1 Topic by Peter (edited by Peter 2014-10-14 19:22:14)

  • Peter
  • Member
  • Offline
  • Registered: 2014-10-14
  • Posts: 54

Topic: SMTP Auth 4.7.1 Recipient Address rejected, Greylisting

======== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySql
- Linux/BSD distribution name and version: Debian Wheezy 7.6
- Related log if you're reporting an issue:
====

- Sender and Receiver are hosted on iRedMail (Test Accounts)
- rolf@testzone.ch sends an email trough SMTP Auth (587) to rolf@newmail.samplezone.ch
- while sending email a message pops up in Thunderbird telling me "451 4.7.1 <rolf@newmail.samplezone.ch>: Recipient address rejected: Greylisting in effect, please come back late"

- mail.log shows:

Oct 14 10:40:09 test cbpolicyd[27100]: module=Greylisting, action=defer, host=xx.202.195.xx, helo=[10.10.10.180], from=rolf@testzone.ch, to=rolf@newmail.samplezone.ch, reason=greylisted
Oct 14 10:40:09 test postfix/smtpd[17360]: NOQUEUE: reject: RCPT from xx_202_195_xx.inet.ezbase.net[xx.202.195.xx]: 451 4.7.1 <rolf@newmail.samplezone.ch>: Recipient address rejected: Greylisting in effect, please come back later; from=<rolf@testzone.ch> to=<rolf@newmail.samplezone.ch> proto=ESMTP helo=<[xx.xx.xx.xx]>

When I inspect postfix/main.cf there is a configuration for smtpd_recipient_restrictions:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

I wonder if it's better to set permit_sasl_authenticated bevor check_policy_service like this:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, reject_unauth_destination

I tested this change and it seems to work? I might be wrong and my second attempt was accepted by greylisting.

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: SMTP Auth 4.7.1 Recipient Address rejected, Greylisting

I suggest you try to understand what greylisting is and how it helps fight spam:
http://www.greylisting.org/

Don't disable it.

3 Reply by Peter

  • Peter
  • Member
  • Offline
  • Registered: 2014-10-14
  • Posts: 54

Re: SMTP Auth 4.7.1 Recipient Address rejected, Greylisting

I know what greylisting is and I didn't disable it.

Could you please read my Question again? It's all about Sending E-Mail from my MUA to iRedMail.

Please tell me if something can't be understand.

Thanks.

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: SMTP Auth 4.7.1 Recipient Address rejected, Greylisting

The problem is not greylisting, the problem is you didn't enable SMTP authentication in your MUA.
Cluebringer (the component provides greylisting) will bypass emails sent by smtp authenticated users.

5 Reply by Peter (edited by Peter 2014-10-14 23:37:30)

  • Peter
  • Member
  • Offline
  • Registered: 2014-10-14
  • Posts: 54

Re: SMTP Auth 4.7.1 Recipient Address rejected, Greylisting

That's strange. SMTP seems to be configured like it should: password, Port 587, STARTTLS.

How should it be possible to send succefully an e-mail, which I could after second attempt? Maybe you are wright and thunderbird's first attempt to send an e-mail was completely wrong (without SMTP auth). I didn't change anything in thunderbird and this happend yesterday as well with another test account (only the first attempt to send).

Cluebringer (the component provides greylisting) will bypass emails sent by smtp authenticated users.

Where can I cross check that? Where do I need to set log level to see SMTP Auth?

Thanks for your help

6 Reply by Peter

  • Peter
  • Member
  • Offline
  • Registered: 2014-10-14
  • Posts: 54

Re: SMTP Auth 4.7.1 Recipient Address rejected, Greylisting

I did some tests which show:

-> MUA does SMTP Authentication
-> Cluebringer does NOT bypass for smtp authenticated users

SMTP without Auth -> 5.7.1
==========================
Pop up in thunderbird

Oct 14 16:46:16 test postfix/smtpd[24634]: connect from xxx_202_195_146.inet.ezbase.net[xxx.202.195.146]
Oct 14 16:46:16 test postfix/smtpd[24634]: NOQUEUE: reject: RCPT from xxx_202_195_146.inet.ezbase.net[xxx.202.195.146]: 553 5.7.1 <rolf@testzone.ch>: Sender address rejected: not logged in; from=<rolf@testzone.ch> to=<rolf@newmail.samplezone.ch> proto=ESMTP helo=<[10.10.10.180]>

SMTP Auth wrong User/Password
==========================
Pop up in thunderbird wrong username/password

Oct 14 16:48:52 test postfix/smtpd[24711]: warning: xxx_202_195_146.inet.ezbase.net[xxx.202.195.146]: SASL PLAIN authentication failed:
Oct 14 16:48:58 test postfix/smtpd[24711]: warning: xxx_202_195_146.inet.ezbase.net[xxx.202.195.146]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

SMTP Auth, first attempt -> 4.7.1
==========================
No 5.7.1 message nor message about wrong username/password -> conclusion: SMTP Auth succeeded
But 4.7.1 which souldn't happen. Pop up in thunderbird.

Oct 14 16:52:44 test postfix/smtpd[24796]: connect from xxx_202_195_146.inet.ezbase.net[xxx.202.195.146]
Oct 14 16:52:44 test cbpolicyd[23382]: module=Greylisting, action=defer, host=xxx.202.195.146, helo=[10.10.10.180], from=rolf@testzone.ch, to=rolf@newmail.samplezone.ch, reason=greylisted
Oct 14 16:52:44 test postfix/smtpd[24796]: NOQUEUE: reject: RCPT from xxx_202_195_146.inet.ezbase.net[xxx.202.195.146]: 451 4.7.1 <rolf@newmail.samplezone.ch>: Recipient address rejected: Greylisting in effect, please come back later; from=<rolf@testzone.ch> to=<rolf@newmail.samplezone.ch> proto=ESMTP helo=<[10.10.10.180]>

DB greylisting_tracking:
---------------------------------
  TrackKey: SenderIP:xxx.202.195.0/24
    Sender: rolf@testzone.ch
Recipient: rolf@newmail.samplezone.ch
FirstSeen: 1413305564
LastUpdate: 1413305564
     Tries: 1
     Count: 0


SMTP Auth, second attempt -> 4.7.1
==========================
Same as first attempt

Oct 14 16:55:02 test postfix/smtpd[24840]: connect from xxx_202_195_146.inet.ezbase.net[xxx.202.195.146]
Oct 14 16:55:02 test cbpolicyd[23074]: module=Greylisting, action=defer, host=xxx.202.195.146, helo=[10.10.10.180], from=rolf@testzone.ch, to=rolf@newmail.samplezone.ch, reason=greylisted, tries=2
Oct 14 16:55:02 test postfix/smtpd[24840]: NOQUEUE: reject: RCPT from xxx_202_195_146.inet.ezbase.net[xxx.202.195.146]: 451 4.7.1 <rolf@newmail.samplezone.ch>: Recipient address rejected: Greylisting in effect, please come back later; from=<rolf@testzone.ch> to=<rolf@newmail.samplezone.ch> proto=ESMTP helo=<[10.10.10.180]>

DB greylisting_tracking:
---------------------------------
  TrackKey: SenderIP:xxx.202.195.0/24
    Sender: rolf@testzone.ch
Recipient: rolf@newmail.samplezone.ch
FirstSeen: 1413305564
LastUpdate: 1413305702
     Tries: 2
     Count: 0


SMTP Auth, 5th attempt!
==========================
Finally cluebringer accepts my message

Oct 14 16:56:48 test postfix/smtpd[24840]: disconnect from xxx_202_195_146.inet.ezbase.net[xxx.202.195.146]
Oct 14 16:56:48 test amavis[26326]: (26326-02) NOTICE: reconnecting in response to: err=2006, HY000, DBD::mysql::st execute failed: MySQL server has gone away at (eval 111) line 170, <GEN37> line 66.
Oct 14 16:56:48 test postfix/smtpd[24881]: connect from localhost.localdomain[127.0.0.1]
Oct 14 16:56:48 test postfix/smtpd[24881]: 4994565C2D5: client=localhost.localdomain[127.0.0.1]
Oct 14 16:56:48 test postfix/cleanup[24874]: 4994565C2D5: message-id=<543D55CE.8060103@testzone.ch>
Oct 14 16:56:48 test postfix/qmgr[24487]: 4994565C2D5: from=<rolf@testzone.ch>, size=1699, nrcpt=1 (queue active)
Oct 14 16:56:48 test postfix/smtpd[24881]: disconnect from localhost.localdomain[127.0.0.1]
Oct 14 16:56:48 test amavis[26326]: (26326-02) Passed CLEAN {RelayedInternal}, MYUSERS LOCAL [xxx.202.195.146]:17814 [xxx.202.195.146] <rolf@testzone.ch> -> <rolf@newmail.samplezone.ch>, Queue-ID: D942965C2D4, Message-ID: <543D55CE.8060103@testzone.ch>, mail_id: IOmKqXNGdqem, Hits: -10, size: 601, queued_as: 4994565C2D5, dkim_new=dkim:testzone.ch, 336 ms
Oct 14 16:56:48 test postfix/smtp[24875]: D942965C2D4: to=<rolf@newmail.samplezone.ch>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.5, delays=1.2/0.01/0.05/0.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4994565C2D5)
Oct 14 16:56:48 test postfix/qmgr[24487]: D942965C2D4: removed
Oct 14 16:56:48 test postfix/pipe[24886]: 4994565C2D5: to=<rolf@newmail.samplezone.ch>, relay=dovecot, delay=0.04, delays=0/0.01/0/0.03, dsn=2.0.0, status=sent (delivered via dovecot service)
Oct 14 16:56:48 test postfix/qmgr[24487]: 4994565C2D5: removed

DB greylisting_tracking:
---------------------------------
  TrackKey: SenderIP:xxx.202.195.0/24
    Sender: rolf@testzone.ch
Recipient: rolf@newmail.samplezone.ch
FirstSeen: 1413305564
LastUpdate: 1413305806
     Tries: 5
     Count: 1


It looks like cluebringer does NOT bypass smtp athenticated users. Log level 4 for cluebringer didn't help either to narrow down the problem.

Any ideas?

7 Reply by Peter

  • Peter
  • Member
  • Offline
  • Registered: 2014-10-14
  • Posts: 54

Re: SMTP Auth 4.7.1 Recipient Address rejected, Greylisting

If others face the same problem:

- if you add a new domain through iRedMail Webadmin (free Version) it will NOT be excluded from greylisting
- you need to add a record through Cluebring Web Admin. In my case I add new domain testzone.ch
- http://[your domain]/cluebringer
- groups >> internal_domains >> select action -> members >> select action -> add >> Member: @testzone.ch >> save >> Back to Members >> @testzone.ch >> select Action -> change >> disabled -> no -> save

After this change greylisting for authenticated user rolf@testzone.ch is bypassed.


Side note: I'm not too happy how much time this took to track down the problem (investigate code and sql queries). Was expecting the developer(s) of iRedMail know how things work. Instead I got two wrong (misleading) answers.

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: SMTP Auth 4.7.1 Recipient Address rejected, Greylisting

Sorry, i forgot that iRedAdmin open source edition won't add new mail domain in Cluebringer '%internal_domains' group.
You can fix it with script shipped in iRedAdmin: tools/sync_cluebringer_internal_domains.py. If the iRedAdmin installed on your server doesn't have this file, please download it in our source code repository, and it will be included in next release:
https://bitbucket.org/zhb/iredadmin-ose … ult/tools/

You need to download below files:

- tools/__init__.py
- tools/ira_tool_lib.py
- tools/sync_cluebringer_internal_domains.py