Tony Finch *nix forums Guru
Joined: 22 Mar 2002
Posts: 1222
Posted: Thu Jan 27, 2005 3:30 pm Post subject:
Re: Wildcard certs
On Thu, 27 Jan 2005, Ryan Tracey wrote:
> I have a wildcard cert installed on obiwan.thawte.com. Give it a shot.
> Thawte's production servers, which still run exim3, seem to be TLSing to the
> exim4 box just fine. The logs show no errors for other tls hosts so far.
Are you using wildcard certs with MUAs? They often have really shoddy
protocol implementations.
Tony.
--
<fanf@exim.org> <dot@dotat.at> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
--
## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
Peter Bowyer *nix forums Guru
Joined: 27 Jan 2005
Posts: 340
Posted: Thu Jan 27, 2005 3:30 pm Post subject:
Re: Removing a wildcard address
On Thu, 27 Jan 2005 11:20:56 -0500, Ben Giddings <bg-exim@infofiend.com> wrote:
> On Jan 27, 2005, at 02:58, Michael Dominok wrote:
> > On Wed, 2005-01-26 at 22:57, Mike White wrote:
> > > Ben Giddings wrote:
> > > > Now, one of the addresses I use has started being nothing but spam, so
> > > > I want any email sent to that email address to be bounced. I think I
> > If you _bounce_ it you will most probably molest innocent users whose
> > eMail-addresses have been hijacked by some spammer/bot.
> > It is sensible to _reject_ at SMTP time or do the next best thing.
> > That's what Mike suggested: Silently drop the crap.
> Believe me, nobody who has this address is an innocent user, I think
> there's a decent chance that if I bounce the mail, they'll remove me
> from their lists, but I don't think they'll remove me if I ask, or fill
> out forms or whatever.
> I do really want to bounce the email -- to make it clear that that
> address doesn't exist.
No, you want to deny the mail at SMTP time. That gets a 'win' either
way - if a genuine MTA is sending the mail, it will deliver a
notification to the genuine sender. If it's a spambot and the from
address was forged, it will ignore you.
This is well-known best practice, and easy to implement in your RCPT
ACL with the 'deny' verb.
'Accept-then-bounce' is pretty much never the right thing to do.
Peter
Tony Finch *nix forums Guru
Joined: 22 Mar 2002
Posts: 1222
Posted: Thu Jan 27, 2005 3:32 pm Post subject:
Re: Very long delay after RCPT
On Thu, 27 Jan 2005, Ben Giddings wrote:
> The client is Mozilla thunderbird, Exim is the SMTP server it's connecting to,
> and it's doing local delivery, so no other software is involved, as far as I
> know. (I'm confused though, how could Exim be the client?)
When it is sending to another site.
> Anyhow, from the error message, it looks like it's not Thunderbird which is
> giving up after 11s, but Exim.
You have a configuration error. Look in your logs.
Tony.
Ryan Tracey *nix forums beginner
Joined: 27 Jan 2005
Posts: 6
Posted: Thu Jan 27, 2005 3:45 pm Post subject:
Re: Wildcard certs
Hi
> > I have a wildcard cert installed on obiwan.thawte.com. Give it a shot.
> > Thawte's production servers, which still run exim3, seem to be TLSing to the
> > exim4 box just fine. The logs show no errors for other tls hosts so far.
> Are you using wildcard certs with MUAs? They often have really shoddy
> protocol implementations.
No, sadly not; internally, at least, mail clients speak to the Exchange box, which in turn speaks to the mail gateway with the wildcard cert.
I'll see about some testing for that.
Cheers,
Ryan
p.s. I see from the mail logs that postini seems to be using a wildcard cert. Not one of ours, though:
paveway:/etc/exim4# openssl s_client -connect corp.idt.net.mail5.psmtp.com:25 -tls1 -starttls smtp
CONNECTED(00000003)
....cut...
Certificate chain
0 s:/C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
....cut...
Jan-Piet Mens *nix forums beginner
Joined: 27 Jan 2005
Posts: 24
Posted: Thu Jan 27, 2005 3:50 pm Post subject:
Re: closed connection in response to end of data
On Thu Jan 27 2005 at 15:30:34 CET, Tony Finch wrote:
> The problem occurs earlier than that, because the sender never sees the
> response to CRLF.CRLF and aborts at that point, but the recipient thinks
> the sender received it and said QUIT despite the sender thinking
> otherwise. Definitely firewall protocol fux-up.
It doesn't appear to be a protocol "fux-up" as you call it. We've traced
the outside (i.e. in this case sending side) and the inside (i.e. receiving
Exim). The Checkpoint FW1 is not "fixing" anything. The packet flow is
gatem (outside) ====> m1 (inside)
-----------------------------------------------------------
HELO
SMTP body
....
SMTP Message body [2] > SMTP Message
TCP ACK < TCP ACK
TCP ACK (for previous packets)
TCP ACK ""
TCP ACK ""
TCP ACK ""
TCP FIN,ACK < TCP FIN,ACK
TCP FIN > TCP FIN,ACK
< TCP ACK
TCP ACK
The last body packet sent in the inside direction actually does have the "\r\n.\r\n"
in it, which is correctly read by m1 on the inside. We don't see the 220 code
returning (neither to outside, nor from "inside"). This leads me to believe,
that the Exim process on "inside" has simply died off. Unfortunately, when
I try to re-run delivery on the same message-id by running the "inside" Exim
with `-d+all', the message is correctly processed, so I can't prove Exim's
original possible death.
What leads me to believe that Exim really has died is that I see the corresponding
files for the message-id in the spool/input directory. That is when they are subsequently
delivered by a normal queue runner process later, resulting in multiple deliveries.
During this time, the original message is still queued for delivery on "outside", and
sometimes is correctly delivered after one, two or more hours; again, this leads me
to believe in Exim's death.
It appears then, that it is a *content* problem. I have exiscan-acl configured, but
disabling that entirely doesn't solve the problem.
Any more ideas gentlemen?
-JP
Thomas CLavier *nix forums beginner
Joined: 27 Jan 2005
Posts: 1
Posted: Thu Jan 27, 2005 3:59 pm Post subject:
Re: special transport for special domains
Peter Bowyer wrote:
> Look in the documentation - you need a 'manualroute' router.
Yes! Thanks a lot; with the right keywords it's much better.
I even found in my Debian a solution that does everything with hubbed_hosts:
hubbed_hosts:
  debug_print = "R: hubbed_hosts for $domain"
  driver = manualroute
  domains = "${if exists{CONFDIR/hubbed_hosts}\
                 {partial-lsearch;CONFDIR/hubbed_hosts}\
                 fail}"
  route_data = ${lookup{$domain}partial-lsearch{CONFDIR/hubbed_hosts}}
  transport = remote_smtp
--
Thomas Clavier http://www.tcweb.org
Lille Sans Fil http://www.lillesansfil.org
+33 (0)6 20 81 81 30 JabberID : tom@jabber.tcweb.org
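The manualroute router above only makes sense together with the data file it reads, which the post does not show. As an added example (not from the thread and not Debian's packaging), here is the same idea written out with the file format, a port override and the inline route_list form. Domain names, host names, the port and the file path are assumptions.

```exim
# /etc/exim4/hubbed_hosts (path assumed): one entry per line, keyed by
# domain, with the host list the manualroute router will use as route data.
#
#   ourdomain.example:      mailhub.internal.example
#   .branch.example:        hub1.internal.example:hub2.internal.example
#   partner.example:        [192.0.2.25]::2525
#
# A leading "." lets partial-lsearch match the domain and every subdomain.
# A single ":" separates hosts in the list; "::2525" sets a non-default
# port; square brackets give an IP literal that needs no DNS lookup.

# Router, placed BEFORE dnslookup so the hub wins over the MX lookup.
hubbed_hosts:
  driver       = manualroute
  domains      = partial-lsearch;/etc/exim4/hubbed_hosts
  route_data   = ${lookup{$domain}partial-lsearch{/etc/exim4/hubbed_hosts}}
  transport    = remote_smtp
  # Default is "freeze": a hub whose name does not resolve would freeze
  # the message. "defer" queues it and retries instead (assumed wanted).
  host_find_failed = defer

# The same thing inline, for a couple of fixed domains, without a file.
# Each route_list item is "<domain pattern> <host list>", separated by ";".
hubbed_inline:
  driver       = manualroute
  route_list   = ourdomain.example  mailhub.internal.example ; \
                 *.branch.example   hub1.internal.example:hub2.internal.example
  transport    = remote_smtp
```

Check the result before relying on it with `exim -bt someone@partner.example`, which prints the router that accepted the address and the host list and port it will use; `exim -bt` for a domain not in the file should fall through to dnslookup.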
Tony Finch *nix forums Guru
Joined: 22 Mar 2002
Posts: 1222
Posted: Thu Jan 27, 2005 4:01 pm Post subject:
Re: closed connection in response to end of data
On Thu, 27 Jan 2005, Jan-Piet Mens wrote:
> The last body packet sent in the inside direction actually does have the "\r\n.\r\n"
> in it, which is correctly read by m1 on the inside. We don't see the 220 code
> returning (neither to outside, nor from "inside").
According to the debugging output you posted, it saw a successfully
terminated SMTP conversation with a QUIT from the sender.
> During this time, the original message is still queued for delivery on "outside", and
> sometimes is correctly delivered after one, two or more hours; again, this leads me
> to believe in Exim's death.
According to the debugging output you posted, it never saw the response to
CRLF.CRLF from the inside, and never said QUIT.
This inconsistency between the inside and the outside leads me to believe
that your firewall is the culprit. It might not have SMTP fux-up, but is
it doing any other kind of TCP proxying or content scanning?
If you're going to post tcpdump traces, please do so with -s1500 -vvv -X
from BOTH sides of the firewall.
Tony.
Philip Hazel *nix forums Guru
Joined: 27 Jan 2005
Posts: 863
Posted: Thu Jan 27, 2005 4:09 pm Post subject:
Re: "drop" verb and logging ..
On Thu, 27 Jan 2005, Adrian Phillips wrote:
> If I'm not mistaken it doesn't have "inodes" but simulates them for
> those programs that need to know :-
Thanks for that info. I'll do some further research/tests in due course.
--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
Ben Giddings *nix forums beginner
Joined: 27 Jan 2005
Posts: 5
Posted: Thu Jan 27, 2005 5:20 pm Post subject:
Re: Removing a wildcard address
Peter Bowyer wrote:
> No, you want to deny the mail at SMTP time. That gets a 'win' either
> way - if a genuine MTA is sending the mail, it will deliver a
> notification to the genuine sender. If it's a spambot and the from
> address was forged, it will ignore you.
Ah, you're right, that's what I meant. I want to deny the message. So
is there a way to do that by modifying /etc/aliases or do I have to
hard-code a rule in the config file?
Ben
Ben Giddings *nix forums beginner
Joined: 27 Jan 2005
Posts: 5
Posted: Thu Jan 27, 2005 7:13 pm Post subject:
Re: Very long delay after RCPT
Tony Finch wrote:
> > Anyhow, from the error message, it looks like it's not Thunderbird which is
> > giving up after 11s, but Exim.
> You have a configuration error. Look in your logs.
Very likely, but nothing at all is showing up in my logs, that was the
first place I looked. That's why I need some more help figuring out why
it's not working properly.
Ben
Eli *nix forums addict
Joined: 08 Feb 2005
Posts: 95
Posted: Thu Jan 27, 2005 8:08 pm Post subject:
RE: FW: dnslists : Mysql Lookup
Bill Hacker wrote:
> BTW - not overly impressed with SpamCop ... falsing a lot?
I don't really check the logs of the Exim servers too much, but no I don't
believe it to be falsing too much - just too many dorks getting themselves
listed for having spammers on their systems (so many clueless web designers
setting up hackable formmail scripts).
Besides, falsing blacklists (meaning hitting too much) is good for me & the
servers - less email to process :D
I've had good results using just spamcop and spamhaus. Doesn't block out
too much, and doesn't block out too little. It's nice because spamhaus
lists the known baddies and is a more static list since it's manually
maintained (afaik), and then spamcop gets all those newbies since it's
automatic - if it's listing a falser then it's not a big sweat since they'll
get pulled in a few days of no issues anyhow which is acceptable.
Eli.
ppichlak *nix forums beginner
Joined: 27 Jan 2005
Posts: 1
Posted: Thu Jan 27, 2005 8:37 pm Post subject:
Re: iplist filtering
Hello,
I am running Spamassassin from exim on a per email basis via exiscan-acl.
Stored in some file I have a list of ips that signify users whose email
should always be allowed through.
To prevent Spamassassin from filtering that email out as spam I wanted to
append
a header to each email with some message that Spamassassin would look for,
that way it would know that this message is allowed.
My solution was to do this using one of Exim's ACLs; unfortunately
Spamassassin can't see the appended header.
Any ideas, or different ways to go about this?
Peter
Alan J. Flavell *nix forums Guru
Joined: 05 Mar 2005
Posts: 311
Posted: Thu Jan 27, 2005 9:26 pm Post subject:
Re: Removing a wildcard address
I haven't followed this in detail, but I think I get the gist of your
question:
On Thu, 27 Jan 2005, Ben Giddings wrote:
> Ah, you're right, that's what I meant. I want to deny the message. So is
> there a way to do that by modifying /etc/aliases
So long as your RCPT ACL does a verify for the recipient address of
incoming mail, you can have entries in your alias files like
  uucp: :fail: This system account does not read mail.
  fred: :fail: Not accepting mail, consult postmaster@ourdomain.example
and so on. These will be triggered when recipient verification is
attempted. RTFM for details. You may need to set
  smtp_return_error_details = true
in the main configuration to be sure these details get back to the
offering MTA - I can't exactly remember.
> or do I have to hard-code a rule in the config file?
Oh no: the aliases file can be updated without having to kick the
daemon.
As ever, you should try running a test transaction (if necessary with
some debugging enabled) to be sure it's doing what you intended.
hth
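Putting Peter's advice (deny in the RCPT ACL) and Alan's advice (:fail: entries in the aliases file, picked up by recipient verification) together, here is an Exim 4 configuration fragment that refuses a dead address at RCPT time instead of accepting and bouncing. This is an added example, not configuration from the thread or from any distribution; the domain, the addresses, the file /etc/exim4/dead_addresses and its path are assumptions.

```exim
######################################################################
# Main configuration section (top of the file)
######################################################################
# Domains this host accepts mail for (assumed).
domainlist local_domains = @ : ourdomain.example

acl_smtp_rcpt = acl_check_rcpt

# Alan's suggestion: return the detailed reason (such as the text after
# :fail:) in the 550 response rather than a generic one.
smtp_return_error_details = true

######################################################################
begin acl

acl_check_rcpt:
  # Always accept the mandatory role addresses for our own domains.
  accept  local_parts = postmaster : abuse
          domains     = +local_domains

  # Peter's approach: an explicit deny at RCPT time. The file (assumed
  # path) lists one full address per line, e.g. oldlist@ourdomain.example.
  # A real MTA turns the 550 into a bounce to the real sender; a spambot
  # with a forged sender just ignores it. Either way this host never
  # generates a bounce itself.
  deny    recipients = lsearch;/etc/exim4/dead_addresses
          message    = $local_part@$domain: this address no longer accepts mail

  # Alan's approach: let the routers decide. verify = recipient runs the
  # routers for the address; a :fail: item in the aliases data makes the
  # redirect router fail it, so the RCPT is refused here rather than
  # accepted and bounced later.
  require verify = recipient

  accept  domains = +local_domains
  deny    message = relay not permitted

######################################################################
begin routers

system_aliases:
  driver      = redirect
  domains     = +local_domains
  # allow_fail is what permits :fail: items in the data (allow_defer
  # likewise for :defer:). Without it the entry is an error.
  allow_fail
  allow_defer
  data        = ${lookup{$local_part}lsearch{/etc/aliases}}
  # /etc/aliases then carries lines in the form Alan gave:
  #   uucp: :fail: This system account does not read mail.
  #   fred: :fail: Not accepting mail, consult postmaster@ourdomain.example
  # Edits to /etc/aliases take effect on the next lookup; no daemon
  # restart is needed.

localuser:
  driver      = accept
  check_local_user
  transport   = local_delivery
```

Test it before trusting it, as Alan says: `exim -bh 192.0.2.1` runs a fake SMTP session from that (assumed) client address so you can type `MAIL FROM` and `RCPT TO:<fred@ourdomain.example>` and see the 550 and its text; `exim -bt fred@ourdomain.example` shows the :fail: result from the router on its own. Note that the explicit deny runs before verification, so an address in the dead list is refused even if it still has a working alias.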
Alan J. Flavell *nix forums Guru
Joined: 05 Mar 2005
Posts: 311
Posted: Thu Jan 27, 2005 9:42 pm Post subject:
Re: FW: dnslists : Mysql Lookup
On Thu, 27 Jan 2005, Bill Hacker wrote:
> BTW - not overly impressed with SpamCop ... falsing a lot?
I wouldn't say so: it does pretty much what it says on the tin. It
would be inadvisable to reject on that alone. They pretty-much make
that clear on their documentation.
We have two areas where spamcop features.
After the tests of dnsRBLs on which we reject outright (which does not
include spamcop), we have some tests which feature two dnsRBL
conditions. One condition is a bunch of RBLs which register technical
issues such as probable-dialup, open mail relay, open web/mail relay,
open proxy, trojan infestation and so on. The other condition is some
RBLs which register, basically, "spam has been sighted" (currently we
do that with spamcop and with spam.sorbs, but this can change
according to experience). If *both* conditions trigger, then it's an
outright reject. If only one triggers, then it's points in the
spamassassin bucket (e.g. 4), and we hope for SA to catch them on some
other criteria and hit the rejection threshold.
So, spamcop features in a rejection rule, but only if one of the
technical blacklists also triggers; and it features in the dnsRBLs
which toss some points into the spamassassin bucket.
hth
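Alan's two-condition scheme (reject only when a "technical" list and a "spam sighted" list both hit; otherwise hand SpamAssassin some points) maps directly onto Exim's dnslists condition and ACL variables. The fragment below is an added example, not Alan's actual configuration; the zone names are placeholders chosen for illustration (Alan names only spamcop and spam.sorbs), and the header name X-RBL-Warning is assumed.

```exim
# Inside acl_check_rcpt, after recipient verification and after the
# blacklists on which you reject outright (not shown).

  # Class 1: "technical" lists (dial-up ranges, open relays and proxies,
  # trojaned hosts). Zone names are placeholders; use the ones you trust.
  # $dnslist_domain and $dnslist_text are set by a matching dnslists.
  warn    dnslists  = xbl.spamhaus.org : dul.dnsbl.sorbs.net
          set acl_m0 = 1
          set acl_m2 = ${dnslist_domain} (${dnslist_text})

  # Class 2: "spam has been sighted" lists (spamcop, spam.sorbs in Alan's
  # post; zone names again assumed).
  warn    dnslists  = bl.spamcop.net : spam.dnsbl.sorbs.net
          set acl_m1 = 1
          set acl_m3 = ${dnslist_domain} (${dnslist_text})

  # Both classes hit: reject outright, at RCPT time, with the evidence.
  deny    condition = ${if and{{eq{$acl_m0}{1}}{eq{$acl_m1}{1}}}}
          message   = $sender_host_address is listed in $acl_m2 and $acl_m3

  # Exactly one class hit: do not reject, but tag the message so that a
  # SpamAssassin rule can add its points (Alan uses 4) and the rest of
  # the SA scoring decides. add_header needs Exim 4.51 or later; on
  # older 4.x use "message =" on this warn statement instead.
  warn    condition  = ${if or{{eq{$acl_m0}{1}}{eq{$acl_m1}{1}}}}
          add_header = X-RBL-Warning: $acl_m2$acl_m3
```

On the SpamAssassin side this is one `header RBL_WARNING exists:X-RBL-Warning` rule with `score RBL_WARNING 4.0` in local.cf. Two caveats a practitioner will want: the acl_m variables are per message, so for a multi-recipient message the lookups are done once and the flags simply stay set for the later RCPTs; and a header added in the RCPT ACL reaches the message only if it is eventually accepted, which is what you want here.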
Michael Dominok *nix forums beginner
Joined: 28 Jan 2005
Posts: 15
Posted: Fri Jan 28, 2005 8:23 am Post subject:
Re: Removing a wildcard address
On Thu, 2005-01-27 at 22:26, Alan J. Flavell wrote:
> I haven't followed this in detail, but I think I get the gist of your
> question:
> On Thu, 27 Jan 2005, Ben Giddings wrote:
> > Ah, you're right, that's what I meant. I want to deny the message. So is
> > there a way to do that by modifying /etc/aliases
> So long as your RCPT ACL does a verify for the recipient address of
> incoming mail, you can have entries in your alias files like
>   uucp: :fail: This system account does not read mail.
And if that fails there still is /etc/exim4/local_sender_blacklist.
Though, I'm not sure if it's enabled by default (/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt).
Cheers
Michael