1 (edited by maxwell 2022-04-04 12:26:23)

Topic: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

Hello guys, I have a server that needs to forbid local network requests of using postfix relay, so I decided that I should set up SASL for iRedmail.

As I modified "smtpd_relay_restrictions" to permit_sasl_auth, the Roundcube web interface cannot send mail anymore, which suggests that Roundcube was never configured to use SASL authentication when using local postfix relay.

So the problem is, how should I fix it? Please let me know if you have any idea, thanks in advance!

UPDATE: I realized that Roundcube actually uses the mail account logged in to AUTH. But somehow, removing permit_mynetworks would result in "Recipient address rejected: Access denied". But the recipient restrictions seems fine...?

Here:
---------
# Recipient restrictions
smtpd_recipient_restrictions =
    check_policy_service inet:127.0.0.1:7777
    permit_sasl_authenticated
    permit_mynetworks
    check_policy_service inet:127.0.0.1:12340
    reject_unauth_destination
------------

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Stable release is out.

2 (edited by Cthulhu 2022-04-04 02:30:06)

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

you cannot send mail without smtp auth, even roundcube cannot do this, only possibility is mail sent from a local user via sendmail

logging in with roundcubse uses SASL trough plain password over TLS

3

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

Cthulhu wrote:

you cannot send mail without smtp auth, even roundcube cannot do this, only possibility is mail sent from a local user via sendmail

logging in with roundcubse uses SASL trough plain password over TLS

Thanks for your reply!
I must have misunderstood something about how Roundcube works.
Here, what I did was adding restrictions to Postfix relay restrictions, and my configuration was like below:
-------------
     smtpd_relay_restrictions =
        permit_sasl_authenticated,
        reject
-------------
Which is expected to reject all relay requests without SASL auth. And now, any mail sent by Roundcube will be rejected and returned with the following reason:
-------------
<test1@outlook.com>: host 127.0.0.1[127.0.0.1] said: 554 5.7.1
    id=17952-14 - Rejected by next-hop MTA on relaying, from
    MTA(smtp:[127.0.0.1]:10025): 554 5.7.1 <test1@outlook.com>: Recipient
    address rejected: Access denied (in reply to end of DATA command)
-------------
Implied from "in reply to end of DATA command", I think it is due to the rejection of non-SASL-authed request.

But how should I fix it? Please let me know if you have more ideas, thanks!

4 (edited by Cthulhu 2022-04-04 11:27:02)

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

why you restrict your local network from sending mails at all?

since you relay on your own network (normally localhost trough amavis), you should not modify this setting at all to avoid such behaviour

5

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

Cthulhu wrote:

why you restrict your local network from sending mails at all?

since you relay on your own network (normally localhost trough amavis), you should not modify this setting at all to avoid such behaviour

I hate to admit, but there is a NAT client running on this server. Blackmailers made it to detect my domain and stroke port 25 with 70K+ queued mails as it accepts "mynetworks". Any connection coming from NAT client is Local, so I must disable it to get rid of the risks.

6

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

then get a vps with a dedicated ip and a proper ptr

7

Re: Roundcube cannot send mail anymore after I removed "permit_mynetwork"

Default iRedMail configuration considers localhost as trusted, not even servers/devices in same LAN.
There's nothing you need to change for "forbid local network requests of using postfix relay" -- unless you already modified default settings which allows it.