1 Topic by bradford

  • bradford
  • Member
  • Offline
  • Registered: 2019-05-03
  • Posts: 33

Topic: Reject Sender Login Mismatch

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 9.9 MariaDB
- Deployed with iRedMail Easy or the downloadable installer: Probably downloadable version 9.7 or before
- Linux/BSD distribution name and version: CentOS Linux release 7.6.1810 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,

We just had someone ask if we could allow them to send as an alias, I looked it up and found this:
https://docs.iredmail.org/allow.member. … .list.html

I followed this and found that, using the "From" field in Outlook I could mail as anyone, not just aliases/lists I was a member of, but accounts or anyone at all.

Below is debug from iredapd while sending with a different from address...

Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: --> Apply plugin: reject_sender_login_mismatch
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: Sender: bradford@domain.tld, SASL username: bradford@domain.tld
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: SKIP: sender == sasl username.
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: <-- Result: DUNNO

Is this normal/expected behavior?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Reject Sender Login Mismatch

What's the modified settings in /opt/iredapd/settings.py?

3 Reply by bradford

  • bradford
  • Member
  • Offline
  • Registered: 2019-05-03
  • Posts: 33

Re: Reject Sender Login Mismatch

Other than standard settings related to the service and database information this is all we have...

plugins = [
    "reject_null_sender",
    "wblist_rdns",
    "reject_sender_login_mismatch",
    "greylisting",
    "throttle",
    "amavisd_wblist",
    "sql_alias_access_policy"
    ]

# ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True

Note: I purposely commented out the last directive until I get this worked out.

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Reject Sender Login Mismatch

bradford wrote:

# ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True

You can enable this setting to allow members of mail alias account to send as mail alias (Specify the email address of mail alias account in the "From:" header on sent email).

If you still have some issue, please turn on debug mode in iRedAPD, then reproduce the issue and paste me full + original iredapd log.

5 Reply by bradford

  • bradford
  • Member
  • Offline
  • Registered: 2019-05-03
  • Posts: 33

Re: Reject Sender Login Mismatch

ZhangHuangbin wrote:
bradford wrote:

# ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True

You can enable this setting to allow members of mail alias account to send as mail alias (Specify the email address of mail alias account in the "From:" header on sent email).

If you still have some issue, please turn on debug mode in iRedAPD, then reproduce the issue and paste me full + original iredapd log.

The problem is that even if this setting is off it allows you to change the address in the From: field. When it's on you can change the From: address to be anything you want, it will not prevent you from mailing as aliases you are not member of, or mailboxes that are not your own.

iRedAPD debug is already on and I provided you with relevant events.

Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: --> Apply plugin: reject_sender_login_mismatch
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: Sender: bradford@domain.tld, SASL username: bradford@domain.tld
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: SKIP: sender == sasl username.
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: <-- Result: DUNNO

Again these are when the setting is enabled and I am sending as anyone other than my sender... it says SKIP because sender is == sasl username... but in my From: i can list anyone.

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Reject Sender Login Mismatch

How did you send email?

Postfix pipes the info it gets during smtp session, the sender address is the one specified in "MAIL FROM:" directive, not from mail header.

7 Reply by bradford

  • bradford
  • Member
  • Offline
  • Registered: 2019-05-03
  • Posts: 33

Re: Reject Sender Login Mismatch

ZhangHuangbin wrote:

How did you send email?

Had an Outlook profile set up for an account, started a new email, selected the "From:" field, manually entered anything. Completed the email and sent.

Recipient sees whoever I put in the from field unless you look at the headers.

Am I misunderstanding the intent behind the "reject_sender_login_mismatch" plugin, and the "ALLOWED_LOGIN_MISMATCH_LIST_MEMBER" directive?

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Reject Sender Login Mismatch

There're few "sender" addresses:

1) The username used for smtp authentication
2) The one MUA (Outlook) specifies in SMTP session (command "MAIL FROM:")
3) The one in composed/encoded email message (mail header)

For the "reject_sender_login_mismatch" plugin, it checks #1 and #2, but not #3 because Postfix doesn't pipe full email message (or just mail headers) to iRedAPD, so iRedAPD doesn't get the "From:" header in message.

This is limited by how "Postfix SMTP access policy delegation" works:
http://www.postfix.org/SMTPD_POLICY_README.html

Unless we rewrite iRedAPD to be a milter program, otherwise iRedAPD won't get the mail headers and body.