Delegated mailbox with SOGo gives "Recipient address rejected: Sender is not same as SMTP authenticate username"

[ouitec]

Hello,

When activating Mailbox delegation under SOGo from [email protected] for [email protected]

then I connect to SOGo with [email protected] and use the automated available from "[email protected]" and get this error when sending to [email protected] :

Error :

5.7.1 <[email protected]>: Recipient address rejected: Sender is not same as SMTP authenticate username

REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER:

• iRedMail version (check /etc/iredmail-release): 1.6.1 OPENLDAP edition.
• Deployed with iRedMail Easy or the downloadable installer? downloadable installer
• Linux/BSD distribution name and version: Centos 8
• Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
• Web server (Apache or Nginx): NGINX
• Manage mail accounts with iRedAdmin-Pro? Yes
• [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

sogo.log :

2023-01-04 15:27:16.227 sogod[160453:160453] SMTP: STARTTLS successfully performed
2023-01-04 15:27:16.240 sogod[160453:160453] SMTP(RCPT TO) error: 5.7.1 <[email protected]>: Recipient address rejected: Sender is not same as SMTP authenticate username
Jan 04 15:27:16 sogod [160453]: [ERROR] <0x0x55730d2bb6b0[SOGoMailer]> Could not connect to the SMTP server smtp://127.0.0.1:587/?tls=YES&tlsVerifyMode=allowInsecureLocalhost
Jan 04 15:27:16 sogod [160453]: X.X.X.X "POST /SOGo/so/[email protected]/Mail/0/folderDrafts/newDraft1672842134-1/send HTTP/1.0" 405 144/142 0.062 - - 28K - 19

dovecot.log :

Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: auth client connected (pid=0)
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=127.0.0.1#011rip=127.0.0.1#011secured
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: client passdb out: CONT#0111
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: client in: CONT#0111#011cC5tZWRpbmFAb3VpdGVjLmZyAHAubWVkaW5hQG91aXRlYy5mcgA6QXJmOTEyUG9yTDQh (previous base64 data may contain sensitive data)
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: ldap([email protected],127.0.0.1): Performing passdb lookup
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: ldap([email protected],127.0.0.1): bind search: base=o=domains,dc=domains,dc=com filter=(&(objectClass=mailUser)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail)(enabledService=smtpsecured)(|([email protected])(&(enabledService=shadowaddress)([email protected]))))
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: ldap([email protected],127.0.0.1): result: [email protected]; mail unused
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: ldap([email protected],127.0.0.1): Finished passdb lookup
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: auth([email protected],127.0.0.1): Auth request finished
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: client passdb out: OK#0111#[email protected]

maillog :

Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: connect from localhost[127.0.0.1]
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: discarding EHLO keywords: CHUNKING
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: discarding EHLO keywords: CHUNKING
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <[email protected]>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<localhost>
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: lost connection after RCPT from localhost[127.0.0.1]
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6

[iredmail]

FYI https://docs.iredmail.org/errors.html#recipient-address-rejected-sender-is-not-same-as-smtp-authenticate-username

[ouitec]

Hello,

I knew this documentation indeed. But this in not answering the issue.

This is allready aenabled :
ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True

About adding :
ALLOWED_LOGIN_MISMATCH_SENDERS = ['[email protected]']

1. A manual modification is needed by administrators each time a user want to give a delegation to another user, this in not trivial at all.
2. Using SMTP, this will allow those users to send a mail with any from address, this is absolutely not possible in our case and not really professional in any other case because of possibility of identity usurpation.

Postfix should read a permit sender list from SOGo database.

Don't you want to add this feature ?

[iredmail]

• A manual modification is needed by administrators each time a user want to give a delegation to another user, this in not trivial at all.
• Using SMTP, this will allow those users to send a mail with any from address, this is absolutely not possible in our case and not really professional in any other case because of possibility of identity usurpation.

You're right. We should improve iRedAPD to query SQL/LDAP to get such (per-user) allowed senders in future release.

Postfix should read a permit sender list from SOGo database.

Don't you want to add this feature ?

• I think the most ideal way to implement such feature is improving iRedAPD plugin reject_sender_login_mismatch.py, not Postfix.
• Yes we're interested in implementing it in iRedAPD. Contributions are welcome. :)