1

Topic: Access policies not working on moderated alias

==== Required information ====
- iRedMail version (check /etc/iredmail-release): v0.9.2
- Linux/BSD distribution name and version:  CentOS 7 (3.10.0-229.14.1.el7.x86_64)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):  Apache
- Manage mail accounts with iRedAdmin-Pro?  No
- Related log if you're reporting an issue:
====

I've been trying to create an alias and restrict it to only allow mail from certain senders through.  I'm using MySQL as my back end and have the following entry for the list in vmail.alias:

address: listname@domain.com
goto:  currently a single user on another domain that I have access to - will be updated to a comma separated list once working.
name:  blank <- optional name for the list for Pro I'm guessing? 
moderators:  comma separated list of one mail domain and one other domain user that should be able to email the list.
accesspolicy: "moderators"
domain: domain.com
islist:  0  <-- What does this setting do?  It was set to 0 by default when I followed the basic instructions for adding an alias.
Created and Modified both: 0000-00-00 00:00:00  <-- will update to add the real time of creation on future entries.
expired: 9999-12-31 00:00:00
active: 1

The list itself does work and forwards mail to my account on another domain but it accepts email from any sender, not just the two addresses that I've listed as moderators.  I've tried mailing it from both local accounts and my gmail account with the same results.  We want to run several moderated distribution lists on this server so any help you can provide for getting this functionality working would be appreciated.

Purchasing iRedMail Pro to manage aliases is planned for the future but for now I have to manage these through the DB directly.


2

Re: Access policies not working on moderated alias

fulkren wrote:

islist:  0  <-- What does this setting do?  It was set to 0 by default when I followed the basic instructions for adding an alias.

This must be 'islist=1' for a mail alias account, please update it and try again.

3

Re: Access policies not working on moderated alias

ZhangHuangbin wrote:
fulkren wrote:

islist:  0  <-- What does this setting do?  It was set to 0 by default when I followed the basic instructions for adding an alias.

This must be 'islist=1' for a mail alias account, please update it and try again.

I've updated 'islist' to 1 and so far no difference.  The list still accepts email from non-moderator email addresses.  It even accepts mail from my gmail account.   The 'moderators' should just be a comma separated (no space between comma and entries) list of email addresses correct?  I currently have two email addresses listed, one mail domain user and my work email.

4

Re: Access policies not working on moderated alias

Please turn on debug mode in iRedAPD, then send one more testing email again. Extract full log related to this testing email in /var/log/iredapd.log and paste here.

Reference: http://www.iredmail.org/docs/debug.iredapd.html

5

Re: Access policies not working on moderated alias

Here's the extract from the log:

2015-10-15 08:18:00 INFO Starting iRedAPD (version: 1.6.0, backend: mysql), listening on 127.0.0.1:7777.
2015-10-15 08:18:00 INFO Loading plugin: reject_null_sender
2015-10-15 08:18:00 INFO Loading plugin: amavisd_message_size_limit
2015-10-15 08:18:00 INFO Loading plugin: amavisd_wblist
2015-10-15 08:18:00 INFO Loading plugin: sql_alias_access_policy
2015-10-15 08:18:08 DEBUG Connect from 127.0.0.1, port 37067.
2015-10-15 08:18:08 DEBUG smtp session: request=smtpd_access_policy
2015-10-15 08:18:08 DEBUG smtp session: protocol_state=RCPT
2015-10-15 08:18:08 DEBUG smtp session: protocol_name=ESMTP
2015-10-15 08:18:08 DEBUG smtp session: client_address=10.232.1.199
2015-10-15 08:18:08 DEBUG smtp session: client_name=at1.priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: reverse_client_name=at1.priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: helo_name=at1.priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: sender=testsender@at1.priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: recipient=testlist@priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: recipient_count=0
2015-10-15 08:18:08 DEBUG smtp session: queue_id=
2015-10-15 08:18:08 DEBUG smtp session: instance=7bac.561fb5a0.a35d3.0
2015-10-15 08:18:08 DEBUG smtp session: size=382
2015-10-15 08:18:08 DEBUG smtp session: etrn_domain=
2015-10-15 08:18:08 DEBUG smtp session: stress=
2015-10-15 08:18:08 DEBUG smtp session: sasl_method=
2015-10-15 08:18:08 DEBUG smtp session: sasl_username=
2015-10-15 08:18:08 DEBUG smtp session: sasl_sender=
2015-10-15 08:18:08 DEBUG smtp session: ccert_subject=
2015-10-15 08:18:08 DEBUG smtp session: ccert_issuer=
2015-10-15 08:18:08 DEBUG smtp session: ccert_fingerprint=
2015-10-15 08:18:08 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-10-15 08:18:08 DEBUG smtp session: encryption_protocol=
2015-10-15 08:18:08 DEBUG smtp session: encryption_cipher=
2015-10-15 08:18:08 DEBUG smtp session: encryption_keysize=0
2015-10-15 08:18:08 DEBUG --> Apply plugin: reject_null_sender
2015-10-15 08:18:08 DEBUG <-- Result: DUNNO
2015-10-15 08:18:08 DEBUG Skip plugin: amavisd_message_size_limit (protocol_state != RCPT)
2015-10-15 08:18:08 DEBUG --> Apply plugin: amavisd_wblist
2015-10-15 08:18:08 DEBUG Possible policy senders: ['@.', 'testsender@at1.priv.ccconline.org', '@at1.priv.ccconline.org', '@.at1.priv.ccconline.org', '@priv.ccconline.org', '@.priv.ccconline.org', '@ccconline.org', '@.ccconline.org', '@org', '@.org', '10.232.1.199', '10.*.*.*', '10.*.*.199', '10.232.*.*', '10.232.*.199', '10.232.1.*', '*.*.1.199', '10.*.1.199', '*.232.1.199', '*.*.*.*', '*.*.*.199']
2015-10-15 08:18:08 DEBUG Possible policy recipients: ['@.', 'testlist@priv.ccconline.org', '@priv.ccconline.org', '@.priv.ccconline.org', '@ccconline.org', '@.ccconline.org', '@org', '@.org', 'testlist@*']
2015-10-15 08:18:08 DEBUG SQL: Get policy senders: SELECT id,email FROM mailaddr WHERE email IN ('@.', 'testsender@at1.priv.ccconline.org', '@at1.priv.ccconline.org', '@.at1.priv.ccconline.org', '@priv.ccconline.org', '@.priv.ccconline.org', '@ccconline.org', '@.ccconline.org', '@org', '@.org', '10.232.1.199', '10.*.*.*', '10.*.*.199', '10.232.*.*', '10.232.*.199', '10.232.1.*', '*.*.1.199', '10.*.1.199', '*.232.1.199', '*.*.*.*', '*.*.*.199') ORDER BY priority DESC
2015-10-15 08:18:08 DEBUG No senders found in SQL database.
2015-10-15 08:18:08 DEBUG <-- Result: DUNNO
2015-10-15 08:18:08 DEBUG --> Apply plugin: sql_alias_access_policy
2015-10-15 08:18:08 DEBUG [SQL] query access policy:
SELECT accesspolicy, goto, moderators
               FROM alias
              WHERE
                    address='testlist@priv.ccconline.org'
                    AND islist=1
                    AND active=1
              LIMIT 1
   
2015-10-15 08:18:08 DEBUG SQL query result: ('moderators', 'justin.sherrill@cccs.edu', 'justin.sherrill@cccs.edu,jsherrill2@priv.ccconline.org')
2015-10-15 08:18:08 DEBUG Access policy: moderators
2015-10-15 08:18:08 DEBUG members: justin.sherrill@cccs.edu
2015-10-15 08:18:08 DEBUG moderators: justin.sherrill@cccs.edu, jsherrill2@priv.ccconline.org
2015-10-15 08:18:08 DEBUG [SQL] query alias domains:
SELECT alias_domain
               FROM alias_domain
              WHERE
                    alias_domain='at1.priv.ccconline.org'
                    AND target_domain='priv.ccconline.org'
              LIMIT 1
             
2015-10-15 08:18:08 DEBUG No alias domain.
2015-10-15 08:18:08 DEBUG <-- Result: DUNNO (Policy is not defined: moderators)
2015-10-15 08:18:08 INFO [10.232.1.199] RCPT, testsender@at1.priv.ccconline.org -> testlist@priv.ccconline.org, DUNNO
2015-10-15 08:18:08 DEBUG Session ended
2015-10-15 08:18:08 DEBUG smtp session: request=smtpd_access_policy
2015-10-15 08:18:08 DEBUG smtp session: protocol_state=END-OF-MESSAGE
2015-10-15 08:18:08 DEBUG smtp session: protocol_name=ESMTP
2015-10-15 08:18:08 DEBUG smtp session: client_address=10.232.1.199
2015-10-15 08:18:08 DEBUG smtp session: client_name=at1.priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: reverse_client_name=at1.priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: helo_name=at1.priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: sender=testsender@at1.priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: recipient=testlist@priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: recipient_count=1
2015-10-15 08:18:08 DEBUG smtp session: queue_id=B3A24C05BC
2015-10-15 08:18:08 DEBUG smtp session: instance=7bac.561fb5a0.a35d3.0
2015-10-15 08:18:08 DEBUG smtp session: size=382
2015-10-15 08:18:08 DEBUG smtp session: etrn_domain=
2015-10-15 08:18:08 DEBUG smtp session: stress=
2015-10-15 08:18:08 DEBUG smtp session: sasl_method=
2015-10-15 08:18:08 DEBUG smtp session: sasl_username=
2015-10-15 08:18:08 DEBUG smtp session: sasl_sender=
2015-10-15 08:18:08 DEBUG smtp session: ccert_subject=
2015-10-15 08:18:08 DEBUG smtp session: ccert_issuer=
2015-10-15 08:18:08 DEBUG smtp session: ccert_fingerprint=
2015-10-15 08:18:08 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-10-15 08:18:08 DEBUG smtp session: encryption_protocol=
2015-10-15 08:18:08 DEBUG smtp session: encryption_cipher=
2015-10-15 08:18:08 DEBUG smtp session: encryption_keysize=0
2015-10-15 08:18:08 DEBUG Skip plugin: reject_null_sender (protocol_state != END-OF-MESSAGE)
2015-10-15 08:18:08 DEBUG --> Apply plugin: amavisd_message_size_limit
2015-10-15 08:18:08 DEBUG Message size: 382
2015-10-15 08:18:08 DEBUG Getting applicable policies
2015-10-15 08:18:08 DEBUG Valid policy accounts for recipient testlist@priv.ccconline.org: 'testlist@priv.ccconline.org', '@priv.ccconline.org', '@.priv.ccconline.org', '@.'
2015-10-15 08:18:08 DEBUG SELECT policy_name,message_size_limit
                 FROM users, policy
                 WHERE
                    (users.policy_id=policy.id)
                    AND (users.email IN ('testlist@priv.ccconline.org', '@priv.ccconline.org', '@.priv.ccconline.org', '@.'))
                 ORDER BY users.priority DESC
                 
2015-10-15 08:18:08 DEBUG No policy found.
2015-10-15 08:18:08 DEBUG <-- Result: DUNNO
2015-10-15 08:18:08 DEBUG Skip plugin: amavisd_wblist (protocol_state != END-OF-MESSAGE)
2015-10-15 08:18:08 DEBUG Skip plugin: sql_alias_access_policy (protocol_state != END-OF-MESSAGE)
2015-10-15 08:18:08 INFO [10.232.1.199] END-OF-MESSAGE, testsender@at1.priv.ccconline.org -> testlist@priv.ccconline.org, DUNNO
2015-10-15 08:18:08 DEBUG Session ended

6

Re: Access policies not working on moderated alias

This line:  2015-10-15 08:18:08 DEBUG <-- Result: DUNNO (Policy is not defined: moderators)
caught my attention in the debug output.  I took a look in /opt/iRedAPD-1.6.0/plugins/sql_alias_access_policy.py and looked for an entry for moderators but couldn't find one.  I then switched the policy to membersandmoderatorsonly and that did work.

Is the correct policy for allowing moderators only to publish to the list the AllowedOnly policy?

    elif policy == MAILLIST_POLICY_ALLOWEDONLY:
        # Bypass all moderators.
        if sender in moderators \
           or '*@' + sender_domain in moderators \
           or is_allowed_alias_domain_user(sender,
                                           sender_username,
                                           sender_domain,
                                           recipient_domain,
                                           rcpt_alias_domains,
                                           moderators):
            return SMTP_ACTIONS['default']

        return SMTP_ACTIONS['reject_not_authorized']

7

Re: Access policies not working on moderated alias

Please use policy 'allowedOnly' instead of 'moderators'.

8

Re: Access policies not working on moderated alias

Using 'allowedOnly' instead of 'Moderators' resolved the issue.  I was using an outdated 3rd party document on how to create aliases.  This iRedMail help document shows the currently available access policies:  http://www.iredmail.org/docs/sql.create.mail.alias.html

This issue can be closed.

Thanks.
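
Added example, not part of the original thread and not iRedAPD code: the debug log in this thread shows that an unrecognised accesspolicy value makes sql_alias_access_policy return "DUNNO (Policy is not defined: ...)", so the alias accepts every sender. The Python below scans an iredapd.log captured in debug mode for that result and reports which alias and policy name were affected. The sample lines are constructed in the quoted log's format, the function name is hypothetical, and it assumes sessions are not interleaved in the log.

```python
import re

# Constructed sample in the format of the iRedAPD debug log quoted above.
# The first session repeats the thread's case; the second is invented.
SAMPLE_LOG = """\
2015-10-15 08:18:08 DEBUG smtp session: sender=testsender@at1.priv.ccconline.org
2015-10-15 08:18:08 DEBUG smtp session: recipient=testlist@priv.ccconline.org
2015-10-15 08:18:08 DEBUG --> Apply plugin: sql_alias_access_policy
2015-10-15 08:18:08 DEBUG <-- Result: DUNNO (Policy is not defined: moderators)
2015-10-15 08:18:08 DEBUG Session ended
2015-10-15 08:19:30 DEBUG smtp session: sender=alice@example.com
2015-10-15 08:19:30 DEBUG smtp session: recipient=staff@example.com
2015-10-15 08:19:30 DEBUG --> Apply plugin: sql_alias_access_policy
2015-10-15 08:19:30 DEBUG <-- Result: DUNNO
2015-10-15 08:19:30 DEBUG Session ended
"""

FIELD_RE = re.compile(r" DEBUG smtp session: (sender|recipient)=(.*)$")
UNDEFINED_RE = re.compile(
    r" DEBUG <-- Result: DUNNO \(Policy is not defined: (.*)\)\s*$")


def find_undefined_policies(log_text):
    """Return one finding per policy result that fell through as 'not defined'."""
    findings = []
    session = {}  # sender/recipient of the session currently being read
    for line in log_text.splitlines():
        field = FIELD_RE.search(line)
        if field:
            session[field.group(1)] = field.group(2).strip()
            continue
        undefined = UNDEFINED_RE.search(line)
        if undefined:
            findings.append({
                "time": line[:19],
                "sender": session.get("sender", ""),
                "recipient": session.get("recipient", ""),
                "policy": undefined.group(1),
            })
        elif line.endswith("DEBUG Session ended"):
            session = {}  # assumption: sessions are not interleaved in the log
    return findings


if __name__ == "__main__":
    for f in find_undefined_policies(SAMPLE_LOG):
        print("{time} alias={recipient} policy={policy!r} "
              "sender={sender}: no restriction applied".format(**f))
```

Any alias it reports should have its accesspolicy changed to a value listed in the iRedMail document linked above.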