1

Topic: Moderators in maillist

==== Provide required information to help troubleshoot and get quick answer ====
- Linux/BSD distribution name and version:
- iRedMail version and backend (LDAP/MySQL):
- Any related log? Log is helpful for troubleshooting.
====
CentOS 5.6, iRedMail-0.7.2, iRedProLdDAPAdmin-1.6.3

Hi Zhang,

I have enabled the mail sending restriction on a maillist so that only moderators can send to it. Even after that, members of that mailing list and other internal users are able to send mails to that maillist.

Kindly help us restrict it so that only the moderator can send mail to that maillist.

Thanks,
Regards,
Mohan

2

Re: Moderators in maillist

Hi Mohan,

Please post the same info as in your other topic here to help troubleshoot:
http://www.iredmail.org/forum/post13765.html#p13765

3

Re: Moderators in maillist

Hi Zhang,

I have pasted the LDIF export details of the maillist below. There are no logs in iredapd.log and iredapd-rr.log while sending mails from other users in the domain to the maillist.
LDIF output of maillist Sales:

dn: mail=sales@mydomain.com,ou=Groups,domainName=mydomain.com,o=domains,dc=safe,dc=mydomain,dc=com
accessPolicy: allowedOnly
accountStatus: active
cn: Sales
enabledService: mail
enabledService: deliver
enabledService: displayedInGlobalAddressBook
hasMember: yes
listAllowedUser: test1@mydomain.com
mail: sales@mydomain.com
objectClass: mailList

Regards,
Mohan

4

Re: Moderators in maillist

mohan wrote:

the logs of iredapd.log and iredapd-rr.log no logs while sending mails from other users in the domain to maillist

Please turn on debug mode in both iRedAPD and iredapd-rr, then post log here.
There must be some log, if not, iRedAPD related Postfix settings might be misconfigured. Please post output of command 'postconf -n' here to help troubleshoot.

5 (edited by mohan 2012-03-01 12:26:19)

Re: Moderators in maillist

Hi Zhang,
I have pasted the postconf -n output for your reference below. I have enabled debug in iredapd.ini and iredapd-rr.ini files.
I am not getting any logs while sending mails from other users to the maillist to which I have allowed only the moderator to send mail.

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = mydomain.com
myhostname = secure.mydomain.com
mynetworks = 127.0.0.0/8, 192.168.1.0/24
mynetworks_style = subnet
myorigin = secure.mydomain.com
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.5.9/README_FILES
recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_domain.cf, proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_user.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:ldap:/etc/postfix/ldap/relay_domains.cf
relayhost = 10.3.11.50:25
sample_directory = /usr/share/doc/postfix-2.5.9/samples
sender_bcc_maps = proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_domain.cf,proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_accesspcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:7777, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, permit_mynetworks, permit_sasl_authenticated,reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_policy_service inet:127.0.0.1:10031
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf
smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:7778, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
transport_maps = proxy:ldap:/etc/postfix/ldap/transport_maps_user.cf,
proxy:ldap:/etc/postfix/ldap/transport_maps_domain.cf, hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/virtual_alias_maps.cf,
proxy:ldap:/etc/postfix/ldap/virtual_group_maps.cf,
proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf, proxy:ldap:/etc/postfix/ldap/catchall_maps.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:500

Regards,
Mohan

6

Re: Moderators in maillist

You have the Postfix settings below, so iRedAPD and iRedAPD-rr are enabled correctly:

smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:7777, ...
smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:7778, ...

There should be some log related to your testing email. May I know how you sent this testing email? Could you please try again with a desktop mail client (Thunderbird, Outlook, etc.), not Roundcube webmail?

7

Re: Moderators in maillist

Hi Zhang,

I tried with the mail client Outlook and it is working: the mails are getting delivered only if sent from the moderator, and not from the members of that group or other users.

Why is it not restricting when sending from Roundcube webmail? Is there any reason for that?
Thanks,
Regards,
Mohan

8

Re: Moderators in maillist

Could you please check /etc/postfix/master.cf and find the two lines below:

pickup    fifo  n       -       n       60      1       pickup
  -o content_filter=

Please comment out the second line like below:

pickup    fifo  n       -       n       60      1       pickup
#  -o content_filter=

Then restart Postfix service and try again.

9

Re: Moderators in maillist

Hi Zhang,

I have commented out the content_filter= line as per your suggestion in the /etc/postfix/master.cf file. Even now, mails sent from Roundcube by other users are getting delivered. Only moderators should be able to send mails to the group, but other users are able to send. I have pasted the iredapd-rr.log below.

2012-03-27 15:55:01 INFO test5@mydomain.com -> grouptest2@mydomain.com, DUNNO

No logs in the iredapd.log file.

Thanks,
Regards,
Mohan

10

Re: Moderators in maillist

Could you please set 'log_level = debug' in iredapd.ini, restart iRedAPD, monitor its log file and send one more testing email?
Paste log here to help troubleshoot.

11

Re: Moderators in maillist

Hi Zhang,
I have enabled log_level=debug in the iredapd.ini and iredapd-rr.ini files and restarted the iredapd and iredapd-rr services.
I then sent a test mail; the log appears in iredapd-rr.log but not in the iredapd.log file. I am pasting the log for your reference below.
When a test mail is sent from test5@mydomain.com to the grouptest2@mydomain.com maillist, it gets delivered, but I have allowed only the moderator test2@mydomain.com to send mails to that maillist.

I am sending mail from Roundcube:

INFO test5@mydomain.com -> grouptest2@mydomain.com, DUNNO
2012-03-28 16:37:08 INFO test5@mydomain.com -> grouptest2@mydomain.com, DUNNO
2012-03-28 16:44:37 INFO test5@mydomain.com -> grouptest2@mydomain.com, DUNNO
2012-03-28 16:45:58 INFO Starting iredapd (v1.3.6, pid: 15090), listening on 127.0.0.1:7778.
2012-03-28 16:45:58 DEBUG Forking first child.
2012-03-28 16:45:58 DEBUG Creating new session
2012-03-28 16:45:58 DEBUG Forking second child.
2012-03-28 16:45:58 DEBUG Setting umask
2012-03-28 16:45:58 DEBUG Changing working directory to "/"
2012-03-28 16:45:58 DEBUG Redirecting file descriptors
2012-03-28 16:46:48 DEBUG Connect from 127.0.0.1
2012-03-28 16:46:48 DEBUG smtp session: request=smtpd_access_policy
2012-03-28 16:46:48 DEBUG smtp session: protocol_state=RCPT
2012-03-28 16:46:48 DEBUG smtp session: protocol_name=ESMTP
2012-03-28 16:46:48 DEBUG smtp session: client_address=127.0.0.1
2012-03-28 16:46:48 DEBUG smtp session: client_name=safe.myhostname.com
2012-03-28 16:46:48 DEBUG smtp session: reverse_client_name=safe.myhostname.com
2012-03-28 16:46:48 DEBUG smtp session: helo_name=mail.mydomain.com
2012-03-28 16:46:48 DEBUG smtp session: sender=test5@mydomain.com
2012-03-28 16:46:48 DEBUG smtp session: recipient=grouptest2@mydomain.com
2012-03-28 16:46:48 DEBUG smtp session: recipient_count=0
2012-03-28 16:46:48 DEBUG smtp session: queue_id=
2012-03-28 16:46:48 DEBUG smtp session: instance=3afc.4f72f320.4f711.0
2012-03-28 16:46:48 DEBUG smtp session: size=0
2012-03-28 16:46:48 DEBUG smtp session: etrn_domain=
2012-03-28 16:46:48 DEBUG smtp session: stress=
2012-03-28 16:46:48 DEBUG smtp session: sasl_method=LOGIN
2012-03-28 16:46:48 DEBUG smtp session: sasl_username=test5@mydomain.com
2012-03-28 16:46:48 DEBUG smtp session: sasl_sender=
2012-03-28 16:46:48 DEBUG smtp session: ccert_subject=
2012-03-28 16:46:48 DEBUG smtp session: ccert_issuer=
2012-03-28 16:46:48 DEBUG smtp session: ccert_fingerprint=
2012-03-28 16:46:48 DEBUG smtp session: encryption_protocol=
2012-03-28 16:46:48 DEBUG smtp session: encryption_cipher=
2012-03-28 16:46:48 DEBUG smtp session: encryption_keysize=0
2012-03-28 16:46:48 DEBUG LDAP connection initialied success.
2012-03-28 16:46:48 DEBUG LDAP bind success.
2012-03-28 16:46:48 DEBUG __get_sender_dn_ldif (sender): test5@epoxymail.com
2012-03-28 16:46:48 DEBUG __get_sender_dn_ldif: Quering LDAP
2012-03-28 16:46:48 DEBUG __get_sender_dn_ldif (result): [('mail=test5@mydomain.com,ou=Users,domainName=mydomain.com,o=domains,dc=safe,dc=myhostname,dc=com', {'uid': ['test5'], 'mailQuota': ['104857600'], 'objectClass': ['inetOrgPerson', 'mailUser', 'shadowAccount', 'amavisAccount'], 'userRecipientBccAddress': ['test5@mydomain.local'], 'userPassword': ['{SSHA}VdXqXmzGpHHzP8AiJx/omMXbBgkAkx2dL517eg=='], 'accountStatus': ['active'], 'userSenderBccAddress': ['test5@mydomain.local'], 'amavisLocal': ['TRUE'], 'sn': ['test5'], 'homeDirectory': ['/var/vmail/vmail1/mydomain.com/t/e/s/test5-2011.11.24.21.44.30/'], 'mail': ['test5@mydomain.com'], 'storageBaseDirectory': ['/var/vmail'], 'mailMessageStore': ['vmail1/mydomain.com/t/e/s/test5-2011.11.24.21.44.30/'], 'enabledService': ['mail', 'internal', 'smtp', 'pop3', 'pop3secured', 'imap', 'imapsecured', 'deliver', 'forward', 'shadowaddress', 'managesieve', 'managesievesecured', 'recipientbcc', 'senderbcc', 'displayedinglobaladdressbook', 'sieve', 'sievesecured'], 'cn': ['Test']})]
2012-03-28 16:46:48 DEBUG Apply plugin (ldap_recipient_restrictions).
2012-03-28 16:46:48 DEBUG Response from plugin (ldap_recipient_restrictions): DUNNO
2012-03-28 16:46:48 DEBUG Final action: DUNNO.
2012-03-28 16:46:48 INFO test5@mydomain.com -> grouptest2@epoxymail.com, DUNNO
2012-03-28 16:46:48 DEBUG Connection closed

Thanks,
Regards,
Mohan

12

Re: Moderators in maillist

Moderator in maillist should be restricted in iredapd, not iredapd-rr.
Could you please paste config file of /opt/iredapd/etc/iredapd.ini here to help troubleshoot? REPLACE password and sensitive info before posting.

13

Re: Moderators in maillist

Hi Zhang,

I have pasted below the iredapd.ini file
[general]
# Listen address and port.
listen_addr = 127.0.0.1
listen_port = 7777

# Run as a low privileged user.
# If you don't want to create one, you can try 'nobody'.
run_as_user = iredapd

# Background/daemon mode: yes, no.
# Run iRedAPD as daemon, detach iredapd from terminal.
run_as_daemon = yes

# Path to pid file.
pid_file        = /var/run/iredapd.pid

# Log type: file.
# Set 'log_file = /dev/null' if you don't want to keep the log.
log_type        = file
log_file        = /var/log/iredapd.log

# Log level: info, error, debug.
log_level       = debug

# Backend: ldap, mysql.
backend = ldap

[ldap]
# For ldap backend only.
# LDAP server setting.
# Uri must starts with ldap:// or ldaps:// (TLS/SSL).
#
# Tip: You can get binddn, bindpw from /etc/postfix/ldap_*.cf.
#
uri = ldap://127.0.0.1:389
binddn = cn=vmail,dc=safe,dc=myhostname,dc=com
bindpw = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
basedn = o=domains,dc=safe,dc=myhostname,dc=com

# Enabled plugins.
#   - Plugin name is file name which placed under 'src/plugins/' directory.
#   - Plugin names MUST be seperated by comma.
#
# Available plugins:
#   * ldap_domain_wblist: per-domain white/blacklist support.
#       Note: If you want to enable this plugin, it's better to make it the
#             first one in enabled plugin list.
#   * ldap_maillist_access_policy: mail list deliver restrictions.
#   * block_amavisd_blacklisted_senders: per-user white/blacklist support.
plugins = block_amavisd_blacklisted_senders, ldapmaillist_access_policy

[mysql]
# For MySQL backend only.
server      = 127.0.0.1
db          = vmail
user        = vmail
password    = xxxxxxxxxxxxxxxxxxxxxxx

# Enabled plugins.

#   - Plugin name is file name which placed under 'src/plugins/' directory.
#   - Plugin names MUST be seperated by comma.
plugins = ldap_maillist_access_policy

Thanks,
Regards,
Mohan

14

Re: Moderators in maillist

There's a typo in the plugin list:

plugins = block_amavisd_blacklisted_senders, ldapmaillist_access_policy

It should be 'ldap_maillist_access_policy'.
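
A pre-restart check for the misspelling identified above, as an added example that is not part of the thread or of iRedAPD itself. The function name `audit` is hypothetical, the sample inputs are trimmed from the files posted in this thread, and the check assumes that only the `plugins` line in the active backend's section is read.

```python
import configparser
import difflib
import re

# Constructed sample: trimmed from the iredapd.ini posted in this thread.
SAMPLE_INI = """\
[general]
listen_addr = 127.0.0.1
listen_port = 7777
backend = ldap

[ldap]
# Available plugins:
#   * ldap_domain_wblist: per-domain white/blacklist support.
#   * ldap_maillist_access_policy: mail list deliver restrictions.
#   * block_amavisd_blacklisted_senders: per-user white/blacklist support.
plugins = block_amavisd_blacklisted_senders, ldapmaillist_access_policy

[mysql]
plugins = ldap_maillist_access_policy
"""

# Constructed sample: the relevant line from the posted 'postconf -n' output.
SAMPLE_POSTCONF = (
    "smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:7777, "
    "reject_unknown_sender_domain, permit_mynetworks\n"
)

def audit(ini_text, postconf_text):
    """Return a list of human-readable findings; empty means no problem found."""
    findings = []
    # Names advertised in the "#   * name: description" comment bullets.
    available = set(re.findall(r"^#\s+\*\s+(\w+):", ini_text, re.M))

    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    backend = cfg.get("general", "backend").strip()
    # Assumption: only the plugins line of the active backend section is used.
    enabled = [p.strip() for p in cfg.get(backend, "plugins").split(",") if p.strip()]

    for name in enabled:
        if name not in available:
            hint = difflib.get_close_matches(name, available, n=1)
            findings.append("unknown plugin %r in [%s]%s" % (
                name, backend, ", did you mean %r?" % hint[0] if hint else ""))

    # The policy daemon is only consulted if Postfix points at its address:port.
    endpoint = "inet:%s:%s" % (cfg.get("general", "listen_addr"),
                               cfg.get("general", "listen_port"))
    services = re.findall(r"check_policy_service\s+(\S+?)(?:,|\s|$)", postconf_text)
    if endpoint not in services:
        findings.append("Postfix never calls %s" % endpoint)
    return findings
```

Against the files as posted, the only finding is the misspelled name in the `[ldap]` section; the correctly spelled line under `[mysql]` does not help while `backend = ldap`.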

15

Re: Moderators in maillist

Hi Zhang,

I have corrected the typo in the line plugins = block_amavisd_blacklisted_senders, ldap_maillist_access_policy. Even now, mail sent by users other than the moderators is getting delivered to the maillist.

I have pasted below the iredapd.ini file
[general]
# Listen address and port.
listen_addr = 127.0.0.1
listen_port = 7777
# Run as a low privileged user.
# If you don't want to create one, you can try 'nobody'.
run_as_user = iredapd
# Background/daemon mode: yes, no.
# Run iRedAPD as daemon, detach iredapd from terminal.
run_as_daemon = yes
# Path to pid file.
pid_file        = /var/run/iredapd.pid
# Log type: file.
# Set 'log_file = /dev/null' if you don't want to keep the log.
log_type        = file
log_file        = /var/log/iredapd.log
# Log level: info, error, debug.
log_level       = debug
# Backend: ldap, mysql.
backend = ldap
[ldap]
# For ldap backend only.
# LDAP server setting.
# Uri must starts with ldap:// or ldaps:// (TLS/SSL).
#
# Tip: You can get binddn, bindpw from /etc/postfix/ldap_*.cf.
#
uri = ldap://127.0.0.1:389
binddn = cn=vmail,dc=safe,dc=myhostname,dc=com
bindpw = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
basedn = o=domains,dc=safe,dc=myhostname,dc=com
# Enabled plugins.
#   - Plugin name is file name which placed under 'src/plugins/' directory.
#   - Plugin names MUST be seperated by comma.
#
# Available plugins:
#   * ldap_domain_wblist: per-domain white/blacklist support.
#       Note: If you want to enable this plugin, it's better to make it the
#             first one in enabled plugin list.
#   * ldap_maillist_access_policy: mail list deliver restrictions.
#   * block_amavisd_blacklisted_senders: per-user white/blacklist support.
plugins = block_amavisd_blacklisted_senders, ldap_maillist_access_policy
[mysql]
# For MySQL backend only.
server      = 127.0.0.1
db          = vmail
user        = vmail
password    = xxxxxxxxxxxxxxxxxxxxxxx
# Enabled plugins.
#   - Plugin name is file name which placed under 'src/plugins/' directory.
#   - Plugin names MUST be seperated by comma.
plugins = ldap_maillist_access_policy

Thanks,
Regards,
Mohan

16

Re: Moderators in maillist

Could you please paste debug log in /var/log/iredapd.log also?