1

Topic: System Whitelists question

==== Required information ====
- iRedMail version: 0.8.7
- iRedAdmin-Pro-LDAP version 2.1.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: CentOS 6.5
- Related log if you're reporting an issue:
====

Dear iRedAdmin-Pro Support,
I have a question concerning the usage of system level Whitelists and Blacklists.

Suppose I want to define a Whitelist to allow a given sender address to be accepted for all the domains and accounts managed by our iRedMail installation even if the sending IP is listed in some RBL.

I tried to go into the iRedAdmin web interface, tab "System" -> "Whitelist" -> "Add Whitelist" and to place the sender address into the box named "Whitelist records" in the form: user@domain.
Then I tried to send an email from that address (whose smtp server is blacklisted) to one of our email accounts: destination@domain
The server (postfix) rejected the email:

Jul 16 11:56:02 XXXXX postfix/smtpd[32525]: NOQUEUE: reject: RCPT from unknown[XXX.XXX.XXX.XXX]: 554 5.7.1 Service unavailable; Client host [XXX.XXX.XXX.XXX] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=XXX.XXX.XXX.XXX; from=<user@domain> to=<destination@domain> proto=ESMTP helo=<bender>

My relevant postfix configuration is the following:

smtpd_recipient_restrictions = permit_mynetworks, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, reject_unauth_destination, reject_invalid_helo_hostname, reject_rbl_client zen.spamhaus.org

In my understanding, the rule: check_policy_service inet:127.0.0.1:10031 which is placed before the RBL check, should have fired and should have let the mail pass.

As a countercheck I placed a system Blacklist on an address whose smtp server is not blacklisted and the mail server rejected the mail with the message:

Jul 16 16:14:29 XXXXXX postfix/smtpd[19542]: NOQUEUE: reject: RCPT from unknown[XXX.XXX.XXX.XXX]: 554 5.7.1 <user2@domain2>: Recipient address rejected: Policy Rejection- Abuse. Go away.; from=<sender@domain> to=<user2@domain2> proto=ESMTP helo=<remotesmtp>

thus policyd rejected the mail as expected.

My question is: why didn't the whitelist rule work in the first case? Am I missing something?

Kind Regards.

Riccardo


2

Re: System Whitelists question

riccardo.brunetti wrote:

In my understanding, the rule: check_policy_service inet:127.0.0.1:10031 which is placed before the RBL check, should have fired and should have let the mail pass.

Postfix will apply the restriction rules in the specified order. So I'm confused too. We have to turn on debug in Postfix for this client:

debug_peer_list = IP_of_whitelisted_sender_server

Restart Postfix service, then check how Postfix applies restriction rules in smtpd_recipient_restrictions and what they returned to Postfix.

By the way, your smtpd_recipient_restrictions value is improper, please use default value set by iRedMail:

smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

And place 'reject_rbl_client zen.spamhaus.org' after 'reject_unauth_destination'.

3

Re: System Whitelists question

Dear ZhangHuangbin.

Thank you very much for the prompt reply.
I tried to follow your suggestion, activating the postfix debug and replacing the smtpd_recipient_restrictions in the way you showed.
Nevertheless, the result of the test is the same as before, the whitelist is ignored.
The log file is attached.

As you can see, the log file in debug mode seems to be somehow incomplete. There is no "NOQUEUE: reject:" line, even if the message has been actually rejected, and the event log ends with a message from policyd.

I can't get any clue by looking at this log. Can you help me?

Kind Regards.

Riccardo

Post's attachments

postfix_debug.out 17.49 kb

4

Re: System Whitelists question

Hello ZhangHuangbin,

I work with Riccardo and I've probably found out what's wrong in the original issue: we use policyd 1.82 and I've enabled policyd debug + sniffed the connection between smtp and policyd.

It looks like policyd correctly finds the whitelisted entry:

Jul 17 11:36:26 mtaname policyd: DEBUG: fd: 8, db_optquery(): SELECT COUNT(*) FROM whitelist_sender WHERE _whitelist='@domain.net' OR _whitelist='user@domain.net'
Jul 17 11:36:26 mtaname policyd: DEBUG: fd: 8 row: 0 data: 1 (recieved)
Jul 17 11:36:26 mtaname policyd: DEBUG: fd: 8 row: 0 data: 1 (extracted)
Jul 17 11:36:26 mtaname policyd: DEBUG: fd: 8 whitelist sender found: domain.net/user@domain.net
Jul 17 11:36:26 mtaname policyd: DEBUG: fd: 8 bypassing other modules

but then answers smtpd with "action=dunno" instead of OK, thus letting Postfix continue with all the other rules. This is where the RBL then kicks in.

This is indeed in the policyd source code (from policyd.h):

#define POSTFIX_X_HEADER        "action=prepend X-Greylist: Passed"
#define POSTFIX_GOOD            "action=dunno\n\n"
#define POSTFIX_GREYLIST        "action=defer_if_permit Policy Rejection-"
#define POSTFIX_BAD_SIZE        "action=reject Policy Rejection-"
#define POSTFIX_SPAMTRAP        "action=reject Policy Rejection-"
#define POSTFIX_BLACKLIST_PERM  "action=reject Policy Rejection-"
#define POSTFIX_BLACKLIST_TEMP  "action=defer_if_permit Policy Rejection-"
#define POSTFIX_MODULE_FAILURE  "action=defer_if_permit Policy Rejection- Invalid data\n\n"
#define POSTFIX_QUOTA_EXCEEDED_PERM  "action=reject Policy Rejection-"
#define POSTFIX_QUOTA_EXCEEDED_TEMP  "action=defer_if_permit Policy Rejection-"

Does this make sense to you?

Our question now is: do you know if cluebringer (policyd 2.x) is able to really whitelist using "action=ok" ?

Thanks,
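The two points made in the thread so far (post 2: Postfix walks smtpd_recipient_restrictions in the listed order; post 4: a policyd 1.x whitelist hit answers "action=dunno", so the walk continues to reject_rbl_client) can be reproduced without a mail server. The following is an added example, not code from the thread, iRedMail, iRedAPD or policyd: it parses a request in the Postfix SMTPD policy delegation wire format, answers it the way a whitelist module would, and then simulates the restriction walk. The sender, recipient domain example.org, the RBL-listed IP 203.0.113.10, the function names and the reduced set of actions handled are all assumptions for the illustration; real Postfix consults DNS for reject_rbl_client and supports more access(5) actions than are modelled here.

```python
"""Added example (not iRedMail, iRedAPD or policyd code): a minimal Postfix
SMTPD policy responder plus a simulation of how Postfix walks
smtpd_recipient_restrictions. It reproduces the thread's finding that a
whitelist hit answered with "action=dunno" does not stop a later
reject_rbl_client check, while "action=OK" does."""

# Constructed sample data mirroring the thread: one whitelisted sender and
# one client IP that a DNSBL lists. Real DNSBL lookups are replaced by a set.
WHITELIST_SENDERS = {"user@domain.net", "@domain.net"}
RBL_LISTED_IPS = {"203.0.113.10"}
MYNETWORKS_PREFIXES = ("127.", "10.")
LOCAL_DOMAIN_SUFFIX = "@example.org"  # assumed local domain

# Reduced set of access(5) actions that end the restriction walk.
# DEFER_IF_PERMIT is handled separately: it only bites if something later permits.
TERMINAL = {"OK", "REJECT", "DEFER", "DISCARD"}


def parse_policy_request(raw):
    """Parse one Postfix policy request: 'name=value' lines, blank line ends it."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def whitelist_reply(attrs, terminate_on_hit):
    """Answer like a sender-whitelist module. policyd 1.x replies DUNNO even on
    a hit (POSTFIX_GOOD in policyd.h); a whitelist that is meant to bypass
    later restrictions must reply OK."""
    sender = attrs.get("sender", "").lower()
    domain_pattern = "@" + sender.partition("@")[2]
    hit = sender in WHITELIST_SENDERS or domain_pattern in WHITELIST_SENDERS
    if hit and terminate_on_hit:
        return "action=OK\n\n"
    return "action=DUNNO\n\n"


def walk_restrictions(restrictions, attrs, policy_reply):
    """Evaluate a restriction list the way smtpd does: the first non-DUNNO
    result wins, an exhausted list is an implicit permit, and a pending
    DEFER_IF_PERMIT is applied only if the outcome would otherwise permit."""
    pending_defer = False
    for r in restrictions:
        result = "DUNNO"
        if r == "permit_mynetworks":
            if attrs["client_address"].startswith(MYNETWORKS_PREFIXES):
                result = "OK"
        elif r.startswith("check_policy_service"):
            reply = policy_reply(attrs)
            action = reply.split("=", 1)[1].split()[0].upper()
            if action == "DEFER_IF_PERMIT":
                pending_defer = True
            elif action in TERMINAL:
                result = action
        elif r.startswith("reject_rbl_client"):
            if attrs["client_address"] in RBL_LISTED_IPS:
                result = "REJECT"
        elif r == "reject_unauth_destination":
            if not attrs["recipient"].endswith(LOCAL_DOMAIN_SUFFIX):
                result = "REJECT"
        # Any other restriction from the thread's config is treated as DUNNO.
        if result == "OK":
            return ("DEFER", r) if pending_defer else ("OK", r)
        if result != "DUNNO":
            return (result, r)
    return ("DEFER", None) if pending_defer else ("OK", None)


RESTRICTIONS = [
    "permit_mynetworks",
    "check_policy_service inet:127.0.0.1:10031",
    "reject_unauth_destination",
    "reject_rbl_client zen.spamhaus.org",
]

# Constructed request in the wire format smtpd sends to a policy server.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.10\n"
    "sender=user@domain.net\n"
    "recipient=destination@example.org\n"
    "\n"
)


def outcome(terminate_on_hit):
    """Result of the walk for the sample request with the chosen whitelist reply."""
    attrs = parse_policy_request(SAMPLE_REQUEST)
    return walk_restrictions(
        RESTRICTIONS, attrs, lambda a: whitelist_reply(a, terminate_on_hit))


if __name__ == "__main__":
    print("policyd 1.x (DUNNO on hit):", outcome(False))  # rejected by the RBL
    print("whitelist answering OK    :", outcome(True))   # accepted before RBL
```

With the DUNNO reply the walk reaches reject_rbl_client and the listed client is rejected, exactly as in the NOQUEUE line from the first post; with an OK reply the walk stops at check_policy_service and the RBL is never consulted. This is also why post 2's advice to move reject_rbl_client after reject_unauth_destination cannot help on its own: position only matters once the whitelist returns a terminating action.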

5

Re: System Whitelists question

AndreaC wrote:

Our question now is: do you know if cluebringer (policyd 2.x) is able to really whitelist using "action=ok" ?

Yes, it's the default action set by iRedMail. Check it out:
https://bitbucket.org/zhb/iredmail/src/ … ault#cl-47

6

Re: System Whitelists question

ZhangHuangbin wrote:
AndreaC wrote:

Our question now is: do you know if cluebringer (policyd 2.x) is able to really whitelist using "action=ok" ?

Yes, it's the default action set by iRedMail. Check it out:
https://bitbucket.org/zhb/iredmail/src/ … ault#cl-47

Thank you. We will upgrade.

.a.c.