1

Topic: Inbound email from local servers & applications

==== Required information ====
- iRedMail version (check /etc/iredmail-release):  0.9.3
- Linux/BSD distribution name and version:   Centos 6.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?   Pro
- Related log if you're reporting an issue:
====


An iredadmin-pro machine with a few domains hosted on it. Another server with various websites hosted on it, including some WordPress sites ranging in versions. E-mail can be configured to go out via private IP as relay from web server to mail system or via public. When sending mail to local domains hosted on iredmail, the inbound email address varies from user accounts, PHP processing configurations (apache fast cgi as: apache@domain_name.tld) to just "wordpress@domain_name.tld".

So, there is no user to authenticate to iredmail.
How does one allow the system to accept the emails bound for iredmail without authentication?

Does one need to have an alias in iredmail?
Does one add the email address to the domain's whitelist?


2

Re: Inbound email from local servers & applications

*) Please show us your Postfix configuration with command "postconf -n". Did you modify any settings?
*) Show us your IP address of the server which hosts web sites. Is it listed in Postfix setting "mynetworks ="?
*) How do you configure WordPress to send email? Is it configured to perform SMTP authentication?

3

Re: Inbound email from local servers & applications

Hello,
Yes it is in mynetworks and when set to relay makes the connection. 

WordPress can have a variety of settings depending upon custom forms and plugins.
However, I do not know of any that actually authenticate to the mail server.   

I was actually about to post a question about the point of entry of email when listed in mynetworks.  What software/processes does an email bypass when the sending server is set to use relayhost=iredmail and mynetworks has the private IP listed for acceptance? 

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailbox_size_limit = 104857600
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 104857600
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain

mydomain = host.domain.tld
myhostname = host.domain.tld

mynetworks = 127.0.0.1, x.x.x.x/24  (private 10.x)
  -- should be removed -- mynetworks_style = host

myorigin = host.domain.tld
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.11.0/README_FILES
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sample_directory = /usr/share/doc/postfix-2.11.0/samples
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 0
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre

smtpd_tls_CAfile = /etc/pki/tls/certs/__my_domain_chained_bundle.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/__my_domain_chained_bundle.pem
smtpd_tls_dh1024_param_file = /etc/pki/tls/dhparams.pem
smtpd_tls_key_file = /etc/pki/tls/private/__my_domain__.key

smtpd_tls_loglevel = 1
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

4

Re: Inbound email from local servers & applications

pbf343 wrote:

Yes it is in mynetworks and when set to relay makes the connection. 

Clients listed in "mynetworks=" are allowed to send email without authentication.

FYI:
http://www.postfix.org/postconf.5.html#mynetworks
http://www.postfix.org/postconf.5.html# … strictions

5

Re: Inbound email from local servers & applications

ZhangHuangbin wrote:
pbf343 wrote:

Yes it is in mynetworks and when set to relay makes the connection. 

Clients listed in "mynetworks=" are allowed to send email without authentication.

FYI:
http://www.postfix.org/postconf.5.html#mynetworks
http://www.postfix.org/postconf.5.html# … strictions

Thanks for the quick reply and reference. What is not clear is at what point such a message enters the system and what processes it will encounter.
For example:
  no greylisting
  any virus scans
  if going out of system to another, is it scanned, throttled, etc.

Hopefully that makes sense.

6

Re: Inbound email from local servers & applications

Please check Postfix settings in /etc/postfix/main.cf:

smtpd_sender_restrictions
smtpd_recipient_restrictions

The order of restriction rules matters. Pay close attention to the restriction rule 'permit_mynetworks': it will bypass emails sent from clients which are defined in "mynetworks=".
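
The point about rule order, worked through on the restriction lists from the "postconf -n" output posted earlier in this thread (an added example, not part of the original posts or of iRedMail; the parser and its TAKES_ARG prefix rule are simplifications assumed here). For each list it separates the rules a client in "mynetworks=" is still checked against from the rules that permit_mynetworks causes to be skipped.

```python
import re

# Restriction lists copied from the "postconf -n" output posted in this thread.
POSTCONF = {
    "smtpd_helo_restrictions":
        "permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, "
        "reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre",
    "smtpd_sender_restrictions":
        "reject_unknown_sender_domain reject_non_fqdn_sender reject_unlisted_sender "
        "permit_mynetworks permit_sasl_authenticated "
        "check_sender_access pcre:/etc/postfix/sender_access.pcre",
    "smtpd_recipient_restrictions":
        "reject_unknown_recipient_domain, reject_non_fqdn_recipient, "
        "reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, "
        "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, "
        "reject_rbl_client b.barracudacentral.org, reject_rbl_client bl.spamcop.net, "
        "reject_rbl_client cbl.abuseat.org, reject_rbl_client zen.spamhaus.org, "
        "reject_rbl_client dnsbl.sorbs.net",
    "smtpd_data_restrictions": "reject_unauth_pipelining",
    "smtpd_end_of_data_restrictions": "check_policy_service inet:127.0.0.1:7777",
}

# Simplification (assumption of this example): rules with these prefixes take one argument.
TAKES_ARG = ("check_", "reject_rbl_", "reject_rhsbl_")


def parse_restrictions(value):
    """Split a comma- and/or whitespace-separated restriction list into rules."""
    tokens = (t for t in re.split(r"[,\s]+", value) if t)
    rules = []
    for tok in tokens:
        if tok.startswith(TAKES_ARG):
            tok += " " + next(tokens, "")  # attach the rule's argument
        rules.append(tok.strip())
    return rules


def trusted_client_path(config, permit="permit_mynetworks"):
    """Per list: rules evaluated before `permit`, and rules skipped after it."""
    result = {}
    for name, value in config.items():
        rules = parse_restrictions(value)
        cut = rules.index(permit) if permit in rules else len(rules)
        result[name] = {"evaluated": rules[:cut], "skipped": rules[cut + 1:]}
    return result


if __name__ == "__main__":
    for name, path in trusted_client_path(POSTCONF).items():
        print(f"{name}\n  evaluated: {path['evaluated']}\n  skipped: {path['skipped']}")
```

Each smtpd_*_restrictions list is evaluated on its own, so a permit in one list does not skip the others; content_filter is not a restriction list and is outside this analysis.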