Guest
Posted: Mon Jan 10, 2005 2:15 am Post subject: Re: SMTP AUTH help
Ok, I tried changing the settings. I changed:
    relay_to_domains =

    acl_whitelist_local_deny:
      accept hosts = ${if exists{CONFDIR/local_host_whitelist}\
                         {CONFDIR/local_host_whitelist}\
                         {}}
      accept senders = ${if exists{CONFDIR/local_sender_whitelist}\
                           {CONFDIR/local_sender_whitelist}\
                           {}}

    acl_check_rcpt:
      accept hosts = :

      deny domains = +local_domains
           local_parts = ^[.] : ^.*[@%!/|]
           message = restricted characters in address

      deny domains = !+local_domains
           local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
           message = restricted characters in address

      accept local_parts = postmaster
             domains = +local_domains

      deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
           !acl = acl_whitelist_local_deny
           senders = ${if exists{CONFDIR/local_sender_blacklist}\
                         {CONFDIR/local_sender_blacklist}\
                         {}}

      deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
           !acl = acl_whitelist_local_deny
           hosts = ${if exists{CONFDIR/local_host_blacklist}\
                       {CONFDIR/local_host_blacklist}\
                       {}}

      accept domains = +local_domains
             endpass
             message = unknown user
             verify = recipient

      accept domains = +relay_to_domains
             endpass
             message = unrouteable address
             verify = recipient

      accept hosts = +relay_from_hosts

      accept authenticated = *

      deny message = relay not permitted

    acl_check_data:
      warn condition = ${if !def:h_Message-ID: {1}}
           hosts = +relay_from_hosts
           message = Message-ID: <E$message_id@$primary_hostname>

      accept

    login:
      driver = plaintext
      public_name = PLAIN
      server_prompts = Username:: : Password::
      server_condition = ${if and {{eq{$2}{user}}{eq{$3}{pass}}}{yes}{no}}
      server_set_id = $2
For some reason with these settings, I cannot authenticate. Apparently I was
wrong when I said authentication was working because when I tried it, it
just kept prompting me over and over. So, I changed authenticators to this,
which in theory should allow a connection with login of user, and password
of pass. Pretty simple, but, it does the same thing. Any ideas?
----- Original Message -----
From: "Tony Finch" <dot@dotat.at>
To: "Joe Csernik" <joe@csernik.com>
Cc: <exim-users@exim.org>
Sent: Sunday, February 06, 2005 1:54 PM
Subject: Re: [exim] SMTP AUTH help
| Quote: | On Sat, 5 Feb 2005, Joe Csernik wrote:
I REALLY need to deny access to SMTP from users that are not
authenticated.
Your relay_from_hosts list only contains localhost, so your ACL below
says that your users must be authenticated if they want to send email to
non-local domains, but don't have to be if they send to local domains.
Unless you separate your MX from your outgoing relay (which is a very good
idea, because it makes life harder for spammers) this is the best you can
do.
      accept domains = +local_domains
             endpass
             message = unknown user
             verify = recipient

      accept domains = +relay_to_domains
             endpass
             message = unrouteable address
             verify = recipient

      accept hosts = +relay_from_hosts

      accept authenticated = *
Tony.
--
<fanf@exim.org> <dot@dotat.at> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
--
## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
details at http://www.exim.org/ ##
|
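The relay logic Tony describes, as a simplified Python model added here (not code from the thread or from Exim): it covers only the four accept statements he quotes plus the final deny, with first-match evaluation and endpass. The domain, host and mailbox values are constructed.

```python
from dataclasses import dataclass

# Constructed values standing in for the lists named in the posted ACL.
LOCAL_DOMAINS = {"example.org"}          # +local_domains (hypothetical)
RELAY_TO_DOMAINS = set()                 # "relay_to_domains =" is empty in the post
RELAY_FROM_HOSTS = {"127.0.0.1"}         # "only contains localhost"
LOCAL_MAILBOXES = {"joe", "postmaster"}  # hypothetical local users


@dataclass
class Rcpt:
    host: str            # client IP address
    authenticated: bool  # True once SMTP AUTH has succeeded
    local_part: str
    domain: str


def verify_recipient(r):
    """Stand-in for 'verify = recipient': only local mailboxes are checked."""
    return r.domain not in LOCAL_DOMAINS or r.local_part in LOCAL_MAILBOXES


# (verb, conditions before endpass, conditions after endpass, message)
ACL_CHECK_RCPT = [
    ("accept", [lambda r: r.domain in LOCAL_DOMAINS], [verify_recipient], "unknown user"),
    ("accept", [lambda r: r.domain in RELAY_TO_DOMAINS], [verify_recipient], "unrouteable address"),
    ("accept", [lambda r: r.host in RELAY_FROM_HOSTS], [], None),
    ("accept", [lambda r: r.authenticated], [], None),
    ("deny", [], [], "relay not permitted"),
]


def check_rcpt(r):
    """Return (verdict, message) for one RCPT; the first decisive statement wins."""
    for verb, before, after, message in ACL_CHECK_RCPT:
        if not all(cond(r) for cond in before):
            continue                     # statement does not apply, try the next one
        if not all(cond(r) for cond in after):
            return ("deny", message)     # a failure after endpass rejects outright
        return (verb, message if verb == "deny" else None)
    return ("deny", None)                # falling off the end of an ACL is a deny


def demo():
    outside = "203.0.113.5"              # constructed address, not in relay_from_hosts
    cases = {
        "unauthenticated, local recipient": Rcpt(outside, False, "joe", "example.org"),
        "unauthenticated, unknown local recipient": Rcpt(outside, False, "nobody", "example.org"),
        "unauthenticated, remote recipient": Rcpt(outside, False, "bob", "elsewhere.test"),
        "authenticated, remote recipient": Rcpt(outside, True, "bob", "elsewhere.test"),
        "localhost, remote recipient": Rcpt("127.0.0.1", False, "bob", "elsewhere.test"),
    }
    return {name: check_rcpt(r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The first case is the one the thread turns on: mail for a local domain is accepted without authentication, and only relaying to other domains depends on AUTH or relay_from_hosts.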

Toralf Lund *nix forums beginner
Joined: 27 Jan 2005
Posts: 25
Posted: Thu Jan 27, 2005 11:18 am Post subject: Re: Returning mail via filter/how to avoid frozen messages
Tony Finch wrote:
| Quote: | On Thu, 27 Jan 2005, Toralf Lund wrote:
2. Principally speaking, I'm doing this as a normal (Exim) e-mail
user, not as an administrator. Now, I happen to know the root
password and have access to the Exim config, as you probably have
guessed by now, but I'm still not sure it's right to mess up the
global config with all sorts of special cases for my personal needs.
It's possible to cause Exim to run .forward files at RCPT time by removing
the no_verify option from the userforward redirect router. This means that
users (independent of the sysadmin) can cause messages to be rejected
rather than bounced. This might be useful in a setup which supports
local-part suffixes. One reason that the standard configuration does not
do this is that Exim is running as the exim user at verification time, so
users must make their .forward files globally readable.
|
Hmm. Yeah, maybe that's worth considering... So how would I reject a
message? The "fail" command?
What happens if the .forward file can't be read? Will the address
verification fail? Maybe I could use "ignore_eaccess" to prevent that?

Jeremy Harris *nix forums Guru Wannabe
Joined: 27 Jan 2005
Posts: 234
Posted: Thu Jan 27, 2005 11:52 am Post subject: Re: "drop" verb and logging ..
Tony Finch wrote:
| Quote: | On Thu, 27 Jan 2005, Philip Hazel wrote:
I'm a bit chary about not writing stuff to the main log, because it
would then be telling an incomplete story.
I find I often want to grep for lines only related to messages we
accepted, so I think it would be useful to have a log file containing
everything except the contents of the rejectlog. Grepping the whole
mainlog is time-consuming, given that ours are about 500MB/day, and the
machines don't have enough RAM to keep it in the buffer cache on the off
chance I need to do some searching.
|
You could run a continuous "tail -f mainlog | grep '<='".
But this runs into problems at log switchover time. It'd
be nice if exim could integrate the restart of such external
log-munchers. How does eximon manage? Could it do the job?
- Jeremy

Toralf Lund *nix forums beginner
Joined: 27 Jan 2005
Posts: 25
Posted: Thu Jan 27, 2005 12:20 pm Post subject: Re: Returning mail via filter/how to avoid frozen messages
Tony Finch wrote:
| Quote: | On Thu, 27 Jan 2005, Toralf Lund wrote:
2. Principally speaking, I'm doing this as a normal (Exim) e-mail
user, not as an administrator. Now, I happen to know the root
password and have access to the Exim config, as you probably have
guessed by now, but I'm still not sure it's right to mess up the
global config with all sorts of special cases for my personal needs.
It's possible to cause Exim to run .forward files at RCPT time by removing
the no_verify option from the userforward redirect router. This means that
users (independent of the sysadmin) can cause messages to be rejected
rather than bounced. This might be useful in a setup which supports
local-part suffixes. One reason that the standard configuration does not
do this is that Exim is running as the exim user at verification time, so
users must make their .forward files globally readable.
|
Actually, it turns out to be a bit harder than this. If user is set,
exim will actually try to change to that user when reading the forward
file, at least if it's a filter. It will fail to do that during the
verification, of course, unless the user happens to be the same one as
the one Exim is running as, i.e. often "exim". (This is essentially the
same problem as one discussed on another of my recent threads - on
failing alias expansion.) Furthermore, you typically want the forward
router to set "local user", not Exim. And you need *some* user if
filters are to be allowed.
However, I've now tried adding the following router instead:
    forwardtest:
      driver = redirect
      allow_filter
      allow_fail
      check_local_user
      user=exim
      group=exim
      no_check_owner
      no_check_group
      check_ancestor
      file = $home/.forward-test
      file_transport = address_file
      pipe_transport = address_pipe
      reply_transport = address_reply
      ignore_eacces
      verify_only
- with quite promising results. Notice how group and user are
overridden. check_local_user is still there, though, so that $home is
still set. Also, permission checks are skipped, and unreadable files are
treated as missing. I'm not using the read forward file(s) for this yet,
though. And I'm wondering if I need the transports etc.
- Toralf

Jim Roberts *nix forums beginner
Joined: 27 Jan 2005
Posts: 11
Posted: Thu Jan 27, 2005 1:14 pm Post subject: Re: closed connection in response to end of data
----- Original Message -----
From: "Jan-Piet Mens" <jpm@retail-sc.com>
To: "Tony Finch" <dot@dotat.at>
Cc: <exim-users@exim.org>
Sent: Wednesday, January 26, 2005 10:13 AM
Subject: Re: [exim] closed connection in response to end of data
| Quote: | On Wed Jan 26 2005 at 15:49:39 CET, Tony Finch wrote:
exim 4.44 on an internal one. On excess of 30k messages are correctly being
transferred from outside to inside, except certain messages from
a single sending domain.
Is there a firewall between the two machines? It might be buggering things
up. The other thing to try is to run the exim daemon in debugging mode on
the recipient host when the problem message is sent.
There is a Nokia appliance with Checkpoint FW1 between the two, but it can't
really be the culprit as delivery is only flawed with messages from a single
sending domain, although I cannot see any problem with the message content...
The size of the message doesn't appear to matter either.
snip hugelog
15:59:02 13954 SMTP<< QUIT
15:59:02 13954 SMTP>> 221 m1.intdus.retail-sc.com closing connection
15:59:02 13954 ---0 Get 0x81057a8 88 string.c 347
15:59:02 13954 LOG: smtp_connection MAIN
15:59:02 13954 SMTP connection from gatem.intdus.retail-sc.com
(gatem.retail-sc.com) [10.0.240.133] closed by QUIT
15:59:02 13954 search_tidyup called
15:59:02 13884 child 13954 ended: status=0x0
I don't see any indication of trouble in this. Do you?
-JP
|
No, I don't see any problem on the Exim (receiving) side. (Though my
log-scanning eyes are not very good).
Perhaps there is a problem with the firewall on the sending side? I've seen
firewalls do funny things with the last packets, such as drop them because
they "lose" the "related connection" state after the internal side sends a
"close connection". So the client MUA may be sitting about waiting for your
server to send a final ACK (TCP/IP) packet, which was sent, but may have
been dropped by the *client's* firewall, not yours. See if you can get a
log from the sending end. In particular, see if they will search their
firewall logs for dropped packets from/to you.
Jim Roberts
Punster Productions, Inc.

Bill Hacker *nix forums Guru
Joined: 27 Jan 2005
Posts: 427
Posted: Thu Jan 27, 2005 1:23 pm Post subject: Re: FW: dnslists : Mysql Lookup
Eli wrote:
| Quote: | Michael wrote:
Thanks,
I've just dumped it to a file and it reads two results
One after another without a space in a text file which would explain
something but doesn't really match up with my error from the Exim log.
You mentioned concatenating the result but will this work with
multiple rows as they are just not fields from within the same result
set
The correct answer to your question is already documented in Exim with
regards to SQL queries. It mentions that you get newlines and such at each
row of a query, so if you're getting multiple rows, you're getting
<word1>\n<word2> (maybe another \n at the end but that's not your problem).
Exim sees the \n in between and barfs - it's not built to understand what
you want with the \n character.
To fix this, wrap your query reply (final field in your lookup statement,
normally either blank, or {$value}) like this:
${sg{$value}{\\n}{, }}
This translates all \n's to a comma and space, or in your case you'll want a
colon and a space because this is what 2 blacklists look like:
dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net
Bill Hacker wrote:
.... and no need for the above monkey-motion at all.
Talk about monkey-motion! For such a relatively simple answer, you had the
man running around town with his pants down ;P
Eli.
|
ROFLMAO!
- 'Mea Culpa' - I am so accustomed to manually formatting before I leave
SQL that I hadn't a clue that Exim had its own tools for doing that....
(line end per record)
Fact is, I am beginning to wonder if there is anything Phil and helpers
*haven't* thought of already...
Great stuff!
- and more tools in the kit both ways.....
BTW - not overly impressed with SpamCop ... falsing a lot?
Thanks!
Bill

Tony Finch *nix forums Guru
Joined: 22 Mar 2002
Posts: 1222
Posted: Thu Jan 27, 2005 1:30 pm Post subject: Re: closed connection in response to end of data
On Thu, 27 Jan 2005, Jim Roberts wrote:
| Quote: |
Perhaps there is a problem with the firewall on the sending side? I've seen
firewalls do funny things with the last packets, such as drop them because
they "lose" the "related connection" state after the internal side sends a
"close connection". So the client MUA may be sitting about waiting for your
server to send a final ACK (TCP/IP) packet, which was sent, but may have been
dropped by the *client's* firewall, not yours. See if you can get a log from
the sending end.
|
The problem occurs earlier than that, because the sender never sees the
response to CRLF.CRLF and aborts at that point, but the recipient thinks
the sender received it and said QUIT despite the sender thinking
otherwise. Definitely firewall protocol fux-up.
Tony.
--
f.a.n.finch <dot@dotat.at> http://dotat.at/
CAPE WRATH TO RATTRAY HEAD INCLUDING ORKNEY: NORTHWEST 4 OR 5, OCCASIONALLY 6
IN EAST. PATCHY RAIN OR DRIZZLE AT TIMES. GOOD OR MODERATE. MODERATE TO ROUGH,
LOCALLY SLIGHT.

Philip Hazel *nix forums Guru
Joined: 27 Jan 2005
Posts: 863
Posted: Thu Jan 27, 2005 2:00 pm Post subject: Re: "drop" verb and logging ..
On Thu, 27 Jan 2005, Tony Finch wrote:
| Quote: | I find I often want to grep for lines only related to messages we
accepted, so I think it would be useful to have a log file containing
everything except the contents of the rejectlog. Grepping the whole
mainlog is time-consuming, given that ours are about 500MB/day, and the
machines don't have enough RAM to keep it in the buffer cache on the off
chance I need to do some searching.
|
Clearly the changing nature of the email load is causing people to want
different things. I am even more convinced that the solution from Exim's
point of view is to implement hooks for filtering log lines. Then you
can split them up any way you want.
--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book

Adrian Phillips *nix forums beginner
Joined: 27 Jan 2005
Posts: 7
Posted: Thu Jan 27, 2005 2:08 pm Post subject: Re: "drop" verb and logging ..
| Quote: | "Philip" == Philip Hazel <ph10@cus.cam.ac.uk> writes:
|
Philip> Eximon does it by remembering the inode of the log file,
Philip> and checking to see whether it has changed. When I wrote
Philip> the code, I didn't know that there were file systems that
Philip> do not use inodes.
Philip> I believe that reiserfs doesn't have inodes. Is anybody
If I'm not mistaken it doesn't have "inodes" but simulates them for
those programs that need to know :-
tandem@freeze:tandem 721# touch tt
tandem@freeze:tandem 722# ls -li tt
175005 -rw-r--r-- 1 tandem tandem 0 Jan 27 15:07 tt
tandem@freeze:tandem 723# mv tt tt.old
tandem@freeze:tandem 724# touch tt
tandem@freeze:tandem 725# ls -li tt
175058 -rw-r--r-- 1 tandem tandem 0 Jan 27 15:07 tt
tandem@freeze:tandem 726# ls -li tt.old
175005 -rw-r--r-- 1 tandem tandem 0 Jan 27 15:07 tt.old
Sincerely,
Adrian Phillips
--
Who really wrote the works of William Shakespeare ?
http://www.pbs.org/wgbh/pages/frontline/shakespeare/

Philip Hazel *nix forums Guru
Joined: 27 Jan 2005
Posts: 863
Posted: Thu Jan 27, 2005 2:12 pm Post subject: Re: "drop" verb and logging ..
On Thu, 27 Jan 2005, Jeremy Harris wrote:
| Quote: | You could run a continuous "tail -f mainlog | grep '<='".
But this runs into problems at log switchover time.
snip
How does eximon manage?
|
A very good question that I think has turned up a bug!
Eximon does it by remembering the inode of the log file, and checking to
see whether it has changed. When I wrote the code, I didn't know that
there were file systems that do not use inodes.
I believe that reiserfs doesn't have inodes. Is anybody running Exim
with log files being written to such a file system? If so, what does
Eximon do when you rename a log file?
--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
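One way to follow a log across switchover using the inode comparison Philip describes for Eximon, filtering for the '<=' arrival lines from Jeremy's grep. This is an added Python example, not Eximon's code; the class name and the sample log lines are constructed.

```python
import os
import tempfile


class RotationAwareFollower:
    """Follow a log file by path and reopen it when the path names a new file."""

    def __init__(self, path, marker=b" <= "):
        self.path, self.marker = path, marker
        self.fh = None       # handle on the file currently being read
        self.ident = None    # (device, inode) of that handle
        self.reopens = 0

    def _open(self):
        self.fh = open(self.path, "rb")
        st = os.fstat(self.fh.fileno())
        self.ident = (st.st_dev, st.st_ino)  # inode numbers are unique per device only

    def _read_new(self):
        out = []
        while True:
            pos = self.fh.tell()
            line = self.fh.readline()
            if not line.endswith(b"\n"):     # end of file or a half-written line
                self.fh.seek(pos)            # re-read it once it is complete
                return out
            if self.marker in line:
                out.append(line.decode("utf-8", "replace").rstrip("\n"))

    def poll(self):
        """Return matching lines written since the last call."""
        if self.fh is None:
            if not os.path.exists(self.path):
                return []
            self._open()
        out = self._read_new()               # drain the old file before switching
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return out                       # renamed away, replacement not created yet
        if (st.st_dev, st.st_ino) != self.ident:
            self.fh.close()                  # held open until now, so its inode was not reused
            self._open()
            self.reopens += 1
            out += self._read_new()
        elif st.st_size < self.fh.tell():    # same file, truncated in place
            self.fh.seek(0)
            out += self._read_new()
        return out


def demo():
    """Rotate a constructed Exim-style main log under the follower."""
    path = os.path.join(tempfile.mkdtemp(), "mainlog")
    with open(path, "w") as f:               # constructed sample lines
        f.write("2005-01-27 14:00:01 1CuAAA-0001ab-00 <= a@example.org H=mx.example.org S=1200\n")
        f.write("2005-01-27 14:00:02 1CuAAA-0001ab-00 => joe <joe@example.org>\n")
    follower = RotationAwareFollower(path)
    seen = [follower.poll()]
    with open(path, "a") as f:
        f.write("2005-01-27 14:00:03 1CuAAB-0001cd-00 <= b@example.org H=mx.example.org S=900\n")
    os.rename(path, path + ".01")            # log switchover
    seen.append(follower.poll())
    with open(path, "w") as f:
        f.write("2005-01-27 14:00:04 1CuAAC-0001ef-00 <= c@example.org H=mx.example.org S=700\n")
    seen.append(follower.poll())
    return seen, follower.reopens
```

Comparing against the identity of the handle that is still open, rather than a remembered number alone, also covers the case where a file system hands a freed inode number to the replacement file.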

Ryan Tracey *nix forums beginner
Joined: 27 Jan 2005
Posts: 6
Posted: Thu Jan 27, 2005 3:01 pm Post subject: Re: Wildcard certs
Hi Mark
| Quote: | As far as I can tell from the archives, Exim's TLS will work just fine
with a wildcard certificate, but before I shell out I thought I'd get
confirmation from the list.
To be specific, we're talking about a Thawte wildcard certificate,
chained through an intermediary (yes, Thawte is selling wildcards
again as of yesterday).
Any issues I should be aware of?
|
I have a wildcard cert installed on obiwan.thawte.com. Give it a shot.
Thawte's production servers, which still run exim3, seem to be TLSing to the exim4 box just fine. The logs show no errors for other tls hosts so far.
Let me know if you experience any problems.
Cheers,
Ryan

Ben Giddings *nix forums beginner
Joined: 27 Jan 2005
Posts: 5
Posted: Thu Jan 27, 2005 3:20 pm Post subject: Re: Removing a wildcard address
On Jan 27, 2005, at 02:58, Michael Dominok wrote:
| Quote: | On Wed, 2005-01-26 at 22:57, Mike White wrote:
Ben Giddings wrote:
Now, one of the addresses I use has started being nothing but spam, so
I want any email sent to that email address to be bounced. I think I
If you _bounce_ it you will most probably molest innocent users whose
eMail-addresses have been hijacked by some spammer/bot.
It is sensible to _reject_ at SMTP time or do the next best thing.
That's what Mike suggested: Silently drop the crap.
|
Believe me, nobody who has this address is an innocent user, I think
there's a decent chance that if I bounce the mail, they'll remove me
from their lists, but I don't think they'll remove me if I ask, or fill
out forms or whatever.
I do really want to bounce the email -- to make it clear that that
address doesn't exist.
Ben

Ben Giddings *nix forums beginner
Joined: 27 Jan 2005
Posts: 5
Posted: Thu Jan 27, 2005 3:28 pm Post subject: Re: Very long delay after RCPT
On Jan 27, 2005, at 05:57, Tony Finch wrote:
| Quote: | On Wed, 26 Jan 2005, Ben Giddings wrote:
The problem is the long time between "RCPT TO:" and the response (11s), in
this case apparently causing a timeout. I've tried the same message again,
and although there a long time again (17s), this time the message was sent.
Eleven seconds is MUCH shorter than the minimum SMTP timeout of five
minutes. You weren't very clear about whether Exim is being the client
or the server, and what other software is involved.
|
The client is Mozilla thunderbird, Exim is the SMTP server it's
connecting to, and it's doing local delivery, so no other software is
involved, as far as I know. (I'm confused though, how could Exim be
the client?)
Anyhow, from the error message, it looks like it's not Thunderbird
which is giving up after 11s, but Exim.
Ben

Tony Finch *nix forums Guru
Joined: 22 Mar 2002
Posts: 1222
Posted: Thu Jan 27, 2005 3:30 pm Post subject: Re: Wildcard certs
On Thu, 27 Jan 2005, Ryan Tracey wrote:
| Quote: |
I have a wildcard cert installed on obiwan.thawte.com. Give it a shot.
Thawte's production servers, which still run exim3, seem to be TLSing to the
exim4 box just fine. The logs show no errors for other tls hosts so far.
|
Are you using wildcard certs with MUAs? They often have really shoddy
protocol implementations.
Tony.
--
<fanf@exim.org> <dot@dotat.at> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
The time now is Tue Dec 02, 2008 6:15 am | All times are GMT