1 (edited by awkpavo 2017-05-10 07:02:18)

Topic: Mail group with members-only access policy doesn't accept mail

==== Required information ====
- iRedMail version (check /etc/iredmail-release): v0.9.6
- Linux/BSD distribution name and version: Ubuntu 16.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Related log if you're reporting an issue: See below
====

I've created a mail group with an access policy 'members only'. One of the recipients is a mail forward to Gmail and sends mail for the same address via an SMTP relay (using Sendgrid) to reply. The mail should be allowed as the e-mail address where the message is sent from is a legit member of the mail group. All other members work OK. But the mail gets rejected, here is the log part:

May 10 00:46:09 mx postfix/smtpd[31209]: connect from o1.7nn.fsharedserv.sendgrid.net[167.89.00.00]
May 10 00:46:10 mx postfix/smtpd[31209]: Anonymous TLS connection established from o1.7nn.fsharedserv.sendgrid.net[167.89.00.00]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 10 00:46:10 mx postfix/smtpd[31209]: NOQUEUE: reject: RCPT from o1.7nn.fsharedserv.sendgrid.net[167.89.00.00]: 554 5.7.1 <myteam@domain.com>: Recipient address rejected: Not authorized; from=<bounces+1429439-103a-myteam=domain.com@sendgrid.net> to=<myteam@domain.com> proto=ESMTP helo=<o1.7nn.fsharedserv.sendgrid.net>
May 10 00:46:11 mx postfix/smtpd[31209]: lost connection after RCPT from o1.7nn.fsharedserv.sendgrid.net[167.89.00.00]
May 10 00:46:11 mx postfix/smtpd[31209]: disconnect from o1.7nn.fsharedserv.sendgrid.net[167.89.00.00] ehlo=2 starttls=1 mail=1 rcpt=0/1 commands=4/5

It seems that the SMTP relay swapped the original 'from' address with a bounce e-mail address from them. I asked Sendgrid what the possible issue and best solution would be and their answer was:

The reason for this bounce is that the recipient inbox is looking at the Return-Path instead of the From address. Change a setting on the filtering to look at the from address instead of the return path address.

Can anyone clarify which root cause is correct and how to possibly fix this issue?


2

Re: Mail group with members-only access policy doesn't accept mail

iRedAPD gets the sender address from the info piped by Postfix. Doc below:
http://www.postfix.org/SMTPD_POLICY_REA … l#protocol

The attribute is "sender=". Postfix doesn't pipe any mail headers because, in the current state, the mail message has not yet been sent by the sender's server to Postfix, so it cannot get the Return-Path header.

3

Re: Mail group with members-only access policy doesn't accept mail

So how could this issue best be fixed, so that the mail isn't blocked for valid senders from such SMTPs?

4

Re: Mail group with members-only access policy doesn't accept mail

Please turn on debug mode in iRedAPD, then reproduce this issue, copy full iRedAPD log related to this testing email and paste here so that others can help troubleshoot.
FYI: http://www.iredmail.org/docs/debug.iredapd.html

Also, is it possible to configure Sendgrid to set the Return-Path same as sender address?

5

Re: Mail group with members-only access policy doesn't accept mail

It's possible to enable it, but it needs to be done by a support agent manually. Which is not the best use case if you want clients to make use of that feature without problems from an SMTP relay service like Sendgrid. They just don't understand what that means or implies. I was looking for a more seamless solution there.

I turned on debug mode and it was pretty clear to me:

2017-05-15 14:43:34 DEBUG Connect from 127.0.0.1, port 48438.
2017-05-15 14:43:34 DEBUG smtp session: request=smtpd_access_policy
2017-05-15 14:43:34 DEBUG smtp session: protocol_state=RCPT
2017-05-15 14:43:34 DEBUG smtp session: protocol_name=ESMTP
2017-05-15 14:43:34 DEBUG smtp session: client_address=167.89.00.000
2017-05-15 14:43:34 DEBUG smtp session: client_name=o1678950229.outbound-mail.sendgrid.net
2017-05-15 14:43:34 DEBUG smtp session: client_port=61060
2017-05-15 14:43:34 DEBUG smtp session: reverse_client_name=o1678950229.outbound-mail.sendgrid.net
2017-05-15 14:43:34 DEBUG smtp session: helo_name=o1678950229.outbound-mail.sendgrid.net
2017-05-15 14:43:34 DEBUG smtp session: sender=bounces+1429439-103a-myteam=domain.com@sendgrid.net
2017-05-15 14:43:34 DEBUG smtp session: recipient=myteam@domain.com
2017-05-15 14:43:34 DEBUG smtp session: recipient_count=0
2017-05-15 14:43:34 DEBUG smtp session: queue_id=
2017-05-15 14:43:34 DEBUG smtp session: instance=77ad.5919a276.16041.0
2017-05-15 14:43:34 DEBUG smtp session: size=0
2017-05-15 14:43:34 DEBUG smtp session: etrn_domain=
2017-05-15 14:43:34 DEBUG smtp session: stress=
2017-05-15 14:43:34 DEBUG smtp session: sasl_method=
2017-05-15 14:43:34 DEBUG smtp session: sasl_username=
2017-05-15 14:43:34 DEBUG smtp session: sasl_sender=
2017-05-15 14:43:34 DEBUG smtp session: ccert_subject=
2017-05-15 14:43:34 DEBUG smtp session: ccert_issuer=
2017-05-15 14:43:34 DEBUG smtp session: ccert_fingerprint=
2017-05-15 14:43:34 DEBUG smtp session: ccert_pubkey_fingerprint=
2017-05-15 14:43:34 DEBUG smtp session: encryption_protocol=TLSv1.2
2017-05-15 14:43:34 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES128-GCM-SHA256
2017-05-15 14:43:34 DEBUG smtp session: encryption_keysize=128
2017-05-15 14:43:34 DEBUG smtp session: policy_context=
2017-05-15 14:43:34 DEBUG --> Apply plugin: reject_null_sender
2017-05-15 14:43:34 DEBUG <-- Result: DUNNO
2017-05-15 14:43:34 DEBUG --> Apply plugin: reject_sender_login_mismatch
2017-05-15 14:43:34 DEBUG Not an authenticated sender (no sasl_username).

The original e-mail address is totally lost in translation and only the Sendgrid addresses are visible. I tested all big SMTP relays (Mailgun, Mailjet, Send in Blue, etc). Would there be some workaround (like allowing the sending domain Sendgrid to pass) in any way? It seems that would be the only option to make it work.

6

Re: Mail group with members-only access policy doesn't accept mail

awkpavo wrote:

2017-05-15 14:43:34 DEBUG smtp session: sender=bounces+1429439-103a-myteam=domain.com@sendgrid.net

The sender address becomes "bounces+1429439-103a-myteam=domain.com@sendgrid.net", but I suppose the original one is "myteam@domain.com"?

The best way to fix this issue is improving iRedAPD to reverse the address to the original one. I will give it a try these days. Stay tuned.

7

Re: Mail group with members-only access policy doesn't accept mail

The problem is, address "bounces+1429439-103a-myteam=domain.com@sendgrid.net" is not in standard SRS address format, so it's not easy to detect and reverse.

8

Re: Mail group with members-only access policy doesn't accept mail

Got it. Can it be fixed with modifying SRS on this?

9

Re: Mail group with members-only access policy doesn't accept mail

The problem is, address "bounces+1429439-103a-myteam=domain.com@sendgrid.net" is not in standard SRS address format. Although this one seems easier to convert, I won't do that.

BTW, is "myteam@domain.com" the original sender address?

10

Re: Mail group with members-only access policy doesn't accept mail

No, it's the group mail address. The original sender address is one of the recipients (= members) of the mail group who uses Sendgrid's SMTP to send mail for his mail address.
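
Added example (not part of the thread and not iRedAPD's own code): a small Python model of the Postfix policy request from the debug log in post 5, showing why a members-only check keyed on `sender=` rejects the relayed mail, and why reversing the bounce address would not help. The member addresses and the decoding heuristic in `guess_verp_target` are assumptions made for illustration; the relay's address format is inferred only from the one address shown in the thread.

```python
# Added illustration; not iRedAPD source. Request lines are taken from the
# debug log in the thread; the member list is constructed sample data.
SAMPLE_REQUEST = """\
request=smtpd_access_policy
protocol_state=RCPT
sender=bounces+1429439-103a-myteam=domain.com@sendgrid.net
recipient=myteam@domain.com
sasl_username=

"""

GROUP_MEMBERS = {  # constructed: group address -> allowed envelope senders
    "myteam@domain.com": {"alice@domain.com", "bob@domain.com"},
}


def parse_policy_request(raw):
    """Parse name=value lines up to the terminating empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")  # value may itself contain '='
        if sep:
            attrs[name] = value
    return attrs


def members_only_action(attrs, groups=GROUP_MEMBERS):
    """Decide using only what is known at RCPT time: the envelope sender."""
    members = groups.get(attrs.get("recipient", "").lower())
    if members is None:
        return "DUNNO"  # not a restricted group, let other checks decide
    sender = attrs.get("sender", "").lower()
    return "DUNNO" if sender in members else "REJECT Not authorized"


def guess_verp_target(sender):
    """Heuristic (assumption): '...-user=domain@relay' -> 'user@domain'."""
    local, _, _ = sender.rpartition("@")
    left, sep, domain = local.rpartition("=")
    if not sep or "-" not in left:
        return None
    return left.rsplit("-", 1)[1] + "@" + domain


if __name__ == "__main__":
    req = parse_policy_request(SAMPLE_REQUEST)
    print(members_only_action(req))        # decision for the relayed mail
    print(guess_verp_target(req["sender"]))  # address embedded in the bounce
```

The address embedded in the bounce sender is the recipient (the group address), so the member's identity exists only in the From: header, which Postfix has not received at the RCPT stage. With `sasl_username` empty, the envelope sender the check relies on is also unauthenticated.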