26

Re: disable reject_sender_login_mismatch for only one user

Should I add or remove "reject_sender_login_mismatch"
from "smtpd_sender_restrictions" of postfix main.cf?

With the removed setting every user seems to be allowed to manipulate sender address.

Best,
Achim


27

Re: disable reject_sender_login_mismatch for only one user

aemaething wrote:

Should I add or remove "reject_sender_login_mismatch"
from "smtpd_sender_restrictions" of postfix main.cf?
With the removed setting every user seems to be allowed to manipulate sender address.

*) You should remove it from Postfix, that's why you need this plugin for per-user restriction.
*) Did you send a test email with different From and SASL username? And what's the log in iRedAPD log file?
*) Did you set allowed senders in plugin "sender_login_mismatch" (file /opt/iredapd/plugins/sender_login_mismatch.py)? For example:

# Allow sender login mismatch for below senders.
ALLOWED_SENDERS = ['sender01@mydomain.com', 'sender02@mydomain.com', 'sender03@mydomain.com', ]

28

Re: disable reject_sender_login_mismatch for only one user

ZhangHuangbin wrote:

*) You should remove it from Postfix, that's why you need this plugin for per-user restriction.

Check!

It works now. I just updated the plugin a little:

"""Reject sender login mismatch (sender in mail header and SASL username)."""

import logging
from libs import SMTP_ACTIONS

REQUIRE_LOCAL_SENDER = False
REQUIRE_LOCAL_RECIPIENT = False
SENDER_SEARCH_ATTRLIST = []
RECIPIENT_SEARCH_ATTRLIST = []

# Allow sender login mismatch for below senders.
ALLOWED_SENDERS = ['some-email-address@here.com']

def restriction(**kwargs):
    # The sender appears in 'From:' header.
    sender = kwargs['sender']

    # Username used to perform SMTP auth
    sasl_username = kwargs['smtp_session_data'].get('sasl_username', '').lower()

    logging.debug('Sender: %s, SASL username: %s' % (sender, sasl_username))

    if sasl_username:    # Is an outgoing email
        # Compare them
        if sender != sasl_username:
            if sasl_username in ALLOWED_SENDERS:
                return SMTP_ACTIONS['default']
            else:
                # Log message without reject.
                logging.info('Sender login mismatch.')

                # Reject without reason.
                #return SMTP_ACTIONS['reject']

                # Reject with reason.
                # There must be a space between smtp action and reason text.
                return SMTP_ACTIONS['reject'] + ' ' + 'Sender login mismatch.'

    return SMTP_ACTIONS['default']

Within the "else" tree, there was no return statement active.
So it always returned SMTP_ACTIONS['default'] even if it should have returned SMTP_ACTIONS['reject'].

Thank you very much! A very nice feature!

Best,
Achim

29

Re: disable reject_sender_login_mismatch for only one user

aemaething wrote:

So it always returned SMTP_ACTIONS['default'] even if it should have returned SMTP_ACTIONS['reject'].

Oh, for testing reasons, I set it to just log. If it works as expected, you can disable logging and return rejection directly.

Anyway, glad to hear that it works for you. :)

30

Re: disable reject_sender_login_mismatch for only one user

Yep, excellent work.
Thanks again! :)

31

Re: disable reject_sender_login_mismatch for only one user

I committed this plugin in iRedAPD:
https://bitbucket.org/zhb/iredapd/commi … 8e160fa3e5

I think we should allow the system admin to define "ALLOWED_SENDERS" in settings.py, so that we don't need to touch the plugin file when upgrading iRedAPD. I will try later.

32

Re: disable reject_sender_login_mismatch for only one user

Hi Achim,

I updated the plugin, you can now define allowed senders in global setting file /opt/iredapd/settings.py, parameter 'ALLOWED_LOGIN_MISMATCH_SENDERS'. For example:

# File: /opt/iredapd/settings.py
ALLOWED_LOGIN_MISMATCH_SENDERS = ['some-email-address@here.com']

With this small change, you don't need to touch other files while upgrading iRedAPD (from 1.4.0 to newer releases).
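
The check discussed in this thread, shown end to end as an added example (not part of any post and not iRedAPD's own code): it parses a Postfix policy-delegation request and applies the mismatch rule with the `ALLOWED_LOGIN_MISMATCH_SENDERS` exemption. The `DUNNO`/`REJECT` action strings, the helper names and the sample request are assumptions made for illustration, and both addresses are lowercased before comparison.

```python
# Added example, not iRedAPD code. Parameter name as in /opt/iredapd/settings.py.
ALLOWED_LOGIN_MISMATCH_SENDERS = ['some-email-address@here.com']

# Assumed stand-ins for SMTP_ACTIONS['default'] and SMTP_ACTIONS['reject'].
ACTION_DEFAULT = 'DUNNO'
ACTION_REJECT = 'REJECT'


def parse_policy_request(raw):
    """Parse the name=value lines of one Postfix policy request."""
    attrs = {}
    for line in raw.splitlines():
        if not line:            # an empty line ends the request
            break
        name, sep, value = line.partition('=')
        if sep:                 # split on the first '=' only
            attrs[name] = value
    return attrs


def decide(attrs, allowed=ALLOWED_LOGIN_MISMATCH_SENDERS):
    """Return the policy action for one parsed request."""
    sender = attrs.get('sender', '').strip().lower()
    sasl_username = attrs.get('sasl_username', '').strip().lower()
    if not sasl_username:       # unauthenticated session, e.g. inbound mail
        return ACTION_DEFAULT
    if sender == sasl_username:
        return ACTION_DEFAULT
    # The exemption is keyed on the authenticated login, not the claimed sender.
    if sasl_username in {a.lower() for a in allowed}:
        return ACTION_DEFAULT
    # There must be a space between the action and the reason text.
    return ACTION_REJECT + ' ' + 'Sender login mismatch.'


def handle(raw):
    """Raw request text in, policy reply text out."""
    return 'action=%s\n\n' % decide(parse_policy_request(raw))


# Constructed sample request (not captured traffic).
SAMPLE = (
    'request=smtpd_access_policy\n'
    'protocol_state=RCPT\n'
    'sender=boss@here.com\n'
    'recipient=someone@example.org\n'
    'sasl_username=user@here.com\n'
    '\n'
)
```

Because the exemption matches the authenticated login, an account on the list can send with any sender address, so the list is best kept to the few accounts that need it.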

33

Re: disable reject_sender_login_mismatch for only one user

Hello,

good idea! I will update my settings.py & the plugin itself.

Thanks again!


Best,
Achim

34

Re: disable reject_sender_login_mismatch for only one user

aemaething wrote:

Hello,

good idea! I will update my settings.py & the plugin itself.

Thanks again!


Best,
Achim

Hi aemaething,

What is the status of this plugin?
How can I install and use it?
Thanks!

35

Re: disable reject_sender_login_mismatch for only one user

Hey,

it's working well for us.
I think you can download it here, if it's not already part of the package.
https://bitbucket.org/zhb/iredapd/src/5 … at=default

Best,
Achim

36

Re: disable reject_sender_login_mismatch for only one user

I was looking for this feature and just found this solution - many thanks for this great plugin, it's working out of the box!

Best regards
Frank