1 (edited by Casa.it 2011-02-17 19:29:45)

Topic: IREDAPD Problem

Hi All,
I have a problem with IREDAPD, i use IredAdmin 1.4 to set blacklist -----> Reject mails sent to below recipients enrico@xxxxx.com  but mail go always..  and when i set log to debug i view this:

2011-02-17 12:24:22 DEBUG LDAP bind success.
2011-02-17 12:24:22 DEBUG __get_recipient_dn_ldif (recipient): enrico@xxxxx.com
2011-02-17 12:24:22 DEBUG __get_recipient_dn_ldif (result): []
2011-02-17 12:24:22 DEBUG !!! ERROR !!! __get_recipient_dn_ldif (result): list index out of range
2011-02-17 12:24:22 DEBUG Recipient DN or LDIF is none.
2011-02-17 12:24:22 DEBUG Final action: DUNNO.

I am using iredapd 1.3.3 with plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders


Thanks
Enrico

2

Re: IREDAPD Problem

Could you please try the latest iRedAPD, turn on debug mode and paste log here?

I uploaded the latest iRedAPD here, it will log more detail with debug mode:
http://iredmail.googlecode.com/files/iR … a1.tar.bz2

Here's iRedAPD installation guide:
http://www.iredmail.org/doc.html#iredapd

3

Re: IREDAPD Problem

I install it, but the error is the same:

/var/log/iredapd.log:

2011-02-17 14:28:38 DEBUG smtp session: recipient_count=0
2011-02-17 14:28:38 DEBUG smtp session: queue_id=
2011-02-17 14:28:38 DEBUG smtp session: instance=89f.4d5d2286.5d196.0
2011-02-17 14:28:38 DEBUG smtp session: size=0
2011-02-17 14:28:38 DEBUG smtp session: etrn_domain=
2011-02-17 14:28:38 DEBUG smtp session: stress=
2011-02-17 14:28:38 DEBUG smtp session: sasl_method=
2011-02-17 14:28:38 DEBUG smtp session: sasl_username=
2011-02-17 14:28:38 DEBUG smtp session: sasl_sender=
2011-02-17 14:28:38 DEBUG smtp session: ccert_subject=
2011-02-17 14:28:38 DEBUG smtp session: ccert_issuer=
2011-02-17 14:28:38 DEBUG smtp session: ccert_fingerprint=
2011-02-17 14:28:38 DEBUG smtp session: encryption_protocol=
2011-02-17 14:28:38 DEBUG smtp session: encryption_cipher=
2011-02-17 14:28:38 DEBUG smtp session: encryption_keysize=0
2011-02-17 14:28:38 DEBUG LDAP connection initialied success.
2011-02-17 14:28:38 DEBUG LDAP bind success.
2011-02-17 14:28:38 DEBUG __get_recipient_dn_ldif (recipient): enrico@xxxxx.com
2011-02-17 14:28:38 DEBUG __get_recipient_dn_ldif (result): []
2011-02-17 14:28:38 DEBUG !!! ERROR !!! __get_recipient_dn_ldif (result): list index out of range
2011-02-17 14:28:38 DEBUG Recipient DN or LDIF is none.
2011-02-17 14:28:38 DEBUG Final action: DUNNO.

/var/log/iredapd-rr.log:

2011-02-17 14:28:38 DEBUG smtp session: recipient_count=0
2011-02-17 14:28:38 DEBUG smtp session: queue_id=
2011-02-17 14:28:38 DEBUG smtp session: instance=89f.4d5d2286.5d196.0
2011-02-17 14:28:38 DEBUG smtp session: size=0
2011-02-17 14:28:38 DEBUG smtp session: etrn_domain=
2011-02-17 14:28:38 DEBUG smtp session: stress=
2011-02-17 14:28:38 DEBUG smtp session: sasl_method=
2011-02-17 14:28:38 DEBUG smtp session: sasl_username=
2011-02-17 14:28:38 DEBUG smtp session: sasl_sender=
2011-02-17 14:28:38 DEBUG smtp session: ccert_subject=
2011-02-17 14:28:38 DEBUG smtp session: ccert_issuer=
2011-02-17 14:28:38 DEBUG smtp session: ccert_fingerprint=
2011-02-17 14:28:38 DEBUG smtp session: encryption_protocol=
2011-02-17 14:28:38 DEBUG smtp session: encryption_cipher=
2011-02-17 14:28:38 DEBUG smtp session: encryption_keysize=0
2011-02-17 14:28:38 DEBUG LDAP connection initialied success.
2011-02-17 14:28:38 DEBUG LDAP bind success.
2011-02-17 14:28:38 DEBUG __get_sender_dn_ldif (sender):
2011-02-17 14:28:38 DEBUG __get_sender_dn_ldif: Sender is not a valid email address.
2011-02-17 14:28:38 DEBUG Sender DN or LDIF is none.
2011-02-17 14:28:38 DEBUG Final action: DUNNO.

4

Re: IREDAPD Problem

Can you try to perform LDAP query from command line, then paste output message here:

# ldapsearch -x -D 'BINDDN' -W -b 'BASEDN' "(&(|(mail=enrico@xxxxx.com)(shadowAddress=enrico@xxxxx.com))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))"

Note:
- Replace BINDDN with value of 'binddn' in iredapd.ini.
- Replace BASEDN with value of 'basedn' in iredapd.ini.
- Replace enrico@xxxxx.com by your real email address.

5 (edited by Casa.it 2011-02-18 16:14:22)

Re: IREDAPD Problem

this is the result:

# extended LDIF
#
# LDAPv3
# base <o=domains,dc=xxxxx,dc=xxxxx,dc=com> with scope subtree
# filter: (&(|(mail=enrico@xxxx.com)(shadowAddress=enrico@xxxx.com))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
# requesting: ALL

# enrico@xxxx.xxxx.com Users, xxxx.xxxx.com, domains, xxxx.xxxx.com
dn: mail=enrico@xxxx.xxxx.com,ou=Users,domainName=xxxx.xxxx.com,o=domain
s,dc=xxxx,dc=xxxx,dc=vom
objectClass: inetOrgPerson
objectClass: mailUser
objectClass: shadowAccount
objectClass: amavisAccount
mail: enrico@xxxx.xxxx.com
userPassword:: XXXXSXXXXXXXgvdFlMxxxxxxxxxxxxxxxxx
=
mailQuota: 1073741824
sn: enrico
uid: enrico
storageBaseDirectory: /var/vmail
mailMessageStore: vmail1/xxxx.xxxx.com/e/en/enr/enrico-2010.06.10.17.11.
16/
homeDirectory: /var/vmail/vmail1/xxxx.xxxx.com/e/en/enr/enrico-2010.06.1
0.17.11.16/
accountStatus: active
mtaTransport: dovecot
enabledService: mail
enabledService: smtp
enabledService: deliver
enabledService: pop3
enabledService: pop3secured
enabledService: imap
enabledService: imapsecured
enabledService: managesieve
enabledService: managesievesecured
enabledService: sieve
enabledService: sievesecured
enabledService: internal
enabledService: forward
enabledService: senderbcc
enabledService: recipientbcc
enabledService: shadowaddress
enabledService: displayedInGlobalAddressBook
cn: Enrico
shadowAddress: enrico@xxxx.xxxx.com
mailBlacklistRecipient: enri@gmail.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

6

Re: IREDAPD Problem

It's strange that iRedAPD can't get ldap query result. Could you try to apply attached patch and paste debug log message here? It will log some more detail about ldap query.

Steps to apply this patch:
- Upload/copy patch to your server which has iRedAPD-1.3.4-beta1 running. let's assume it's /root/iredapd.patch.
- Open a terminal, change working directory to root directory of iRedAPD, it should be /opt/iRedAPD-1.3.4-beta1/.
- Test patch (with option "--dry-run"):

# cd /opt/iRedAPD-1.3.4-beta1/
# patch -p1 --dry-run < /root/iredapd.patch
patching file src/iredapd.py

- If you get same output message as above, it's safe to patch it now (without option "--dry-run"):

# patch -p1 < /root/iredapd.patch
patching file src/iredapd.py

- Restart iRedAPD and try to debug it.

Post's attachments

iredapd.patch 1.87 kb, 3 downloads since 2011-02-18 

You don't have the permssions to download the attachments of this post.

7 (edited by Casa.it 2011-02-18 18:10:39)

Re: IREDAPD Problem

There is a problem iredapd test a recipient address not a sender address.

the last ldap query that you have post run if I use the sender address.

log is this:

2011-02-18 10:42:39 DEBUG LDAP bind success.
2011-02-18 10:42:39 DEBUG __get_recipient_dn_ldif (recipient): enri@gmail.com
2011-02-18 10:42:39 DEBUG __get_recipient_dn_ldif (ldap query filter): (&(|(mail=enri@gmail.com)(shadowAddress=enri@gmail.com))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2011-02-18 10:42:39 DEBUG Can not find recipient in LDAP server.
2011-02-18 10:42:39 DEBUG Recipient DN or LDIF is None.
2011-02-18 10:42:39 DEBUG Final action: DUNNO.

8

Re: IREDAPD Problem

Can you show us your postfix config with command "postconf -n"?

9 (edited by Casa.it 2011-02-18 19:15:08)

Re: IREDAPD Problem

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mail_name = iRedMail
mail_version = 0.6.1
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 15728640
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
minimal_backoff_time = 300s
mydestination = localhost, localhost.localdomain, localhost.$myhostname
mydomain =xxxx.xxxxx.com
myhostname = xxxx.xxxx.com
mynetworks = 127.0.0.0/8, 192.168.37.33
mynetworks_style = subnet
myorigin = xxxx.xxxx.com
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap_recipient_bcc_maps_domain.cf, proxy:ldap:/etc/postfix/ldap_recipient_bcc_maps_user.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:ldap:/etc/postfix/ldap_relay_domains.cf
relayhost =
sender_bcc_maps = proxy:ldap:/etc/postfix/ldap_sender_bcc_maps_domain.cf, proxy:ldap:/etc/postfix/ldap_sender_bcc_maps_user.cf
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain,                               reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, reject_unauth_pipelining,    reject_invalid_hostname, check_policy_service inet:127.0.0.1:7777,  permit_mynetworks,                               permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname,                   reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031                               
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap_sender_login_maps.cf
smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:7778, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = proxy:ldap:/etc/postfix/ldap_transport_maps_user.cf, proxy:ldap:/etc/postfix/ldap_transport_maps_domain.cf
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_alias_maps.cf, proxy:ldap:/etc/postfix/ldap_virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap_sender_login_maps.cf, proxy:ldap:/etc/postfix/ldap_catch_all_maps.cf
virtual_gid_maps = static:1001
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap_virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf
virtual_minimum_uid = 1001
virtual_transport = dovecot
virtual_uid_maps = static:1001

10

Re: IREDAPD Problem

There is any news?
Do you need other informarmation?

Thks

Enrico

11

Re: IREDAPD Problem

Which plugins are enabled in iredapd-rr.ini? It should be:

plugins = ldap_recipient_restrictions

12

Re: IREDAPD Problem

Yes this is only plugin enable in iredapd-rr.ini.

The log iredapd-rr.log is different from irepapd.log:

2011-02-18 11:14:41 DEBUG smtp session: recipient_count=0
2011-02-18 11:14:41 DEBUG smtp session: queue_id=
2011-02-18 11:14:41 DEBUG smtp session: instance=375e.4d5e4691.c36ac.0
2011-02-18 11:14:41 DEBUG smtp session: size=0
2011-02-18 11:14:41 DEBUG smtp session: etrn_domain=
2011-02-18 11:14:41 DEBUG smtp session: stress=
2011-02-18 11:14:41 DEBUG smtp session: sasl_method=
2011-02-18 11:14:41 DEBUG smtp session: sasl_username=
2011-02-18 11:14:41 DEBUG smtp session: sasl_sender=
2011-02-18 11:14:41 DEBUG smtp session: ccert_subject=
2011-02-18 11:14:41 DEBUG smtp session: ccert_issuer=
2011-02-18 11:14:41 DEBUG smtp session: ccert_fingerprint=
2011-02-18 11:14:41 DEBUG smtp session: encryption_protocol=
2011-02-18 11:14:41 DEBUG smtp session: encryption_cipher=
2011-02-18 11:14:41 DEBUG smtp session: encryption_keysize=0
2011-02-18 11:14:41 DEBUG LDAP connection initialied success.
2011-02-18 11:14:41 DEBUG LDAP bind success.
2011-02-18 11:14:41 DEBUG __get_sender_dn_ldif (sender):
2011-02-18 11:14:41 DEBUG __get_sender_dn_ldif: Sender is not a valid email address.
2011-02-18 11:14:41 DEBUG Sender DN or LDIF is none.
2011-02-18 11:14:41 DEBUG Final action: DUNNO.

13

Re: IREDAPD Problem

I found a strange situation in your debug log, there's no "sasl_username" in smtp session, but there's "sender".

Could you please try to change /opt/iRedAPD-x.y.z/src/iredapd-rr.py, find this line (about line 254):

                senderDN, senderLdif = self.__get_sender_dn_ldif(map['sasl_username'])

Change "sasl_username" to "sender", restart iRedAPD and test it again. If it doesn't work, please paste log content here, thanks.

Did you send this test mail from shell command line, then it bypass SASL authentication?

14

Re: IREDAPD Problem

Forgot to mention that, please paste full log instead of last 20 lines. at least includes full smtp sessions.

15

Re: IREDAPD Problem

Now it's run.

here the log:


2011-02-21 12:39:15 DEBUG smtp session: request=smtpd_access_policy
2011-02-21 12:39:15 DEBUG smtp session: protocol_state=RCPT
2011-02-21 12:39:15 DEBUG smtp session: protocol_name=ESMTP
2011-02-21 12:39:15 DEBUG smtp session: client_address=192.168.37.33
2011-02-21 12:39:15 DEBUG smtp session: client_name=unknown
2011-02-21 12:39:15 DEBUG smtp session: reverse_client_name=unknown
2011-02-21 12:39:15 DEBUG smtp session: helo_name=DELL
2011-02-21 12:39:15 DEBUG smtp session: sender=enrico@xxxx.xxxx.com
2011-02-21 12:39:15 DEBUG smtp session: recipient=enri@gmail.com
2011-02-21 12:39:15 DEBUG smtp session: recipient_count=0
2011-02-21 12:39:15 DEBUG smtp session: queue_id=
2011-02-21 12:39:15 DEBUG smtp session: instance=5998.4d624ee3.bdaa3.0
2011-02-21 12:39:15 DEBUG smtp session: size=0
2011-02-21 12:39:15 DEBUG smtp session: etrn_domain=
2011-02-21 12:39:15 DEBUG smtp session: stress=
2011-02-21 12:39:15 DEBUG smtp session: sasl_method=
2011-02-21 12:39:15 DEBUG smtp session: sasl_username=
2011-02-21 12:39:15 DEBUG smtp session: sasl_sender=
2011-02-21 12:39:15 DEBUG smtp session: ccert_subject=
2011-02-21 12:39:15 DEBUG smtp session: ccert_issuer=
2011-02-21 12:39:15 DEBUG smtp session: ccert_fingerprint=
2011-02-21 12:39:15 DEBUG smtp session: encryption_protocol=
2011-02-21 12:39:15 DEBUG smtp session: encryption_cipher=
2011-02-21 12:39:15 DEBUG smtp session: encryption_keysize=0
2011-02-21 12:39:15 DEBUG LDAP connection initialied success.
2011-02-21 12:39:15 DEBUG LDAP bind success.
2011-02-21 12:39:15 DEBUG __get_sender_dn_ldif (sender): enrico@xxxx.xxxx.com
2011-02-21 12:39:15 DEBUG __get_sender_dn_ldif: Quering LDAP
2011-02-21 12:39:15 DEBUG __get_sender_dn_ldif (result): [('mail=enrico@xxxx.xxxx.com,ou=Users,domainName=xxxx.xxxx.com,o=domains,dc=xxxx,dc=xxxx,dc=com', {'shadowAddress': ['enrico@xxxx.xxxx.it'], 'uid': ['enrico'], 'mailQuota': ['1073741824'], 'objectClass': ['inetOrgPerson', 'mailUser', 'shadowAccount', 'amavisAccount'], 'userPassword': ['{SSHA}GsvLTawjgV8xxxxx2LDtB4muFWxxxxw=='], 'homeDirectory': ['/var/vmail/vmail1/xxxx.xxxx.com/e/en/enr/enrico-2010.06.10.17.11.16/'], 'accountStatus': ['active'], 'mailBlacklistRecipient': ['enri@gmail.com'], 'amavisBlacklistSender': ['enri@gmail.com'], 'mtaTransport': ['dovecot'], 'sn': ['enrico'], 'storageBaseDirectory': ['/var/vmail'], 'mail': ['enrico@xxxx.xxxx.com'], 'mailMessageStore': ['vmail1/xxxx.xxxx.com/e/en/enr/enrico-2010.06.10.17.11.16/'], 'enabledService': ['mail', 'smtp', 'deliver', 'pop3', 'pop3secured', 'imap', 'imapsecured', 'managesieve', 'managesievesecured', 'sieve', 'sievesecured', 'internal', 'forward', 'senderbcc', 'recipientbcc', 'shadowaddress', 'displayedInGlobalAddressBook'], 'cn': ['Enrico']})]
2011-02-21 12:39:15 DEBUG Apply plugin (ldap_recipient_restrictions).
2011-02-21 12:39:15 DEBUG Response from plugin (ldap_recipient_restrictions): REJECT Not authorized
2011-02-21 12:39:15 INFO Response from plugin (ldap_recipient_restrictions): REJECT Not authorized
2011-02-21 12:39:15 DEBUG Final action: REJECT Not authorized.
2011-02-21 12:39:15 INFO enrico@xxxx.xxxx.com -> enri@gmail.com, REJECT Not authorized
2011-02-21 12:39:15 DEBUG Connection closed

There is no SASL authentication my ip is in mynetwork in main.cf of postfix.

16

Re: IREDAPD Problem

Casa.it wrote:

There is no SASL authentication my ip is in mynetwork in main.cf of postfix.

That's the root cause.

So, it works for you now?

17

Re: IREDAPD Problem

ZhangHuangbin wrote:

That's the root cause.
So, it works for you now?


Yes it work now.

I was thinking the ldap query was made with sender address, not with saslusername.

Thks.

Enrico

18

Re: IREDAPD Problem

Casa.it wrote:

I was thinking the ldap query was made with sender address, not with saslusername.

Improved iRedAPD, add a new option in iredapd-rr.ini, used to bypass mails sent from postfix 'mynetworks':

bypass_mynetworks = yes

Code commit log:
http://code.google.com/p/iredmail/sourc … po=iredapd

19

Re: IREDAPD Problem

ZhangHuangbin wrote:

Improved iRedAPD, add a new option in iredapd-rr.ini, used to bypass mails sent from postfix 'mynetworks':

in this line missing quotes on sender:

senderDN, senderLdif = self.__get_sender_dn_ldif(sender)


Bye

20

Re: IREDAPD Problem

Casa.it wrote:

in this line missing quotes on sender:
senderDN, senderLdif = self.__get_sender_dn_ldif(sender)

It's correct, because 'sender' is defined in above lines:

                    if bypass_mynetworks == 'yes':
                        sender = map['sasl_username']
                    else:
                        sender = map['sender']
    
                    senderDN, senderLdif = self.__get_sender_dn_ldif(sender)

21

Re: IREDAPD Problem

Casa.it wrote:
ZhangHuangbin wrote:

Improved iRedAPD, add a new option in iredapd-rr.ini, used to bypass mails sent from postfix 'mynetworks':

in this line missing quotes on sender:

senderDN, senderLdif = self.__get_sender_dn_ldif(sender)


Bye


Sorry it's ok