Sample error message in Postfix log file:
Jul 24 06:43:08 mx0 postfix/smtpd[12719]: NOQUEUE: reject: RCPT from sender.com[xx.xx.xx.xx]: 451 4.7.1 recipient@my-domain.com: Recipient address rejected: Intentional policy rejection, please try again later; from=sender@sender-domain.com to=recipient@my-domain.com proto=SMTP helo=
This error is caused by the greylisting service. The sender's server will retry delivery of the same email, and your server will accept it after a few retries.
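The reject lines quoted on this page share one layout, so they can be triaged mechanically. The following is an added example (not iRedMail or Postfix code) that goes beyond the greylisting case: it parses such lines and separates temporary 4xx rejections, which the sending server retries, from permanent 5xx ones. The sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout of a Postfix smtpd reject line as quoted on this page.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>[45]\d\d) (?P<dsn>\d\.\d+\.\d+) (?P<detail>.*?); "
    r"from=<?(?P<sender>[^\s>]*)>? to=<?(?P<rcpt>[^\s>]*)>? "
    r"proto=(?P<proto>\S+) helo=<?(?P<helo>[^>]*)>?$"
)

# Constructed sample lines (documentation addresses), modelled on that layout.
SAMPLE_LOG = """\
Jul 24 06:43:08 mx0 postfix/smtpd[101]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 451 4.7.1 <bob@example.com>: Recipient address rejected: Intentional policy rejection, please try again later; from=<a@example.net> to=<bob@example.com> proto=ESMTP helo=<mail.example.net>
Jul 24 06:44:10 mx0 postfix/smtpd[102]: NOQUEUE: reject: RCPT from unknown[192.0.2.20]: 553 5.7.1 <bob@example.com>: Sender address rejected: not logged in; from=<bob@example.com> to=<c@example.org> proto=ESMTP helo=<pc1.example.com>
Jul 24 06:45:11 mx0 postfix/submission/smtpd[103]: NOQUEUE: reject: RCPT from unknown[192.0.2.30]: 554 5.7.1 <bob@example.com>: Recipient address rejected: Policy rejection due to null sender; from=<> to=<bob@example.com> proto=ESMTP helo=<pc2.example.com>
Jul 24 06:46:12 mx0 postfix/smtpd[104]: NOQUEUE: reject: RCPT from unknown[192.0.2.40]: 504 5.5.2 <DESKTOP1>: Helo command rejected: need fully-qualified hostname; from=<d@example.org> to=<bob@example.com> proto=ESMTP helo=<DESKTOP1>
Jul 24 06:47:00 mx0 postfix/qmgr[105]: 4A1B2C3D: removed
"""


def parse_reject(line):
    """Return a dict of fields for a reject line, or None for other lines."""
    m = REJECT_RE.search(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    # "<addr>: Recipient address rejected: reason" -> keep only the reason.
    rec["reason"] = rec["detail"].split(" rejected: ", 1)[-1]
    # 4xx: the sending server queues and retries; 5xx: it bounces the message.
    rec["transient"] = rec["code"].startswith("4")
    rec["null_sender"] = rec["sender"] == ""
    return rec


def summarize(log_text):
    """Count rejections per (transient?, reason) pair."""
    recs = filter(None, map(parse_reject, log_text.splitlines()))
    return Counter((r["transient"], r["reason"]) for r in recs)


if __name__ == "__main__":
    for (transient, reason), n in summarize(SAMPLE_LOG).items():
        print(("temporary" if transient else "permanent"), n, reason)
```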
Sample error message in Postfix log file:
Jun 24 11:57:13 mx1 postfix/smtpd[2667]: NOQUEUE: reject: RCPT from mail.mydomain.com[1.2.3.4]: 553 5.7.1 <sombody@my-domain.com>: Sender address rejected: not logged in; from=<sombody@my-domain.com> to=<receipent@receipentdomain.com> proto=ESMTP helo=<client_helo.com>
This error is caused by an incorrectly configured mail client application; it is not a server issue.
All mail users are forced to perform SMTP auth before sending email, so you must configure your mail client applications (Outlook, Thunderbird, ...) to enable SMTP authentication.
This error is caused by the restriction rule reject_sender_login_mismatch in Postfix parameter smtpd_recipient_restrictions, in file /etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
reject_sender_login_mismatch,
...
It will reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps. Check the manual page of the Postfix configuration file for more details.
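The two conditions of the rule, worked through as an added example. This is a model of the behaviour described above, not Postfix or iRedMail code; the map contents, the addresses and the function name `check_sender_login` are constructed for illustration. Note the last case: a logged-in client using an address that has no entry in the map is also rejected, because no login owns that address.

```python
# Added illustration: models the rule described above, it is not Postfix code.
# SENDER_LOGIN_MAPS stands in for $smtpd_sender_login_maps (constructed data):
# MAIL FROM address -> SASL login names that own it.
SENDER_LOGIN_MAPS = {
    "alice@example.com": ["alice@example.com"],
    "sales@example.com": ["alice@example.com", "bob@example.com"],
}


def check_sender_login(mail_from, sasl_login=None, login_maps=SENDER_LOGIN_MAPS):
    """Return (action, reason) for one MAIL FROM / SASL login pair."""
    sender = mail_from.strip("<>").lower()
    owners = [o.lower() for o in login_maps.get(sender, [])]

    if sasl_login is None:
        # Not logged in: rejected only when the map names an owner.
        if owners:
            return ("REJECT", "not logged in")
        return ("DUNNO", "no owner listed, client not logged in")

    # Logged in: the login name must own the MAIL FROM address. An address
    # missing from the map has no owner, so this branch rejects it too.
    if sasl_login.lower() in owners:
        return ("DUNNO", "login owns sender address")
    return ("REJECT", "not owned by user " + sasl_login)


def demo():
    cases = [
        ("alice@example.com", None),                  # local address, no SMTP AUTH
        ("alice@example.com", "alice@example.com"),   # matching login
        ("alice@example.com", "bob@example.com"),     # someone else's address
        ("sales@example.com", "bob@example.com"),     # shared address, listed owner
        ("user@remote.example", None),                # inbound mail from outside
        ("user@remote.example", "bob@example.com"),   # logged in, unowned address
    ]
    return [(m, l, *check_sender_login(m, l)) for m, l in cases]


if __name__ == "__main__":
    for mail_from, login, action, reason in demo():
        print(f"{mail_from:22} login={login!s:18} -> {action}: {reason}")
```

DUNNO is the Postfix result meaning "no decision here, continue with the next restriction".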
Removing reject_sender_login_mismatch and restarting the Postfix service fixes this issue.
Note
If you want to allow some users to send as other users, or allow all users to send as their alias addresses, or allow members of a mail list/alias to send as the mail list/alias, you should try the iRedAPD plugin reject_sender_login_mismatch instead (requires iRedAPD-1.4.4 or later releases).
Read the comments in file /opt/iredapd/plugins/reject_sender_login_mismatch.py, then enable it in the iRedAPD config file /opt/iredapd/settings.py (plugins = ), and restart the iRedAPD service. That's all.
With old iRedAPD releases, the error message may be one of those below:
SMTP AUTH is required, or it is a spam with forged sender domain
Recipient address rejected: Policy rejection not logged in
This error message means the sender domain is hosted locally on your iRedMail server, but the sender didn't perform SMTP AUTH to send the email.
If the email is sent from a server or device NOT under your control, and you want to bypass the check for email sent from this sender address but not for the whole server, please list this sender address in the iRedAPD config file /opt/iredapd/settings.py, parameter ALLOWED_FORGED_SENDERS, like below:
Warning
Restart the iredapd service after modifying its config file.
# Single address.
ALLOWED_FORGED_SENDERS = ['user@domain.com']
# Or, whole domain.
ALLOWED_FORGED_SENDERS = ['domain.com']
Notes:
This parameter is not present in /opt/iredapd/settings.py by default; feel free to add it manually. You can find detailed comments in file /opt/iredapd/libs/default_settings.py; read the comments to understand it better.
This parameter name must be in upper case.
If the email is sent by a server or device under your control and you want to trust this server/device and bypass all emails, you can whitelist the IP address of this server/device in the iRedAPD config file /opt/iredapd/settings.py like below:
MYNETWORKS = ['192.168.0.10', '192.168.0.20', '192.168.0.30']
Notes:
This parameter is not present in /opt/iredapd/settings.py by default; feel free to add it manually. You can find detailed comments in file /opt/iredapd/libs/default_settings.py; read the comments to understand it better.
Sample error message in Postfix log file:
Tue 15 16:00:17 mail postfix/submission/smtpd[412508]: NOQUEUE: reject: RCPT from unknown[119.12.37.112]: 554 5.7.1 user@domain.com: Recipient address rejected: Policy rejection due to null sender; from=<> to=user@domain.com proto=ESMTP helo=<...>
If an end user sends email with SMTP authentication but specifies a null sender in the SMTP session (from=<> in the Postfix log), the iRedAPD plugin reject_null_sender will reject the email with the above error message.
This behaviour looks like spamming, and a null sender won't trigger throttling.
The solution is to make sure the end user's MUA is configured to send email with SMTP authentication and to specify a sender address.
If the SMTP authentication username is different from the address in the mail header From: field, you will get this rejection (by iRedAPD).
Solutions:
From:.
From:), please add one setting in iRedAPD config file /opt/iredapd/settings.py, then restart iRedAPD service:
# Syntax:
# - Allow single user: ["user@mydomain.com"]
# - Allow all users under same domain: ["mydomain.com"]
# - Multiple values can be separated by a comma: ["user@mydomain.com", "domain2.com"]
ALLOWED_LOGIN_MISMATCH_SENDERS = ["user@mydomain.com"]
Notes: user@mydomain.com is the email address you used for SMTP authentication.
If you're a member of a mailing list or mail alias and try to send email with the address of the mailing list/alias as the sender address, you will get the same error. There's another setting you can try (either one is ok):
ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True
It will allow all members of mailing list/alias to send email with the email of mailing list/alias as the sender address.
Sample error message in Postfix log file:
Feb 11 19:59:06 mail postfix/cleanup[30575]: warning: 23C334232FB3: unreasonable virtual_alias_maps map expansion size for user@domain.com -- deferring delivery
It means the number of addresses that virtual alias expansion produces from one original recipient exceeds the hard limit. Please either increase the hard limit (default is 1000) or reduce the number of alias members.
To increase the limit to, for example, 1500, please add the setting below in the Postfix config file /etc/postfix/main.cf:
virtual_alias_expansion_limit = 1500
Reference: Postfix Configuration Parameters
Sample error message in Postfix log file:
Sep 22 08:51:03 mail postfix/smtpd[22067]: NOQUEUE: reject: RCPT from dslb-092-074-062-133.092.074.pools.vodafone-ip.de[92.74.62.133]: 504 5.5.2 <EHSGmbHLUCASPC>: Helo command rejected: need fully-qualified hostname; from=user@domain-a.com to=user@domain-b.com proto=ESMTP helo=<EHSGmbHLUCASPC>
According to the RFC document, the HELO identity must be an FQDN (fully-qualified hostname). The sender sends EHSGmbHLUCASPC as the HELO hostname, but it's not an FQDN.
It's the sender's fault, not your mistake.
As a temporary solution, you can whitelist this HELO hostname by adding a line like below at the top of file /etc/postfix/helo_access.pcre (Linux/OpenBSD) or /usr/local/etc/postfix/helo_access.pcre (FreeBSD):
/^EHSGmbHLUCASPC$/ OK
Sample error message in Postfix log file:
Aug 13 08:07:14 mail postfix/smtpd[8606]: NOQUEUE: reject: RCPT from mta02.globetel.com.ph[120.28.49.114]: 450 4.7.1 : Helo command rejected: Host not found; from=tcadd01@globetel.com.ph to=user@example.com proto=ESMTP helo=
Postfix does a DNS query to verify whether an A record exists for the HELO domain name mta02.globetel.com; if not, Postfix rejects the email.
As a temporary solution, you can whitelist this HELO hostname by adding a line like below at the top of file /etc/postfix/helo_access.pcre (Linux/OpenBSD) or /usr/local/etc/postfix/helo_access.pcre (FreeBSD):
/^mta02\.globetel\.com$/ OK
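Both whitelist entries above (this one and the EHSGmbHLUCASPC entry earlier) are anchored with ^ and $ and have their dots escaped, which keeps an OK entry from matching more HELO names than intended. The following added example, which is not iRedMail or Postfix code, audits table lines for those properties; the two looser entries, the probe names and the function names are constructed for comparison, and Python's re module is assumed to behave like PCRE for patterns this simple.

```python
import re

# Constructed table lines: the first is the entry shown above, the next two
# are looser spellings of the same intent (hypothetical, for comparison).
TABLE = r"""
/^mta02\.globetel\.com$/ OK
/mta02.globetel.com/ OK
/^mta02\.globetel\.com/ OK
"""

# Constructed HELO names: the intended one plus look-alikes that must not pass.
PROBES = ["mta02.globetel.com", "mta02xglobetel.com",
          "mta02.globetel.com.example.net", "relay-mta02.globetel.com"]


def parse_table(text):
    """Yield (pattern, action) for each '/pattern/ action' line."""
    for line in text.splitlines():
        m = re.match(r"^/(.*)/\s+(\S+)", line.strip())
        if m:
            yield m.group(1), m.group(2)


def audit(pattern, action, probes=PROBES, intended="mta02.globetel.com"):
    """Return lint findings and the unintended probes an entry matches."""
    findings = []
    if action.upper() == "OK":
        if not pattern.startswith("^"):
            findings.append("missing ^ anchor")
        if not pattern.endswith("$"):
            findings.append("missing $ anchor")
        if re.search(r"(?<!\\)\.", pattern):
            findings.append("unescaped dot matches any character")
    # Postfix pcre tables match case-insensitively by default, hence re.I.
    extra = [p for p in probes if p != intended and re.search(pattern, p, re.I)]
    return findings, extra


def report(table=TABLE):
    """Audit every entry; returns (pattern, findings, unintended matches)."""
    return [(pat, *audit(pat, act)) for pat, act in parse_table(table)]


if __name__ == "__main__":
    for pat, findings, extra in report():
        print(pat, "|", findings or "ok", "|", extra or "no unintended match")
```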
It means the sender's mail server uses an FQDN hostname which ends with .local as its HELO identity. .local is not a valid top level domain name, and all mail servers should use a valid domain name which is resolvable from a DNS query.
Two solutions:
/etc/postfix/helo_access.pcre (Linux/OpenBSD) or /usr/local/etc/postfix/helo_access.pcre (FreeBSD), then reload Postfix service.
Sample log in Postfix log file:
Feb 20 03:31:54 mail postfix/trivial-rewrite[2216]: warning: do not list domain mydomain.com in BOTH mydestination and virtual_mailbox_domains
This error message means mail domain name mydomain.com is:
mydestination. Most probably, this domain name is the value of Postfix parameter myhostname, and myhostname is a value of mydestination.
To solve this, please either use a different myhostname or don't use this domain name as a mail domain (remove it with iRedAdmin). To use a different value for Postfix parameter myhostname, you must also change the server hostname.
Error message in Dovecot log file:
[ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway. If anyone was listening, the password was exposed.
Dovecot is configured to force clients to use secure IMAP/POP3 connections, but your client is trying to use a plain, insecure connection without TLS or SSL.
The BEST solution is to update the IMAP/POP3 settings in the mail client application (e.g. Outlook, Thunderbird) to enable a secure connection. Please check this link to see network port numbers and secure connection types.
The NOT RECOMMENDED solution is to update the Dovecot config file to allow insecure connections. This is dangerous because your password is sent in plain text: if someone can trace the network traffic at a network gateway / firewall, your password is exposed. If you clearly understand the risk and still want to enable insecure connections, please check this document.
This error means the Amavisd service is not running; please try to start it first.
# service amavisd restart
# service amavis restart
# /etc/rc.d/amavisd restart
or # rcctl restart amavisd
After restarting the amavisd service, please check its log file to make sure it's running.
Notes: