On Wed, 30 May 2018, Ian Zimmerman via Exim-users wrote:

I just turned on callout sender verify with the random option.
Strangely, the first (and only the first) connect from many domains
after that is temporarily rejected, although the callout seems to
succeed with a 250 status code.  The log lines look like this:

2018-05-29 12:25:26 acl_check_connect: connect from 23.253.242.70
2018-05-29 12:25:28 acl_check_connect: host geoip us
2018-05-29 12:25:34 acl_check_connect: 23.253.242.70 accepted
2018-05-29 12:25:34 acl_check_mail: mail from haskell-cafe-boun...@haskell.org
2018-05-29 12:25:40 [23.253.242.70] SSL verify error: depth=0 error=certificate 
has expired cert=/OU=Domain Control Validated/CN=*.haskell.org
2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 sender verify defer for 
<haskell-cafe-boun...@haskell.org>: Could not complete sender verify callout: mail.haskell.org 
[23.253.242.70] : response to "RCPT TO:<mymx.com-1527621934-test...@haskell.org>" 
was: 250 2.1.5 Ok
2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 
F=<haskell-cafe-boun...@haskell.org> temporarily rejected RCPT 
<i...@mydomain.com>: Could not complete sender verify callout
2018-05-29 12:25:40 SMTP connection from haskell.org [23.253.242.70]:51176 
closed by QUIT

I obfuscated my mx hostname and my domain name, and only these two
items.

Why did exim "Could not complete" the callout when it got a success code?
Again, this only happened the first time for each domain after the
configuration change. Subsequent connections work normally and log
nothing about the callout.

Sorry. The first time that you posted this, I didn't notice the
certificate expiry error (which
  openssl s_client -connect mail.haskell.org:25 -starttls smtp -verify 0
confirms for me).

I *think* that the wire callout is succeeding, but the expired certificate
means that exim considers the callout verify to have failed.

Once that callout has failed, exim caches the result and doesn't bother
to callout verify subsequent connections, hence the successful connections
with no callouts logged (again assuming that I have correctly understood exim).

--
Andrew C. Aitchison                                     Cambridge, UK
                        and...@aitchison.me.uk
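As an added example (not part of the thread and not Exim's own code): a small Python script that re-joins the wrapped log records posted above and correlates each "sender verify defer" with a preceding "SSL verify error" from the same peer, so that a 2xx response quoted inside a defer message is flagged as a local TLS-verification abort rather than a remote rejection. The sample log is the excerpt from the original post with its obfuscation kept; the regexes and the classification labels are this example's own assumptions about Exim's main-log wording, not an interface Exim documents.

```python
"""Correlate Exim 'sender verify defer' records with TLS verify errors.

Added example for the exim-users thread above. The parsing rules and the
classification labels are heuristics written for this example, not Exim code.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the log excerpt from the original post, still wrapped
# the way the mail client wrapped it (addresses obfuscated as posted).
SAMPLE_LOG = """\
2018-05-29 12:25:26 acl_check_connect: connect from 23.253.242.70
2018-05-29 12:25:28 acl_check_connect: host geoip us
2018-05-29 12:25:34 acl_check_connect: 23.253.242.70 accepted
2018-05-29 12:25:34 acl_check_mail: mail from haskell-cafe-boun...@haskell.org
2018-05-29 12:25:40 [23.253.242.70] SSL verify error: depth=0 error=certificate
has expired cert=/OU=Domain Control Validated/CN=*.haskell.org
2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 sender verify defer for
<haskell-cafe-boun...@haskell.org>: Could not complete sender verify callout: mail.haskell.org
[23.253.242.70] : response to "RCPT TO:<mymx.com-1527621934-test...@haskell.org>"
was: 250 2.1.5 Ok
2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176
F=<haskell-cafe-boun...@haskell.org> temporarily rejected RCPT
<i...@mydomain.com>: Could not complete sender verify callout
2018-05-29 12:25:40 SMTP connection from haskell.org [23.253.242.70]:51176
closed by QUIT
"""

# Every Exim main-log record begins with "YYYY-MM-DD HH:MM:SS ".
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
# "[peer-ip] SSL verify error: <detail>" (assumed wording, matches the post).
SSL_RE = re.compile(r"^\[(?P<ip>[^\]]+)\] SSL verify error: (?P<detail>.*)$")
# "H=host [ip]:port sender verify defer for <sender>: <reason>".
DEFER_RE = re.compile(
    r"H=(?P<client_host>\S+) \[(?P<client_ip>[^\]]+)\](?::\d+)? "
    r"sender verify defer for <(?P<sender>[^>]*)>: (?P<reason>.*)$"
)
# Inside the reason: which callout peer answered, to what, and with which code.
CALLOUT_RE = re.compile(
    r"callout: (?P<host>\S+) \[(?P<ip>[^\]]+)\] : "
    r'response to "(?P<cmd>[^"]*)" was: (?P<code>\d{3})'
)


def unwrap(log_text: str) -> List[str]:
    """Re-join records that were wrapped onto several physical lines.

    A line that does not start with a timestamp is treated as the
    continuation of the previous record (assumption about the wrapping).
    """
    records: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def classify_defer(code: str, tls_error: Optional[str]) -> str:
    """Heuristic verdict for one defer record.

    A 2xx quoted in the defer reason means the remote accepted the probe, so
    the callout was aborted on our side; a verify error from the same peer
    just before it points at TLS certificate verification. A 4xx is the
    remote itself deferring, which is the case the defer text usually means.
    """
    if code.startswith("2"):
        return "tls_verify_failure" if tls_error else "local_abort_unknown"
    if code.startswith("4"):
        return "remote_tempfail"
    return "unexpected_response"


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Walk the log in order and pair defers with the latest TLS error per peer."""
    findings: List[Dict[str, str]] = []
    last_tls_error: Dict[str, str] = {}  # peer IP -> most recent verify error
    for record in unwrap(log_text):
        ts, msg = record[:19], record[20:]
        m = SSL_RE.match(msg)
        if m:
            last_tls_error[m["ip"]] = m["detail"]
            continue
        m = DEFER_RE.search(msg)
        if not m:
            continue
        c = CALLOUT_RE.search(m["reason"])
        tls_error = last_tls_error.get(c["ip"]) if c else None
        findings.append({
            "time": ts,
            "client": f"{m['client_host']} [{m['client_ip']}]",
            "sender": m["sender"],
            "callout_host": c["host"] if c else "",
            "callout_ip": c["ip"] if c else "",
            "command": c["cmd"] if c else "",
            "response_code": c["code"] if c else "",
            "tls_error": tls_error or "",
            "classification": classify_defer(c["code"], tls_error)
            if c else "no_response_recorded",
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['time']} {f['sender']} via {f['callout_host']} "
              f"[{f['callout_ip']}] -> {f['response_code']}: {f['classification']}")
        if f["tls_error"]:
            print("    TLS:", f["tls_error"])
```

Run against a real main log the same way; the verdict of interest is `tls_verify_failure`, which is what the posted excerpt produces. The cached callout result Andrew refers to lives in Exim's hints database and can be inspected with `exim_dumpdb <spooldir> callout` (the spool directory depends on your build).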

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
