1

Topic: Suggestion - change of cluebringer configuration

Hi Zhang,

I'm not an expert in cluebringer, so please review my ideas.

I did some research about the cluebringer setup in iRedMail after some complaints from my customers, and I think we should make some adjustments to the default iRedMail installation.

The problem pops out when you send email using SMTP AUTH and change the MAIL FROM address (the account has sender_login_mismatch enabled in iRedAPD). In this situation, cluebringer applies both EHLO and greylisting checks to the email. Especially if the new MAIL FROM is not from a locally configured domain.

I think it's not expected. It should instead work exactly as if the MAIL FROM stayed the same as sasl_username - SASL simply makes the traffic trusted/authenticated/internal.

The reason is that such an email:
a) doesn't match the identifier (%internal_ips AND %internal_domains) - both the IP and also the email domain could be different in case SASL is in use,
b) does match the (!%internal_ips AND !%internal_domains) - for the same reason

To allow such emails, we should:
- add a new rule in policies matching (%internal_ips AND %internal_domains) and use $* instead (see below).
- change the rule (!%internal_ips AND !%internal_domains) and add "... AND $-" to also require NO SASL.

So to be specific:

1) Default Inbound - change from:
Source: !%internal_ips,!%internal_domains
Destination: %internal_domains
to:
Source: !%internal_ips,!%internal_domains,$-
Destination: %internal_domains

Meaning: default inbound is NOT when SASL is used to deliver the email.

2) Default Outbound
add rule:
Source: $*
Destination: !%internal_domains

Meaning: default outbound IS when SASL is used and the destination is not local.

3) no_greylisting change from:
Source: !%internal_ips,!%internal_domains
Destination: %no_greylisting_for_internal
to
Source: !%internal_ips,!%internal_domains,$-
Destination: %no_greylisting_for_internal

Meaning: no_greylisting can apply only if the email comes from the outside world via NO SASL.

4) Default Internal
add rule:
Source: $*
Destination: %internal_domains

Meaning: default internal is also when mail comes in via SASL and the destination is internal.

Thanks.
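The effect of the proposed "Default Inbound" and "Default Internal" changes, as an added example that is not part of the original post and is not cluebringer code: a simplified Python model of the matching described above, with items in one spec ANDed and members of a policy ORed. The group contents, addresses and the existing Default Internal member are constructed assumptions.

```python
import ipaddress

# Constructed sample groups; real group contents are site-specific.
GROUPS = {"internal_ips": ["10.0.0.0/8"], "internal_domains": ["@example.com"]}

def item_matches(item, ip, addr, sasl):
    """Match one comma-separated item of a Source/Destination spec."""
    if item == "$*":                       # any SASL-authenticated user
        return bool(sasl)
    if item == "$-":                       # no SASL authentication
        return not sasl
    negate = item.startswith("!")
    hit = False
    for member in GROUPS[item.lstrip("!%")]:
        if member.startswith("@"):         # domain member, compared to the address
            hit = hit or addr.lower().endswith(member)
        elif ip is not None:               # CIDR member, compared to the client IP
            hit = hit or ipaddress.ip_address(ip) in ipaddress.ip_network(member)
    return hit != negate

def spec_matches(spec, ip, addr, sasl):
    """Items inside one spec are ANDed, following the post's 'A AND B' reading."""
    return all(item_matches(i.strip(), ip, addr, sasl) for i in spec.split(","))

def matched_policies(policies, msg):
    """Return names of policies with at least one member matching the message."""
    out = []
    for name, members in policies.items():
        if any(spec_matches(src, msg["client_ip"], msg["sender"], msg["sasl"])
               and spec_matches(dst, None, msg["recipient"], None)
               for src, dst in members):
            out.append(name)
    return out

BEFORE = {
    "Default Inbound": [("!%internal_ips,!%internal_domains", "%internal_domains")],
    "Default Internal": [("%internal_ips,%internal_domains", "%internal_domains")],
}
AFTER = {
    "Default Inbound": [("!%internal_ips,!%internal_domains,$-", "%internal_domains")],
    "Default Internal": [("%internal_ips,%internal_domains", "%internal_domains"),
                         ("$*", "%internal_domains")],
}
# Constructed messages: same envelope, with and without SMTP AUTH.
AUTHED = {"client_ip": "203.0.113.7", "sender": "alias@foreign.test",
          "sasl": "user@example.com", "recipient": "bob@example.com"}
ANON = dict(AUTHED, sasl=None)

if __name__ == "__main__":
    for label, pol in (("before", BEFORE), ("after", AFTER)):
        print(label, matched_policies(pol, AUTHED), matched_policies(pol, ANON))
```
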

2

Re: Suggestion - change of cluebringer configuration

I think you're right. Did you already test it on your production server?

3

Re: Suggestion - change of cluebringer configuration

Yes, I have all the changes applied on my production server and no complaints so far.

I have tested the "Default Inbound" rule and the change does what we need.

The rest has low to zero impact on my system (don't use no-greylisting policy and SPF and Quota is off) - I did it just to have the adjustment complete and consistent with the rest of the rules.

Btw. The cluebringer setup is quite tricky :-/

4

Re: Suggestion - change of cluebringer configuration

OK, I will apply this adjustment in the next release of iRedMail and iRedAdmin-Pro. Thanks very much for your feedback.

5

Re: Suggestion - change of cluebringer configuration

I'm happy to help! Cheers!

6

Re: Suggestion - change of cluebringer configuration

Hi camel1cz,

I rechecked this change and did some basic tests, and I found '$*/$-' is not supported by Cluebringer 2.0.x, so I'm afraid that I have to delay it.
Since Linux/BSD distributions will need some time to commit a new version, I guess it will take a long time for iRedMail to use Cluebringer 2.1.0.