1

Topic: Problems whitelisting domains

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):   1.3.2 MARIADB edition.
- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer script
- Linux/BSD distribution name and version: Linux Debian 10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
First, many thanks for all your work on iRedMail.  I recommend it to others whenever I get the chance. 

We have set up an iRedMail server to be used by a subset of our employees who have not had any email until now. Let's call our primary mail domain (hosted by Google) "example.com". Our iRedMail server has been configured, successfully, to allow sending to and receiving mail *only* from "example.com" addresses. All the iRedMail addresses use the subdomain "sub.example.com".
However, during testing, a problem came up. Our Gmail users often use a third-party encryption service that integrates tightly with Gmail. Let's call it "ENCRYPTER.ORG".

To read the messages encrypted by ENCRYPTER.ORG, they can click on a button in the message to confirm their email address, and ENCRYPTER.ORG then emails them a PIN. With the PIN, their encrypted message can be decrypted and displayed in the browser.

So, any encrypted mail sent from "example.com" accounts will be unreadable for our iRedMail accounts, unless I also whitelist mail from that third-party encryption service to permit the PIN messages.

However, none of those messages containing the PINs arrive, and I am thoroughly puzzled as to why. 
I thought that this should be very simple.  What is the best way to allow emails to and from just two domains, blocking everything else?  Because everything is so restricted, I have already disabled Greylisting in master.cf (the port 7777 line) in the interest of simplicity.  Whitelisting the ENCRYPTER.ORG domain with iRedAPD seems to make no difference.

Thanks for your help.

----------------------------
Sample log entries (with real domain names and IPs obscured) are attached from one attempt to deliver a PIN message to enable reading an encrypted email.


2

Re: Problems whitelisting domains

0utre wrote:

First, many thanks for all your work on iRedMail.  I recommend it to others whenever I get the chance. 

Enjoy, and thanks. :)

According to the last log line in your log file:

Apr 13 20:05:47 hostname-1-2-3 postfix/smtp[4249]: 4FKc4x4cgqz60hY: to=<jqpublic@example.com>, relay=none, delay=90, delays=0.01/0/90/0, dsn=4.4.1, status=undeliverable (connect to alt1.aspmx.l.google.com[64.233.186.27]:25: Connection timed out)

Your server cannot connect to the Gmail server at all. Does your ISP block port 25?

3

Re: Problems whitelisting domains

This is an interesting observation. I had not paid much attention to that line.

It's a Debian 10 VM running on AWS, so it's configured to use the Amazon SES server as a relay. (Amazon is blocking direct outbound connections to port 25.) Inbound and outbound email to/from our Gmail-hosted domain is working for messages sent from Roundcube.

The problem I originally posted is with inbound messages from the third party vendor of the Gmail encryption product.

4

Re: Problems whitelisting domains

Finally figured out the answer.
# In /etc/postfix/main.cf
# The check_helo_access line was the answer. (Postfix main.cf does not allow a
# trailing comment on a parameter line, so the note is kept on its own line.)

smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    check_helo_access pcre:/etc/postfix/helo_access.pcre
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

---------------------
######### Contents of /etc/postfix/helo_access.pcre (the file named in main.cf above)
# pcre tables take "/pattern/ action" entries, tried in order, first match wins,
# case-insensitive by default; the lookup key is the client's HELO/EHLO hostname.
/^example\.com$/          permit_auth_destination
/^encrypter\.org$/        permit_auth_destination
/^mx\.encrypter\.org$/    permit_auth_destination
# Anything else: "discard" accepts the message and then silently drops it
/^/                       discard
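On the server itself, `postmap -q some.helo.name pcre:/etc/postfix/helo_access.pcre` shows which entry a given HELO name hits before the table goes live. The Python below is an added example, not code from this thread, from iRedMail or from Postfix: it emulates the first-match, case-insensitive lookup of a Postfix pcre table (simplified: only the `/` delimiter, the `!` negation and the `i` flag are supported) over two constructed tables with the entries from the post, one anchored with `^...$` and one not, to show why the anchors matter: an unanchored `/example\.com/` also matches a HELO name such as `example.com.evil.invalid`, so a lookalike hostname would be granted the permit action.

```python
import re

# Constructed sample table: the post's entries in the "/pattern/ action" form
# that Postfix pcre tables require, anchored at both ends. Not from the thread.
ANCHORED_TABLE = r"""
# keyed on the HELO/EHLO hostname presented by the connecting client
/^example\.com$/          permit_auth_destination
/^encrypter\.org$/        permit_auth_destination
/^mx\.encrypter\.org$/    permit_auth_destination
/^/                       discard
"""

# Same entries without anchors (constructed), to show the substring-match pitfall.
UNANCHORED_TABLE = r"""
/example\.com/            permit_auth_destination
/encrypter\.org/          permit_auth_destination
/^/                       discard
"""

# One table entry: optional "!" (negate), /pattern/, optional flag letters, action.
ENTRY_RE = re.compile(r'^(!?)/((?:\\.|[^/\\])*)/([A-Za-z]*)\s+(\S+)$')


def parse_pcre_table(text):
    """Parse pcre-table text into a list of (compiled_regex, negate, action)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: not a /pattern/ action entry: {raw!r}')
        negate, pattern, flags, action = m.groups()
        # pcre_table(5): matching is case-insensitive by default; the "i" flag
        # toggles that off.
        re_flags = 0 if 'i' in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), negate == '!', action))
    return rules


def lookup(rules, helo_name):
    """First matching entry wins, as in Postfix; None means no entry matched."""
    for regex, negate, action in rules:
        if (regex.search(helo_name) is not None) != negate:
            return action
    return None


def unanchored_patterns(rules):
    """Lint: hostname patterns that are not pinned with both ^ and $."""
    return [r.pattern for r, _, _ in rules
            if r.pattern != '^'  # the catch-all entry is intentionally open
            and not (r.pattern.startswith('^') and r.pattern.endswith('$'))]


if __name__ == '__main__':
    # Constructed HELO names for the demonstration
    for name in ['example.com', 'EXAMPLE.COM', 'example.com.evil.invalid',
                 'mail-xy.google.com']:
        print(f'{name:28} anchored={lookup(parse_pcre_table(ANCHORED_TABLE), name)!s:24}'
              f'unanchored={lookup(parse_pcre_table(UNANCHORED_TABLE), name)}')
    print('unanchored patterns:', unanchored_patterns(parse_pcre_table(UNANCHORED_TABLE)))
```

Because the key for `check_helo_access` is whatever hostname the client chooses to announce, an anchored exact match is the least the table should require; the restriction is a filter on a self-declared value, not on the sending system's identity.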