1

Topic: Limiting From: to user aliases

============ Required information ====
- iRedMail version: 0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version:  Ubuntu 14.04
- Related log if you're reporting an issue:
====

Hi,
I want my users to be able to send emails from their associated aliases. Therefore I dug into the forum and found a lot of (as it seems to me) obsolete information.
The essence I got out of this is to use iRedAPD for checking aliases and to remove reject_sender_login_mismatch from the Postfix config.
Here is what I did (important parts):

in /etc/postfix/main.cf

smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated

in /opt/iredapd/settings.py

backend = "mysql"
plugins = ["reject_null_sender", "reject_sender_login_mismatch", "sql_alias_access_policy", "sql_user_restrictions"]
sql_server = "127.0.0.1"
sql_port = "3306"
sql_db = "vmail"
sql_user = "vmail"
alias_table = "alias"
sql_password = "supers3cret"

SQL structure in the alias table:

+-------------------------+--------------+--------------------+------------+
| address                 | accesspolicy | goto               | moderators |
+-------------------------+--------------+--------------------+------------+
| mail@tld1               |              | mail@tld1          |            |
| wordpress@tld1          |              | mail@tld1          |            |
| @tld1                   |              | mail@tld1          |            |  (catch-all)
| mail@tld2               |              | mail@tld2          |            |
+-------------------------+--------------+--------------------+------------+

Unfortunately I'm still able to send email as whatever I want in "From:". If I put reject_sender_login_mismatch back into the Postfix config, only mail@tld is possible as From.
What did I miss in my config?

iredapd log:

mail@tld2 -> mail@tld1, DUNNO
wordpress@tld1 -> mail@tld1, DUNNO
mail@tld1 -> mail@tld1, DUNNO


2

Re: Limiting From: to user aliases

Could you please turn on debug mode in iRedAPD and send a testing email again? Paste me the full log of this testing email from /var/log/iredapd.log.

Reference: turn on debug mode in iRedAPD.
http://www.iredmail.org/docs/debug.iredapd.html

3

Re: Limiting From: to user aliases

Hi,
thanks for your quick response!
I attached the debug log and replaced the actual domains with tld1 and tld2. I'm sending from the mail@tld1.de account, and webmaster@tld2.de is a separate inbox.

2015-01-27 14:22:43 DEBUG Connect from 127.0.0.1, port 42624.
2015-01-27 14:22:43 DEBUG smtp session: request=smtpd_access_policy
2015-01-27 14:22:43 DEBUG smtp session: protocol_state=RCPT
2015-01-27 14:22:43 DEBUG smtp session: protocol_name=ESMTP
2015-01-27 14:22:43 DEBUG smtp session: client_address=5.28.64.113
2015-01-27 14:22:43 DEBUG smtp session: client_name=unknown
2015-01-27 14:22:43 DEBUG smtp session: reverse_client_name=cable-5-28-64-113.cust.telecolumbus.net
2015-01-27 14:22:43 DEBUG smtp session: helo_name=admins-Mac-mini.local
2015-01-27 14:22:43 DEBUG smtp session: sender=webmaster@tld2.de
2015-01-27 14:22:43 DEBUG smtp session: recipient=mail@tld1.de
2015-01-27 14:22:43 DEBUG smtp session: recipient_count=0
2015-01-27 14:22:43 DEBUG smtp session: queue_id=
2015-01-27 14:22:43 DEBUG smtp session: instance=4644.54c79123.245b8.0
2015-01-27 14:22:43 DEBUG smtp session: size=394
2015-01-27 14:22:43 DEBUG smtp session: etrn_domain=
2015-01-27 14:22:43 DEBUG smtp session: stress=
2015-01-27 14:22:43 DEBUG smtp session: sasl_method=PLAIN
2015-01-27 14:22:43 DEBUG smtp session: sasl_username=mail@tld1.de
2015-01-27 14:22:43 DEBUG smtp session: sasl_sender=
2015-01-27 14:22:43 DEBUG smtp session: ccert_subject=
2015-01-27 14:22:43 DEBUG smtp session: ccert_issuer=
2015-01-27 14:22:43 DEBUG smtp session: ccert_fingerprint=
2015-01-27 14:22:43 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-01-27 14:22:43 DEBUG smtp session: encryption_protocol=TLSv1
2015-01-27 14:22:43 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES128-SHA
2015-01-27 14:22:43 DEBUG smtp session: encryption_keysize=128
2015-01-27 14:22:43 DEBUG --> Apply plugin: reject_null_sender
2015-01-27 14:22:43 DEBUG <-- Result: DUNNO
2015-01-27 14:22:43 DEBUG --> Apply plugin: reject_sender_login_mismatch
2015-01-27 14:22:43 DEBUG SKIP: No allowed senders specified (ALLOWED_LOGIN_MISMATCH_SENDERS).
2015-01-27 14:22:43 DEBUG <-- Result: DUNNO
2015-01-27 14:22:43 DEBUG --> Apply plugin: sql_alias_access_policy
2015-01-27 14:22:43 DEBUG SQL: query access policy: SELECT accesspolicy, goto, moderators
            FROM alias
            WHERE
                address='mail@tld1.de'
                AND address <> goto
                AND active=1
            LIMIT 1
    
2015-01-27 14:22:43 DEBUG SQL: record: None
2015-01-27 14:22:43 DEBUG <-- Result: DUNNO (Not mail alias)
2015-01-27 14:22:43 DEBUG --> Apply plugin: sql_user_restrictions
2015-01-27 14:22:43 DEBUG SQL to get restriction rules of sender (webmaster@tld2.de): 
        SELECT
            allowedrecipients, rejectedrecipients,
            allowedsenders, rejectedsenders
        FROM mailbox
        WHERE username='webmaster@tld2.de'
        LIMIT 1
    
2015-01-27 14:22:43 DEBUG Returned SQL Record: ('', '', '', '')
2015-01-27 14:22:43 DEBUG No sender restriction.
2015-01-27 14:22:43 DEBUG SQL to get restriction rules of recipient (mail@tld1.de): 
            SELECT
                allowedrecipients, rejectedrecipients,
                allowedsenders, rejectedsenders
            FROM mailbox
            WHERE username='mail@tld1.de'
            LIMIT 1
        
2015-01-27 14:22:43 DEBUG Returned SQL Record: ('', '', '', '')
2015-01-27 14:22:43 DEBUG No recipient restriction.
2015-01-27 14:22:43 DEBUG <-- Result: DUNNO
2015-01-27 14:22:43 INFO [5.28.64.113] webmaster@tld2.de -> mail@tld1.de, DUNNO
2015-01-27 14:22:43 DEBUG Session ended
2015-01-27 14:22:43 DEBUG Closed SQL connection.
2015-01-27 14:22:43 DEBUG smtp session: request=smtpd_access_policy
2015-01-27 14:22:43 DEBUG smtp session: protocol_state=RCPT
2015-01-27 14:22:43 DEBUG smtp session: protocol_name=ESMTP
2015-01-27 14:22:43 DEBUG smtp session: client_address=5.28.64.113
2015-01-27 14:22:43 DEBUG smtp session: client_name=unknown
2015-01-27 14:22:43 DEBUG smtp session: reverse_client_name=cable-5-28-64-113.cust.telecolumbus.net
2015-01-27 14:22:43 DEBUG smtp session: helo_name=admins-Mac-mini.local
2015-01-27 14:22:43 DEBUG smtp session: sender=webmaster@tld2.de
2015-01-27 14:22:43 DEBUG smtp session: recipient=mail@tld1.de
2015-01-27 14:22:43 DEBUG smtp session: recipient_count=0
2015-01-27 14:22:43 DEBUG smtp session: queue_id=
2015-01-27 14:22:43 DEBUG smtp session: instance=4644.54c79123.245b8.0
2015-01-27 14:22:43 DEBUG smtp session: size=394
2015-01-27 14:22:43 DEBUG smtp session: etrn_domain=
2015-01-27 14:22:43 DEBUG smtp session: stress=
2015-01-27 14:22:43 DEBUG smtp session: sasl_method=PLAIN
2015-01-27 14:22:43 DEBUG smtp session: sasl_username=mail@tld1.de
2015-01-27 14:22:43 DEBUG smtp session: sasl_sender=
2015-01-27 14:22:43 DEBUG smtp session: ccert_subject=
2015-01-27 14:22:43 DEBUG smtp session: ccert_issuer=
2015-01-27 14:22:43 DEBUG smtp session: ccert_fingerprint=
2015-01-27 14:22:43 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-01-27 14:22:43 DEBUG smtp session: encryption_protocol=TLSv1
2015-01-27 14:22:43 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES128-SHA
2015-01-27 14:22:43 DEBUG smtp session: encryption_keysize=128
2015-01-27 14:22:43 DEBUG --> Apply plugin: reject_null_sender
2015-01-27 14:22:43 DEBUG <-- Result: DUNNO
2015-01-27 14:22:43 DEBUG --> Apply plugin: reject_sender_login_mismatch
2015-01-27 14:22:43 DEBUG SKIP: No allowed senders specified (ALLOWED_LOGIN_MISMATCH_SENDERS).
2015-01-27 14:22:43 DEBUG <-- Result: DUNNO
2015-01-27 14:22:43 DEBUG --> Apply plugin: sql_alias_access_policy
2015-01-27 14:22:43 DEBUG SQL: query access policy: SELECT accesspolicy, goto, moderators
            FROM alias
            WHERE
                address='mail@tld1.de'
                AND address <> goto
                AND active=1
            LIMIT 1
    
2015-01-27 14:22:43 DEBUG SQL: record: None
2015-01-27 14:22:43 DEBUG <-- Result: DUNNO (Not mail alias)
2015-01-27 14:22:43 DEBUG --> Apply plugin: sql_user_restrictions
2015-01-27 14:22:43 DEBUG SQL to get restriction rules of sender (webmaster@tld2.de): 
        SELECT
            allowedrecipients, rejectedrecipients,
            allowedsenders, rejectedsenders
        FROM mailbox
        WHERE username='webmaster@tld2.de'
        LIMIT 1
    
2015-01-27 14:22:43 DEBUG Returned SQL Record: ('', '', '', '')
2015-01-27 14:22:43 DEBUG No sender restriction.
2015-01-27 14:22:43 DEBUG SQL to get restriction rules of recipient (mail@tld1.de): 
            SELECT
                allowedrecipients, rejectedrecipients,
                allowedsenders, rejectedsenders
            FROM mailbox
            WHERE username='mail@tld1.de'
            LIMIT 1
        
2015-01-27 14:22:43 DEBUG Returned SQL Record: ('', '', '', '')
2015-01-27 14:22:43 DEBUG No recipient restriction.
2015-01-27 14:22:43 DEBUG <-- Result: DUNNO
2015-01-27 14:22:43 INFO [5.28.64.113] webmaster@tld2.de -> mail@tld1.de, DUNNO
2015-01-27 14:22:43 DEBUG Session ended
2015-01-27 14:22:43 DEBUG Closed SQL connection.
2015-01-27 14:22:43 DEBUG smtp session: request=smtpd_access_policy
2015-01-27 14:22:43 DEBUG smtp session: protocol_state=DATA
2015-01-27 14:22:43 DEBUG smtp session: protocol_name=ESMTP
2015-01-27 14:22:43 DEBUG smtp session: client_address=5.28.64.113
2015-01-27 14:22:43 DEBUG smtp session: client_name=unknown
2015-01-27 14:22:43 DEBUG smtp session: reverse_client_name=cable-5-28-64-113.cust.telecolumbus.net
2015-01-27 14:22:43 DEBUG smtp session: helo_name=admins-Mac-mini.local
2015-01-27 14:22:43 DEBUG smtp session: sender=webmaster@tld2.de
2015-01-27 14:22:43 DEBUG smtp session: recipient=mail@tld1.de
2015-01-27 14:22:43 DEBUG smtp session: recipient_count=1
2015-01-27 14:22:43 DEBUG smtp session: queue_id=3EB4620094512
2015-01-27 14:22:43 DEBUG smtp session: instance=4644.54c79123.245b8.0
2015-01-27 14:22:43 DEBUG smtp session: size=394
2015-01-27 14:22:43 DEBUG smtp session: etrn_domain=
2015-01-27 14:22:43 DEBUG smtp session: stress=
2015-01-27 14:22:43 DEBUG smtp session: sasl_method=PLAIN
2015-01-27 14:22:43 DEBUG smtp session: sasl_username=mail@tld1.de
2015-01-27 14:22:43 DEBUG smtp session: sasl_sender=
2015-01-27 14:22:43 DEBUG smtp session: ccert_subject=
2015-01-27 14:22:43 DEBUG smtp session: ccert_issuer=
2015-01-27 14:22:43 DEBUG smtp session: ccert_fingerprint=
2015-01-27 14:22:43 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-01-27 14:22:43 DEBUG smtp session: encryption_protocol=TLSv1
2015-01-27 14:22:43 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES128-SHA
2015-01-27 14:22:43 DEBUG smtp session: encryption_keysize=128
2015-01-27 14:22:43 DEBUG Skip plugin: reject_null_sender (protocol_state != DATA)
2015-01-27 14:22:43 DEBUG Skip plugin: reject_sender_login_mismatch (protocol_state != DATA)
2015-01-27 14:22:43 DEBUG Skip plugin: sql_alias_access_policy (protocol_state != DATA)
2015-01-27 14:22:43 DEBUG Skip plugin: sql_user_restrictions (protocol_state != DATA)
2015-01-27 14:22:43 INFO [5.28.64.113] webmaster@tld2.de -> mail@tld1.de, DUNNO
2015-01-27 14:22:43 DEBUG Session ended
2015-01-27 14:22:43 DEBUG Closed SQL connection.
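
An added example, not part of this post or of iRedAPD: the DEBUG session above carries both sasl_username and sender, so the log can be audited for requests where an authenticated user was passed through (DUNNO) with an envelope sender that is neither the login nor one of its known aliases, which is exactly the spoofing the thread is about. The sample log is a constructed, abridged copy of the RCPT-stage session above plus one constructed clean session; the alias map is constructed from the alias table in the first post.

```python
import re
from typing import Dict, List, Set

# Constructed sample log: the RCPT-stage session shown in the post above,
# abridged to the lines this audit needs, plus one constructed session in
# which the envelope sender is a known alias of the SASL login.
SAMPLE_LOG = """\
2015-01-27 14:22:43 DEBUG Connect from 127.0.0.1, port 42624.
2015-01-27 14:22:43 DEBUG smtp session: request=smtpd_access_policy
2015-01-27 14:22:43 DEBUG smtp session: protocol_state=RCPT
2015-01-27 14:22:43 DEBUG smtp session: client_address=5.28.64.113
2015-01-27 14:22:43 DEBUG smtp session: sender=webmaster@tld2.de
2015-01-27 14:22:43 DEBUG smtp session: recipient=mail@tld1.de
2015-01-27 14:22:43 DEBUG smtp session: sasl_method=PLAIN
2015-01-27 14:22:43 DEBUG smtp session: sasl_username=mail@tld1.de
2015-01-27 14:22:43 DEBUG smtp session: sasl_sender=
2015-01-27 14:22:43 DEBUG --> Apply plugin: reject_sender_login_mismatch
2015-01-27 14:22:43 DEBUG SKIP: No allowed senders specified (ALLOWED_LOGIN_MISMATCH_SENDERS).
2015-01-27 14:22:43 DEBUG <-- Result: DUNNO
2015-01-27 14:22:43 INFO [5.28.64.113] webmaster@tld2.de -> mail@tld1.de, DUNNO
2015-01-27 14:22:43 DEBUG Session ended
2015-01-27 14:25:10 DEBUG smtp session: request=smtpd_access_policy
2015-01-27 14:25:10 DEBUG smtp session: protocol_state=RCPT
2015-01-27 14:25:10 DEBUG smtp session: client_address=5.28.64.113
2015-01-27 14:25:10 DEBUG smtp session: sender=wordpress@tld1.de
2015-01-27 14:25:10 DEBUG smtp session: recipient=mail@tld1.de
2015-01-27 14:25:10 DEBUG smtp session: sasl_username=mail@tld1.de
2015-01-27 14:25:10 INFO [5.28.64.113] wordpress@tld1.de -> mail@tld1.de, DUNNO
2015-01-27 14:25:10 DEBUG Session ended
"""

# Constructed from the alias table in the first post: login -> addresses it may use.
KNOWN_ALIASES: Dict[str, Set[str]] = {
    'mail@tld1.de': {'wordpress@tld1.de'},
}

ATTR_RE = re.compile(r'^(\S+ \S+) DEBUG smtp session: (\w+)=(.*)$')
RESULT_RE = re.compile(r'^\S+ \S+ INFO \[[^\]]+\] \S+ -> \S+, (\w+)')


def parse_sessions(log_text: str) -> List[Dict[str, str]]:
    """Group iRedAPD debug output into one attribute dict per policy request.

    A request starts at its 'request=' attribute and ends at 'Session ended';
    the INFO summary line supplies the final action (DUNNO, REJECT, ...)."""
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            timestamp, key, value = m.groups()
            if key == 'request':
                current = {'timestamp': timestamp}
            current[key] = value
            continue
        m = RESULT_RE.match(line)
        if m:
            current['action'] = m.group(1).upper()
            continue
        if line.endswith('Session ended') and current:
            sessions.append(current)
            current = {}
    return sessions


def find_sender_login_mismatches(sessions, known_aliases):
    """Return RCPT-stage requests where an authenticated user was passed
    through (DUNNO) with an envelope sender that is neither the login itself
    nor one of its known aliases."""
    hits = []
    for s in sessions:
        login = s.get('sasl_username', '').lower()
        if s.get('protocol_state') != 'RCPT' or not login:
            continue
        sender = s.get('sender', '').lower()
        permitted = {login} | {a.lower() for a in known_aliases.get(login, set())}
        if sender not in permitted and s.get('action') == 'DUNNO':
            hits.append(s)
    return hits


def report(hits) -> List[str]:
    """One human-readable line per finding."""
    return ['%s client=%s login=%s sender=%s -> %s' % (
                h['timestamp'], h.get('client_address', '?'), h['sasl_username'],
                h.get('sender', ''), h.get('recipient', ''))
            for h in hits]


if __name__ == '__main__':
    for line in report(find_sender_login_mismatches(parse_sessions(SAMPLE_LOG), KNOWN_ALIASES)):
        print(line)
```

Run against a real /var/log/iredapd.log the first session is reported and the alias session is not; a sender that is missing from the alias map but legitimately permitted (an alias domain, for instance) shows up as a finding until the map is extended, which is the safer direction for an audit.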

4

Re: Limiting From: to user aliases

henrikw wrote:

2015-01-27 14:22:43 DEBUG --> Apply plugin: reject_sender_login_mismatch
2015-01-27 14:22:43 DEBUG SKIP: No allowed senders specified (ALLOWED_LOGIN_MISMATCH_SENDERS).
2015-01-27 14:22:43 DEBUG <-- Result: DUNNO

Plugin 'reject_sender_login_mismatch' was ignored due to missing parameter 'ALLOWED_LOGIN_MISMATCH_SENDERS' in /opt/iredapd/settings.py. Please try to add this setting in /opt/iredapd/settings.py, then restart iRedAPD service and try again.

ALLOWED_LOGIN_MISMATCH_SENDERS = ['tld1.de']

With the above setting, only users under 'tld1.de' are allowed to send email as their own alias addresses. If you want to allow only certain users, update it like below:

ALLOWED_LOGIN_MISMATCH_SENDERS = ['user1@tld1.de', 'user2@tld1.de']

I suggest you read comment lines in /opt/iredapd/plugins/reject_sender_login_mismatch.py to understand how it works and what additional settings it has.

5

Re: Limiting From: to user aliases

Thanks once more for your feedback!
With the suggested settings, I'm at the same point where I was with reject_sender_login_mismatch in the Postfix config:

mail@tld1 -> mail@tld1, possible and fine
mail@tld2 -> mail@tld1, not allowed and fine
wordpress@tld1 -> mail@tld1, not allowed but should be, because wordpress@tld1 is an alias for mail@tld1

2015-01-27 17:00:56 DEBUG Sender: wordpress@tld1.de, SASL username: mail@tld1.de
2015-01-27 17:00:56 DEBUG Allowed SASL senders: tld1.de
2015-01-27 17:00:56 DEBUG Apply strict restriction (ALLOWED_LOGIN_MISMATCH_STRICTLY = True).
2015-01-27 17:00:56 DEBUG <-- Result: REJECT Sender login mismatch

With ALLOWED_LOGIN_MISMATCH_STRICTLY = False, it's again possible to send from tld2.

I had a look into reject_sender_login_mismatch.py and it seems like it's only looking up the alias_domain table (which is empty in my case), so I guess mail@tld3 would work if it were in the alias_domain table.
Anyway, the correct entry should be looked up in the alias table (if I didn't set up aliasing wrong). I guess this can be done via sql_alias_access_policy.py, but how to connect this to reject_sender_login_mismatch?

6

Re: Limiting From: to user aliases

Ok, I dug a little into the code to make it match my need (look up the alias table). I'm totally not into Python, but the result suits my demands at first glance:

            elif settings.backend in ['mysql', 'pgsql']:
                if sasl_username in ALLOWED_LOGIN_MISMATCH_SENDERS \
                   or sasl_sender_domain in ALLOWED_LOGIN_MISMATCH_SENDERS:

                    # Drop the assumption that header_sender_domain has to be
                    # sasl_sender_domain; but if no alias is found, reject anyway.
                    valid_alias = False

                    # 1) Is the sender domain an alias domain of the login domain?
                    # Values are passed as query parameters: they come from the
                    # SMTP client and must not be pasted into the SQL string.
                    sql = """SELECT alias_domain FROM alias_domain
                             WHERE alias_domain=%s AND target_domain=%s
                             LIMIT 1"""
                    logging.debug('SQL: query alias domains: %s' % sql)
                    conn.execute(sql, (header_sender_domain, sasl_sender_domain))
                    sql_record = conn.fetchone()
                    logging.debug('SQL query result: %s' % str(sql_record))

                    if not sql_record:
                        logging.debug('No alias domain found.')
                    elif sender.split('@', 1)[0] != sasl_username.split('@', 1)[0]:
                        # alias domain matched, but the local part differs
                        logging.debug('Sender is not an user alias address.')
                    else:
                        logging.debug('Sender is an alias address of sasl username.')
                        valid_alias = True

                    # 2) Is the sender a per-user alias whose target is the login?
                    # Exact match on goto: an alias with several comma-separated
                    # members does not match here, and neither does a catch-all.
                    sql_alias = """SELECT goto FROM alias
                                   WHERE address=%s AND goto=%s
                                   LIMIT 1"""
                    logging.debug('SQL: query alias: %s' % sql_alias)
                    conn.execute(sql_alias, (sender, sasl_username))
                    sql_record = conn.fetchone()
                    logging.debug('SQL query result: %s' % str(sql_record))

                    if not sql_record:
                        logging.debug('No alias found.')
                    else:
                        logging.debug('Sender %s is alias of %s.' % (sender, sasl_username))
                        valid_alias = True

                    if valid_alias:
                        return SMTP_ACTIONS['default']
                    return reject

Currently this doesn't work for "catch-all" aliases.

The super interesting question is: does this break things?
What can be done better?
And would there have been a globally better way, without touching your code?

Cheers,
Henrik

7

Re: Limiting From: to user aliases

Now I understand what you want.

You have a mail alias account, and you want to allow all members of this mail alias account to send email as this mail alias, right?
This is interesting, and I implemented it a moment ago. You can download this plugin (new version) and overwrite the file /opt/iredapd/plugins/reject_sender_login_mismatch.py:
https://bitbucket.org/zhb/iredapd/src/default/plugins/

Important notes:

* your iRedAPD version number must be 1.4.4.
* set new setting in /opt/iredapd/settings.py:

ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True

* setting 'ALLOWED_LOGIN_MISMATCH_SENDERS' is now optional.
* setting 'ALLOWED_LOGIN_MISMATCH_STRICTLY' is optional too.
* setting 'ALLOWED_LOGIN_MISMATCH_LIST_MEMBER' is optional too.
* if none of the above 3 optional settings is set, all mismatches are rejected.
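
To make the behaviour discussed in posts 4 to 7 concrete, here is an added model of the sender-login-mismatch decision. This is example code written for this page, not iRedAPD's reject_sender_login_mismatch.py, and it uses an in-memory SQLite copy of the alias and alias_domain tables (rows constructed from the alias table in the first post, plus an invented alias domain tld1-alias.de -> tld1.de for the alias-domain case from post 5, and an invented multi-member alias team@tld1.de) in place of the vmail MySQL database. The three settings keep the names from the thread; how they combine below is this example's reading of the posts above, not a specification of the plugin. The goto column is assumed to hold a comma-separated member list.

```python
import sqlite3
from typing import Dict, Sequence


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the vmail 'alias' and 'alias_domain' tables.

    Rows follow the alias table in the first post; tld1-alias.de -> tld1.de and
    team@tld1.de are invented for this example. goto is assumed to be a
    comma-separated member list."""
    db = sqlite3.connect(':memory:')
    db.executescript("""
        CREATE TABLE alias (address TEXT, goto TEXT, active INTEGER);
        CREATE TABLE alias_domain (alias_domain TEXT, target_domain TEXT, active INTEGER);
        INSERT INTO alias VALUES ('mail@tld1.de',      'mail@tld1.de', 1);
        INSERT INTO alias VALUES ('wordpress@tld1.de', 'mail@tld1.de', 1);
        INSERT INTO alias VALUES ('@tld1.de',          'mail@tld1.de', 1);
        INSERT INTO alias VALUES ('mail@tld2.de',      'mail@tld2.de', 1);
        INSERT INTO alias VALUES ('team@tld1.de',      'mail@tld1.de,other@tld1.de', 1);
        INSERT INTO alias_domain VALUES ('tld1-alias.de', 'tld1.de', 1);
    """)
    return db


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one Postfix policy-delegation request: 'name=value' lines
    terminated by an empty line (the attributes iRedAPD logs as 'smtp session')."""
    attrs: Dict[str, str] = {}
    for line in raw.split('\n'):
        if line == '':
            break
        name, _, value = line.partition('=')
        attrs[name] = value
    return attrs


def is_alias_domain(db, sender_domain: str, login_domain: str) -> bool:
    """True when sender_domain is an active alias domain of login_domain."""
    row = db.execute(
        "SELECT 1 FROM alias_domain WHERE alias_domain=? AND target_domain=? AND active=1 LIMIT 1",
        (sender_domain, login_domain)).fetchone()
    return row is not None


def is_list_member(db, alias_address: str, login: str) -> bool:
    """True when `login` is one of the (comma-separated) members of `alias_address`."""
    row = db.execute("SELECT goto FROM alias WHERE address=? AND active=1 LIMIT 1",
                     (alias_address,)).fetchone()
    if row is None:
        return False
    return login in {m.strip().lower() for m in row[0].split(',')}


def check_sender_login_mismatch(db, attrs: Dict[str, str],
                                allowed_senders: Sequence[str] = (),
                                strictly: bool = True,
                                list_member: bool = False) -> str:
    """Return the policy action for one request.

    allowed_senders / strictly / list_member model ALLOWED_LOGIN_MISMATCH_SENDERS,
    _STRICTLY and _LIST_MEMBER as described in the thread; with all of them
    off, every mismatch is rejected."""
    if attrs.get('protocol_state') != 'RCPT':
        return 'DUNNO'                      # evaluated once, at RCPT, as in the log
    login = attrs.get('sasl_username', '').lower()
    sender = attrs.get('sender', '').lower()
    if not login or sender == login:
        return 'DUNNO'                      # unauthenticated, or no mismatch at all
    login_local, _, login_domain = login.partition('@')
    sender_local, _, sender_domain = sender.partition('@')

    if login in allowed_senders or login_domain in allowed_senders:
        if not strictly:
            return 'DUNNO'                  # loose mode: any sender, even tld2 (post 5)
        # strict mode: same local part under an alias domain of the login domain
        if sender_local == login_local and is_alias_domain(db, sender_domain, login_domain):
            return 'DUNNO'

    if list_member and is_list_member(db, sender, login):
        return 'DUNNO'                      # sender is an alias the login is a member of

    return 'REJECT Sender login mismatch'


def policy_response(action: str) -> str:
    """Encode the action in the Postfix policy reply format."""
    return 'action=%s\n\n' % action


# Constructed request, modelled on the attributes in the debug log above.
REQUEST = ('request=smtpd_access_policy\nprotocol_state=RCPT\n'
           'sender=wordpress@tld1.de\nrecipient=mail@tld1.de\n'
           'sasl_method=PLAIN\nsasl_username=mail@tld1.de\n\n')

if __name__ == '__main__':
    db = build_demo_db()
    print(policy_response(check_sender_login_mismatch(db, parse_policy_request(REQUEST), list_member=True)))
```

Two points worth noting from running it: the catch-all row '@tld1.de' is never consulted, because the lookup is by exact address, so it does not turn into "send as any address in the domain" (the same limitation post 6 mentions, here on purpose); and a DUNNO from this check is only as good as what follows it in smtpd_sender_restrictions, which in the first post is permit_sasl_authenticated, so an unconfigured plugin that always answers DUNNO permits every spoofed sender.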

8

Re: Limiting From: to user aliases

ZhangHuangbin wrote:

Now I understand what you want.

You have a mail alias account, and you want to allow all members of this mail alias account to send email as this mail alias, right?

Exactly, sorry for not clarifying this earlier!

ZhangHuangbin wrote:

This is interesting, and I implemented it a moment ago. You can download this plugin (new version) and overwrite the file /opt/iredapd/plugins/reject_sender_login_mismatch.py:
https://bitbucket.org/zhb/iredapd/src/default/plugins/

Important notes:

* your iRedAPD version number must be 1.4.4.
* set new setting in /opt/iredapd/settings.py:

ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True

* setting 'ALLOWED_LOGIN_MISMATCH_SENDERS' is now optional.
* setting 'ALLOWED_LOGIN_MISMATCH_STRICTLY' is optional too.
* setting 'ALLOWED_LOGIN_MISMATCH_LIST_MEMBER' is optional too.
* if none of the above 3 optional settings is set, all mismatches are rejected.

Awesome work! It's doing exactly what I was looking for, and the code looks much cleaner than my workaround.
Thanks for your great work on iRedMail! I came to this project from a self-made vmail setup (which became unmanageable at some point) and never regretted this step.

9

Re: Limiting From: to user aliases

henrikw wrote:

I came to this project from a self-made vmail setup (which became unmanageable at some point) and never regretted this step.

Would you mind sharing your story in our forum here? You can find others' stories:
http://www.iredmail.org/forum/forum7-su … ories.html

We have a template for you:
http://www.iredmail.org/forum/topic25-s … story.html