1 (edited by joonlapsi 2022-06-14 01:22:35)

Topic: Mailing List Send by Non-Domain users

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Ubuntu 20.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I set up a mailing list with "Who can send email to this list: Users under same domain."

BUT even if I use other domain emails, I can send to the mailing lists.  I don't want to restrict to members only, since I want our users who are non-members to be able to send to the mailing list.  But I want only domain users to be able to send, not other domain users.  For example, I can use a Gmail account to send to user1@example.com even though I set up "users under same domain."

Please help.


2

Re: Mailing List Send by Non-Domain users

Please upgrade iRedMail to the latest release and try again.
FYI https://docs.iredmail.org/iredmail.releases.html

3

Re: Mailing List Send by Non-Domain users

Ok. I'll try to do so soon.

4 (edited by joonlapsi 2022-07-02 03:39:21)

Re: Mailing List Send by Non-Domain users

I upgraded to iredmail, iredadmin, mlmmjadmin, netdata, etc. all to latest version.  Still anyone can send to mailing list even though I chose 'Users under same domain.'  Please help.

5

Re: Mailing List Send by Non-Domain users

In iredadmin pro web interface I can create and manage mailing lists.  However, in the setting.py (.../www/iRedAdmin-Pro-SQL-5.1) I noticed the mlmmjadmin_api_auth_token has nothing in the single quotes.  Could this be the reason?  But I'm still able to make changes to mailing list in iredadmin-pro interface.

Just trying to find out why non-domain users can still send to list.

6

Re: Mailing List Send by Non-Domain users

joonlapsi wrote:

I noticed the mlmmjadmin_api_auth_token has nothing in the single quotes.  Could this be the reason? 

Yes. Please find the api token in /opt/mlmmjadmin/settings.py, then copy it to iRedAdmin-Pro config file (parameter "mlmmjadmin_api_auth_token"), restart "iredadmin" service.

Login to iRedAdmin-Pro, update the access again and try sending a testing email.

7 (edited by joonlapsi 2022-07-06 02:36:17)

Re: Mailing List Send by Non-Domain users

ZhangHuangbin wrote:
joonlapsi wrote:

I noticed the mlmmjadmin_api_auth_token has nothing in the single quotes.  Could this be the reason? 

Yes. Please find the api token in /opt/mlmmjadmin/settings.py, then copy it to iRedAdmin-Pro config file (parameter "mlmmjadmin_api_auth_token"), restart "iredadmin" service.

Login to iRedAdmin-Pro, update the access again and try sending a testing email.

For some reason didn't work again.  I copied the api token into iredadmin setting.py, and restarted iredadmin service.

Is there something I can do using the mlmmjadmin/tools/maillist_admin.py?  For now I'm just using moderate_non_subscribter_post, but would like to find a proper way to stop non-domain users from using mailing lists.

8

Re: Mailing List Send by Non-Domain users

joonlapsi wrote:

For some reason didn't work again.  I copied the api token into iredadmin setting.py, and restarted iredadmin service.

You missed one step in my previous post: Login to iRedAdmin-Pro, update the access again and try sending a testing email.

9 (edited by joonlapsi 2022-07-07 01:58:07)

Re: Mailing List Send by Non-Domain users

ZhangHuangbin wrote:
joonlapsi wrote:

For some reason didn't work again.  I copied the api token into iredadmin setting.py, and restarted iredadmin service.

You missed one step in my previous post: Login to iRedAdmin-Pro, update the access again and try sending a testing email.

Sorry I forgot to include.  I redid the iRedAdmin-Pro setting.  I went in changed to unrestricted, then changed back to same domain.  But still allowed gmail to send to domain email.

I even created a new mailing list today called testing@mydomain.com, set users under same domain, and still gmail can send.

10

Re: Mailing List Send by Non-Domain users

Please turn on debug mode in iRedAPD, send one more testing email from Gmail, extract FULL related log from iRedAPD log line and paste here for troubleshooting.
FYI https://docs.iredmail.org/debug.iredapd.html

11

Re: Mailing List Send by Non-Domain users

ZhangHuangbin wrote:

Please turn on debug mode in iRedAPD, send one more testing email from Gmail, extract FULL related log from iRedAPD log line and paste here for troubleshooting.
FYI https://docs.iredmail.org/debug.iredapd.html

Hope it's not too long.  I changed some info for privacy.  "protect.mycompany.com" is our spam filter service, a gateway spam filter.  It doesn't alter email, does virus and spam checks, then passes on to iredmail server.   Please let me know if anything else is needed.  Thanks!

Jul  8 10:08:26 mail iredapd [policy] request=smtpd_access_policy
Jul  8 10:08:26 mail iredapd [policy] protocol_state=RCPT
Jul  8 10:08:26 mail iredapd [policy] protocol_name=ESMTP
Jul  8 10:08:26 mail iredapd [policy] client_address=151.151.118.151
Jul  8 10:08:26 mail iredapd [policy] client_name=protect.mycompany.com
Jul  8 10:08:26 mail iredapd [policy] client_port=51537
Jul  8 10:08:26 mail iredapd [policy] reverse_client_name=protect.mycompany.com
Jul  8 10:08:26 mail iredapd [policy] server_address=192.168.0.130
Jul  8 10:08:26 mail iredapd [policy] server_port=25
Jul  8 10:08:26 mail iredapd [policy] helo_name=protect.mycompany.com
Jul  8 10:08:26 mail iredapd [policy] sender=techsupport@gmail.com
Jul  8 10:08:26 mail iredapd [policy] recipient=testing@mycompany.com
Jul  8 10:08:26 mail iredapd [policy] recipient_count=0
Jul  8 10:08:26 mail iredapd [policy] queue_id=
Jul  8 10:08:26 mail iredapd [policy] instance=9647f.62c8486a.aaf78.0
Jul  8 10:08:26 mail iredapd [policy] size=4499
Jul  8 10:08:26 mail iredapd [policy] etrn_domain=
Jul  8 10:08:26 mail iredapd [policy] stress=
Jul  8 10:08:26 mail iredapd [policy] sasl_method=
Jul  8 10:08:26 mail iredapd [policy] sasl_username=
Jul  8 10:08:26 mail iredapd [policy] sasl_sender=
Jul  8 10:08:26 mail iredapd [policy] ccert_subject=
Jul  8 10:08:26 mail iredapd [policy] ccert_issuer=
Jul  8 10:08:26 mail iredapd [policy] ccert_fingerprint=
Jul  8 10:08:26 mail iredapd [policy] ccert_pubkey_fingerprint=
Jul  8 10:08:26 mail iredapd [policy] encryption_protocol=TLSv1.3
Jul  8 10:08:26 mail iredapd [policy] encryption_cipher=TLS_AES_256_GCM_SHA384
Jul  8 10:08:26 mail iredapd [policy] encryption_keysize=256
Jul  8 10:08:26 mail iredapd [policy] policy_context=
Jul  8 10:08:26 mail iredapd --> Apply plugin: reject_null_sender
Jul  8 10:08:26 mail iredapd <-- Result: DUNNO
Jul  8 10:08:26 mail iredapd --> Apply plugin: wblist_rdns
Jul  8 10:08:26 mail iredapd All policy rDNS names: ['protect.mycompany.com', '.protect.mycompany.com', '.mycompany.com', '.com']
Jul  8 10:08:26 mail iredapd [SQL] Query whitelisted rDNS names: #012SELECT rdns#012               FROM wblist_rdns#012              WHERE rdns IN ('protect.mycompany.com', '.protect.mycompany.com', '.mycompany.com', '.com') AND wb='W'#012              LIMIT 1
Jul  8 10:08:26 mail iredapd [SQL] Query blacklisted rDNS names: #012SELECT rdns#012               FROM wblist_rdns#012              WHERE rdns IN ('protect.mycompany.com', '.protect.mycompany.com', '.mycompany.com', '.com') AND wb='B'#012              LIMIT 1
Jul  8 10:08:26 mail iredapd <-- Result: DUNNO
Jul  8 10:08:26 mail iredapd --> Apply plugin: reject_sender_login_mismatch
Jul  8 10:08:26 mail iredapd Not an authenticated sender (no sasl_username).
Jul  8 10:08:26 mail iredapd [SQL] query local domain (gmail.com): #012SELECT domain#012                   FROM domain#012                  WHERE domain='gmail.com' AND active=1 AND backupmx=0#012                  LIMIT 1
Jul  8 10:08:26 mail iredapd SQL query result: None
Jul  8 10:08:26 mail iredapd [SQL] query alias domain (gmail.com): #012"SELECT alias_domain.alias_domain\n                       FROM alias_domain, domain\n                      WHERE domain.active=1\n                            AND domain.domain=alias_domain.target_domain\n                            AND alias_domain.alias_domain='gmail.com'\n                      LIMIT 1"
Jul  8 10:08:26 mail iredapd [SQL] query result: None
Jul  8 10:08:26 mail iredapd Sender domain is NOT hosted locally.
Jul  8 10:08:26 mail iredapd <-- Result: DUNNO
Jul  8 10:08:26 mail iredapd --> Apply plugin: greylisting
Jul  8 10:08:26 mail iredapd [SQL] query target domain of given alias domain (mycompany.com): #012"SELECT alias_domain.target_domain\n               FROM alias_domain, domain\n              WHERE domain.active=1\n                    AND domain.domain=alias_domain.target_domain\n                    AND alias_domain.alias_domain='mycompany.com'\n              LIMIT 1"
Jul  8 10:08:26 mail iredapd [SQL] query result: None
Jul  8 10:08:26 mail iredapd [SQL] Query greylisting whitelists from `greylisting_whitelist_domain_spf`: #012SELECT LOWER(sender)#012                   FROM greylisting_whitelist_domain_spf#012                  WHERE account IN ('testing@mycompany.com', '@mycompany.com', '@.', '@.mycompany.com', '@.com')
Jul  8 10:08:26 mail iredapd [151.151.118.151] Client IP is explictly whitelisted for greylisting service.
Jul  8 10:08:26 mail iredapd <-- Result: DUNNO
Jul  8 10:08:26 mail iredapd Skip plugin: throttle (protocol_state != RCPT)
Jul  8 10:08:26 mail iredapd --> Apply plugin: sql_alias_access_policy
Jul  8 10:08:26 mail iredapd [SQL] query access policy: #012SELECT accesspolicy#012               FROM alias#012              WHERE address='testing@mycompany.com'#012              LIMIT 1
Jul  8 10:08:26 mail iredapd [SQL] query result: None
Jul  8 10:08:26 mail iredapd [SQL] query target domain of given alias domain (mycompany.com): #012"SELECT alias_domain.target_domain\n               FROM alias_domain, domain\n              WHERE domain.active=1\n                    AND domain.domain=alias_domain.target_domain\n                    AND alias_domain.alias_domain='mycompany.com'\n              LIMIT 1"
Jul  8 10:08:26 mail iredapd [SQL] query result: None
Jul  8 10:08:26 mail iredapd Recipient domain is not an alias domain.
Jul  8 10:08:26 mail iredapd <-- Result: DUNNO Recipient is not a mail alias account or no access policy
Jul  8 10:08:26 mail iredapd --> Apply plugin: amavisd_wblist
Jul  8 10:08:26 mail iredapd [SQL] query target domain of given alias domain (gmail.com): #012"SELECT alias_domain.target_domain\n               FROM alias_domain, domain\n              WHERE domain.active=1\n                    AND domain.domain=alias_domain.target_domain\n                    AND alias_domain.alias_domain='gmail.com'\n              LIMIT 1"
Jul  8 10:08:26 mail iredapd [SQL] query result: None
Jul  8 10:08:26 mail iredapd [SQL] query target domain of given alias domain (mycompany.com): #012"SELECT alias_domain.target_domain\n               FROM alias_domain, domain\n              WHERE domain.active=1\n                    AND domain.domain=alias_domain.target_domain\n                    AND alias_domain.alias_domain='mycompany.com'\n              LIMIT 1"
Jul  8 10:08:26 mail iredapd [SQL] query result: None
Jul  8 10:08:26 mail iredapd Possible policy senders: ['techsupport@gmail.com', '@gmail.com', '@.', '@.gmail.com', '@.com', 'techsupport@*', '151.151.118.151', '151.151.118.*', '151.151.*.151']
Jul  8 10:08:26 mail iredapd Possible policy recipients: ['testing@mycompany.com', '@mycompany.com', '@.', '@.mycompany.com', '@.com']
Jul  8 10:08:26 mail iredapd Apply wblist for inbound message.
Jul  8 10:08:26 mail iredapd [SQL] Query local addresses: #012SELECT id, email#012               FROM users#012              WHERE email IN ('testing@mycompany.com', '@mycompany.com', '@.', '@.mycompany.com', '@.com')#012           ORDER BY priority DESC
Jul  8 10:08:26 mail iredapd Local addresses (in `amavisd.users`): [(1, b'@.')]
Jul  8 10:08:26 mail iredapd [SQL] Query external addresses: #012SELECT id, email#012               FROM mailaddr#012              WHERE email IN ('techsupport@gmail.com', '@gmail.com', '@.', '@.gmail.com', '@.com', 'techsupport@*', '151.151.118.151', '151.151.118.*', '151.151.*.151')#012           ORDER BY priority DESC
Jul  8 10:08:26 mail iredapd No record found in SQL database.
Jul  8 10:08:26 mail iredapd [SQL] Query CIDR network: #012SELECT id, email#012               FROM mailaddr#012              WHERE email LIKE '52.%%'#012           ORDER BY priority DESC
Jul  8 10:08:26 mail iredapd IDs of CIDR network(s): []
Jul  8 10:08:26 mail iredapd No valid sender id or recipient id.
Jul  8 10:08:26 mail iredapd <-- Result: DUNNO
Jul  8 10:08:26 mail iredapd Session ended.
Jul  8 10:08:26 mail iredapd [151.151.118.151] RCPT, techsupport@gmail.com -> testing@mycompany.com, DUNNO [sasl_username=, sender=techsupport@gmail.com, client_name=protect.mycompany.com, reverse_client_name=protect.mycompany.com, helo=protect.mycompany.com, encryption_protocol=TLSv1.3, encryption_cipher=TLS_AES_256_GCM_SHA384, server_port=25, process_time=0.0466s]
Jul  8 10:08:26 mail iredapd [policy] request=smtpd_access_policy
Jul  8 10:08:26 mail iredapd [policy] protocol_state=END-OF-MESSAGE
Jul  8 10:08:26 mail iredapd [policy] protocol_name=ESMTP
Jul  8 10:08:26 mail iredapd [policy] client_address=151.151.118.151
Jul  8 10:08:26 mail iredapd [policy] client_name=protect.mycompany.com
Jul  8 10:08:26 mail iredapd [policy] client_port=51537
Jul  8 10:08:26 mail iredapd [policy] reverse_client_name=protect.mycompany.com
Jul  8 10:08:26 mail iredapd [policy] server_address=192.168.0.130
Jul  8 10:08:26 mail iredapd [policy] server_port=25
Jul  8 10:08:26 mail iredapd [policy] helo_name=protect.mycompany.com
Jul  8 10:08:26 mail iredapd [policy] sender=techsupport@gmail.com
Jul  8 10:08:26 mail iredapd [policy] recipient=testing@mycompany.com
Jul  8 10:08:26 mail iredapd [policy] recipient_count=1
Jul  8 10:08:26 mail iredapd [policy] queue_id=4Lfc9Q5X3NzFpXP
Jul  8 10:08:26 mail iredapd [policy] instance=9647f.62c8486a.aaf78.0
Jul  8 10:08:26 mail iredapd [policy] size=4497
Jul  8 10:08:26 mail iredapd [policy] etrn_domain=
Jul  8 10:08:26 mail iredapd [policy] stress=
Jul  8 10:08:26 mail iredapd [policy] sasl_method=
Jul  8 10:08:26 mail iredapd [policy] sasl_username=
Jul  8 10:08:26 mail iredapd [policy] sasl_sender=
Jul  8 10:08:26 mail iredapd [policy] ccert_subject=
Jul  8 10:08:26 mail iredapd [policy] ccert_issuer=
Jul  8 10:08:26 mail iredapd [policy] ccert_fingerprint=
Jul  8 10:08:26 mail iredapd [policy] ccert_pubkey_fingerprint=
Jul  8 10:08:26 mail iredapd [policy] encryption_protocol=TLSv1.3
Jul  8 10:08:26 mail iredapd [policy] encryption_cipher=TLS_AES_256_GCM_SHA384
Jul  8 10:08:26 mail iredapd [policy] encryption_keysize=256
Jul  8 10:08:26 mail iredapd [policy] policy_context=
Jul  8 10:08:26 mail iredapd Skip plugin: reject_null_sender (protocol_state != END-OF-MESSAGE)
Jul  8 10:08:26 mail iredapd Skip plugin: wblist_rdns (protocol_state != END-OF-MESSAGE)
Jul  8 10:08:26 mail iredapd Skip plugin: reject_sender_login_mismatch (protocol_state != END-OF-MESSAGE)
Jul  8 10:08:26 mail iredapd Skip plugin: greylisting (protocol_state != END-OF-MESSAGE)
Jul  8 10:08:26 mail iredapd --> Apply plugin: throttle
Jul  8 10:08:26 mail iredapd Check sender throttling.
Jul  8 10:08:26 mail iredapd [SQL] query target domain of given alias domain (gmail.com): #012"SELECT alias_domain.target_domain\n               FROM alias_domain, domain\n              WHERE domain.active=1\n                    AND domain.domain=alias_domain.target_domain\n                    AND alias_domain.alias_domain='gmail.com'\n              LIMIT 1"
Jul  8 10:08:26 mail iredapd [SQL] query result: None
Jul  8 10:08:26 mail iredapd [SQL] Query throttle setting: #012        SELECT id, account, priority, period, max_msgs, max_quota, max_rcpts, msg_size#012          FROM throttle#012         WHERE kind='external' AND account IN ('151.151.118.151', '@ip', 'techsupport@gmail.com', '@gmail.com', '@.', '@.gmail.com', '@.com', '151.151.118.*', '151.151.*.151')#012         ORDER BY priority DESC#012
Jul  8 10:08:26 mail iredapd [SQL] Query result: []
Jul  8 10:08:26 mail iredapd No sender throttle setting.
Jul  8 10:08:26 mail iredapd Check recipient throttling.
Jul  8 10:08:26 mail iredapd [SQL] query target domain of given alias domain (mycompany.com): #012"SELECT alias_domain.target_domain\n               FROM alias_domain, domain\n              WHERE domain.active=1\n                    AND domain.domain=alias_domain.target_domain\n                    AND alias_domain.alias_domain='mycompany.com'\n              LIMIT 1"
Jul  8 10:08:26 mail iredapd [SQL] query result: None
Jul  8 10:08:26 mail iredapd [SQL] Query throttle setting: #012        SELECT id, account, priority, period, max_msgs, max_quota, max_rcpts, msg_size#012          FROM throttle#012         WHERE kind='inbound' AND account IN ('151.151.118.151', '@ip', 'testing@mycompany.com', '@mycompany.com', '@.', '@.mycompany.com', '@.com', '151.151.118.*', '151.151.*.151')#012         ORDER BY priority DESC#012
Jul  8 10:08:26 mail iredapd [SQL] Query result: []
Jul  8 10:08:26 mail iredapd No recipient throttle setting.
Jul  8 10:08:26 mail iredapd <-- Result: DUNNO
Jul  8 10:08:26 mail iredapd Skip plugin: sql_alias_access_policy (protocol_state != END-OF-MESSAGE)
Jul  8 10:08:26 mail iredapd Skip plugin: amavisd_wblist (protocol_state != END-OF-MESSAGE)
Jul  8 10:08:26 mail iredapd Session ended.
Jul  8 10:08:26 mail iredapd [151.151.118.151] END-OF-MESSAGE, techsupport@gmail.com -> testing@mycompany.com, DUNNO [recipient_count=1, size=4497, process_time=0.0093s]
Jul  8 10:08:26 mail iredapd [SQL] Insert into smtp_sessions: #012        INSERT INTO smtp_sessions (#012            time, time_num,#012            action, reason, instance,#012            client_address, client_name, reverse_client_name, helo_name,#012            encryption_protocol, encryption_cipher,#012            server_address, server_port,#012            sender, sender_domain,#012            sasl_username, sasl_domain,#012            recipient, recipient_domain)#012        VALUES (#012            '2022-07-08 15:08:26', 1657292906,#012            'DUNNO', '', '9647f.62c8486a.aaf78.0',#012            '151.151.118.151', 'protect.mycompany.com', 'protect.mycompany.com', 'protect.mycompany.com',#012            'TLSv1.3', 'TLS_AES_256_GCM_SHA384',#012            '192.168.0.130', '25',#012            'techsupport@gmail.com', 'gmail.com',#012            '', '',#012            'testing@mycompany.com', 'mycompany.com')#012

12

Re: Mailing List Send by Non-Domain users

Please check file /opt/iredapd/settings.py, parameter "plugins =", make sure plugin "sql_ml_access_policy" is enabled. If not, please append it and restart "iredapd" service, then try again.
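Added example (not part of the original thread and not iRedAPD's own code): a small Python audit of an iRedAPD debug log in the format pasted above. It lists which plugins actually ran per policy session and flags RCPT sessions where a sender from a different domain was evaluated without "sql_ml_access_policy" in the chain. The sample log lines and addresses are constructed, the function names are hypothetical, and the log alone cannot tell whether the recipient is a mailing list.

```python
import re

# Syslog prefix as seen in the thread: "Jul  8 10:08:26 mail iredapd <message>"
PREFIX = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\siredapd\s+(.*)$")

# Constructed sample, abridged to the line types that matter for the audit.
SAMPLE_LOG = """\
Jul  8 10:08:26 mail iredapd [policy] request=smtpd_access_policy
Jul  8 10:08:26 mail iredapd [policy] protocol_state=RCPT
Jul  8 10:08:26 mail iredapd [policy] sender=outside@example.net
Jul  8 10:08:26 mail iredapd [policy] recipient=list@example.com
Jul  8 10:08:26 mail iredapd --> Apply plugin: reject_null_sender
Jul  8 10:08:26 mail iredapd <-- Result: DUNNO
Jul  8 10:08:26 mail iredapd Skip plugin: throttle (protocol_state != RCPT)
Jul  8 10:08:26 mail iredapd --> Apply plugin: sql_alias_access_policy
Jul  8 10:08:26 mail iredapd <-- Result: DUNNO Recipient is not a mail alias account or no access policy
Jul  8 10:08:26 mail iredapd Session ended.
Jul  8 10:08:26 mail iredapd [policy] request=smtpd_access_policy
Jul  8 10:08:26 mail iredapd [policy] protocol_state=END-OF-MESSAGE
Jul  8 10:08:26 mail iredapd --> Apply plugin: throttle
Jul  8 10:08:26 mail iredapd <-- Result: DUNNO
Jul  8 10:08:26 mail iredapd Session ended.
"""

def parse_sessions(log_text):
    """Split a debug log into policy sessions with applied/skipped plugins."""
    sessions, cur = [], None
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg.startswith("[policy] request="):      # a new policy request begins
            cur = {"attrs": {}, "applied": [], "skipped": []}
            sessions.append(cur)
        if cur is None:
            continue
        if msg.startswith("[policy] "):
            key, _, value = msg[len("[policy] "):].partition("=")
            cur["attrs"][key] = value
        elif msg.startswith("--> Apply plugin: "):
            cur["applied"].append([msg.split(": ", 1)[1], None])
        elif msg.startswith("<-- Result: ") and cur["applied"]:
            cur["applied"][-1][1] = msg.split(": ", 1)[1].split()[0]  # verdict word only
        elif msg.startswith("Skip plugin: "):
            cur["skipped"].append(msg.split(": ", 1)[1].split()[0])
        elif msg == "Session ended.":
            cur = None
    return sessions

def unenforced_list_posts(sessions, required="sql_ml_access_policy"):
    """RCPT sessions from another sender domain where `required` never ran."""
    findings = []
    for s in sessions:
        a = s["attrs"]
        if a.get("protocol_state") != "RCPT":
            continue
        names = [name for name, _ in s["applied"]]
        sender_dom = a.get("sender", "").rpartition("@")[2].lower()
        rcpt_dom = a.get("recipient", "").rpartition("@")[2].lower()
        if required not in names and sender_dom != rcpt_dom:
            findings.append((a.get("sender"), a.get("recipient"), names))
    return findings

if __name__ == "__main__":
    for finding in unenforced_list_posts(parse_sessions(SAMPLE_LOG)):
        print("plugin missing from chain:", finding)
```
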

13

Re: Mailing List Send by Non-Domain users

I only had
"reject_null_sender", "wblist_rdns", "reject_sender_login_mismatch", "greylisting", "throttle", "amavisd_wblist", "sql_alias_access_policy"

I just added the one you mentioned.  Thanks!  I'll try again.

14 (edited by joonlapsi 2022-07-10 01:03:58)

Re: Mailing List Send by Non-Domain users

That was it!!!  Just needed that plugin added to the settings:
"sql_ml_access_policy"