Re: [exim] secondary MX: allow only a set of users
On Thu, Dec 20, 2007 at 02:15:48PM -0800, Phil Pennock wrote: On 2007-12-20 at 14:23 +0100, Wouter Verhelst wrote: Look for 'smtp_reserve_hosts'. With this, you can allow the backup MX to connect to the master even when the master is already 4xx'ing other hosts because of things like smtp_load_reserve. Look up Single Point Of Failure. Trust me, I know all about SPOFs. The point of secondary MX is to remove SPOFs whilst still accepting email to within your administrative control, so that you can clear things up quickly when problems are resolved and don't have to worry about broken remote systems doing things like auto-unsubscribing you from a mailing-list, etc. Yes, yes. If you're happy for mail to remain with the senders' systems, then you don't need secondary MXs; if you treat email as sufficiently mission-critical that you should be able to deliver mail within a certain time-period, then secondary MXs aren't enough. Fully redundant parallel delivery which works is hard, secondary MX is good enough for most people. The router crashed, mail couldn't get through for 10 minutes, but all the stuff sent by real MTAs went to the backup MX on the different network and I've flushed the queues, so all delayed email has now been delivered. If you don't have the important business document yet, it wasn't sent or is still in the sender's systems for some reason and it's their technical problem, not ours This will still work with receiver callout verification, for the very simple reason that callout verification is actually cached. It will be problematic to receive spam to non-existing email addresses which hadn't been seen before during the downtime of the primary, but that's a feature, not a bug. It only becomes a problem once the cache times out; this setup will therefore not help when you're talking about the server will be down for maintenance during the next 8 hours, but you'll probably have problems then, anyway. -- Lo-lan-do Home is where you have to wash the dishes. -- #debian-devel, Freenode, 2004-09-22 -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
On 2007-12-28 at 15:32 +0100, Wouter Verhelst wrote: This will still work with receiver callout verification, for the very simple reason that callout verification is actually cached. It will be problematic to receive spam to non-existing email addresses which hadn't been seen before during the downtime of the primary, but that's a feature, not a bug. The secondary won't normally be getting much legitimate mail whilst the primary is up and working, just whatever might trickle through from some place with weird connectivity problems to the primary MX. So the cache is not going to be very warm. Further, the callout cache has various expire timeouts. So relying upon the callout cache as adequate is only going to even partially work if you know when the primary is going down and put a packet filter on it to only accept SMTP connections from the secondary for a while ahead of time. This seems to be a practice with limited utility. For a secondary MX to be useful it needs to not depend upon the primary and to know which recipients are valid for any given domain. Really, it's not hard to adjust configuration build systems to push data out to more than one place; if the config build is on the primary system, then it's not hard to push out to a second place. Heck, if anyone's using CDB files or other non-linear lookup type, then hopefully they already have a tool set to build the data and can just put replicate with rsync over passphraseless SSH key in as the last step. Set that script as Exim's bi_command so that exim -bi/sendmail -bi will do the right thing and you're laughing. Where I've previously had to arrange for various people to be able to edit config files, I had a script which did the real work run as a dedicated user with the passphraseless SSH key (locked down on receiving server side, of course) and a wrapper script which was bi_command and that wrapper used sudo to invoke the real script as the right user. sudoers had NOPASSWD: on the relevant item. Hey presto, configs built as one consistent user, replicated with a key which the invokers can't get hold of (unless they have root). In the live production system for customer mail it was best to be able to guarantee that all customer updates happened at once. A couple of SSH connections, one of which did rsync (with --link-dest, I think; I forget the details) and the other which would do the management of sorting out updating the live config and cleaning up sufficienly old copies of config; I think that I settled for the race condition of a symlink update and 4xx delays for the relevant nanoseconds of missing config. Atomic symlink replacement would be nice. *sigh* Multiple machines in MX, multiple IPs, so clients would always just retry another MX host and there was no outage. -Phil -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
On Fri, 21 Dec 2007, Phil Pennock wrote: On 2007-12-22 at 02:46 +0100, Leonardo Boselli wrote: i also added _before_ this one the routers that use a local_part_prefix This way such prefixes are handled directly. however this led me to have 7 routers all similar. is possible to usa a file not only for local parts but also for local_parts_prefixes ??? The local_part affices are normally patterns and follow one consistent style for a given policy. These days, it's normally: local_part_suffix = +* local_part_suffix_optional perhaps with a prefix of real- allowed in a special-case. If you want more help, you're going to need to post your configuration, or at least the Routers section of it, so that we're not working blind. the 7 routers are all in the form: sb_dir: driver = accept domains = doma.in local_part_prefix = sb- retry_use_local_part transport = dipolo and change just the pt into other sequences of charchters i would linke to know if i could write local_part_prefix = /etc/exim4/allowed_prefixes.doma_in (also: is so, there prefixes are read ar start time or every time a message is coming ?) -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
On 22/12/2007 09:46, Leonardo Boselli wrote: i would linke to know if i could write local_part_prefix = /etc/exim4/allowed_prefixes.doma_in I don't see why not; you can certainly have local_part_prefix = ab- : cd- : ef- In fact you might even have domains = example.com example.net example.org local_part_prefix = /etc/exim4/allowed_prefixes.$domain Just try it; exim's testing facilities are excellent. (also: is so, there prefixes are read ar start time or every time a message is coming ?) The file would be stat'ed every time it was referred to (e.g. every time a message arrives), and reloaded when it changed, so changes to the file would be effective immediately rather than at the next restart. Cheers, John. -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
Il 20 Dec 2007 alle 3:17 Phil Pennock immise in rete Make the very first Router something like (untested): It works fine ... it is important is the first router. i also added _before_ this one the routers that use a local_part_prefix This way such prefixes are handled directly. however this led me to have 7 routers all similar. is possible to usa a file not only for local parts but also for local_parts_prefixes ??? -- Leonardo Boselli Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile Universita` di Firenze , V. S. Marta 3 - I-50139 Firenze tel +39 0554796431 cell +39 3488605348 fax +39 055495333 http://www.dicea.unifi.it/~leo -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
On 2007-12-22 at 02:46 +0100, Leonardo Boselli wrote: i also added _before_ this one the routers that use a local_part_prefix This way such prefixes are handled directly. however this led me to have 7 routers all similar. is possible to usa a file not only for local parts but also for local_parts_prefixes ??? The local_part affices are normally patterns and follow one consistent style for a given policy. These days, it's normally: local_part_suffix = +* local_part_suffix_optional perhaps with a prefix of real- allowed in a special-case. If you want more help, you're going to need to post your configuration, or at least the Routers section of it, so that we're not working blind. Thanks, -Phil -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
Il 19 Dec 2007 alle 22:11 Daniel Collis-Puro immise in rete Leonardo Boselli wrote: I want: avoid that the secondary mx accept email that in turn is sent to the primary and then bounced. So i would like to set a list of possible address that are accepted. such list however is not just a plain list of addresses, but it could be also a list with some addresses written as: abc-g* to say that it must accept any address whose five characters are abc-g what is the easier and quicher way to accomplish this, other than adding many director sections in exim4.conf ??? Why not use a recipient verification callout for the destination mail server? Something like: NOT feasible: the secondary mx is usually used when the primary is of, or overloaded and do not accept more connections or give immediately a 421 error. Also for other reason caching, unless on a file that can be easily moved between the MX 13 and MX 20, is not usable. -- Leonardo Boselli Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile Universita` di Firenze , V. S. Marta 3 - I-50139 Firenze tel +39 0554796431 cell +39 3488605348 fax +39 055495333 http://www.dicea.unifi.it/~leo -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
On 2007-12-19 at 22:46 +0100, Leonardo Boselli wrote: I have two servers and two more secondary MX. I want: avoid that the secondary mx accept email that in turn is sent to the primary and then bounced. So i would like to set a list of possible address that are accepted. such list however is not just a plain list of addresses, but it could be also a list with some addresses written as: abc-g* to say that it must accept any address whose five characters are abc-g what is the easier and quicher way to accomplish this, other than adding many director sections in exim4.conf ??? There are no Directors since Exim3, so I think that you mean Routers. The secondary MXs have your domain(s) in the relay_domains domainlist, right? Or some other domainlist which you can substitute in below? Make the very first Router something like (untested): relay_domains_filter: driver = redirect domains = +relay_domains local_parts = ! /etc/mail-config-dir/relay-accept allow_fail data = :fail: No such user If the domain matches +relay_domains and if the local_part does *NOT* match the local_part patterns in the relay-accept file, then reject the address. This assumes one set of domains, to be treated identically, so that the same LHS is the same in each domain. If you want to do this for just one domain that you relay for, that's easy, just change the value of +domains. If you want a directory with a file for each domain, then instead try something like this router; note that it still checks relay_domains for safety, so that you can't end up filtering mail for a domain that isn't yours. Note that both require_files and condition are evaluated after local_parts, which is why I put the file checks in domains; there are other valid ways of doing this. relay_domains_filter: driver = redirect domains = ${if and{\ {match_domain {$domain}{+relay_domains}}\ {exists {/etc/mail-config-dir/relay-filters/$domain}}\ } {$domain}{}} local_parts = ! /etc/mail-config-dir/relay-filters/$domain allow_fail data = :fail: No such user -Phil -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
On Thu, 20 Dec 2007, Phil Pennock wrote: There are no Directors since Exim3, so I think that you mean Routers. ok ... but i remember they were called in the first exim4 documentation director-routers Make the very first Router something like (untested): relay_domains_filter: driver = redirect domains = +relay_domains local_parts = ! /etc/mail-config-dir/relay-accept If the domain matches +relay_domains and if the local_part does *NOT* match the local_part patterns in the relay-accept file, then reject the address. i wull try it -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
On Thu, Dec 20, 2007 at 09:50:01AM +0100, Leonardo Boselli wrote: Il 19 Dec 2007 alle 22:11 Daniel Collis-Puro immise in rete Leonardo Boselli wrote: I want: avoid that the secondary mx accept email that in turn is sent to the primary and then bounced. So i would like to set a list of possible address that are accepted. such list however is not just a plain list of addresses, but it could be also a list with some addresses written as: abc-g* to say that it must accept any address whose five characters are abc-g what is the easier and quicher way to accomplish this, other than adding many director sections in exim4.conf ??? Why not use a recipient verification callout for the destination mail server? Something like: NOT feasible: Sure it is. the secondary mx is usually used when the primary is of, or overloaded and do not accept more connections or give immediately a 421 error. Look for 'smtp_reserve_hosts'. With this, you can allow the backup MX to connect to the master even when the master is already 4xx'ing other hosts because of things like smtp_load_reserve. Also for other reason caching, unless on a file that can be easily moved between the MX 13 and MX 20, is not usable. -- Care to give a bit more info on that? -- Lo-lan-do Home is where you have to wash the dishes. -- #debian-devel, Freenode, 2004-09-22 -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
On Wed, Dec 19, 2007 at 10:46:01PM +0100, Leonardo Boselli wrote: I have two servers and two more secondary MX. I want: avoid that the secondary mx accept email that in turn is sent to the primary and then bounced. So i would like to set a list of possible address that are accepted. such list however is not just a plain list of addresses, but it could be also a list with some addresses written as: abc-g* to say that it must accept any address whose five characters are abc-g what is the easier and quicher way to accomplish this, other than adding many director sections in exim4.conf ??? You could use receiver callout verification on the backup MX: accept domains = +local_domains message = No such user endpass verify = recipient/callout -- Lo-lan-do Home is where you have to wash the dishes. -- #debian-devel, Freenode, 2004-09-22 -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
On Thu, 20 Dec 2007, Wouter Verhelst wrote: On Thu, Dec 20, 2007 at 09:50:01AM +0100, Leonardo Boselli wrote: Il 19 Dec 2007 alle 22:11 Daniel Collis-Puro immise in rete Why not use a recipient verification callout for the destination mail server? Something like: NOT feasible: Sure it is. the secondary mx is usually used when the primary is of, or overloaded and do not accept more connections or give immediately a 421 error. Look for 'smtp_reserve_hosts'. With this, you can allow the backup MX to connect to the master even when the master is already 4xx'ing other hosts because of things like smtp_load_reserve. Also for other reason caching, unless on a file that can be easily moved between the MX 13 and MX 20, is not usable. -- Care to give a bit more info on that? I expect that for some weeks will be some erratic maintenace periods when one or more of the server will be off or just unreacheable. so i cannot consider any solution that cannaot be carried across reboot or requires the availability of the main server. -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
On 2007-12-20 at 14:23 +0100, Wouter Verhelst wrote: Look for 'smtp_reserve_hosts'. With this, you can allow the backup MX to connect to the master even when the master is already 4xx'ing other hosts because of things like smtp_load_reserve. Look up Single Point Of Failure. The point of secondary MX is to remove SPOFs whilst still accepting email to within your administrative control, so that you can clear things up quickly when problems are resolved and don't have to worry about broken remote systems doing things like auto-unsubscribing you from a mailing-list, etc. If you're happy for mail to remain with the senders' systems, then you don't need secondary MXs; if you treat email as sufficiently mission-critical that you should be able to deliver mail within a certain time-period, then secondary MXs aren't enough. Fully redundant parallel delivery which works is hard, secondary MX is good enough for most people. The router crashed, mail couldn't get through for 10 minutes, but all the stuff sent by real MTAs went to the backup MX on the different network and I've flushed the queues, so all delayed email has now been delivered. If you don't have the important business document yet, it wasn't sent or is still in the sender's systems for some reason and it's their technical problem, not ours It's ensuring that delivery is as timely as possible with recovery that's as quick as possible because delayed mail flushing is under the control of people who _know_ when the problem is gone. -Phil -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
[exim] secondary MX: allow only a set of users
I have two servers and two more secondary MX. I want: avoid that the secondary mx accept email that in turn is sent to the primary and then bounced. So i would like to set a list of possible address that are accepted. such list however is not just a plain list of addresses, but it could be also a list with some addresses written as: abc-g* to say that it must accept any address whose five characters are abc-g what is the easier and quicher way to accomplish this, other than adding many director sections in exim4.conf ??? -- Leonardo Boselli Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile Universita` di Firenze , V. S. Marta 3 - I-50139 Firenze tel +39 0554796431 cell +39 3488605348 fax +39 055495333 http://www.dicea.unifi.it/~leo -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] secondary MX: allow only a set of users
Leonardo Boselli wrote: I have two servers and two more secondary MX. I want: avoid that the secondary mx accept email that in turn is sent to the primary and then bounced. So i would like to set a list of possible address that are accepted. such list however is not just a plain list of addresses, but it could be also a list with some addresses written as: abc-g* to say that it must accept any address whose five characters are abc-g what is the easier and quicher way to accomplish this, other than adding many director sections in exim4.conf ??? Why not use a recipient verification callout for the destination mail server? Something like: * deny domains = +relay_to_domains message = unknown user !verify = recipient/callout=30s,defer_ok * in your ACLs. Then the destination mail server can handle telling you what addresses are valid. These lookups are cached as well, look at the callout cache section of the docs for options. --DJCP -- -**----**----** Daniel Collis-Puro Software Engineer End Point Corp. [EMAIL PROTECTED] (office) 781-477-0885 **----**----**- -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/