1

Topic: SASL Authentication

==== Required information ====
  iRedAdmin-Pro    v1.6.0 (MySQL)
  MySQL
  CentOS 6.4 with kernel patch 2013-05-29
====

I believe this has to do with SASL Authentication. Essentially, a program a client uses from a 3rd party company sends mail out to his clients as his email. It gets delivered to the clients; however, he always receives a bounce notification for himself.

If I remove from smtpd_sender_restrictions the option "reject_sender_login_mismatch" it works.

Is there an alternative that will only affect the user or domain rather than globally?

Thanks,
Neil

2

Re: SASL Authentication

We have a discussion thread below, and there's an iRedAPD plugin available for your purpose:
http://www.iredmail.org/forum/topic4534 … -user.html

3

Re: SASL Authentication

Hey Zhang,

Thanks for the response! I read that thread over and it's a huge relief that this is now possible. It's also nice that it was already implemented with the version I have installed.

My question now, however, is which file do I edit to add the exception for the user, domain, etc.? The one you mentioned was in the plugins folder and I do not see that script in there.

I have:
dr-xr-xr-x 2 iredapd iredapd 4096 May 14 17:01 .
dr-xr-xr-x 5 iredapd iredapd 4096 May 14 17:01 ..
-r-xr-xr-x 1 iredapd iredapd    0 Mar  5 05:56 __init__.py
-r-xr-xr-x 1 iredapd iredapd  216 Mar  5 05:56 .___init__.py
-r-xr-xr-x 1 iredapd iredapd  216 Mar  5 05:56 ._ldap_amavisd_block_blacklisted_senders.py
-r-xr-xr-x 1 iredapd iredapd 2275 Mar  5 05:56 ldap_amavisd_block_blacklisted_senders.py
-r-xr-xr-x 1 iredapd iredapd  216 Mar  5 05:56 ._ldap_domain_wblist.py
-r-xr-xr-x 1 iredapd iredapd 4673 Mar  5 05:56 ldap_domain_wblist.py
-r-xr-xr-x 1 iredapd iredapd  216 Mar  5 05:56 ._ldap_expired_password.py
-r-xr-xr-x 1 iredapd iredapd 1128 Mar  5 05:56 ldap_expired_password.py
-r-xr-xr-x 1 iredapd iredapd  216 Mar  5 05:56 ._ldap_maillist_access_policy.py
-r-xr-xr-x 1 iredapd iredapd 4326 Mar  5 05:56 ldap_maillist_access_policy.py
-r-xr-xr-x 1 iredapd iredapd 2223 Apr 12 04:30 ldap_recipient_restrictions.py
-r-xr-xr-x 1 iredapd iredapd  216 Mar  5 05:56 ._sql_alias_access_policy.py
-r-xr-xr-x 1 iredapd iredapd 3771 Mar  5 05:56 sql_alias_access_policy.py
-r-------- 1 root    root    2491 May 14 17:01 sql_alias_access_policy.pyc
-r-xr-xr-x 1 iredapd iredapd  216 Mar  5 05:56 ._sql_user_restrictions.py
-r-xr-xr-x 1 iredapd iredapd 4933 Mar  5 05:56 sql_user_restrictions.py
-r-------- 1 root    root    2649 May 14 17:01 sql_user_restrictions.pyc

I assume the file I want to edit is "sql_user_restrictions.py" although I may be looking in the wrong location.
Also, with editing this, I no longer need to remove reject_sender_login_mismatch from main.cf?

Thank you,
Neil

4

Re: SASL Authentication

It's already mentioned in my replies (in that thread): You can download the iRedAPD plugin here:
https://bitbucket.org/zhb/iredapd/src/d … at=default

Don't forget to read the comment in the plugin file:

Reject sender login mismatch (sender in mail header and SASL username).

*) You should remove "sender_login_mismatch" in Postfix
   "smtpd_sender_restrictions" and let this plugin do it for you.

*) Please list all allowed senders in iRedAPD config file (settings.py),
   parameter ALLOWED_LOGIN_MISMATCH_SENDERS. For example:

    ALLOWED_LOGIN_MISMATCH_SENDERS = ['user1@here.com', 'user2@here.com']

5

Re: SASL Authentication

Hi Zhang,

Excellent, I seem to have overlooked that post. I thought perhaps it was already included.

Anyways, I have the "ALLOWED_LOGIN_MISMATCH_SENDERS = ['user1@here.com', 'user2@here.com']" parameter included in the settings.py file.

Forgive me, I'm not a programmer, but am learning. On that last line, should I specify the addresses there? Or does the first line take care of it and if it's not found in settings, it'll reject it?

# Allowed senders.
try:
    ALLOWED_LOGIN_MISMATCH_SENDERS = settings.ALLOWED_LOGIN_MISMATCH_SENDERS
except AttributeError:
    ALLOWED_LOGIN_MISMATCH_SENDERS = []

Thanks,
Neil

6

Re: SASL Authentication

Just list all senders for which you want to allow sender login mismatch in the variable "ALLOWED_LOGIN_MISMATCH_SENDERS", and place it in the iRedAPD config file. For example:

# file: /opt/iredapd/settings.py

ALLOWED_LOGIN_MISMATCH_SENDERS = ['myuser@domain.ltd', 'second@domain.ltd', 'third@domain.ltd']

Restarting iRedAPD is recommended.
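
The check discussed in this thread, sketched as a Postfix policy-delegation decision. This is an added example, not iRedAPD's plugin code and not part of any post. It assumes the allow-list entries are authenticated logins (sasl_username) permitted to use a different envelope sender, that matching is on exact addresses only, and that unauthenticated sessions are passed through; the thread confirms none of these for the real plugin.

```python
# Added illustration of a sender/login mismatch policy check (not iRedAPD source).

# Constructed allow-list, same shape as the settings.py parameter in the thread.
ALLOWED_LOGIN_MISMATCH_SENDERS = ['user1@here.com', 'user2@here.com']

# Constructed Postfix policy-delegation request: name=value lines, blank line ends it.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=billing@here.com\n"
    "recipient=customer@example.org\n"
    "sasl_username=user1@here.com\n"
    "\n"
)


def parse_policy_request(raw):
    """Parse one policy request into a dict; stops at the terminating empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition('=')  # values may themselves contain '='
        if sep:
            attrs[name] = value
    return attrs


def check_login_mismatch(attrs, allowed=ALLOWED_LOGIN_MISMATCH_SENDERS):
    """Return the Postfix access action for one parsed request."""
    sender = attrs.get('sender', '').lower()
    login = attrs.get('sasl_username', '').lower()

    # Assumption: sessions without SASL auth (e.g. inbound mail from other
    # servers) are left to the remaining Postfix restrictions.
    if not login:
        return 'DUNNO'
    if sender == login:
        return 'DUNNO'
    # Assumption: exact-address match on the authenticated login only; an
    # entry such as '@here.com' does not cover the whole domain here.
    if login in {a.lower() for a in allowed}:
        return 'DUNNO'
    return 'REJECT Sender login mismatch'


def format_response(action):
    """Policy servers answer with 'action=...' followed by an empty line."""
    return 'action=%s\n\n' % action
```

Matching on the authenticated login keeps the exception tied to one account; matching on the envelope sender instead would let every authenticated user send as the listed address.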

7

Re: SASL Authentication

Hi Zhang,

I appreciate your assistance! I have just a couple more questions.

It appears that since I put that plugin in place, some users are receiving a 554 Not logged in error bounce back. Also, by putting '@domain.com' in settings.py, will that allow the whole domain, or must I add each user?

Thanks,
Neil

8

Re: SASL Authentication

Hi Neil,

Sorry about my late response.

Please turn on debug mode in iRedAPD (log_level = "debug"), restart iRedAPD service, then re-send an email and paste detailed debug log here to help troubleshoot.

And, what did you add in settings.py?