1

Topic: mailing list write issue

==== Required information ====
- iRedMail version: 0.8.4 / iRedAPD-1.4.0 / iRedAdmin-Pro-MySQL-1.5.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS release 6.4 (Final)
- Related log if you're reporting an issue:
====

Hello,
we have iredmail Pro installed on our server and it is working fine but we have issue in mailing lists:

we have selected only moderator can send mail, but unfortunately everyone can send mail to this list. Not only the one in domain or list, but everyone who know the address used for mailing.

That's a huge security hole for spam!

We have also checked that on another system with:
- iRedMail-0.8.4 upgraded to 0.8.5
- iRedAPD-1.4.1
- iRedAdmin-Pro-MySQL-1.7.0

Regards Mattia

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: mailing list write issue

Sorry about this trouble. We need some info to help troubleshoot:

*) Turn on debug mode in iRedAPD: set loglevel="debug" in /opt/iredapd/settings.py.
*) Restart iRedAPD service.
*) Send a testing email as non-moderator to this mailing list. Find log related to this testing email in iRedAPD log file /var/log/iredapd.log.

3

Re: mailing list write issue

Hi, we've created a new mailing list named "MYMAILINGLIST@MYDOMAIN.COM" with 3 members (USER1@MYDOMAIN.COM, USER2@MYDOMAIN.COM, USER3@MYDOMAIN.COM).

The external address is SENDERNOTINLIST@gmail.com.

Here the log:

------------------------------------------------
2013-10-01 17:48:03 DEBUG Closed SQL connection.
2013-10-01 17:48:08 DEBUG Connect from 127.0.0.1, port 40622.
2013-10-01 17:48:08 DEBUG smtp session: request=smtpd_access_policy
2013-10-01 17:48:08 DEBUG smtp session: protocol_state=RCPT
2013-10-01 17:48:08 DEBUG smtp session: protocol_name=ESMTP
2013-10-01 17:48:08 DEBUG smtp session: client_address=209.85.212.66
2013-10-01 17:48:08 DEBUG smtp session: client_name=unknown
2013-10-01 17:48:08 DEBUG smtp session: reverse_client_name=unknown
2013-10-01 17:48:08 DEBUG smtp session: helo_name=mail-vb0-f66.google.com
2013-10-01 17:48:08 DEBUG smtp session: sender=SENDERNOTINLIST@gmail.com
2013-10-01 17:48:08 DEBUG smtp session: recipient=MYMAILINGLIST@MYDOMAIN.COM
2013-10-01 17:48:08 DEBUG smtp session: recipient_count=0
2013-10-01 17:48:08 DEBUG smtp session: queue_id=
2013-10-01 17:48:08 DEBUG smtp session: instance=13dd.524aeeb8.c637c.0
2013-10-01 17:48:08 DEBUG smtp session: size=0
2013-10-01 17:48:08 DEBUG smtp session: etrn_domain=
2013-10-01 17:48:08 DEBUG smtp session: stress=
2013-10-01 17:48:08 DEBUG smtp session: sasl_method=
2013-10-01 17:48:08 DEBUG smtp session: sasl_username=
2013-10-01 17:48:08 DEBUG smtp session: sasl_sender=
2013-10-01 17:48:08 DEBUG smtp session: ccert_subject=
2013-10-01 17:48:08 DEBUG smtp session: ccert_issuer=
2013-10-01 17:48:08 DEBUG smtp session: ccert_fingerprint=
2013-10-01 17:48:08 DEBUG smtp session: encryption_protocol=TLSv1
2013-10-01 17:48:08 DEBUG smtp session: encryption_cipher=RC4-SHA
2013-10-01 17:48:08 DEBUG smtp session: encryption_keysize=128
2013-10-01 17:48:08 DEBUG --> Apply plugin: sql_alias_access_policy
2013-10-01 17:48:08 DEBUG SQL: SELECT accesspolicy, goto, moderators
            FROM alias
            WHERE
                address="MYMAILINGLIST@MYDOMAIN.COM"
                AND address <> goto
                AND domain="MYDOMAIN.COM"
                AND active=1
            LIMIT 1

2013-10-01 17:48:08 DEBUG SQL Record: ('allowedonly', 'USER1@MYDOMAIN.COM,USER2@MYDOMAIN.COM,USER3@MYDOMAIN.COM', 'USER1@MYDOMAIN.COM')
2013-10-01 17:48:08 DEBUG SENDERNOTINLIST@gmail.com -> MYMAILINGLIST@MYDOMAIN.COM, access policy: allowedonly (Only moderators/allowed are allowed)
2013-10-01 17:48:08 DEBUG policy: allowedonly
2013-10-01 17:48:08 DEBUG members: USER1@MYDOMAIN.COM, USER2@MYDOMAIN.COM, USER3@MYDOMAIN.COM
2013-10-01 17:48:08 DEBUG moderators: USER1@MYDOMAIN.COM
2013-10-01 17:48:08 DEBUG <!> Error: global name 'senderReceiver' is not defined
2013-10-01 17:48:08 DEBUG --> Apply plugin: sql_user_restrictions
2013-10-01 17:48:08 DEBUG SQL to get restriction rules of sender (SENDERNOTINLIST@gmail.com):
        SELECT
            allowedrecipients, rejectedrecipients,
            allowedsenders, rejectedsenders
        FROM mailbox
        WHERE username="SENDERNOTINLIST@gmail.com"
        LIMIT 1

2013-10-01 17:48:08 DEBUG Returned SQL Record: None
2013-10-01 17:48:08 DEBUG SQL to get restriction rules of recipient (MYMAILINGLIST@MYDOMAIN.COM):
            SELECT
                allowedrecipients, rejectedrecipients,
                allowedsenders, rejectedsenders
            FROM mailbox
            WHERE username="MYMAILINGLIST@MYDOMAIN.COM"
            LIMIT 1

2013-10-01 17:48:08 DEBUG Returned SQL Record: None
2013-10-01 17:48:08 DEBUG <-- Result: DUNNO
2013-10-01 17:48:08 INFO [209.85.212.66] SENDERNOTINLIST@gmail.com -> MYMAILINGLIST@MYDOMAIN.COM, DUNNO
2013-10-01 17:48:08 DEBUG Connection closed
2013-10-01 17:48:08 DEBUG Closed SQL connection.
------------------------------------------------

The mail from SENDERNOTINLIST@gmail.com is sent to everyone in  MYMAILINGLIST@MYDOMAIN.COM , but from log the policy is: "allowedonly" .

Our version of iRedAPD (1.4.0) have some SQL bug that i've fixed before run the test (in 1.4.1 that bug doesn't exists anymore).

Regards Mattia

4

Re: mailing list write issue

According to iRedAPD changelog (https://bitbucket.org/zhb/iredapd/src/d … at=default), i believe you issue was fixed in iRedAPD-1.4.1:

+ Incorrect variable name in plugins/sql_alias_access_policy.py.

Please upgrade iRedAPD from 1.4.0 to 1.4.1 by following this tutorial:
http://iredmail.org/wiki/index.php?titl … .4.0-1.4.1

mattia.bitservice wrote:

Our version of iRedAPD (1.4.0) have some SQL bug that i've fixed before run the test (in 1.4.1 that bug doesn't exists anymore).

Please do report these bugs in our forum, so that we can fix them for you immediately, and, for others.

5

Re: mailing list write issue

We've upgraded iRedAPD to 1.4.1 and now external users can't write anymore on the list. That's good.
Reading the changelog, the sql bug is already fixed in 1.4.1, no need to open a new bug track.

Thank you.

Regards Mattia