1

Topic: DUNNO policy is not defined in plugin.

Hi,

I get the following after enabling Debug in iredapd log :

Response from plugin (sql_alias_access_policy): DUNNO Policy is not defined in plugin (sql_alias_access_policy.py): .
Final action: None.

I have downloaded the latest sql_alias_access_policy.py

What can be the issue ???

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: DUNNO policy is not defined in plugin.

Do you have access policy defined for your mail alias account?

3

Re: DUNNO policy is not defined in plugin.

Access policy is defined as "moderatorsonly" in mail alias account.

moderators are also defined.

4

Re: DUNNO policy is not defined in plugin.

Could you please show me output of below SQL command? Replace 'USER@DOMAIN.LTD' by the real email address of your alias account.

mysql> USE vmail;
mysql> SELECT address,accesspolicy,active FROM alias WHERE address = 'USER@DOMAIN.LTD';

Also, please paste /opt/iredapd/etc/iredapd.ini. Replace sensitive information before posting.

5

Re: DUNNO policy is not defined in plugin.

ZhangHuangbin wrote:

Could you please show me output of below SQL command? Replace 'USER@DOMAIN.LTD' by the real email address of your alias account.

mysql> USE vmail;
mysql> SELECT address,accesspolicy,active FROM alias WHERE address = 'USER@DOMAIN.LTD';

Also, please paste /opt/iredapd/etc/iredapd.ini. Replace sensitive information before posting.

Hi ZhangHuangbin,

Following is the output of query needed :

+-----------------------+----------------+--------+
| address               | accesspolicy   | active |
+-----------------------+----------------+--------+
| username@domain.ltd | moderatorsonly |      1 |
+-----------------------+----------------+--------+


output of /opt/iredapd/etc/iredapd.ini :


[general]
# Listen address and port.
listen_addr = 127.0.0.1
listen_port = 7777

# Run as a low privileged user.
# If you don't want to create one, you can try 'nobody'.
run_as_user = iredapd

# Background/daemon mode: yes, no.
# Run iRedAPD as daemon, detach iredapd from terminal.
run_as_daemon = yes

# Path to pid file.
pid_file        = /var/run/iredapd.pid

# Log type: file.
# Set 'log_file = /dev/null' if you don't want to keep the log.
log_type        = file
log_file        = /var/log/iredapd.log

# Log level: info, error, debug.
log_level       = debug

# Backend: ldap, mysql.
backend = mysql

[mysql]
# For MySQL backend only.
server = 127.0.0.1
db = vmail
user = username
password = password
alias_table = alias

# Enabled plugins.
#   - Plugin name is file name which placed under 'src/plugins/' directory.
#   - Plugin names MUST be seperated by comma.
plugins = sql_alias_access_policy

6

Re: DUNNO policy is not defined in plugin.

Weird, policy 'moderatorsonly' should work.
Could you please post output of command 'postconf -n' and the whole file of plugin sql_alias_access_policy.py?

7

Re: DUNNO policy is not defined in plugin.

Hi ZhangHuangbin,

Following is the Output :

postconf -n :
----------------

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 500
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname
mydomain = domain.com
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8, 192.168.56.0/23
mynetworks_style = subnet
myorigin = mail.domain.com
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.5.9/README_FILES
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sample_directory = /usr/share/doc/postfix-2.5.9/samples
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10032
smtpd_enforce_tls = no
smtpd_hard_error_limit = 500
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_junk_command_limit = 500
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_sender_login_mismatch,reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, hash:/etc/postfix/reject_sender, check_policy_service inet:127.0.0.1:7778
smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:500

-----------------
iredapd :
-----------------

import os
from web import sqlquote

ACTION_REJECT = 'REJECT Permission denied'
PLUGIN_NAME = os.path.basename(__file__)

# Policies. MUST be defined in lower case.
POLICY_PUBLIC = 'public'
POLICY_DOMAIN = 'domain'
POLICY_SUBDOMAIN = 'subdomain'
POLICY_MEMBERSONLY = 'membersonly'
POLICY_MODERATORSONLY = 'moderatorsonly'
POLICY_ALLOWEDONLY = 'allowedonly'      # Same as @POLICY_MODERATORSONLY
POLICY_MEMBERSANDMODERATORSONLY = 'membersandmoderatorsonly'

def restriction(dbConn, senderReceiver, smtpSessionData, logger, **kargs):

    sql = '''SELECT accesspolicy, goto, moderators \
            FROM alias \
            WHERE address=%s AND domain=%s AND active=1 \
            LIMIT 1 \
    ''' % (sqlquote(senderReceiver.get('recipient')), sqlquote(senderReceiver.get('recipient_domain')),)
    logger.debug('SQL: %s' % sql)

    dbConn.execute(sql)
    sqlRecord = dbConn.fetchone()
    logger.debug('SQL Record: %s' % str(sqlRecord))

    # Recipient account doesn't exist.
    if sqlRecord is None:
        return 'DUNNO Alias account does not exist.'

    policy = str(sqlRecord[0]).lower()

    members = [str(v.lower()) for v in str(sqlRecord[1]).split(',')]
    moderators = [str(v.lower()) for v in str(sqlRecord[2]).split(',')]

    logger.debug('(%s) policy: %s' % (PLUGIN_NAME, policy))
    logger.debug('(%s) members: %s' % (PLUGIN_NAME, ', '.join(members)))
    logger.debug('(%s) moderators: %s' % (PLUGIN_NAME, ', '.join(moderators)))

    if policy == POLICY_PUBLIC:
        # Return if no access policy available or policy is @POLICY_PUBLIC.
        return 'DUNNO'
    elif policy == POLICY_DOMAIN:
        # Bypass all users under the same domain.
        if senderReceiver['sender_domain'] == senderReceiver['recipient_domain']:
            return 'DUNNO'
        else:
            return ACTION_REJECT
    elif policy == POLICY_SUBDOMAIN:
        # Bypass all users under the same domain or sub domains.
        if senderReceiver['sender'].endswith('.' + senderReceiver['recipient_domain']):
            return 'DUNNO'
        else:
            return ACTION_REJECT
    elif policy == POLICY_MEMBERSONLY:
        # Bypass all members.
        if senderReceiver['sender'] in members:
            return 'DUNNO'
        else:
            return ACTION_REJECT
    elif policy == POLICY_MODERATORSONLY or policy == POLICY_ALLOWEDONLY:
        # Bypass all moderators.
        if senderReceiver['sender'] in moderators:
            return 'DUNNO'
        else:
            return ACTION_REJECT
    elif policy == POLICY_MEMBERSANDMODERATORSONLY:
        # Bypass both members and moderators.
        if senderReceiver['sender'] in members or senderReceiver['sender'] in moderators:
            return 'DUNNO'
        else:
            return ACTION_REJECT
    else:
        # Bypass all if policy is not defined in this plugin.
        return 'DUNNO Policy is not defined in plugin (%s): %s.' % (PLUGIN_NAME, policy)

8

Re: DUNNO policy is not defined in plugin.

Shashank wrote:

smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_sender_login_mismatch,reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, hash:/etc/postfix/reject_sender, check_policy_service inet:127.0.0.1:7778

Obviously, you didn't configure Postfix for iRedAPD by following its installation guide strictly.

The correct setting for smtpd_recipient_restrictions and smtpd_sender_restrictions are:

smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks
,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname

smtpd_sender_restrictions =
    check_policy_service inet:127.0.0.1:7778,
    permit_mynetworks,
    reject_sender_login_mismatch,
    permit_sasl_authenticated

reject_sender_login_mismatch should be placed in smtpd_sender_restrictions if you really want to use it.

Just want to emphasize the order of restriction rules is VERY IMPORTANT.