Update allow.user.to.send.email.without.authentication.md with required settings in iRedAPD.

2016-12-14 20:10:23 +08:00 · 2016-12-14 20:10:23 +08:00 · 45651e86df
parent 01d213f40f
commit 45651e86df
4 changed files with 102 additions and 2 deletions
--- a/en_US/howto/allow.user.to.send.email.without.authentication.md
+++ b/en_US/howto/allow.user.to.send.email.without.authentication.md
@ -1,5 +1,7 @@
 # Allow user to send email without smtp authentication

+## Postfix
+
 Create a plain text file: `/etc/postfix/accepted_unauth_senders`, list all
 users' email addresses which are allowed to send email without smtp
 authentication. We use user email address `user@example.com` for example:
@ -37,3 +39,28 @@ Restart/reload postfix to make it work:
 ```
 # /etc/init.d/postfix restart
 ```
+
+## iRedAPD
+
+iRedAPD plugin `reject_sender_login_mismatch` will check forged sender address.
+If sender domain is hosted on your server, but no smtp auth, it will be
+considered as a forged email. In this case, iRedAPD will reject this email
+(with rejection message: `Policy rejection not logged in`), so we need to
+bypass either sender email address. If email is sent by an internal network
+device like printer, fax, we can also its IP address directly.
+
+* To bypass sender email address `user@example.com`, please add setting in
+  `/opt/iredapd/settings.py` like below:
+
+```
+ALLOWED_FORGED_SENDERS = ['user@example.com']
+```
+
+* To bypass sender IP address, for example, `192.168.0.1`, please add setting
+  in `/opt/iredapd/settings.py` like below:
+
+```
+MYNETWORKS = ['192.168.0.1']
+```
+
+Restarting iRedAPD service is required if you updated `/opt/iredapd/settings.py`.
--- a/html/allow.user.to.send.email.without.authentication-zh_CN.html
+++ b/html/allow.user.to.send.email.without.authentication-zh_CN.html
@ -20,6 +20,7 @@
 <p><a href="./allow.user.to.send.email.without.authentication.html">English</a> / <a href="./allow.user.to.send.email.without.authentication-it_IT.html">Italiano</a> /</p>
 </div>
 <h1 id="_1">允许用户无需身份验证发送邮件</h1>
+<h2 id="postfix">Postfix</h2>
 <p>创建文本文件 <code>/etc/postfix/accepted_unauth_senders</code>，列出无需身份验证就可以
 发送邮件的用户邮件地址。下面以用户 <code>user@example.com</code> 为例：</p>
 <pre><code>user@example.com OK
@ -37,7 +38,29 @@

 <p>重启 postfix 服务以使设置生效：</p>
 <pre><code># /etc/init.d/postfix restart
-</code></pre><div class="footer">
+</code></pre>
+
+<h2 id="iredapd">iRedAPD</h2>
+<p>iRedAPD 插件 <code>reject_sender_login_mismatch</code> 会检测伪造的发件人地址。如果发件人
+的域名在你的服务器托管，并且邮件不是经由 SMTP 验证发送的，就会被认为是伪造的
+发件人。这种情况下 iRedAPD 会直接拒收邮件（拒收提示信息为：<code>Policy rejection
+not logged in</code>），因此需要在 iRedAPD 里放行将该收件人邮件地址。如果邮件是由
+固定的内部网络设备发送（例如，打印机、传真机），可以直接放行 IP 地址。</p>
+<ul>
+<li>放行发件人邮件地址 <code>user@example.com</code>，请在  <code>/opt/iredapd/settings.py</code> 里
+  加以下参数：</li>
+</ul>
+<pre><code>ALLOWED_FORGED_SENDERS = ['user@example.com']
+</code></pre>
+
+<ul>
+<li>放行发件人 IP 地址，例如, <code>192.168.0.1</code>，请在 <code>/opt/iredapd/settings.py</code> 里
+  加以下参数：</li>
+</ul>
+<pre><code>MYNETWORKS = ['192.168.0.1']
+</code></pre>
+
+<p>修改后需要重启 iRedAPD 服务。</p><div class="footer">
    <p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
 </div>
 <script type="text/javascript">
--- a/html/allow.user.to.send.email.without.authentication.html
+++ b/html/allow.user.to.send.email.without.authentication.html
@ -20,6 +20,7 @@
 <p><a href="./allow.user.to.send.email.without.authentication-it_IT.html">Italiano</a> / <a href="./allow.user.to.send.email.without.authentication-zh_CN.html">简体中文</a> /</p>
 </div>
 <h1 id="allow-user-to-send-email-without-smtp-authentication">Allow user to send email without smtp authentication</h1>
+<h2 id="postfix">Postfix</h2>
 <p>Create a plain text file: <code>/etc/postfix/accepted_unauth_senders</code>, list all
 users' email addresses which are allowed to send email without smtp
 authentication. We use user email address <code>user@example.com</code> for example:</p>
@ -47,7 +48,30 @@ authentication. We use user email address <code>user@example.com</code> for exam

 <p>Restart/reload postfix to make it work:</p>
 <pre><code># /etc/init.d/postfix restart
-</code></pre><div class="footer">
+</code></pre>
+
+<h2 id="iredapd">iRedAPD</h2>
+<p>iRedAPD plugin <code>reject_sender_login_mismatch</code> will check forged sender address.
+If sender domain is hosted on your server, but no smtp auth, it will be
+considered as a forged email. In this case, iRedAPD will reject this email
+(with rejection message: <code>Policy rejection not logged in</code>), so we need to
+bypass either sender email address. If email is sent by an internal network
+device like printer, fax, we can also its IP address directly.</p>
+<ul>
+<li>To bypass sender email address <code>user@example.com</code>, please add setting in
+  <code>/opt/iredapd/settings.py</code> like below:</li>
+</ul>
+<pre><code>ALLOWED_FORGED_SENDERS = ['user@example.com']
+</code></pre>
+
+<ul>
+<li>To bypass sender IP address, for example, <code>192.168.0.1</code>, please add setting
+  in <code>/opt/iredapd/settings.py</code> like below:</li>
+</ul>
+<pre><code>MYNETWORKS = ['192.168.0.1']
+</code></pre>
+
+<p>Restarting iRedAPD service is required if you updated <code>/opt/iredapd/settings.py</code>.</p><div class="footer">
    <p style="text-align: center; color: grey;">All documents are available in <a href="https://bitbucket.org/zhb/iredmail-docs/src">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2">download the latest version</a> for offline reading. If you found something wrong, please do <a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
 </div>
 <script type="text/javascript">
--- a/zh_CN/howto/allow.user.to.send.email.without.authentication.md
+++ b/zh_CN/howto/allow.user.to.send.email.without.authentication.md
@ -1,5 +1,7 @@
 # 允许用户无需身份验证发送邮件

+## Postfix
+
 创建文本文件 `/etc/postfix/accepted_unauth_senders`，列出无需身份验证就可以
 发送邮件的用户邮件地址。下面以用户 `user@example.com` 为例：

@ -26,3 +28,27 @@ smtpd_sender_restrictions =
 ```
 # /etc/init.d/postfix restart
 ```
+
+## iRedAPD
+
+iRedAPD 插件 `reject_sender_login_mismatch` 会检测伪造的发件人地址。如果发件人
+的域名在你的服务器托管，并且邮件不是经由 SMTP 验证发送的，就会被认为是伪造的
+发件人。这种情况下 iRedAPD 会直接拒收邮件（拒收提示信息为：`Policy rejection
+not logged in`），因此需要在 iRedAPD 里放行将该收件人邮件地址。如果邮件是由
+固定的内部网络设备发送（例如，打印机、传真机），可以直接放行 IP 地址。
+
+* 放行发件人邮件地址 `user@example.com`，请在  `/opt/iredapd/settings.py` 里
+  加以下参数：
+
+```
+ALLOWED_FORGED_SENDERS = ['user@example.com']
+```
+
+* 放行发件人 IP 地址，例如, `192.168.0.1`，请在 `/opt/iredapd/settings.py` 里
+  加以下参数：
+
+```
+MYNETWORKS = ['192.168.0.1']
+```
+
+修改后需要重启 iRedAPD 服务。