain.com, user2@mydomain.com, root@mydomain.com etc. as their FROM: address.

The web applications where SMTP is possible, like WordPress, are not a problem. However, all e-mails that WordPress sends out need to be FROM: a valid user on mx.mailserver.com or they will be rejected as well. This stops me from using FROM: no-reply@mydomain.com on certain e-mails.

The immediate solution I can see is to allow postmaster@mydomain.com to send e-mails as any@mydomain.com. Please correct me if there is a better way.

Thank you.

4

Re: Send system e-mail as non existing user

Add one setting in /opt/iredapd/settings.py to allow sending as different users:

ALLOWED_LOGIN_MISMATCH_SENDERS = ["postmaster@mydomain.com"]

Then restart "iredapd" service.

FYI: https://docs.iredmail.org/errors.html#r … e-username

5 (edited by ronaldst 2019-11-19 18:30:05)

Re: Send system e-mail as non existing user

I've edited /opt/iredapd/settings.py according to your guidance, and restarted iredapd.

When testing if this works as intended, I'm getting "Recipient address rejected" on mx.mailserver.com (iRedMail).

/var/log/maillog (iredmail server)
Nov 19 10:18:27 mx postfix/smtpd[1115]: connect from mydomain.com[IP]
Nov 19 10:18:27 mx postfix/smtpd[1115]: NOQUEUE: reject: RCPT from mydomain.com[IP]: 550 5.1.0 <root@mydomain.com>: Sender address rejected: User unknown in virtual mailbox table; from=<root@mydomain.com> to=<webmaster@anotherdomain.com> proto=ESMTP helo=<mydomain.com>
Nov 19 10:18:27 mx postfix/smtpd[1115]: disconnect from mydomain.com[IP]

The recipient webmaster@anotherdomain.com is a valid email account/user on mx.mailserver.com (iRedMail).


Thank you.

6

Re: Send system e-mail as non existing user

ronaldst wrote:

The recipient webmaster@anotherdomain.com is a valid email account/user on mx.mailserver.com (iRedMail).

I suppose you use "postmaster@mydomain.com" as the smtp authentication user while relaying, don't you? Why does it show "root@mydomain.com"? If the 3 log lines are not the FULL log related to this mail session, please paste the full log for troubleshooting.

7 (edited by ronaldst 2019-11-20 00:24:08)

Re: Send system e-mail as non existing user

That is correct, I'm using postmaster@mydomain.com for the Postfix relay, hosted on mx.mailserver.com (iRedMail).

It shows root@mydomain.com because I tried to send a test e-mail (from SSH) while being logged in as root on mydomain.com.


Here's another test I did while being logged in as user1@mydomain.com (SSH). It results in the same error as before.

/var/log/maillog (iredmail server)
Nov 19 15:46:02 mx postfix/smtpd[6761]: connect from mydomain.com[IP]
Nov 19 15:46:02 mx postfix/smtpd[6761]: NOQUEUE: reject: RCPT from mydomain.com[IP]: 550 5.1.0 <user1@mydomain.com>: Sender address rejected: User unknown in virtual mailbox table; from=<user1@mydomain.com> to=<webmaster@anotherdomain.com> proto=ESMTP helo=<mydomain.com>
Nov 19 15:46:02 mx postfix/smtpd[6761]: disconnect from mydomain.com[IP]

My conclusion is that iRedMail still does not accept postmaster@mydomain.com to send e-mail where the FROM recipient does not match a user that exists on mx.mailserver.com. To test this theory further, I've added a generic SMTP map for the relay at mydomain.com to force FROM: to be postmaster@mydomain.com.

What I did was the following:

/etc/postfix/main.cf:
    smtp_generic_maps = hash:/etc/postfix/generic

/etc/postfix/generic:
    root@mydomain.com   postmaster@mydomain.com
    user1@mydomain.com postmaster@mydomain.com

sudo postmap /etc/postfix/generic
sudo /etc/init.d/postfix reload

When I now try to send an e-mail while logged in as root@mydomain.com (SSH) to webmaster@anotherdomain.com it is accepted on mx.mailserver.com (iRedMail).

/var/log/maillog (iRedMail)
Nov 19 16:03:03 mx postfix/postscreen[7099]: CONNECT from [IP]:45460 to [IP.100]:25
Nov 19 16:03:03 mx postfix/postscreen[7099]: PASS OLD [IP]:45460
Nov 19 16:03:03 mx postfix/smtpd[7100]: connect from mydomain.com[IP]
Nov 19 16:03:03 mx postfix/smtpd[7100]: 47HVwR6436z3wk3: client=mydomain.com[IP]
Nov 19 16:03:03 mx postfix/cleanup[7105]: 47HVwR6436z3wk3: message-id=<20191119160303.AF364221D2@mydomain.com>
Nov 19 16:03:03 mx postfix/qmgr[722]: 47HVwR6436z3wk3: from=<postmaster@mydomain.com>, size=613, nrcpt=1 (queue active)
Nov 19 16:03:03 mx postfix/smtpd[7100]: disconnect from mydomain.com[IP]
Nov 19 16:03:05 mx postfix/10025/smtpd[7111]: connect from localhost[127.0.0.1]
Nov 19 16:03:05 mx postfix/10025/smtpd[7111]: 47HVwT0WqJz3wkw: client=localhost[127.0.0.1]
Nov 19 16:03:05 mx postfix/cleanup[7105]: 47HVwT0WqJz3wkw: message-id=<20191119160303.AF364221D2@mydomain.com>
Nov 19 16:03:05 mx postfix/qmgr[722]: 47HVwT0WqJz3wkw: from=<postmaster@mydomain.com>, size=1063, nrcpt=1 (queue active)
Nov 19 16:03:05 mx amavis[27013]: (27013-02) Passed CLEAN {RelayedInbound}, [IP]:45460 [IP] <postmaster@mydomain.com> -> <webmaster@anotherdomain.com>, Queue-ID: 47HVwR6436z3wk3, Message-ID: <20191119160303.AF364221D2@mydomain.com>, mail_id: 1NhW9fbEmwef, Hits: 1.205, size: 613, queued_as: 47HVwT0WqJz3wkw, 1256 ms, Tests: [MISSING_HEADERS=1.207,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001]
Nov 19 16:03:05 mx amavis[27013]: (27013-02) Passed CLEAN, <postmaster@mydomain.com> -> <webmaster@anotherdomain.com>, Hits: 1.205, tag=2, tag2=6.2, kill=6.9, queued_as: 47HVwT0WqJz3wkw, L/0/0/0
Nov 19 16:03:05 mx postfix/10025/smtpd[7111]: disconnect from localhost[127.0.0.1]
Nov 19 16:03:05 mx postfix/amavis/smtp[7108]: 47HVwR6436z3wk3: to=<webmaster@anotherdomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.4, delays=0.1/0.01/0/1.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 47HVwT0WqJz3wkw)
Nov 19 16:03:05 mx postfix/qmgr[722]: 47HVwR6436z3wk3: removed
Nov 19 16:03:05 mx postfix/pipe[7112]: 47HVwT0WqJz3wkw: to=<webmaster@anotherdomain.com>, relay=dovecot, delay=0.13, delays=0.05/0.01/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 19 16:03:05 mx postfix/qmgr[722]: 47HVwT0WqJz3wkw: removed

Just to make sure everything is dandy in /opt/iredmail/settings.py, here is a copy of the config (I've taken out the LDAP-part in the end as it is irrelevant).

############################################################
# DO NOT MODIFY THIS LINE, IT'S USED TO IMPORT DEFAULT SETTINGS.
from libs.default_settings import *
############################################################

# Listen address and port.
listen_address = "127.0.0.1"
# Port for normal Postfix policy requests.
listen_port = "7777"
# Ports for SRS (Sender Rewriting Scheme).
# - `srs_forward_port` is used in Postfix parameter `sender_canonical_maps`.
# - `srs_reverse_port` is used in Postfix parameter `recipient_canonical_maps`.
srs_forward_port = "7778"
srs_reverse_port = "7779"

# Run as a low privileged user.
run_as_user = "iredapd"

# Path to pid file.
pid_file = '/var/run/iredapd.pid'

# Log level: info, debug.
log_level = "info"

# Backend: ldap, mysql, pgsql.
backend = "mysql"

# Enabled plugins.
plugins = ["reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy"]

# SRS (Sender Rewriting Scheme)
#
# The secret key(s) used to generate cryptographic hash.
# The first secret key is used for generating AND verifying hash in SRS
# address. If you have old keys, you can append them also for verification only.
srs_secrets = ["XXX"]

# Rewrite address will be 'xxx@<srs_domain>', so please make sure `srs_domain`
# is a resolvable mail domain name and pointed to your server.
srs_domain = "mx.mailserver.com"

# Allow certain users to send e-mail as non-existing user
ALLOWED_LOGIN_MISMATCH_SENDERS = ["postmaster@mydomain.com"]

# For LDAP backend.

EDITED.

I am none the wiser and even though I've managed to send e-mails successfully using generic mapping - it's not an optimal solution to the problem.

8

Re: Send system e-mail as non existing user

By the way, I didn't see any smtp authentication related log in the pasted log lines.
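
Added example (not part of the original thread and not iRedMail or iRedAPD code): a small maillog check for the point raised in the last reply, namely whether an smtpd session ever logged SMTP authentication before a sender was rejected. It assumes standard Postfix logging, where an authenticated session carries `sasl_username=` on its `client=` line; the second sample session, its queue ID and the `submission` service name are constructed for contrast.

```python
import re

# Constructed sample: the rejected session from this thread plus a hypothetical
# authenticated submission session (queue ID and service name are made up).
SAMPLE_LOG = """\
Nov 19 15:46:02 mx postfix/smtpd[6761]: connect from mydomain.com[IP]
Nov 19 15:46:02 mx postfix/smtpd[6761]: NOQUEUE: reject: RCPT from mydomain.com[IP]: 550 5.1.0 <user1@mydomain.com>: Sender address rejected: User unknown in virtual mailbox table; from=<user1@mydomain.com> to=<webmaster@anotherdomain.com> proto=ESMTP helo=<mydomain.com>
Nov 19 15:46:02 mx postfix/smtpd[6761]: disconnect from mydomain.com[IP]
Nov 19 16:10:00 mx postfix/submission/smtpd[7200]: connect from mydomain.com[IP]
Nov 19 16:10:00 mx postfix/submission/smtpd[7200]: EXAMPLEQID1: client=mydomain.com[IP], sasl_method=PLAIN, sasl_username=postmaster@mydomain.com
Nov 19 16:10:01 mx postfix/submission/smtpd[7200]: disconnect from mydomain.com[IP]
"""

LINE_RE = re.compile(r"postfix/(?P<svc>[\w/]*smtpd)\[(?P<pid>\d+)\]: (?P<msg>.*)")
SASL_RE = re.compile(r"sasl_username=(\S+)")
REJECT_RE = re.compile(r"reject: \w+ from \S+: \d{3} \S+ <(?P<addr>[^>]*)>: (?P<why>[^;]+);")

def summarize_sessions(log_text):
    """Split smtpd lines into connect..disconnect sessions per PID (PIDs get reused)."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # postscreen, qmgr, amavis etc. are not smtpd session lines
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from"):
            open_sessions[pid] = {"service": m["svc"], "sasl_user": None, "rejects": []}
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # session started before the excerpt begins
        sasl = SASL_RE.search(msg)
        if sasl:
            sess["sasl_user"] = sasl.group(1).rstrip(",")
        rej = REJECT_RE.search(msg)
        if rej:
            sess["rejects"].append((rej["addr"], rej["why"].strip()))
        if msg.startswith("disconnect from"):
            finished.append(open_sessions.pop(pid))
    return finished + list(open_sessions.values())

def unauthenticated_rejects(sessions):
    """Rejected addresses from sessions that never logged a sasl_username."""
    return [addr for s in sessions if s["sasl_user"] is None for addr, _ in s["rejects"]]

if __name__ == "__main__":
    for s in summarize_sessions(SAMPLE_LOG):
        auth = s["sasl_user"] or "NONE (no SMTP AUTH in this session)"
        print(f"{s['service']}: auth={auth} rejects={s['rejects']}")
```

A reject that shows up under `unauthenticated_rejects` was decided for a session with no logged SMTP login, so a per-login setting such as `ALLOWED_LOGIN_MISMATCH_SENDERS` has no authenticated user to match against.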