1 Topic by zeep

  • zeep
  • Member
  • Offline
  • Registered: 2017-08-16
  • Posts: 10

Topic: Reject_sender_login_mismatch not wokring

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Mysql
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro?: Free version
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have enabled reject_sender_login_mismatch as follows:

# Sender restrictions
smtpd_sender_restrictions =
    reject_unknown_sender_domain
    reject_sender_login_mismatch
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access pcre:/etc/postfix/sender_access.pcre

But it still allows me to change FROM address to any email including existing ones. For example, my email is abc@xyz.com and I can send email as myboss@xyz.com. This is a very serious issue and I could not solve. Please let me know how to fix this. Thanks a lot.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by zeep

  • zeep
  • Member
  • Offline
  • Registered: 2017-08-16
  • Posts: 10

Re: Reject_sender_login_mismatch not wokring

/var/log/mail.log shows as follows

Aug 26 20:29:41 mail postfix/submission/smtpd[8360]: warning: hostname my-other-domain.asia does not resolve to address my_current_ip
Aug 26 20:29:41 mail postfix/submission/smtpd[8360]: connect from unknown[my_current_ip]
Aug 26 20:29:42 mail postfix/submission/smtpd[8360]: Anonymous TLS connection established from unknown[my_current_ip]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 26 20:29:42 mail postfix/submission/smtpd[8360]: E84DE17CAE2: client=unknown[my_current_ip], sasl_method=PLAIN, sasl_username=exampletest@mydomain
Aug 26 20:29:43 mail postfix/cleanup[8371]: E84DE17CAE2: message-id=<7d59d41d-d470-c7c6-7f33-52d439ddf005@mydomain>
Aug 26 20:29:43 mail postfix/qmgr[8180]: E84DE17CAE2: from=<exampletest@mydomain>, size=623, nrcpt=1 (queue active)
Aug 26 20:29:43 mail postfix/10025/smtpd[8379]: connect from mail.mydomain[127.0.0.1]
Aug 26 20:29:43 mail postfix/10025/smtpd[8379]: 7C9F717CDDE: client=mail.mydomain[127.0.0.1]
Aug 26 20:29:43 mail postfix/cleanup[8371]: 7C9F717CDDE: message-id=<7d59d41d-d470-c7c6-7f33-52d439ddf005@mydomain>
Aug 26 20:29:43 mail postfix/10025/smtpd[8379]: disconnect from mail.mydomain[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Aug 26 20:29:43 mail postfix/qmgr[8180]: 7C9F717CDDE: from=<exampletest@mydomain>, size=1834, nrcpt=1 (queue active)
Aug 26 20:29:43 mail amavis[2172]: (02172-06) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [my_current_ip]:39954 [my_current_ip] <exampletest@mydomain> -> <example-mail@gmail.com>, Queue-ID: E84DE17CAE2, Message-ID: <7d59d41d-d470-c7c6-7f33-52d439ddf005@mydomain>, mail_id: I01aFVC6Lb-z, Hits: -0.5, size: 623, queued_as: 7C9F717CDDE, dkim_new=dkim:mydomain, 203 ms, Tests: [ALL_TRUSTED=-1,FROM_LOCAL_NOVOWEL=0.5]
Aug 26 20:29:43 mail postfix/amavis/smtp[8376]: E84DE17CAE2: to=<example-mail@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.7, delays=0.49/0.01/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7C9F717CDDE)
Aug 26 20:29:43 mail postfix/qmgr[8180]: E84DE17CAE2: removed
Aug 26 20:29:43 mail postfix/smtp[8380]: connect to gmail-smtp-in.l.google.com[2404:6800:4003:c01::1a]:25: Network is unreachable
Aug 26 20:29:43 mail postfix/submission/smtpd[8360]: disconnect from unknown[my_current_ip] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Aug 26 20:29:44 mail postfix/smtp[8380]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.130.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 26 20:29:44 mail postfix/smtp[8380]: 7C9F717CDDE: to=<example-mail@gmail.com>, relay=gmail-smtp-in.l.google.com[74.125.130.26]:25, delay=1.3, delays=0.01/0.01/0.74/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1503779384 i194si3382333pgd.296 - gsmtp)
Aug 26 20:29:44 mail postfix/qmgr[8180]: 7C9F717CDDE: removed

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,793

Re: Reject_sender_login_mismatch not wokring

*) According to your log, we cannot see different sender address.
*) Any related log in /var/log/iredapd/iredapd.log?

4 Reply by zeep (edited by zeep 2017-08-27 19:34:15)

  • zeep
  • Member
  • Offline
  • Registered: 2017-08-16
  • Posts: 10

Re: Reject_sender_login_mismatch not wokring

ZhangHuangbin wrote:

*) According to your log, we cannot see different sender address.
*) Any related log in /var/log/iredapd/iredapd.log?

Thanks for the reply. Yes, the log does not show the random address that I entered as FROM address. But it instead shows the address that I signed in with the email client (Thunderbird).  It is weird. /var/log/iredapd/iredapd.log shows lines like following:

2017-08-27 08:26:12 INFO [my_IP] END-OF-MESSAGE, xxx-xx@mydomain.com => xx-xx-xx@gmail.com, DUNNO [0.0016s]

There is nothing peculiar in that one either.

By the way, I didn't change anything except SSL certificate lines in Postfix after installation on Ubuntu. So its still using the same configuration shipped inside iredmail installer.

SMTP Service Status Error: fatal: no SASL authentication mechanisms

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,793

Re: Reject_sender_login_mismatch not wokring

zeep wrote:

2017-08-27 08:26:12 INFO [my_IP] END-OF-MESSAGE, xxx-xx@mydomain.com => xx-xx-xx@gmail.com, DUNNO [0.0016s]

in iRedAPD log,  "=>" indicates the smtp auth username and the sender address are the same.

If you see iRedAPD log like below, that means smtp auth username and sender address are different:

2017-08-27 08:26:12 INFO [my_IP] END-OF-MESSAGE, xxx-xx@mydomain.com => yyy@zzz.com -> xx-xx-xx@gmail.com, DUNNO [0.0016s]

6 Reply by zeep (edited by zeep 2017-08-28 04:27:56)

  • zeep
  • Member
  • Offline
  • Registered: 2017-08-16
  • Posts: 10

Re: Reject_sender_login_mismatch not wokring

I think I was confused. What I want to achieve is that if a user with email (john@domain.com) changes FROM address to (jim@domain.com), I want postfix to force rewrite the FROM address as the original (john@domain.com).

What I want is the opposite of the guide here: http://www.iredmail.org/docs/allow.cert … .user.html

iredapd log shows smtp auth username and the sender address are the same but when the mail arrives in my gmail, the sender is the random one that I set in the mail client.

Is the order of options like reject_sender_login_mismatch, reject_unlisted_domain etc important in postfix main.cf?

7 Reply by zeep (edited by zeep 2017-08-29 07:58:05)

  • zeep
  • Member
  • Offline
  • Registered: 2017-08-16
  • Posts: 10

Re: Reject_sender_login_mismatch not wokring

ZhangHuangbin wrote:
zeep wrote:

2017-08-27 08:26:12 INFO [my_IP] END-OF-MESSAGE, xxx-xx@mydomain.com => xx-xx-xx@gmail.com, DUNNO [0.0016s]

in iRedAPD log,  "=>" indicates the smtp auth username and the sender address are the same.

If you see iRedAPD log like below, that means smtp auth username and sender address are different:

2017-08-27 08:26:12 INFO [my_IP] END-OF-MESSAGE, xxx-xx@mydomain.com => yyy@zzz.com -> xx-xx-xx@gmail.com, DUNNO [0.0016s]


After trying out different things, I found that reject_sender_login_mismatch is actually working. I didn't realize the issue was with headers. So after rewriting headers (From,Return-Path) using header_checks, I think it should be ok.