1

Topic: Local Domain Sender Address Verification

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version: Debian Wheezy
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- Related log if you're reporting an issue: N/A
====
Not sure if this has been asked before....
Is there any way to automatically quarantine email FROM non-existent local domain email addresses?

Let me elaborate:
- I have received an email containing malware from an address that doesn't exist on my iRedMail instance. In this case it was an email FROM: accounts@<my-domain>.

- The TO: <me>@<my-domain> email address does exist (hence I received the email!)

- My iRedMail server handles all email @<my-domain>.

- The email address accounts@<my-domain> does not exist.

So to confirm, is there any way to check <sender>@<my-domain> before delivering the email?
Not interested in checking any other email domains other than my own.

Cheers


2

Re: Local Domain Sender Address Verification

This issue was reported before. Could you please show us output of command "postconf -n"?

With default iRedMail settings, it requires smtp auth for email sent from hosted domains, so this issue is not expected.

As a temporary solution, you can try this:

*) Upgrade iRedAPD to the latest 1.8.0. Upgrade tutorial is available here: http://www.iredmail.org/docs/upgrade.iredapd.html
*) Remove 'reject_sender_login_mismatch' in /etc/postfix/main.cf.
*) Enable plugin 'reject_sender_login_mismatch' in /opt/iredapd/settings.py.
*) Restart both Postfix and iRedAPD services.

3

Re: Local Domain Sender Address Verification

Thanks for getting back to me.

Output is here: http://pastebin.com/ZmXTe2Aa

4

Re: Local Domain Sender Address Verification

Does it work if you add 'reject_unlisted_sender' in 'smtpd_sender_restrictions =' like below?

smtpd_sender_restrictions = reject_unlisted_sender, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated

5

Re: Local Domain Sender Address Verification

Have added 'reject_unlisted_sender' in 'smtpd_sender_restrictions' and rebooted just to be 100% sure:

smtpd_sender_restrictions = reject_unlisted_sender, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated

Spoofing email (via telnet) from accounts@<my-domain> to me is still getting through :(

Nice idea though :)

6

Re: Local Domain Sender Address Verification

Does it work if you place 'reject_unlisted_sender' in 'smtpd_recipient_restrictions' (instead of smtpd_sender_restrictions)?

7

Re: Local Domain Sender Address Verification

Hey, apologies for the lateness of reply.

I've added 'reject_unlisted_sender' as first option of 'smtpd_recipient_restrictions' and restarted the postfix service.

Spoofing email via telnet from a local account that 100% doesn't exist (accounts@<my-domain>), the email is still delivered :(

Any other ideas?

8

Re: Local Domain Sender Address Verification

A temporary solution:

*) Remove 'reject_sender_login_mismatch' in /etc/postfix/main.cf.
*) Enable plugin 'reject_sender_login_mismatch' in /opt/iredapd/settings.py.
*) Open file /opt/iredapd/plugins/reject_sender_login_mismatch.py, comment out lines listed below:

    if not sasl_username:
        logger.debug('Bypass: Not sent by hosted user (no sasl_username).')
        return SMTP_ACTIONS['default']

*) Restart both Postfix and iRedAPD service.
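
The check this workaround aims for, as an added example that is not part of the original post and is not iRedAPD's code: a Postfix policy-delegation handler that rejects unauthenticated mail claiming a sender in a hosted domain. `HOSTED_DOMAINS`, `example.com`, the sample request and the function names are assumptions made for the illustration.

```python
# Added illustration; not iRedAPD source.
# HOSTED_DOMAINS is a constructed placeholder for the domains this server hosts.
HOSTED_DOMAINS = {"example.com"}


def parse_request(raw):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the access action for one request."""
    sender = attrs.get("sender", "").lower()
    sasl_username = attrs.get("sasl_username", "").lower()
    local, at, domain = sender.rpartition("@")
    # Null sender (bounces) or malformed address: leave it to other restrictions.
    if not at or not local or not domain:
        return "DUNNO"
    # Only senders in our own domains are checked.
    if domain not in HOSTED_DOMAINS:
        return "DUNNO"
    # No SMTP AUTH but the envelope sender claims a hosted domain: spoofed.
    if not sasl_username:
        return "REJECT Sender domain is hosted here; SMTP AUTH required"
    if sasl_username != sender:
        return "REJECT Sender does not match authenticated login"
    return "DUNNO"


def respond(raw):
    """Build the reply Postfix expects: action=<value> followed by a blank line."""
    return "action=%s\n\n" % decide(parse_request(raw))


# Constructed sample: unauthenticated client using a hosted-domain sender.
SPOOFED = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
           "sender=accounts@example.com\nrecipient=me@example.com\n"
           "sasl_username=\nclient_address=192.0.2.10\n\n")

if __name__ == "__main__":
    print(respond(SPOOFED))
```

In Postfix such a service is called through check_policy_service, and its position relative to permit_mynetworks decides whether trusted hosts that send without authentication are exempt.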

9

Re: Local Domain Sender Address Verification

Thanks for reply.  I think we are getting closer!
First off I had some indent problems from the comment lines.  From iredapd.log:

2016-03-04 14:11:25 ERROR Error while loading plugin (reject_sender_login_mismatch): unexpected indent (reject_sender_login_mismatch.py, line 82)

Fixed those.  Tested again:

2016-03-04 14:12:19 INFO Starting iRedAPD (version: 1.6.0, backend: mysql), listening on 127.0.0.1:7777.
2016-03-04 14:12:19 INFO Loading plugin: sql_alias_access_policy
2016-03-04 14:12:19 INFO Loading plugin: sql_user_restrictions
2016-03-04 14:12:19 INFO Loading plugin: reject_sender_login_mismatch
2016-03-04 14:13:39 ERROR <!> Error applying plugin reject_sender_login_mismatch: need more than 1 value to unpack
2016-03-04 14:13:39 INFO [192.168.52.161] RCPT, accounts@<my-domain> -> <me>@<my-domain>, DUNNO

Almost there!