1

Topic: blacklist recipient on catch-all domain

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.3
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes, 2.4.0
- Related log if you're reporting an issue:
====

I applied the patch from http://www.iredmail.org/forum/topic1041 … blem.html.  However, it appears that my blacklist is getting ignored.

In iRedAdmin-Pro I have the following Blacklisted recipients for the domain TESTDOMAIN.com:
*bugreport@DESTDOMAIN.com

There is NOT a user with the name of bugreport in LDAP.  However, the domain does have a catch all.  So the idea is that bugreport@ would be an exception to this catchall.


2016-01-07 23:49:51 DEBUG smtp session: request=smtpd_access_policy
2016-01-07 23:49:51 DEBUG smtp session: protocol_state=RCPT
2016-01-07 23:49:51 DEBUG smtp session: protocol_name=ESMTP
2016-01-07 23:49:51 DEBUG smtp session: client_address=2600::::::
2016-01-07 23:49:51 DEBUG smtp session: client_name=mail-io0-x22c.google.com
2016-01-07 23:49:51 DEBUG smtp session: reverse_client_name=mail-io0-x22c.google.com
2016-01-07 23:49:51 DEBUG smtp session: helo_name=mail-io0-x22c.google.com
2016-01-07 23:49:51 DEBUG smtp session: sender=TESTSEND@gmail.com
2016-01-07 23:49:51 DEBUG smtp session: recipient=bugreport@DESTDOMAIN.com
2016-01-07 23:49:51 DEBUG smtp session: recipient_count=0
2016-01-07 23:49:51 DEBUG smtp session: queue_id=
2016-01-07 23:49:51 DEBUG smtp session: instance=42c5.568f3fef.dcbe9.0
2016-01-07 23:49:51 DEBUG smtp session: size=2038
2016-01-07 23:49:51 DEBUG smtp session: etrn_domain=
2016-01-07 23:49:51 DEBUG smtp session: stress=
2016-01-07 23:49:51 DEBUG smtp session: sasl_method=
2016-01-07 23:49:51 DEBUG smtp session: sasl_username=
2016-01-07 23:49:51 DEBUG smtp session: sasl_sender=
2016-01-07 23:49:51 DEBUG smtp session: ccert_subject=
2016-01-07 23:49:51 DEBUG smtp session: ccert_issuer=
2016-01-07 23:49:51 DEBUG smtp session: ccert_fingerprint=
2016-01-07 23:49:51 DEBUG smtp session: ccert_pubkey_fingerprint=
2016-01-07 23:49:51 DEBUG smtp session: encryption_protocol=TLSv1.2
2016-01-07 23:49:51 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES128-GCM-SHA256
2016-01-07 23:49:51 DEBUG smtp session: encryption_keysize=128
2016-01-07 23:49:51 DEBUG LDAP connection initialied success.
2016-01-07 23:49:51 DEBUG LDAP bind success.
2016-01-07 23:49:51 DEBUG --> Apply plugin: reject_null_sender
2016-01-07 23:49:51 DEBUG <-- Result: DUNNO
2016-01-07 23:49:51 DEBUG --> Apply plugin: greylisting
2016-01-07 23:49:51 DEBUG [SQL] Query greylisting whitelists:
SELECT id, sender
               FROM greylisting_whitelists
              WHERE account IN ('bugreport@DESTDOMAIN.com', '@DESTDOMAIN.com', '@.')
2016-01-07 23:49:51 DEBUG No whitelist found.
2016-01-07 23:49:51 DEBUG [SQL] query greylisting settings:
SELECT id, account, sender, sender_priority, active
               FROM greylisting
              WHERE account IN ('bugreport@DESTDOMAIN.com', '@DESTDOMAIN.com', '@.')
              ORDER BY priority DESC, sender_priority DESC
2016-01-07 23:49:51 DEBUG [SQL] query result: []
2016-01-07 23:49:51 DEBUG No setting found, greylisting is disabled for this client.
2016-01-07 23:49:51 DEBUG <-- Result: DUNNO


2016-01-07 23:49:51 DEBUG --> Apply plugin: amavisd_wblist
2016-01-07 23:49:51 DEBUG Possible policy senders: ['@.', 'TESTSEND@gmail.com', '@gmail.com', '@.gmail.com', '@com', '@.com', 'TESTSEND@*', '2600::::::']
2016-01-07 23:49:51 DEBUG Possible policy recipients: ['@.', 'bugreport@DESTDOMAIN.com', '@DESTDOMAIN.com', '@.DESTDOMAIN.com', '@com', '@.com']
2016-01-07 23:49:51 DEBUG Apply wblist for inbound message.
2016-01-07 23:49:51 DEBUG [SQL] Query local addresses:
SELECT id, email
               FROM users
              WHERE email IN ('@.', 'bugreport@DESTDOMAIN.com', '@DESTDOMAIN.com', '@.DESTDOMAIN.com', '@com', '@.com')
           ORDER BY priority DESC
2016-01-07 23:49:51 DEBUG Local addresses (in `users`): [(2L, '@DESTDOMAIN.com'), (1L, '@.')]
2016-01-07 23:49:51 DEBUG [SQL] Query external addresses:
SELECT id, email
               FROM mailaddr
              WHERE email IN ('@.', 'TESTSEND@gmail.com', '@gmail.com', '@.gmail.com', '@com', '@.com', 'TESTSEND@*', '2600::::::')
           ORDER BY priority DESC
2016-01-07 23:49:51 DEBUG No record found in SQL database.
2016-01-07 23:49:51 DEBUG No valid sender id or recipient id.
2016-01-07 23:49:51 DEBUG <-- Result: DUNNO
2016-01-07 23:49:51 DEBUG --> Apply plugin: throttle
2016-01-07 23:49:51 DEBUG Check sender throttling.
2016-01-07 23:49:51 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='outbound' AND account IN ('2600::::::', '@ip', '@.', 'TESTSEND@gmail.com', '@gmail.com', '@.gmail.com', '@com', '@.com')
         ORDER BY priority DESC
         
2016-01-07 23:49:51 DEBUG [SQL] Query result:
[]
2016-01-07 23:49:51 DEBUG No sender throttle setting.
2016-01-07 23:49:51 DEBUG Check recipient throttling.
2016-01-07 23:49:51 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='inbound' AND account IN ('2600::::::', '@ip', '@.', 'bugreport@DESTDOMAIN.com', '@DESTDOMAIN.com', '@.DESTDOMAIN.com', '@com', '@.com')
         ORDER BY priority DESC
         
2016-01-07 23:49:51 DEBUG [SQL] Query result:
[]
2016-01-07 23:49:51 DEBUG No recipient throttle setting.
2016-01-07 23:49:51 DEBUG <-- Result: DUNNO
2016-01-07 23:49:51 DEBUG [+] Getting LDIF data of account: bugreport@DESTDOMAIN.com
2016-01-07 23:49:51 DEBUG search base dn: o=domains,dc=DESTDOMAIN,dc=com
2016-01-07 23:49:51 DEBUG search scope: SUBTREE
2016-01-07 23:49:51 DEBUG search filter: (&(|(mail=bugreport@DESTDOMAIN.com)(shadowAddress=bugreport@DESTDOMAIN.com))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2016-01-07 23:49:51 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy']
2016-01-07 23:49:51 DEBUG No such account.
2016-01-07 23:49:51 DEBUG --> Apply plugin: ldap_maillist_access_policy
2016-01-07 23:49:51 DEBUG <-- Result: DUNNO (No recipient LDIF data)
2016-01-07 23:49:51 INFO [2600::::::] RCPT, TESTSEND@gmail.com -> bugreport@DESTDOMAIN.com, DUNNO
2016-01-07 23:49:51 DEBUG Session ended
2016-01-07 23:49:51 DEBUG Close LDAP connection.
2016-01-07 23:49:52 DEBUG smtp session: request=smtpd_access_policy
2016-01-07 23:49:52 DEBUG smtp session: protocol_state=END-OF-MESSAGE
2016-01-07 23:49:52 DEBUG smtp session: protocol_name=ESMTP
2016-01-07 23:49:52 DEBUG smtp session: client_address=2600::::::
2016-01-07 23:49:52 DEBUG smtp session: client_name=mail-io0-x22c.google.com
2016-01-07 23:49:52 DEBUG smtp session: reverse_client_name=mail-io0-x22c.google.com
2016-01-07 23:49:52 DEBUG smtp session: helo_name=mail-io0-x22c.google.com
2016-01-07 23:49:52 DEBUG smtp session: sender=TESTSEND@gmail.com
2016-01-07 23:49:52 DEBUG smtp session: recipient=bugreport@DESTDOMAIN.com
2016-01-07 23:49:52 DEBUG smtp session: recipient_count=1
2016-01-07 23:49:52 DEBUG smtp session: queue_id=E135F17CB
2016-01-07 23:49:52 DEBUG smtp session: instance=42c5.568f3fef.dcbe9.0
2016-01-07 23:49:52 DEBUG smtp session: size=2038
2016-01-07 23:49:52 DEBUG smtp session: etrn_domain=
2016-01-07 23:49:52 DEBUG smtp session: stress=
2016-01-07 23:49:52 DEBUG smtp session: sasl_method=
2016-01-07 23:49:52 DEBUG smtp session: sasl_username=
2016-01-07 23:49:52 DEBUG smtp session: sasl_sender=
2016-01-07 23:49:52 DEBUG smtp session: ccert_subject=
2016-01-07 23:49:52 DEBUG smtp session: ccert_issuer=
2016-01-07 23:49:52 DEBUG smtp session: ccert_fingerprint=
2016-01-07 23:49:52 DEBUG smtp session: ccert_pubkey_fingerprint=
2016-01-07 23:49:52 DEBUG smtp session: encryption_protocol=TLSv1.2
2016-01-07 23:49:52 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES128-GCM-SHA256
2016-01-07 23:49:52 DEBUG smtp session: encryption_keysize=128
2016-01-07 23:49:52 DEBUG LDAP connection initialied success.
2016-01-07 23:49:52 DEBUG LDAP bind success.
2016-01-07 23:49:52 DEBUG Skip plugin: reject_null_sender (protocol_state != END-OF-MESSAGE)
2016-01-07 23:49:52 DEBUG Skip plugin: greylisting (protocol_state != END-OF-MESSAGE)
2016-01-07 23:49:52 DEBUG Skip plugin: amavisd_wblist (protocol_state != END-OF-MESSAGE)
2016-01-07 23:49:52 DEBUG --> Apply plugin: throttle
2016-01-07 23:49:52 DEBUG Check sender throttling.
2016-01-07 23:49:52 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='outbound' AND account IN ('2600::::::', '@ip', '@.', 'TESTSEND@gmail.com', '@gmail.com', '@.gmail.com', '@com', '@.com')
         ORDER BY priority DESC
         
2016-01-07 23:49:52 DEBUG [SQL] Query result:
[]
2016-01-07 23:49:52 DEBUG No sender throttle setting.
2016-01-07 23:49:52 DEBUG Check recipient throttling.
2016-01-07 23:49:52 DEBUG [SQL] Query throttle setting:

        SELECT id, account, priority, period, max_msgs, max_quota, msg_size
          FROM throttle
         WHERE kind='inbound' AND account IN ('2600::::::', '@ip', '@.', 'bugreport@DESTDOMAIN.com', '@DESTDOMAIN.com', '@.DESTDOMAIN.com', '@com', '@.com')
         ORDER BY priority DESC
         
2016-01-07 23:49:52 DEBUG [SQL] Query result:
[]
2016-01-07 23:49:52 DEBUG No recipient throttle setting.
2016-01-07 23:49:52 DEBUG <-- Result: DUNNO
2016-01-07 23:49:52 DEBUG Skip plugin: ldap_maillist_access_policy (protocol_state != END-OF-MESSAGE)
2016-01-07 23:49:52 INFO [2600::::::] END-OF-MESSAGE, TESTSEND@gmail.com -> bugreport@DESTDOMAIN.com, DUNNO
2016-01-07 23:49:52 DEBUG Session ended
2016-01-07 23:49:52 DEBUG Close LDAP connection.

Thank you for iRedMail!


2

Re: blacklist recipient on catch-all domain

copart wrote:

I have the following Blacklisted recipients for the domain TESTDOMAIN.com
*bugreport@DESTDOMAIN.com
...
2016-01-07 23:49:51 DEBUG [SQL] Query external addresses:
SELECT id, email ...
2016-01-07 23:49:51 DEBUG No record found in SQL database.
2016-01-07 23:49:51 DEBUG No valid sender id or recipient id.

According to the log, it says you don't have white/blacklists for this sender.

Could you please capture a screenshot of your wblist setting page of iRedAdmin-Pro to help us understand your setting?

3

Re: blacklist recipient on catch-all domain

Certainly.  I attempted to look at the amavisd mysql tables, but the import fields appear to be stored in binary form, making it hard for humans.


4 (edited by copart 2016-01-08 14:40:35)

Re: blacklist recipient on catch-all domain

Figured out how to make sense of the amavis db:

SELECT id,priority,cast(email as CHAR) FROM `mailaddr`


id  priority  cast(email as CHAR)
1   5         @THISWLWORKS.com
2   8         katie@TESTDOMAIN.com
3   8         bugreport@TESTDOMAIN.com

--------
EDIT:
--------

SELECT * FROM `wblist`

1  1  W

Nothing else.  In looking at the amavisd_wblist.py source it appears that I should have at least one B in wblist.  However, the code is not getting to this query as of now.

5

Re: blacklist recipient on catch-all domain

Okay, so looking into this further.

Looks like the Blacklisted senders only affects INCOMING mail.

And Blacklisted recipients only affects OUTGOING mail.

So, I will have to use sieve to get the desired effect.

6

Re: blacklist recipient on catch-all domain

Ideally I would like a way to reject BEFORE sieve (as it is I had to change postfix so that the original recipient header gets added).  The best would be for the sender to get a BOUNCE of "no mailbox defined for such user OR mailbox disabled"

I tried:
1. Creating a new account in the destination domain with various aliases defined in it.
     a) Disabling the account: when the account was disabled, the catchall was followed.
     b) Throttle receive to 1 byte per email (0 incoming mails per day is the same as unlimited).  This worked ONLY for the primary email; the aliases were delivered.  However, the bounce says that the user is over quota, so not the best avenue.
     c) Turning OFF the "Receiving mails for this account on mail server" service for the user.  I figured this would create a "mailbox disabled" bounce, but instead the email was delivered to catchall.
     d) Set the quota to 1MB (smallest you can define) and wait until the quota is filled; I imagine then the BOUNCE will say mailbox full and will work for all aliases too.  I did this one, but did not fill the mailbox yet.

7 (edited by copart 2016-01-09 00:06:05)

Re: blacklist recipient on catch-all domain

I think I got a solution that works for me.

I removed the "(enabledService=deliver)" part from "/etc/postfix/ldap/virtual_mailbox_maps.cf", so this will IGNORE users that have the "Receiving mails for this account on mail server" service unchecked.

/etc/postfix/ldap/virtual_mailbox_maps.cf

query_filter    = (&(objectClass=mailUser)(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s)))(accountStatus=active)(enabledService=mail))

I added /etc/postfix/ldap/virtual_disabled_mailbox_maps.cf

server_host     = 127.0.0.1
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = HIDDEN
bind_pw         = HIDDEN
search_base     = o=domains,dc=HIDDEN,dc=com
scope           = sub
query_filter    = (&(objectClass=mailUser)(|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s)))(accountStatus=active)(enabledService=mail)(!(enabledService=deliver)))
result_attribute= accountStatus
result_format   = REJECT
debuglevel      = 0

Then I updated smtpd_recipient_restrictions in /etc/postfix/main.cf

smtpd_recipient_restrictions =
    reject_unknown_recipient_domain
    reject_non_fqdn_recipient
    reject_unlisted_recipient
    check_recipient_access ldap:/etc/postfix/ldap/virtual_disabled_mailbox_maps.cf
    check_policy_service inet:127.0.0.1:7777
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

NOW, when you send an email to an account that has the "Receiving mails for this account on mail server" service unchecked, the sender will get a BOUNCE.  Only thing I still want to update is the error message in the bounce.
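As an added illustration (not code from this thread or from iRedMail itself), the Python model below evaluates the two query_filter expressions from the post against a constructed set of LDAP entries and walks the posted restriction order, so you can see which addresses, including shadowAddress aliases, the new map answers with REJECT; the domain example.test and all entries are hypothetical.

```python
# Added example, not from the forum thread: a pure-Python model of the two
# Postfix LDAP query_filter expressions posted above, evaluated against a
# constructed set of LDAP entries (hypothetical domain example.test).
# Attribute values are sets because enabledService and shadowAddress are
# multi-valued in the iRedMail LDAP schema.
ENTRIES = [
    # normal user: "Receiving mails ..." service checked (deliver present)
    {"objectClass": {"mailUser"}, "mail": {"alice@example.test"},
     "shadowAddress": set(), "accountStatus": {"active"},
     "enabledService": {"mail", "deliver"}},
    # service unchecked: no "deliver", but an alias via shadowAddress
    {"objectClass": {"mailUser"}, "mail": {"bugreport@example.test"},
     "shadowAddress": {"abuse@example.test"}, "accountStatus": {"active"},
     "enabledService": {"mail", "shadowaddress"}},
    # disabled account: accountStatus != active, so neither map matches it
    {"objectClass": {"mailUser"}, "mail": {"old@example.test"},
     "shadowAddress": set(), "accountStatus": {"disabled"},
     "enabledService": {"mail", "deliver"}},
]


def _base_match(entry, addr):
    """The shared part of both filters: (&(objectClass=mailUser)
    (|(mail=%s)(&(enabledService=shadowaddress)(shadowAddress=%s)))
    (accountStatus=active)(enabledService=mail))"""
    svc = entry["enabledService"]
    addr_ok = addr in entry["mail"] or (
        "shadowaddress" in svc and addr in entry["shadowAddress"])
    return ("mailUser" in entry["objectClass"] and addr_ok
            and "active" in entry["accountStatus"] and "mail" in svc)


def mailbox_map(addr, entries=ENTRIES):
    """virtual_mailbox_maps.cf after '(enabledService=deliver)' was removed."""
    return any(_base_match(e, addr) for e in entries)


def disabled_mailbox_map(addr, entries=ENTRIES):
    """virtual_disabled_mailbox_maps.cf: base filter plus
    (!(enabledService=deliver)); result_format=REJECT."""
    hits = [e for e in entries
            if _base_match(e, addr) and "deliver" not in e["enabledService"]]
    return "REJECT" if hits else None


def recipient_decision(addr, catchall_domains=("example.test",)):
    """Posted order: check_recipient_access (REJECT wins) runs before the
    policy service; the domain catch-all only sees what nothing rejected."""
    if disabled_mailbox_map(addr) == "REJECT":
        return "REJECT"
    if mailbox_map(addr):
        return "deliver to mailbox"
    if addr.rsplit("@", 1)[-1] in catchall_domains:
        return "deliver to catch-all"
    return "unknown recipient"
```

Note that the disabled-status account still falls through to the catch-all, matching what post 6(a) observed; only the unchecked "deliver" service triggers the REJECT.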