Bug#388460: Re: Bug#388460: exim4-daemon-light: sender verification is not working
tags #388460 confirmed pending
thanks

On Sun, Sep 24, 2006 at 02:10:16PM +0200, Andreas Metzler wrote:
> I think that it is ok that sender and recipient address verification
> does not work for smarthost setups by default.
>
> The fact that it took years for somebody to actually discover that
> address verification does not work as expected supports my position.
> Having something like this in docs might do the trick:
> ---
> Sender and recipient address verification will not work for non-local
> domains using smarthost setups. As any non-local mail (or for
> satellite setups all mail) is simply sent on to the smarthost *all*
> non-local addresses are deliverable for exim and therefore verify.
> ---

I agree. I have written something along these lines in the comments of
the RCPT ACL and committed to svn.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | I don't trust Computers. They | Mail address in header
Mannheim, Germany  | lose things.     Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#388460: exim4-daemon-light: sender verification is not working
On 2006-09-21 Marc Haber [EMAIL PROTECTED] wrote:
> [...]
> We'll need to think about a way to support sender verification on a
> system that uses a smarthost. Andreas' suggestion is a possible
> solution, but we'll need to bring our minimaldns configuration option
> in the game: We might be using a smarthost because we do not have
> world-wide DNS available.
>
> Probably the most promising idea would be to only activate the
> smarthost_verify_dnslookup router if minimaldns is not set and to warn
> in the config that sender/recipient verification on a smarthost-based
> system with minimaldns set is likely to generate false negatives
> (verifying false addresses as correct).
> [...]

Hello,

I think that it is ok that sender and recipient address verification
does not work for smarthost setups by default.

- These setups are used mainly for two purposes:
  leafsite, @home workstation.
    - These sites generally are not open for remote connections.
  gateway host:
    Will need to be manually configured to use callouts or a manually
    synced list of remote-parts.

The fact that it took years for somebody to actually discover that
address verification does not work as expected supports my position.
Having something like this in docs might do the trick:
---
Sender and recipient address verification will not work for non-local
domains using smarthost setups. As any non-local mail (or for
satellite setups all mail) is simply sent on to the smarthost *all*
non-local addresses are deliverable for exim and therefore verify.
---

cu andreas

-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Fforde
Bug#388460: exim4-daemon-light: sender verification is not working
On 20/09/06, Andreas Metzler [EMAIL PROTECTED] wrote:
> The interesting bit is this one:
> [...]
> check !verify = sender
> Verifying [EMAIL PROTECTED]
> [...]
> dsaodpojdopj.com in ! +local_domains? yes (end of list)
> R: smarthost for [EMAIL PROTECTED]
> calling smarthost router
> smarthost router called for [EMAIL PROTECTED]
> domain = dsaodpojdopj.com
> [...]
> routed by smarthost router
> envelope to: [EMAIL PROTECTED]
> transport: remote_smtp_smarthost
> host smtp.blueyonder.co.uk [195.188.53.60]
> --- end verify sender [EMAIL PROTECTED] verified ok
>
> i.e. the smarthost router accepts *everything* making the address
> deliverable for exim and therefore verified.
>
> I actually cannot see how this setup ever could have worked, the only
> two ways to actually verify addresses while using a smarthost for
> delivery are
> 1# using callouts for verification

I tried changing to verify = sender/callout but the address is still
accepted. If I understand the log correctly then it contacts my ISP's
SMTP server for the call out, which accepts it (probably because they
don't do recipient verification). Why on earth does Exim call the
smarthost for a local address? :-/

> 2# setting no_verify on the smarthost router and having a dnslookup
> router with verify_only doing the verification.

Could you go into a little more detail please. I'm still not too sure
how the router thing works (and ties in with the ACLs). As I said, my
knowledge of Exim is still a little basic.

> Perhaps you previously had callouts setup?

No, but then the two Sarge boxes that work use the internet
configuration. The Etch box is my personal server at home that I use
as a backup MX record on my domain, so I use a smarthost because I
don't have a static IP address.

George.
Bug#388460: exim4-daemon-light: sender verification is not working
On Thu, Sep 21, 2006 at 09:31:09AM +0100, George B. wrote:
> Why on earth does Exim call the smarthost for a local address? :-/

It looks like that your smarthost router is not recognizing the domain
as local (... is in ! +local_domains? yes.) Does it correctly route
the address as in exim -bt [EMAIL PROTECTED] as a local domain?

I am not sure whether Andreas' Diagnosis is right.

Greetings
Marc
Bug#388460: exim4-daemon-light: sender verification is not working
On 21/09/06, Marc Haber [EMAIL PROTECTED] wrote:
> It looks like that your smarthost router is not recognizing the domain
> as local (... is in ! +local_domains? yes.) Does it correctly route
> the address as in exim -bt [EMAIL PROTECTED] as a local domain?

I did: exim -bt [EMAIL PROTECTED]
and it returned router = local_user, transport = maildir_home

The domain name (and mailboxes) are virtual, defined in
/etc/exim4/virtual/mydomain.co.uk

George.
Bug#388460: exim4-daemon-light: sender verification is not working
On Thu, Sep 21, 2006 at 11:23:17AM +0100, George B. wrote:
> On 21/09/06, Marc Haber [EMAIL PROTECTED] wrote:
> > It looks like that your smarthost router is not recognizing the domain
> > as local (... is in ! +local_domains? yes.) Does it correctly route
> > the address as in exim -bt [EMAIL PROTECTED] as a local domain?
>
> I did: exim -bt [EMAIL PROTECTED]
> and it returned router = local_user, transport = maildir_home

And that's the same address you want to fail verification?

Greetings
Marc
Bug#388460: exim4-daemon-light: sender verification is not working
On 21/09/06, Marc Haber [EMAIL PROTECTED] wrote:
> And that's the same address you want to fail verification?

No, that is the recipient address. I am trying to verify sender
addresses. Doing the exim -bt ... test with any other (non-local, even
if it is a fake, non-existent domain) address returns
router = smarthost, transport = remote_smtp_smarthost.

George.
Bug#388460: exim4-daemon-light: sender verification is not working
On Thu, Sep 21, 2006 at 11:41:40AM +0200, Marc Haber wrote:
> I am not sure whether Andreas' Diagnosis is right.

I am sure now that Andreas' is right. I'll need to ponder (and ask
exim-users) how to solve this.

Greetings
Marc
Bug#388460: exim4-daemon-light: sender verification is not working
On Thu, Sep 21, 2006 at 01:11:17PM +0200, Marc Haber wrote:
> And that's the same address you want to fail verification?

No, it is not. After you answered my question in private e-mail (on
purpose?), I now understand the issue. Finally. Sorry for being so
slow on the mark.

We'll need to think about a way to support sender verification on a
system that uses a smarthost. Andreas' suggestion is a possible
solution, but we'll need to bring our minimaldns configuration option
in the game: We might be using a smarthost because we do not have
world-wide DNS available.

Probably the most promising idea would be to only activate the
smarthost_verify_dnslookup router if minimaldns is not set and to warn
in the config that sender/recipient verification on a smarthost-based
system with minimaldns set is likely to generate false negatives
(verifying false addresses as correct).

Andreas, what do you think about that?

Greetings
Marc
Bug#388460: exim4-daemon-light: sender verification is not working
On Thu, Sep 21, 2006 at 09:31:09AM +0100, George B. wrote:
> Why on earth does Exim call the smarthost for a local address? :-/

The sender you are trying is not a local address, and everything
nonlocal is passed on to the smarthost.

> > 2# setting no_verify on the smarthost router and having a dnslookup
> > router with verify_only doing the verification.
>
> Could you go into a little more detail please. I'm still not too sure
> how the router thing works (and ties in with the ACLs). As I said, my
> knowledge of Exim is still a little basic.

Exim does do sender verification by going through the motions of
sending a message to the sender without actually sending a message.
Since a message to the non-local sender will be sent to the smarthost,
the local exim considers the sender address as verified.

> > Perhaps you previously had callouts setup?
>
> No, but then the two Sarge boxes that work use the internet
> configuration.

Ok. The issue we have here is specific to smarthost setups.

Greetings
Marc
Bug#388460: exim4-daemon-light: sender verification is not working
On Wed, Sep 20, 2006 at 07:53:39PM +0200, Andreas Metzler wrote:
> 1# using callouts for verification

Only if the smarthost rejects invalid RCPT commands immediately.

Greetings
Marc
Bug#388460: exim4-daemon-light: sender verification is not working
On 21/09/06, Marc Haber [EMAIL PROTECTED] wrote:
> On Thu, Sep 21, 2006 at 01:11:17PM +0200, Marc Haber wrote:
> > And that's the same address you want to fail verification?
>
> No, it is not. After you answered my question in private e-mail (on
> purpose?), I now understand the issue. Finally. Sorry for being so
> slow on the mark.

No, it was an accident. If anything, it is my ability at explaining
things clearly that sucks - sorry. (Work's a little hectic at the
moment, too many things at once. :-/ )
Bug#388460: exim4-daemon-light: sender verification is not working
Package: exim4-daemon-light
Version: 4.63-3
Severity: normal

Hello,

For some reason, sender verification does not seem to work on my Etch
Exim4 server. I have 2 Sarge servers with nearly identical
configurations that have sender verification working just fine.

I attach the config.autogenerated file for the problem server. I have
set the appropriate option in the macros file and even tried adding a
copy of the verification test to acl_check_mail, but no luck. :-(

Telnet test:
---
mail from: [EMAIL PROTECTED]
250 OK
rcpt to: [EMAIL PROTECTED]
250 Accepted
^]
---

Am I doing something wrong, or is this a bug?

HTH,
George.

-- Package-specific info:
Exim version 4.63 #1 built 23-Aug-2006 17:21:47
Copyright (c) University of Cambridge 2006
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September 6, 2005)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames='10.0.0.1 : -snip- : localhost.localdomain : dsearch;/etc/exim4/virtual'
dc_local_interfaces='127.0.0.1 : 10.0.0.1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='10.0.0.0/24'
dc_smarthost='smtp.blueyonder.co.uk'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
dc_localdelivery=maildir_home
mailname:-snip-.homelinux.org

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (700, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages exim4-daemon-light depends on:
ii  exim4-base   4.63-3       support files for all exim MTA (v4
ii  libc6        2.3.6.ds1-4  GNU C Library: Shared libraries
ii  libdb4.3     4.3.29-6     Berkeley v4.3 Database Libraries [
ii  libgnutls13  1.4.3-2      the GNU TLS library - runtime libr
ii  libpcre3     6.4-2        Perl 5 Compatible Regular Expressi

exim4-daemon-light recommends no packages.

-- no debconf information
Bug#388460: exim4-daemon-light: sender verification is not working
On Wed, Sep 20, 2006 at 03:26:39PM +0100, George B. wrote:
> I attach the config.autogenerated file for the problem server.

I do not see the attachment.

> I have set the appropriate option in the macros file

Which option, which macros file?

Try exim4 -d -bh some-ip-address and simulate an SMTP session with an
invalid sender on the terminal. The debug output will probably help.
If not, send the debug output to the bug report.

Greetings
Marc
Bug#388460: exim4-daemon-light: sender verification is not working
On 20/09/06, Marc Haber [EMAIL PROTECTED] wrote:
> On Wed, Sep 20, 2006 at 03:26:39PM +0100, George B. wrote:
> > I attach the config.autogenerated file for the problem server.
>
> I do not see the attachment.

Yeah I noticed, sorry. I posted a followup, but BTS took some time to
accept.

> > I have set the appropriate option in the macros file
>
> Which option, which macros file?

I tried /etc/exim4/conf.d/main/000_localmacros and then tried
switching to single file configuration and used
/etc/exim4/exim4.conf.localmacros

> Try exim4 -d -bh some-ip-address and simulate an SMTP session with an
> invalid sender on the terminal. The debug output will probably help.
> If not, send the debug output to the bug report.

I attach the debug output (thanks, I never thought of using this test
mode). The verification test is run and it succeeds, not sure why
though. I'm afraid my understanding of Exim is still a little basic.

George.

Exim version 4.63 uid=0 gid=0 pid=23487 D=fbb95cfd
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September 6, 2005)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
changed uid/gid: forcing real = effective
uid=0 gid=0 pid=23487
auxiliary group list: none
seeking password data for user uucp: cache not available
getpwnam() succeeded uid=10 gid=10
configuration file is /var/lib/exim4/config.autogenerated
log selectors = 0ffc 00089001
trusted user
admin user
changed uid/gid: privilege not needed
uid=102 gid=102 pid=23487
auxiliary group list: 102
seeking password data for user mail: cache not available
getpwnam() succeeded uid=8 gid=8
user name root extracted from gecos field root
originator: uid=0 gid=0 login=root name=root
sender address = root@-snip-.homelinux.org
sender_fullhost = [10.0.0.1]
sender_rcvhost = [10.0.0.1]
SMTP testing session as if from host 10.0.0.1
but without any ident (RFC 1413) callback.
This is not for real!
host in hosts_connection_nolog? no (option unset)
LOG: smtp_connection MAIN
SMTP connection from [10.0.0.1]
host in host_lookup? yes (matched *)
looking up host name for 10.0.0.1
DNS lookup of 1.0.0.10.in-addr.arpa (PTR) gave HOST_NOT_FOUND
returning DNS_NOMATCH
IP address lookup using gethostbyaddr()
IP address lookup yielded mail
gethostbyname2(af=inet6) returned 1 (HOST_NOT_FOUND)
gethostbyname2 looked up these IP addresses:
name=mail address=10.0.0.1
checking addresses for mail
10.0.0.1 OK
sender_fullhost = mail [10.0.0.1]
sender_rcvhost = mail ([10.0.0.1])
set_process_info: 23487 handling incoming connection from mail [10.0.0.1]
host in host_reject_connection? no (option unset)
host in sender_unqualified_hosts? no (option unset)
host in recipient_unqualified_hosts? no (option unset)
host in helo_verify_hosts? no (option unset)
host in helo_try_verify_hosts? no (option unset)
host in helo_accept_junk_hosts? no (option unset)
SMTP 220 -snip-.homelinux.org ESMTP Exim 4.63 Wed, 20 Sep 2006 16:50:50 +0100
220 -snip-.homelinux.org ESMTP Exim 4.63 Wed, 20 Sep 2006 16:50:50 +0100
smtp_setup_msg entered
helo me
SMTP helo me
sender_fullhost = mail (me) [10.0.0.1]
sender_rcvhost = mail ([10.0.0.1] helo=me)
set_process_info: 23487 handling incoming connection from mail (me) [10.0.0.1]
250 -snip-.homelinux.org Hello mail [10.0.0.1]
SMTP 250 -snip-.homelinux.org Hello mail [10.0.0.1]
mail from: [EMAIL PROTECTED]
SMTP mail from: [EMAIL PROTECTED]
using ACL acl_check_mail
processing accept
accept: condition test succeeded
SMTP 250 OK
250 OK
rcpt to: [EMAIL PROTECTED]
SMTP rcpt to: [EMAIL PROTECTED]
using ACL acl_check_rcpt
processing accept
check hosts = :
host in :? no (end of list)
accept: condition test failed
processing deny
check domains = +local_domains
localhost in @:localhost:10.0.0.1 : -snip- : localhost.localdomain : dsearch;/etc/exim4/virtual? yes (matched localhost)
localhost in +local_domains? yes (matched +local_domains)
check local_parts = ^[.] : [EMAIL PROTECTED]/|`#?]
root in ^[.] : [EMAIL PROTECTED]/|`#?]? no (end of list)
deny: condition test failed
processing deny
check domains = !+local_domains
cached yes match for +local_domains
cached lookup data = NULL
localhost in !+local_domains? no (matched !+local_domains - cached)
deny: condition test failed
processing accept
check local_parts = postmaster
root in postmaster? no (end of list)
accept: condition test failed
processing deny
check !acl = acl_whitelist_local_deny
using ACL acl_whitelist_local_deny
processing accept
check hosts = ${if exists{/etc/exim4/local_host_whitelist}{/etc/exim4/local_host_whitelist}{}}
host in ? no (end of list)
accept: condition test failed
processing accept
check senders = ${if
Bug#388460: exim4-daemon-light: sender verification is not working
On 2006-09-20 George B. [EMAIL PROTECTED] wrote:
> On 20/09/06, Marc Haber [EMAIL PROTECTED] wrote:
[...]
> > Try exim4 -d -bh some-ip-address and simulate an SMTP session with an
> > invalid sender on the terminal. The debug output will probably help.
> > If not, send the debug output to the bug report.
>
> I attach the debug output (thanks, I never thought of using this test
> mode). The verification test is run and it succeeds, not sure why
> though. I'm afraid my understanding of Exim is still a little basic.

The interesting bit is this one:
[...]
check !verify = sender
Verifying [EMAIL PROTECTED]
[...]
dsaodpojdopj.com in ! +local_domains? yes (end of list)
R: smarthost for [EMAIL PROTECTED]
calling smarthost router
smarthost router called for [EMAIL PROTECTED]
domain = dsaodpojdopj.com
[...]
routed by smarthost router
envelope to: [EMAIL PROTECTED]
transport: remote_smtp_smarthost
host smtp.blueyonder.co.uk [195.188.53.60]
--- end verify sender [EMAIL PROTECTED] verified ok

i.e. the smarthost router accepts *everything* making the address
deliverable for exim and therefore verified.

I actually cannot see how this setup ever could have worked, the only
two ways to actually verify addresses while using a smarthost for
delivery are
1# using callouts for verification
2# setting no_verify on the smarthost router and having a dnslookup
router with verify_only doing the verification.

Perhaps you previously had callouts setup?

cu andreas
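
Added example, not part of the thread and not Debian's packaged configuration: a sketch of the second option Andreas lists, with the original smarthost-only routing shown commented out for comparison. The router name smarthost_verify_dnslookup is the one Marc uses in the thread and the smarthost name is George's; the option values are assumptions for a setup like his.

```exim
# Router section of an Exim 4 configuration (added example, values assumed).

# Before: the only router for non-local domains. Every non-local address
# routes to the smarthost, so "verify = sender" succeeds for any of them.
#
# smarthost:
#   driver = manualroute
#   domains = ! +local_domains
#   transport = remote_smtp_smarthost
#   route_list = * smtp.blueyonder.co.uk byname
#   no_more

# After: one router verifies, the other delivers.

# Runs only during address verification; needs working world-wide DNS.
# No transport is set because this router never delivers anything.
smarthost_verify_dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  verify_only
  # When DNS has no MX or address record for the domain the router
  # declines; no_more then ends routing and verification fails.
  no_more

# Runs only for real delivery; no_verify makes verification skip it.
smarthost:
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp_smarthost
  route_list = * smtp.blueyonder.co.uk byname
  no_verify
  no_more
```

This checks only that the sender's domain resolves in DNS, not that the mailbox exists, and it depends on the DNS access that a minimaldns system may not have. The exim4 -d -bh some-ip-address session suggested in the thread shows which router handled the verification.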