1 (edited by Chameleon 2017-11-28 21:04:17)

Topic: Send mail from private IP to iRedMail public IP

==== Required information ====
- iRedMail version (check /etc/iredmail-release):  0.9.7 MYSQL edition
- Linux/BSD distribution name and version: Ubuntu 16.04.3 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

I have a small network with 192.168.0.0/24 as LAN and Public DMZ, where my servers are. One of them is iRedMail.
I want to allow a few servers to be able to send mails without authentication, like reports etc., to mailboxes hosted by iRedMail, which has a Public IP.

The internal domain is not resolvable from Public DMZ and cannot add DNS records for it.

The diagram below shows the setup. There is no NAT between the internal network and the iRedMail server, which means that in the iRedMail logs the connections from the internal LAN are seen with their actual IP addresses. In this case 192.168.0.200.

I didn't manage to achieve this setup, even though I have listed the 'trusted' internal servers in mynetworks or something else, so that the mails coming from those 'trusted' servers bypass all the security checks which iRedMail has.

I know that if I add the local fake domain into iRedMail, this may solve the case, but this is something which I want to avoid, as I will end up with a list of a bunch of internal domains on the iRedMail admin panel.

Is there a simple way to do it?

Thanks in advance.

BR,
Stan

Post's attachments

Network.jpg

2

Re: Send mail from private IP to iRedMail public IP

Your firewall should have a public IP address, then whitelist it in iRedMail (Postfix "mynetworks =").

3 (edited by Chameleon 2017-11-30 00:03:48)

Re: Send mail from private IP to iRedMail public IP

ZhangHuangbin wrote:

Your firewall should have a public IP address, then whitelist it in iRedMail (Postfix "mynetworks =").

The firewall interface towards iRedMail has Public IP, there is no issue about this.
I have added the needed IPs into mynetworks, I have even tried adding the entire LAN into mynetworks, but this didn't help.
I have moved permit_mynetworks above the other setting and restarted postfix, but no luck.

For systems with which I can set up user/pass for sasl auth - there is no issue.
For systems or printers to which I cannot add user/pass - there is an issue.

I have created an internal system with postfix and used ssl auth user/pass to try to send mail from that machine - this worked.

Then I tried to point a printer or system to send a mail through that machine (which can send mail to iRedMail) to iRedMail, but no luck. iRedMail drops the mail.


BR,
Stan

4

Re: Send mail from private IP to iRedMail public IP

Please show us related error message.

5

Re: Send mail from private IP to iRedMail public IP

ZhangHuangbin wrote:

Please show us related error message.

The most frequent errors are these:

Nov 29 20:54:48 mail postfix/submission/smtpd[13725]: NOQUEUE: reject: RCPT from lpngmailrelay01.domain.com[192.168.0.200]: 554 5.7.1 <joro@domain.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<root@isu.domain.com> to=<joro@optixco.com> proto=ESMTP helo=<lpngmailrelay01.domain.com>


Nov 29 21:29:24 lpngmailrelay01 postfix/smtp[4794]: 85EE67FEA4: to=<root@isu.domain.com>, relay=mail.domain.com[public IP of iRedMail]:587, delay=105313, delays=105312/0.02/0.08/0.25, dsn=4.1.2, status=deferred (host mail.domain.com[public IP of iRedMail] said: 450 4.1.2 <root@isu.domain.com>: Recipient address rejected: Domain not found (in reply to RCPT TO command))

Those errors are for an internal mail relay system (lpngmailrelay01), which we build and which uses sasl authentication towards iRedMail. I am pointing a printer/MFU to relay through that system, in order for the users to have scan to email features enabled.

6

Re: Send mail from private IP to iRedMail public IP

Chameleon wrote:

Recipient address rejected: Sender is not same as SMTP authenticate username

FYI: https://docs.iredmail.org/errors.html#r … e-username

Chameleon wrote:

Recipient address rejected: Domain not found

Domain name is not resolvable by DNS query, or no entry in /etc/hosts, /var/spool/postfix/etc/hosts.

7

Re: Send mail from private IP to iRedMail public IP

ZhangHuangbin wrote:
Chameleon wrote:

Recipient address rejected: Sender is not same as SMTP authenticate username

FYI: https://docs.iredmail.org/errors.html#r … e-username

Chameleon wrote:

Recipient address rejected: Domain not found

Domain name is not resolvable by DNS query, or no entry in /etc/hosts, /var/spool/postfix/etc/hosts.

Hi, Thanks for the reply.

But this solves my issue partially.

I want mails coming from the internal network (or at least known servers) to bypass all the security checks, which are applicable to external hosts. I don't want an internal host to use tls auth in order to send me a mail with report issue via cron job for example.
I have added the internal network into the mynetworks directive in main.cf and I have moved the permit_mynetworks on top of the smtpd_sender_restrictions and the other restrictions as well. But still, cannot send mail from internal networks, due to different types of errors.

Is there a simple way to define which hosts are allowed to send mail to mail server without being inspected for anything?

Thanks in advance.

BR,
Stan

8

Re: Send mail from private IP to iRedMail public IP

Depending on what software you are sending from, you can always send via port 587.
On Linux - the package ssmtp solves that.

9

Re: Send mail from private IP to iRedMail public IP

Chameleon wrote:

But this solves my issue partially.

What's the new error message in Postfix log file?

Did you whitelist internal IP/networks in /opt/iredapd/settings.py with parameter "MYNETWORKS =" too? e.g.

MYNETWORKS = ['xx.xx.xx.xx', 'xx.xx.xx.0/24']

Restarting iredapd service is required.
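
A triage sketch for the rejects discussed in this thread, added here as an example and not part of any post or of iRedMail/iRedAPD: it parses Postfix `NOQUEUE: reject` lines and reports whether each rejected client is covered by a whitelist written in the `MYNETWORKS` syntax above. The whitelist value, the second log line, the hint texts and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed whitelist in the MYNETWORKS syntax shown above: only the relay
# host is trusted, not the whole 192.168.0.0/24 LAN.
MYNETWORKS = ['192.168.0.200']

# First line is the reject quoted earlier in this thread; the second is constructed.
SAMPLE_LOG = """\
Nov 29 20:54:48 mail postfix/submission/smtpd[13725]: NOQUEUE: reject: RCPT from lpngmailrelay01.domain.com[192.168.0.200]: 554 5.7.1 <joro@domain.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<root@isu.domain.com> to=<joro@optixco.com> proto=ESMTP helo=<lpngmailrelay01.domain.com>
Nov 29 21:02:10 mail postfix/smtpd[13801]: NOQUEUE: reject: RCPT from unknown[192.168.0.57]: 450 4.1.2 <root@isu.domain.com>: Recipient address rejected: Domain not found; from=<scanner@isu.domain.com> to=<root@isu.domain.com> proto=ESMTP helo=<printer>
"""

REJECT_RE = re.compile(
    r'postfix/(?P<service>[\w/]+)\[\d+\]: NOQUEUE: reject: \w+ from '
    r'(?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) (?P<dsn>[\d.]+) '
    r'<[^>]*>: (?P<reason>[^;]+); from=<(?P<sender>[^>]*)>')

# Hints restate the reject text and the replies in this thread; they are not iRedMail output.
HINTS = {
    'Sender is not same as SMTP authenticate username': 'envelope sender differs from the SASL login',
    'Domain not found': 'address domain not resolvable via DNS or hosts file on the mail server',
}

def is_trusted(ip, networks=MYNETWORKS):
    """True if ip falls inside any single-address or CIDR entry of networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def triage(log_text, networks=MYNETWORKS):
    """Return one dict per reject line: service, client IP, reason, whitelist coverage."""
    results = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        r = m.groupdict()
        r['reason'] = r['reason'].split(': ', 1)[-1]  # drop "Recipient address rejected"
        r['trusted'] = is_trusted(r['ip'], networks)
        r['hint'] = HINTS.get(r['reason'], 'unclassified')
        results.append(r)
    return results

if __name__ == '__main__':
    for r in triage(SAMPLE_LOG):
        print(r['service'], r['ip'], 'trusted' if r['trusted'] else 'NOT trusted', '|', r['reason'], '|', r['hint'])
```

A reject that still appears for a client reported as trusted points at a check that does not consult the whitelist, which is the situation the first log line in this thread shows.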

10

Re: Send mail from private IP to iRedMail public IP

I can recommend using the package "sSMTP" if you want to send emails from a Linux box.
It can auth to submission (587) over TLS 1.0.