Re: [exim] bounce message with hosts_require_tls
I had a set of custom patches to Exim to do something like this for a
product. I no longer have or maintain them, but it wasn't -too- difficult
to whack up the hosts_require_tls error handling to generate a custom DSN.
I'll see if I can dig back through memory lane with something more helpful,
but it was never quality enough to want to push upstream back into Exim ;)

On Thu, Jan 11, 2018 at 4:38 PM, Daniel Jost wrote:
> Hi!
>
> I created a route and a transport in my exim configuration to allow
> certain sender domains to enforce encrypted transfer (mandatory tls). The
> idea is that if an authenticated user sends an email, the server looks up
> if the domain has mandatory tls enabled and routes the message through the
> transport that only succeeds if the remote mail server supports tls.
>
> That was the easy part. :-) Another part of the idea is that the sender
> receives a bouncer if remote server doesn't support tls. Unfortunately exim
> seems to handle a failed hosts_require_tls condition as a temporary error,
> puts the mail to the queue and tries again and again to deliver the mail.
> If the retry timeout is exceeded, the error message in the bouncer mail is:
>
> "retry timeout exceeded"
>
> instead of something like
>
> "remote server doesn't support tls delivery"
>
> Any idea how to change that behavior so that the sender gets a bouncer
> with a meaningful return message?
>
> My config parts are:
>
> # router/150_exim4-config_mandantorytls_route
> #
> # route for mandantory tls
> mandantorytls_route:
>   debug_print = "R: mandantorytls_route for $domain"
>   driver = dnslookup
>   domains = +mandantorytls_domains
>   transport = remote_smtp_mandantorytls
>
> ### transport/30_exim4-config_remote_smtp_mandantorytls
> ###
> # enforce tls
> remote_smtp_mandantorytls:
>   debug_print = "T: remote_smtp_mandantorytls for $local_part@$domain"
>   driver = smtp
>   hosts_require_tls = *
>   tls_tempfail_tryclear = false
>
> Thanks a lot!
>
> Daniel
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] Best OS to run EXIM
Redhat stopped shipping Exim - so we build our own RPMs and run Exim many
places.
We run mostly CentOS 7 and 6. Very good success for better part of a decade.

On Tue, Oct 18, 2016 at 7:01 PM, 3YSTech Services <3ystechservi...@gmail.com> wrote:
> Hi,
>
> I currently run exim 4.81 on rhel6, looking to run latest EXIM 4.87 on
> RHEL7, couldn't find compiled RPMs for RHEL7 (no fedora). I don't want to
> compile and prefer to get ready compiled RPMs.
>
> Which OS will have RPMs compiled in OS repository (like rhn on rhel)?
>
> Is there appliance that have all EXIM dependency and RPMs installed?
>
> Thanks

--
Brent Jones
br...@brentrjones.com

Re: [exim] safe handling of $tls_sni
I'd like that - and if we were at it, I'd want a safe $sender_host_address
so we can use RHS expansion without modifying the Makefile :)

On Mon, Oct 17, 2016 at 2:53 PM, Mike Tubby <m...@tubby.org> wrote:
>
> Couldn't we have - per perhaps shouldn't we have - a "safe domain name"
> function in Exim that could be used for this and elsewhere where an
> untrusted domain name enters - it would:
>
> * remove white space (tab, space, etc)
> * remove non-printing chars
> * remove 'quoting' and 'escaping'
> * make it lower case
> * only allow valid characters for a FQDN
>
> call it something like "safe_fqdn" and then you could do:
>
> ${if exists{/etc/mail/ssl/${safe_fqdn:$tls_sni}.pem}{/etc/mail/ssl/${safe_fqdn:$tls_sni}.pem}{/etc/mail/default-cert.pem}}
>
> aren't computers are supposed to be doing the work for us...?
>
>
> Mike
>
>
> On 10/17/2016 10:09 PM, Phil Pennock wrote:
>
>> On 2016-10-12 at 14:50 +0200, Arkadiusz Miśkiewicz wrote:
>>
>>> Docs say that $tls_sni has raw data from client:
>>>
>>> "Great care should be taken to deal with matters of case, various
>>> injection attacks in the string (../ or SQL), and ensuring that a valid
>>> filename can always be referenced; it is important to remember that
>>> $tls_sni is arbitrary unverified data provided prior to authentication."
>>>
>> Someone read the text I wrote! Woohoo!
>>
>> (It only took a few years ...)
>>
>>> What is safest approach to handle $tls_sni when trying
>>> to expand it to file on filesystem?
>>>
>> Use a cryptographic hash for the filename. Or base64-encode it.
>> Use symlinks for human-convenience names and any aliases.
>>
>> Your trade-offs are:
>> * a cryptographically-skilled attacker might find a collision and ...
>>   get you to issue, to _them_ (and only them) a certificate for a known
>>   system, while on their side they should be looking to validate against
>>   something else. Woo, they just attacked themselves: on your side, you
>>   don't need to care.
>> * A very long SNI with base64 might look up a very long filename on
>>   disk. Shouldn't be an issue, unless you're mass-hosting on an OS
>>   which only maintains dir hashing for filenames up to a certain length
>>   and need to accept customer-controlled SNI names.
>>   Of course, the systems like that, if memory serves, broke at 32
>>   characters long and a SHA1 hex digest is 40 characters long, so you'd
>>   also want to use ${substr...} to take the first N characters.
>> * If you have a lot of similar names, sha1 will give you more
>>   readily-distinct values which you can tell apart at a glance.
>>
>>   > ${sha1:${lc:mx.spodhuis.org}}
>>   F0DF49E8B2ACF84D5D290E89F9B673EF44B60E74
>>   > ${str2b64:${lc:mx.spodhuis.org}}
>>   bXguc3BvZGh1aXMub3Jn
>>
>> So, eg, `/etc/mail/ssl/bXguc3BvZGh1aXMub3Jn.pem` should exist for this
>> approach, to issue a cert for the name `mx.spodhuis.org`.
>>
>>> Rule like:
>>> ${if exists{/etc/mail/ssl/${tls_sni}.pem}{/etc/mail/ssl/${tls_sni}.pem}{/etc/mail/default-cert.pem}}
>>>
>> ${if exists{/etc/mail/ssl/${str2b64:${lc:$tls_sni}}.pem}{/etc/mail/ssl/${str2b64:${lc:$tls_sni}}.pem}{/etc/mail/default-cert.pem}}
>>   OR
>> ${if exists{/etc/mail/ssl/${sha1:${lc:$tls_sni}}.pem}{/etc/mail/ssl/${sha1:${lc:$tls_sni}}.pem}{/etc/mail/default-cert.pem}}
>>
>> -Phil

--
Brent Jones
br...@brentrjones.com

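The filename mapping discussed in the thread above, modelled in Python as an added example (not code from the posts or from Exim). It contrasts the raw `${tls_sni}` rule with the hashed and base64 forms; the directory layout, the function names and the `???` input are constructed for illustration, and `str2b64` is assumed to use the standard base64 alphabet.

```python
import base64
import hashlib
import os
import tempfile


def sha1_name(sni: bytes) -> str:
    """Mirror ${sha1:${lc:$tls_sni}}: 40 hex digits, upper case as in the post."""
    return hashlib.sha1(sni.lower()).hexdigest().upper()


def b64_name(sni: bytes) -> str:
    """Mirror ${str2b64:${lc:$tls_sni}} (assumption: standard base64 alphabet)."""
    return base64.b64encode(sni.lower()).decode("ascii")


def raw_path(cert_dir: str, sni: bytes) -> str:
    """The rule from the question: the SNI is pasted into the path unchanged."""
    return os.path.normpath(cert_dir + "/" + sni.decode("latin-1") + ".pem")


def stays_inside(cert_dir: str, candidate: str) -> bool:
    """True if candidate resolves to a location under cert_dir."""
    base = os.path.realpath(cert_dir)
    return os.path.commonpath([base, os.path.realpath(candidate)]) == base


def select_cert(cert_dir: str, default_cert: str, sni: bytes, namer=sha1_name) -> str:
    """Same shape as the ${if exists{...}{...}{default}} rule, with an encoded name."""
    candidate = os.path.join(cert_dir, namer(sni) + ".pem")
    return candidate if os.path.exists(candidate) else default_cert


def demo() -> dict:
    """Build a constructed certificate directory and run the three cases."""
    with tempfile.TemporaryDirectory() as root:
        cert_dir = os.path.join(root, "ssl")
        os.mkdir(cert_dir)
        default = os.path.join(root, "default-cert.pem")
        good = os.path.join(cert_dir, sha1_name(b"mx.spodhuis.org") + ".pem")
        for path in (default, good):
            with open(path, "w"):
                pass
        hostile = b"../default-cert"  # constructed SNI containing "../"
        hashed = os.path.join(cert_dir, sha1_name(hostile) + ".pem")
        return {
            # Case differences in the SNI map to the same file.
            "known": select_cert(cert_dir, default, b"MX.Spodhuis.Org") == good,
            # An unknown or hostile name falls through to the default cert.
            "unknown": select_cert(cert_dir, default, hostile) == default,
            # The raw rule resolves to an existing file outside the cert dir.
            "raw_escapes": not stays_inside(cert_dir, raw_path(cert_dir, hostile)),
            # The hashed name cannot leave the cert dir.
            "hashed_inside": stays_inside(cert_dir, hashed),
            # Standard base64 can emit "/", so that form may name a subdirectory.
            "b64_has_slash": "/" in b64_name(b"???"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hex digest only ever contains `0-9A-F`, while standard base64 output can include `/` and `+`; with the base64 rule such a name simply fails the `exists` test and the default certificate is used.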
Re: [exim] EXIM 'Completed' hook'
Was the experimental_events slated to be called 'stable', I thought I
recalled something to that effect :)

On Fri, Oct 30, 2015 at 10:39 AM, Jeremy Harris <j...@wizmail.org> wrote:
> On 30/10/15 17:29, Gary Stainburn wrote:
> > I am using Postgresql with EXIM and I'm storing various details about
> > emails. I can hook into various stages of the emails using the various
> > ACL's but I can't work out how to detect a "Completed" message.
> >
> > Is this possible?
>
> Yes, if you use the EXPERIMENTAL_EVENTS facility. You'll probably
> need to compile your own for that.
> --
> Cheers,
>   Jeremy

--
Brent Jones
br...@brentrjones.com

Re: [exim] POODLE...
Why not just disable the impacted ciphers?
This seems reasonable to me:

  tls_require_ciphers = -ALL:+HIGH:-SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-MD5:AES256-SHA:AES128-SHA

On Fri, Oct 17, 2014 at 6:44 AM, Viktor Dukhovni exim-us...@dukhovni.org wrote:
> On Fri, Oct 17, 2014 at 02:44:16AM -0400, Chris Siebenmann wrote:
>
>> (This is not to say that you should leave SSLv3 on. I'd turn it off
>> for various reasons, including that it's ancient.)
>
> My advice is to leave it on. I understand that turning it off feels
> good, and may even appease some auditors, but the net effect of
> turning it off for SMTP is very slightly negative. A tiny, but
> perhaps sensitive, fraction of systems (some older anti-spam/anti-virus
> appliances) will now only be able to send you email in the clear.
>
> If you want to gain some security, consider disabling RC4 on port
> 587, where TLS should be mandatory, and if any of the submission
> clients are bots or other MTAs that use PLAIN auth, RC4 might leak
> their credentials after some millions of messages.
>
> All this said, most sites that choose to disable SSLv3, will likely
> not notice any difference either way. The fraction of SMTP traffic
> that is SSLv3 is tiny for most domains.
>
> --
>   Viktor.

--
Brent Jones
br...@brentrjones.com

Re: [exim] Experimental Redis lookup
I haven't used it yet, but would like to. Would you mind sharing snippets
of how you are using it?

On Tue, Apr 22, 2014 at 3:33 AM, Warren Baker war...@decoy.co.za wrote:
> Hi all,
>
> I just wanted to ask whether anyone is making use of Redis as a lookup? I
> have been using it for a number of months now without any issue but need
> to find out whether others are or have attempted using it and if it is
> working or didn't work for them.
>
> Thanks
> --
> .warren

--
Brent Jones
br...@brentrjones.com

Re: [exim] test database conn to prevent rejecting messages
Peeked at the source code, but it is outside my abilities to modify.
Wonder if it could be a feature request :)

On Tue, Oct 15, 2013 at 12:53 PM, Brent Jones br...@brentrjones.com wrote:
> What about extending the defer_ok function to ACLs other than callouts
> and virus scanning?
> That way, if you have an ACL that does a DB lookup, you can add the
> /defer_ok switch to the condition, and allow that ACL to accept itself
> if there is a problem?
> If you do this on blacklist or whitelist style ACLs, and not actual user
> lookups or routers, you can safely pass them, error on the side of
> caution if you wanted to just accept the message.
>
> I'll look at the source, to see what that defer_ok looks like
>
> On Sat, Oct 5, 2013 at 8:31 AM, Graeme Fowler gra...@graemef.net wrote:
>> On Fri, 2013-10-04 at 18:16 -0400, josh trier wrote:
>>> I am writing an ACL that a few of my relay servers will use. All is
>>> fine with code. However if the central database server can not be
>>> connected to I want to disable the ACL to prevent messages from being
>>> rejected.
>>>
>>> Right now this is what happens if DB conn fails (example of stopping
>>> mysqld service)
>>>
>>> SMTP 451 Temporary local problem - please try later451 Temporary local problem - please try later
>>> LOG: MAIN REJECT H=localhost [127.0.0.1] F=r...@relay8.hrnoc.net temporarily rejected after DATA: MYSQL connection failed: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock'(2)
>>
>> Although that is indeed a rejection, it's a temporary one. Well-behaved
>> remote servers receiving that will simply re-queue the mail and try
>> again later.
>>
>> Jasen's readsocket approach might have legs, but I think I'd create a
>> shell or perl script that can give you a DB is available or DB is dead
>> response and call that from a warn statement using $run. That way you
>> could set a variable and check for its value in later ACLs, at the cost
>> of making one extra DB connection per message.
>>
>> How to do that will be left as an exercise :)
>>
>> Graeme
>
> --
> Brent Jones
> br...@brentrjones.com

--
Brent Jones
br...@brentrjones.com

Re: [exim] test database conn to prevent rejecting messages
What about extending the defer_ok function to ACLs other than callouts and
virus scanning?
That way, if you have an ACL that does a DB lookup, you can add the
/defer_ok switch to the condition, and allow that ACL to accept itself if
there is a problem?
If you do this on blacklist or whitelist style ACLs, and not actual user
lookups or routers, you can safely pass them, error on the side of caution
if you wanted to just accept the message.

I'll look at the source, to see what that defer_ok looks like

On Sat, Oct 5, 2013 at 8:31 AM, Graeme Fowler gra...@graemef.net wrote:
> On Fri, 2013-10-04 at 18:16 -0400, josh trier wrote:
>> I am writing an ACL that a few of my relay servers will use. All is
>> fine with code. However if the central database server can not be
>> connected to I want to disable the ACL to prevent messages from being
>> rejected.
>>
>> Right now this is what happens if DB conn fails (example of stopping
>> mysqld service)
>>
>> SMTP 451 Temporary local problem - please try later451 Temporary local problem - please try later
>> LOG: MAIN REJECT H=localhost [127.0.0.1] F=r...@relay8.hrnoc.net temporarily rejected after DATA: MYSQL connection failed: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock'(2)
>
> Although that is indeed a rejection, it's a temporary one. Well-behaved
> remote servers receiving that will simply re-queue the mail and try
> again later.
>
> Jasen's readsocket approach might have legs, but I think I'd create a
> shell or perl script that can give you a DB is available or DB is dead
> response and call that from a warn statement using $run. That way you
> could set a variable and check for its value in later ACLs, at the cost
> of making one extra DB connection per message.
>
> How to do that will be left as an exercise :)
>
> Graeme

--
Brent Jones
br...@brentrjones.com

Re: [exim] Goodbye all
On Tue, Jun 25, 2013 at 1:42 AM, Alun a...@aber.ac.uk wrote:
> Dear all,
>
> I've been a lurker and sometime-contributor for many years, but I think
> today's the day to unsubscribe.
>
> For 15 years we've run exim as our primary mail service here at Aber.
> And it's done a sterling, almost faultless job. But management has
> decreed that we shall be an entirely Exchange site and outsource the
> student e-mail service to Office 365.
>
> While we'll still have exim here in some small way (to paper over the
> manifest cracks in the facilities provided by Exchange and O365) it's
> not going to be doing anything interesting or exciting any more.
>
> Thanks for all your interesting messages over the years, and best wishes
> to you all for the future.
>
> Cheers,
> Alun.
>
> --
> Alun Jones, a...@aber.ac.uk, 01970 622494
> Gwasanaethau Gwybodaeth / Information Services
> Prifysgol Aberystwyth / Aberystwyth University

If it counts, my employer handles millions of messages a day through Exim,
coming from primarily Exchange systems with limited to no support for
advanced routing or services :)
Suffice to say, Exchange has its place, but it's certainly not at the core
of e-mail routing! I'm sure your management will realize that in short
order

--
Brent Jones
br...@brentrjones.com

[exim] Using readsocket for ratelimiting?
Has anyone considered, or already made a rate limiting ACL using readsocket?
Besides writing a simple daemon, I don't see any reason not to try this out.

I envision sending various data to the daemon, like sender IP, recipients,
sender address, then getting a pass/fail from the socket depending.
On that pass fail, I guess you could wrap it in a defer or reject ACL,
however you want.
This way, the rate limit database doesn't need to reside on a single box,
the socket daemon could use memcache or a proper DB.

Any thoughts?

--
Brent Jones
br...@brentrjones.com

Re: [exim] Exim and SQL Database performance
On Fri, Jul 13, 2012 at 12:47 PM, Jeremy Harris j...@wizmail.org wrote:
> On 2012-07-13 17:18, Robert Blayzor wrote:
>> When using Exim to pull domainlists, say:
>>
>> domainlist db_localdoms = pgsql;
>
> Run it with suitable debug, and you'll see results being reused
> from cache. It even knows that some SQL ought not to be cached.
> --
> Jeremy

The lookup caching is only for that specific Exim process, on each new
message, it must perform the lookups again.
Such lookups are pretty trivial though, unless later down in your config
you perform joins and such.

--
Brent Jones
br...@brentrjones.com

Re: [exim] ratelimiting outgoing mail
On Mon, Oct 17, 2011 at 5:46 AM, Mikhail Lischuk mlisc...@itx.com.ua wrote:
> Greetings!
>
> I am searching for some easy way to ratelimit my outgoing emails.
>
> My provider requires me to send no more than 30 messages per 10 minutes.
> I've tried to search for some solution at Google and was not successful.
>
> What I was planning to do is setting Exim run queue say once per minute,
> and setting connection_max_messages = 3
>
> However, I fear that it would ruin performance and some emails will be
> delivered with a significant delay.
>
> Is there anything to be advised in such situation?
>
> --
> With Best Regards
> Mikhail Lischuk

Exim documentation has a fully detailed section on its built in rate
limiting facility.
Boiling down a quick example:

  warn hosts = *
       ratelimit = 60 / 1h / strict / per_rcpt / {$sender_host_address}_sender_rcptlimit
       log_message = Rate limit in effect ( $sender_host_address ) exceeds $sender_rate in $sender_rate_period

Put that into an ACL where it makes sense (do they restrict number of
deliveries, recipients, commands?)

--
Brent Jones
br...@servuhome.net

Re: [exim] Calling Cisco PIX Exim users
On Sun, Jan 16, 2011 at 11:19 PM, Phil Pennock exim-us...@spodhuis.org wrote:
> A while back there were some people with issues using a Cisco PIX and
> wanting to be able to work around their outbound connections passing
> through such a device being broken by bugs in the PIX.
>
> Postfix has smtp_pix_workaround_delay_time and I've written a patch for
> Exim to add smtp_dotcrlf_delay as an SMTP Transport option, for much
> the same thing: to delay sending the final dot at the end of sending the
> body of the email.
>
> The patch is attached to:
> http://bugs.exim.org/show_bug.cgi?id=1069
>
> However, while the code is correct by inspection and delayed a test
> outbound connection when I tried it, I haven't got a PIX to test against
> to be *sure* that it actually does what's needed. I do not intend to
> push this patch into the main repo unless and until we get confirmation
> that it actually works.
>
> So, any PIX users want to confirm it works?
>
> Thanks,
> -Phil

I'll have an ASA available soonish to test. Not a PIX, but has similar, if
not the same SMTP inspection garbage.

--
Brent Jones
br...@servuhome.net

Re: [exim] Anybody else getting temporarily rejected RCPT from gmail.com ?
On Fri, Dec 31, 2010 at 3:51 PM, mark david mcCreary m...@internet-tools.com wrote:
> H... nothing has changed here in a while, and I'm now getting
>
> 2010-12-31 22:08:55 H=mail-ww0-f48.google.com [74.125.82.48]:42929 F=edspho...@gmail.com temporarily rejected RCPT aachat-cont...@cirrus.mail-list.com
> 2010-12-31 22:08:55 H=mail-ww0-f48.google.com [74.125.82.48]:42929 incomplete transaction (QUIT) from edspho...@gmail.com
>
> Which does not tell me much. I'm thinking it's DNS related, and it's
> interesting that it's none of my custom ACL messages.
>
> On Gmail's end, they are saying
>
> Technical details of temporary failure:
> Google tried to deliver your message, but it was rejected by the
> recipient domain. We recommend contacting the other email provider for
> further information about the cause of this error. The error that the
> other server returned was: 451 451 Temporary local problem - please try
> later (state 14).
>
> Reverse DNS looks ok for Google. 74.125.82.48 resolves to
> mail-ww0-f48.google.com
>
> Almost, if not all of my ACL defers have a custom message written to my
> log. So I think this must be some low level Exim error.
>
> Can anybody shed some light on how to track this down ?
>
> Thanks
> mark
>
> p.s. Also getting this on some Google Apps domains.

I'm not new to issues with Google SMTP services.
Just a month or so ago, they completely broke TLS for several weeks:
http://www.brentrjones.com/?p=65

Throughout this time, I've seen some wildly random behavior with Google's
SMTP.
Good luck :)

--
Brent Jones
br...@servuhome.net

Re: [exim] Unseen routers and catch-all
On Wed, Nov 10, 2010 at 2:11 AM, Alan Pinder a...@fastvision.com wrote:
> Hi,
>
> First-time poster to this list, please be gentle :)
>
> Currently we have 3 main routers: alias (for forwarders), mailbox and
> catch_all (for all other ones - this performs different actions
> depending on the domain configuration).
>
> We recently had some customers asking us whether they could have the
> same e-mail address for both mailboxes and forwarders - so the message
> gets delivered to a mailbox as well as being forwarded to separate
> destinations.
>
> Looking through the Exim documentation, I noticed the `unseen` directive
> - and added this to the bottom of the alias router. This worked well in
> that messages were delivered to both the mailbox and the forwarders,
> however this has the unfortunate side-effect of also running the
> catch-all router for the e-mail (causing a bounce message to be sent
> back in certain cases!).
>
> I temporarily resolved this by copying the alias router and placing this
> just above the catch-all router:
>
> alias_blackhole_router:
>   driver = redirect
>   condition = condition
>   data = :blackhole:
>
> Our router system now goes: alias - mailbox - alias_blackhole - catchall
>
> This technique seems like a such a `hack` however - running the same
> router twice, just to blackhole a message?
>
> Can anybody in the Exim community recommend a better way of doing this?
> For example, is there a way to retrieve a flag saying whether delivery
> has actually been attempted for this mail (even from an `unseen`
> router).
>
> Kind regards,
> Alan Pinder

You can use address_data
http://www.exim.org/exim-html-current/doc/html/spec_html/ch15.html

--
Brent Jones
br...@servuhome.net

[exim] CIDR mask matching behavior
Eximers,

I noticed some unexpected behavior in Exim when doing send IP address
checks in the SMTP ACL, and later on in the system filter.

In ACL's, you can specify CIDR masks on a non-network address.
IE you can have 10.10.10.15/24, which is valid as 10.10.10.15 would fit
inside a /24 under 10.10.10.0

However, in a system filter doing something like this:

  ${mask:$sender_host_address/24} is 10.10.10.15/24

Will not evaluate true, but it will work in the following:

  ${mask:$sender_host_address/24} is 10.10.10.0/24

I tried finding in the source code where the system filter does netmask
checking, but could only find the section where ACLs evaluate netmasks.

Has anyone encountered this before, or is this working as intended in the
system filter?

--
Brent Jones
br...@servuhome.net

Re: [exim] CIDR mask matching behavior
On Tue, Sep 14, 2010 at 8:03 PM, Phil Pennock exim-us...@spodhuis.org wrote:
> On 2010-09-14 at 19:42 -0700, Brent Jones wrote:
>> I noticed some unexpected behavior in Exim when doing send IP address
>> checks in the SMTP ACL, and later on in the system filter.
>> In ACL's, you can specify CIDR masks on a non-network address.
>> IE you can have 10.10.10.15/24, which is valid as 10.10.10.15 would
>
> This is the specification of a netblock which uses a masklen; the lower
> bits don't matter and can be ignored.
>
>> fit inside a /24 under 10.10.10.0
>> However, in a system filter doing something like this:
>> ${mask:$sender_host_address/24} is 10.10.10.15/24
>
> The ${mask:...} expansion operator is explicitly defined to mask out the
> address so that you can do a literal comparison and ignore the lower
> bits.
>
>   ${mask:$sender_host_address/24} is ${mask:10.10.10.15/24}
>
>> Has anyone encountered this before, or is this working as intended in
>> the system filter?
>
> As intended.
>
> -Phil

As usual, I was using a function incorrectly :)
Thank you for the clarification!

--
Brent Jones
br...@servuhome.net

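The two comparisons from the thread above, modelled in Python as an added example (not Exim code and not from the posts). `exim_mask`, `filter_is` and `hostlist_match` are hypothetical names for the three behaviours described, restricted to IPv4, and the sender addresses are constructed.

```python
import ipaddress


def exim_mask(value: str) -> str:
    """Model ${mask:<address>/<bits>} for IPv4: zero the host bits, keep '/<bits>'."""
    network = ipaddress.ip_network(value, strict=False)
    return f"{network.network_address}/{network.prefixlen}"


def filter_is(left: str, right: str) -> bool:
    """Model the filter's 'is' test: a string comparison, not a netblock match."""
    return left.lower() == right.lower()


def hostlist_match(address: str, netblock: str) -> bool:
    """Model a netblock item in an ACL host list: only the network bits count."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(netblock, strict=False)


def evaluate(sender: str) -> dict:
    """Run every form of the test from the thread against one sender address."""
    masked = exim_mask(f"{sender}/24")
    return {
        "masked": masked,
        # ACL host list: 10.10.10.15/24 names the whole /24.
        "acl 10.10.10.15/24": hostlist_match(sender, "10.10.10.15/24"),
        # Filter: the right-hand side is compared literally, host bits and all.
        "is 10.10.10.15/24": filter_is(masked, "10.10.10.15/24"),
        "is 10.10.10.0/24": filter_is(masked, "10.10.10.0/24"),
        # The form from the reply: mask both sides before comparing.
        "is ${mask:10.10.10.15/24}": filter_is(masked, exim_mask("10.10.10.15/24")),
    }


if __name__ == "__main__":
    # Constructed sender addresses: two inside 10.10.10.0/24, one outside.
    for sender in ("10.10.10.15", "10.10.10.200", "10.10.11.7"):
        print(sender, evaluate(sender))
```

Even a sender of exactly 10.10.10.15 fails the unmasked right-hand side, because the left-hand side has already had its host bits cleared.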
Re: [exim] Ports
On Mon, Aug 16, 2010 at 3:45 PM, David Woodhouse dw...@infradead.org wrote:
> On Mon, 2010-08-16 at 23:24 +0100, Stephen Gran wrote:
>> On Mon, Aug 16, 2010 at 10:37:19PM +0100, Martin A. Brooks said:
>>> On Mon, August 16, 2010 21:55, Grant Peel wrote:
>>>> Hi all,
>>>>
>>>> What are all the ports that exim might use for the control channel
>>>> and data transfers?
>>>>
>>>> I have a hole punched in my switch's firewall, (port 25 and 587).
>>>> but somehow I am still getting operation timeouts when it talking
>>>> with other servers.
>>>
>>> What has your research into the SMTP protocol suggested to you so far?
>>
>> I suspect that the twin bugbears of ident and name service are going to
>> prove fruitful areas of research.
>
> And ICMP, of course. Blocking that could lead to timeouts as soon as you
> actually start trying to transfer data.
>
> --
> dwmw2

Shouldn't need any ICMP ports open inbound for SMTP, it's all TCP.
I would suggest that if you are NATing, that you have the correct
configuration to keep state for your connections.
Your firewall should also allow all the common SMTP ports outbound (25, 465).

--
Brent Jones
br...@servuhome.net

Re: [exim] allow RCPT unconditionally when target domain is local?
On Mon, Aug 16, 2010 at 6:53 PM, Morgan Gangwere 0.fracta...@gmail.com wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> I'm trying to set up Exim4 still, and this time I've figured out half my
> problem: the split configuration wasn't set up right. Duh.
>
> Now onto my /new/ problem: Getting mail. I can send mail no problem, and
> routing tests out fine. My machine has 2 domains tied to it:
> indrora.homelinux.org and kabuki-duke.ath.cx. Both are marked to have
> the MX domain as indrora.homelinux.org.
>
> If I send mail from my gmail address to my indrora.homelinux.org email
> address I get:
>
> 2010-08-16 18:11:11 H=mail-yw0-f51.google.com [209.85.213.51] F=0.fracta...@gmail.com rejected RCPT m...@indrora.homelinux.org: relay not permitted
>
> how can I unconditionally allow messages in from the outside world as
> long as they are in the aliases file?
>
> - --
> Morgan Gangwere

It seems to be you don't have those domains in your local domains list,
regardless of entries in your alias file.

--
Brent Jones
br...@servuhome.net

Re: [exim] Exim retry bypasses system filter
JR,

Upon looking more at the debug output, another entry in the system filter
evaluated true, and had a significant action itself and was not going to
the later bits of the system filter.
I wasn't using the filter debug flag correctly earlier, which led me to
believe it wasn't even reaching the system filter, but in fact it is, but
hitting another rule.

The rule behaved similar to the first_delivery, I add headers to the
message, and if they exist, I exit the filter for normal delivery. Once the
message passed through successfully the first time, those headers were
present in the retry, and triggered the filter to setup normal delivery.

So this was all my fault ;)
Thank you all for looking into the issue though. I learn something new with
Exim every day, quite a flexible mailer, this is.

On Tue, Jun 8, 2010 at 1:38 AM, J.R.Haynes j.hay...@cranfield.ac.uk wrote:
> On Tue, 8 Jun 2010 at 04:06 +0100, Brent Jones wrote
>> The behavior as I understand it written on:
>> http://www.exim.org/exim-html-current/doc/html/spec_html/ch43.html
>> The system filter is run at the start of a delivery attempt, before any
>> routing is done. If a message fails to be completely delivered at the
>> first attempt, the system filter is run again at the start of every
>> retry.
>
> The sentence after that says 'If you want your filter to do something
> only once per message, you can make use of the first_delivery condition
> in an if command in the filter to prevent it happening on retries.'
>
> Have you perhaps got an if (first_delivery) around the whole filter or
> part of it?
>
> --
> J. R. Haynes Senior Network Specialist IT Department, e-mail:
> j.hay...@cranfield.ac.uk Bld 63, Cranfield University, Tel: Bedford
> (01234) 754205 Wharley End, Bedford (01234) 750111 Extn 4205 Cranfield,
> Fax: Bedford (01234) 751814 Beds., MK43 0AL.

--
Brent Jones
br...@servuhome.net

[exim] Exim retry bypasses system filter
Hello Exim users,

We have some Exim servers that use the system filter to save certain messages to an NFS backing store. While this works a majority of the time, we would like a graceful way to handle when the NFS server may be down for maintenance.

The OS handles it fine using soft mounts, if the server is unavailable it will notify Exim for example that a timeout occurred. Exim will properly defer the message at that point and keep it spooled/retry queue. However, when the message is tried next, it will not go through the system filter as I would like it to, it will instead use the first router that can handle the message.

The behavior as I understand it written on: http://www.exim.org/exim-html-current/doc/html/spec_html/ch43.html

The system filter is run at the start of a delivery attempt, before any routing is done. If a message fails to be completely delivered at the first attempt, the system filter is run again at the start of every retry.

That to me means for retry deliveries, it should re-process the system filter, instead of jumping to the routers immediately. However, my system filter does take into account sender host address, and sender address domain. Do retry attempts not include this information when it comes up for delivery again? If not, how would I re-process these messages and categorize them correctly?

An example system filter rule:

    if ${mask:$sender_host_address/24} is 10.0.0.0
       and ( $sender_address_domain is spammer.com )
    then
      save /some/nfs/share/
    endif

Any thoughts would be greatly appreciated

--
Brent Jones br...@servuhome.net
Re: [exim] Retry hint left over after successful delivery
On Tue, May 25, 2010 at 6:37 PM, Simon Johnstone si...@abominable.org.uk wrote:

> Hi all,
>
> Encountered a strange issue I was hoping someone might be able to explain. Exim 4.69/Debian (although a 4.71 source build seems to do the same).
>
> An email was sent on the 19th to a domain with two MXes:
>
> * first MX responded to 'RCPT TO' with a 4xx code (greylisting, AFAICT)
> * second MX accepted the message
>
> However, a retry entry was still created:
>
>   R:j...@somedomain.co.uk:si...@mydomain.co.uk -44 13133 SMTP error from remote mail server after RCPT TO:j...@somedomain.co.uk: host mx2.SOMEDOMAIN.co.uk [xx.xx.xx.xxx]: 451 Deferred: Temporary error, please
>   19-May-2010 00:27:48 25-May-2010 22:58:40 26-May-2010 04:58:40 *
>
> Fast-forward to today - the retry time (4 days) has expired, which seems to be causing subsequent messages sent with the same retry key (recipient:sender) to bounce *immediately* if both MXes return a 4xx code (which they do, again due to the other end's greylisting).
>
> Is this expected behaviour and/or am I missing something obvious? I imagined a successful delivery would *always* remove the retry hint (in this case, perhaps not even bothering to create one in the first place, since I suspect the delivery process adding the entry was the same to deliver the message moments later, when it tried the second MX).
>
> Thanks, Simon.

I see that behavior as well, especially with Postini's greylisting (they will accept one recipient, but 400 defer another recipient to the same domain). Exim will abort the entire message, enter an entry into the retry database, and not retry any recipient to that domain until the entry expires.

Sometimes, I wish you could disable Exim's retry database and run it as a dumb server almost, but the benefits outweigh disabling it in most cases still. But I'm still struggling to find a proper way to handle these cases.

--
Brent Jones br...@servuhome.net
[exim] System filter file size too big
Hello Exim users,

We have a relatively large system filter, it just crossed the 1MB barrier. We are now getting this in the logs, and deliveries are appearing to be problematic now:

2010-03-26 14:30:37 1NvEIn-000MUt-SL Error in system filter: /etc/exim/prereview_filters is too big (max 1048576)

I haven't found any variables to increase the maximum allowable file size, is it a tuneable in the Makefile somewhere?

--
Brent Jones br...@servuhome.net
Re: [exim] System filter file size too big
On Fri, Mar 26, 2010 at 3:14 PM, B. Johannessen b...@db.org wrote:

> On 26/03/10 19:33, Brent Jones wrote:
>
> > I haven't found any variables to increase the maximum allowable file size, is it a tuneable in the Makefile somewhere?
>
> Set MAX_FILTER_SIZE in Local/Makefile and rebuild.
>
> Bob

Bob,

Your suggestion worked great, thank you

Regards,

--
Brent Jones br...@servuhome.net
[exim] 451 deferral for one recipient causes Exim to put entire domain in retry db
Hello,

We are running into a strange issue with Postini. We have a message that is submitted to multiple users on the same domain, however, Postini responds with

451 recipients not all at same mail host -psmtp

for just one or two recipients. Exim interprets this as a deferral for entire recipients domain, and will not complete the message even to the recipients that were OK. This puts the entire domain in the retry database, even though only 1 recipient had a temporary failure.

However, you can telnet to Postini, manually add the recipients, some will give the 451 deferral, but you can continue to submit the message and Postini will accept it, minus the recipients who were deferred.

Postini's behavior is strange admittedly, and I've read reports of some other mail servers struggling with this, but I believe Exim could work around this. Is there a way to have Exim continue past a single deferral for recipients on the same domain, and deliver to the recipients that were accepted?

My Config: FreeBSD 8.0, Exim 4.68, pretty standard relay configuration

--
Brent Jones br...@servuhome.net
Re: [exim] google postini services and exim
On Wed, Dec 16, 2009 at 2:18 PM, Francesco Pasqualini fra...@gmail.com wrote:

> Hi all,
>
> I'm a happy exim user. I'm considering to use the google postini services as antispam solution for the exim server I administer for a customer... Is exim supported ?
>
> http://www.google.com/support/appsecurity/bin/answer.py?answer=91332
>
> *Supported Mail Servers*: The service supports all common mail servers, including Microsoft Exchange Server, Lotus Domino, Postfix, Sendmail, Macintosh OS X Server, and Novell Groupwise.
>
> Is there somebody that already tried the google antispam solution with exim4?
>
> thanks

I've used Postini services in the past with a wide variety of mail servers. While Postini won't even know what an Exim is, it will certainly work just perfect.

While you're at it, I'd suggest locking down your Exim to only accept mail from Postini's IP ranges, and a small subset of trusted hosts on your network. Will cut down on the amount of traffic wasted by you having to accept connections from hosts not using MX records.

--
Brent Jones br...@servuhome.net
[exim] System filter length
Hello,

I was wondering how long a system filter could get, in terms of lines, statements, and actions. We have an application which writes a new system filter based on new rules on where to save mail to, add/remove headers, delivery rules, etc.

Our needs have made the filter get very long, up to 1,000 lines right now, with about 100 statement blocks. Has anyone hit any 'limits' on the size of the system filter, or severe performance degradation? The servers still have pretty low load, even with processing 100,000+ messages daily.

Any experience or thoughts would be appreciated

--
Brent Jones br...@servuhome.net
[exim] Queue_run_max question
I have a small load server (70k deliveries a day) and thought I'd try using queue_only, with queue_run_max = 15 to see if it makes things a bit more efficient.

I've discovered it will only spawn about 5 queue runners, and messages will queue up for up to 15 minutes before a runner finally gets to it. I have split_spool_directory enabled, load on the server is 0.05, disk IO is negligible, I don't see why Exim spawns so few queue runners and why they take so long to process messages.

It performs flawlessly when it is not in queue_only, queue time and delivery time is ~1 second, and the only messages in the queue are frozen or in retry state (about 100 messages on average).

Here are some relevant lines from my config, Exim 4.68, FreeBSD 6.2, Quad Cores with 4GB RAM and 15k SAS disks.

    split_spool_directory
    queue_only
    queue_run_max = 20
    remote_max_parallel = 10
    ignore_bounce_errors_after = 4d
    timeout_frozen_after = 4d
    delay_warning = 2h:8h:24h
    smtp_accept_max = 1000
    smtp_accept_max_per_connection = 4000
    smtp_accept_queue_per_connection = 4000
    smtp_accept_max_per_host = 200
    smtp_accept_reserve = 40
    smtp_reserve_hosts = obscan_hosts
    message_size_limit = 50M

Any thoughts?

--
Brent Jones [EMAIL PROTECTED]
Re: [exim] Queue_run_max question
On Thu, Nov 20, 2008 at 1:34 PM, Dean Brooks [EMAIL PROTECTED] wrote:

> On Thu, Nov 20, 2008 at 10:34:55AM -0800, Brent Jones wrote:
>
> > I have a small load server (70k deliveries a day) and thought I'd try using queue_only, with queue_run_max = 15 to see if it makes things a bit more efficient.
>
> Couple of things:
>
> 1. Exim only starts a queue runner every nn minutes, where nn is specified on the -q flag on the startup command line of Exim daemon itself. This is commonly set to -q15m, but you can certainly lower it to something lower, such as -q1m. Just watch the system load carefully. This is typically set in your /etc/rc2.d startup directory where Exim daemon is first started.

I have it set to -q1m

> 2. When the -q time limit above is reached, it only spawns a single extra queue runner. Therefore, if you set your daemon to -q1m, it could take 15 minutes from restart before all 15 queue runners are running (per your queue_run_max=15 setting).

That I didn't know, I thought it would spawn 15 runners, and each would process the queue and be off.

> 3. Remember that queued messages will be skipped if they are pending a retry due to a previous temporary failure. As a result, sometimes a queue runner will start and skip over a large number of messages. That is normal if those messages haven't reached their retry time yet.

Yah, anything that ends up in the retry queue will eventually get frozen and timeout. Lots of messages get skipped.

> 4. After a day or so running, you'll likely not see all 15 queue runners running at same time unless you have a lot of undeliverables on your queue. The reason is that most messages will not have hit their retry time yet, and the queue runner will fly through all the messages and then end. Once a queue runner has run through all the messages, it quietly ends.
>
> 5. Setting queue_only may not help performance much if your box is already sitting idle most of the time. The most it will do is delay processing of your message. If your machine isn't heavily loaded and you don't fear spikes of heavy use, it's safe to revert back to immediate processing of incoming messages. Setting queue_only does keep the load a bit more consistent though.
>
> Hope this helps some.

Helps a lot, thank you for explaining those options. I was hoping to make sure the load was steady even if we got a big spike, but it likely won't be an issue for a while.

It was just odd seeing deliveries not be captured by the queue runners and delivered the way I thought it would work, seeing some normal deliveries sit in the queue even with multiple queue runners, passing up those messages even if they hadn't been tried yet.

I'll revert from queue_only, and just let things operate as they were which worked perfectly. Thanks

> --
> Dean Brooks [EMAIL PROTECTED]

--
Brent Jones [EMAIL PROTECTED]
Re: [exim] clamd not scanning?
On Sun, Nov 16, 2008 at 12:16 PM, lee [EMAIL PROTECTED] wrote:

> Hi,
>
> it seems that clamd is not scanning mails. I have:
>
>   av_scanner = clamd:/var/run/clamav/clamd.ctl
>
>   acl_check_data:
>   # Deny if the message contains a virus. Before enabling this check, you
>   # must install a virus scanner and set the av_scanner option above.
>   # denymessage= This message contains a virus ($malware_name).
>   demime = *
>   malware= */defer_ok
>
> Clamd is running, exim doesn't complain about it not being available. I don't see any indication in any of the logfiles that clamd is getting any mail to scan, and I can send eicar test files without them being detected, not even when the test string is plain in the body of the testmail. Scanning the file with clamscan detects the eicar test correctly.
>
> What am I missing? How can I see if exim actually feeds mail through clamd? Shouldn't there something about scanning activity show up in the logfiles?

Make sure you use freshclam to update definitions. Also make sure that path is correct. Turn on Log Clean Messages in Clamd so you can see if it thinks the messages are clean.

--
Brent Jones [EMAIL PROTECTED]
[exim] Exim include file for routers
Exim users,

Is there a way to include a separate file from within the routers section? I would like to put the include file before other routers take place, but am unsure the order that Exim will process it if inside another file.

Is this possible, and which order will Exim process the routers?

Thanks!

--
Brent Jones [EMAIL PROTECTED]
Re: [exim] Exim include file for routers
On Fri, Nov 14, 2008 at 5:05 PM, Ted Cooper [EMAIL PROTECTED] wrote:

> Brent Jones wrote:
>
> > Exim users, Is there a way to include a separate file from within the routers section? I would like to put the include file before other routers take place, but am unsure the order that Exim will process it if inside another file. Is this possible, and which order will Exim process the routers?
>
> The routers are always processed in order.
>
> See 6.3. File inclusions in the configuration file http://docs.exim.org/current/spec_html/ch06.html#SECID41
>
> You also need to read 3. How Exim receives and delivers mail http://docs.exim.org/current/spec_html/ch03.html
>
> --
> The Exim Manual http://www.exim.org/docs.html http://docs.exim.org/current/
> Something else entirely. http://spudlugs.com

Thank you, I have the Exim4 book, but couldn't find the .include info in it, but I did find it later. The book wasn't exactly clear in which order it would process the includes, but it looks like it will see the .include, read the file, then come back to the rest of the routers if the .include did not match anything.

--
Brent Jones [EMAIL PROTECTED]
Re: [exim] DNS blacklists downloads?
On Tue, Nov 11, 2008 at 6:35 AM, Peter Kirk [EMAIL PROTECTED] wrote:

> Hi All
>
> I have noticed about 3 times today my exim server has used a lot on DNS, about 2GB a time. Below are the logs from my bandwidth monitoring
>
>   x.x.x.x   b.dns.br              2135.61 MB
>   x.x.x.x   200.160.0.10          2135.47 MB
>   x.x.x.x   jim1.us.archive.org   2135.32 MB
>   x.x.x.x   ns20.ja.net           223MB
>   x.x.x.x   ns8.spamhaus.org      199.27MB
>
> I have checked the ip addresses and it has to do with the dns blacklisting in exim. Any ideas why it would use so much bandwidth.
>
> I looked more into the logs for 200.160.0.10 on our Cisco ASA and got the following
>
>   Nov 11 15:16:57 %ASA-6-302015: Built outbound UDP connection 17443293 for outside:200.160.0.10/53 (200.160.0.10/53) to hsn:x.x.x.x/55074 (x.x.x.x/55074)
>   Nov 11 15:16:57 %ASA-6-302015: Built outbound UDP connection 17443293 for outside:200.160.0.10/53 (200.160.0.10/53) to hsn:x.x.x.x /55074 (x.x.x.x /55074)
>   Nov 11 15:16:57 %ASA-6-302015: Built outbound UDP connection 17443293 for outside:200.160.0.10/53 (200.160.0.10/53) to hsn:x.x.x.x /55074 (x.x.x.x /55074)
>   Nov 11 15:19:01 %ASA-6-302016: Teardown UDP connection 17443293 for outside:200.160.0.10/53 to hsn:x.x.x.x /55074 duration 0:02:03 bytes 176
>   Nov 11 15:19:01 %ASA-6-302016: Teardown UDP connection 17443293 for outside:200.160.0.10/53 to hsn:x.x.x.x /55074 duration 0:02:03 bytes 176
>   Nov 11 15:19:01 %ASA-6-302016: Teardown UDP connection 17443293 for outside:200.160.0.10/53 to hsn:x.x.x.x /55074 duration 0:02:03 bytes 176
>   Nov 11 16:05:33 %ASA-6-302015: Built outbound UDP connection 17614488 for outside:200.160.0.10/53 (200.160.0.10/53) to hsn:x.x.x.x /55074 (x.x.x.x /55074)
>   Nov 11 16:05:33 %ASA-6-302015: Built outbound UDP connection 17614488 for outside:200.160.0.10/53 (200.160.0.10/53) to hsn:x.x.x.x /55074 (x.x.x.x /55074)
>   Nov 11 16:05:33 %ASA-6-302015: Built outbound UDP connection 17614488 for outside:200.160.0.10/53 (200.160.0.10/53) to hsn:x.x.x.x /55074 (x.x.x.x /55074)
>   Nov 11 16:07:37 %ASA-6-302016: Teardown UDP connection 17614488 for outside:200.160.0.10/53 to hsn:x.x.x.x /55074 duration 0:02:03 bytes 2239204366
>   Nov 11 16:07:37 %ASA-6-302016: Teardown UDP connection 17614488 for outside:200.160.0.10/53 to hsn:x.x.x.x /55074 duration 0:02:03 bytes 2239204366
>   Nov 11 16:07:37 %ASA-6-302016: Teardown UDP connection 17614488 for outside:200.160.0.10/53 to hsn:x.x.x.x /55074 duration 0:02:03 bytes 2239204366
>
> As you can see, it downloaded about 1GB at a time :-(
>
> Thanks for help in advance

What does the mail volume on this server look like? Do you use any caching resolver locally? Does the ASA perform any DNS inspection? (enabled by default)

--
Brent Jones [EMAIL PROTECTED]
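An added example, not part of the original thread: one way to triage ASA 302016 teardown records like those quoted above is to collapse repeated records for the same connection id and then list the UDP port 53 flows whose byte count is far beyond what DNS lookups normally need. The sample lines, the documentation-range addresses, the connection ids and the 1,000,000-byte threshold are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample in the record format quoted in the thread. Each record is
# repeated, as in the quoted log, so that de-duplication has something to do.
SAMPLE_LOG = """\
Nov 11 15:16:57 %ASA-6-302015: Built outbound UDP connection 1001 for outside:198.51.100.10/53 (198.51.100.10/53) to hsn:192.0.2.25/55074 (192.0.2.25/55074)
Nov 11 15:19:01 %ASA-6-302016: Teardown UDP connection 1001 for outside:198.51.100.10/53 to hsn:192.0.2.25 /55074 duration 0:02:03 bytes 176
Nov 11 15:19:01 %ASA-6-302016: Teardown UDP connection 1001 for outside:198.51.100.10/53 to hsn:192.0.2.25 /55074 duration 0:02:03 bytes 176
Nov 11 16:07:37 %ASA-6-302016: Teardown UDP connection 1002 for outside:198.51.100.10/53 to hsn:192.0.2.25 /55074 duration 0:02:03 bytes 2239204366
Nov 11 16:07:37 %ASA-6-302016: Teardown UDP connection 1002 for outside:198.51.100.10/53 to hsn:192.0.2.25 /55074 duration 0:02:03 bytes 2239204366
Nov 11 16:07:37 %ASA-6-302016: Teardown UDP connection 1002 for outside:198.51.100.10/53 to hsn:192.0.2.25 /55074 duration 0:02:03 bytes 2239204366
Nov 11 16:09:10 %ASA-6-302016: Teardown UDP connection 1003 for outside:203.0.113.7/53 to hsn:192.0.2.25/40112 duration 0:00:01 bytes 412
Nov 11 16:10:00 %ASA-6-302016: Teardown UDP connection 1004 for outside:203.0.113.9/123 to hsn:192.0.2.25/123 duration 0:10:00 bytes 5000000
"""

# The quoted log sometimes has a space before the "/port" part, so allow it.
TEARDOWN = re.compile(
    r"%ASA-6-302016: Teardown UDP connection (?P<conn>\d+) "
    r"for \S+?:(?P<peer>[^/\s]+)\s*/(?P<pport>\d+) "
    r"to \S+?:(?P<inside>[^/\s]+)\s*/(?P<iport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
)

Flow = namedtuple("Flow", "conn_id peer peer_port inside inside_port seconds nbytes")


def parse_teardowns(text):
    """Return {connection id: Flow}, keeping one record per connection id."""
    flows = {}
    for line in text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue  # Built records and unrelated messages carry no byte count
        seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        flow = Flow(int(m["conn"]), m["peer"], int(m["pport"]),
                    m["inside"], int(m["iport"]), seconds, int(m["bytes"]))
        flows.setdefault(flow.conn_id, flow)  # repeated records count once
    return flows


def dns_flows(flows):
    """Flows where either end is UDP port 53."""
    return [f for f in flows.values() if 53 in (f.peer_port, f.inside_port)]


def bytes_per_peer(flows):
    """Total de-duplicated DNS bytes per outside address."""
    totals = {}
    for f in dns_flows(flows):
        totals[f.peer] = totals.get(f.peer, 0) + f.nbytes
    return totals


def flag_outliers(flows, max_bytes=1_000_000):
    """DNS flows above max_bytes (an assumed threshold), largest first."""
    big = [f for f in dns_flows(flows) if f.nbytes > max_bytes]
    return sorted(big, key=lambda f: f.nbytes, reverse=True)


if __name__ == "__main__":
    parsed = parse_teardowns(SAMPLE_LOG)
    print("DNS bytes per peer:", bytes_per_peer(parsed))
    for f in flag_outliers(parsed):
        rate = f.nbytes / max(f.seconds, 1)
        print(f"conn {f.conn_id}: {f.peer}:{f.peer_port} -> {f.inside}:{f.inside_port} "
              f"{f.nbytes} bytes in {f.seconds}s ({rate:.0f} B/s)")
```

Summing raw log lines without the de-duplication step would count the large flow three times, which matters when the totals are compared with a separate bandwidth monitor.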
Re: [exim] SMTP-AUTH problem
Ian Roberts wrote:

> Hello,
>
> I have a slight problem, my users are in Ldap, and smtp auth is working correctly. BUT, we have some code running on remote systems that we have no access to, trying to supply the username as the full email address of the account instead of just the givename.
>
> How can I edit my authenticator in exim4 to allow both user and [EMAIL PROTECTED] as the supplied username? Here are my current authenticators:
>
>   pam_plain:
>     driver = plaintext
>     public_name = PLAIN
>     server_condition = ${if pam{$2:$3}{1}{0}}
>     server_set_id = $2
>     server_prompts = :
>
>   pam_login:
>     driver = plaintext
>     public_name = LOGIN
>     server_prompts = Username:: : Password::
>     #server_prompts = :
>     server_condition = ${if pam{$1:$2}{1}{0}}
>     # server_condition = ${if or [EMAIL PROTECTED]:$2}{1}{0}}} {pam{$1:$2}{1}{0}}}
>     server_set_id = $1
>
> Thanks so much, Ian

Exim can do text substitution with 'sg'

Here's the chapter from Google Books (not sure how much you're allowed to read at once): http://books.google.com/books?id=foCRVaMeRMgCpg=RA1-PA388lpg=RA1-PA388dq=exim+text+substitutionsource=webots=wpogDhTpTVsig=l7tMlrenKp682OHpFxupZK6QRX0hl=ensa=Xoi=book_resultresnum=3ct=result

Could find and replace the @domain.com field, and just pass the username to the authenticator.

Brent Jones
[exim] Maildir file names
Exim users,

I have a few Exim servers all running latest Exim. However, one server in particular is writing Maildir filenames different than the rest. For example, I'm used to seeing something like this:

1213327320.M661768P70844V005BI00764960_0.server.domain.com,S=2076:2,

This server is only writing these filenames:

1215326800.H536521P26074.:2,S

I doubt I'll ever get a file with the same name in either case (one in ... too high to count chances) But I was wondering what decides this behavior? And is something configured wrong for the incredible difference?

Regards,

--
Brent Jones [EMAIL PROTECTED]
Re: [exim] Maildir file names
On Sun, Jul 6, 2008 at 2:57 AM, Phil Pennock [EMAIL PROTECTED] wrote:

> On 2008-07-06 at 01:54 -0700, Brent Jones wrote:
>
> > I have a few Exim servers all running latest Exim. However, one server in particular is writing Maildir filenames different than the rest. For example, I'm used to seeing something like this:
> >
> > 1213327320.M661768P70844V005BI00764960_0.server.domain.com,S=2076:2,
>
> Are you sure that this later version isn't a rename by the software which reads the email? (POP3 server, whatever)
>
> Exim documents the filename construction in The Exim Specification, 26.5 Maildir delivery (and 26.6 for maildir_tag). The V..._0 part there is anomalous. Rephrasing, it should be:
>
> time.seconds.Mtime.microsecondsPpid.primary_hostnametag
>
> where tag typically starts with a comma ','.

It could be an IMAP client renaming these files, but not likely, the application simply does a copy/purge on messages (in-house application)

> > This server is only writing these filenames:
> >
> > 1215326800.H536521P26074.:2,S
>
> That suggests that primary_hostname is unset, which is weird, since it should be derived from uname if not explicitly set. Do you have anything in your config explicitly setting 'primary_hostname = ' ?
>
> What does:
>
>   shell$ exim -bP primary_hostname
>
> show?

Shows the fully qualified hostname of the server. One thing to note, I am using SA-Exim on the server that is naming the Maildir files odd, maybe that has something to do with it? I'll take it out of the configuration and see what happens.

--
Brent Jones [EMAIL PROTECTED]
Re: [exim] Maildir file names
Phil Pennock wrote:

> On 2008-07-06 at 15:12 -0700, Brent Jones wrote:
>
> > It could be an IMAP client renaming these files, but not likely, the application simply does a copy/purge on messages (in-house application)
>
> So when the IMAP server sees the files and shows them to the user, doesn't it move them from the new/ sub-directory to the cur/ sub-directory? This being intrinsic to Maildir, rather than IMAP-level copy/purge.
>
> -Phil

It does, but we have an in-house application that comes in via IMAP, does some message processing, and moves them out of the Inbox into processed folders. But it shouldn't be changing the name at all, since when it moves them, it simply does a copy to another folder, mark the old message for deletion, then purges.

Brent Jones
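An added example, not part of the original thread: a small parser that splits the two Maildir filenames quoted above into their components, so the difference the posters discuss (the letter-prefixed fields, the empty hostname part, the size tag and the flags after ":2,") can be inspected when working out which software wrote or renamed a file. The field names are assumptions based on common Maildir naming practice (M and H microseconds, P process id, V device, I inode); the code does not claim which program produced either name.

```python
import re
from datetime import datetime, timezone

# Letter-prefixed fields in the middle component, e.g. M661768 P70844 V005B.
FIELD = re.compile(r"([A-Z])([0-9A-Fa-f]+)")

# Assumed meanings of the field letters seen in the two names from the thread.
FIELD_NAMES = {"M": "microseconds", "H": "microseconds", "P": "pid",
               "V": "device", "I": "inode"}

# Standard Maildir info flags that may follow ":2,".
FLAG_NAMES = {"D": "draft", "F": "flagged", "P": "passed",
              "R": "replied", "S": "seen", "T": "trashed"}


def parse_maildir_name(name):
    """Split a Maildir filename into time, fields, host, tags and flags."""
    base, _, flag_chars = name.partition(":2,")
    unique, *tags = base.split(",")          # tags such as S=2076 follow a comma
    parts = unique.split(".", 2)             # time . middle . host (host may hold dots)
    if len(parts) != 3 or not parts[0].isdigit():
        raise ValueError("not a time.middle.host Maildir name: %r" % name)
    epoch, middle, host = parts
    middle, _, counter = middle.partition("_")
    pairs = FIELD.findall(middle)
    if "".join(k + v for k, v in pairs) != middle:
        raise ValueError("unrecognised middle component: %r" % middle)

    warnings = []
    if not host:
        # Without a hostname, uniqueness rests on time and pid alone.
        warnings.append("empty hostname component")
    for letter, _ in pairs:
        if letter not in FIELD_NAMES:
            warnings.append("unknown field letter %s" % letter)

    size = next((int(t[2:]) for t in tags if t.startswith("S=")), None)
    return {
        "delivered_utc": datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat(),
        "layout": "".join(letter for letter, _ in pairs),
        "fields": dict(pairs),
        "counter": counter or None,
        "host": host,
        "size": size,
        "flags": [FLAG_NAMES.get(c, c) for c in flag_chars],
        "warnings": warnings,
    }


if __name__ == "__main__":
    # The two filenames quoted in the thread.
    for sample in ("1213327320.M661768P70844V005BI00764960_0.server.domain.com,S=2076:2,",
                   "1215326800.H536521P26074.:2,S"):
        info = parse_maildir_name(sample)
        print(sample)
        for key, value in info.items():
            print("   %-14s %s" % (key, value))
```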
Re: [exim] Spool file is locked leading to long retry time
Quoting Doug [EMAIL PROTECTED]:

> Hi all,
>
> I have a problem with some mail on my system. Whenever a queue runner comes across a message with a locked spool file, it will not attempt to deliver the message for another 4 hours or so. We see the following, and the next thing we see in the logs for this message would be the delivery some 4 hours later.
>
> DATE ID Spool file is locked (another process is handling this message)
>
> Has anyone seen similar symptoms and does anyone know of a retry rule tweak to capture these messages?
>
> Thanks in advance, D.A.

I'm seeing this more often lately, and it seems to be only mail going to hosts which implement a level of graylisting or tar trap. The host graylists, but doesn't send a temporary error, just keeps the connection alive for an obscenely long time, long enough that the next time a queue runner comes by, the previous runner is still holding the file and then it will get deferred for as long as the retry time is.

This is particularly bad with Barracuda spam filters, which seem to get dead SMTP connections quite often, where the SMTP process never finished, just hangs during DATA or some such and Exim will diligently try to finish it until it finally times out. E-mails to Barracuda about the issue were unanswered (we run a couple of them and the issue has been verified with other outside mail server sources).

I haven't found a way to resolve it, except to just accept the fact that many mail servers and gateways on the internet are broken.

Brent Jones [EMAIL PROTECTED]
[exim] Duplicates using unseen deliver
Exim users,

I'm attempting to troubleshoot an issue for a client, they are using Exim 4.68 that came bundled with cPanel. They are trying to archive all messages to/from a certain domain to another e-mail address.

A problem arises when there are multiple recipients for the local domain. If someone outside sends to [EMAIL PROTECTED], and CC:'s others at localdomain.com, the unseen delivery creates a copy for each user, with a new message ID for the unseen delivery each recipient.

Here is the system filter in use:

    if $recipients contains localdomain.com
       or $sender_address_domain contains localdomain.com
    then
      unseen deliver [EMAIL PROTECTED]
    else
      finish
    endif

I have a few thoughts on what could be duplicating, such as a program called BoxTrapper, which according to cPanel does anti spam and anti virus. It seems it may be accepting the messages, scanning, then resubmitting to Exim thus triggering multiple system filters for each recipient. I have limited access to the server unfortunately.

Is there a way from within the system filter to tell if it is a resubmitted message, such as the method it was submitted (local delivery?)

Brent Jones brent [at] servuhome [dot] net
Re: [exim] Should MX offer TLS ?
Quoting Chris Edwards [EMAIL PROTECTED]:

> Hi,
>
> Many sites now have an elegant setup where submission happens on port 465/587, where both TLS and AUTH are mandatory. Port 25 is used for MTA-MTA traffic, hence no need for AUTH on port 25.
>
> However I'm noticing many such sites with the above setup who don't offer TLS on port 25 of the MX servers. Is there a particular reason for this ?
>
> OK, for MTA-MTA traffic, there's normally no check of a certificate, so no defence against man-in-the-middle attacks. But at least you get opportunistic encryption of incoming mail, whereby the traffic is scrambled over the wire, defending against a passive eavesdropper.
>
> Any obvious pitfalls in supporting TLS on port 25 of the MX servers ? Are folk just turning it off to save CPU ?
>
> Thanks for any clue.
>
> Chris
>
> --
> Chris Edwards, Glasgow University Computing Service

TLS can add a bit of overhead, true. But there is also the fact that many MTA's don't advertise/use TLS by default on port 25 (Exchange comes to mind).

It could be argued that there aren't expectations of privacy or security with e-mail, that why would you send sensitive data when there are more suitable protocols for secure data transmission.

There is nothing inherently wrong with advertising TLS on port 25 though, should the other server negotiate with you to use it.

Regards,
Brent Jones brent [at] servuhome [dot] net
Re: [exim] Exim system filter lookup search
Quoting Odhiambo Washington [EMAIL PROTECTED]:

> On 10/23/07, Brent Jones [EMAIL PROTECTED] wrote:
>
> > Exim users,
> >
> > I'm trying to write a system filter that saves all e-mail that comes from certain domains. The list of domains is rather large, and I want to do a lookup to a file from within the system filter file. However, when I look up the file, it never matches a record, and does not save a copy to another destination.
> >
> > Example:
> >
> >     if $sender_address_domain contains ${lookup{$sender_address_domain}lsearch*{/etc/exim/domains}}
> >     then
> >       save /usr/exim/mail/
> >     endif
> >
> > The /etc/exim/domains file contains various domain in a list. I know lsearch is not supposed to be used as a list, but rather a key lookup. But I am at a loss to read in a list any other method. Does anyone have any thoughts on that system filter rule?
>
>     if (${lookup {$sender_address_domain} [EMAIL PROTECTED]/etc/exim/domains} {1}} is 1) then
>
> --
> Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223
> Oh My God! They killed init! You Bastards! --from a /. post

That worked perfectly, I hadn't read about the partial-lsearch function, and it seems to be doing the job perfectly. Thanks!

Regards
Brent Jones brent [at] servuhome [dot] net
[exim] Exim system filter lookup search
Exim users,

I'm trying to write a system filter that saves all e-mail that comes from certain domains. The list of domains is rather large, and I want to do a lookup to a file from within the system filter file. However, when I look up the file, it never matches a record, and does not save a copy to another destination.

Example:

if $sender_address_domain contains ${lookup{$sender_address_domain}lsearch*{/etc/exim/domains}}
then
  save /usr/exim/mail/
endif

The /etc/exim/domains file contains various domains in a list. I know lsearch is not supposed to be used as a list, but rather a key lookup. But I am at a loss to read in a list any other method.

Does anyone have any thoughts on that system filter rule?

Brent Jones
brent [at] servuhome [dot] net
Re: [exim] OT - Webmail options
Quoting WJCarpenter [EMAIL PROTECTED]:

>>> check roundcube. it was awesome.
>>
>> Agree at full ...
>
> What is it that people find so awesome about RoundCube? I'm not trying to start an argument :-). We have it installed here side by side with SquirrelMail. There is no doubt that RC is much, much better looking than SM, and it has some very nice stuff, like drag-and-drop. But it also seems to be very basic in features compared to SM (some of the SM stuff comes from plugins, and the RC plugin mechanism isn't available yet). That's all fine since it's early days for RC, but it's more like something that *will be* awesome than something that *is* awesome.
>
> Am I missing something about RC? Is it actually awesome already and I'm just not paying attention? :-)

Let's start an argument, and I believe you're all wrong ;)

I manage Horde / IMP on several systems including my personal server. Its feature set, navigation, and looks are all very professional. If you have an extensible authentication backend, you can do some impressive stuff such as quotas, automatic vacation messages, etc.

http://www.horde.org

Enjoy
Brent Jones
Re: [exim] Transport directory based on sender address
Quoting Jakob Hirsch [EMAIL PROTECTED]:

> Brent Jones wrote:
>
>> directory = ${lookup{$sender_host_address}lsearch{/etc/storetable}}
>>
>> And here is what the /etc/storetable contains
>>
>> 10.0.0.1: /var/mail/catch/main/
>>
>> appendfile: file or directory name is not absolute
>
> I'd say it should, but it seems that the lookup returns nothing, so the resulting string is . Run a debug session with exim -d+expand -bh 10.0.0.1 (or use the swaks tool) to see what's going wrong.
>
> Oh, and what do you expect to happen when the sender's host address has no match in /etc/storetable?

I found that lsearch wasn't returning any results, but came across another function, iplsearch. The lookup now works correctly.

If it doesn't match something, I don't know what I'll do yet, maybe I'll do some checking in an ACL to reject hosts that don't fall into known IP ranges before it even gets to the transport.

Regards
[exim] Transport directory based on sender address
Exim users,

I'm trying to set a rule that will set the Maildir storage directory partly based on the sending server's IP address using lsearch. I'm getting errors that is not an absolute path to the maildir directory, but the lsearch should be returning the proper string.

Here is the rule:

obstore:
  driver = appendfile
  directory = ${lookup{$sender_host_address}lsearch{/etc/storetable}}
  delivery_date_add
  envelope_to_add
  return_path_add
  maildir_format = true
  create_directory = true

And here is what the /etc/storetable contains

10.0.0.1: /var/mail/catch/main/

Here is what the error_log shows:

appendfile: file or directory name is not absolute

Pardon my ignorance, but shouldn't that lsearch line return /var/mail/catch/main/ as the directory path?

Any hints on to where I am off would be appreciated!

Brent Jones
brent [at] servuhome [dot] net
[exim] Exim as a filtering appliance
Exim users,

I'm embarking on a project to use Exim as part of an outbound scanning host for clients. I'm hung up on whether or not Exim is well suited for this task, or if we should look at another mail server.

The goal of this project is to have clients use us as their outbound relay/smarthost. Mail coming into our system from their IP range/domain name will have to stay on our system, delivering to local mailbox files and/or maildir folders. A program will then come by later on, scan said mail for text qualities (not necessarily spam), and if the mail is good, will then complete the next stage of delivery to the recipient.

In essence, I want Exim to be a caching relay. Take in all mail for specified hosts, hold onto it for processing, and deliver when the processing is finished. We likely won't be doing processing as messages come through, but rather using scheduled jobs to check mail via IMAP or equivalent, and then send off the e-mail.

I've used Exim for other unorthodox tasks, but this one presents larger challenges in my opinion, and just not sure if Exim is right for this specific task.

Has anyone used Exim in this fashion, or have any thoughts on this?

Thanks!

Brent Jones
[EMAIL PROTECTED]
Re: [exim] hosts_randomize not working as expected
Marc Silver wrote:

> Hi folks,
>
> I apologise for reposting this, but I'm desperate for some insight here... any feedback would be very much appreciated...
>
> On Tue, Apr 24, 2007 at 08:13:27AM +0200, Marc Silver wrote:
>> Hey guys,
>>
>> I am currently responsible for the administration of four exim servers (running 4.66) which we utilize as our inbound MX servers. Mail for our domain is then manually routed via the exim machines back to our main offices using the manualroute option over a compressed ssh tunnel.
>>
>> I'm using the randomize option to give me crude load balancing, but it doesn't appear to be working very well. What I'm seeing is that one or two of the servers at our main office seem to be getting much more load than the other two.
>>
>> I am using the following router:
>>
>> forcepath:
>>   debug_print = R: forcepath for [EMAIL PROTECTED]
>>   driver = manualroute
>>   domains = !+local_domains:partial0-lsearch;CONFDIR/forcepath.list
>>   route_data = ${lookup{$domain}partial0-lsearch{CONFDIR/forcepath.list}}
>>   transport = remote_smtp
>>   host_find_failed = defer
>>   same_domain_copy_routing = yes
>>   self = send
>>   no_more
>>
>> And the following transport:
>>
>> remote_smtp:
>>   driver = smtp
>>
>> Here are the contents of forcepath.list:
>>
>> domain.co.za: 127.0.0.1::10025:127.0.0.1::10026:127.0.0.1::10027:127.0.0.1::10028 randomize byname
>>
>> Can anyone help me to get these machines to balance more equally? What am I missing?

Marc,

I hate to say it, but I experienced the same behavior. We put a simple Exim mail gateway that only did RBL and anti-virus checking, then forwarded it on to internal mail servers that did mail delivery for the users. We specified two internal mail servers, using the randomize function.

Turned out, it would almost 'prefer' a host for a short while, then use the next for a brief moment, then switch back to the other one. It wasn't very random, and the load split was more like 70/30.

Never did figure it out, we eventually settled on a load balancing switch. But the randomization does need some work, or else it's pretty useless.

Regards;
Brent Jones
brent [at] servuhome [dot] net

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
Re: [exim] Archiving Email
Joseph wrote:

> Sander Smeenk wrote:
>> Quoting Joseph ([EMAIL PROTECTED]):
>>> With flat files, your friend would be grep. With maildir you would need a mail client, which might be ok, unless we are talking hundreds of thousands of messages.
>>
>> Thing is, to get a specific message i have to know the exact maildir filename or i have to untar the complete archive and go from there... Which isn't all that bad if you are talking about your private mailsetup with a couple of mailinglists, but company wide this can be a real pain.
>>
>> With mbox format you can usually just zless or zgrep through the gzipped mbox. Even cooler, mutt is able to read gzipped mboxes!. Mbox can easily be searched through with numerous tools from the cli too...
>>
>> So i'd say... Go for mbox format :-)
>
> Thanks for all the comments. The format I am using is neither maildir nor mbox, but just plain files. Which means I have to use grep to do anything with them. One thing that bothers me, is how I would get to the attachments, if need be. A person would need a perl mime tool or something to break them out. I like the idea of tar'ing them up every day or week and saving the disk space. I always have been leery of mbox, because if it gets corrupted, then you are in trouble although that should not really happen with today's file systems.
>
> regards,
> Joseph

A little off-topic from the original, but what methods are people using to even begin archiving e-mails?

I've read into the Exim specification on unseen deliveries, but I don't know if it will archive local deliveries (ones that are user to user on the same system). It also seemed a bit cumbersome to build maps of users to archive, but maybe there's a way to specify lists of entire domains to archive (to/from a certain domain maybe).

Any hints on that aspect of archiving?

Regards;
Brent Jones