Skip to content
A simple Postfix policy server.
Python Shell PLpgSQL TSQL
Branch: master
Clone or download
iredmail - tools/cleanup_db.py: instead of deleting all matched records in one
  command, it now deletes limited records (defaults to 1000) each time.
  If some SQL table has a lot records, deleting all in one command may
  take a long time and causes deadlock/conflict, SQL server may abort
  the transaction.
Latest commit 58c866c Jan 24, 2020
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
SQL Don't create senderscore_cache.id column. Oct 9, 2019
libs - tools/cleanup_db.py: instead of deleting all matched records in one Jan 24, 2020
plugins
rc_scripts Use 'python2' instead of 'python'. Feb 24, 2019
samples Switch from 'except Exception, e:' to 'except Exception as e:'. Sep 17, 2019
tests
tools
.hgignore Log some useful greylisting info at INFO level. Jan 22, 2016
ChangeLog - tools/cleanup_db.py: instead of deleting all matched records in one Jan 24, 2020
INSTALL.md Typo. Sep 24, 2019
README.md
README_PLUGINS.md Typo. Sep 24, 2019
UPGRADE.md New file: UPGRADE.md. Mar 17, 2016
iredapd.py Support --foreground argument to run in foreground. Useful for buildi… Dec 27, 2019
settings.py.sample Switch to syslog. Mar 26, 2019

README.md

Introduction

  • iRedAPD is a simple Postfix policy server, written in Python and runs as a low-privileged user (iredapd by default), with plugin support.
  • The latest iRedAPD works with OpenLDAP, MySQL/MariaDB and PostgreSQL backends.
  • License: GPL v3, except few files are in different licenses, shipped in iRedAPD for easier setup, but not license change.
    • file libs/daemon.py is BSD license.
    • file libs/srslib.py is Apache License, Version 2.0.
  • Author: Zhang Huangbin .

NOTES:

  • iRedAPD is a sub-project of iRedMail project.
  • iRedAPD is installed and enabled in iRedMail by default, you don’t need this tutorial if you already have iRedMail running. For standard installation please check document INSTALL.md.
  • iRedAPD listens on 3 ports by default:
    • 7777: normal smtp policy service
    • 7778: SRS (Sender Rewriting Scheme) for sender address rewriting
    • 7779: SRS (Sender Rewriting Scheme) for recipient address rewriting
  • You can manage iRedAPD with iRedMail web admin panel - iRedAdmin-Pro.

Manage iRedAPD with command line tools

iRedMail project has a detailed tutorial to show you how to manage iRedAPD with command line tools: Manage iRedAPD

Available plugins

Plugins are files placed under plugins/ directory, plugin name is file name without file extension .py. It's recommended to read comment lines in plugin source files to understand how it works and what it does.

Plugins for all backends

  • reject_to_hostname: reject emails sent to xxx@<server hostname> from external network.

  • reject_sender_login_mismatch: Reject sender login mismatch (addresses in From: and SASL username). It will verify user alias addresses against SQL/LDAP database.

    This plugin also verifies forged sender address, e.g. sending email as a local domain to local domain.

  • reject_null_sender: Reject message submitted by sasl authenticated user but use null sender in From: header (from=<> in Postfix log). RECOMMENDED to enable this plugin. It doesn't require SQL/LDAP query.

    If your user's password was cracked by spammer, spammer can use this account to bypass smtp authentication, but with a null sender in From: header, throttling won't be triggered.

  • amavisd_wblist: Whitelist/blacklist for both inbound and outbound messages.

    The white/blacklists are used by both iRedAPD (before-queue) and Amavisd (after-queue).

  • greylisting: for greylisting service.

  • throttle: Throttling based on:

    • max number of mail messages sent/received in specified period of time
    • total mail size sent in specified period of time
    • size of single message
  • whitelist_outbound_recipient: automatically whitelist recipient addresses of outgoing emails sent by sasl authenticated (local) users. It's able to whitelist single recipient address or domain for greylisting and normal white/blacklist.

Plugins for OpenLDAP backend

  • ldap_maillist_access_policy: restrict who can send email to mail list.
  • ldap_force_change_password_in_days: force users to change password in days (default 90 days). User cannot send email before resetting password.

Plugins for MySQL/MariaDB and PostgreSQL backends

  • sql_alias_access_policy: restrict who can send email to mail alias.
  • sql_force_change_password_in_days: force users to change password in days (default 90 days). User cannot send email before resetting password.
You can’t perform that action at this time.