1 (edited by Chameleon 2020-04-14 16:02:54)

Topic: Sending mail via internal postfix

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.1 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? No
- Linux/BSD distribution name and version:  Ubuntu 18.04.4 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MARIADB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
I have an iRedMail installation running in a cloud VM with a public IP address for the domain test123.net.
I have a network using 172.16.24.0/24 where my internal services/servers are.
I have an internal postfix server, which is allowed on the company firewall to relay emails (sent from internal systems) to the external iRedMail. Internal systems/services cannot send email directly to iRedMail for various reasons, including but not limited to configuration limitations. I have configured separate email accounts for each system, just in case, and I have configured port 2525 based on this how-to: https://docs.iredmail.org/additional.smtp.port.html. Still, when I try to send email from an internal system via the internal mail relay to the iRedMail server with different recipients (user@test123.net, user@example.com), I get this on the iRedMail server:

RCPT from unknown[IP address of the firewall NAT IP]: 554 5.7.1 <scan@test123.net>: Sender address rejected: Access denied; from=<scan@test123.net> to=<user@example.com> proto=ESMTP helo=<printer1.local>
printer1.local is one of the printers which we have and which tries to send a scanned document to an external user.



Can you please advise how to solve this and allow mails coming from that internal mail server (no matter the sender, as we have many services/servers) to be accepted by the iRedMail server and delivered based on their destination?

BR,
Stan


2

Re: Sending mail via internal postfix

If your firewall has a static public IP address, based on the tutorial you followed (https://docs.iredmail.org/additional.smtp.port.html), you can do some small tweaks to get it to work:

2525      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=may
  -o mynetworks=127.0.0.1,<ip-of-your-firewall>
  -o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

Let me know how it works for you.
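Because `permit_mynetworks` comes first in `smtpd_sender_restrictions`, every address listed in the `mynetworks` override for this port skips the sender check. The following added example (not from the thread or from iRedMail) parses a master.cf service entry and flags trusted ranges wider than a single host. The function names and the sample address 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample mirroring the entry above; 203.0.113.10 is a
# documentation address standing in for <ip-of-your-firewall>.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
2525      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=may
  -o mynetworks=127.0.0.1,203.0.113.10
  -o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""


def service_overrides(master_cf, service):
    """Return the '-o name=value' overrides of one master.cf service."""
    entries = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace() and entries:
            entries[-1] += raw.split()    # continuation of previous entry
        else:
            entries.append(raw.split())   # new service entry
    for tokens in entries:
        if tokens[0] == service:
            # Only the "-o name=value" form (no spaces) is handled here.
            return dict(arg.split("=", 1)
                        for flag, arg in zip(tokens, tokens[1:])
                        if flag == "-o" and "=" in arg)
    return {}


def broad_trusted_networks(overrides, max_hosts=1):
    """List mynetworks items that cover more than max_hosts addresses."""
    flagged = []
    for item in overrides.get("mynetworks", "").replace(",", " ").split():
        try:
            net = ipaddress.ip_network(
                item.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            flagged.append(item)          # lookup table etc.: review by hand
            continue
        if not net.is_loopback and net.num_addresses > max_hosts:
            flagged.append(item)
    return flagged
```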

3

Re: Sending mail via internal postfix

ZhangHuangbin wrote:

If your firewall has a static public IP address, based on the tutorial you followed (https://docs.iredmail.org/additional.smtp.port.html), you can do some small tweaks to get it to work:

2525      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_tls_security_level=may
  -o mynetworks=127.0.0.1,<ip-of-your-firewall>
  -o smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

Let me know how it works for you.

I have added what you advised and now I can see that I may pass through. I will wait for the greylisting to expire and will see if the recipient will receive it.

I have noticed that once I did what you advised and restarted postfix in the logs I get this:

Apr 14 14:07:11 mail postfix/postfix-script[20961]: warning: group or other writable: /etc/postfix/./.#main.cf

Also, I had to disable fail2ban, as when it is active, connections to port 2525 are not accepted. What and where should I add to allow port 2525 in the default iRedMail fail2ban?

Thanks in advance.

BR,
Stan

4

Re: Sending mail via internal postfix

Chameleon wrote:

I will wait for the greylisting to expire and will see if the recipient will receive it.

You can disable greylisting from your firewall IP with /opt/iredapd/tools/greylisting_admin.py.
If you have iRedAdmin-Pro, whitelist it globally in web UI.

Chameleon wrote:

Apr 14 14:07:11 mail postfix/postfix-script[20961]: warning: group or other writable: /etc/postfix/./.#main.cf

What's "/etc/postfix/#main.cf" file?

Chameleon wrote:

Also, I had to disable fail2ban, as when it is active, connections to port 2525 are not accepted. What and where should I add to allow port 2525 in the default iRedMail fail2ban?

If you want to block 2525, please add this port number in fail2ban jail config files under /etc/fail2ban/jail.d/

5

Re: Sending mail via internal postfix

ZhangHuangbin wrote:
Chameleon wrote:

I will wait for the greylisting to expire and will see if the recipient will receive it.

You can disable greylisting from your firewall IP with /opt/iredapd/tools/greylisting_admin.py.
If you have iRedAdmin-Pro, whitelist it globally in web UI.

Chameleon wrote:

Apr 14 14:07:11 mail postfix/postfix-script[20961]: warning: group or other writable: /etc/postfix/./.#main.cf

What's "/etc/postfix/#main.cf" file?

Chameleon wrote:

Also, I had to disable fail2ban, as when it is active, connections to port 2525 are not accepted. What and where should I add to allow port 2525 in the default iRedMail fail2ban?

If you want to block 2525, please add this port number in fail2ban jail config files under /etc/fail2ban/jail.d/

I can confirm that the tweak worked.

The error which I posted, "/etc/postfix/./.#main.cf", is inside the Linux box logs. I found the issue and removed it.

I want to allow this port 2525, which I have created, permanently, so that I don't have to stop fail2ban. I have added it into the postfix rule located in /etc/fail2ban/jail.d/, but after restarting fail2ban port 2525 looks blocked.

Thanks in advance.

6

Re: Sending mail via internal postfix

Chameleon wrote:
ZhangHuangbin wrote:
Chameleon wrote:

I will wait for the greylisting to expire and will see if the recipient will receive it.

You can disable greylisting from your firewall IP with /opt/iredapd/tools/greylisting_admin.py.
If you have iRedAdmin-Pro, whitelist it globally in web UI.

Chameleon wrote:

Apr 14 14:07:11 mail postfix/postfix-script[20961]: warning: group or other writable: /etc/postfix/./.#main.cf

What's "/etc/postfix/#main.cf" file?

Chameleon wrote:

Also, I had to disable fail2ban, as when it is active, connections to port 2525 are not accepted. What and where should I add to allow port 2525 in the default iRedMail fail2ban?

If you want to block 2525, please add this port number in fail2ban jail config files under /etc/fail2ban/jail.d/

I can confirm that the tweak worked.

The error which I posted, "/etc/postfix/./.#main.cf", is inside the Linux box logs. I found the issue and removed it.

I want to allow this port 2525, which I have created, permanently, so that I don't have to stop fail2ban. I have added it into the postfix rule located in /etc/fail2ban/jail.d/, but after restarting fail2ban port 2525 looks blocked.

Thanks in advance.


A weird thing happened when we did a test from another system, which relayed email from the internal mail relay towards iRedMail. Inside iRedMail we have this error:

Apr 15 14:46:26 mail postfix/smtpd[17650]: NOQUEUE: reject: RCPT from unknown[X.X.X.X - public NATed IP of the internal relay server]: 554 5.7.1 <user@example.com>: Recipient address rejected: SMTP AUTH is required for users under this sender domain; from=<scan@test123.net> to=<user@example.com> proto=ESMTP helo=<monitoring.local>

Any idea?

7

Re: Sending mail via internal postfix

Chameleon wrote:
Chameleon wrote:
ZhangHuangbin wrote:

You can disable greylisting from your firewall IP with /opt/iredapd/tools/greylisting_admin.py.
If you have iRedAdmin-Pro, whitelist it globally in web UI.
What's "/etc/postfix/#main.cf" file?
If you want to block 2525, please add this port number in fail2ban jail config files under /etc/fail2ban/jail.d/

I can confirm that the tweak worked.

The error which I posted, "/etc/postfix/./.#main.cf", is inside the Linux box logs. I found the issue and removed it.

I want to allow this port 2525, which I have created, permanently, so that I don't have to stop fail2ban. I have added it into the postfix rule located in /etc/fail2ban/jail.d/, but after restarting fail2ban port 2525 looks blocked.

Thanks in advance.


A weird thing happened when we did a test from another system, which relayed email from the internal mail relay towards iRedMail. Inside iRedMail we have this error:

Apr 15 14:46:26 mail postfix/smtpd[17650]: NOQUEUE: reject: RCPT from unknown[X.X.X.X - public NATed IP of the internal relay server]: 554 5.7.1 <user@example.com>: Recipient address rejected: SMTP AUTH is required for users under this sender domain; from=<scan@test123.net> to=<user@example.com> proto=ESMTP helo=<monitoring.local>

Any idea?

I have managed to fix that error.

Could you please tell me how and where to add port 2525 in fail2ban, so that after restart it will work like the rest of the ports and be listed here:
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993

8

Re: Sending mail via internal postfix

In files /etc/fail2ban/jail.d/*.local.

9

Re: Sending mail via internal postfix

ZhangHuangbin wrote:

In files /etc/fail2ban/jail.d/*.local.

I have added port 2525 into all *.local files and restarted fail2ban, but the port is still blocked and is not listed here:
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993

I have to manually add it, in order to appear there:
iptables -A INPUT -p tcp -m tcp --dport 2525 -j ACCEPT

10

Re: Sending mail via internal postfix

My mistake, I thought you wanted to block it in fail2ban. :(
On Ubuntu 18.04, iRedMail adds the iptables rule file /etc/default/iptables; you can add your rule there.
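The manual rule earlier in the thread accepts port 2525 from any source, while the master.cf entry only trusts the firewall's IP. The following added example (not from the thread or from iRedMail) inserts a source-restricted ACCEPT rule into rules text, idempotently and ahead of any catch-all DROP/REJECT. It assumes that /etc/default/iptables uses iptables-restore format and that only the internal relay connects to this port; the function name and the address 203.0.113.10 are illustrative.

```python
import ipaddress

# Constructed sample in iptables-restore format (assumed file layout);
# 203.0.113.10 stands in for the firewall's public NAT IP.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
COMMIT
"""


def allow_port_from(rules_text, port, source_ip):
    """Return rules_text with an ACCEPT for tcp/port limited to source_ip."""
    ipaddress.IPv4Address(source_ip)       # raises ValueError on bad input
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range")
    rule = (f"-A INPUT -s {source_ip}/32 -p tcp -m tcp "
            f"--dport {int(port)} -j ACCEPT")
    lines = rules_text.splitlines()
    if rule in lines:
        return rules_text                  # already present, nothing to do
    in_filter = False
    for i, line in enumerate(lines):
        words = line.split()
        if line.startswith("*"):
            in_filter = words[0] == "*filter"
            continue
        if not in_filter:
            continue
        catch_all = (words[:2] == ["-A", "INPUT"]
                     and ("-j DROP" in line or "-j REJECT" in line))
        if catch_all or words[:1] == ["COMMIT"]:
            # Insert before the first blocking INPUT rule, else before COMMIT.
            lines.insert(i, rule)
            return "\n".join(lines) + "\n"
    raise ValueError("no *filter table with COMMIT found")
```

Write the returned text back to the rules file and reload it with the distribution's usual mechanism; fail2ban only adds ban rules and does not open ports.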