1

Topic: cluebringer (policyd) setup.

==== Required information ====
- iRedMail version: 0.8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PgSQL
- Linux/BSD distribution name and version: Debian 7
- Related log if you're reporting an issue:
====

Some time ago my customers had problems reaching my account - their emails addressed to me were rejected by the HELO check (you know, Windows clients have non-RFC-compliant hostnames). I was fiddling a lot with the configuration (moved HELO checks here and there) and also started to blame Outlook for some incompatibility with postfix/RFC - then the problem vanished and I nearly forgot about it.

Today it struck back and I found the symptoms.

It was not the postfix setup (restrictions in main.cf) but cluebringer that rejected the email. For some reason unknown to me, cluebringer applied the policy for the public internet (Default Inbound) also to SSL authenticated users if and ONLY IF the email was sent to my domain.

I solved it now by deleting my domain from the internal_domains group - but I don't understand why this is. From my point of view the problem could be the opposite / internal_domains had only my domain there, not all the others.

Zhang, do you have any idea why this is and how to solve it correctly? Would it work correctly if I had all local domains in the internal_domains group? Are there any potential problems with having internal_domains empty?


2

Re: cluebringer (policyd) setup.

camel1cz wrote:

I solved it now by deleting my domain from internal_domains group

This is totally wrong.
Cluebringer requires you to list all hosted mail domain names in group 'internal_domains', so that it can know whether an email is inbound or outbound. If you deleted the domain from 'internal_domains', it won't apply any restrictions (HELO/GREYLISTING/WHITELISTING/BLACKLISTING/etc) to this domain at all.

I suggest you post the detailed error message from the log file and/or mail client, then we can discuss how to solve it properly.

3

Re: cluebringer (policyd) setup.

ZhangHuangbin wrote:

This is totally wrong.

True, but it works - I have HELO checks in postfix restrictions and for me that is the first problem (applying HELO checks to authenticated users is even worse - basically none of the Windows users has a correct hostname).
Relevant lines from log:

Nov 28 10:42:11 email postfix/smtpd[11407]: input attribute value: REJECT Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'XXX'
Nov 28 10:42:11 email postfix/smtpd[11407]: 127.0.0.1:10031: wanted attribute: (list terminator)
Nov 28 10:42:11 email postfix/smtpd[11407]: input attribute name: (end)
Nov 28 10:42:11 email postfix/smtpd[11407]: check_table_result: inet:127.0.0.1:10031 REJECT Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'XXX' policy query

It happened in the RECIPIENT RESTRICTIONS / they call policyd...

As I already noted / I don't have all my local domains in the internal_domains / there was only one (primary domain which I use for my company emails). In case an authenticated user sends email to this account (so the sender domain is local but not in internal_domains and the recipient is both local and in internal_domains) / the policy used for this check is "Default Inbound" which applies all checks...

Should I copy all domains from vmail.domain to cluebringer.internal_domains?

Note: I use a command line tool to create users/domains and I can easily incorporate this insert into the script creating a new domain.
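
A small triage helper, added here as an example and not part of the original posts: it scans verbose smtpd logs like the ones quoted above for check_table_result lines returned by a policy service, which shows whether a rejection came from the policy daemon (here 127.0.0.1:10031) rather than from a native Postfix restriction in main.cf. The sample log is constructed from the quoted lines; its DUNNO and DEFER_IF_PERMIT entries and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the REJECT lines mirror the thread, the rest are invented.
SAMPLE_LOG = """\
Nov 28 10:42:11 email postfix/smtpd[11407]: input attribute value: REJECT Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'XXX'
Nov 28 10:42:11 email postfix/smtpd[11407]: check_table_result: inet:127.0.0.1:10031 REJECT Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'XXX' policy query
Nov 28 10:43:02 email postfix/smtpd[11420]: check_table_result: inet:127.0.0.1:10031 DUNNO policy query
Nov 28 10:44:30 email postfix/smtpd[11431]: check_table_result: inet:127.0.0.1:10031 DEFER_IF_PERMIT Greylisting in effect policy query
"""

# Verbose smtpd logs the policy verdict as:
#   check_table_result: <service> <ACTION> [text] policy query
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\spostfix/smtpd\[(?P<pid>\d+)\]:\s"
    r"check_table_result:\s(?P<service>(?:inet|unix):\S+)\s"
    r"(?P<action>[A-Z_0-9]+)(?:\s(?P<text>.*?))?\spolicy query$"
)

# Verdicts that let the message continue through the remaining restrictions.
NON_BLOCKING = {"DUNNO", "OK", "PERMIT"}


def policy_verdicts(log_text):
    """Return one dict per policy-service verdict found in the log text."""
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            v = m.groupdict()
            v["blocking"] = v["action"] not in NON_BLOCKING
            verdicts.append(v)
    return verdicts


def blocking_summary(log_text):
    """Count blocking verdicts per (policy service, action)."""
    return Counter(
        (v["service"], v["action"]) for v in policy_verdicts(log_text) if v["blocking"]
    )


if __name__ == "__main__":
    for v in policy_verdicts(SAMPLE_LOG):
        flag = "BLOCK" if v["blocking"] else "pass "
        print(flag, v["ts"], f"smtpd[{v['pid']}]", v["service"], v["action"], v["text"] or "")
    print(dict(blocking_summary(SAMPLE_LOG)))
```

A rejection that appears in this output was decided by the policy daemon, so the place to look is its policies and groups, not the restriction lists in main.cf.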

4

Re: cluebringer (policyd) setup.

camel1cz wrote:

Should I copy all domains from vmail.domain to cluebringer.internal_domains?

Yes, again, this is how Cluebringer works.

5

Re: cluebringer (policyd) setup.

ZhangHuangbin wrote:
camel1cz wrote:

Should I copy all domains from vmail.domain to cluebringer.internal_domains?

Yes, again, this is how Cluebringer works.

That isn't done auto when adding a new domain?

6

Re: cluebringer (policyd) setup.

hferreira wrote:

That isn't done auto when adding a new domain?

Sorry about this trouble. It's a bug in the latest stable release of iRedAdmin-Pro, but it was fixed in the development edition and will be available in the next release.

7

Re: cluebringer (policyd) setup.

Sorry, I didn't receive notification about your reply... I'll test it and let you know if it's OK.

Thank you