1

Topic: iredadmin maillist problem

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.0
- Linux/BSD distribution name and version: Centos 6.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:
====

Hello, we realized today that any e-mail address can send mail to a maillist even if it is not a member or moderator of the maillist. Also, we disabled the maillist, but anyone can still send mail to the disabled maillist. What can I do about it, any idea? (iRedAdmin-Pro v2.3.0)


2

Re: iredadmin maillist problem

Mailing list access restriction is implemented in the iRedAPD plugin 'ldap_maillist_access_policy'. Do you have this plugin enabled in /opt/iredapd/settings.py? If yes, please turn on debug mode in iRedAPD, send one more test email to reproduce this issue, then extract the related log from the iRedAPD log file (/var/log/iredapd.log) and paste it here.

Reference: http://www.iredmail.org/docs/debug.iredapd.html

3

Re: iredadmin maillist problem

The plugin is enabled; the related line in settings.py is below:
plugins = ['ldap_maillist_access_policy', 'ldap_amavisd_block_blacklisted_senders']

I sent an e-mail from nuh.87@hotmail.com, which is not a member or moderator of the disabled maillist deneme@nevsehir.edu.tr. The log is here:

2015-09-16 11:27:46 DEBUG smtp session: request=smtpd_access_policy
2015-09-16 11:27:46 DEBUG smtp session: protocol_state=RCPT
2015-09-16 11:27:46 DEBUG smtp session: protocol_name=ESMTP
2015-09-16 11:27:46 DEBUG smtp session: client_address=157.55.2.102
2015-09-16 11:27:46 DEBUG smtp session: client_name=dub004-omc4s27.hotmail.com
2015-09-16 11:27:46 DEBUG smtp session: reverse_client_name=dub004-omc4s27.hotmail.com
2015-09-16 11:27:46 DEBUG smtp session: helo_name=DUB004-OMC4S27.hotmail.com
2015-09-16 11:27:46 DEBUG smtp session: sender=nuh.87@hotmail.com
2015-09-16 11:27:46 DEBUG smtp session: recipient=deneme@nevsehir.edu.tr
2015-09-16 11:27:46 DEBUG smtp session: recipient_count=0
2015-09-16 11:27:46 DEBUG smtp session: queue_id=
2015-09-16 11:27:46 DEBUG smtp session: instance=6de7.55f92801.de254.0
2015-09-16 11:27:46 DEBUG smtp session: size=1694
2015-09-16 11:27:46 DEBUG smtp session: etrn_domain=
2015-09-16 11:27:46 DEBUG smtp session: stress=
2015-09-16 11:27:46 DEBUG smtp session: sasl_method=
2015-09-16 11:27:46 DEBUG smtp session: sasl_username=
2015-09-16 11:27:46 DEBUG smtp session: sasl_sender=
2015-09-16 11:27:46 DEBUG smtp session: ccert_subject=
2015-09-16 11:27:46 DEBUG smtp session: ccert_issuer=
2015-09-16 11:27:46 DEBUG smtp session: ccert_fingerprint=
2015-09-16 11:27:46 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-09-16 11:27:46 DEBUG smtp session: encryption_protocol=TLSv1.2
2015-09-16 11:27:46 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES256-SHA384
2015-09-16 11:27:46 DEBUG smtp session: encryption_keysize=256
2015-09-16 11:27:46 DEBUG LDAP connection initialied success.
2015-09-16 11:27:46 DEBUG LDAP bind success.
2015-09-16 11:27:46 DEBUG [+] Getting LDIF data of account: deneme@nevsehir.edu.tr
2015-09-16 11:27:46 DEBUG search base dn: o=domains,dc=nevsehir,dc=edu,dc=tr
2015-09-16 11:27:46 DEBUG search scope: SUBTREE
2015-09-16 11:27:46 DEBUG search filter: (&(|(mail=deneme@nevsehir.edu.tr)(shadowAddress=deneme@nevsehir.edu.tr))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2015-09-16 11:27:46 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy', 'amavisBlacklistSender', 'amavisWhitelistSender']
2015-09-16 11:27:46 DEBUG result: [('mail=deneme@nevsehir.edu.tr,ou=Groups,domainName=nevsehir.edu.tr,o=domains,dc=nevsehir,dc=edu,dc=tr', {'objectClass': ['mailList'], 'accessPolicy': ['domain'], 'listAllowedUser': ['kursat@nevsehir.edu.tr']})]
2015-09-16 11:27:46 DEBUG --> Apply plugin: ldap_maillist_access_policy
2015-09-16 11:27:46 DEBUG Access policy of mailing list (deneme@nevsehir.edu.tr): domain
2015-09-16 11:27:46 DEBUG <!> Error: 'conn'
2015-09-16 11:27:46 DEBUG --> Apply plugin: ldap_amavisd_block_blacklisted_senders
2015-09-16 11:27:46 DEBUG <-- Result: DUNNO (Not a amavisdAccount object)
2015-09-16 11:27:46 INFO [157.55.2.102] RCPT, nuh.87@hotmail.com -> deneme@nevsehir.edu.tr, DUNNO
2015-09-16 11:27:46 DEBUG Session ended
2015-09-16 11:27:46 DEBUG Close LDAP connection.

4

Re: iredadmin maillist problem

nevsehiredu wrote:

2015-09-16 11:27:46 DEBUG Access policy of mailing list (deneme@nevsehir.edu.tr): domain
2015-09-16 11:27:46 DEBUG <!> Error: 'conn'

There's something wrong within plugin file '/opt/iredapd/plugins/ldap_maillist_access_policy.py'.

Could you please try to upgrade iRedAPD to the latest iRedAPD-1.6.0 and try again? You can upgrade it by following tutorial below:
http://www.iredmail.org/docs/upgrade.iredapd.html

5 (edited by nevsehiredu 2015-09-16 22:19:48)

Re: iredadmin maillist problem

ZhangHuangbin wrote:
nevsehiredu wrote:

2015-09-16 11:27:46 DEBUG Access policy of mailing list (deneme@nevsehir.edu.tr): domain
2015-09-16 11:27:46 DEBUG <!> Error: 'conn'

There's something wrong within plugin file '/opt/iredapd/plugins/ldap_maillist_access_policy.py'.

Could you please try to upgrade iRedAPD to the latest iRedAPD-1.6.0 and try again? You can upgrade it by following tutorial below:
http://www.iredmail.org/docs/upgrade.iredapd.html

I upgraded to iRedAPD 1.6.0 and tried to send from an e-mail address that is not a member or moderator of a disabled maillist. The e-mail is still delivered to members of the maillist. The log is below:

2015-09-16 17:07:57 DEBUG smtp session: request=smtpd_access_policy
2015-09-16 17:07:57 DEBUG smtp session: protocol_state=RCPT
2015-09-16 17:07:57 DEBUG smtp session: protocol_name=ESMTP
2015-09-16 17:07:57 DEBUG smtp session: client_address=157.55.2.110
2015-09-16 17:07:57 DEBUG smtp session: client_name=dub004-omc4s35.hotmail.com
2015-09-16 17:07:57 DEBUG smtp session: reverse_client_name=dub004-omc4s35.hotmail.com
2015-09-16 17:07:57 DEBUG smtp session: helo_name=DUB004-OMC4S35.hotmail.com
2015-09-16 17:07:57 DEBUG smtp session: sender=nuh.87@hotmail.com
2015-09-16 17:07:57 DEBUG smtp session: recipient=deneme@nevsehir.edu.tr
2015-09-16 17:07:57 DEBUG smtp session: recipient_count=0
2015-09-16 17:07:57 DEBUG smtp session: queue_id=
2015-09-16 17:07:57 DEBUG smtp session: instance=4f45.55f977bd.374b4.0
2015-09-16 17:07:57 DEBUG smtp session: size=1696
2015-09-16 17:07:57 DEBUG smtp session: etrn_domain=
2015-09-16 17:07:57 DEBUG smtp session: stress=
2015-09-16 17:07:57 DEBUG smtp session: sasl_method=
2015-09-16 17:07:57 DEBUG smtp session: sasl_username=
2015-09-16 17:07:57 DEBUG smtp session: sasl_sender=
2015-09-16 17:07:57 DEBUG smtp session: ccert_subject=
2015-09-16 17:07:57 DEBUG smtp session: ccert_issuer=
2015-09-16 17:07:57 DEBUG smtp session: ccert_fingerprint=
2015-09-16 17:07:57 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-09-16 17:07:57 DEBUG smtp session: encryption_protocol=TLSv1.2
2015-09-16 17:07:57 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES256-SHA384
2015-09-16 17:07:57 DEBUG smtp session: encryption_keysize=256
2015-09-16 17:07:57 DEBUG LDAP connection initialied success.
2015-09-16 17:07:57 DEBUG LDAP bind success.
2015-09-16 17:07:57 DEBUG [+] Getting LDIF data of account: deneme@nevsehir.edu.tr
2015-09-16 17:07:57 DEBUG search base dn: o=domains,dc=nevsehir,dc=edu,dc=tr
2015-09-16 17:07:57 DEBUG search scope: SUBTREE
2015-09-16 17:07:57 DEBUG search filter: (&(|(mail=deneme@nevsehir.edu.tr)(shadowAddress=deneme@nevsehir.edu.tr))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2015-09-16 17:07:57 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy', 'amavisBlacklistSender', 'amavisWhitelistSender']
2015-09-16 17:07:57 DEBUG No such account.
2015-09-16 17:07:57 DEBUG --> Apply plugin: ldap_maillist_access_policy
2015-09-16 17:07:57 DEBUG <-- Result: DUNNO (No recipient LDIF data)
2015-09-16 17:07:57 DEBUG --> Apply plugin: ldap_amavisd_block_blacklisted_senders
2015-09-16 17:07:57 DEBUG <-- Result: DUNNO (No recipient LDIF data)
2015-09-16 17:07:57 INFO [157.55.2.110] RCPT, nuh.87@hotmail.com -> deneme@nevsehir.edu.tr, DUNNO
2015-09-16 17:07:57 DEBUG Session ended
2015-09-16 17:07:57 DEBUG Close LDAP connection.

6

Re: iredadmin maillist problem

nevsehiredu wrote:

2015-09-16 17:07:57 DEBUG [+] Getting LDIF data of account: deneme@nevsehir.edu.tr
2015-09-16 17:07:57 DEBUG search base dn: o=domains,dc=nevsehir,dc=edu,dc=tr
2015-09-16 17:07:57 DEBUG search scope: SUBTREE
2015-09-16 17:07:57 DEBUG search filter: (&(|(mail=deneme@nevsehir.edu.tr)(shadowAddress=deneme@nevsehir.edu.tr))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2015-09-16 17:07:57 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy', 'amavisBlacklistSender', 'amavisWhitelistSender']
2015-09-16 17:07:57 DEBUG No such account.
2015-09-16 17:07:57 DEBUG --> Apply plugin: ldap_maillist_access_policy
2015-09-16 17:07:57 DEBUG <-- Result: DUNNO (No recipient LDIF data)

As you can see, it cannot find your mailing list account.

Could you please export the LDIF data of this mailing list account for troubleshooting? You can replace sensitive info in LDIF data, but please keep it clear so that we can understand the data.

To export LDIF data of this mailing list account, please login to iRedAdmin-Pro as global admin, go to profile page of this mailing list, then you can find link "Export account to LDIF".
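
Added example, not part of the original posts and not iRedAPD's own code: both logs in this thread end in DUNNO although the 'ldap_maillist_access_policy' plugin never evaluated the list (once after `<!> Error: 'conn'`, once after `No recipient LDIF data`). The sketch below scans a debug log for such sessions; the sample log, its placeholder addresses and the function name `find_fail_open` are constructed for illustration.

```python
import re

# Constructed sample in the format of the iRedAPD debug log quoted in this thread.
# Addresses are placeholders; the REJECT session is invented for contrast.
SAMPLE_LOG = """\
2015-09-16 11:27:46 DEBUG smtp session: request=smtpd_access_policy
2015-09-16 11:27:46 DEBUG --> Apply plugin: ldap_maillist_access_policy
2015-09-16 11:27:46 DEBUG <!> Error: 'conn'
2015-09-16 11:27:46 INFO [192.0.2.10] RCPT, outsider@example.org -> list@example.com, DUNNO
2015-09-16 11:27:46 DEBUG Session ended
2015-09-16 17:07:57 DEBUG smtp session: request=smtpd_access_policy
2015-09-16 17:07:57 DEBUG --> Apply plugin: ldap_maillist_access_policy
2015-09-16 17:07:57 DEBUG <-- Result: DUNNO (No recipient LDIF data)
2015-09-16 17:07:57 INFO [192.0.2.10] RCPT, outsider@example.org -> gone@example.com, DUNNO
2015-09-16 17:07:57 DEBUG Session ended
2015-09-16 18:00:00 DEBUG smtp session: request=smtpd_access_policy
2015-09-16 18:00:00 DEBUG --> Apply plugin: ldap_maillist_access_policy
2015-09-16 18:00:00 INFO [192.0.2.10] RCPT, outsider@example.org -> staff@example.com, REJECT
2015-09-16 18:00:00 DEBUG Session ended
"""

PLUGIN = "ldap_maillist_access_policy"
LINE = re.compile(r"^\S+ \S+ (?:DEBUG|INFO) (.*)$")
RCPT = re.compile(r"RCPT, (\S+) -> (\S+), (\S+)")

def find_fail_open(log_text):
    """Return sessions that ended in DUNNO although the list plugin could not decide."""
    findings, session, active = [], None, None
    for raw in log_text.splitlines():
        if not (m := LINE.match(raw)):
            continue
        msg = m.group(1)
        if msg.startswith("smtp session: request="):
            session, active = {"reasons": [], "action": None}, None  # new policy request
        elif session is None:
            continue
        elif msg.startswith("--> Apply plugin: "):
            active = msg.split(": ", 1)[1]
        elif active == PLUGIN and ("<!> Error: " in msg or "No recipient LDIF data" in msg):
            session["reasons"].append(msg)  # plugin crashed or had no list entry to check
        elif (r := RCPT.search(msg)):
            session["sender"], session["recipient"], session["action"] = r.groups()
        elif msg == "Session ended":
            if session["reasons"] and session["action"] == "DUNNO":
                findings.append(session)
            session = None
    return findings

if __name__ == "__main__":
    print(find_fail_open(SAMPLE_LOG))
```
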

7

Re: iredadmin maillist problem

I deleted the maillist before I sent the mail. It cannot find the maillist, but I am still able to send mail to members of the deleted maillist. I couldn't get the LDIF data because I deleted it. All maillists are the same now: everyone can send mail to all maillists, even when the "only moderators can send mail" check box is selected.

I am sending the LDIF data of another maillist.

dn: mail=nevsehirduyuru@nevsehir.edu.tr,ou=Groups,domainName=nevsehir.edu.tr,o=domains,dc=nevsehir,dc=edu,dc=tr
accessPolicy: allowedOnly
accountStatus: disabled
cn:: TmXDnCBEdXl1cnU=
enabledService: mail
enabledService: deliver
listAllowedUser: umut01@nevsehir.edu.tr
listAllowedUser: bidb@nevsehir.edu.tr
listAllowedUser: cem@nevsehir.edu.tr
listAllowedUser: ozelkalem@nevsehir.edu.tr
listAllowedUser: kutuphane@nevsehir.edu.tr
listAllowedUser: basin@nevsehir.edu.tr
listAllowedUser: nevsehiruniversitesirektorlugu@nevsehir.edu.tr
mail: nevsehirduyuru@nevsehir.edu.tr
objectClass: mailList

ZhangHuangbin wrote:
nevsehiredu wrote:

2015-09-16 17:07:57 DEBUG [+] Getting LDIF data of account: deneme@nevsehir.edu.tr
2015-09-16 17:07:57 DEBUG search base dn: o=domains,dc=nevsehir,dc=edu,dc=tr
2015-09-16 17:07:57 DEBUG search scope: SUBTREE
2015-09-16 17:07:57 DEBUG search filter: (&(|(mail=deneme@nevsehir.edu.tr)(shadowAddress=deneme@nevsehir.edu.tr))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2015-09-16 17:07:57 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy', 'amavisBlacklistSender', 'amavisWhitelistSender']
2015-09-16 17:07:57 DEBUG No such account.
2015-09-16 17:07:57 DEBUG --> Apply plugin: ldap_maillist_access_policy
2015-09-16 17:07:57 DEBUG <-- Result: DUNNO (No recipient LDIF data)

As you can see, it cannot find your mailing list account.

Could you please export the LDIF data of this mailing list account for troubleshooting? You can replace sensitive info in LDIF data, but please keep it clear so that we can understand the data.

To export LDIF data of this mailing list account, please login to iRedAdmin-Pro as global admin, go to profile page of this mailing list, then you can find link "Export account to LDIF".

8

Re: iredadmin maillist problem

Try this:

*) Create a new mailing list account with iRedAdmin-Pro. Assign some members, set the access policy.
*) Send email to this new mailing list to reproduce this issue.

Please show me related log in /var/log/iredapd.log.

9

Re: iredadmin maillist problem

Hi Zhang, I created a new maillist and set the access policy; it works as it must, so it's OK now.

But the deleted maillist still receives maillist. :) How can I completely delete it? Thanks for your time.

ZhangHuangbin wrote:

Try this:

*) Create a new mailing list account with iRedAdmin-Pro. Assign some members, set the access policy.
*) Send email to this new mailing list to reproduce this issue.

Please show me related log in /var/log/iredapd.log.

10

Re: iredadmin maillist problem

nevsehiredu wrote:

But the deleted maillist still receives maillist. :)

Did you delete mailing list with iRedAdmin-Pro? or phpldapadmin?

11

Re: iredadmin maillist problem

ZhangHuangbin wrote:
nevsehiredu wrote:

But the deleted maillist still receives maillist. :)

Did you delete mailing list with iRedAdmin-Pro? or phpldapadmin?

I deleted it with iRedAdmin-Pro, then I checked in phpldapadmin; it does not appear in either of them.

12

Re: iredadmin maillist problem

I suggest you manage accounts with iRedAdmin-Pro, because there is a lot of data that needs to be synced between mail accounts.

For example, to delete a mailing list, iRedAdmin-Pro will delete the mailing list itself, and delete the membership stored in member accounts. That's why you can still send email to the mailing list after deleting it. Please use iRedAdmin-Pro.
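
Added example, not part of the original posts and not iRedAdmin-Pro's code: a check over an LDIF export for memberships that outlived their mailing list entry, which is the leftover state described in the last reply. It assumes membership is recorded on member accounts in the `memberOfGroup` attribute (the thread does not name the attribute); the sample LDIF, its addresses and the function names are constructed.

```python
import base64
# Constructed LDIF with placeholder addresses. Assumption: list membership is stored
# on member entries in the memberOfGroup attribute (the thread does not name it).
SAMPLE_LDIF = """\
dn: mail=announce@example.com,ou=Groups,domainName=example.com,o=domains,dc=example,dc=com
objectClass: mailList
mail: announce@example.com
cn:: QW5ub3VuY2U=

dn: mail=alice@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com
objectClass: mailUser
mail: alice@example.com
memberOfGroup: announce@example.com
memberOfGroup: deleted-list@example.com

dn: mail=bob@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com
objectClass: mailUser
mail: bob@example.com
memberOfGroup: deleted-list@example.com
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts (handles folding and base64)."""
    entries, cur = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():  # a blank line closes the current entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>", as in the cn:: line above
                value = base64.b64decode(value[1:]).decode("utf-8")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def orphaned_memberships(entries):
    """Map each group address that has no mailList entry to the accounts still listing it."""
    lists = {m.lower() for e in entries if "mailList" in e.get("objectclass", [])
             for m in e.get("mail", [])}
    orphans = {}
    for e in entries:
        for group in e.get("memberofgroup", []):
            if group.lower() not in lists:
                orphans.setdefault(group.lower(), []).extend(e.get("mail", []))
    return orphans

if __name__ == "__main__":
    print(orphaned_memberships(parse_ldif(SAMPLE_LDIF)))
```
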