Hi Dean,

Thanks for your input.

Per your suggestion, I just tried:

    exim -v -bv good-user@mydomain

Result is one line of output:

    good-user@mydomain failed to verify: Unknown user good-user

That is the message generated by the localuser: router.

Same result for any address, good or bad, except local users. Local
users are accepted as verified. But, of course, what I want is for all
valid aliases to also be accepted as verified.

My RCPT acl and routers are as follows:

============== A C L ===============
# -------------------------
acl_check_rcpt:
# -------------------------

  # accept any emails originated in this host
  accept  hosts = :
          control = dkim_disable_verify

  # Reject anybody in spamhaus zen list
  deny    message = X-Warning: $sender_host_address is listed at $dnslist_domain. $dnslist_text
          log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
          dnslists = zen.spamhaus.org

  # deny any email pretending to be sending from our domain (local origination was already accepted)
  drop    message = You are not who you say you are
          !hosts = +relay_from_hosts
          condition = ${if match_domain{$sender_address_domain}{+local_domains}{yes}{no}}

  # No bad stuff allowed in address
  deny    message = Restricted characters in address
          domains = +local_domains
          local_parts = ^[.] : ^.*[@%!/|]

  # Make sure we allow postmaster emails for our domains
  accept  local_parts = postmaster
          domains = +local_domains

  # allow our own domains
  accept  hosts = +relay_from_hosts
          control = submission
          control = dkim_disable_verify

  # No delivery to any domains but our own
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  # Following causes rejection of all emails
  # require message = Unknown recipient $local_part
  #         hosts = ! +relay_from_hosts
  #         domains = +local_domains
  #         verify = recipient

  accept

============ R O U T E R S =============
begin routers

# -------------------------
dnslookup:
# -------------------------
  driver = dnslookup
  domains = ! +local_domains
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  transport = remote_smtp
  no_more

# -------------------------
virtual_aliases_nostar:
# -------------------------
  driver = redirect
  allow_defer
  allow_fail
  data = ${if exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch{/etc/virtual/$domain/aliases}}}}
  file_transport = address_file
  group = mail
  pipe_transport = virtual_address_pipe
  retry_use_local_part

# -------------------------
virtual_aliases:
# -------------------------
  driver = redirect
  allow_defer
  allow_fail
  condition = ${if eq {}{${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}}{yes}{no}}
  data = ${if exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch*{/etc/virtual/$domain/aliases}}}}
  file_transport = address_file
  group = mail
  pipe_transport = virtual_address_pipe
  retry_use_local_part

# -------------------------
system_aliases:
# -------------------------
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe

# -------------------------
localuser:
# -------------------------
  driver = accept
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user $local_part

=======================================================

On 10/28/2014 8:04 AM, Dean Brooks wrote:

Hi,

Without seeing the entire acl_check_rcpt ACL and your entire list of
routers, it's going to be difficult to guess. However, if you haven't
already, try running address verification testing with both the "-bv"
and the "-v" options on the command line. That may help shed some light.

--
Dean Brooks

On Mon, Oct 27, 2014 at 12:41:22PM -0700, Phillip Carroll wrote:

Using exim 4.80 on CentOS 5.5.

My exim configuration uses virtual domain routers similar to those shown
in chapter 49.7 of the current doc. This has been working perfectly
for about 10 years on several different servers I have migrated to
over the years. I have never used recipient verification, but
instead have simply bounced the email back to sender in the delivery
phase.

Because of a recent spate of spam emails with forged senders, most
of which are also addressed to nonexistent local_parts, I would now
prefer to reject the emails at RCPT time. However, try as I may, I
cannot get "verify = recipient" to work. If I put this into the
acl_check_rcpt ACL, all email is rejected with "550 Unknown user
xxx".

Somewhere in the manual I read that verify in an ACL uses the same
router sequence as used in delivery. Clearly it does not! Tearing my
hair out with this. Basically everything I thought I understood
about exim seems to be under suspicion. As usual, it seems there is
what the manual says...and then there is what the code actually
does. I am hoping that someone with deeper understanding of the
inner mysteries of exim can explain why unverified recipients are
routed perfectly, but any attempt to verify them rejects every
recipient. And, can tell me a workaround.

None of the redirect routers have "no_more", because all emails are
ultimately routed by the local_user router, using the final data
from the redirect routers.

Running exim from command line with -bh gives me no clues, as it
routes to all addresses perfectly, cascading down through all
routers as expected, finally routing to the actual local user. (By
the way, no local user id is ever used as an actual external email
address, although it is used internally.) I presume this -bh doesn't pay
any attention to ACLs.

It would also be nice if someone can tell me how to test this kind
of issue without using the live system. Users tend to get cranky if
their mail is returned to sender.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/