Delegated mailbox with SOGo gives "Recipient address rejected: Sender is not same as SMTP authenticate username" #202

Open
ouitec opened this issue Jan 4, 2023 · 3 comments

ouitec commented Jan 4, 2023

Hello,

When activating Mailbox delegation under SOGo from contact@domain.com for user@domain.com


then I connect to SOGo with user@domain.com and use the automated available from "contact@domain.com" and get this error when sending to test@gmail.com :


Error :

5.7.1 <test@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username

REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER:

  • iRedMail version (check /etc/iredmail-release): 1.6.1 OPENLDAP edition.
  • Deployed with iRedMail Easy or the downloadable installer? downloadable installer
  • Linux/BSD distribution name and version: Centos 8
  • Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
  • Web server (Apache or Nginx): NGINX
  • Manage mail accounts with iRedAdmin-Pro? Yes
  • [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

sogo.log :

2023-01-04 15:27:16.227 sogod[160453:160453] SMTP: STARTTLS successfully performed
2023-01-04 15:27:16.240 sogod[160453:160453] SMTP(RCPT TO) error: 5.7.1 <test@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username
Jan 04 15:27:16 sogod [160453]: [ERROR] <0x0x55730d2bb6b0[SOGoMailer]> Could not connect to the SMTP server smtp://127.0.0.1:587/?tls=YES&tlsVerifyMode=allowInsecureLocalhost
Jan 04 15:27:16 sogod [160453]: X.X.X.X "POST /SOGo/so/user@domain.com/Mail/0/folderDrafts/newDraft1672842134-1/send HTTP/1.0" 405 144/142 0.062 - - 28K - 19

dovecot.log :

Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: auth client connected (pid=0)
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=127.0.0.1#011rip=127.0.0.1#011secured
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: client passdb out: CONT#0111
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: client in: CONT#0111#011[base64 SASL PLAIN response redacted] (previous base64 data may contain sensitive data)
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: ldap(user@ouitec.fr,127.0.0.1): Performing passdb lookup
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: ldap(user@ouitec.fr,127.0.0.1): bind search: base=o=domains,dc=domains,dc=com filter=(&(objectClass=mailUser)(accountStatus=active)(!(domainStatus=disabled))(enabledService=mail)(enabledService=smtpsecured)(|(mail=user@domain.com)(&(enabledService=shadowaddress)(shadowAddress=user@domain.com))))
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: ldap(user@domain.com,127.0.0.1): result: mail=user@domain.com; mail unused
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: ldap(user@domain.com,127.0.0.1): Finished passdb lookup
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: auth(user@domain.com,127.0.0.1): Auth request finished
Jan  4 15:10:20 mail dovecot[1074]: auth: Debug: client passdb out: OK#0111#011user=user@domain.com

maillog :

Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: connect from localhost[127.0.0.1]
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: discarding EHLO keywords: CHUNKING
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: discarding EHLO keywords: CHUNKING
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <test@gmail.com>: Recipient address rejected: Sender is not same as SMTP authenticate username; from=<contact@domain.com> to=<test@gmail.com> proto=ESMTP helo=<localhost>
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: lost connection after RCPT from localhost[127.0.0.1]
Jan  4 15:10:20 mail postfix/submission/smtpd[167907]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=0/1 commands=5/6
@iredmail iredmail closed this as completed Jan 7, 2023
Author

ouitec commented Jan 7, 2023

Hello,

I knew this documentation indeed. But this is not answering the issue.

This is already enabled:
ALLOWED_LOGIN_MISMATCH_LIST_MEMBER = True

About adding :
ALLOWED_LOGIN_MISMATCH_SENDERS = ['user@domain.com']

  1. A manual modification is needed by administrators each time a user wants to give a delegation to another user, this is not trivial at all.
  2. Using SMTP, this will allow those users to send a mail with any from address, this is absolutely not possible in our case and not really professional in any other case because of possibility of identity usurpation.

Postfix should read a permit sender list from SOGo database.

Don't you want to add this feature ?

Owner

iredmail commented Jan 14, 2023

>   • A manual modification is needed by administrators each time a user wants to give a delegation to another user, this is not trivial at all.
>   • Using SMTP, this will allow those users to send a mail with any from address, this is absolutely not possible in our case and not really professional in any other case because of possibility of identity usurpation.

You're right. We should improve iRedAPD to query SQL/LDAP to get such (per-user) allowed senders in future release.

> Postfix should read a permit sender list from SOGo database.
>
> Don't you want to add this feature ?

  • I think the most ideal way to implement such feature is improving iRedAPD plugin reject_sender_login_mismatch.py, not Postfix.
  • Yes we're interested in implementing it in iRedAPD. Contributions are welcome. :)

@iredmail iredmail reopened this Jan 14, 2023
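
The difference between the global setting and the per-user lookup discussed in this thread, as an added example (not iRedAPD's code and not part of any comment above): a minimal Postfix policy-delegation check in Python. The `DELEGATIONS` table, the function names and the `ceo@domain.com` address are constructed for illustration; a real plugin would load delegations from SQL/LDAP.

```python
# Added example: global mismatch allow-list vs. per-user sender delegation.
# DELEGATIONS is a constructed stand-in for a lookup against SQL/LDAP.
DELEGATIONS = {
    # authenticated login -> sender addresses that login may use
    "user@domain.com": {"contact@domain.com"},
}
# Simplified model of ALLOWED_LOGIN_MISMATCH_SENDERS = ['user@domain.com']
GLOBAL_MISMATCH_SENDERS = {"user@domain.com"}

REJECT = "REJECT Sender is not same as SMTP authenticate username"


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy delegation request (name=value lines)."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break  # an empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def check_global(attrs: dict) -> str:
    """Global allow-list: a listed login may use any sender address."""
    sender = attrs.get("sender", "").lower()
    login = attrs.get("sasl_username", "").lower()
    if not login or sender == login or login in GLOBAL_MISMATCH_SENDERS:
        return "DUNNO"
    return REJECT


def check_per_user(attrs: dict) -> str:
    """Per-user delegation: a login may use only senders delegated to it."""
    sender = attrs.get("sender", "").lower()
    login = attrs.get("sasl_username", "").lower()
    if not login or sender == login:
        return "DUNNO"  # simplification: unauthenticated mail is not judged here
    if sender in DELEGATIONS.get(login, set()):
        return "DUNNO"
    return REJECT


def build_request(sender: str, login: str) -> str:
    """Constructed sample request carrying the attributes used above."""
    return (f"request=smtpd_access_policy\nprotocol_state=RCPT\n"
            f"sender={sender}\nrecipient=test@gmail.com\n"
            f"sasl_username={login}\n\n")
```

With the global list, `user@domain.com` passes with any sender address; with the per-user table, only the delegated `contact@domain.com` passes and every other mismatch is rejected.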