Re: [exim] [Transport error]: message has lines too long for transport

2022-01-25 Thread Felipe Gasper via Exim-users
(Adding to this thread because we only just now hit this issue …)

> On Nov 18, 2021, at 15:00, Jeremy Harris via Exim-users  
> wrote:
> 
> On 18/11/2021 10:35, Andrea Biscuola via Exim-users wrote:
>> One week ago, we upgraded to exim 4.95 and suddenly, some customers (using
>> microsoft outlook, nonetheless), started to experience the following error
>> for *some* of their e-mails:
>> message has lines too long for transport
>>  Reporting-MTA: dns; web017.shared.host.it
>> I received some examples of such e-mails from our customers service, and it
>> appears that the problem is with some badly formatted headers.
>> Unfortunately, we can't throw those customers out of the window :-) so we
>> are searching how to expand the line limits for the transports.
> 
> Warning: you would be sending onward messages that are explicitly
> exceeding the limits established by the relevant standards.
> 
> Any such might be lost (or worse, cause "unintended actions") on
> other systems they traverse after yours.
> 
> Are you certain you want to be responsible for that?
> You might wish to consult your legal staff.

RFC 5322 doesn’t stipulate server behaviour upon receipt of a message that 
violates this limitation.

On the contrary, the same section (2.1.1) that gives the 998-character limit 
adds, in the next paragraph:


Receiving implementations would do well to handle an arbitrarily large number 
of characters in a line for robustness sake.


While Exim’s new default behaviour is reasonable, it doesn’t seem to follow 
from the relevant standard. Outlook is in violation, to be sure, but servers 
that accept arbitrarily long lines don’t seem to be (by that virtue alone, 
anyhow).

-FG

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
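
The exchange above offers two options: relay the overlong lines as they are, or let the transport reject the message. A third option that an admin in this position usually wants is to repair what can be repaired. The following is an added example, not code from the thread and not Exim's own code: it scans a message for lines over the 998-octet limit from RFC 5322 section 2.1.1, folds overlong header lines at existing whitespace (the folding that RFC 5322 section 2.2.3 permits), and only reports overlong body lines, since re-wrapping a body silently changes its content. The sample message is constructed here for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Exim: find lines longer
# than the RFC 5322 section 2.1.1 limit (998 octets, CRLF excluded) and fold
# overlong *header* lines at existing whitespace (RFC 5322 section 2.2.3) so
# the message fits a transport that enforces the limit.  Body lines are only
# reported, never rewritten: re-wrapping a body changes its content.
# The message is treated as a byte string, so length() counts octets.
use strict;
use warnings;

use constant MAX_LINE => 998;

# Fold one header line at whitespace so no physical line exceeds MAX_LINE.
# Returns the physical lines (without CRLF).  A continuation line keeps the
# whitespace it was cut at as its first character, which is what makes the
# fold legal.  If no fold point exists the remainder is returned as-is.
sub fold_header_line {
    my ($line) = @_;
    my @out;
    while (length($line) > MAX_LINE) {
        my $cut = rindex($line, ' ',  MAX_LINE);
        my $tab = rindex($line, "\t", MAX_LINE);
        $cut = $tab if $tab > $cut;
        last if $cut <= 0;              # no whitespace to fold at: give up
        push @out, substr($line, 0, $cut);
        $line = substr($line, $cut);
    }
    push @out, $line;
    return @out;
}

# Process a whole message (CRLF or LF line endings).  Returns the rewritten
# message (CRLF line endings) followed by a list of diagnostics for lines
# that are still over the limit.
sub fix_message {
    my ($msg) = @_;
    my @lines = split /\r?\n/, $msg, -1;
    pop @lines if @lines && $lines[-1] eq '';   # empty tail after the final newline
    my (@out, @problems);
    my $in_header = 1;
    my $n = 0;
    for my $line (@lines) {
        $n++;
        $in_header = 0 if $in_header && $line eq '';   # blank line ends the header
        if (length($line) <= MAX_LINE) {
            push @out, $line;
        }
        elsif ($in_header) {
            my @folded = fold_header_line($line);
            push @out, @folded;
            push @problems, "header line $n still over " . MAX_LINE . " octets after folding"
                if grep { length($_) > MAX_LINE } @folded;
        }
        else {
            push @out, $line;
            push @problems, "body line $n is " . length($line) . " octets";
        }
    }
    return (join("\r\n", @out) . "\r\n", @problems);
}

# Constructed sample message: a Subject of about 1500 octets made of short
# words (foldable) and a body line of 1200 octets with no whitespace.
my $msg = join("\r\n",
    'From: sender@example.com',
    'Subject: ' . join(' ', ('word') x 300),
    'To: recipient@example.com',
    '',
    'x' x 1200,
    'This is the rest of the body.',
) . "\r\n";

my ($fixed, @problems) = fix_message($msg);
my @still_long = grep { length($_) > MAX_LINE } split /\r\n/, $fixed;
printf "%d physical line(s) still over the limit\n", scalar @still_long;
print "$_\n" for @problems;
```

On the constructed message the Subject ends up folded across two physical lines, both within the limit, and the only diagnostic is for the 1200-octet body line, which is left untouched. A header with no whitespace at all (a very long Message-ID, for instance) cannot be folded and is reported the same way; what to do with those is the policy question the thread is really about.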


Re: [exim] Perl integration - context?

2021-06-10 Thread Felipe Gasper via Exim-users


> On Jun 10, 2021, at 00:52, Andrew C Aitchison  wrote:
> 
> 
>> On Wed, 9 Jun 2021, Felipe Gasper via Exim-users wrote:
>> 
>> The idea is more to prevent message delivery during a backup or account 
>> reconfiguration.
> 
> exim_lock is the tool you are looking for.

With this tool is there any way to differentiate “waiting for lock” from “lock 
acquired” other than parsing the output stream?

-F



Re: [exim] Perl integration - context?

2021-06-10 Thread Felipe Gasper via Exim-users


> On Jun 10, 2021, at 12:39 AM, Andrew C Aitchison via Exim-users 
>  wrote:
> 
> On Wed, 9 Jun 2021, Felipe Gasper via Exim-users wrote:
> 
>> The idea is more to prevent message delivery during a backup or account 
>> reconfiguration.
> 
> exim_lock is the tool you are looking for.

Ah ok. I knew this tool existed but hadn’t realized it auto-unlocks.

Thank you!

-FG


Re: [exim] Perl integration - context?

2021-06-09 Thread Felipe Gasper via Exim-users


> On Jun 9, 2021, at 3:00 PM, Andrew C Aitchison  wrote:
> 
> On Wed, 9 Jun 2021, Felipe Gasper via Exim-users wrote:
> 
>> Hello,
>> 
>> Is it possible with Exim’s Perl integration to create a reference
>> that will last throughout a message’s delivery and then be reaped?
>> 
>> I’d like to explore a flock-based lock for mail delivery that
>> would allow an external process to suspend delivery by holding a
>> lock on a designated path: if Exim/Perl does flock($fh, LOCK_SH)
>> and fails EAGAIN, then Exim will defer acceptance of the message.
>> 
>> When the flock() succeeds, ideally that flock()ed Perl $fh will
>> last until delivery is done and then be reaped. Is it safe to
>> store that in a Perl global, then call something else at the end
>> of the routing that deletes/undefs that global? Or is there some
>> cleaner way to give Exim such a reference and have Exim hold onto
>> it for me until routing/delivery is over?
> 
> I am reminded of the exim_lock utility, though that is an external process.
> 
> I'm a bit confused.
> Are you trying to stop a second message from being accepted *into the
> exim queue* whilst the first is being routed/delivered ?

The idea is more to prevent message delivery during a backup or account 
reconfiguration.

I specifically want to avoid this:

1. External process suspends user’s mail delivery.
2. External process gets SIGKILL.
3. User gets no more mail until user complains ($$) and someone manually ($$) 
reenables the user’s mail.

Using flock() for this would cause the mail suspension to go away automatically 
once whatever holds that lock goes away:

1. External process flock(EX)s user’s special designated file.
2. Exim tries to flock(SH) that same file, gets EAGAIN.
3. Exim tells clients :defer:
4. External process finishes or gets SIGKILL.
5. User can receive mail again, no manual intervention needed.

Alternatively:

1. Exim flock(SH)s the user’s special file.
2. External process tries to flock(EX), gets EAGAIN. Either retries later or 
just fails.

-FG


[exim] Perl integration - context?

2021-06-09 Thread Felipe Gasper via Exim-users
Hello,

Is it possible with Exim’s Perl integration to create a reference that 
will last throughout a message’s delivery and then be reaped?

I’d like to explore a flock-based lock for mail delivery that would 
allow an external process to suspend delivery by holding a lock on a designated 
path: if Exim/Perl does flock($fh, LOCK_SH) and fails EAGAIN, then Exim will 
defer acceptance of the message.

When the flock() succeeds, ideally that flock()ed Perl $fh will last 
until delivery is done and then be reaped. Is it safe to store that in a Perl 
global, then call something else at the end of the routing that deletes/undefs 
that global? Or is there some cleaner way to give Exim such a reference and 
have Exim hold onto it for me until routing/delivery is over?

Thank you!

cheers,
-Felipe Gasper
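
The scheme laid out in this message and in the reply above it, as an added example that is not code from the thread and not Exim's own code. The Perl function is written so that Exim could call it through ${perl{...}} (which needs perl_startup in the main configuration and an Exim built with Perl support); the router wiring in the comment is an assumption, not something the thread specifies. The demo that follows it shows the property the poster is after: the suspension is held by a kernel lock, so when the external process is SIGKILLed the lock goes with it and nobody has to re-enable mail by hand. Note that this probe takes and releases LOCK_SH in one call, so it samples the state; holding the handle for the whole delivery, as the original question asks, would mean keeping it in a Perl global.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Exim: the flock()-based
# suspension scheme from the messages above as a Perl function Exim could
# call through ${perl{...}} (needs perl_startup in the main config), plus a
# stand-alone demo of the property that makes the scheme attractive: the
# lock vanishes the moment its holder dies, SIGKILL included.
use strict;
use warnings;
use Fcntl qw(:flock O_RDWR O_CREAT);
use Errno qw(EWOULDBLOCK EAGAIN);
use File::Temp qw(tempfile);
use POSIX qw(_exit);

# Exim-side probe: "yes" if another process holds LOCK_EX on $path (delivery
# suspended), "no" otherwise.  Takes LOCK_SH non-blocking and releases it at
# once, so it only *samples* the state; holding the handle for the whole
# delivery, as the original question asks, would need it kept in a global.
# Hypothetical wiring (assumption, not from the thread):
#   suspend_check:
#     driver    = redirect
#     condition = ${if eq {${perl{delivery_suspended}{$home/.mail_suspended}}}{yes}}
#     data      = :defer: mailbox temporarily unavailable
sub delivery_suspended {
    my ($path) = @_;
    # O_CREAT so the file's absence does not mean "error"; both sides must be
    # able to open it, so pick the path and mode to suit your setup.
    sysopen(my $fh, $path, O_RDWR | O_CREAT, 0600) or die "open($path): $!";
    if (flock($fh, LOCK_SH | LOCK_NB)) {
        close $fh;                                   # releases our LOCK_SH
        return "no";
    }
    # EWOULDBLOCK (== EAGAIN on Linux) is the only "normal" failure here.
    return "yes" if $! == EWOULDBLOCK || $! == EAGAIN;
    die "flock($path): $!";   # anything else is a real error; in Exim a die
                              # surfaces as an expansion failure
}

# Demo: an "external process" takes LOCK_EX, the probe sees the suspension,
# the process is SIGKILLed, and the probe sees delivery re-enabled.
sub demo {
    my ($tmp, $lockfile) = tempfile(UNLINK => 1);
    close $tmp;
    pipe(my $rd, my $wr) or die "pipe: $!";

    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {                                  # the external process
        close $rd;
        open(my $fh, '+<', $lockfile) or die "open: $!";
        flock($fh, LOCK_EX)           or die "flock: $!";
        syswrite($wr, "locked\n");                    # tell the parent
        sleep 3600;                                   # "long backup"
        _exit(0);
    }
    close $wr;
    my $ready = <$rd>;                    # blocks until the child holds the lock

    my $while_held = delivery_suspended($lockfile);
    kill 'KILL', $pid;                    # no cleanup code of any kind runs
    waitpid($pid, 0);
    my $after_kill = delivery_suspended($lockfile);
    return ($while_held, $after_kill);
}

my ($held, $after) = demo();
print "while the external process held LOCK_EX: $held\n";
print "after that process was SIGKILLed:        $after\n";
```

Two things worth checking before deploying something like this: which Exim process evaluates the router condition (a verify at RCPT time runs in the receiving process, delivery runs in another, and each takes its own lock), and whether the external process forks helpers, since a flock() is attached to the open file description and survives in any child that inherits it.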


[exim] “condition check lookup defer”

2021-04-30 Thread Felipe Gasper via Exim-users
Hi all,

Since our update to 4.94 we’re seeing a lot more of these messages. I 
see posts like this on the mailing list:

https://lists.exim.org/lurker/message/20050517.111852.2c71626f.en.html

… but in our case, there’s no actual _router_ being named. For example, this is 
in exim_mainlog:

2021-04-30 13:04:57 H=(mail.example.com) [11.22.33.44]:12345 
F= temporarily rejected RCPT : 
condition check lookup defer

We also aren’t having much luck reproducing this failure manually, though it 
happens many times daily.

Is it possible to make Exim’s logging more verbose, so it would report--at 
least internally--which lookup is failing for which router, and why? I’ve tried 
adding “+all” to log_selector, but it didn’t give any more detail.

Thank you!

cheers,
-Felipe Gasper


[exim] readsocket - errno?

2021-04-30 Thread Felipe Gasper via Exim-users
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html

^ I don’t see anything that indicates that “fail string” has access to the 
actual errno value. Is there a variable that provides that value in the fail 
string?

Thank you!

cheers,
-Felipe Gasper


Re: [exim] normalized config format?

2021-04-06 Thread Felipe Gasper via Exim-users

> On Apr 5, 2021, at 5:43 PM, Heiko Schlittermann via Exim-users 
>  wrote:
> 
> Felipe Gasper  (Mo 05 Apr 2021 22:46:31 CEST):
>> 
>> 
>> On another note, I’ve noted via the same parse that this in exim.conf:
>> 
>> -
>> router_home_directory = 
>> ${extract{5}{::}{${lookup{${lookup{$domain_data}lsearch{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value
>> -
>> 
>> … gets parsed to this:
>> 
>> ---
>> router_home_directory = ${extract{5}{::}{${lookup 
>> passwd{${lookup{$domain_data}lsearch{/etc/userdomains}{$value}}}{$value
>> ---
>> 
>> ^^ Note the conversion of the first “lookup” to a “lookup passwd”.
> 
> Sure that you didn't confuse something.
> 
> Input /tmp/exim4.conf
> 
>begin routers
>test:
>driver = redirect
>file = .forward
>router_home_directory = 
> ${extract{5}{::}{${lookup{${lookup{$domain_data}lsearch{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value
> 
> 
> Output of `exim -C /tmp/exim4.conf -bP config`:
> 
># Exim Configuration (4.94-37-g062b77ca8)
># 1 "/tmp/exim4.conf"
> 
>begin routers
> 
>  test:
>   driver = redirect
>   file = .forward
>   router_home_directory = 
> ${extract{5}{::}{${lookup{${lookup{$domain_data}lsearch{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value

Right you are … we have an internal magic-rewriter thingie that I only just 
discovered.

Yay.

Thank you!

cheers,
-Felipe




Re: [exim] normalized config format?

2021-04-05 Thread Felipe Gasper via Exim-users


> On Apr 5, 2021, at 4:35 PM, Heiko Schlittermann via Exim-users 
>  wrote:
> 
> Hi,
> 
> Felipe Gasper via Exim-users  (Mo 05 Apr 2021 19:55:39 
> CEST):
>> 
>> It seems to leave certain (inconsequential?) whitespace changes in place 
>> that make it hard to compare a changeset in an automated way, e.g.:
>> 
>> -
>> -local_parts = ${if 
>> eq{$domain}{$primary_hostname}{+path_safe_localparts}{*}}
>> +local_parts = ${if eq {$domain} {$primary_hostname} 
>> {+path_safe_localparts} {*} }
>> -
> 
> I understand this, but we can't do that yet and there are no plans yet to
> implement it.

Understandable.

On another note, I’ve noted via the same parse that this in exim.conf:

-
router_home_directory = 
${extract{5}{::}{${lookup{${lookup{$domain_data}lsearch{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value
-

… gets parsed to this:

---
router_home_directory = ${extract{5}{::}{${lookup 
passwd{${lookup{$domain_data}lsearch{/etc/userdomains}{$value}}}{$value
---

^^ Note the conversion of the first “lookup” to a “lookup passwd”.

But, if I reflow the exim.conf a bit to:

-
router_home_directory = ${extract \
{5} \
{::} \
{${lookup \
{${lookup \
{$domain_data} \
lsearch \
{/etc/userdomains} \
{$value} \
}} \
lsearch {/etc/passwd} \
{$value} \
} } \
}
-

… then the conversion to “lookup passwd” doesn’t happen:

-
router_home_directory = ${extract {5} {::} {${lookup {${lookup {$domain_data} 
lsearch {/etc/userdomains} {$value} }} lsearch{/etc/passwd} {$value} } } }
-

Is this an optimization of some kind in Exim, which the breaking up into 
multiple lines is losing?

Thank you!

-F


[exim] normalized config format?

2021-04-05 Thread Felipe Gasper via Exim-users
exim -bP config

-

^^ Is this meant to output a normalized parse of the config file?

It seems to leave certain (inconsequential?) whitespace changes in place that 
make it hard to compare a changeset in an automated way, e.g.:

-
-local_parts = ${if 
eq{$domain}{$primary_hostname}{+path_safe_localparts}{*}}
+local_parts = ${if eq {$domain} {$primary_hostname} 
{+path_safe_localparts} {*} }
-

I’d like to compare two versions of an exim.conf file, one of which uses 
different spacing from the other but *should* be otherwise identical. I’d love 
to do a diff on the two files and see it be identical to verify that they’re 
the same … is there anything out there that could do this?

Thank you!

-FG


Re: [exim] Express list in reduce?

2021-04-05 Thread Felipe Gasper via Exim-users


> On Apr 5, 2021, at 11:44 AM, Jeremy Harris via Exim-users 
>  wrote:
> 
> On 05/04/2021 16:34, Felipe Gasper via Exim-users wrote:
>> domainlist manualmx_domains = ${if exists {/etc/manualmx} 
>> {lsearch;/etc/manualmx} {} }
> 
> That's not a valid definition for a named list.
> 
> I suspect you've misread "lists are (string-) expanded before use" as meaning
> that list *definitions* can have string-expansions.  Not so.  The 
> string-expansion
> is done on the text that should be a list, when some text is arrived at in the
> context of a list being needed.

Hrm. It … works for us? Is this something that happens to work but is 
undocumented?

The router that uses that list, at least, seems to work as we intend:

manualmx:
  driver = manualroute
  domains = +manualmx_domains
  transport = remote_smtp
  route_data = ${lookup{$domain}lsearch{/etc/manualmx}}

Or am I misunderstanding?

-F


Re: [exim] Express list in reduce?

2021-04-05 Thread Felipe Gasper via Exim-users


> On Apr 2, 2021, at 2:02 PM, Jeremy Harris via Exim-users 
>  wrote:
> 
> On 02/04/2021 17:08, Felipe Gasper via Exim-users wrote:
>> domainlist mydomains = foo.com : bar.com
>> … is there any way to pass that domain list to, e.g, ${reduce}?
>>  For testing purposes I’d like to do something like:
>> -
>> ${reduce {+mydomains}{}{${if eq{$value}{}{}{$value,}}$item}}
>> -
>> … and have it give me “mydomains”, joined with a comma.
> 
> ${listnamed_d:mydomains} as source for your reduce.
> 
> Bear in mind that you a vulnerable to list elements
> that already have an embedded comma, and ones with
> an embedded colon may surprise you.
> 
> 
> It'd be nicer if listnamed had a way of getting a
> custom output separator, and/or if reduce did full
> list expansion, of course.

So, the list in question is defined thus:

domainlist manualmx_domains = ${if exists {/etc/manualmx} 
{lsearch;/etc/manualmx} {} }

When I expand ${listnamed_d:manualmx_domains}, I get just the definition part 
of the above. So that doesn’t help.

I also tried expanding:

${if forany{${listnamed:manualmx_domains}}{eq {$item}{domain.tld}}{yes}{no}}

… where “domain.tld” is the domain I’m looking for, but still no dice.

I also tried:

${if inlist{domain.tld}{${listnamed:manualmx_domains}}{yes}{no}}

… but that doesn’t work, either.

I assume the issue is that the list is defined as dynamic … is there any 
expansion string that handles that?

Thank you!

cheers,
-Felipe


[exim] Express list in reduce?

2021-04-02 Thread Felipe Gasper via Exim-users
Hello,

If I’ve defined a domain list thus:

domainlist mydomains = foo.com : bar.com

… is there any way to pass that domain list to, e.g, ${reduce}?

For testing purposes I’d like to do something like:

-
${reduce {+mydomains}{}{${if eq{$value}{}{}{$value,}}$item}}
-

… and have it give me “mydomains”, joined with a comma.

Alternatively, is it possible to express a filter/grep of such a list?

Thank you in advance!

cheers,
-Felipe Gasper


Re: [exim] time skew: SMTP delay

2021-03-30 Thread Felipe Gasper via Exim-users


> On Mar 30, 2021, at 10:48 AM, Jeremy Harris via Exim-users 
>  wrote:
> 
> On 30/03/2021 15:40, Felipe Gasper via Exim-users wrote:
>> Incidentally, I’m setting system clock via `date`.
> 
> Are you deliberately skewing the system into the future?
> Before or after starting the daemon?

Context: this is happening in production because chrony apparently “jerks” the 
system time rather than adjusting it slowly.

-F


Re: [exim] time skew: SMTP delay

2021-03-30 Thread Felipe Gasper via Exim-users


> On Mar 30, 2021, at 11:13 AM, Jeremy Harris  wrote:
> 
> On 30/03/2021 15:02, Felipe Gasper via Exim-users wrote:
>> [pid 25596] write(4, "2021-03-30 10:55:28 
>> 1lRGiG-0006eq-QA <= can...@felipe.dev.cpanel.net H=(felipes-mbp.lan) 
>> [10.3.4.84]:49684 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no 
>> A=dovecot_plain:mailer S=381 T=\"Test sent from ./smtp_send_test.pl\" for 
>> fel...@felipe.com\n", 254) = 254
> 
> I'd be interested in knowing whether Exim gave an SMTP response accepting the 
> data
> phase of the message.
> 
>> [pid 25596] rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
>> [pid 25596] setitimer(ITIMER_REAL, {it_interval={tv_sec=0, tv_usec=0}, 
>> it_value={tv_sec=7198, tv_usec=625000}}, NULL) = 0
>> [pid 25596] rt_sigsuspend(~[ALRM RTMIN RT_1], 8
>> -
>>  … and there it hangs. The socket never closes, so the client eventually 
>> times out the connection.
> 
> ... because if it did, your test script ought to record the message as having
> been properly sent.  The closing of the TCP connection is a seperable issue.

No, I see no such response.

My test script sends: "DATA\r\nFrom: can...@felipe.dev.cpanel.net\r\nSubject: 
Test sent from ./smtp_send_test.pl\r\n\r\nThis is a test.\r\n.\r\nQUIT\r\n"

The server later sends "354 Enter message, ending with \".\" on a line by 
itself\r\n", but I think that’s just in response to successful authentication?

-F


Re: [exim] time skew: SMTP delay

2021-03-30 Thread Felipe Gasper via Exim-users

> On Mar 30, 2021, at 10:48 AM, Jeremy Harris via Exim-users 
>  wrote:
> 
> On 30/03/2021 15:40, Felipe Gasper via Exim-users wrote:
>> Incidentally, I’m setting system clock via `date`.
> 
> Are you deliberately skewing the system into the future?

I myself am deliberately skewing, yes (date -s 'now + 2 hours'), but we have 
reports of similar hangs in the wild.

> Before or after starting the daemon?

After.

> 
> Can you get debug output from a repro run?

I tried to find in the docs how to up the verbosity, but I didn’t see. What 
should I do to get debug output?

Thank you!

-FG




Re: [exim] time skew: SMTP delay

2021-03-30 Thread Felipe Gasper via Exim-users


> On Mar 30, 2021, at 10:33 AM, Jeremy Harris via Exim-users 
>  wrote:
> 
> On 30/03/2021 15:02, Felipe Gasper via Exim-users wrote:
>>  I’m noticing if I have a server time-skewed into the future, and I send 
>> a message to Exim on that server, the SMTP client never receives 
>> confirmation of receipt of the message.
>>  This causes that client to think the message send failed, though Exim 
>> does actually enqueue the message for remote delivery. Thus, the client 
>> resends the message, which causes the recipient to receive multiple copies 
>> of the message.
>>  strace is showing:
>> -
>> [pid 25596] write(4, "2021-03-30 10:55:28 
>> 1lRGiG-0006eq-QA <= can...@felipe.dev.cpanel.net H=(felipes-mbp.lan) 
>> [10.3.4.84]:49684 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no 
>> A=dovecot_plain:mailer S=381 T=\"Test sent from ./smtp_send_test.pl\" for 
>> fel...@felipe.com\n", 254) = 254
>> [pid 25596] rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
>> [pid 25596] setitimer(ITIMER_REAL, {it_interval={tv_sec=0, tv_usec=0}, 
>> it_value={tv_sec=7198, tv_usec=625000}}, NULL) = 0
>> [pid 25596] rt_sigsuspend(~[ALRM RTMIN RT_1], 8
>> -
>>  … and there it hangs. The socket never closes, so the client eventually 
>> times out the connection.
>>  Has anyone else encountered something of the like? Notwithstanding that 
>> clock-skews of 2 hours are their own problem, could Exim maybe handle this a 
>> bit more gracefully?
> 
> 
> What Exim version?  What platform?
> 
> Behaviour changed in 4.94, for platforms with _POSIX_MONOTONIC_CLOCK.

Exim 4.94
CentOS 7, default kernel (3.10.0-1160.11.1.el7.x86_64)

Incidentally, I’m setting system clock via `date`.

Thank you!

-FG


[exim] time skew: SMTP delay

2021-03-30 Thread Felipe Gasper via Exim-users
Hello,

I’m noticing if I have a server time-skewed into the future, and I send 
a message to Exim on that server, the SMTP client never receives confirmation 
of receipt of the message.

This causes that client to think the message send failed, though Exim 
does actually enqueue the message for remote delivery. Thus, the client resends 
the message, which causes the recipient to receive multiple copies of the 
message.

strace is showing:

-
[pid 25596] write(4, "2021-03-30 10:55:28 
1lRGiG-0006eq-QA <= can...@felipe.dev.cpanel.net H=(felipes-mbp.lan) 
[10.3.4.84]:49684 P=esmtpsa X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no 
A=dovecot_plain:mailer S=381 T=\"Test sent from ./smtp_send_test.pl\" for 
fel...@felipe.com\n", 254) = 254
[pid 25596] rt_sigprocmask(SIG_BLOCK, [ALRM], [], 8) = 0
[pid 25596] setitimer(ITIMER_REAL, {it_interval={tv_sec=0, tv_usec=0}, 
it_value={tv_sec=7198, tv_usec=625000}}, NULL) = 0
[pid 25596] rt_sigsuspend(~[ALRM RTMIN RT_1], 8
-

… and there it hangs. The socket never closes, so the client eventually 
times out the connection.

Has anyone else encountered something of the like? Notwithstanding that 
clock-skews of 2 hours are their own problem, could Exim maybe handle this a 
bit more gracefully?

Thank you!

cheers,
-Felipe Gasper
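
The failure mode this thread describes, from the client's side, as an added example that is not the poster's smtp_send_test.pl and not Exim code. The client drives the SMTP dialogue with a per-reply timeout and classifies the result; the fake server it talks to is constructed here and mimics the behaviour in the strace above, accepting the final "." and then going silent. The point it makes is that a timeout after the final dot leaves the message in an unknown state (the server may already have queued it, as Exim had here), so a client that treats it as "failed" and resends is what produces the duplicate copies the poster saw. A failure before the final dot is different: nothing has been queued yet and retrying is safe.

```perl
#!/usr/bin/perl
# Added example, not the poster's smtp_send_test.pl and not Exim code: an
# SMTP client that drives the DATA phase with a per-reply timeout and
# classifies the outcome, paired with a constructed in-process fake server
# that reproduces the hang described above (accepts the final "." and then
# never answers).  A timeout *after* the final dot is "ambiguous" (the
# server may already have queued the message), not "failed"; before the
# final dot nothing is queued and retrying is safe.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;
use POSIX qw(_exit);

# Read one (possibly multi-line) SMTP reply within $timeout seconds.
# Returns the three-digit code, or undef on timeout, EOF or garbage.
sub read_reply {
    my ($sock, $timeout) = @_;
    my $sel = IO::Select->new($sock);
    while (1) {
        return undef unless $sel->can_read($timeout);
        my $line = <$sock>;
        return undef unless defined $line && $line =~ /^(\d{3})([ -])/;
        return $1 if $2 eq ' ';              # "250-" continues, "250 " ends
    }
}

# Send a tiny constructed message.  Returns "accepted", "rejected",
# "failed-before-data" (safe to retry) or "ambiguous" (do NOT blindly retry).
sub send_message {
    my ($host, $port, $timeout) = @_;
    my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                     Proto => 'tcp', Timeout => $timeout)
        or return "failed-before-data";
    $sock->autoflush(1);
    my @steps = (
        [undef,                              '220'],   # greeting
        ["EHLO client.example\r\n",          '250'],
        ["MAIL FROM:<a\@example.com>\r\n",   '250'],
        ["RCPT TO:<b\@example.com>\r\n",     '250'],
        ["DATA\r\n",                         '354'],
    );
    for my $step (@steps) {
        my ($cmd, $want) = @$step;
        print {$sock} $cmd if defined $cmd;
        my $code = read_reply($sock, $timeout);
        return "failed-before-data" unless defined $code && $code eq $want;
    }
    print {$sock} "Subject: test\r\n\r\nThis is a test.\r\n.\r\n";
    my $code = read_reply($sock, $timeout);   # the reply that never came
    print {$sock} "QUIT\r\n";
    return "ambiguous" unless defined $code;
    return $code =~ /^2/ ? "accepted" : "rejected";
}

# Constructed fake server: normal until the final ".", then either "250 OK"
# or, when $hang is set, silence, like the strace above shows.
sub fake_server {
    my ($hang) = @_;
    my $srv = IO::Socket::INET->new(LocalAddr => '127.0.0.1', LocalPort => 0,
                                    Proto => 'tcp', Listen => 1, ReuseAddr => 1)
        or die "listen: $!";
    my $port = $srv->sockport;
    my $pid  = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {
        my $c = $srv->accept or _exit(1);
        $c->autoflush(1);
        print {$c} "220 fake.example ESMTP\r\n";
        my $in_data = 0;
        while (my $line = <$c>) {
            if ($in_data) {
                next unless $line eq ".\r\n";
                $in_data = 0;                     # message is "queued" here
                sleep 3600 if $hang;              # ... but the client never hears so
                print {$c} "250 OK id=constructed\r\n";
            }
            elsif ($line =~ /^QUIT/i) { print {$c} "221 Bye\r\n"; last; }
            elsif ($line =~ /^DATA/i) { print {$c} "354 Enter message, ending with \".\" on a line by itself\r\n"; $in_data = 1; }
            else                      { print {$c} "250 OK\r\n"; }
        }
        _exit(0);
    }
    $srv->close;
    return ($port, $pid);
}

for my $hang (0, 1) {
    my ($port, $pid) = fake_server($hang);
    my $result = send_message('127.0.0.1', $port, 2);
    kill 'KILL', $pid;
    waitpid($pid, 0);
    printf "%-30s => %s\n", $hang ? "server silent after final dot" : "server answers normally", $result;
}
```

The first round trip comes back "accepted"; the second, against the silent server, comes back "ambiguous" after the two-second timeout. A sender that wants at-most-once behaviour in the ambiguous case has to carry its own state (for example a Message-ID it reuses on retry so the receiving side can deduplicate), because SMTP itself gives it no way to ask whether the earlier attempt was queued.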


[exim] 4.94 recipient verification

2021-03-22 Thread Felipe Gasper via Exim-users
Hi,

Is there an option to configure Exim to reject mail after SMTP time 
rather than during?

I’m finding that, if I send a message to “b...@good.com” and 
“z...@msdghbdsbgh.qwe”, the SMTP transaction fails because the 2nd address’s 
domain is bad. I’d like that SMTP transaction to succeed but for the sender to 
receive a bounce.

Thank you!

cheers,
-Felipe Gasper


Re: [exim] MTA-STS and Server Name Indication (SNI) on mail servers

2020-06-17 Thread Felipe Gasper via Exim-users

> On Jun 17, 2020, at 8:17 PM, Viktor Dukhovni via Exim-users 
>  wrote:
> 
> However, its use is recommended:
> 
>https://tools.ietf.org/html/rfc8446#section-4.4.2.2
> 
>-  The "server_name" [RFC6066] and "certificate_authorities"
>   extensions are used to guide certificate selection.  As servers
>   MAY require the presence of the "server_name" extension, clients
>   SHOULD send this extension, when applicable.

The recommendation is contextual to cases “when applicable”. This is 
significant because in applications where the server ignores the extension it’s 
arguably counterproductive to send it since it discloses the hostname that the 
client intends to hit. Thus it seems that if the server ignores the extension, 
it’s better NOT to send it--at least until encrypted SNI becomes practical.

-FG


Re: [exim] MTA-STS and Server Name Indication (SNI) on mail servers

2020-06-17 Thread Felipe Gasper via Exim-users


> On Jun 17, 2020, at 6:22 PM, Phil Pennock via Exim-users 
>  wrote:
> 
> because TLS1.3 mandates SNI.

Phil, do you have a citation for this? I skimmed the RFC just now, and the only 
mandatory details about SNI that I see are in the context of session resumption.

If TLS 1.3 indeed mandates SNI, then that’s relevant in other conversations I’m 
in and would love to be able to cite that.

Thank you!

-FG


[exim] SMTP (+auth) via unix socket?

2018-10-09 Thread Felipe Gasper via Exim-users
Hello,

I’m running as root and want to send notifications to remote addresses. 
I’d like the first “Received” header to show “esmtpa”, but it appears that in 
order to do that I have to authenticate. Since I’m root and can control the 
server it seems like this shouldn’t be necessary, but I recognize that if IP 
connections are the only option to send SMTP, then authentication is necessary.

What if, though, Exim could receive SMTP via a unix socket? Exim could 
read the socket’s peer credentials on accept(), and if those credentials 
indicate that the client socket was created as root, then Exim would be 
justified in considering any SMTP message received from that socket to be 
authenticated.

It would also be a slightly faster interface into Exim since the 
connection wouldn’t have the TCP/IP overhead.

Has anything like this been discussed previously?

Thank you!

-Felipe Gasper
Mississauga, Ontario
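
What the "read the socket's peer credentials on accept()" idea in this message looks like in practice, as an added example that is not code from the thread and not Exim's own code. It is Linux-specific: SO_PEERCRED hands the server the pid, uid and gid of the process that called connect(), recorded by the kernel, so unlike a HELO name or an AUTH claim they are not the client's to choose. The policy ("a peer connected as root is authenticated") is the one the message proposes; the fallback value for SO_PEERCRED and the socket path are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Exim: the "trust the
# unix-socket peer" idea from the message above, on Linux, using
# SO_PEERCRED.  The kernel records the pid, uid and gid of the process that
# called connect(), so unlike a HELO name or an AUTH claim the client cannot
# choose them.  Linux-specific; BSDs and macOS use getpeereid()/LOCAL_PEERCRED.
use strict;
use warnings;
use Socket qw(PF_UNIX SOCK_STREAM SOL_SOCKET sockaddr_un);
use File::Temp qw(tempdir);
use POSIX qw(_exit);

# Newer Socket.pm versions export SO_PEERCRED; fall back to the generic
# Linux value (17) otherwise.  Assumption: not a MIPS/SPARC/PA-RISC box,
# where the number differs.
my $SO_PEERCRED = eval { Socket::SO_PEERCRED() } // 17;

# Returns (pid, uid, gid) of the peer on a connected AF_UNIX stream socket.
sub peer_credentials {
    my ($sock) = @_;
    my $packed = getsockopt($sock, SOL_SOCKET, $SO_PEERCRED)
        or die "getsockopt(SO_PEERCRED): $!";
    # struct ucred { pid_t pid; uid_t uid; gid_t gid; } -- three 32-bit ints
    return unpack('i I I', $packed);
}

# Policy from the message: a peer that connected as root counts as
# authenticated.  A dedicated uid or gid would be a tighter choice.
sub peer_is_trusted {
    my ($uid) = @_;
    return $uid == 0 ? 1 : 0;
}

# Demo: a listener and one forked client, both in this process tree.
sub demo {
    my $dir  = tempdir(CLEANUP => 1);
    my $path = "$dir/smtp.sock";

    socket(my $srv, PF_UNIX, SOCK_STREAM, 0) or die "socket: $!";
    bind($srv, sockaddr_un($path))          or die "bind: $!";
    listen($srv, 1)                         or die "listen: $!";

    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {                                  # client
        socket(my $cli, PF_UNIX, SOCK_STREAM, 0) or die "socket: $!";
        connect($cli, sockaddr_un($path))        or die "connect: $!";
        syswrite($cli, "EHLO localhost\r\n");
        sysread($cli, my $reply, 256);                # wait for the verdict
        _exit(0);
    }

    accept(my $conn, $srv) or die "accept: $!";
    my ($peer_pid, $uid, $gid) = peer_credentials($conn);
    my $greeting = <$conn>;     # what the client *says*; not used for identity
    my $verdict  = peer_is_trusted($uid) ? "treat as authenticated" : "require AUTH";
    syswrite($conn, "$verdict\r\n");
    close $conn;
    close $srv;
    waitpid($pid, 0);
    return ($peer_pid == $pid, $uid, $gid, $verdict);
}

my ($pid_matches, $uid, $gid, $verdict) = demo();
print "kernel-reported peer pid matches the forked client: ", ($pid_matches ? "yes" : "no"), "\n";
print "peer uid=$uid gid=$gid -> $verdict\n";
```

Run as an ordinary user the verdict is "require AUTH"; run as root it is "treat as authenticated", with the pid check confirming the credentials describe the forked client rather than anything it sent. The usual caveat applies: the credentials are those at connect() time, so a process that connects and then drops privileges still looks like root for the life of that connection.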


Re: [exim] SNI and DANE TLSA record monitoring

2016-10-19 Thread Felipe Gasper

> On Oct 19, 2016, at 1:22 PM, Viktor Dukhovni <exim-us...@dukhovni.org> wrote:
> 
> 
>> On Oct 19, 2016, at 9:00 AM, Felipe Gasper <fel...@felipegasper.com> wrote:
>> 
>> 
>> Exim’s approach is BEAUTIFUL for the purpose of separate certificates per 
>> domain. cPanel 11.60 just shipped with this support added. The great thing 
>> is that, unlike Apache or Dovecot, the mapping of domain to certificate is 
>> dynamic, not in a static list. For shared hosting environments, where each 
>> machine/VPS can serve tens of thousands of individual domains, this is a 
>> boon.
>> 
>> I’d be fine with some facility to configure by-domain configs, logs, or what 
>> not in tandem with the certificate. Just as long as it’s still simple and 
>> easy to determine the certificate by the DOMAIN, not by served content.
> 
> What's even more beautiful is using a single MX hostname for a boatload
> of domains, with a single associated certificate.  Works great for
> domeneshop.no (serving over 100k DANE-enabled SMTP domains via 4 MX
> hosts), and transip.nl (serving a similar number of domains), ...
> 
> I am somewhat sympathetic to the desire for SNI on port 587, where
> asking users to change settings is a bear, with port 25 SMTP, I've
> yet to see a compelling reason for server-side SNI support.  Do not
> go there, unless your back's against the wall...

I’m probably missing something here … how do you get STARTTLS clients to 
accept/request the correct hostname for TLS when there is only one TLS-secured 
FQDN?

-FG

Re: [exim] SNI and DANE TLSA record monitoring

2016-10-19 Thread Felipe Gasper

> On Oct 19, 2016, at 1:22 PM, Viktor Dukhovni  wrote:
> 
> I've
> yet to see a compelling reason for server-side SNI support.  Do not
> go there, unless your back's against the wall...
> 

Our reason went like this: many email clients will assume that “b...@foo.org” 
uses either “foo.org” or “mail.foo.org” as a mail server.

When the only way to have working SSL is for the client to know about 
“shared49.somehost.where-is-this.com”, the client and server have to be smart 
enough to do autoconfig, or the user has to type that in manually. This makes 
for a worse user experience and increases support requests.

-FG

Re: [exim] SNI and DANE TLSA record monitoring

2016-10-19 Thread Felipe Gasper

> On Oct 19, 2016, at 9:13 AM, Jan Ingvoldstad  wrote:
> 
>> I’d be fine with some facility to configure by-domain configs, logs, or
>> what not in tandem with the certificate. Just as long as it’s still simple
>> and easy to determine the certificate by the DOMAIN, not by served content.
>> 
>> 
> Well, SMTP doesn't "serve content" per se, so I don't really get that
> objection.

Depends on your conception of “serve content”. Insofar as we might consider 
“content” as the entire application (matrix of inputs/outputs), Exim/SMTP does 
indeed “serve content”. Anyway, semantics.

> 
> What I think, is that which certificate gets served, should be fully
> configurable based on the information available at the time you need to
> serve the certificate. That's not a lot of information. :)

Furious agreement. :)

-FG

Re: [exim] SNI and DANE TLSA record monitoring

2016-10-19 Thread Felipe Gasper

> On Oct 19, 2016, at 8:42 AM, Jan Ingvoldstad <frett...@gmail.com> wrote:
> 
> On Wed, Oct 19, 2016 at 2:35 PM, Felipe Gasper <fel...@felipegasper.com>
> wrote:
> 
>> SNI is concerned strictly with the domain name, whereas virtual hosting
>> (as I’ve seen it) concerns content.
>> 
>> Apache’s SNI configuration is poorly conceived, in my opinion. It forces
>> all domains on a given virtual host to use the same certificate, which
>> makes no sense. There is no reason whatsoever why “foo.com” and “bar.com”
>> should have to serve up the same certificate--regardless of whether those
>> two domains serve up the same content.
>> 
> 
> There is *nothing* that prevents you from configuring two virtualhosts in
> Apache from serving the same content, so your understanding of how that
> configuration works, has some blank spots.
> 

Separate vhosts per domain produces larger httpd.conf files, which is a bad 
thing when you’re serving tens of thousands of domains, each of which has 
various separate directives, etc.

There is also the Include directive, but that’s loading separate files, which 
makes Apache restarts take longer.

mod_macro, new in 2.4, *might* make this better, but for us it will require a 
significant retooling effort since we already have well-worn vhost 
configuration templates.

> 
>> Exim’s approach of making the SNI request available and allowing the admin
>> to do whatever with it is much more ideal. Please do NOT change this!
>> 
> 
> Exim's approach is currently a bit too monolithic to be usable for mass
> hosting of many domains with separate certificates, separate
> configurations, and separate logfiles.

Exim’s approach is BEAUTIFUL for the purpose of separate certificates per 
domain. cPanel 11.60 just shipped with this support added. The great thing is 
that, unlike Apache or Dovecot, the mapping of domain to certificate is 
dynamic, not in a static list. For shared hosting environments, where each 
machine/VPS can serve tens of thousands of individual domains, this is a boon.

I’d be fine with some facility to configure by-domain configs, logs, or what 
not in tandem with the certificate. Just as long as it’s still simple and easy 
to determine the certificate by the DOMAIN, not by served content.

-FG

Re: [exim] SNI and DANE TLSA record monitoring

2016-10-19 Thread Felipe Gasper
SNI is concerned strictly with the domain name, whereas virtual hosting (as 
I’ve seen it) concerns content.

Apache’s SNI configuration is poorly conceived, in my opinion. It forces all 
domains on a given virtual host to use the same certificate, which makes no 
sense. There is no reason whatsoever why “foo.com” and “bar.com” should have to 
serve up the same certificate--regardless of whether those two domains serve up 
the same content.

Exim’s approach of making the SNI request available and allowing the admin to 
do whatever with it is much more ideal. Please do NOT change this!

-FG

> On Oct 19, 2016, at 5:54 AM, Mike Tubby  wrote:
> 
> If what we're saying is that Exim needs to be virtual host capable then I 
> think that we're on the edge of needing a proper virtual hosts sub-system 
> that deals with:
> 
> 1. naming the virtual host
> 2. configuring certificates
> 3. configuring TLS options (ciphers, etc)
> 4. configuring a logging location
> 
> Mike
> 
> 
> On 10/19/2016 10:10 AM, Viktor Dukhovni wrote:
>> On Wed, Oct 12, 2016 at 02:50:41PM +0200, Arkadiusz Miśkiewicz wrote:
>> 
>>> Docs say that $tls_sni has raw data from client:
>>> 
>>> "Great care should be taken to deal with matters of case, various injection
>>> attacks in the string (../ or SQL), and ensuring that a valid filename can
>>> always be referenced; it is important to remember that $tls_sni is arbitrary
>>> unverified data provided prior to authentication."
>> While we're on the topic of Exim and SNI, I just interacted with
>> a user who rather admirably was monitoring his DANE TLSA records,
>> but his monitoring script was not sending the SNI extension as
>> required by RFC 7672.  Sadly, his MX host was configured to respond
>> with a different (non-default) certificate when the SNI matched
>> the actual MX hostname.  Consequently, the monitoring was flawed,
>> and missed a problem with certification rotation.
>> 
>> So please keep in mind that SNI makes things a bit more complex
>> from a monitoring perspective.  Avoid SNI if you can, use with
>> care if you must.
>> 
> 
> 

Re: [exim] safe handling of $tls_sni

2016-10-19 Thread Felipe Gasper
base62 only encodes numerals, though.

-FG

> On Oct 19, 2016, at 4:16 AM, Mike Brudenell  wrote:
> 
> Or perhaps just use Exim's existing base62 and base62d expansion operators?
> :-)
> 
> http://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html#SECTexpop
> 
> 
> These:
> 
>   - use the character set [A-Za-z0-9] on case-sensitive systems;
>   - use base36 encoding using [A-Z0-9] instead on systems with
>   case-insensitive file names;
>   - are used by Exim to generate its message identifiers, and hence
>   (presumably safe!) file names to store message data in the file system.
> 
> Cheers,
> Mike B-)
> 
> 
> On 18 October 2016 at 22:21, Phil Pennock  wrote:
> 
>> On 2016-10-18 at 08:28 +0200, Arkadiusz Miśkiewicz wrote:
>>> On Monday 17 of October 2016, Phil Pennock wrote:
>>>> Or base64-encode it.
>>> 
>>> "/" is part of base64 alphabet, so would have to replace that with other
>>> character, too.
>> 
>> You're quite right.  I was thinking of the `base64url` encoding from
>> RFC4648; it's used so often that I forgot.
> 
> 
> -- 
> Systems Administrator & Change Manager
> IT Services, University of York, Heslington, York YO10 5DD, UK
> Tel: +44-(0)1904-323811
> 
> Web: www.york.ac.uk/it-services
> Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm

Re: [exim] safe handling of $tls_sni

2016-10-17 Thread Felipe Gasper
FWIW, I’d much rather that invalid characters in $tls_sni prompt an error.

There seems no reason to serve up meaningful content to someone who’s sending a 
malformed SNI header.

-Felipe Gasper
Mississauga, ON


> On Oct 17, 2016, at 11:42 PM, Jasen Betts <ja...@xnet.co.nz> wrote:
> 
> On 2016-10-17, Mike Tubby <m...@tubby.org> wrote:
>> 
>> Couldn't we have - per perhaps shouldn't we have - a "safe domain name" 
>> function in Exim that could be used for this and elsewhere where an 
>> untrusted domain name enters - it would:
>> 
>> * remove white space (tab, space, etc)
>> * remove non-printing chars
>> * remove 'quoting' and 'escaping'
>> * make it lower case
>> * only allow valid characters for a FQDN
> 
> why remove? why not just reject if it contains any badness?
> 
>> call it something like "safe_fqdn" and then you could do:
>> 
>> ${if exists{/etc/mail/ssl/${safe_fqdn:$tls_sni}.pem}\
>>     {/etc/mail/ssl/${safe_fqdn:$tls_sni}.pem}\
>>     {/etc/mail/default-cert.pem}}
>> 
>> aren't computers are supposed to be doing the work for us...?
>> 
> This:
> 
> ${domain:a@$tls_sni}
> 
> will give the domain part if the $tls_sni is syntactically correct for a
> domain name else it will give the empty string.
> 
> Is that not good enough?
> 
> 
>   ${if exists{/etc/mail/ssl/${domain:a@$tls_sni}.pem}\
>       {/etc/mail/ssl/${domain:a@$tls_sni}.pem}\
>       {/etc/mail/default-cert.pem}\
>   }
> 
> 
> it's going to try to use a file called /etc/mail/ssl/.pem if the sni
> is empty or contains garbage, probably not a problem. 
> 
> -- 
> This email has not been checked by half-arsed antivirus software 
> 

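An added example, not Exim code and not from any poster, contrasting the two approaches raised in the two "safe handling of $tls_sni" threads: rejecting any value that is not a syntactically valid hostname (the effect of `${domain:a@$tls_sni}`, plus an explicit error instead of the silent `/etc/mail/ssl/.pem` lookup), versus base64url-encoding the raw value into a filename-safe token. The `/etc/mail/ssl` layout, the default-cert path and the injectable `exists` hook are assumptions.

```python
"""Added example, not Exim code: two ways to derive a certificate path from the
untrusted $tls_sni value, so '../' and friends never reach the filesystem."""
import base64
import os
import re

CERT_DIR = "/etc/mail/ssl"                     # layout assumed from the thread
DEFAULT_CERT = "/etc/mail/default-cert.pem"    # fallback used in the thread

# One DNS label: [a-z0-9-], 1-63 chars, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Strict syntax check in the spirit of ${domain:a@$tls_sni}: only a
    lower-case FQDN passes; empty strings, path fragments, whitespace and
    quoting characters all fail."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def cert_path_by_validation(sni: str, exists=os.path.exists) -> str:
    """Reject a malformed SNI outright (the poster's preference) rather than
    quietly looking up /etc/mail/ssl/.pem. `exists` is injectable for tests."""
    name = sni.lower()                    # case-fold once, before any lookup
    if not valid_hostname(name):
        raise ValueError("malformed SNI rejected: %r" % sni)
    path = os.path.join(CERT_DIR, name + ".pem")
    return path if exists(path) else DEFAULT_CERT


def cert_path_by_encoding(sni: str, exists=os.path.exists) -> str:
    """Alternative from the other thread: base64url (RFC 4648 section 5) the
    raw value. Its alphabet is [A-Za-z0-9-_] plus '=' padding, so neither '/'
    nor '..' can appear in the filename whatever the client sent. An empty SNI
    is still special-cased, otherwise the lookup would be /etc/mail/ssl/.pem.
    Note the 4/3 expansion: very long names may exceed the filesystem's
    NAME_MAX, in which case a hash of the value is the safer token."""
    if not sni:
        return DEFAULT_CERT
    token = base64.urlsafe_b64encode(sni.lower().encode("utf-8")).decode("ascii")
    path = os.path.join(CERT_DIR, token + ".pem")
    return path if exists(path) else DEFAULT_CERT


if __name__ == "__main__":
    have = {"/etc/mail/ssl/mail.example.com.pem"}      # constructed cert set
    for sni in ("Mail.Example.COM", "other.example", "", "../../etc/passwd"):
        try:
            print(repr(sni), "->", cert_path_by_validation(sni, have.__contains__))
        except ValueError as err:
            print(repr(sni), "->", err)
        print(repr(sni), "=>", cert_path_by_encoding(sni, have.__contains__))
```
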
[exim] testing evaluation of tls_certificate

2016-08-23 Thread Felipe Gasper
I’ve got a module that generates exim.conf. I’d like to test that generated 
.conf file by having exim use it to evaluate tls_certificate.

Can I do this and control the value of $tls_in_sni as a test parameter?

Thank you!

-FG

Re: [exim] charset of "fail" messages

2015-11-27 Thread Felipe Gasper

On 27 Nov 2015 2:48 PM, Viktor Dukhovni wrote:

On Fri, Nov 27, 2015 at 02:29:36PM -0500, Felipe Gasper wrote:


It appears to me that you, Jason, and I are understanding the
issue and question differently.  If Felipe still thinks there is
a problem, some clarification from him might help.



Yes, NDNs, of the variety that Exim sends in response to “fail text "..."”
filters, are what my inquiry concerns.


A non-delivery-notification (MIME multipart/report content type
RFC3462) consists of (up to) three parts:

 1. Required initial free-form body part, this can use UTF-8
without any need for EAI.

 2. Required message/delivery-status machine readable part,
this requires EAI for non-ASCII content. (RFC3464).

 3. Optional returned message or message headers.  If
the returned message has UTF-8 headers, it may need
to encapsulated as an EAI message/global

My interpretation of the question was that you wanted UTF-8 in the
"part 1", body, in which case *in principle* you could have raw
UTF-8 there, and a "charset=utf-8" attribute for the enclosing MIME
part, provided that the code that generates bounces (in this case
in Exim) allows you configure the charset and associated content.


Yes, part 1 is where I want the UTF-8 to go.

I’ve not consulted the RFCs myself. Basically, I want the text after 
Exim shows the intended recipient address to be able to be any UTF-8 
characters.


-FG


Re: [exim] charset of "fail" messages

2015-11-27 Thread Felipe Gasper

On 27 Nov 2015 2:24 PM, John C Klensin wrote:



--On Friday, November 27, 2015 7:10 PM + Viktor Dukhovni
<exim-us...@dukhovni.org> wrote:


I'm not sure I completely understand what is happening here,
but, if the text you cite is part of a non-delivery
notification, a body part would have to have content-type
message/global-* to contain non-ASCII (specifically UTF-8;
there are deliberately no other options) information.   And
one is not supposed to produce those notifications unless
SMTPUTF8 is in use.  See RFC 6533 for more information.


The message/global MIME type is only needed for encapsulating
messages with non-ASCII headers.  MIME body parts with UTF-8
content have been around long before EAI.


Of course they have.   Non-ASCII content/ body parts were a
primary criterion for what became MIME, even before the
multimedia requirements started being considered.


I receive such messages from my father (in Russian) quite
regularly:
...
His email address is ASCII, and the subject is RFC 2047
encoded, so EAI is entirely out of scope.


Again, as intended, even though some of the stronger advocates
of EAI hope that it will gradually eliminate the need for RFC
2047 encoded-words.

But, as I understood the question, it had to do with delivery
failure messages (NDNs), possibly even ones that were intended
to be machine-processed.   And that is where SMTPUTF8 and
extended notification formats come in.

It appears to me that you, Jason, and I are understanding the
issue and question differently.  If Felipe still thinks there is
a problem, some clarification from him might help.



Yes, NDNs, of the variety that Exim sends in response to “fail text 
"..."” filters, are what my inquiry concerns.


I believe my inquiry has been answered satisfactorily: in order to have 
NDNs in, e.g., Russian I need either to turn on SMTPUTF8 or transcode 
the multi-byte characters down to some US-ASCII representation … the 
latter of which would really be more accommodating the issue rather than 
addressing it.


Thank you, everyone! :)

-Felipe Gasper
Houston, TX


Re: [exim] charset of “fail” messages

2015-11-27 Thread Felipe Gasper

On 27 Nov 2015 6:05 AM, Jasen Betts wrote:

On 2015-11-26, Felipe Gasper <fel...@felipegasper.com> wrote:

Hi all,

When I do:

fail text "$home:/Nööö!!!"

… I get a fail message with:

/home/mortal:/N\303\266\303\266\303\266!!!

This (with US-ASCII encoding) appears to be hard-coded into
src/deliver.c … is there any motion in the direction of being able to
specify an encoding for fail messages?


As far as I understand the rules of SMTP:

The only other charset allowed is UTF8 and that only if the HOST
advertises "SMTPUTF8" in response to "EHLO" _and_ the client says
"SMTPUTF8" after the  part of the SMTP "MAIL FROM" command.

SMTPUTF8 support in exim is still considered experimental, but if building
with EXPERIMENTAL_INTERNATIONAL enabled does not allow UTF8 in
responses I would consider that a bug.  (not that I have any authority)



But why is this relevant for the message body?

The argument to “fail text” is put into the message body, not the 
headers … ?


-FG


Re: [exim] charset of "fail" messages

2015-11-27 Thread Felipe Gasper

On 27 Nov 2015 3:31 PM, Viktor Dukhovni wrote:

On Fri, Nov 27, 2015 at 02:55:34PM -0500, Felipe Gasper wrote:


A non-delivery-notification (MIME multipart/report content type
RFC3462) consists of (up to) three parts:

 1. Required initial free-form body part, this can use UTF-8
without any need for EAI.

 2. Required message/delivery-status machine readable part,
this requires EAI for non-ASCII content. (RFC3464).

 3. Optional returned message or message headers.  If
the returned message has UTF-8 headers, it may need
to encapsulated as an EAI message/global

My interpretation of the question was that you wanted UTF-8 in the
"part 1", body, in which case *in principle* you could have raw
UTF-8 there, and a "charset=utf-8" attribute for the enclosing MIME
part, provided that the code that generates bounces (in this case
in Exim) allows you configure the charset and associated content.


Yes, part 1 is where I want the UTF-8 to go.

I’ve not consulted the RFCs myself. Basically, I want the text after Exim
shows the intended recipient address to be able to be any UTF-8 characters.


This may well be a feature request, I don't know whether Exim
supports this or not.  As proof of concept (this is neither a
sufficient nor implied reason to consider Postfix, just an
example I happen to be familiar with):



I think, yes, this is a feature request.

src/deliver.c, at least, hard-codes US-ASCII as the charset for those 
“fail” messages; the ability to customize those doesn’t seem to be in 
evidence currently.


It would, of course, make Exim that much friendlier to i18n contexts to 
have this!


-FG


Re: [exim] charset of "fail" messages

2015-11-27 Thread Felipe Gasper

On 27 Nov 2015 7:36 PM, Richard James Salts wrote:


  1. Required initial free-form body part, this can use UTF-8
 without any need for EAI.


Yes, part 1 is where I want the UTF-8 to go.

I’ve not consulted the RFCs myself. Basically, I want the text after

Exim

shows the intended recipient address to be able to be any UTF-8

characters.


This may well be a feature request, I don't know whether Exim
supports this or not.  As proof of concept (this is neither a
sufficient nor implied reason to consider Postfix, just an
example I happen to be familiar with):



I think, yes, this is a feature request.

src/deliver.c, at least, hard-codes US-ASCII as the charset for those
“fail” messages; the ability to customize those doesn’t seem to be in
evidence currently.

It would, of course, make Exim that much friendlier to i18n contexts to

have this!



You mean this? 
http://exim.org/exim-html-current/doc/html/spec_html/ch-customizing_bounce_and_warning_messages.html


Not quite … that’s dealing with just customizing the messages, not 
specifying what the encoding of those messages is to be.


-FG

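An added example, not Exim's code, pulling together the points of the "charset of fail messages" threads: the octal-escaped rendering the original poster saw is what UTF-8 bytes look like when forced into US-ASCII, and an NDN in the RFC 3462 multipart/report layout can carry the UTF-8 "fail text" in part 1 with nothing more than charset=utf-8, while the RFC 3464 message/delivery-status part 2 stays ASCII. The addresses and hostname are constructed.

```python
"""Added example, not Exim code: the US-ASCII escaping seen in the thread,
beside an NDN whose free-form part 1 carries the same text as UTF-8."""
import email
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def escape_to_ascii(text: str) -> str:
    """Render each non-ASCII UTF-8 byte as a \\ooo octal escape, which is what
    the poster's bounce contained: 'Nööö' -> 'N\\303\\266\\303\\266\\303\\266'."""
    return "".join(chr(b) if b < 0x80 else "\\%03o" % b
                   for b in text.encode("utf-8"))


def build_ndn(recipient: str, fail_text: str, reporting_mta: str) -> MIMEMultipart:
    """Assemble the multipart/report layout described in the thread (RFC 3462):
    part 1 free-form text, part 2 message/delivery-status (RFC 3464). The
    optional returned-message part 3 is omitted here."""
    report = MIMEMultipart("report", report_type="delivery-status")
    report["From"] = "Mail Delivery System <MAILER-DAEMON@%s>" % reporting_mta
    report["To"] = "sender@example.org"            # constructed sender address
    report["Subject"] = "Mail delivery failed: returning message to sender"

    # Part 1: the human-readable text. Declaring charset=utf-8 is all a MIME
    # body part needs; no EAI/SMTPUTF8 is involved as long as headers are ASCII.
    body = ("This message was created automatically by mail delivery software.\n\n"
            "A message that you sent could not be delivered to:\n\n"
            "  %s\n    %s\n" % (recipient, fail_text))
    report.attach(MIMEText(body, "plain", "utf-8"))

    # Part 2: machine-readable status, one header-only block per message and
    # per recipient. This stays ASCII unless the address itself is non-ASCII.
    per_message = Message()
    per_message["Reporting-MTA"] = "dns; " + reporting_mta
    per_recipient = Message()
    per_recipient["Final-Recipient"] = "rfc822;" + recipient
    per_recipient["Action"] = "failed"
    per_recipient["Status"] = "5.1.1"
    dsn = MIMEBase("message", "delivery-status")
    dsn.set_payload([per_message, per_recipient])
    report.attach(dsn)
    return report


def part1_text(raw: bytes) -> str:
    """Serialise-and-parse round trip: decode part 1 of an NDN as received,
    using its declared charset, proving the UTF-8 text survives intact."""
    msg = email.message_from_bytes(raw)
    part1 = msg.get_payload()[0]
    charset = part1.get_content_charset() or "us-ascii"
    return part1.get_payload(decode=True).decode(charset)


if __name__ == "__main__":
    text = "/home/mortal:/Nööö!!!"                   # the poster's fail text
    ndn = build_ndn("mortal@example.net", text, "mx.example.net")
    print(escape_to_ascii(text))                      # the US-ASCII rendering
    print(part1_text(ndn.as_bytes()))                 # the UTF-8 one
```

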