You are not logged in. Please login or register.
iRedMail → iRedMail Support → DUNNO policy is not defined in plugin.
Hi,
I get the following after enabling Debug in iredapd log :
Response from plugin (sql_alias_access_policy): DUNNO Policy is not defined in plugin (sql_alias_access_policy.py): .
Final action: None.
I have downloaded the latest sql_alias_access_policy.py
What can be the issue ???
----
Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.
Do you have access policy defined for your mail alias account?
Access policy is defined as "moderatorsonly" in mail alias account.
moderators are also defined.
Could you please show me output of below SQL command? Replace 'USER@DOMAIN.LTD' by the real email address of your alias account.
mysql> USE vmail;
mysql> SELECT address,accesspolicy,active FROM alias WHERE address = 'USER@DOMAIN.LTD';Also, please paste /opt/iredapd/etc/iredapd.ini. Replace sensitive information before posting.
Could you please show me output of below SQL command? Replace 'USER@DOMAIN.LTD' by the real email address of your alias account.
mysql> USE vmail; mysql> SELECT address,accesspolicy,active FROM alias WHERE address = 'USER@DOMAIN.LTD';Also, please paste /opt/iredapd/etc/iredapd.ini. Replace sensitive information before posting.
Hi ZhangHuangbin,
Following is the output of query needed :
+-----------------------+----------------+--------+
| address | accesspolicy | active |
+-----------------------+----------------+--------+
| username@domain.ltd | moderatorsonly | 1 |
+-----------------------+----------------+--------+
output of /opt/iredapd/etc/iredapd.ini :
[general]
# Listen address and port.
listen_addr = 127.0.0.1
listen_port = 7777
# Run as a low privileged user.
# If you don't want to create one, you can try 'nobody'.
run_as_user = iredapd
# Background/daemon mode: yes, no.
# Run iRedAPD as daemon, detach iredapd from terminal.
run_as_daemon = yes
# Path to pid file.
pid_file = /var/run/iredapd.pid
# Log type: file.
# Set 'log_file = /dev/null' if you don't want to keep the log.
log_type = file
log_file = /var/log/iredapd.log
# Log level: info, error, debug.
log_level = debug
# Backend: ldap, mysql.
backend = mysql
[mysql]
# For MySQL backend only.
server = 127.0.0.1
db = vmail
user = username
password = password
alias_table = alias
# Enabled plugins.
# - Plugin name is file name which placed under 'src/plugins/' directory.
# - Plugin names MUST be seperated by comma.
plugins = sql_alias_access_policy
Weird, policy 'moderatorsonly' should work.
Could you please post output of command 'postconf -n' and the whole file of plugin sql_alias_access_policy.py?
Hi ZhangHuangbin,
Following is the Output :
postconf -n :
----------------
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 500
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 1d
message_size_limit = 15728640
minimal_backoff_time = 300s
mydestination = $myhostname
mydomain = domain.com
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8, 192.168.56.0/23
mynetworks_style = subnet
myorigin = mail.domain.com
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.5.9/README_FILES
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
sample_directory = /usr/share/doc/postfix-2.5.9/samples
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10032
smtpd_enforce_tls = no
smtpd_hard_error_limit = 500
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_junk_command_limit = 500
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_sender_login_mismatch,reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, hash:/etc/postfix/reject_sender, check_policy_service inet:127.0.0.1:7778
smtpd_tls_CAfile = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 500
virtual_transport = dovecot
virtual_uid_maps = static:500
-----------------
iredapd :
-----------------
import os
from web import sqlquote
ACTION_REJECT = 'REJECT Permission denied'
PLUGIN_NAME = os.path.basename(__file__)
# Policies. MUST be defined in lower case.
POLICY_PUBLIC = 'public'
POLICY_DOMAIN = 'domain'
POLICY_SUBDOMAIN = 'subdomain'
POLICY_MEMBERSONLY = 'membersonly'
POLICY_MODERATORSONLY = 'moderatorsonly'
POLICY_ALLOWEDONLY = 'allowedonly' # Same as @POLICY_MODERATORSONLY
POLICY_MEMBERSANDMODERATORSONLY = 'membersandmoderatorsonly'
def restriction(dbConn, senderReceiver, smtpSessionData, logger, **kargs):
sql = '''SELECT accesspolicy, goto, moderators \
FROM alias \
WHERE address=%s AND domain=%s AND active=1 \
LIMIT 1 \
''' % (sqlquote(senderReceiver.get('recipient')), sqlquote(senderReceiver.get('recipient_domain')),)
logger.debug('SQL: %s' % sql)
dbConn.execute(sql)
sqlRecord = dbConn.fetchone()
logger.debug('SQL Record: %s' % str(sqlRecord))
# Recipient account doesn't exist.
if sqlRecord is None:
return 'DUNNO Alias account does not exist.'
policy = str(sqlRecord[0]).lower()
members = [str(v.lower()) for v in str(sqlRecord[1]).split(',')]
moderators = [str(v.lower()) for v in str(sqlRecord[2]).split(',')]
logger.debug('(%s) policy: %s' % (PLUGIN_NAME, policy))
logger.debug('(%s) members: %s' % (PLUGIN_NAME, ', '.join(members)))
logger.debug('(%s) moderators: %s' % (PLUGIN_NAME, ', '.join(moderators)))
if policy == POLICY_PUBLIC:
# Return if no access policy available or policy is @POLICY_PUBLIC.
return 'DUNNO'
elif policy == POLICY_DOMAIN:
# Bypass all users under the same domain.
if senderReceiver['sender_domain'] == senderReceiver['recipient_domain']:
return 'DUNNO'
else:
return ACTION_REJECT
elif policy == POLICY_SUBDOMAIN:
# Bypass all users under the same domain or sub domains.
if senderReceiver['sender'].endswith('.' + senderReceiver['recipient_domain']):
return 'DUNNO'
else:
return ACTION_REJECT
elif policy == POLICY_MEMBERSONLY:
# Bypass all members.
if senderReceiver['sender'] in members:
return 'DUNNO'
else:
return ACTION_REJECT
elif policy == POLICY_MODERATORSONLY or policy == POLICY_ALLOWEDONLY:
# Bypass all moderators.
if senderReceiver['sender'] in moderators:
return 'DUNNO'
else:
return ACTION_REJECT
elif policy == POLICY_MEMBERSANDMODERATORSONLY:
# Bypass both members and moderators.
if senderReceiver['sender'] in members or senderReceiver['sender'] in moderators:
return 'DUNNO'
else:
return ACTION_REJECT
else:
# Bypass all if policy is not defined in this plugin.
return 'DUNNO Policy is not defined in plugin (%s): %s.' % (PLUGIN_NAME, policy)
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_sender_login_mismatch,reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, hash:/etc/postfix/reject_sender, check_policy_service inet:127.0.0.1:7778
Obviously, you didn't configure Postfix for iRedAPD by following its installation guide strictly.
The correct setting for smtpd_recipient_restrictions and smtpd_sender_restrictions are:
smtpd_recipient_restrictions =
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unlisted_recipient,
check_policy_service inet:127.0.0.1:7777,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostnamesmtpd_sender_restrictions =
check_policy_service inet:127.0.0.1:7778,
permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated
reject_sender_login_mismatch should be placed in smtpd_sender_restrictions if you really want to use it.
Just want to emphasize the order of restriction rules is VERY IMPORTANT.
iRedMail → iRedMail Support → DUNNO policy is not defined in plugin.
Powered by PunBB, supported by Informer Technologies, Inc.
Currently installed 2 official extensions. Copyright © 2003–2010 PunBB.
Generated in 0.017 seconds (73% PHP - 27% DB) with 9 queries