1 Topic by Peter (edited by Peter 2015-07-01 00:14:22)

  • Peter
  • Member
  • Offline
  • Registered: 2014-10-14
  • Posts: 54

Topic: Emails from "mynetworks"

==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.2
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro? yes
- Related log if you're reporting an issue:
====

After migration to iRedMail emails from our webservers / monitoring scripts are rejected by iRedMail:

Recipient address rejected: Policy rejection

1.) NOQUEUE: reject: RCPT from unknown[xx.xx.xx.xx]: 554 5.7.1 <szsupport@example.com>: Recipient address rejected: Policy rejection; from=<> to=<szsupport@example.com> proto=ESMTP helo=<production.example.com>

- Recipient address exists and works
- maybe from=<> makes problem?

Anyway, I trust my servers and they should be allowed to send emails  to us despite some wrong settings.


Sender address rejected: Domain not found

2:) NOQUEUE: reject: RCPT from unknown[xx.xx.xx.xx]: 450 4.1.8 <root@postfix-fake-domain.com>: Sender address rejected: Domain not found;

- yes, the domain postfix-fake-domain.com doesn't exists but I don't care if our trusted server sends this rubbish.



Solution

- I did list our IP subnets in the mynetworks parameter at /etc/postfix/main.cf:

mynetworks = 127.0.0.1, [IP], [IP/Subnet], etc.


- I changed these rules:

smtpd_sender_restrictions =
        permit_mynetworks,
        reject_unknown_sender_domain,
        reject_non_fqdn_sender,
        reject_unlisted_sender,
        permit_sasl_authenticated

smtpd_recipient_restrictions =
        reject_unknown_recipient_domain,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        permit_mynetworks, <----- was listed after :7777
        check_policy_service inet:127.0.0.1:7777,
        permit_sasl_authenticated,
        reject_unauth_destination

Question

- is this solution acceptable or does it open the door for others (spamers)?
- is there better solution?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: Emails from "mynetworks"

Peter wrote:

Recipient address rejected: Policy rejection; from=<>

Caused by iRedAPD 'reject_null_sender', you should list trusted IP addresses in /opt/iredapd/settings.py like this:

MYNETWORKS = ['xx.xx.xx.xx', 'yy.yy.yy.yy']

Note: ip network is not supported right now, please use single IP address(es).

I suggest you reverse changes in other config files.

3 Reply by Peter

  • Peter
  • Member
  • Offline
  • Registered: 2014-10-14
  • Posts: 54

Re: Emails from "mynetworks"

There might be other wrong configurations to our servers (some are old). We do not have the time to solve those problems. MYNETWORKS will pass all emails from our servers if recipient exists? Even the second case with non existing sender domain?

Would be nice if iRedAPD uses mynetworks from postfix configuration ;-)

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,770

Re: Emails from "mynetworks"

Peter wrote:

MYNETWORKS will pass all emails from our servers if recipient exists? Even the second case with non existing sender domain?

In iRedAPD, MYNETWORKS is only used by plugin 'reject_null_sender'.

Peter wrote:

Would be nice if iRedAPD uses mynetworks from postfix configuration ;-)

No plan yet, sorry.