Users cannot change passwords

June 12, 2018, 1:05 pm

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.97
- Linux/BSD distribution name and version: CentOS 6.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Users receive "Could not save new password. Encryption function missing." When trying to change their passwords

I can change their password in the iredadmin area.

The error log /var/log/nginx/error.log states:

2018/06/12 14:20:32 [error] 12634#0: *24 FastCGI sent in stderr: "PHP message: PHP Warning: proc_open() has been disabled for security reasons in /var/www/roundcubemail-1.2.0/plugins/password/password.php on line 606" while reading response header from upstream, client: 216.36.139.243, server: _, request: "POST /mail/?_task=settings&_action=plugin.password-save HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/php-fpm.socket:", host: "mail.domain.ca", referrer: "https://mail.domain.ca/mail/?_task=sett … n.password"

I have enabled proc_open and proc_close in php.ini

The password.php is below:

<?php

/**
* Password Plugin for Roundcube
*
* @author Aleksander Machniak <alec@alec.pl>
*
* Copyright (C) 2005-2015, The Roundcube Dev Team
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see http://www.gnu.org/licenses/.
*/

define('PASSWORD_CRYPT_ERROR', 1);
define('PASSWORD_ERROR', 2);
define('PASSWORD_CONNECT_ERROR', 3);
define('PASSWORD_IN_HISTORY', 4);
define('PASSWORD_CONSTRAINT_VIOLATION', 5);
define('PASSWORD_SUCCESS', 0);

/**
* Change password plugin
*
* Plugin that adds functionality to change a users password.
* It provides common functionality and user interface and supports
* several backends to finally update the password.
*
* For installation and configuration instructions please read the README file.
*
* @author Aleksander Machniak
*/
class password extends rcube_plugin
{
public $task = 'settings|login';
public $noframe = true;
public $noajax = true;

private $newuser = false;

function init()
{
$rcmail = rcmail::get_instance();

$this->load_config();

if ($rcmail->task == 'settings') {
if (!$this->check_host_login_exceptions()) {
return;
}

$this->add_texts('localization/');

$this->add_hook('settings_actions', array($this, 'settings_actions'));

$this->register_action('plugin.password', array($this, 'password_init'));
$this->register_action('plugin.password-save', array($this, 'password_save'));
}
else if ($rcmail->config->get('password_force_new_user')) {
$this->add_hook('user_create', array($this, 'user_create'));
$this->add_hook('login_after', array($this, 'login_after'));
}
}

function settings_actions($args)
{
// register as settings action
$args['actions'][] = array(
'action' => 'plugin.password',
'class' => 'password',
'label' => 'password',
'title' => 'changepasswd',
'domain' => 'password',
);

return $args;
}

function password_init()
{
$this->register_handler('plugin.body', array($this, 'password_form'));

$rcmail = rcmail::get_instance();
$rcmail->output->set_pagetitle($this->gettext('changepasswd'));

if (rcube_utils::get_input_value('_first', rcube_utils::INPUT_GET)) {
$rcmail->output->command('display_message', $this->gettext('firstloginchange'), 'notice');
}
else if (!empty($_SESSION['password_expires'])) {
if ($_SESSION['password_expires'] == 1) {
$rcmail->output->command('display_message', $this->gettext('passwdexpired'), 'error');
}
else {
$rcmail->output->command('display_message', $this->gettext(array(
'name' => 'passwdexpirewarning',
'vars' => array('expirationdatetime' => $_SESSION['password_expires'])
)), 'warning');
}
}

$rcmail->output->send('plugin');
}

function password_save()
{
$this->register_handler('plugin.body', array($this, 'password_form'));

$rcmail = rcmail::get_instance();
$rcmail->output->set_pagetitle($this->gettext('changepasswd'));

$form_disabled = $rcmail->config->get('password_disabled');
$confirm = $rcmail->config->get('password_confirm_current');
$required_length = intval($rcmail->config->get('password_minimum_length'));
$check_strength = $rcmail->config->get('password_require_nonalpha');

if (($confirm && !isset($_POST['_curpasswd'])) || !isset($_POST['_newpasswd'])) {
$rcmail->output->command('display_message', $this->gettext('nopassword'), 'error');
}
else {
$charset = strtoupper($rcmail->config->get('password_charset', 'ISO-8859-1'));
$rc_charset = strtoupper($rcmail->output->get_charset());

$sespwd = $rcmail->decrypt($_SESSION['password']);
$curpwd = $confirm ? rcube_utils::get_input_value('_curpasswd', rcube_utils::INPUT_POST, true, $charset) : $sespwd;
$newpwd = rcube_utils::get_input_value('_newpasswd', rcube_utils::INPUT_POST, true);
$conpwd = rcube_utils::get_input_value('_confpasswd', rcube_utils::INPUT_POST, true);

// check allowed characters according to the configured 'password_charset' option
// by converting the password entered by the user to this charset and back to UTF-8
$orig_pwd = $newpwd;
$chk_pwd = rcube_charset::convert($orig_pwd, $rc_charset, $charset);
$chk_pwd = rcube_charset::convert($chk_pwd, $charset, $rc_charset);

// WARNING: Default password_charset is ISO-8859-1, so conversion will
// change national characters. This may disable possibility of using
// the same password in other MUA's.
// We're doing this for consistence with Roundcube core
$newpwd = rcube_charset::convert($newpwd, $rc_charset, $charset);
$conpwd = rcube_charset::convert($conpwd, $rc_charset, $charset);

if ($chk_pwd != $orig_pwd) {
$rcmail->output->command('display_message', $this->gettext('passwordforbidden'), 'error');
}
// other passwords validity checks
else if ($conpwd != $newpwd) {
$rcmail->output->command('display_message', $this->gettext('passwordinconsistency'), 'error');
}
else if ($confirm && $sespwd != $curpwd) {
$rcmail->output->command('display_message', $this->gettext('passwordincorrect'), 'error');
}
else if ($required_length && strlen($newpwd) < $required_length) {
$rcmail->output->command('display_message', $this->gettext(
array('name' => 'passwordshort', 'vars' => array('length' => $required_length))), 'error');
}
else if ($check_strength && (!preg_match("/[0-9]/", $newpwd) || !preg_match("/[^A-Za-z0-9]/", $newpwd))) {
$rcmail->output->command('display_message', $this->gettext('passwordweak'), 'error');
}
// password is the same as the old one, warn user, return error
else if ($sespwd == $newpwd && !$rcmail->config->get('password_force_save')) {
$rcmail->output->command('display_message', $this->gettext('samepasswd'), 'error');
}
// try to save the password
else if (!($res = $this->_save($curpwd, $newpwd))) {
$rcmail->output->command('display_message', $this->gettext('successfullysaved'), 'confirmation');

// allow additional actions after password change (e.g. reset some backends)
$plugin = $rcmail->plugins->exec_hook('password_change', array(
'old_pass' => $curpwd, 'new_pass' => $newpwd));

// Reset session password
$_SESSION['password'] = $rcmail->encrypt($plugin['new_pass']);

// Log password change
if ($rcmail->config->get('password_log')) {
rcube::write_log('password', sprintf('Password changed for user %s (ID: %d) from %s',
$rcmail->get_user_name(), $rcmail->user->ID, rcube_utils::remote_ip()));
}

// Remove expiration date/time
$rcmail->session->remove('password_expires');
}
else {
$rcmail->output->command('display_message', $res, 'error');
}
}

$rcmail->overwrite_action('plugin.password');
$rcmail->output->send('plugin');
}

function password_form()
{
$rcmail = rcmail::get_instance();

// add some labels to client
$rcmail->output->add_label(
'password.nopassword',
'password.nocurpassword',
'password.passwordinconsistency'
);

$form_disabled = $rcmail->config->get('password_disabled');

$rcmail->output->set_env('product_name', $rcmail->config->get('product_name'));
$rcmail->output->set_env('password_disabled', !empty($form_disabled));

$table = new html_table(array('cols' => 2));

if ($rcmail->config->get('password_confirm_current')) {
// show current password selection
$field_id = 'curpasswd';
$input_curpasswd = new html_passwordfield(array(
'name' => '_curpasswd',
'id' => $field_id,
'size' => 20,
'autocomplete' => 'off',
));

$table->add('title', html::label($field_id, rcube::Q($this->gettext('curpasswd'))));
$table->add(null, $input_curpasswd->show());
}

// show new password selection
$field_id = 'newpasswd';
$input_newpasswd = new html_passwordfield(array(
'name' => '_newpasswd',
'id' => $field_id,
'size' => 20,
'autocomplete' => 'off',
));

$table->add('title', html::label($field_id, rcube::Q($this->gettext('newpasswd'))));
$table->add(null, $input_newpasswd->show());

// show confirm password selection
$field_id = 'confpasswd';
$input_confpasswd = new html_passwordfield(array(
'name' => '_confpasswd',
'id' => $field_id,
'size' => 20,
'autocomplete' => 'off',
));

$table->add('title', html::label($field_id, rcube::Q($this->gettext('confpasswd'))));
$table->add(null, $input_confpasswd->show());

$rules = '';

$required_length = intval($rcmail->config->get('password_minimum_length'));
if ($required_length > 0) {
$rules .= html::tag('li', array('id' => 'required-length'), $this->gettext(array(
'name' => 'passwordshort',
'vars' => array('length' => $required_length)
)));
}

if ($rcmail->config->get('password_require_nonalpha')) {
$rules .= html::tag('li', array('id' => 'require-nonalpha'), $this->gettext('passwordweak'));
}

if (!empty($rules)) {
$rules = html::tag('ul', array('id' => 'ruleslist'), $rules);
}

$disabled_msg = '';
if ($form_disabled) {
$disabled_msg = is_string($form_disabled) ? $form_disabled : $this->gettext('disablednotice');
$disabled_msg = html::div(array('class' => 'boxwarning', 'id' => 'password-notice'), $disabled_msg);
}

$submit_button = $rcmail->output->button(array(
'command' => 'plugin.password-save',
'type' => 'input',
'class' => 'button mainaction',
'label' => 'save',
));
$form_buttons = html::p(array('class' => 'formbuttons'), $submit_button);

$out = html::div(array('class' => 'box'),
html::div(array('id' => 'prefs-title', 'class' => 'boxtitle'), $this->gettext('changepasswd'))
. html::div(array('class' => 'boxcontent'),
$disabled_msg . $table->show() . $rules . $form_buttons));

$rcmail->output->add_gui_object('passform', 'password-form');

$this->include_script('password.js');

return $rcmail->output->form_tag(array(
'id' => 'password-form',
'name' => 'password-form',
'method' => 'post',
'action' => './?_task=settings&_action=plugin.password-save',
), $out);
}

private function _save($curpass, $passwd)
{
$config = rcmail::get_instance()->config;
$driver = $config->get('password_driver', 'sql');
$class = "rcube_{$driver}_password";
$file = $this->home . "/drivers/$driver.php";

if (!file_exists($file)) {
rcube::raise_error(array(
'code' => 600,
'type' => 'php',
'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: Unable to open driver file ($file)"
), true, false);
return $this->gettext('internalerror');
}

include_once $file;

if (!class_exists($class, false) || !method_exists($class, 'save')) {
rcube::raise_error(array(
'code' => 600,
'type' => 'php',
'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: Broken driver $driver"
), true, false);
return $this->gettext('internalerror');
}

$object = new $class;
$result = $object->save($curpass, $passwd);
$message = '';

if (is_array($result)) {
$message = $result['message'];
$result = $result['code'];
}

switch ($result) {
case PASSWORD_SUCCESS:
return;
case PASSWORD_CRYPT_ERROR:
$reason = $this->gettext('crypterror');
break;
case PASSWORD_CONNECT_ERROR:
$reason = $this->gettext('connecterror');
break;
case PASSWORD_IN_HISTORY:
$reason = $this->gettext('passwdinhistory');
break;
case PASSWORD_CONSTRAINT_VIOLATION:
$reason = $this->gettext('passwdconstraintviolation');
break;
case PASSWORD_ERROR:
default:
$reason = $this->gettext('internalerror');
}

if ($message) {
$reason .= ' ' . $message;
}

return $reason;
}

function user_create($args)
{
$this->newuser = true;
return $args;
}

function login_after($args)
{
if ($this->newuser && $this->check_host_login_exceptions()) {
$args['_task'] = 'settings';
$args['_action'] = 'plugin.password';
$args['_first'] = 'true';
}

return $args;
}

// Check if host and login is allowed to change the password, false = not allowed, true = not allowed
private function check_host_login_exceptions()
{
$rcmail = rcmail::get_instance();

// Host exceptions
$hosts = $rcmail->config->get('password_hosts');
if (!empty($hosts) && !in_array($_SESSION['storage_host'], (array) $hosts)) {
return false;
}

// Login exceptions
if ($exceptions = $rcmail->config->get('password_login_exceptions')) {
$exceptions = array_map('trim', (array) $exceptions);
$exceptions = array_filter($exceptions);
$username = $_SESSION['username'];

foreach ($exceptions as $ec) {
if ($username === $ec) {
return false;
}
}
}

return true;
}

/**
* Hashes a password and returns the hash based on the specified method
*
* Parts of the code originally from the phpLDAPadmin development team
* http://phpldapadmin.sourceforge.net/
*
* @param string Clear password
* @param string Hashing method
* @param bool|string Prefix string or TRUE to add a default prefix
*
* @return string Hashed password
*/
static function hash_password($password, $method = '', $prefixed = true)
{
$method = strtolower($method);
$rcmail = rcmail::get_instance();
$prefix = '';
$crypted = '';
$default = false;

if (empty($method) || $method == 'default') {
$method = $rcmail->config->get('password_algorithm');
$prefixed = $rcmail->config->get('password_algorithm_prefix');
$default = true;
}
else if ($method == 'crypt') { // deprecated
if (!($method = $rcmail->config->get('password_crypt_hash'))) {
$method = 'md5';
}

if (!strpos($method, '-crypt')) {
$method .= '-crypt';
}
}

switch ($method) {
case 'des':
case 'des-crypt':
$crypted = crypt($password, rcube_utils::random_bytes(2));
$prefix = '{CRYPT}';
break;

case 'ext_des': // for BC
case 'ext-des-crypt':
$crypted = crypt($password, '_' . rcube_utils::random_bytes(8));
$prefix = '{CRYPT}';
break;

case 'md5crypt': // for BC
case 'md5-crypt':
$crypted = crypt($password, '$1$' . rcube_utils::random_bytes(9));
$prefix = '{CRYPT}';
break;

case 'sha256-crypt':
$rounds = (int) $rcmail->config->get('password_crypt_rounds');
$prefix = '$5$';

if ($rounds > 1000) {
$prefix .= 'rounds=' . $rounds . '$';
}

$crypted = crypt($password, $prefix . rcube_utils::random_bytes(16));
$prefix = '{CRYPT}';
break;

case 'sha512-crypt':
$rounds = (int) $rcmail->config->get('password_crypt_rounds');
$prefix = '$6$';

if ($rounds > 1000) {
$prefix .= 'rounds=' . $rounds . '$';
}

$crypted = crypt($password, $prefix . rcube_utils::random_bytes(16));
$prefix = '{CRYPT}';
break;

case 'blowfish': // for BC
case 'blowfish-crypt':
$cost = (int) $rcmail->config->get('password_blowfish_cost');
$cost = $cost < 4 || $cost > 31 ? 12 : $cost;
$prefix = sprintf('$2a$%02d$', $cost);

$crypted = crypt($password, $prefix . rcube_utils::random_bytes(22));
$prefix = '{CRYPT}';
break;

case 'md5':
$crypted = base64_encode(pack('H*', md5($password)));
$prefix = '{MD5}';
break;

case 'sha':
if (function_exists('sha1')) {
$crypted = pack('H*', sha1($password));
}
else if (function_exists('hash')) {
$crypted = hash('sha1', $password, true);
}
else if (function_exists('mhash')) {
$crypted = mhash(MHASH_SHA1, $password);
}
else {
rcube::raise_error(array(
'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: Your PHP install does not have the mhash()/hash() nor sha1() function"
), true, true);
}

$crypted = base64_encode($crypted);
$prefix = '{SHA}';
break;

case 'ssha':
$salt = rcube_utils::random_bytes(8);

if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
$salt = mhash_keygen_s2k(MHASH_SHA1, $password, $salt, 4);
$crypted = mhash(MHASH_SHA1, $password . $salt);
}
else if (function_exists('sha1')) {
$salt = substr(pack("H*", sha1($salt . $password)), 0, 4);
$crypted = sha1($password . $salt, true);
}
else if (function_exists('hash')) {
$salt = substr(pack("H*", hash('sha1', $salt . $password)), 0, 4);
$crypted = hash('sha1', $password . $salt, true);
}
else {
rcube::raise_error(array(
'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: Your PHP install does not have the mhash()/hash() nor sha1() function"
), true, true);
}

$crypted = base64_encode($crypted . $salt);
$prefix = '{SSHA}';
break;

case 'smd5':
$salt = rcube_utils::random_bytes(8);

if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
$salt = mhash_keygen_s2k(MHASH_MD5, $password, $salt, 4);
$crypted = mhash(MHASH_MD5, $password . $salt);
}
else if (function_exists('hash')) {
$salt = substr(pack("H*", hash('md5', $salt . $password)), 0, 4);
$crypted = hash('md5', $password . $salt, true);
}
else {
$salt = substr(pack("H*", md5($salt . $password)), 0, 4);
$crypted = md5($password . $salt, true);
}

$crypted = base64_encode($crypted . $salt);
$prefix = '{SMD5}';
break;

case 'samba':
if (function_exists('hash')) {
$crypted = hash('md4', rcube_charset::convert($password, RCUBE_CHARSET, 'UTF-16LE'));
$crypted = strtoupper($crypted);
}
else {
rcube::raise_error(array(
'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: Your PHP install does not have hash() function"
), true, true);
}
break;

case 'ad':
$crypted = rcube_charset::convert('"' . $password . '"', RCUBE_CHARSET, 'UTF-16LE');
break;

case 'cram-md5': // deprecated
require_once __DIR__ . '/../helpers/dovecot_hmacmd5.php';
$crypted = dovecot_hmacmd5($password);
$prefix = '{CRAM-MD5}';
break;

case 'dovecot':
if (!($dovecotpw = $rcmail->config->get('password_dovecotpw'))) {
$dovecotpw = 'dovecotpw';
}
if (!($method = $rcmail->config->get('password_dovecotpw_method'))) {
$method = 'CRAM-MD5';
}

$spec = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'), 2 => array('file', '/dev/null', 'a'));
$pipe = proc_open("$dovecotpw -s '$method'", $spec, $pipes);

if (!is_resource($pipe)) {
return false;
}

fwrite($pipes[0], $password . "\n", 1+strlen($password));
usleep(1000);
fwrite($pipes[0], $password . "\n", 1+strlen($password));

$crypted = trim(stream_get_contents($pipes[1]), "\n");

fclose($pipes[0]);
fclose($pipes[1]);
proc_close($pipe);

if (!preg_match('/^\{' . $method . '\}/', $crypted)) {
return false;
}

if (!$default) {
$prefixed = (bool) $rcmail->config->get('password_dovecotpw_with_method');
}

if (!$prefixed) {
$crypted = trim(str_replace('{' . $method . '}', '', $crypted));
}

$prefixed = false;

break;

case 'hash': // deprecated
if (!extension_loaded('hash')) {
rcube::raise_error(array(
'code' => 600, 'file' => __FILE__, 'line' => __LINE__,
'message' => "Password plugin: 'hash' extension not loaded!"
), true, true);
}

if (!($hash_algo = strtolower($rcmail->config->get('password_hash_algorithm')))) {
$hash_algo = 'sha1';
}

$crypted = hash($hash_algo, $password);

if ($rcmail->config->get('password_hash_base64')) {
$crypted = base64_encode(pack('H*', $crypted));
}

break;

case 'clear':
$crypted = $password;
}

if ($crypted === null || $crypted === false) {
return false;
}

if ($prefixed && $prefixed !== true) {
$prefix = $prefixed;
$prefixed = true;
}

if ($prefixed === true && $prefix) {
$crypted = $prefix . $crypted;
}

return $crypted;
}
}

Attached is my php.ini

↧

Mail transport unavailable

June 13, 2018, 1:35 am

≫ Next: SMTP Error (500) Authentication failed

≪ Previous: Users cannot change passwords

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: CentOS 7.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL/MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I'm seeing a bunch of messages to only one domain on the server in the queue that look like this:

CEF33C61438 10113 Tue Jun 12 09:32:40 sender@example.com
(mail transport unavailable)
recipient@domainonourserver.com

I found references to Amavis in the archives, but why is this affecting only one domain?

↧

SMTP Error (500) Authentication failed

June 13, 2018, 5:55 am

≫ Next: helo_access.pcre

≪ Previous: Mail transport unavailable

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8 MARIADB edition
- Linux/BSD distribution name and version: Ubuntu 16.04.4 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mariadb
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

this pops up in a box (no new window or tab) when i try to send a mail, i resently installed iredmail on my ubuntu server 16.04 which already has a dns with bind and dhcp running i followed the instructions from the site whle installing it

↧

helo_access.pcre

June 13, 2018, 7:50 am

≫ Next: Setup second iredmail to redirect email on first server

≪ Previous: SMTP Error (500) Authentication failed

Nothing very important, but in your helo_access.pcre is there also "eutelia.it".
This is a legal working domain. It is an italian voip company. And I becomed crazy to understand why their mails doens't reach some users. :-)

↧

Setup second iredmail to redirect email on first server

June 14, 2018, 12:44 pm

≫ Next: Whitelisting not working

≪ Previous: helo_access.pcre

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: main centos 6.x , second centos 7 (fresh install)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): mysql
- Web server (Apache or Nginx): no matter
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello, stuck with simply case. I guess it should be standard scenario.

1. I have iredmail mail server - it would be Main (old installation on centos 6 + updated iredmail 0.9.8)
2. I have setup second mail server - Second (fresh install on cestos 7 + iredmail 0.9.8)

What i need:
Second server redirecting to Main emails
Second server is storing emails if Main server unavailable.

I am looking on https://docs.iredmail.org/relayhost.html, but get Recipient address rejected: User unknown in virtual mailbox table.

Could somebody please make little plan looks like:
1. Main server - what to do
2. Second server - what to do
3. Main server - what to do etc

thanks in advance

↧

Whitelisting not working

June 13, 2018, 3:45 am

≫ Next: sogo/amavis blacklist/whitelist priority

≪ Previous: Setup second iredmail to redirect email on first server

In my logs I have the following lines:

Jun 13 10:29:41 nc036 postfix/smtpd[1338]: NOQUEUE: reject: RCPT from xxx.yyy.cctld[1.2.3.4]: 450 4.7.1 <server.yyy.cctld>: Helo command rejected: Host not found; from=<sender@yyy.cctld> to=<recipient@example.com> proto=ESMTP helo=<server.yyy.cctld>

I have communicated with the admin of the server at yyy.cctld, and they refuse to set up their DNS properly. Unfortunately, they are a legitimate sender; in fact, they are the national tax authority of a country!

I have tried adding each of the following to the "Whitelisted senders" (for inbound mails) at System -> Anti Spam -> Whitelists & Blacklists, but their mails are still blocked:

* @.yyy.cctld
* @yyy.cctld
* 1.2.3.4 (the IP address of their server)

I also tried restarting both Postfix and iRedAPD, but this didn't change the result.

How can I let them bypass the HELO check without letting everyone else bypass it too?

Thanks.

↧

sogo/amavis blacklist/whitelist priority

June 15, 2018, 3:47 am

≫ Next: Can't access Webmail (Rouncube)

≪ Previous: Whitelisting not working

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): v0.9.8
- Linux/BSD distribution name and version: Centos 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? Not yet
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello, newly installed server, v0.9.8. Working well, no issues, send/receive ok. (technically, not receiving yet, secondary mx. Sends no issue)
Wanted to be very restrictive, internal server only, send receive from one domain only (separate service)

Method selected was to blacklist/whitelist in Amavis (included with the standard iredmail install)
Understand there are outbound and inbound black/whitelists

added @. to blacklists (all users)
added alloweddomain.com to whitelists

Roundcube works perfectly, exactly as expected

Sogo appears to have an issue, perhaps applying the lists out of order?

If I set the INBOUND list to @. then try to SEND and email from sogo, fails
"Cannot send message: all recipients are invalid."

maillog:
Jun 15 20:09:51 mx postfix/postscreen[10139]: CONNECT from [127.0.0.1]:47762 to [127.0.0.1]:25
Jun 15 20:09:51 mx postfix/postscreen[10139]: WHITELISTED [127.0.0.1]:47762
Jun 15 20:09:51 mx postfix/smtpd[10140]: connect from localhost[127.0.0.1]
Jun 15 20:09:52 mx postfix/smtpd[10140]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <d.lee@alloweddomain.com>: Recipient address rejected: Blacklisted; from=<postmaster@iredmailserverdomain.com> to=<d.lee@alloweddomain.com> proto=ESMTP helo=<localhost>
Jun 15 20:09:52 mx postfix/smtpd[10140]: disconnect from localhost[127.0.0.1]

Any ideas?

If I remove blacklist @. everything works again.

Sogo, for the Activesync

thankyou

↧

Can't access Webmail (Rouncube)

June 16, 2018, 1:18 am

≫ Next: Install on FreeBSD 11.1

≪ Previous: sogo/amavis blacklist/whitelist priority

Topic: Can't access Webmail (Rouncube)
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): iRedMail-0.9.6 PostgreSQL edition.
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PostgreSQL
- Web server (Apache or Nginx): NGINX
- Manage mail accounts with iRedAdmin-Pro? NO
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello

when I'm Trying to access on to my Webmail (Roundcube) here https://mail.globalit-eng.com/

I have a nginx message "502 Bad Gateway"

The Weird thing is that I can successfully access to iredadmin and also send and receive message

only Webmail have an issue and I don't know how to fix it

Please Help

↧

Install on FreeBSD 11.1

June 16, 2018, 3:10 am

≫ Next: Install on FreeBSD 11.1

≪ Previous: Can't access Webmail (Rouncube)

============ Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: FreeBSD 11.1 x86
- Store mail accounts in which backend (MySQL):
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Jun 5 10:25:38 test kernel: Starting clamav_clamd.
Jun 5 10:25:40 test kernel: WARNING: Ignoring deprecated option AllowSupplementaryGroups at line 714
Jun 5 10:26:39 test kernel: Starting clamav_freshclam.
Jun 5 10:26:42 test kernel: doveconf: Error: t_readlink(/var/run/dovecot/dovecot.conf) failed: readlink() failed: No such file or directory
Jun 5 10:26:42 test kernel: Starting dovecot.

↧

Install on FreeBSD 11.1

June 16, 2018, 3:23 am

≫ Next: Install on FreeBSD 11.1

≪ Previous: Install on FreeBSD 11.1

↧

Install on FreeBSD 11.1

June 16, 2018, 3:24 am

≫ Next: Install on FreeBSD 11.1

≪ Previous: Install on FreeBSD 11.1

↧

Install on FreeBSD 11.1

June 16, 2018, 3:25 am

≫ Next: Install on FreeBSD clamav_clamd, dovecot

≪ Previous: Install on FreeBSD 11.1

================ Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: FreeBSD 11.1 x86
- Store mail accounts in which backend (MySQL):
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

↧

Install on FreeBSD clamav_clamd, dovecot

June 16, 2018, 3:26 am

≫ Next: Logwatch httpd

≪ Previous: Install on FreeBSD 11.1

↧

Logwatch httpd

June 16, 2018, 4:03 am

≫ Next: Cant send mail Temporary MTA Failure need help

≪ Previous: Install on FreeBSD clamav_clamd, dovecot

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
======== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8 MARIADB edition
- Linux/BSD distribution name and version: Deian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Nope
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I got some spamming in my logwatch under httpd:

Requests with error response codes
400 Bad Request
null: 8699 Time(s)
\xEE: 3 Time(s)
$: 2 Time(s)
\x08: 2 Time(s)
\x93: 2 Time(s)
\xBE: 2 Time(s)
\xD0: 2 Time(s)
d: 2 Time(s)
!1\xA61\x80\xE0\xDA\xB8f:\xE8\x9En}s\x8Fd\ ... xFC\xF7\x02\xE1: 1 Time(s)
!1o\xE7C\x83\xD5P\x84\x1B\xCB\xF6@\xAD\x91 ... D\xBC\xA7j9\x98: 1 Time(s)
!>6\x82(B\x9D\xFD\x87\x10\xF6Ck\x03\xF2;\x ... 02\xE0N\x19\xA1: 1 Time(s)
!G\xCC\xA4\x1A\x05\x0E\xE7\xF1\x0B5%\xAAA7 ... xA2\xE5\x96\x84: 1 Time(s)
!\x80\x8C.0\x0B'\xCE7-\xFA\x03jr\x12v*[\xA ... \xDD\xF8@\x93h6: 1 Time(s)
!\x97\xBF\xEF;\xFF\x86\x9B\xE1|b8\xD3\x00\ ... 9RS~1\x08\xB0px: 1 Time(s)
!\x97\xC5\xF8=A\x17\xAE\x8D\xBB<\x80\xEF\x ... $\x10Z\x19\xB4o: 1 Time(s)
!\xB3e#\x06O\x92\x1A\x8DR\xAF\x88\xB4\x02R ... \x85\x22\xA0!EY: 1 Time(s)
!\xB7\xCB\x80I\x06\xC8F\xBC\x1D\xD8g\xCB\x ... 18\xC4\xE9\xFCK: 1 Time(s)
!\xB7\xD9\x8B\xC2\xD39;\xAD\xE3G\xD7: 1 Time(s)
!\xCF\xC9U\x08\x8EN\xAD\xF7Y\x87=\xBA5e\xA ... $\x08\xDAJD\xEB: 1 Time(s)
!v\x9C#?\x93\xB6\xB4guH\xE8\xBCh\x19\x8CA\ ... $\xB1w\xAD5\x9A: 1 Time(s)
#: 1 Time(s)
#)H\x08\x97\xDE\x00z\x8A\x0EL\xF5eD\x97\xC ... \x15f~\x10\x13-: 1 Time(s)
#:\x1C\x8BL\xB8\xB2\x83qb\x9D\xF1\xB2E\xE39: 1 Time(s)
#F`\xF7e\x9B|\x10\xF9\x92E\x9E\x1D\x96\x0C ... 04s\x0F\xB2\x08: 1 Time(s)
etc etc etc

Possible am a victim of some kind of an attack?
What can i do to stop this?

↧

Cant send mail Temporary MTA Failure need help

June 16, 2018, 7:17 am

≫ Next: Cant send mail Temporary MTA Failure need help

≪ Previous: Logwatch httpd

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): iRedMail Pro 2.9.0
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Since I upgraded to IRM Pro an attempted to configure Postfix and DoveCot for SSL and security I have not been able to send any email. Here is an example message form the Postfix Log. I am confused by the mapping.

##################################################################
505BC7E908 2018/06/16 2:25 AM 2:25 AM root@email.powersend.org root@email.powersend.org 48.13 kB host 127.0.0.1[127.0.0.1] said: 451 4.5.0 id=21027-04 - Temporary MTA failure on relaying, From MTA() during fwd-connect (No greeting, dt: 1.006 s): id=21027-04 (in reply to end of DATA command)
##################################################################

And here is a more detailed info from the Log:

################### Logwatch 7.4.2 (02/27/16) ####################
Processing Initiated: Sat Jun 16 06:25:02 2018
Date Range Processed: yesterday
( 2018-Jun-15 )
Period is day.
Detail Level of Output: 0
Type of Output/Format: mail / text
Logfiles for Host: email
##################################################################

--------------------- Amavisd-new Begin ------------------------

Redundant argument in sprintf at /usr/share/logwatch/scripts/services/amavis line
1338, <> line 271.
3 Miscellaneous warnings

**Unmatched Entries**
1 (13900-01) Blocked MTA-BLOCKED {TempFailedInbound}, [127.0.0.1] <root@email.powersend.org>
-> , Message-ID: <20180615062543.7FAAF7EA43@email.powersend.org>, mail_id: qsUvLA_IY6l7,
Hits: 0, size: 43595, 2068 ms, Tests: [NO_RELAYS=-0.001,URIBL_BLOCKED=0.001]
1 (13917-02) Blocked MTA-BLOCKED {TempFailedInbound}, [127.0.0.1] <root@email.powersend.org>
-> , Message-ID: <20180615033002.03C1C7E949@email.powersend.org>, mail_id: MibbrZ6GATxL,
Hits: 0, size: 1222, 1193 ms, Tests: [NO_RELAYS=-0.001,TVD_SPACE_RATIO=0.001]
1 (13913-01) Blocked MTA-BLOCKED {TempFailedInbound}, [127.0.0.1] <root@email.powersend.org>
-> , Message-ID: <20180615062543.7FAAF7EA43@email.powersend.org>, mail_id: JThmeM5u3fE6,
Hits: 0, size: 43595, 2294 ms, Tests: [NO_RELAYS=-0.001,URIBL_BLOCKED=0.001]

Before I attempted configuration, when we were using IRM Free I was able to send to and receive email from both RoundCube and Microsoft Outlook. I cannot do that now and I'm running out of time to get this server configured. It's been 2 weeks I have been working at it. I know very little about Linux and it's Applications...even though I have 25 years experience in the Windows environment.

Here is what we are trying to accomplish. We have been sending 300,000 emails a day to our subscribers using Amazon SES. We will be sending more email soon for other customers. We want to be able to send our Newsletter 3 times a day but cannot afford the SES cost for that. So we are setting up our own SMTP relay with IRM Pro.

We use the email client software MailWizz on a server different than the one iRedMail is on. But We should be able to send/receive through iRedMail from any client anywhere with the right credentials.

I will be happy to pay you to help me set this up. But I want you to understand what we need before I issue a paid ticket. So that I will not need to spend for more than 1 incident. I am not good at Linux terminology so I may not be able to explain what needs to be done.

What additional information will you need from me so that I can gather it up ahead of time for the Paid Ticket.
Thank you for your help.

↧

Cant send mail Temporary MTA Failure need help

June 16, 2018, 7:20 am

≫ Next: Cant send mail Temporary MTA Failure need help

≪ Previous: Cant send mail Temporary MTA Failure need help

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
======== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): iRedMail Pro 2.9.0
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Since I upgraded to IRM Pro and attempted to configure Postfix and DoveCot for SSL and security I have not been able to send any email. Here is an example message form the Postfix Log. I am confused by the mapping.

And here is a more detailed info from the Log:

--------------------- Amavisd-new Begin ------------------------

Redundant argument in sprintf at /usr/share/logwatch/scripts/services/amavis line
1338, <> line 271.
3 Miscellaneous warnings

What additional information will you need from me so that I can gather it up ahead of time for the Paid Ticket.
Thank you for your help.

↧

Cant send mail Temporary MTA Failure need help

June 16, 2018, 8:47 am

≫ Next: Backup and restore the Contacts

≪ Previous: Cant send mail Temporary MTA Failure need help

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
======== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): iRedMail Pro 2.9.0
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

And here is a more detailed info from the Log:

--------------------- Amavisd-new Begin ------------------------

Redundant argument in sprintf at /usr/share/logwatch/scripts/services/amavis line
1338, <> line 271.
3 Miscellaneous warnings

What additional information will you need from me so that I can gather it up ahead of time for the Paid Ticket.
Thank you for your help.

↧

Backup and restore the Contacts

June 11, 2018, 8:11 pm

≫ Next: autoconfig/autodiscover: Different configurations

≪ Previous: Cant send mail Temporary MTA Failure need help

============ Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.8 MARIADB edition.
- Linux/BSD distribution name and version: centos-release-7-5.1804.el7.centos.2.x86_64
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? Not yet
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
A.
I made a full backup and restored a new server with:
1 - /var/vmail/backup
2 - /var/vmail/vmail1/

And everything is working well but don't restored the contacts.
Where I find the contacts directory to make a backup and then restore them in the new server?

B. There are anything more that I need to backup to make a full restore?

Thanks for your excellent work

↧

autoconfig/autodiscover: Different configurations

June 12, 2018, 12:08 am

≫ Next: f2ban/iptables keeps banning a NAT address

≪ Previous: Backup and restore the Contacts

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.8
- Linux/BSD distribution name and version: CentOS 7.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL/MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro?: Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Is it possible to send different configurations depending on the email client? For example, some versions of Outlook don't work with TLS on port 110 for POP, but will only work with SSL on port 995. But Thunderbird will work with the recommended port 110 over TLS. If I send the recommended configuration to Outlook users, they'll complain that the mail server is broken. This defeats the purpose of automatic configuration.

↧

f2ban/iptables keeps banning a NAT address

June 12, 2018, 5:28 am

≫ Next: Users cannot change passwords

≪ Previous: autoconfig/autodiscover: Different configurations

==== Required information ====
- iRedMail version (check /etc/iredmail-release):
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
======== Required information ====
- iRedMail version (check /etc/iredmail-release): .096
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have an iRedMail server external to my network, and all of my hosts are NAT'd behind a firewall. All of the hosts inside the network can resolve the host name of the external mail server and use it for mail transactions.
I think what is happening is I have multiple hosts connecting for inbound/outbound emails and when the mail transactions overlap on postfix on the iRedmail server, (maybe too many hits per minute?) which causes the email to be dropped and eventually fail2ban activates on the postifx jail for the public IP address for the network. I see issues in the logs where there are complaints about hoist names not resolving too.

I have poked around the forum but I don't see anyone talking about this type of setup.
I assume everyone else doing this is doing a local DMZ and can allow the iRedMail access to the local DNS - in this case the iRedMail server is offsite and can't gain access to the local DNS.

Is the best option to run the mail server inside the network and allow SMTP traffic through the firewall, or run on a locla DMZ with access to the local DNS?

↧