1

Topic: Whitelist/Blacklist

==== Provide the required information to help troubleshoot and get a quick answer ====
- Linux/BSD distribution name and version:
- iRedMail version and backend (LDAP/MySQL):
- Any related log? Log is helpful for troubleshooting.
====
iRedMail-0.7.4
iRedMailProLDAP 1.6.3
CentOS 5.6

Hi Zhang,

We need to restrict certain users from sending mail to particular domains. We have installed iRedAPD and are trying to restrict them by adding entries in the whitelist/blacklist feature of the ProLDAP 1.6.3 admin panel. But the mails sent to that domain are getting delivered, not quarantined or rejected.

Thanks,

Regards,
Mohan


2

Re: Whitelist/Blacklist

Hi Zhang,

Kindly update on this query: how can we restrict sending mails to specific domains for specific users?

Thanks,

Regards,

Mohan

3

Re: Whitelist/Blacklist

1) Could you please show the output of the commands below:

# postconf smtpd_recipient_restrictions
# postconf smtpd_sender_restrictions
# postconf smtpd_end_of_data_restrictions

2) Please show me the whole content of the file /opt/iredapd/etc/iredapd.ini (REMOVE the password before posting).
3) Click 'Export account to LDIF' in your user's profile page (under the "General" tab), then paste the whole LDIF data here (REMOVE the password and other sensitive information before posting).

4

Re: Whitelist/Blacklist

Hi Zhang,

Kindly find the output you requested:
1.
# postconf smtpd_recipient_restrictions
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031

# postconf smtpd_sender_restrictions
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:7778

# postconf smtpd_end_of_data_restrictions
smtpd_end_of_data_restrictions =

2. Below are the contents of /opt/iredapd/etc/iredapd.ini
[general]
# Listen address and port.
listen_addr = 127.0.0.1
listen_port = 7777

# Run as a low privileged user.
# If you don't want to create one, you can try 'nobody'.
run_as_user = iredapd

# Background/daemon mode: yes, no.
# Run iRedAPD as daemon, detach iredapd from terminal.
run_as_daemon = yes

# Path to pid file.
pid_file        = /var/run/iredapd.pid

# Log type: file.
# Set 'log_file = /dev/null' if you don't want to keep the log.
log_type        = file
log_file        = /var/log/iredapd.log

# Log level: info, error, debug.
log_level       = error

# Backend: ldap, mysql.
backend = ldap

[ldap]
# For ldap backend only.
# LDAP server setting.
# URI must start with ldap:// or ldaps:// (TLS/SSL).
#
# Tip: You can get binddn, bindpw from /etc/postfix/ldap_*.cf.
#
uri = ldap://127.0.0.1:389
binddn = cn=vmail,dc=mydomain,dc=com
bindpw = ***********************
basedn = o=domains,dc=mydomain,dc=com

# Enabled plugins.
#   - Plugin name is file name which placed under 'src/plugins/' directory.
#   - Plugin names MUST be separated by comma.
#
# Available plugins:
#   * ldap_domain_wblist: per-domain white/blacklist support.
#       Note: If you want to enable this plugin, it's better to make it the
#             first one in enabled plugin list.
#   * ldap_maillist_access_policy: mail list deliver restrictions.
#   * block_amavisd_blacklisted_senders: per-user white/blacklist support.
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders, ldap_recipient_restrictions

[mysql]
# For MySQL backend only.
server      = 127.0.0.1
db          = vmail
user        = vmail
password    = ***************


# Enabled plugins.
#   - Plugin name is file name which placed under 'src/plugins/' directory.
#   - Plugin names MUST be separated by comma.
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders, ldap_recipient_restrictions

3. LDIF data
dn: mail=test2@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=mydomain,dc=com
accountStatus: active
amavisLocal: TRUE
cn: Test2
enabledService: mail
enabledService: deliver
enabledService: lda
enabledService: smtp
enabledService: smtpsecured
enabledService: pop3
enabledService: pop3secured
enabledService: imap
enabledService: imapsecured
enabledService: managesieve
enabledService: managesievesecured
enabledService: sieve
enabledService: sievesecured
enabledService: forward
enabledService: senderbcc
enabledService: recipientbcc
enabledService: internal
enabledService: shadowaddress
enabledService: displayedInGlobalAddressBook
homeDirectory: /var/vmail/vmail1/mydomain.com/t/e/s/test2-2012.02.13.11.58.41/
mail: test2@mydomain.com
mailBlacklistRecipient: @gmail.com
mailMessageStore: vmail1/mbaoa.com/t/e/s/test2-2012.02.13.11.58.41/
mailQuota: 104857600
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: shadowAccount
objectClass: amavisAccount
shadowLastChange: 0
sn: test2
storageBaseDirectory: /var/vmail
uid: test2
userPassword: {SSHA}*************************


Thanks,
Regards,
Mohan

5

Re: Whitelist/Blacklist

The Postfix and iRedAPD configs look fine.

As the LDIF data shows, you want to block emails sent TO gmail.com. Could you please turn on debug mode in iRedAPD with the setting below in both iredapd.ini and iredapd-rr.ini, then send a test email and paste the iRedAPD log here to help troubleshoot?

# Log level: info, error, debug.
log_level       = debug

6

Re: Whitelist/Blacklist

Hi Zhang,

I have pasted the iredapd-ini.log below for your reference, captured while sending mail to my Gmail ID after setting the restriction in the control panel.

tailf /var/log/iredapd.log
2012-02-14 10:19:47 INFO Starting iredapd (v1.3.6, pid: 29153), listening on 127.0.0.1:7777.
2012-02-14 10:19:47 DEBUG Forking first child.
2012-02-14 10:19:47 DEBUG Creating new session
2012-02-14 10:19:47 DEBUG Forking second child.
2012-02-14 10:19:47 DEBUG Setting umask
2012-02-14 10:19:47 DEBUG Changing working directory to "/"
2012-02-14 10:19:47 DEBUG Redirecting file descriptors
2012-02-14 10:20:38 DEBUG Connect from 127.0.0.1
2012-02-14 10:20:38 DEBUG smtp session: request=smtpd_access_policy
2012-02-14 10:20:38 DEBUG smtp session: protocol_state=RCPT
2012-02-14 10:20:38 DEBUG smtp session: protocol_name=ESMTP
2012-02-14 10:20:38 DEBUG smtp session: client_address=127.0.0.1
2012-02-14 10:20:38 DEBUG smtp session: client_name=localhost.localdomain
2012-02-14 10:20:38 DEBUG smtp session: reverse_client_name=localhost.localdomain
2012-02-14 10:20:38 DEBUG smtp session: helo_name=mail.mydomain.in
2012-02-14 10:20:38 DEBUG smtp session: sender=test2@mydomain.in
2012-02-14 10:20:38 DEBUG smtp session: recipient=mygmailid@gmail.com
2012-02-14 10:20:38 DEBUG smtp session: recipient_count=0
2012-02-14 10:20:38 DEBUG smtp session: queue_id=
2012-02-14 10:20:38 DEBUG smtp session: instance=720a.4f39e81e.28fd3.0
2012-02-14 10:20:38 DEBUG smtp session: size=0
2012-02-14 10:20:38 DEBUG smtp session: etrn_domain=
2012-02-14 10:20:38 DEBUG smtp session: stress=
2012-02-14 10:20:38 DEBUG smtp session: sasl_method=LOGIN
2012-02-14 10:20:38 DEBUG smtp session: sasl_username=test2@mydomain.in
2012-02-14 10:20:38 DEBUG smtp session: sasl_sender=
2012-02-14 10:20:38 DEBUG smtp session: ccert_subject=
2012-02-14 10:20:38 DEBUG smtp session: ccert_issuer=
2012-02-14 10:20:38 DEBUG smtp session: ccert_fingerprint=
2012-02-14 10:20:38 DEBUG smtp session: encryption_protocol=
2012-02-14 10:20:38 DEBUG smtp session: encryption_cipher=
2012-02-14 10:20:38 DEBUG smtp session: encryption_keysize=0
2012-02-14 10:20:38 DEBUG LDAP connection initialied success.
2012-02-14 10:20:38 DEBUG LDAP bind success.
2012-02-14 10:20:38 DEBUG __get_recipient_dn_ldif (recipient): mygmailid@gmail.com
2012-02-14 10:20:38 DEBUG __get_recipient_dn_ldif (ldap query filter): (&(|(mail=mygmailid@gmail.com)(shadowAddress=mygmailid@gmail.com))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2012-02-14 10:20:38 DEBUG __get_recipient_dn_ldif: Can not find recipient in LDAP server.
2012-02-14 10:20:38 DEBUG Recipient DN or LDIF is None.
2012-02-14 10:20:38 DEBUG Final action: DUNNO.
2012-02-14 10:20:38 INFO test2@mydomain.in -> mygmailid@gmail.com, DUNNO
2012-02-14 10:20:38 DEBUG Connection closed

Thanks,
Regards,
Mohan

7

Re: Whitelist/Blacklist

Hi Zhang,

Kindly update on the log I posted after enabling debug in iredapd.ini.

Thanks,
Regards,
Mohan

8

Re: Whitelist/Blacklist

mohan wrote:

I have pasted the iredapd-ini.log below for your reference, captured while sending mail to my Gmail ID after setting the restriction in the control panel.

tailf /var/log/iredapd.log

Is this iredapd.log or iredapd-rr.log?
Please post the other log file with debug logging as well.

9

Re: Whitelist/Blacklist

Hi Zhang,

The log I posted previously is iredapd.log. I will paste both logs below, captured while sending mail to the domain restricted via the blacklisting option in the panel.

Kindly update.

tailf /var/log/iredapd.log
2012-02-17 09:37:17 DEBUG Final action: DUNNO.
2012-02-17 09:37:17 INFO test2@mydomain.com -> mygmailid@gmail.com, DUNNO
2012-02-17 09:37:17 DEBUG Connection closed
2012-02-17 09:39:57 INFO Starting iredapd (v1.3.6, pid: 14411), listening on 127.0.0.1:7777.
2012-02-17 09:39:57 DEBUG Forking first child.
2012-02-17 09:39:57 DEBUG Creating new session
2012-02-17 09:39:57 DEBUG Forking second child.
2012-02-17 09:39:57 DEBUG Setting umask
2012-02-17 09:39:57 DEBUG Changing working directory to "/"
2012-02-17 09:39:57 DEBUG Redirecting file descriptors
2012-02-17 09:41:07 DEBUG Connect from 127.0.0.1
2012-02-17 09:41:07 DEBUG smtp session: request=smtpd_access_policy
2012-02-17 09:41:07 DEBUG smtp session: protocol_state=RCPT
2012-02-17 09:41:07 DEBUG smtp session: protocol_name=ESMTP
2012-02-17 09:41:07 DEBUG smtp session: client_address=127.0.0.1
2012-02-17 09:41:07 DEBUG smtp session: client_name=localhost.localdomain
2012-02-17 09:41:07 DEBUG smtp session: reverse_client_name=localhost.localdomain
2012-02-17 09:41:07 DEBUG smtp session: helo_name=mail.mydomain.in
2012-02-17 09:41:07 DEBUG smtp session: sender=test2@mydomain.com
2012-02-17 09:41:07 DEBUG smtp session: recipient=mygmailid@gmail.com
2012-02-17 09:41:07 DEBUG smtp session: recipient_count=0
2012-02-17 09:41:07 DEBUG smtp session: queue_id=
2012-02-17 09:41:07 DEBUG smtp session: instance=3873.4f3dd35b.12914.0
2012-02-17 09:41:07 DEBUG smtp session: size=0
2012-02-17 09:41:07 DEBUG smtp session: etrn_domain=
2012-02-17 09:41:07 DEBUG smtp session: stress=
2012-02-17 09:41:07 DEBUG smtp session: sasl_method=LOGIN
2012-02-17 09:41:07 DEBUG smtp session: sasl_username=test2@mydomain.com
2012-02-17 09:41:07 DEBUG smtp session: sasl_sender=
2012-02-17 09:41:07 DEBUG smtp session: ccert_subject=
2012-02-17 09:41:07 DEBUG smtp session: ccert_issuer=
2012-02-17 09:41:07 DEBUG smtp session: ccert_fingerprint=
2012-02-17 09:41:07 DEBUG smtp session: encryption_protocol=
2012-02-17 09:41:07 DEBUG smtp session: encryption_cipher=
2012-02-17 09:41:07 DEBUG smtp session: encryption_keysize=0
2012-02-17 09:41:07 DEBUG LDAP connection initialied success.
2012-02-17 09:41:07 DEBUG LDAP bind success.
2012-02-17 09:41:07 DEBUG __get_recipient_dn_ldif (recipient): mygmaiid@gmail.com
2012-02-17 09:41:07 DEBUG __get_recipient_dn_ldif (ldap query filter): (&(|(mail=mygmailgmail.com)(shadowAddress=mygmailid@gmail.com))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2012-02-17 09:41:07 DEBUG __get_recipient_dn_ldif: Can not find recipient in LDAP server.
2012-02-17 09:41:07 DEBUG Recipient DN or LDIF is None.
2012-02-17 09:41:07 DEBUG Final action: DUNNO.
2012-02-17 09:41:07 INFO test2@mbaoa.com -> mymailid@gmail.com, DUNNO
2012-02-17 09:41:07 DEBUG Connection closed


tailf /var/log/iredapd-rr.log

2012-02-14 10:19:52 DEBUG Setting umask
2012-02-14 10:19:52 DEBUG Changing working directory to "/"
2012-02-14 10:19:52 DEBUG Redirecting file descriptors
2012-02-17 09:39:47 INFO Starting iredapd (v1.3.6, pid: 14396), listening on 127.0.0.1:7778.
2012-02-17 09:39:47 DEBUG Forking first child.
2012-02-17 09:39:47 DEBUG Creating new session
2012-02-17 09:39:47 DEBUG Forking second child.
2012-02-17 09:39:47 DEBUG Setting umask
2012-02-17 09:39:47 DEBUG Changing working directory to "/"
2012-02-17 09:39:47 DEBUG Redirecting file descriptors

Thanks,
Regards,
Mohan

10

Re: Whitelist/Blacklist

mohan wrote:

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, check_policy_service inet:127.0.0.1:7778

You have permit_sasl_authenticated in front of "check_policy_service inet:127.0.0.1:7778"; that's why it doesn't work at all.

The correct setting is:

smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:7778, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated

11

Re: Whitelist/Blacklist

Hi Zhang,

Thanks for providing the solution.

We have now set
smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:7778, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated

and in the /opt/iredapd/etc/iredapd.ini file changed the order of plugins as below:
plugins = block_amavisd_blacklisted_senders, ldap_recipient_restrictions, ldap_maillist_access_policy
previously it was:
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders, ldap_recipient_restrictions

and in iredapd-rr.ini, under [general], the line "bypass_mynetworks = no" was not there, so I added it.

Now we are able to restrict sending mails to specific domains from specific users.

Thanks,
Regards,
Mohan
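
The two fixes in posts 10 and 11 (moving check_policy_service ahead of the permit_* restrictions, and setting bypass_mynetworks = no) both come down to evaluation order: Postfix walks a restriction list top to bottom and stops at the first PERMIT or REJECT, and a policy daemon that answers DUNNO for trusted networks lets the next permit_* win. The simulation below is an added example written for this page; it is not iRedAPD's code and not Postfix's. It assumes a constructed in-memory directory in place of LDAP, a constructed policy request assembled from the attributes shown in the debug log above, a hypothetical bypass_mynetworks flag with the meaning "answer DUNNO for clients inside $mynetworks", and a hypothetical matching rule for mailBlacklistRecipient (full address, "@domain" or bare domain). It goes slightly beyond the thread by also running a non-local client through the original ordering, which is where permit_sasl_authenticated, rather than permit_mynetworks, is the restriction that short-circuits.

```python
import ipaddress

# Constructed stand-in for the LDAP directory (assumption: the real plugin reads
# mailBlacklistRecipient from the user's LDAP entry; here it is inline).
DIRECTORY = {
    "test2@mydomain.com": {"mailBlacklistRecipient": ["@gmail.com"]},
    "test1@mydomain.com": {"mailBlacklistRecipient": []},
}

# Constructed $mynetworks (assumption: loopback only, as on a default iRedMail host).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]

# Constructed policy request: the attributes the iRedAPD debug log shows Postfix sending,
# in the Postfix policy-delegation wire format (key=value lines, ended by an empty line).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=127.0.0.1\n"
    "helo_name=mail.mydomain.in\n"
    "sender=test2@mydomain.com\n"
    "recipient=mygmailid@gmail.com\n"
    "sasl_method=LOGIN\n"
    "sasl_username=test2@mydomain.com\n"
    "\n"
)

ORIGINAL_ORDER = ["permit_mynetworks", "reject_sender_login_mismatch",
                  "permit_sasl_authenticated", "check_policy_service inet:127.0.0.1:7778"]
CORRECTED_ORDER = ["check_policy_service inet:127.0.0.1:7778", "permit_mynetworks",
                   "reject_sender_login_mismatch", "permit_sasl_authenticated"]


def parse_policy_request(raw):
    """Parse one policy-delegation request into a dict; stops at the empty terminator line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def in_mynetworks(address):
    client = ipaddress.ip_address(address)
    return any(client in net for net in MYNETWORKS)


def recipient_blacklisted(sender, recipient, directory=DIRECTORY):
    """Hypothetical matcher: pattern is a full address, '@domain' or a bare domain."""
    entry = directory.get(sender.lower())
    if entry is None:
        return False
    rcpt = recipient.lower()
    rcpt_domain = rcpt.rsplit("@", 1)[-1]
    return any(p.lower() in (rcpt, "@" + rcpt_domain, rcpt_domain)
               for p in entry["mailBlacklistRecipient"])


def policy_decision(attrs, bypass_mynetworks=False):
    """What a per-user recipient-restriction policy server would answer for this request."""
    if bypass_mynetworks and in_mynetworks(attrs.get("client_address", "0.0.0.0")):
        return "DUNNO"                      # trusted client: defer to the next restriction
    sender = attrs.get("sasl_username") or attrs.get("sender", "")
    if recipient_blacklisted(sender, attrs.get("recipient", "")):
        return "REJECT Recipient is blacklisted for this sender"
    return "DUNNO"


def evaluate_restrictions(restrictions, attrs, bypass_mynetworks=False):
    """Walk the list in order as smtpd does: first PERMIT/REJECT wins, DUNNO moves on.
    Returns (verdict, restriction_that_decided); only the thread's restrictions are modelled."""
    for r in restrictions:
        if r == "permit_mynetworks":
            if in_mynetworks(attrs["client_address"]):
                return "PERMIT", r
        elif r == "permit_sasl_authenticated":
            if attrs.get("sasl_username"):
                return "PERMIT", r
        elif r == "reject_sender_login_mismatch":
            if attrs.get("sasl_username") and attrs["sasl_username"].lower() != attrs["sender"].lower():
                return "REJECT", r
        elif r.startswith("check_policy_service"):
            action = policy_decision(attrs, bypass_mynetworks)
            if action != "DUNNO":
                return action.split()[0], r
        else:
            raise ValueError("restriction not modelled: " + r)
    return "DUNNO", None


if __name__ == "__main__":
    attrs = parse_policy_request(SAMPLE_REQUEST)
    print("original order, local client:   ", evaluate_restrictions(ORIGINAL_ORDER, attrs))
    print("corrected order, bypass=yes:     ", evaluate_restrictions(CORRECTED_ORDER, attrs, True))
    print("corrected order, bypass=no:      ", evaluate_restrictions(CORRECTED_ORDER, attrs, False))
    remote = dict(attrs, client_address="203.0.113.5")
    print("original order, remote client:  ", evaluate_restrictions(ORIGINAL_ORDER, remote))
```

Running it shows the failure mode from the log: with the original ordering the policy service on port 7778 is never asked at all, because a permit_* restriction earlier in the list already returned PERMIT (permit_mynetworks for the webmail client on 127.0.0.1, permit_sasl_authenticated for a remote authenticated client). Moving check_policy_service to the front makes the daemon the first to speak, but only if it does not itself step aside for $mynetworks, which is what bypass_mynetworks = no ensures.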