OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: astranova on July 26, 2022, 06:38:22 pm

Title: Email Reports error - seems to be missing "From"
Post by: astranova on July 26, 2022, 06:38:22 pm
I have a Postfix docker container running that I use to send email from all services on my network. It works fine for everything so far except for Zenarmor, using the same settings.

When I test the connection, it's giving me an "access denied" error, and looking at the postfix log, it looks like Zenarmor is not including the "from" parameter when it's connecting.

Here's an example of the (scrubbed) logs from Monit on the same device when it sent an email successfully:
Code:
2022-07-25T21:22:03.586198+00:00 INFO    postfix/smtpd[27765]: connect from OPNsense.mydomain[10.10.0.1]
2022-07-25T21:22:03.641992+00:00 INFO    postfix/smtpd[27765]: 9B5BA460496: client=OPNsense.mydomain[10.10.0.1]
2022-07-25T21:22:03.685299+00:00 INFO    postfix/cleanup[28526]: 9B5BA460496: message-id=<1658784123.d72d7861dc0a9c1f@OPNsense.mydomain>
2022-07-25T21:22:03.689927+00:00 INFO    postfix/smtpd[27765]: disconnect from OPNsense.mydomain[10.10.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2022-07-25T21:22:03.690487+00:00 INFO    postfix/qmgr[227]: 9B5BA460496: from=<root@opnsense.mydomain>, size=813, nrcpt=1 (queue active)
2022-07-25T21:22:04.890003+00:00 INFO    postfix/smtp[28527]: 9B5BA460496: to=<myemail@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.115.26]:25, delay=1.3, delays=0.1/0.01/0.71/0.48, dsn=2.0.0, status=sent (250 2.0.0 OK  1658784124 i14-20020a056870344e00b0010c38471ee7si9722681oah.78 - gsmtp)
2022-07-25T21:22:04.890585+00:00 INFO    postfix/qmgr[227]: 9B5BA460496: removed

But here is what happens when Zenarmor tries and fails:
Code:
2022-07-26T01:00:18.698596+00:00 INFO    postfix/smtpd[32282]: connect from OPNsense.mydomain[10.10.0.1]
2022-07-26T01:00:18.737756+00:00 INFO    postfix/smtpd[32282]: NOQUEUE: reject: RCPT from OPNsense.mydomain[10.10.0.1]: 554 5.7.1 <myemail@gmail.com>: Recipient address rejected: Access denied; from=<> to=<myemail@gmail.com> proto=ESMTP helo=<OPNsense.mydomain>
2022-07-26T01:00:18.779415+00:00 INFO    postfix/smtpd[32282]: lost connection after RSET from OPNsense.mydomain[10.10.0.1]
2022-07-26T01:00:18.779572+00:00 INFO    postfix/smtpd[32282]: disconnect from OPNsense.mydomain[10.10.0.1] ehlo=2 mail=1 rcpt=0/1 rset=1 commands=4/5

It doesn't seem to matter what I put in the From field in the Zenarmor config; it doesn't show up in the postfix logs, which seems to indicate it's not being sent in the connection.
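
Added example, not part of the original post: a small Python parser for the two Postfix log formats quoted above. It separates messages that qmgr queued with a real envelope sender from smtpd rejects, and flags rejects where from=<> (the null sender). The sample lines are copied from the post; the function and variable names are illustrative assumptions.

```python
import re

# Sample input: two lines copied from the logs in the post (Monit success, Zenarmor reject).
SAMPLE_LOG = """\
2022-07-25T21:22:03.690487+00:00 INFO    postfix/qmgr[227]: 9B5BA460496: from=<root@opnsense.mydomain>, size=813, nrcpt=1 (queue active)
2022-07-26T01:00:18.737756+00:00 INFO    postfix/smtpd[32282]: NOQUEUE: reject: RCPT from OPNsense.mydomain[10.10.0.1]: 554 5.7.1 <myemail@gmail.com>: Recipient address rejected: Access denied; from=<> to=<myemail@gmail.com> proto=ESMTP helo=<OPNsense.mydomain>
"""

# qmgr logs the envelope sender once a message has been accepted and queued.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

# smtpd logs "NOQUEUE: reject" when this Postfix instance refuses a command
# before any queue ID exists; the SMTP stage (here RCPT) follows "reject:".
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<client>\S+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def accepted_senders(log_text):
    """Return (queue_id, envelope_sender) for every message qmgr queued."""
    return [(m["qid"], m["sender"]) for m in QMGR_RE.finditer(log_text)]

def parse_rejects(log_text):
    """Return one dict per smtpd reject, with null_sender set when from=<>."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        # An empty envelope sender is the null reverse-path (MAIL FROM:<>).
        rec["null_sender"] = rec["sender"] == ""
        rejects.append(rec)
    return rejects

if __name__ == "__main__":
    for qid, sender in accepted_senders(SAMPLE_LOG):
        print(f"queued   {qid} sender={sender}")
    for r in parse_rejects(SAMPLE_LOG):
        tag = "NULL SENDER" if r["null_sender"] else r["sender"]
        print(f"rejected at {r['stage']} {r['code']} {r['dsn']} from {r['ip']} [{tag}] -> {r['rcpt']}")
```
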
Title: Re: Email Reports error - seems to be missing "From"
Post by: sy on July 26, 2022, 09:40:36 pm
Hi,

We are going to check it and will inform you.
Title: Re: Email Reports error - seems to be missing "From"
Post by: franco on July 27, 2022, 12:20:34 pm
Prohibiting empty MAIL FROM in a mail server is silly, because in general it's empty to inform the receiving server that it should not bounce the message, which is what you want for non-delivery of automatically generated messages.

https://serverfault.com/questions/151955/why-an-empty-mail-from-address-can-sent-out-email


Cheers,
Franco
Title: Re: Email Reports error - seems to be missing "From"
Post by: astranova on July 27, 2022, 09:46:39 pm
I don't mind changing the setting; these are just the defaults for the postfix docker container I used. I still think there may be a bug since it's not including it, though.
Title: Re: Email Reports error - seems to be missing "From"
Post by: astranova on July 27, 2022, 10:18:06 pm
Looked further into this and error 554 5.7.1 apparently means it's rejected on the recipient server - sorry, I'm slightly ignorant on SMTP. So apparently Gmail is rejecting it, but why are my other services using the same postfix server going through to the same Gmail address correctly?

Also read that a From=<> might be correct to prevent a loop of bounce messages. So I'm not 100% sure what Zenarmor is doing or where it's failing.
Title: Re: Email Reports error - seems to be missing "From"
Post by: franco on July 28, 2022, 07:39:30 am
Due to the sensitive nature of reports from internal network components, forwarding them over the Internet is questionable as well. Normally you want them locally so it doesn't leak any information. That's why you should have at least a mail server under your control, or better yet a mail gateway to encrypt messages from there, also adding MAIL FROM if necessary for forwarding.

Mail infrastructure as a whole is uncomfortably complex.


Cheers,
Franco