*) Your log shows only the "protocol_state=END-OF-MESSAGE" part, but not the log of the "protocol_state=RCPT" part.
-> The logs don't show the protocol_state=RCPT part for mailing list address checking, but they do show it when checking recipient addresses, e.g.
2017-10-16 10:56:54 DEBUG Connect from 10.1.2.39, port 4530.
2017-10-16 10:56:54 DEBUG smtp session: request=smtpd_access_policy
2017-10-16 10:56:54 DEBUG smtp session: protocol_state=RCPT
2017-10-16 10:56:54 DEBUG smtp session: protocol_name=ESMTP
2017-10-16 10:56:54 DEBUG smtp session: client_address=10.1.2.33
2017-10-16 10:56:54 DEBUG smtp session: client_name=unknown
2017-10-16 10:56:54 DEBUG smtp session: client_port=34364
2017-10-16 10:56:54 DEBUG smtp session: reverse_client_name=unknown
2017-10-16 10:56:54 DEBUG smtp session: server_address=10.1.2.39
2017-10-16 10:56:54 DEBUG smtp session: server_port=25
2017-10-16 10:56:54 DEBUG smtp session: helo_name=sv001-ser-gms002.xxx.co.yy
2017-10-16 10:56:54 DEBUG smtp session: sender=kambeylk@gmail.com
2017-10-16 10:56:54 DEBUG smtp session: recipient=noreply@xxx.co.yy
2017-10-16 10:56:54 DEBUG smtp session: recipient_count=0
2017-10-16 10:56:54 DEBUG smtp session: queue_id=
2017-10-16 10:56:54 DEBUG smtp session: instance=5d7e.59e46646.b14de.0
2017-10-16 10:56:54 DEBUG smtp session: size=6813
2017-10-16 10:56:54 DEBUG smtp session: etrn_domain=
2017-10-16 10:56:54 DEBUG smtp session: stress=
2017-10-16 10:56:54 DEBUG smtp session: sasl_method=
2017-10-16 10:56:54 DEBUG smtp session: sasl_username=
2017-10-16 10:56:54 DEBUG smtp session: sasl_sender=
2017-10-16 10:56:54 DEBUG smtp session: ccert_subject=
2017-10-16 10:56:54 DEBUG smtp session: ccert_issuer=
2017-10-16 10:56:54 DEBUG smtp session: ccert_fingerprint=
2017-10-16 10:56:54 DEBUG smtp session: ccert_pubkey_fingerprint=
2017-10-16 10:56:54 DEBUG smtp session: encryption_protocol=TLSv1.2
2017-10-16 10:56:54 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES256-GCM-SHA384
2017-10-16 10:56:54 DEBUG smtp session: encryption_keysize=256
2017-10-16 10:56:54 DEBUG smtp session: policy_context=
2017-10-16 10:56:54 DEBUG LDAP connection initialied success.
2017-10-16 10:56:54 DEBUG LDAP bind success.
2017-10-16 10:56:54 DEBUG --> Apply plugin: reject_null_sender
2017-10-16 10:56:54 DEBUG <-- Result: DUNNO
2017-10-16 10:56:54 DEBUG --> Apply plugin: wblist_rdns
2017-10-16 10:56:54 DEBUG No reverse dns name, bypass.
2017-10-16 10:56:54 DEBUG <-- Result: DUNNO
2017-10-16 10:56:54 DEBUG --> Apply plugin: greylisting
2017-10-16 10:56:54 DEBUG [SQL] Query greylisting whitelists from `greylisting_whitelist_domain_spf`:
SELECT id, sender, comment
FROM greylisting_whitelist_domain_spf
WHERE account IN ('noreply@xxx.co.yy', '@xxx.co.yy', '@.', '@.xxx.co.yy', '@.co.yy', '@.yy')
2017-10-16 10:56:54 DEBUG [10.1.2.33] No whitelist found.
2017-10-16 10:56:54 DEBUG [SQL] Query greylisting whitelists from `greylisting_whitelists`:
SELECT id, sender, comment
FROM greylisting_whitelists
WHERE account IN ('noreply@xxx.co.yy', '@xxx.co.yy', '@.', '@.xxx.co.yy', '@.co.yy', '@.yy')
2017-10-16 10:56:54 DEBUG [10.1.2.33] No whitelist found.
2017-10-16 10:56:54 DEBUG No whitelist found.
2017-10-16 10:56:54 DEBUG [SQL] query greylisting settings:
SELECT id, account, sender, sender_priority, active
FROM greylisting
WHERE account IN ('noreply@xxx.co.yy', '@xxx.co.yy', '@.', '@.xxx.co.yy', '@.co.yy', '@.yy')
ORDER BY priority DESC, sender_priority DESC
2017-10-16 10:56:54 DEBUG [SQL] query result: [(1L, '@.', '@.', 0, 1)]
2017-10-16 10:56:54 DEBUG Greylisting should be applied according to SQL record: (id=1, account='@.', sender='@.')
2017-10-16 10:56:54 DEBUG [SQL] check whether client address (10.1.2.33) passed greylisting:
SELECT id
FROM greylisting_tracking
WHERE client_address='10.1.2.33'
AND passed=1
LIMIT 1
2017-10-16 10:56:54 DEBUG Client address (10.1.2.33) passed greylisting.
2017-10-16 10:56:54 DEBUG [SQL] Update expire time of passed client:
UPDATE greylisting_tracking
SET record_expired=1510732614
WHERE client_address='10.1.2.33' AND passed=1
2017-10-16 10:56:54 DEBUG <-- Result: DUNNO
2017-10-16 10:56:54 DEBUG --> Apply plugin: throttle
2017-10-16 10:56:54 DEBUG Check sender throttling.
2017-10-16 10:56:54 DEBUG [SQL] Query throttle setting:
SELECT id, account, priority, period, max_msgs, max_quota, msg_size
FROM throttle
WHERE kind='external' AND account IN ('10.1.2.33', '@ip', 'kambeylk@gmail.com', '@gmail.com', '@.', '@.gmail.com', '@.com', '10.1.2.*', '10.1.*.33')
ORDER BY priority DESC
2017-10-16 10:56:54 DEBUG [SQL] Query result:
[]
2017-10-16 10:56:54 DEBUG No sender throttle setting.
2017-10-16 10:56:54 DEBUG Check recipient throttling.
2017-10-16 10:56:54 DEBUG [SQL] Query throttle setting:
SELECT id, account, priority, period, max_msgs, max_quota, msg_size
FROM throttle
WHERE kind='inbound' AND account IN ('10.1.2.33', '@ip', 'noreply@xxx.co.yy', '@xxx.co.yy', '@.', '@.xxx.co.yy', '@.co.yy', '@.yy', '10.1.2.*', '10.1.*.33')
ORDER BY priority DESC
2017-10-16 10:56:54 DEBUG [SQL] Query result:
2017-10-16 10:56:54 DEBUG No recipient throttle setting.
2017-10-16 10:56:54 DEBUG <-- Result: DUNNO
2017-10-16 10:56:54 DEBUG [+] Getting LDIF data of account: noreply@xxx.co.yy
2017-10-16 10:56:54 DEBUG search base dn: o=domains,dc=xxx,dc=co,dc=yy
2017-10-16 10:56:54 DEBUG search scope: SUBTREE
2017-10-16 10:56:54 DEBUG search filter: (&(!(domainStatus=disabled))(|(mail=noreply@xxx.co.yy)(shadowAddress=noreply@xxx.co.yy))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2017-10-16 10:56:54 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy']
2017-10-16 10:56:54 DEBUG No such account.
2017-10-16 10:56:54 DEBUG --> Apply plugin: ldap_maillist_access_policy
2017-10-16 10:56:54 DEBUG <-- Result: DUNNO (Recipient is not a local account - no LDIF data)
2017-10-16 10:56:54 DEBUG --> Apply plugin: amavisd_wblist
2017-10-16 10:56:54 DEBUG Possible policy senders: ['kambeylk@gmail.com', '@gmail.com', '@.', '@.gmail.com', '@.com', 'kambeylk@*', '10.1.2.33', '10.1.2.*', '10.1.*.33']
2017-10-16 10:56:54 DEBUG Possible policy recipients: ['noreply@xxx.co.yy', '@xxx.co.yy', '@.', '@.xxx.co.yy', '@.co.yy', '@.yy']
2017-10-16 10:56:54 DEBUG Apply wblist for inbound message.
2017-10-16 10:56:54 DEBUG [SQL] Query local addresses:
SELECT id, email
FROM users
WHERE email IN ('noreply@gov.go.tz', '@xxx.co.yy', '@.', '@.gxxx.co.yy', '@.co.yy', '@.yy')
ORDER BY priority DESC
2017-10-16 10:56:54 DEBUG Local addresses (in `users`): [(1L, '@.')]
2017-10-16 10:56:54 DEBUG [SQL] Query external addresses:
SELECT id, email
FROM mailaddr
WHERE email IN ('kambeylk@gmail.com', '@gmail.com', '@.', '@.gmail.com', '@.com', 'kambeylk@*', '10.1.2.33', '10.1.2.*', '10.1.*.33')
ORDER BY priority DESC
2017-10-16 10:56:54 DEBUG Local addresses (in `users`): [(1L, '@.')]
2017-10-16 10:56:54 DEBUG [SQL] Query external addresses:
SELECT id, email
FROM mailaddr
WHERE email IN ('kambeylk@gmail.com', '@gmail.com', '@.', '@.gmail.com', '@.com', 'kambeylk@*', '10.1.2.33', '10.1.2.*', '10.1.*.33')
ORDER BY priority DESC
2017-10-16 10:56:54 DEBUG No record found in SQL database.
2017-10-16 10:56:54 DEBUG [SQL] Query CIDR network:
SELECT id, email
FROM mailaddr
WHERE email LIKE '10.%%'
ORDER BY priority DESC
2017-10-16 10:56:54 DEBUG No valid sender id or recipient id.
2017-10-16 10:56:54 DEBUG <-- Result: DUNNO
2017-10-16 10:56:54 DEBUG Session ended.
2017-10-16 10:56:54 INFO [10.1.2.33] RCPT, kambeylk@gmail.com -> noreply@xxx.co.yy, DUNNO [0.0382s]
2017-10-16 10:56:54 DEBUG Close LDAP connection.
The same applies for each member of the group.
For the mailing list itself, below is the portion of the logs:
2017-10-17 07:54:52 DEBUG smtp session: request=smtpd_access_policy
2017-10-17 07:54:52 DEBUG smtp session: protocol_state=RCPT
2017-10-17 07:54:52 DEBUG smtp session: protocol_name=ESMTP
2017-10-17 07:54:52 DEBUG smtp session: client_address=10.1.2.37
2017-10-17 07:54:52 DEBUG smtp session: client_name=unknown
2017-10-17 07:54:52 DEBUG smtp session: reverse_client_name=unknown
2017-10-17 07:54:52 DEBUG smtp session: helo_name=10.1.2.33
2017-10-17 07:54:52 DEBUG smtp session: sender=kambey@xxx.co.yy
2017-10-17 07:54:52 DEBUG smtp session: recipient=group.test@xxx.co.yy
2017-10-17 07:54:52 DEBUG smtp session: recipient_count=0
2017-10-17 07:54:52 DEBUG smtp session: queue_id=
2017-10-17 07:54:52 DEBUG smtp session: instance=c339.59e58d1c.203f7.0
2017-10-17 07:54:52 DEBUG smtp session: size=2438
2017-10-17 07:54:52 DEBUG smtp session: etrn_domain=
2017-10-17 07:54:52 DEBUG smtp session: stress=
2017-10-17 07:54:52 DEBUG smtp session: sasl_method=PLAIN
2017-10-17 07:54:52 DEBUG smtp session: sasl_username=kambey@xxx.co.yy
2017-10-17 07:54:52 DEBUG smtp session: sasl_sender=
2017-10-17 07:54:52 DEBUG smtp session: ccert_subject=
2017-10-17 07:54:52 DEBUG smtp session: ccert_issuer=
2017-10-17 07:54:52 DEBUG smtp session: ccert_fingerprint=
2017-10-17 07:54:52 DEBUG smtp session: ccert_pubkey_fingerprint=
2017-10-17 07:54:52 DEBUG smtp session: encryption_protocol=TLSv1
2017-10-17 07:54:52 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES256-SHA
2017-10-17 07:54:52 DEBUG smtp session: encryption_keysize=256
2017-10-17 07:54:52 DEBUG LDAP connection initialied success.
2017-10-17 07:54:52 DEBUG LDAP bind success.
2017-10-17 07:54:52 DEBUG --> Apply plugin: reject_null_sender
2017-10-17 07:54:52 DEBUG <-- Result: DUNNO
2017-10-17 07:54:52 DEBUG --> Apply plugin: wblist_rdns
2017-10-17 07:54:52 DEBUG Found SASL username, bypass rDNS check for outbound.
2017-10-17 07:54:52 DEBUG <-- Result: DUNNO
2017-10-17 07:54:52 DEBUG --> Apply plugin: greylisting
2017-10-17 07:54:52 DEBUG Found SASL username, bypass greylisting for outbound email.
2017-10-17 07:54:52 DEBUG <-- Result: DUNNO
2017-10-17 07:54:52 DEBUG --> Apply plugin: throttle
2017-10-17 07:54:52 DEBUG SKIP: Sender domain (@xxx.co.yy) is same as recipient domain.
2017-10-17 07:54:52 DEBUG <-- Result: DUNNO
2017-10-17 07:54:52 DEBUG [+] Getting LDIF data of account: group.test@xxx.co.yy
2017-10-17 07:54:52 DEBUG search base dn: o=domains,dc=gov,dc=go,dc=tz
2017-10-17 07:54:52 DEBUG search scope: SUBTREE
2017-10-17 07:54:52 DEBUG search filter: (&(!(domainStatus=disabled))(|(mail=group.test@xxx.co.yy)(shadowAddress=group.test@xxx.co.yy))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2017-10-17 07:54:52 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy']
2017-10-17 07:54:52 DEBUG result: [('mail=group.test@xxx.co.yy,ou=Groups,domainName=xxx.co.yy,o=domains,dc=gov,dc=go,dc=tz', {'objectClass': ['mailList'], 'accessPolicy': ['allowedOnly'], 'listAllowedUser': ['kambeylk@gmail.com']})]
2017-10-17 07:54:52 DEBUG --> Apply plugin: ldap_maillist_access_policy
2017-10-17 07:54:52 DEBUG Access policy of mailing list (group.test@ega.go.tz): allowedonly
2017-10-17 07:54:52 DEBUG Primary and all alias domain names of recipient domain xxx.co.yy): xxx.co.yy
2017-10-17 07:54:52 DEBUG Sender domain and sub-domains: xxx.co.yy, .xxx.co.yy, .co.yy
2017-10-17 07:54:52 DEBUG Sender is not explicitly allowed, perform extra LDAP query to check access.
2017-10-17 07:54:52 DEBUG <-- Result: DUNNO (Unknown access policy: allowedonly, no restriction)
2017-10-17 07:54:52 DEBUG --> Apply plugin: amavisd_wblist
2017-10-17 07:54:52 DEBUG Possible policy senders: ['kambey@xxx.co.yy', '@xxx.co.yy', '@.', '@.xxx.co.yy', '@.go.yy', '@.yy', '10.1.2.37', '10.1.2.*', '10.1.*.37']
2017-10-17 07:54:52 DEBUG Possible policy recipients: ['group.test@exxx.co.yy', '@xxx.co.yy, '@.', '@.xxx.co.yy', '@.co.yy', '@.yy']
2017-10-17 07:54:52 DEBUG Apply wblist for outbound message.
2017-10-17 07:54:52 DEBUG [SQL] Query local addresses:
SELECT id, email
FROM users
WHERE email IN ('kambey@xxx.co.yy', '@xxx.co.yy', '@.', '@.xxx.co.yy', '@.co.yy', '@.yy', '10.1.2.37', '10.1.2.*', '10.1.*.37')
ORDER BY priority DESC
2017-10-17 07:54:52 DEBUG Local addresses (in `users`): [(1L, '@.')]
2017-10-17 07:54:52 DEBUG [SQL] Query external addresses:
SELECT id, email
FROM mailaddr
WHERE email IN ('group.test@xxx.co.yy', '@xxx.co.yy', '@.', '@.xxx.co.yy', '@.co.yy', '@.yy')
ORDER BY priority DESC
2017-10-17 07:54:52 DEBUG No record found in SQL database.
2017-10-17 07:54:52 DEBUG [SQL] Query CIDR network:
SELECT id, email
FROM mailaddr
WHERE email LIKE '10.%%'
ORDER BY priority DESC
2017-10-17 07:54:52 DEBUG No valid sender id or recipient id.
2017-10-17 07:54:52 DEBUG Apply wblist for inbound message.
2017-10-17 07:54:52 DEBUG [SQL] Query local addresses:
SELECT id, email
FROM users
WHERE email IN ('group.test@xxx.co.yy', '@xxx.co.yy', '@.', '@.xxx.co.yy', '@.co.yy', '@.yy)
ORDER BY priority DESC
2017-10-17 07:54:52 DEBUG Local addresses (in `users`): [(1L, '@.')]
2017-10-17 07:54:52 DEBUG [SQL] Query external addresses:
SELECT id, email
FROM mailaddr
WHERE email IN ('kambey@xxx.co.yy', '@xxx.co.yy, '@.', '@.xxx.co.yy', '@.co.yy', '@.yy', '10.1.2.37', '10.1.2.*', '10.1.*.37')
ORDER BY priority DESC
2017-10-17 07:54:52 DEBUG No record found in SQL database.
2017-10-17 07:54:52 DEBUG No valid sender id or recipient id.
2017-10-17 07:54:52 DEBUG <-- Result: DUNNO
2017-10-17 07:54:52 DEBUG Session ended.
Here the allowed moderator is kambeylk@gmail.com, but even kambey@xxx.co.yy can send to the mailing list.
It seems the policy is seen by the query, but the conclusion is reported as an unknown access policy, as below:
Sender is not explicitly allowed, perform extra LDAP query to check access.
DEBUG <-- Result: DUNNO (Unknown access policy: allowedonly, no restriction)
*) Please show me the output of the commands below:
postconf smtpd_recipient_restrictions
=>
#postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = check_policy_service inet:10.1.2.33:7777, check_sender_access hash:/etc/postfix/sender_access, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, permit_sasl_authenticated, reject_unauth_destination, check_client_access hash:/etc/postfix/rbl_override, reject_rbl_client blackholes.easynet.nl, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl.spamhaus.org
(This is for the incoming server, which connects to the LDAP/iRedAPD server 10.1.2.33)
postconf smtpd_end_of_data_restrictions
=>
# postconf smtpd_end_of_data_restrictions
smtpd_end_of_data_restrictions = check_policy_service inet:10.1.2.33:7777
Also, the default settings in iRedMail are:
smtpd_recipient_restrictions =
reject_unknown_recipient_domain
reject_non_fqdn_recipient
reject_unlisted_recipient
check_policy_service inet:127.0.0.1:7777
permit_mynetworks
permit_sasl_authenticated
reject_unauth_destination
My SMTP and MX servers are dependent, and each connects to the LDAP/iRedAPD server 10.1.2.33.
smtpd_end_of_data_restrictions =
check_policy_service inet:127.0.0.1:7777
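The debug logs above are easier to audit when they are grouped per RCPT session and each plugin's result is read back alongside the reason it gave. The script below is an added example, not iRedAPD's own code: it parses lines in the format quoted in the post (the sample lines are constructed after those quoted here, with the same host and address placeholders) and flags sessions where the ldap_maillist_access_policy plugin answered DUNNO only because it reported the list's access policy as unknown, which is the case shown in the log: a restricted list whose restriction was not enforced.

```python
"""Group iRedAPD-style debug lines into RCPT sessions and flag mailing-list
decisions that fell through as DUNNO because the access policy was reported
as unknown.  Added example; the sample log is constructed, not quoted."""
import re

# Constructed sample: a mailing-list recipient whose policy is reported as
# unknown, followed by a plain recipient with no LDIF data.
SAMPLE_LOG = """\
2017-10-17 07:54:52 DEBUG smtp session: request=smtpd_access_policy
2017-10-17 07:54:52 DEBUG smtp session: protocol_state=RCPT
2017-10-17 07:54:52 DEBUG smtp session: sender=kambey@xxx.co.yy
2017-10-17 07:54:52 DEBUG smtp session: recipient=group.test@xxx.co.yy
2017-10-17 07:54:52 DEBUG smtp session: sasl_username=kambey@xxx.co.yy
2017-10-17 07:54:52 DEBUG --> Apply plugin: reject_null_sender
2017-10-17 07:54:52 DEBUG <-- Result: DUNNO
2017-10-17 07:54:52 DEBUG --> Apply plugin: ldap_maillist_access_policy
2017-10-17 07:54:52 DEBUG Access policy of mailing list (group.test@xxx.co.yy): allowedonly
2017-10-17 07:54:52 DEBUG <-- Result: DUNNO (Unknown access policy: allowedonly, no restriction)
2017-10-17 07:54:52 DEBUG Session ended.
2017-10-16 10:56:54 DEBUG smtp session: request=smtpd_access_policy
2017-10-16 10:56:54 DEBUG smtp session: protocol_state=RCPT
2017-10-16 10:56:54 DEBUG smtp session: sender=kambeylk@gmail.com
2017-10-16 10:56:54 DEBUG smtp session: recipient=noreply@xxx.co.yy
2017-10-16 10:56:54 DEBUG smtp session: sasl_username=
2017-10-16 10:56:54 DEBUG --> Apply plugin: ldap_maillist_access_policy
2017-10-16 10:56:54 DEBUG <-- Result: DUNNO (Recipient is not a local account - no LDIF data)
2017-10-16 10:56:54 DEBUG Session ended.
"""

SESSION_KV = re.compile(r"smtp session: (\w+)=(.*)$")
PLUGIN_START = re.compile(r"--> Apply plugin: (\S+)")
PLUGIN_RESULT = re.compile(r"<-- Result: (\S+)(?: \((.*)\))?$")
LIST_POLICY = re.compile(r"Access policy of mailing list \(([^)]+)\): (\S+)")


def parse_sessions(log_text):
    """Split the log into sessions.  Each session holds the 'smtp session:'
    attributes, a 'plugins' list of (name, result, reason) in the order the
    plugins ran, and the mailing-list policy reported, if any."""
    sessions, current, plugin = [], None, None
    for line in log_text.splitlines():
        if "request=smtpd_access_policy" in line:
            current = {"attrs": {}, "plugins": [], "list_policy": None}
            sessions.append(current)
            continue
        if current is None:
            continue  # lines before the first session, e.g. "Connect from"
        m = SESSION_KV.search(line)
        if m:
            current["attrs"][m.group(1)] = m.group(2)
            continue
        m = PLUGIN_START.search(line)
        if m:
            plugin = m.group(1)
            continue
        m = LIST_POLICY.search(line)
        if m:
            current["list_policy"] = (m.group(1), m.group(2))
            continue
        m = PLUGIN_RESULT.search(line)
        if m and plugin:
            current["plugins"].append((plugin, m.group(1), m.group(2) or ""))
            plugin = None
            continue
        if "Session ended" in line:
            current = None
    return sessions


def fail_open_decisions(sessions):
    """Return (sender, recipient, policy) for every session in which the
    mailing-list plugin returned DUNNO with an 'Unknown access policy'
    reason, i.e. the list's restriction was not enforced."""
    hits = []
    for s in sessions:
        for name, result, reason in s["plugins"]:
            if (name == "ldap_maillist_access_policy" and result == "DUNNO"
                    and "Unknown access policy" in reason):
                policy = s["list_policy"][1] if s["list_policy"] else "?"
                hits.append((s["attrs"].get("sender"),
                             s["attrs"].get("recipient"), policy))
    return hits


if __name__ == "__main__":
    for sender, rcpt, policy in fail_open_decisions(parse_sessions(SAMPLE_LOG)):
        print(f"fail-open: {sender} -> {rcpt} (policy {policy!r} not enforced)")
```

Run it against a real iRedAPD debug log by replacing SAMPLE_LOG with the file contents; any line printed is a delivery to a restricted list that the policy plugin let through without checking, which is the condition to watch for while the policy-name handling is being sorted out.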