1

Topic: Mailing list security doesn't work

We have several mailinglists, but when we set it to moderators only still everyone can send emails to this address.
Also when we disable the mailinglist it still works.

In the iredapd.log we get the following error:

Error while importing plugin module (maillist_access_policy): No module named maillist_access_policy

Hope anyone can help me with this.

With kind regards

Luc Verhoeven

2

Re: Mailing list security doesn't work

What version of iRedMail and iRedAPD are you using?

Does file "/opt/iredapd/src/plugins/maillist_access_policy.py" exist?
All enabled plugins are listed in /opt/iredapd/etc/iredapd.ini, plugin name is same as file name under /opt/iredapd/src/plugins/ directory (remove ".py" extention).

3

Re: Mailing list security doesn't work

Hello Zhang,

We have already been emailing about this problem,
so you have allready seen my iredapd.ini

4

Re: Mailing list security doesn't work

Can you give me output of below command:

# cd /opt/iredapd/
# find . |xargs ls -l

5

Re: Mailing list security doesn't work

-rw------- 1 iredapd iredapd  1720 Jul 22 14:24 ./ChangeLog
-rw------- 1 iredapd iredapd  1604 Sep 30 08:52 ./etc/iredapd.ini
-rw------- 1 iredapd iredapd  1609 Jul 22 14:24 ./etc/iredapd.ini.sample
-rw------- 1 iredapd iredapd  1595 Jul 26 08:55 ./etc/iredapd-rr.ini
-rw------- 1 iredapd iredapd  1416 Jul 22 14:24 ./etc/iredapd-rr.ini.sample
-rw------- 1 iredapd iredapd   225 Jul 22 14:24 ./INSTALL
-rw------- 1 iredapd iredapd  2423 Jul 22 14:24 ./rc_scripts/iredapd
-rw------- 1 iredapd iredapd  2219 Jul 22 14:24 ./rc_scripts/iredapd.freebsd
-rw------- 1 iredapd iredapd  2432 Jul 22 14:24 ./rc_scripts/iredapd-rr
-rw------- 1 iredapd iredapd  2228 Jul 22 14:24 ./rc_scripts/iredapd-rr.freebsd
-rw------- 1 iredapd iredapd   464 Jul 22 14:24 ./README
-rw------- 1 iredapd iredapd  7254 Jul 22 14:24 ./src/daemon.py
-rw-r--r-- 1 root    root     5290 Jul 26 08:56 ./src/daemon.pyc
-rwx--x--x 1 iredapd iredapd 17957 Jul 22 14:24 ./src/iredapd.py
-rw------- 1 iredapd iredapd 12203 Jul 22 14:24 ./src/iredapd-rr.py
-rw------- 1 iredapd iredapd  1382 Jul 22 14:24 ./src/plugins/block_amavisd_blacklisted_senders.py
-rw------- 1 iredapd iredapd    99 Jul 22 14:24 ./src/plugins/__init__.py
-rw------- 1 iredapd iredapd  3969 Jul 22 14:24 ./src/plugins/ldap_maillist_access_policy.py
-rw------- 1 iredapd iredapd    99 Jul 22 14:24 ./src/plugins-rr/__init__.py
-rw------- 1 iredapd iredapd  2253 Jul 22 14:24 ./src/plugins-rr/ldap_recipient_restrictions.py
-rw------- 1 iredapd iredapd  3573 Jul 22 14:24 ./src/plugins/sql_alias_access_policy.py

.:
total 24
-rw------- 1 iredapd iredapd 1720 Jul 22 14:24 ChangeLog
drw------- 2 iredapd iredapd 4096 Sep 30 08:52 etc
-rw------- 1 iredapd iredapd  225 Jul 22 14:24 INSTALL
drw------- 2 iredapd iredapd 4096 Jul 26 08:44 rc_scripts
-rw------- 1 iredapd iredapd  464 Jul 22 14:24 README
drw------- 4 iredapd iredapd 4096 Jul 26 08:56 src

./etc:
total 16
-rw------- 1 iredapd iredapd 1604 Sep 30 08:52 iredapd.ini
-rw------- 1 iredapd iredapd 1609 Jul 22 14:24 iredapd.ini.sample
-rw------- 1 iredapd iredapd 1595 Jul 26 08:55 iredapd-rr.ini
-rw------- 1 iredapd iredapd 1416 Jul 22 14:24 iredapd-rr.ini.sample

./rc_scripts:
total 16
-rw------- 1 iredapd iredapd 2423 Jul 22 14:24 iredapd
-rw------- 1 iredapd iredapd 2219 Jul 22 14:24 iredapd.freebsd
-rw------- 1 iredapd iredapd 2432 Jul 22 14:24 iredapd-rr
-rw------- 1 iredapd iredapd 2228 Jul 22 14:24 iredapd-rr.freebsd

./src:
total 56
-rw------- 1 iredapd iredapd  7254 Jul 22 14:24 daemon.py
-rw-r--r-- 1 root    root     5290 Jul 26 08:56 daemon.pyc
-rwx--x--x 1 iredapd iredapd 17957 Jul 22 14:24 iredapd.py
-rw------- 1 iredapd iredapd 12203 Jul 22 14:24 iredapd-rr.py
drw------- 2 iredapd iredapd  4096 Sep 29 16:17 plugins
drw------- 2 iredapd iredapd  4096 Jul 22 14:24 plugins-rr

./src/plugins:
total 16
-rw------- 1 iredapd iredapd 1382 Jul 22 14:24 block_amavisd_blacklisted_senders.py
-rw------- 1 iredapd iredapd   99 Jul 22 14:24 __init__.py
-rw------- 1 iredapd iredapd 3969 Jul 22 14:24 ldap_maillist_access_policy.py
-rw------- 1 iredapd iredapd 3573 Jul 22 14:24 sql_alias_access_policy.py

./src/plugins-rr:
total 8
-rw------- 1 iredapd iredapd   99 Jul 22 14:24 __init__.py
-rw------- 1 iredapd iredapd 2253 Jul 22 14:24 ldap_recipient_restrictions.py

6

Re: Mailing list security doesn't work

I think i found the root cause: incorrect file permission.

Try below command and then test it again:

# chmod -R 0700 /opt/iredapd/

7

Re: Mailing list security doesn't work

This seems to solve the problem.

But when I send an email as a moderator I don't get a verification email, is it possible to build this in.

Also if I send an email is a non moderator I don't get an email telling me I'm not allowed to send e-mails to this mailinglist so I'll never know if the email is sent or not.

8

Re: Mailing list security doesn't work

veldsink wrote:

But when I send an email as a moderator I don't get a verification email, is it possible to build this in.

Why we need a verification email?

Also if I send an email is a non moderator I don't get an email telling me I'm not allowed to send e-mails to this mailinglist so I'll never know if the email is sent or not.

If it's not allowed, client will get a error message with their MUA.

9

Re: Mailing list security doesn't work

ZhangHuangbin wrote:

Why we need a verification email?

I think my boss wants this as an extra security measure.

If it's not allowed, client will get a error message with their MUA.

This works indeed, was a little problem with my private email

One more problem I found:

We have an email account hcn with an alias hypotheken,
when they try to send an email to a mailinglist as hypotheken the get a message not autherized.
But it is not possible to add hypotheken to the moderators, could this be solved or do we need to change al those email addresses?

10

Re: Mailing list security doesn't work

veldsink wrote:

One more problem I found:
We have an email account hcn with an alias hypotheken,
when they try to send an email to a mailinglist as hypotheken the get a message not autherized.
But it is not possible to add hypotheken to the moderators, could this be solved or do we need to change al those email addresses?

It's iRedAPD issue, it doesn't query user alias at all.

Try to fix it this way:

* Open /opt/iredapd/src/plugins/ldap_maillist_access_policy.py
* Find below lines:

        searchAttr = ['mail']
        searchAttr = ['mail', 'listAllowedUser']

* Add 'shadowAddress' in them:

        searchAttr = ['mail', 'shadowAddress',]
        searchAttr = ['mail', 'shadowAddress', 'listAllowedUser',]

* Restart iRedAPD.

It should work as expected.

11

Re: Mailing list security doesn't work

I commited this fix moment ago, thanks very much for your feedback. smile
http://code.google.com/p/iredmail/sourc … po=iredapd

12

Re: Mailing list security doesn't work

For as far as I can see it still doesn't work,
the part if ldap_maillist_access_policy.py looks like this:

    if policy == 'membersonly':
        # Filter used to get domain members.
        searchFilter = "(&(|(objectclass=mailUser)(objectClass=mailExternalUser))(accountStatus=active)(memberOfGroup=%s))" % (recipient, )
        searchAttr = ['mail', 'shadowAddress',]
    elif policy == 'allowedonly' or policy == 'moderatorsonly':
        basedn = listDn
        searchScope = 0     # Use SCOPE_BASE to improve performance.
        # Filter used to get domain moderators.
        searchFilter = "(&(objectclass=mailList)(mail=%s))" % (recipient, )
        searchAttr = ['listAllowedUser']
    else:
        # Policy: membersAndModeratorsOnly.
        # Filter used to get both members and moderators.
        searchFilter = "(|(&(|(objectClass=mailUser)(objectClass=mailExternalUser))(memberOfGroup=%s))(&(objectclass=mailList)(mail=%s)))" % (recipient, recipient, )
        searchAttr = ['mail', 'shadowAddress', 'listAllowedUser']

Shouldn't there be a change at the moderatorsonly part too?

13

Re: Mailing list security doesn't work

Can you please set 'log_level = debug' in /opt/iredapd/etc/iredapd.ini, restart iredapd, resend testing mail, and post related log in /var/log/iredapd.log? So that i can know the detail about LDAP data.

14

Re: Mailing list security doesn't work

2010-10-13 10:10:53 DEBUG Connect from 127.0.0.1
2010-10-13 10:10:53 DEBUG smtp session: request=smtpd_access_policy
2010-10-13 10:10:53 DEBUG smtp session: protocol_state=RCPT
2010-10-13 10:10:53 DEBUG smtp session: protocol_name=ESMTP
2010-10-13 10:10:53 DEBUG smtp session: client_address=192.168.10.64
2010-10-13 10:10:53 DEBUG smtp session: client_name=unknown
2010-10-13 10:10:53 DEBUG smtp session: reverse_client_name=unknown
2010-10-13 10:10:53 DEBUG smtp session: helo_name=[127.0.0.1]
2010-10-13 10:10:53 DEBUG smtp session: sender=luc[at]vcn.nl
2010-10-13 10:10:53 DEBUG smtp session: recipient=ict[at]vcn.nl
2010-10-13 10:10:53 DEBUG smtp session: recipient_count=0
2010-10-13 10:10:53 DEBUG smtp session: queue_id=
2010-10-13 10:10:53 DEBUG smtp session: instance=4a16.4cb5698d.80e56.0
2010-10-13 10:10:53 DEBUG smtp session: size=387
2010-10-13 10:10:53 DEBUG smtp session: etrn_domain=
2010-10-13 10:10:53 DEBUG smtp session: stress=
2010-10-13 10:10:53 DEBUG smtp session: sasl_method=PLAIN
2010-10-13 10:10:53 DEBUG smtp session: sasl_username=lverhoeven[at]vcn.nl
2010-10-13 10:10:53 DEBUG smtp session: sasl_sender=
2010-10-13 10:10:53 DEBUG smtp session: ccert_subject=
2010-10-13 10:10:53 DEBUG smtp session: ccert_issuer=
2010-10-13 10:10:53 DEBUG smtp session: ccert_fingerprint=
2010-10-13 10:10:53 DEBUG smtp session: encryption_protocol=TLSv1
2010-10-13 10:10:53 DEBUG smtp session: encryption_cipher=DHE-RSA-AES256-SHA
2010-10-13 10:10:53 DEBUG smtp session: encryption_keysize=256
2010-10-13 10:10:53 DEBUG LDAP connection initialied success.
2010-10-13 10:10:53 DEBUG LDAP bind success.
2010-10-13 10:10:53 DEBUG __get_recipient_dn_ldif (recipient): ict[at]vcn.nl
2010-10-13 10:10:53 DEBUG __get_recipient_dn_ldif (result): [('mail=ict[at]vcn.nl,ou=Groups,domainName=vcn.nl,o=domains,dc=advies4you,dc=nl', {'cn': ['ict'], 'listAllowedUser': ['mutatie2[at]vcn.nl', 'lverhoeven[at]vcn.nl'], 'objectClass': ['mailList'], 'accountStatus': ['active'], 'accessPolicy': ['allowedOnly'], 'mail': ['ict[at]vcn.nl'], 'enabledService': ['mail', 'deliver']})]
2010-10-13 10:10:53 DEBUG Apply plugin (ldap_maillist_access_policy).
2010-10-13 10:10:53 DEBUG Response from plugin (ldap_maillist_access_policy): REJECT Not Authorized
2010-10-13 10:10:53 INFO Response from plugin (ldap_maillist_access_policy): REJECT Not Authorized
2010-10-13 10:10:53 DEBUG Final action: REJECT Not Authorized.
2010-10-13 10:10:53 INFO luc[at]vcn.nl -> ict[at]vcn.nl, REJECT Not Authorized
2010-10-13 10:10:53 DEBUG Connection closed

15

Re: Mailing list security doesn't work

iRedAPD plugin doesn't log enough details, i have to improve it.
Please give me some more time to dive into it. Thanks very much for your patience. smile

16

Re: Mailing list security doesn't work

Hello Zhang,

What is the status on this problem?

17

Re: Mailing list security doesn't work

Hi, @veldsink.

I improved iRedAPD today, it will log plugin debug message now, could you please try again?
You can checkout source code here:
http://code.google.com/p/iredmail/sourc … po=iredapd

* Backup old iRedAPD first (/opt/iRedAPD-x.y.z/), and then just replace old iRedAPD by new version.
* Be careful that file owner should be "iredapd:iredapd".
* Set loglevel to debug and restart iredapd service.
* Monitor /var/log/iredapd.log, and post related log content here to help troubleshooting.

18

Re: Mailing list security doesn't work

the new log:

2010-10-26 09:27:18 DEBUG Connect from 127.0.0.1
2010-10-26 09:27:18 DEBUG smtp session: request=smtpd_access_policy
2010-10-26 09:27:18 DEBUG smtp session: protocol_state=RCPT
2010-10-26 09:27:18 DEBUG smtp session: protocol_name=ESMTP
2010-10-26 09:27:18 DEBUG smtp session: client_address=192.168.10.64
2010-10-26 09:27:18 DEBUG smtp session: client_name=unknown
2010-10-26 09:27:18 DEBUG smtp session: reverse_client_name=unknown
2010-10-26 09:27:18 DEBUG smtp session: helo_name=[127.0.0.1]
2010-10-26 09:27:18 DEBUG smtp session: sender=luc[at]vcn.nl
2010-10-26 09:27:18 DEBUG smtp session: recipient=ict[at]vcn.nl
2010-10-26 09:27:18 DEBUG smtp session: recipient_count=0
2010-10-26 09:27:18 DEBUG smtp session: queue_id=
2010-10-26 09:27:18 DEBUG smtp session: instance=79cf.4cc682d6.24cc6.0
2010-10-26 09:27:18 DEBUG smtp session: size=386
2010-10-26 09:27:18 DEBUG smtp session: etrn_domain=
2010-10-26 09:27:18 DEBUG smtp session: stress=
2010-10-26 09:27:18 DEBUG smtp session: sasl_method=PLAIN
2010-10-26 09:27:18 DEBUG smtp session: sasl_username=lverhoeven[at]vcn.nl
2010-10-26 09:27:18 DEBUG smtp session: sasl_sender=
2010-10-26 09:27:18 DEBUG smtp session: ccert_subject=
2010-10-26 09:27:18 DEBUG smtp session: ccert_issuer=
2010-10-26 09:27:18 DEBUG smtp session: ccert_fingerprint=
2010-10-26 09:27:18 DEBUG smtp session: encryption_protocol=TLSv1
2010-10-26 09:27:18 DEBUG smtp session: encryption_cipher=DHE-RSA-AES256-SHA
2010-10-26 09:27:18 DEBUG smtp session: encryption_keysize=256
2010-10-26 09:27:18 DEBUG LDAP connection initialied success.
2010-10-26 09:27:18 DEBUG LDAP bind success.
2010-10-26 09:27:18 DEBUG __get_recipient_dn_ldif (recipient): ict[at]vcn.nl
2010-10-26 09:27:18 DEBUG __get_recipient_dn_ldif (result): [('mail=ict[at]vcn.nl,ou=Groups,domainName=vcn.nl,o=domains,dc=advies4you,dc=nl', {'cn': ['ict'], 'listAllowedUser': ['mutatie2[at]vcn.nl', 'lverhoeven[at]vcn.nl'], 'objectClass': ['mailList'], 'accountStatus': ['active'], 'accessPolicy': ['allowedOnly'], 'mail': ['ict[at]vcn.nl'], 'enabledService': ['mail', 'deliver']})]
2010-10-26 09:27:18 DEBUG Apply plugin (ldap_maillist_access_policy).
2010-10-26 09:27:18 DEBUG (ldap_maillist_access_policy.py) Sender: luc[at]vcn.nl
2010-10-26 09:27:18 DEBUG (ldap_maillist_access_policy.py) Recipient: ict[at]vcn.nl
2010-10-26 09:27:18 DEBUG (ldap_maillist_access_policy.py) Policy: allowedonly
2010-10-26 09:27:18 DEBUG (ldap_maillist_access_policy.py) Get allowed senders...
2010-10-26 09:27:18 DEBUG (ldap_maillist_access_policy.py) base dn: mail=ict[at]vcn.nl,ou=Groups,domainName=vcn.nl,o=domains,dc=advies4you,dc=nl
2010-10-26 09:27:18 DEBUG (ldap_maillist_access_policy.py) search scope: 0
2010-10-26 09:27:18 DEBUG (ldap_maillist_access_policy.py) search filter: (&(objectclass=mailList)(mail=ict[at]vcn.nl))
2010-10-26 09:27:18 DEBUG (ldap_maillist_access_policy.py) search attributes: listAllowedUser
2010-10-26 09:27:18 DEBUG (ldap_maillist_access_policy.py) search result: ['mutatie2[at]vcn.nl', 'lverhoeven[at]vcn.nl']
2010-10-26 09:27:18 DEBUG Response from plugin (ldap_maillist_access_policy): REJECT Not Authorized.
2010-10-26 09:27:18 INFO Response from plugin (ldap_maillist_access_policy): REJECT Not Authorized.
2010-10-26 09:27:18 DEBUG Final action: REJECT Not Authorized..
2010-10-26 09:27:18 INFO luc[at]vcn.nl -> ict[at]vcn.nl, REJECT Not Authorized.
2010-10-26 09:27:18 DEBUG Connection closed

19

Re: Mailing list security doesn't work

Thanks for your feedback, i think i know why it happened.
Will reply you later tonight (Sorry, a little busy now).

20

Re: Mailing list security doesn't work

Hi, @veldsink.

Improved iRedAPD again, it will bypass user aliases now.

You can checkout source code here:
http://code.google.com/p/iredmail/sourc … po=iredapd

* Backup old iRedAPD first (/opt/iRedAPD-x.y.z/), and then just replace old iRedAPD by new version.
* Be careful that file owner should be "iredapd:iredapd".
* Set loglevel to debug and restart iredapd service.
* Monitor /var/log/iredapd.log, and post related log content here to help troubleshooting.

21

Re: Mailing list security doesn't work

It seems to work now,

I will let you know if I have some new problems

22

Re: Mailing list security doesn't work

Glad to hear that. Thanks very much for your feedback and testing. smile