Re: [exim] Routing failed deliveries through an ESP

2023-04-20 Thread Jasen Betts via Exim-users
On 2023-04-20, Lance Lovette via Exim-users  wrote:
>> There's a rational basis for an exception for 5xx before MAIL FROM,
>> when the target only has the connection parameters and HELO
>> name to use as a basis for rejection
>
> Unfortunately, Google, in the case of an outright IP-based block, doesn't
> reject the message until after DATA has been submitted.
>
> After wrestling with this for a few days, my solution to mitigate some
> fallout from host-based rejections is a router condition that allows me to
> easily avoid routing to problematic domains while the issue is resolved.
> (The router after this sends everything through the ESP.)
>
> FIRST_MX_HOST = ${extract{2}{ \n}{${lookup dnsdb{mx=$domain}{$value}}}{$value}fail}
> r_direct:
>   driver = dnslookup
>   transport = t_smtp
>   domains = ! +local_domains
>   condition = first_delivery
>   condition = ${if !eq{$return_path}{}}
>   condition = ${lookup {FIRST_MX_HOST}nwildlsearch{/etc/exim/force-esp-mxhosts}{false}{true}}
>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>
> Two questions for the experts:
>
> - Is there a more efficient way to achieve this?

You could put the IP addresses in ignore_target_hosts instead.

> - Does Exim have a mechanism to invoke a script with rejected messages, so
> I can either re-send the message or add the host to my force-esp-mxhosts?

You can detect rejections using event_action.

But it's not very easy to set up.

You set up event_action as an ${acl ...} expansion and then, in the ACL,
branch according to which event is happening.

When you detect a fake rejection you could then store the fact in a ratelimit.

The ratelimit can then be tested in the main delivery router (again via a
${acl ...} expansion) and a ratelimit failure used to skip that router.


Preventing the processing of the bounce is harder, but you can do it by
arranging for the not-smtp ACL to return "drop" when it sees a bounce
from one of these messages - you'll probably need to pass some
details to this ACL in the headers of the bounce message so that
the ACL can know which transport is producing the error.

Detecting the rejection and setting the ratelimit could also be done
here instead I guess.


This is tying Exim up in knots; it will probably be fairly fragile.

-- 
 Jasen.
  Слава Україні

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
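Added example, not code from this thread, from Exim, or from any poster: a log-driven alternative to the event_action/ratelimit scheme sketched above. It classifies remote 5xx rejections by the SMTP stage at which they arrived, so only rejections issued before MAIL FROM (when the peer knew nothing but our IP and HELO) are proposed for the force-esp-mxhosts list, while post-DATA rejections are treated as permanent. The line shape is an assumption modelled on Exim's "SMTP error from remote mail server after ..." wording, and the sample lines are constructed.

```python
import re

# Assumed line shape, modelled on Exim's "SMTP error from remote mail server
# after <stage>" wording; real fields vary with log_selector. Constructed data.
_FAIL = re.compile(
    r"\*\* (?P<rcpt>\S+) .*?H=(?P<host>\S+) \[(?P<ip>[^\]]+)\].*?"
    r"SMTP error from remote mail server after (?P<stage>initial connection"
    r"|MAIL FROM|RCPT TO|end of data|pipelined end of data).*?: (?P<code>\d{3})[ -]"
)
PRE_MAIL_FROM = ("initial connection", "MAIL FROM")

def classify_rejection(line):
    """Return (recipient domain, MX host, stage, decision) for a 5xx failure
    line, or None for anything else (defers, deliveries, 4xx)."""
    m = _FAIL.search(line)
    if not m or not m.group("code").startswith("5"):
        return None
    stage = m.group("stage")
    if stage in PRE_MAIL_FROM:
        # The peer knew only our IP and HELO: a host-level block, the one
        # case where rerouting via the ESP is defensible.
        decision = "host-level block: candidate for force-esp-mxhosts"
    elif stage == "RCPT TO":
        decision = "recipient rejected: do not reroute"
    else:
        # Content was seen and refused; re-sending it anywhere is wrong.
        decision = "rejected after DATA: permanent failure, never re-send"
    return m.group("rcpt").split("@")[-1], m.group("host"), stage, decision

def hosts_to_force_esp(lines):
    """MX hosts whose pre-MAIL FROM 5xx suggests an IP/HELO-based block."""
    return sorted({r[1] for r in map(classify_rejection, lines)
                   if r and r[2] in PRE_MAIL_FROM})

# Constructed sample mainlog lines (not real log data).
SAMPLE_LOG = [
    "2023-04-20 10:47:15 1pp9Zz-0001aa-2b ** bob@example.com R=r_direct T=t_smtp "
    "H=mx.example.com [192.0.2.10] X=TLS1.3: SMTP error from remote mail server "
    "after initial connection: 554 5.7.1 Service unavailable; client host blocked",
    "2023-04-20 10:48:01 1pp9a1-0001ab-3c ** alice@example.net R=r_direct T=t_smtp "
    "H=mx.example.net [192.0.2.20]: SMTP error from remote mail server "
    "after end of data: 550-5.7.1 Our system has detected that this message is",
    "2023-04-20 10:49:30 1pp9a5-0001ac-4d ** carol@example.org R=r_direct T=t_smtp "
    "H=mx.example.org [192.0.2.30]: SMTP error from remote mail server "
    "after RCPT TO:<carol@example.org>: 550 5.1.1 User unknown",
    "2023-04-20 10:50:00 1pp9a7-0001ad-5e == dave@example.com R=r_direct T=t_smtp "
    "defer (-44): SMTP error from remote mail server after MAIL FROM:<>: 421 try later",
]
```

Feeding the real mainlog through hosts_to_force_esp() gives the candidate list for /etc/exim/force-esp-mxhosts; a human should still confirm each entry before rerouting.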


Re: [exim] Wildcard CN verify error

2023-04-20 Thread Jasen Betts via Exim-users
On 2023-04-20, Jeremy Harris via Exim-users  wrote:
> On 20/04/2023 06:18, Jasen Betts via Exim-users wrote:
>> On 2023-04-18, Lance Lovette via Exim-users  wrote:
>>>> This is a name mismatch: mailgun.org != mailgun.com.
>>>
>>> Perhaps it's time for a larger font size :) I will put on my dunce cap and
>>> go sit in the corner. But shame on Mailgun for responding to .com with a
>>> .org certificate!
>>>
>>> Lance
>> 
>> Their .com is a cname pointing to the .org, so the same host is both
>> .com and .org, but their host isn't using SNI.
>
> This raises the question: should the name-check be against the CNAME-resolved
> name rather than the initial?  Both?
> I've not hunted through standards yet.

Web browsers just use the initial domain name given by the user: the resolver
is treated as a black box.

 
-- 
 Jasen.
  Слава Україні



Re: [exim] Routing failed deliveries through an ESP

2023-04-20 Thread Bill Cole via Exim-users

On 2023-04-20 at 10:47:15 UTC-0400 (Thu, 20 Apr 2023 10:47:15 -0400)
Lance Lovette via Exim-users 
is rumored to have said:


>> There's a rational basis for an exception for 5xx before MAIL FROM,
>> when the target only has the connection parameters and HELO
>> name to use as a basis for rejection
>
> Unfortunately, Google, in the case of an outright IP-based block, doesn't
> reject the message until after DATA has been submitted.


Then you should not, under any circumstances, retry sending that message 
via ANY path. Just don't do it. That message has FAILED. It has been 
REJECTED.





--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire



Re: [exim] log_reject_target

2023-04-20 Thread Jeremy Harris via Exim-users

On 20/04/2023 16:21, Ian Z via Exim-users wrote:

> I was not sure I was interpreting the expression "current ACL" correctly.
> Things like warn and deny are what, ACL rules?



Verbs.  See
https://exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
section 18.

For hunting about for info like this, use the Concept Index.
--
Cheers,
  Jeremy




Re: [exim] Routing failed deliveries through an ESP

2023-04-20 Thread Jeremy Harris via Exim-users

On 20/04/2023 15:47, Lance Lovette via Exim-users wrote:

> Does Exim have a mechanism to invoke a script with rejected messages


We already told you no.
--
Cheers,
  Jeremy




Re: [exim] Routing failed deliveries through an ESP

2023-04-20 Thread Andrew C Aitchison via Exim-users

On Thu, 20 Apr 2023, Lance Lovette via Exim-users wrote:


>> There's a rational basis for an exception for 5xx before MAIL FROM,
>> when the target only has the connection parameters and HELO
>> name to use as a basis for rejection
>
> Unfortunately, Google, in the case of an outright IP-based block, doesn't
> reject the message until after DATA has been submitted.
>
> After wrestling with this for a few days, my solution to mitigate some
> fallout from host-based rejections is a router condition that allows me to
> easily avoid routing to problematic domains while the issue is resolved.
> (The router after this sends everything through the ESP.)
>
> FIRST_MX_HOST = ${extract{2}{ \n}{${lookup dnsdb{mx=$domain}{$value}}}{$value}fail}
> r_direct:
>   driver = dnslookup
>   transport = t_smtp
>   domains = ! +local_domains
>   condition = first_delivery
>   condition = ${if !eq{$return_path}{}}
>   condition = ${lookup {FIRST_MX_HOST}nwildlsearch{/etc/exim/force-esp-mxhosts}{false}{true}}
>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>
> Two questions for the experts:
>
> - Is there a more efficient way to achieve this?
> - Does Exim have a mechanism to invoke a script with rejected messages, so

${run ...} will run the command.
I am not sure how you test for a rejected message.

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk



Re: [exim] log_reject_target

2023-04-20 Thread Ian Z via Exim-users
On Thu, Apr 20, 2023 at 03:33:55PM +0100, Jeremy Harris via Exim-users wrote:

> > First, does this mean that here nothing will be logged:
> >
> >   acl_check_rcpt:
> >     warn log_reject_target =
> >     deny condition = true

> I've not tried that, but at first sight yes.
> Why are you asking?

I was not sure I was interpreting the expression "current ACL" correctly.
Things like warn and deny are what, ACL rules?

-- 
Ian



Re: [exim] Routing failed deliveries through an ESP

2023-04-20 Thread Lance Lovette via Exim-users
> There's a rational basis for an exception for 5xx before MAIL FROM,
> when the target only has the connection parameters and HELO
> name to use as a basis for rejection

Unfortunately, Google, in the case of an outright IP-based block, doesn't
reject the message until after DATA has been submitted.

After wrestling with this for a few days, my solution to mitigate some
fallout from host-based rejections is a router condition that allows me to
easily avoid routing to problematic domains while the issue is resolved.
(The router after this sends everything through the ESP.)

FIRST_MX_HOST = ${extract{2}{ \n}{${lookup dnsdb{mx=$domain}{$value}}}{$value}fail}
r_direct:
  driver = dnslookup
  transport = t_smtp
  domains = ! +local_domains
  # first_delivery is an ${if} condition; as a bare string it is always "true"
  condition = ${if first_delivery}
  condition = ${if !eq{$return_path}{}}
  condition = ${lookup {FIRST_MX_HOST}nwildlsearch{/etc/exim/force-esp-mxhosts}{false}{true}}
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8

Two questions for the experts:

- Is there a more efficient way to achieve this?
- Does Exim have a mechanism to invoke a script with rejected messages, so
I can either re-send the message or add the host to my force-esp-mxhosts?

Thanks!
Lance


Re: [exim] log_reject_target

2023-04-20 Thread Jeremy Harris via Exim-users

On 19/04/2023 16:24, Ian Z via Exim-users wrote:

> First, does this mean that here nothing will be logged:
>
>   acl_check_rcpt:
>     warn log_reject_target =
>     deny condition = true


I've not tried that, but at first sight yes.
Why are you asking?


> Second, what about nested ACLs? Both with the acl= condition
> and with the ${acl .. } expansion. Is the value of log_reject_target
> restored upon return to the top level ACL?

The value is reset to default on an expansion condition or item which
calls an ACL, and on any of the top-level ACL calls specified by
main-config options.  It is not reset for or after an "acl=" ACL
condition (i.e. a nested ACL call).
--
Cheers,
  Jeremy




Re: [exim] Wildcard CN verify error

2023-04-20 Thread Lance Lovette via Exim-users
> Just using * for those two would have the same effect, and save work.

True. Good advice, thanks!

I put together most of this configuration in 2001 and haven't needed to pay
much attention to it until recently.

Lance


Re: [exim] Wildcard CN verify error

2023-04-20 Thread Evgeniy Berdnikov via Exim-users
On Thu, Apr 20, 2023 at 09:26:38AM +0100, Jeremy Harris via Exim-users wrote:
> On 20/04/2023 06:18, Jasen Betts via Exim-users wrote:
> > Their .com is a cname pointing to the .org, so the same host is both
> > .com and .org, but their host isn't using SNI.
> 
> This raises the question: should the name-check be against the CNAME-resolved
> name rather than the initial?  Both?

 Initial. Cert should contain SANs for all supported names.
-- 
 Eugene Berdnikov
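Added example, not code from this thread, from Exim, or from any poster: an RFC 6125-style dNSName check in Python that runs against both names from the question above, the name we asked for and the name the CNAME resolved to. The SAN lists and hostnames are constructed to mirror the .com-CNAME-to-.org situation and are not Mailgun's real certificate data.

```python
def name_matches(pattern, hostname):
    """Match one dNSName SAN pattern against a hostname, RFC 6125 style:
    case-insensitive, label by label, and '*' honoured only as the whole
    left-most label with at least two labels after it (so '*.mailgun.org'
    covers 'smtp.mailgun.org' but not 'mailgun.org', 'a.b.mailgun.org'
    or anything matched by '*.org')."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(p) or not all(h):
        return False
    for i, lbl in enumerate(p):
        if "*" in lbl and (i != 0 or lbl != "*" or len(p) < 3):
            return False  # partial, non-leading or too-broad wildcard
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))

def cert_matches_host(san_dns_names, hostname):
    """True if any dNSName SAN covers hostname; no CommonName fallback."""
    return any(name_matches(san, hostname) for san in san_dns_names)

def verify_peer(san_dns_names, requested_host, cname_target):
    """Run the check against both names from the thread's question: the
    name we asked for and the name the CNAME resolved to."""
    return {
        "initial": cert_matches_host(san_dns_names, requested_host),
        "resolved": cert_matches_host(san_dns_names, cname_target),
    }

# Constructed data modelled on the case above: the .com hostname is a CNAME
# to the .org host, which serves one certificate naming only the .org
# (these SANs and hostnames are illustrative, not Mailgun's real ones).
ORG_ONLY_SANS = ["*.mailgun.org", "mailgun.org"]
FIXED_SANS = ORG_ONLY_SANS + ["*.mailgun.com", "mailgun.com"]

if __name__ == "__main__":
    print(verify_peer(ORG_ONLY_SANS, "smtp.mailgun.com", "smtp.mailgun.org"))
    # -> {'initial': False, 'resolved': True}: checking the initial name,
    # as browsers do, fails until the certificate also names the .com.
    print(verify_peer(FIXED_SANS, "smtp.mailgun.com", "smtp.mailgun.org"))
    # -> {'initial': True, 'resolved': True}
```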



Re: [exim] Wildcard CN verify error

2023-04-20 Thread Jeremy Harris via Exim-users

As a side-note,

On 18/04/2023 20:08, Lance Lovette via Exim-users wrote:

> smtp_mailgun:
> [...]
>   hosts_require_auth = <; $host_address
>   hosts_require_tls = <; $host_address


Just using * for those two would have the same effect,
and save work.
--
Cheers,
  Jeremy




Re: [exim] Wildcard CN verify error

2023-04-20 Thread Jeremy Harris via Exim-users

On 20/04/2023 06:18, Jasen Betts via Exim-users wrote:

> On 2023-04-18, Lance Lovette via Exim-users wrote:
>>> This is a name mismatch: mailgun.org != mailgun.com.
>>
>> Perhaps it's time for a larger font size :) I will put on my dunce cap and
>> go sit in the corner. But shame on Mailgun for responding to .com with a
>> .org certificate!
>>
>> Lance
>
> Their .com is a cname pointing to the .org, so the same host is both
> .com and .org, but their host isn't using SNI.


This raises the question: should the name-check be against the CNAME-resolved
name rather than the initial?  Both?
I've not hunted through standards yet.
--
Cheers,
  Jeremy

