Dec 29, 2023: iRedMail-1.6.8 has been released.

**maxwell** · 2022-04-04 01:47:34

maxwell
Member
Offline

Registered: 2022-04-02
Posts: 13

Topic: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

Hello guys, I have a server that needs to forbid local network requests of using postfix relay, so I decided that I should set up SASL for iRedmail.

As I modified "smtpd_relay_restrictions" to permit_sasl_auth, the Roundcube web interface cannot send mail anymore, which suggests that Roundcube was never configured to use SASL authentication when using local postfix relay.

So the problem is, how should I fix it? Please let me know if you have any idea, thanks in advance!

UPDATE: I realized that Roundcube actually uses the mail account logged in to AUTH. But somehow, removing permit_mynetworks would result in "Recipient address rejected: Access denied". But the recipient restrictions seems fine...?

Here:
---------
# Recipient restrictions
smtpd_recipient_restrictions =
check_policy_service inet:127.0.0.1:7777
permit_sasl_authenticated
permit_mynetworks
check_policy_service inet:127.0.0.1:12340
reject_unauth_destination
------------

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

**Cthulhu** · 2022-04-04 02:24:11

Cthulhu
Member
Offline

Registered: 2019-06-04
Posts: 815

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

you cannot send mail without smtp auth, even roundcube cannot do this, only possibility is mail sent from a local user via sendmail

logging in with roundcubse uses SASL trough plain password over TLS

**maxwell** · 2022-04-04 10:40:25

maxwell
Member
Offline

Registered: 2022-04-02
Posts: 13

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

Cthulhu wrote:

you cannot send mail without smtp auth, even roundcube cannot do this, only possibility is mail sent from a local user via sendmail
logging in with roundcubse uses SASL trough plain password over TLS

Thanks for your reply!
I must have misunderstood something about how Roundcube works.
Here, what I did was adding restrictions to Postfix relay restrictions, and my configuration was like below:
-------------
smtpd_relay_restrictions =
permit_sasl_authenticated,
reject
-------------
Which is expected to reject all relay requests without SASL auth. And now, any mail sent by Roundcube will be rejected and returned with the following reason:
-------------
<test1@outlook.com>: host 127.0.0.1[127.0.0.1] said: 554 5.7.1
id=17952-14 - Rejected by next-hop MTA on relaying, from
MTA(smtp:[127.0.0.1]:10025): 554 5.7.1 <test1@outlook.com>: Recipient
address rejected: Access denied (in reply to end of DATA command)
-------------
Implied from "in reply to end of DATA command", I think it is due to the rejection of non-SASL-authed request.

But how should I fix it? Please let me know if you have more ideas, thanks!

**Cthulhu** · 2022-04-04 11:21:25

Cthulhu
Member
Offline

Registered: 2019-06-04
Posts: 815

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

why you restrict your local network from sending mails at all?

since you relay on your own network (normally localhost trough amavis), you should not modify this setting at all to avoid such behaviour

**maxwell** · 2022-04-04 11:48:34

maxwell
Member
Offline

Registered: 2022-04-02
Posts: 13

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

Cthulhu wrote:

why you restrict your local network from sending mails at all?
since you relay on your own network (normally localhost trough amavis), you should not modify this setting at all to avoid such behaviour

I hate to admit, but there is a NAT client running on this server. Blackmailers made it to detect my domain and stroke port 25 with 70K+ queued mails as it accepts "mynetworks". Any connection coming from NAT client is Local, so I must disable it to get rid of the risks.

**Cthulhu** · 2022-04-04 12:21:57

Cthulhu
Member
Offline

Registered: 2019-06-04
Posts: 815

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

then get a vps with a dedicated ip and a proper ptr

**ZhangHuangbin** · 2022-04-13 22:34:58

ZhangHuangbin
iRedMail Developers
Offline

Registered: 2009-05-06
Posts: 30,770

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

Default iRedMail configuration considers localhost as trusted, not even servers/devices in same LAN.
There's nothing you need to change for "forbid local network requests of using postfix relay" -- unless you already modified default settings which allows it.

Dec 29, 2023: iRedMail-1.6.8 has been released.

Roundcube cannot send mail anymore after I removed "permit_mynetwork"

Posts: 7

1 Topic by maxwell 2022-04-04 01:47:34 (edited by maxwell 2022-04-04 12:26:23)

Topic: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

2 Reply by Cthulhu 2022-04-04 02:24:11 (edited by Cthulhu 2022-04-04 02:30:06)

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

3 Reply by maxwell 2022-04-04 10:40:25

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

4 Reply by Cthulhu 2022-04-04 11:21:25 (edited by Cthulhu 2022-04-04 11:27:02)

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

5 Reply by maxwell 2022-04-04 11:48:34

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

6 Reply by Cthulhu 2022-04-04 12:21:57

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

7 Reply by ZhangHuangbin 2022-04-13 22:34:58

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

Posts: 7