1

Topic: Reject Sender Login Mismatch

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 9.9 MariaDB
- Deployed with iRedMail Easy or the downloadable installer: Probably downloadable version 9.7 or before
- Linux/BSD distribution name and version: CentOS Linux release 7.6.1810 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,

We just had someone ask if we could allow them to send as an alias, I looked it up and found this:
https://docs.iredmail.org/allow.member. … .list.html

I followed this and found that, using the "From" field in Outlook I could mail as anyone, not just aliases/lists I was a member of, but accounts or anyone at all.

Below is debug from iredapd while sending with a different from address...

Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: --> Apply plugin: reject_sender_login_mismatch
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: Sender: bradford@domain.tld, SASL username: bradford@domain.tld
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: SKIP: sender == sasl username.
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: <-- Result: DUNNO

Is this normal/expected behavior?

2

Re: Reject Sender Login Mismatch

What's the modified settings in /opt/iredapd/settings.py?

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: Reject Sender Login Mismatch

Other than standard settings related to the service and database information this is all we have...

plugins = [
    "reject_null_sender",
    "wblist_rdns",
    "reject_sender_login_mismatch",
    "greylisting",
    "throttle",
    "amavisd_wblist",
    "sql_alias_access_policy"
    ]

# ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True

Note: I purposely commented out the last directive until I get this worked out.

4

Re: Reject Sender Login Mismatch

bradford wrote:

# ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True

You can enable this setting to allow members of mail alias account to send as mail alias (Specify the email address of mail alias account in the "From:" header on sent email).

If you still have some issue, please turn on debug mode in iRedAPD, then reproduce the issue and paste me full + original iredapd log.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

5

Re: Reject Sender Login Mismatch

ZhangHuangbin wrote:
bradford wrote:

# ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True

You can enable this setting to allow members of mail alias account to send as mail alias (Specify the email address of mail alias account in the "From:" header on sent email).

If you still have some issue, please turn on debug mode in iRedAPD, then reproduce the issue and paste me full + original iredapd log.

The problem is that even if this setting is off it allows you to change the address in the From: field. When it's on you can change the From: address to be anything you want, it will not prevent you from mailing as aliases you are not member of, or mailboxes that are not your own.

iRedAPD debug is already on and I provided you with relevant events.

Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: --> Apply plugin: reject_sender_login_mismatch
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: Sender: bradford@domain.tld, SASL username: bradford@domain.tld
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: SKIP: sender == sasl username.
Jun 26 15:35:34 mail.domain.tld python2[15264]: iredapd DEBUG: <-- Result: DUNNO

Again these are when the setting is enabled and I am sending as anyone other than my sender... it says SKIP because sender is == sasl username... but in my From: i can list anyone.

6

Re: Reject Sender Login Mismatch

How did you send email?

Postfix pipes the info it gets during smtp session, the sender address is the one specified in "MAIL FROM:" directive, not from mail header.

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee