1. Zhang Huangbin
  2. iredapd


iredapd / ChangeLog

    * Fixed issues:
        - tools/spf_to_greylisting_whitelists.py: combine splited IP address
          in SPF record.
        - plugins/reject_sender_login_mismatch.py: not correctly handle email
          sent by external user.

    * New SQL table "greylisting_whitelist_domains", used to store mail domain
      names which you want to disable greylisting for their mail servers.

      Note: these domain names are not used by iRedAPD plugin `greylisting`
            directly, you need to setup a daily cron job to run script
            'tools/spf_to_greylisting_whitelists.py' to whitelist IP addresses
            and networks of their mail servers.

    * New script:
        - tools/greylisting_admin.py: used to manage greylisting settings.
        - tools/wblist_admin.py: used to manage inbound/outbound whitelists
          and blacklists.
        - tools/spf_to_greylist_whitelists.py: it queries SPF DNS records of
          given domains and imports converted IP addresses/networks as
          greylisting whitelists.
          if no domain name specified, it queries from NEW sql table

          if no SPF record for specified domain name, MX records will be used.

    * Fixed issues:
        - plugins/throttle.py:
            * Cannot apply throttle setting correctly if `max_quota` is set to
              Thanks Tu Ngoc Tan <tantn3 _at_ fpt.com.vn> for the report.
        - plugins/reject_sender_login_mismatch.py:
            * not bypass email which is not sent by authenticated user.
              Note: it won't cause incorrect email rejection.
            * raise error if we have both ALLOWED_LOGIN_MISMATCH_STRICTLY and
              Thanks rk <rk _at_ redb.cz> for the report in forum.
        - plugins/amavisd_wblist.py:
            * fix improper high priority, it should be run after other plugins.
            * incorrect priority for outbound wblist.
              Thanks bigman <jenri.tan _at_ gmail> fot the report in forum.
            * not bypass email which doesn't contain a sender or sasl_username
              address. Note: it won't cause incorrect mail rejection.
        - Not correctly update log file path in tools/upgrade_iredapd.sh.
        - Not enable greylisting by default.

    * New plugins:
        + plugins/greylisting.py.
        + plugins/throttle.py. used to throttle inbound/outbound emails based
          on amount of mails, total mail size sent over a given period of time,
          or size of single message.

          - New script tools/cleanup_db.py, used to clean up expired throttle
            tracking records, it's supposed to be run every hour as a cron job.
          - New script tools/migrate_cluebringer_throttle.py, used to migrate
            Cluebringer throttle settings.
          - New script tools/migrate_cluebringer_greylisting.py, used to
            migrate Cluebringer greylisting settings, including whitelists.

    * Removed plugins:
        - plugins/ldap_amavisd_block_blacklisted_senders.py
        - plugins/ldap_recipient_restrictions.py
        - plugins/sql_user_restrictions.py
        - plugins/amavisd_message_size_limit.py

      First 3 plugins are replaced by 'plugins/amavisd_wblist.py', last one
      is replaced by new plugin 'plugins/throttle.py'.

    * Improvements:
        - Auto rotate log files (under /var/log/iredapd/). Supports rotating
          based on file size or time interval (e.g. everyday, every week,
          every 3 midnight), rotated log file will be compressed with zip.
          Default is rotating every Sunday, keeping 12 copies (3 months).
        - Allow to use IP network in MYNETWORKS. e.g.
        - Allow plugins to work in multiple protocol states.
        - Drop invalid smtp session attributes.
        - plugins/reject_sender_login_mismatch.py:
            + able to allow certain user/domain to send email as sender
              address under the same domain.
            + able to not check forged sender which sent without smtp auth, or
              bypass specified forged sender addresses.

        - plugins/amavisd_wblist.py:
            + Able to check white/blacklist for outbound message.
              Note: new SQL table `amavisd.outbound_wblist` is required.
            + Able to not check white/blacklists on outgoing emails sent by
              authenticated user. Default is not bypassed.
              Note: Controlled by new setting: `WBLIST_BYPASS_OUTGOING_EMAIL`,
              default value is False (not bypassed).

        - plugins/{sql,ldap}_force_change_password_in_days.py:
            + Allow specified users or domains to never change password.

    * Fixed issues:
        * plugins/sql_access_policy.py:
            - not check alias domain.
              Thanks <mlocati _at_ gmail.com> for the report in forum.
        * plugins/sql_force_change_password_in_days.py:
            - Not correctly compare password last change date.
        * plugins/amavisd_wblist.py:
            - sender 'user@*' doesn't work.
              Thanks <kmihalj _at_ efzg.hr> for the report in forum.
        * Not correctly return value in libs/amavisd/core.py, function
          Thanks <kmihalj _at_ efzg.hr> for the report in forum.

    * New setting: `MYNETWORKS`. used to set trusted or internal networks.
    * Plugin `ldap_domain_wblist` was removed, we didn't use it at all.
    * Plugin `ldap_recipient_restrictions` is marked as deprecated, please use
      `amavisd_wblist` instead.

    * Fixed issues:
        * plugins/ldap_maillist_access_policy.py: not use correct ldap
          connection cursor. this causes access policy not work.
        * plugins/reject_sender_login_mismatch.py: Not return correct value for
          allowed senders.
        * Not correctly fetch SQL query result with SQLAlchemy.
        * Doesn't work with PostgreSQL backend.
        * iRedAPD daemon exits with error (9, 'Bad file descriptor').

    * Improvements:
        * Use sql connection pool provided by SQLAlchemy.
        * Log reject and other non-DUNNO actions in iredadmin database
          (log_action_in_db = True).
        * plugins/amavisd_wblist: able to use 'user@*' as white/blacklist
        * plugins/sql_alias_access_policy, plugins/ldap_maillist_access_policy:
          able to use `*@domain.com` (all senders from `domain.com`) as
        * plugins/reject_sender_login_mismatch.py:
            + New optional setting ALLOWED_LOGIN_MISMATCH_LIST_MEMBER, used to
              allow member of mail list/alias to send as mail list/alias.
              Default is False.
            + Setting ALLOWED_LOGIN_MISMATCH_SENDERS is now optional.
        * Log smtp protocol state in log file.

    * Fixed issues:
        * plugins/amavisd_message_size_limit.py: just use the first valid
          policy (with highest priority) and skip rest.
        * plugins/reject_sender_login_mismatch.py: not reject email if sender
          is forged address (sender domain is hosted locally).
        * Not close sql connection explicitly.

    * New plugins:
        * plugins/amavisd_wblist.py.
          Used to reject blacklisted senders and bypass whitelisted senders in
          Amavisd per-recipient white/blacklists stored in SQL table
          Works with OpenLDAP/MySQL/PostgreSQL backends.

        * plugins/amavisd_message_size_limit.py.
          Wworks with Postfix 'smtpd_end_of_data_restrictions'.
          Used to reject email if current message size exceeds per-recipient
          message_size_limit stored in Amavisd database (column
          Works with OpenLDAP/MySQL/PostgreSQL backends.

        * plugins/reject_null_sender.py.
          Used to reject message submitted by sasl authenticated user but
          specifying null sender in 'From:' header (from=<> in mail log).
          Works with OpenLDAP/MySQL/PostgreSQL backends.

    * Improvements:
        * New tool to help upgrade iRedAPD: tools/upgrade_iredapd.sh.
        * Verify whether sender (From:) is an alias address of sasl username
        * Able to bypass whole domain if sender login mismatch
        * Detect alias domains while check mail list access policy

        * Detect current smtp protocol state and pick up applicable plugins.
          It's now working with Postfix 'smtpd_end_of_data_restrictions'.

    * Fixed:
        - plugins/sql_force_change_password_in_days.py: not correctly set
          password last change date if user didn't reset password before.
          Thanks Joel A.G.Oliveira <joel _at_ gabrieldeoliveira dot com.br>
          for the report.
        - Close socket channel after each smtp session.
          Thanks Václav Bílek <vaclav.bilek _at_ livesport dot eu> for the
        - Improper rc script for FreeBSD: set_rcvar -> set_rcvar_obsolete.

    * New plugin to force user to change password in certain days. Please
      read comment in plugin file to understand how to configure it and how
      it works.
        + For LDAP backend: ldap_force_change_password_in_days
        + For MySQL/PostgreSQL backend: sql_force_change_password_in_days

    * Fixed:
        + Not detect returned values before processing (split string) in
          plugin sql_user_restrictions.py.
          Thanks jford <jford _at_ cisp dot com> for the report.
        + Incorrect detection of sender domain (missing '@') in plugin
          Thanks Tim Lau for the report.

    * Fixed:
        + Incorrect detection of domain (missing '@') in plugin
          Thanks wildweasel@forum for the report.
        + Fix Python path on FreeBSD after the latest ports tree update.
          Thanks hainan <hasanalpinan _at_ gmail> in our online support forum
          for the report and fix.

    * Fixed:
        + Incorrect return values of service status in rc scripts on Linux.
          Thanks Marek Skubela <marek.skubela _at_ gmail> for the report.
        + Don't return DUNNO if sender address has less than 6 characters.
          Thanks warriornew for the report in our bbs.
        + Incorrect variable name in plugins/sql_alias_access_policy.py.
        + Not quote email address and domain name in SQL command in plugins
          sql_alias_access_policy.py, sql_user_restrictions.py.
          Thanks Petr Pytelka <pytelka _at_ lightcomp.cz> for the report.
        + Check sender domain immediately instead of querying addition domain
          names: plugins/ldap_maillist_access_policy.py.
        + Incorrect LDAP attribute name in plugins/ldap_recipient_restrictions:
          mailBlacklistedRecipient -> mailBlacklistRecipient (no 'ed').
          Thanks Ho ho <ho.iredmail _at_ gmail.com> for the report.

    * New plugin for all backends: reject_sender_login_mismatch.
      Reject sender login mismatch (sender in mail header and SASL username).
    * No iredapd-rr.py any more, we need only one instance of iRedAPD.
    * Remove dependence of web.py.
    * Better user alias and alias domain support in plugin
    * Plugin renamed:
      block_amavisd_blacklisted_senders -> ldap_amavisd_block_blacklisted_senders
    * New plugin for SQL backends: sql_user_restrictions.
      Note: 4 new columns on table `vmail.mailbox`, please refer to iRedMail
      upgrade tutorials.

    * Add rc scripts for OpenBSD.
    * Fixed:
        + Ignore signal SIGHUP, so that it will continue running after log
          rotation with newsyslog on FreeBSD.
          Thanks viq@bitbucket for the report.
        + Cannot correctly hander mail list access policy 'subdomain'.
        + Cannot handle '@.' (without quotes) to match all destinations.

    * New plugin for LDAP backend: ldap_expired_password. Used to force mail
      user to change the password in 90 days.
    * Log client IP address.
    * Supports PostgreSQL.
    * Excluding mail user in SQL query (plugin: sql_alias_access_policy).

    * Use MySQLdb directly for SQL related operations. Avoid 'too many
      connections' issue.
    * Fixed incorrect policy name in plugin 'sql_alias_access_policy.py':
      allowedOnly -> allowedonly (convert to lower case).

    * Fix incorrect ldap search scope in plugin 'ldap_maillist_access_policy'.

    * Bypass sender if it's under domainAliasName when access policy is
      'domain' or 'subdomain'. Thanks Alvin Chen <zhhchen@>.
    * New option for iredapd-rr: bypass_mynetworks. Used to bypass mails sent
      from postfix mynetworks.
    * Bypass user alias addresses (shadowAddress) if user is allowed to send
      to mail list. Thanks Henri Veldsink for his feedback and testing.
    * Allow to use same logging hander in plugins, print plugin debug message.
    * Query user aliases as allowed sender.
    * Print error message if plugin module doesn't exist.

    * Fix bug in src/plugins-rr/ldap_recipient_restriction.py. Thanks
      avrajesh@forum for his/her feedback.
    * Set default umask to 0077. Thanks rizkiwicaksono@forum.
    * New parameter: run_as_user. Used to force running iRedAPD as a low
      privileged user. Thanks rizkiwicaksono@forum.

    * Fix bypassing whitelisted sender issue in plugin:
      block_amavisd_blacklisted_senders. Thanks HoHo for his report.

    * Fix defective sender address list in plugin:
    * Fix incorrect recipient address in plugin: ldap_recipient_restrictions.

    * Ability to bypass or block centain domains or users in OpenLDAP backend.
      WARNING: This feature requires at least iRedMail-0.6.0.
    * Ability to handle policy 'subdomain'. Bypass if sender is under same
      domain or sub domains.
    * Ability to handle policy 'membersAndAllowedOnly'.
    * Support MySQL backend.
    * Add rc script for FreeBSD.

    * Change default action to 'DUNNO', so that we won't miss any email while
      incorrect config.
    * Add handle of LDAP quering of non exist recipient. Thanks Bill Holt for
      his report.
    * Prepend 'action=' only one time.

    * Fix incorrect member list, return all instead of one the first one.
    * Don't ignore external mail list members.

    * Fix incorrect ps parameter on FreeBSD.

    * Support plugins.

    * Fixed: return moderator list instead of the first one.
    * Fixed: remove accountStatus and enabledService in filter.
      mail list doesn't use it.

    * Initialize version.