1 (edited by InformaticaTTU 2015-01-16 01:57:31)

Topic: Postfix whitelist, how i can add a host?

==== Required information ====
- iRedMail version: 0.9.0
- iRedAdminPro version: 1.9.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian 7
- Related log if you're reporting an issue:

Jan 15 18:32:49 srv1m3 postfix/smtpd[1616]: NOQUEUE: reject: RCPT from XXXXXXXX: 450 4.1.8 <gitlab@repositorios.red>: Sender address rejected: Domain not found; from=<gitlab@repositorios.red> to=<xxxxxx@xxxxx.xx> proto=ESMTP helo=<repositorios.red>

====

Hi, recently I've updated to the latest version of iRedAdmin-Pro, and now I don't know how to whitelist an email, domain,... or maybe it doesn't work for me. Of course it is a local host and doesn't exist.

I've entered "System > Add whitelist and blacklist" (iredadmin/create/wblist), and after adding a direction and pressing "add" everything is cleared. Then I pressed the link above called "Add whitelist and blacklist" too (iredadmin/system/wblist) and it seems to work (at least all directions are still there after pressing add and reloading), but the problem is that Postfix is still rejecting mails from that direction or domains...

Do I have to do something else? I've checked amavisd_wblist and it is enabled in iRedAPD.

plugins = ["amavisd_wblist", "reject_null_sender", "reject_sender_login_mismatch", "sql_alias_access_policy", "sql_user_restrictions"]

Thanks!!

P.S.: After adding something to the whitelist I can't delete any entry; after pressing the add button all lines come back again.


2

Re: Postfix whitelist, how i can add a host?

Looks like a bug in iRedAdmin-Pro, will try to reproduce this issue and come back with a fix.
BTW, Suggested iRedAPD plugins order: first should be 'reject_null_sender', then 'reject_sender_login_mismatch', then 'amavisd_wblist', then other plugins.

plugins = ["reject_null_sender", "reject_sender_login_mismatch", "amavisd_wblist", "sql_alias_access_policy", "sql_user_restrictions"]

3

Re: Postfix whitelist, how i can add a host?

Here's patch to fix white/blacklist bug:
http://www.iredmail.org/forum/post35664.html#p35664

4

Re: Postfix whitelist, how i can add a host?

ZhangHuangbin wrote:

Looks like a bug in iRedAdmin-Pro, will try to reproduce this issue and come back with a fix.
BTW, Suggested iRedAPD plugins order: first should be 'reject_null_sender', then 'reject_sender_login_mismatch', then 'amavisd_wblist', then other plugins.

plugins = ["reject_null_sender", "reject_sender_login_mismatch", "amavisd_wblist", "sql_alias_access_policy", "sql_user_restrictions"]

Thanks for info!!, I really had amavisd in last place.

ZhangHuangbin wrote:

Here's patch to fix white/blacklist bug:
http://www.iredmail.org/forum/post35664.html#p35664

Thanks for the fast fix, now one of the whitelist pages works perfectly but the other still doesn't work. I really don't know if that page is necessary, but it is there. To enter that page you should go to the "Add" menu and then press "Add to Whitelist and Blacklist".

About Postfix, I've added my local domain to the whitelist but it is still being blocked. Is that whitelist only for Amavis? How can I add something to the Postfix whitelist?

Thanks!!

5

Re: Postfix whitelist, how i can add a host?

InformaticaTTU wrote:

About postfix, i've added my local domain to whitelist but still being blocked. That whitelist is only for Amavis?, how i can add something to postfix whitelist?

How do you whitelist a domain in Postfix? Could you please paste the related log of the blocked email?

6

Re: Postfix whitelist, how i can add a host?

ZhangHuangbin wrote:
InformaticaTTU wrote:

About postfix, i've added my local domain to whitelist but still being blocked. That whitelist is only for Amavis?, how i can add something to postfix whitelist?

how do you whitelist domain in Postfix? Could you please paste related log of blocked email?


Better a video than an explanation with my bad English ;)

http://youtu.be/lTJohycSI9E

And the log is the same of first post:

Jan 16 11:00:07 srv1m3 postfix/smtpd[26989]: NOQUEUE: reject: RCPT from xxxxxxxxxxxxxxx: 450 4.1.8 <gitlab@repositorios.red>: Sender address rejected: Domain not found; from=<gitlab@repositorios.red> to=<xxxxxxxx@xxx.es> proto=ESMTP helo=<repositorios.red>

Greetings!!

7

Re: Postfix whitelist, how i can add a host?

InformaticaTTU wrote:

<gitlab@repositorios.red>: Sender address rejected: Domain not found

Does mail domain name 'repositorios.red' exist?

iRedMail has below setting in Postfix (main.cf) by default:

smtpd_recipient_restrictions = reject_unknown_sender_domain, ...

With 'reject_unknown_sender_domain', Postfix will query the DNS server to verify whether this mail domain exists or not. If it does not exist, the email is rejected.

8 (edited by InformaticaTTU 2015-01-19 17:49:44)

Re: Postfix whitelist, how i can add a host?

ZhangHuangbin wrote:
InformaticaTTU wrote:

<gitlab@repositorios.red>: Sender address rejected: Domain not found

Does mail domain name 'repositorios.red' exist?

iRedMail has below setting in Postfix (main.cf) by default:

smtpd_recipient_restrictions = reject_unknown_sender_domain, ...

With 'reject_unknown_sender_domain', Postfix will query DNS server to verify whether this mail domain exists or not. If not exist, reject this email.

Repositorios.red exists, but only in the local network. The mail server can't check whether that domain exists, but the problem is that I can't add that email address/domain to the whitelist to avoid that restriction.
This problem came with the latest update, because I added another non-existent address and domain to the old whitelist and it works perfectly with the same configuration, but after updating to 1.9.1 I can't manage that whitelist (but items in that list are still working).

I've investigated the MySQL database, and all items are in "policy_group_members" in the "cluebringer" database. All items in that list are still working (even the non-existent sender from above).

Greetings!!

9

Re: Postfix whitelist, how i can add a host?

It doesn't make sense in this case.

If same Postfix setting works before upgrading, it should work after upgraded. Could you please show us output of command "postconf -n" here?

10

Re: Postfix whitelist, how i can add a host?

ZhangHuangbin wrote:

It doesn't make sense in this case.

If same Postfix setting works before upgrading, it should work after upgraded. Could you please show us output of command "postconf -n" here?

It's very strange, because I've linked the old version of iRedAdmin (1.8.1) and I can see the whole list again, but if I add the blocked address to that list it still doesn't work... I'm lost, because like I said, I have another direction in that list and it works perfectly (root@unix3.red), and the unix3.red domain is non-existent and the server can't check whether it exists. Just like repositorios.red.
Can the problem be the command used to send that email? Because root@unix3.red uses mail and the other uses postfix.

Anyway, I've found a way to configure the server to use a remote SMTP server instead of the local one, so I can fix the problem by creating and using a real account.
Of course I want to know more about this problem, because maybe one day I'll have similar problems with another host with a bad HELO or similar (I had that problem with a client before).

This is my postconf info:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 31457280
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = ghi.es
myhostname = srv1m3.ghi.es
mynetworks = 127.0.0.0/8,94.23.80.83
mynetworks_style = host
myorigin = srv1m3.ghi.es
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /server/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

Greetings and thanks!!

11

Re: Postfix whitelist, how i can add a host?

Do these domain names exist in /etc/hosts or /var/spool/postfix/etc/hosts?

12 (edited by InformaticaTTU 2015-01-20 21:57:49)

Re: Postfix whitelist, how i can add a host?

ZhangHuangbin wrote:

Do these domain names exist in /etc/hosts or /var/spool/postfix/etc/hosts?

No, I can't even ping any of them.

EDIT: Here's the log of root@unix3.red.

Jan 20 08:30:04 srv1m3 cbpolicyd[24167]: module=AccessControl, action=ok, host=xx.xx.xxx.xxx, helo=unix3.red, from=root@unix3.red, to=xxxxxxxxxx@xxxxx.xxx, reason=verdict
Jan 20 08:30:05 srv1m3 postfix/qmgr[4736]: 84B83F61E1: from=<root@unix3.red>, size=720, nrcpt=1 (queue active)
Jan 20 08:30:06 srv1m3 postfix/qmgr[4736]: 340E5F625F: from=<root@unix3.red>, size=1152, nrcpt=1 (queue active)
Jan 20 08:30:06 srv1m3 amavis[5688]: (05688-12) Passed CLEAN {RelayedInternal}, LOCAL [xx.xx.xxx.xxx]:32804 [xx.xx.xxx.xxx] <root@unix3.red> -> <xxxxxxxxxxxx@xxxxxx.xxx>, Queue-ID: 84B83F61E1, Message-ID: <201501200730.t0K7U1226455@unix3.red>, mail_id: Z37Yy9cniaFQ, Hits: -1.899, size: 720, queued_as: 340E5F625F, 513 ms

13

Re: Postfix whitelist, how i can add a host?

Could you please help gather some debug message with below steps:

1) Enable debug mode in iRedAPD, restart iRedAPD service: http://www.iredmail.org/docs/debug.iredapd.html
2) Send a testing email to reproduce this issue.
3) Paste FULL log related to this testing email here.

Note: you may want to hide sensitive information in log.

14

Re: Postfix whitelist, how i can add a host?

ZhangHuangbin wrote:

Could you please help gather some debug message with below steps:

1) Enable debug mode in iRedAPD, restart iRedAPD service: http://www.iredmail.org/docs/debug.iredapd.html
2) Send a testing email to reproduce this issue.
3) Paste FULL log related to this testing email here.

Note: you may want to hide sensitive information in log.

Sorry, but the log doesn't show anything about that. I've seen debug info from before and after my test, but nothing about my test.

Greetings!!

15

Re: Postfix whitelist, how i can add a host?

If no log in iRedAPD, that means this email was rejected before Postfix passes email to iRedAPD. Let's do a quick test, does it work if you remove 'reject_unknown_sender_domain' in Postfix parameter 'smtpd_recipient_restrictions' (in /etc/postfix/main.cf)?

16 (edited by InformaticaTTU 2015-01-22 01:07:11)

Re: Postfix whitelist, how i can add a host?

ZhangHuangbin wrote:

If no log in iRedAPD, that means this email was rejected before Postfix passes email to iRedAPD. Let's do a quick test, does it work if you remove 'reject_unknown_sender_domain' in Postfix parameter 'smtpd_recipient_restrictions' (in /etc/postfix/main.cf)?

Now the email passes from Postfix to iRedAPD, but I think iRedAPD doesn't have a filter for unknown senders.

Debug shows an error connecting to the amavisd database:

2015-01-21 17:54:17 DEBUG Connect from 127.0.0.1, port 35536.
2015-01-21 17:54:17 DEBUG smtp session: request=smtpd_access_policy
2015-01-21 17:54:17 DEBUG smtp session: protocol_state=RCPT
2015-01-21 17:54:17 DEBUG smtp session: protocol_name=ESMTP
2015-01-21 17:54:17 DEBUG smtp session: client_address=xx.xx.xx.xxx
2015-01-21 17:54:17 DEBUG smtp session: client_name=xx.xx.xx.xxx
2015-01-21 17:54:17 DEBUG smtp session: reverse_client_name=xx.xxx.xxx.xxx
2015-01-21 17:57:17 DEBUG smtp session: helo_name=repositorios.red
2015-01-21 17:54:17 DEBUG smtp session: sender=gitlab@repositorios.red
2015-01-21 17:54:17 DEBUG smtp session: recipient=xxxxxxxxx@xxxx.xx
2015-01-21 17:54:17 DEBUG smtp session: recipient_count=0
2015-01-21 17:54:17 DEBUG smtp session: queue_id=
2015-01-21 17:54:17 DEBUG smtp session: instance=1664.54bfd9b9.39a8a.0
2015-01-21 17:54:17 DEBUG smtp session: size=2299
2015-01-21 17:54:17 DEBUG smtp session: etrn_domain=
2015-01-21 17:54:17 DEBUG smtp session: stress=
2015-01-21 17:54:17 DEBUG smtp session: sasl_method=
2015-01-21 17:54:17 DEBUG smtp session: sasl_username=
2015-01-21 17:54:17 DEBUG smtp session: sasl_sender=
2015-01-21 17:54:17 DEBUG smtp session: ccert_subject=
2015-01-21 17:54:17 DEBUG smtp session: ccert_issuer=
2015-01-21 17:54:17 DEBUG smtp session: ccert_fingerprint=
2015-01-21 17:54:17 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-01-21 17:54:17 DEBUG smtp session: encryption_protocol=
2015-01-21 17:54:17 DEBUG smtp session: encryption_cipher=
2015-01-21 17:54:17 DEBUG smtp session: encryption_keysize=0
2015-01-21 17:54:17 DEBUG --> Apply plugin: reject_null_sender
2015-01-21 17:54:17 DEBUG <-- Result: DUNNO
2015-01-21 17:54:17 DEBUG --> Apply plugin: reject_sender_login_mismatch
2015-01-21 17:54:17 DEBUG SKIP: No SASL username.
2015-01-21 17:54:17 DEBUG <-- Result: DUNNO
2015-01-21 17:54:17 DEBUG Creating Amavisd database connection.
2015-01-21 17:54:17 DEBUG Error while creating Amavisd database connection: 'module' object has no attribute 'amavisd_db_server'
2015-01-21 17:54:17 DEBUG Skip plugin, error while getting db cursor: AmavisdDBWrap instance has no attribute 'cursor'
2015-01-21 17:54:17 DEBUG --> Apply plugin: sql_alias_access_policy
2015-01-21 17:54:17 DEBUG SQL: query access policy: SELECT accesspolicy, goto, moderators
            FROM alias
            WHERE
                address='xxxxxxx@xxxxxx.xx'
                AND address <> goto
                AND active=1
            LIMIT 1
    
2015-01-21 17:54:17 DEBUG SQL: record: None
2015-01-21 17:54:17 DEBUG <-- Result: DUNNO (Not mail alias)
2015-01-21 17:54:17 DEBUG --> Apply plugin: sql_user_restrictions
2015-01-21 17:54:17 DEBUG SQL to get restriction rules of sender (gitlab@repositorios.red): 
        SELECT
            allowedrecipients, rejectedrecipients,
            allowedsenders, rejectedsenders
        FROM mailbox
        WHERE username='gitlab@repositorios.red'
        LIMIT 1
    
2015-01-21 17:54:17 DEBUG Returned SQL Record: None
2015-01-21 17:54:17 DEBUG SQL to get restriction rules of recipient (xxxxxxx@xxxxxx.xx): 
            SELECT
                allowedrecipients, rejectedrecipients,
                allowedsenders, rejectedsenders
            FROM mailbox
            WHERE username='xxxxxxx@xxxxxx.xx'
            LIMIT 1
        
2015-01-21 17:54:17 DEBUG Returned SQL Record: (None, None, None, None)
2015-01-21 17:54:17 DEBUG No recipient restriction.
2015-01-21 17:54:17 DEBUG <-- Result: DUNNO
2015-01-21 17:54:17 DEBUG Error while closing Amavisd database connection: AmavisdDBWrap instance has no attribute 'cursor'
2015-01-21 17:54:17 INFO [83.52.60.242] gitlab@repositorios.red -> xxxxxxx@xxxxxx.xx, DUNNO
2015-01-21 17:54:17 DEBUG Session ended
2015-01-21 17:54:17 DEBUG Closed SQL connection.

Greetings!!

17

Re: Postfix whitelist, how i can add a host?

InformaticaTTU wrote:

Now email pass from postfix to iredapd

We don't expect to get some useful info in iRedAPD log in this case, we just want to find out which Postfix restriction rule rejected your email. And it turns out it's 'reject_unknown_sender_domain' in 'smtpd_recipient_restrictions'.

Maybe you can place additional restriction rule in Postfix parameter 'smtpd_sender_restrictions' like this:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, ...

Then create file /etc/postfix/sender_access with below content:

gitlab@repositorios.red OK
# OR:
#repositorios.red OK

Execute 'postmap' to generate/update hash db:

# postmap hash:/etc/postfix/sender_access

18 (edited by InformaticaTTU 2015-01-22 17:54:37)

Re: Postfix whitelist, how i can add a host?

ZhangHuangbin wrote:
InformaticaTTU wrote:

Now email pass from postfix to iredapd

We don't expect to get some useful info in iRedAPD log in this case, we just want to find out which Postfix restriction rule rejected your email. And it turns out it's 'reject_unknown_sender_domain' in 'smtpd_recipient_restrictions'.

Maybe you can place additional restriction rule in Postfix parameter 'smtpd_sender_restrictions' like this:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access, ...

Then create file /etc/postfix/sender_access with below content:

gitlab@repositorios.red OK
# OR:
#repositorios.red OK

Execute 'postmap' to generate/update hash db:

# postmap hash:/etc/postfix/sender_access

Thanks for the tip!! It didn't work for me in smtpd_sender_restrictions, but I've added it to smtpd_recipient_restrictions and it is working fine:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/recipient_access, reject_unknown_sender_domain, ...

Greetings!!
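
The thread's outcome comes down to evaluation order: an OK from check_sender_access ends only the restriction list it sits in, so it skips reject_unknown_sender_domain only when it precedes it in the same list, and placed there it also skips reject_unauth_destination for any client presenting that envelope sender. The Python model below is an added example, not iRedMail or Postfix code; the example.org/example.net domains, client IPs, recipients and the "alt" ordering are assumptions, and it ignores policy services and smtpd_relay_restrictions (Postfix 2.10 and later).

```python
# Added example: simplified model of how Postfix walks its smtpd restriction lists.
# Constructed values: example.org/example.net, both client IPs, all recipients.
RESOLVABLE = {"example.org", "example.net"}        # sender domains with DNS records
LOCAL_DOMAINS = {"example.org"}                    # domains this server is final for
MYNETWORKS = {"127.0.0.1"}
SENDER_ACCESS = {"gitlab@repositorios.red": "OK"}  # table content from the thread

def domain(addr):
    return addr.rsplit("@", 1)[1]

def check(rule, s):
    """Verdict of one restriction: 'OK', 'REJECT' or 'DUNNO'."""
    if rule == "check_sender_access":
        return SENDER_ACCESS.get(s["sender"], SENDER_ACCESS.get(domain(s["sender"]), "DUNNO"))
    if rule == "reject_unknown_sender_domain":
        return "DUNNO" if domain(s["sender"]) in RESOLVABLE else "REJECT"
    if rule == "permit_mynetworks":
        return "OK" if s["client"] in MYNETWORKS else "DUNNO"
    if rule == "reject_unauth_destination":
        return "DUNNO" if domain(s["rcpt"]) in LOCAL_DOMAINS else "REJECT"
    return "DUNNO"  # policy services and other rules are not modelled

def evaluate(config, s):
    for name in ("sender", "recipient"):            # lists run in this order
        for rule in config[name]:
            verdict = check(rule, s)
            if verdict == "REJECT":
                return "REJECT: %s in smtpd_%s_restrictions" % (rule, name)
            if verdict == "OK":
                break                               # ends this list only
    return "ACCEPT"

RCPT = ["reject_unknown_sender_domain", "permit_mynetworks", "reject_unauth_destination"]
CONFIGS = {
    "default": {"sender": ["permit_mynetworks"], "recipient": RCPT},
    "post 17": {"sender": ["check_sender_access", "permit_mynetworks"], "recipient": RCPT},
    "post 18": {"sender": ["permit_mynetworks"], "recipient": ["check_sender_access"] + RCPT},
    # Assumed alternative, not from the thread: keep the exemption in the sender list.
    "alt": {"sender": ["check_sender_access", "reject_unknown_sender_domain", "permit_mynetworks"],
            "recipient": ["permit_mynetworks", "reject_unauth_destination"]},
}
SESSIONS = {
    "local delivery": {"client": "192.0.2.10", "sender": "gitlab@repositorios.red",
                       "rcpt": "user@example.org"},
    "relay attempt": {"client": "198.51.100.7", "sender": "gitlab@repositorios.red",
                      "rcpt": "user@example.net"},
}

def results():
    return {(c, s): evaluate(cfg, sess)
            for c, cfg in CONFIGS.items() for s, sess in SESSIONS.items()}

if __name__ == "__main__":
    for (cfg, sess), verdict in results().items():
        print("%-8s %-15s %s" % (cfg, sess, verdict))
```

In this model the "post 18" ordering accepts the relay attempt as well as the local delivery, while the "alt" ordering still exempts the sender from the DNS check but leaves reject_unauth_destination in force.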