Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Lena--- via Exim-users
> From: exi.ml @ yalis.fr
> 
> I just received a SPAM (I hope), but the headers retained my attention; 
> here they are, in full:

An infected Windows sent this common fraudulent spam with the same
email address in From: and envelope-from as the recipient.
And the same domain in Message-ID.

> There is a DKIM signature done by my own server (d=yalis.fr), which 
> includes the From header, and that header is @yalis.fr.

Your "seuil3" added DKIM signature while it relayed that spam
to your "sphinx3".

Accepting emails from hosts with empty $sender_host_name is unwise.
I deny mail from such hosts in China, Hong Kong, Taiwan, Brazil, Korea, Vietnam
and greylist mail from such hosts in other countries.
But most other mail admins deny emails from such hosts.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] failed expand ACL

2023-01-20 Thread Lena--- via Exim-users
> From: Sławomir Dworaczek

> where is the error in the ACL
> 
> continue = ${run{SHELL -c "echo $sender_host_address 
> >>/var/spool/exim/blacklists/blocked_IPs;\N{\N echo Subject: 
> $sender_host_address blocked; echo; echo for bruteforce auth cracking 
> attempt.;\N}\N | EXIMBINARY WARNTO"}}{yes}{no}}

This is from an old version of my code. I never wrote "yes no" at the end,
it's the error.
Current version: https://github.com/Exim/exim/wiki/BlockCracking




Re: [exim] [mailop] T-Online is now really blocking messages from non-commercial and similar senders

2022-10-20 Thread Lena--- via Exim-users
> T-Online clearly states in their terms and conditions that they will
> block servers who perform sender verification towards them.

Then a different check:

 deny condition = ${if or{\
{eqi{$sender_address_domain}{t-online.de}}\
.ifdef _HAVE_LOOKUP_DNSDB
{forany{${lookup dnsdb{>: defer_never,mxh=$sender_address_domain}}}\
   {match{$item}{\N^mx\d+\.t-online\.de$\N}}}\
.endif
   }}
  condition = ${if match{${readsocket{inet:\
.ifdef _HAVE_LOOKUP_DNSDB
${reduce{${lookup dnsdb{>: defer_never,mxh=$sender_address_domain}}}\
{}{$item}}\
.else
mx00.t-online.de\
.endif
:25}{}{2s}}}{^554 IP=}}
  message = We checked that $sender_address_domain blocks us. \
So we do not accept a message we cannot reply to.
# The server admin may change "deny" to "warn" and
# "message =" to "control = fakereject/"
# but few admins will want that (or notice and bother).




Re: [exim] [mailop] T-Online is now really blocking messages from non-commercial and similar senders

2022-10-20 Thread Lena--- via Exim-users
Kai Siering wrote on [mailop]:

> how about starting internal discussions within that community
> to include a default rejection of any mail from @t-online.de
> in Exim's default configuration?

> As nearly no-one who is deploying Exim
> (or Postfix, Sendmail for that matter)
> will be able to *send* to @t-online.de due to their policy,
> it is only logical to not *accept* any mail from them, too.

I propose to include in default Exim config (in rcpt ACL)
a code which checks whether the server is blocked by t-online.de:

 warn set acl_m_ton = notton
  condition = ${if or{\
{eqi{$sender_address_domain}{t-online.de}}\
.ifdef _HAVE_LOOKUP_DNSDB
{forany{${lookup dnsdb{>: defer_never,mxh=$sender_address_domain}}}\
   {match{$item}{\N^mx\d+\.t-online\.de$\N}}}\
.endif
   }}
  set acl_m_ton = checkdefer
  !verify = sender/callout=10s
  set acl_m_ton = $acl_verify_message

 deny condition = ${if !eq{$acl_m_ton}{notton}}
  condition = ${if !eq{$acl_m_ton}{checkdefer}}
  message = sender verify failed: $acl_m_ton

 deny condition = ${if eq{$acl_m_ton}{checkdefer}}
  message = We checked that $sender_address_domain blocks us. \
So we do not accept a message we cannot reply to.
# The server admin may change "deny" to "warn" and
# "message =" to "control = fakereject/"
# but few admins will want that (or notice and bother).




Re: [exim] Exim relaying but shouldn't

2022-09-28 Thread Lena--- via Exim-users
> From: Eric Grammatico

> In fact I tried to implement the wiki: 
> https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingPwauth

I edited that wiki: changed

server_condition = ${run{/bin/bash -c "echo -e '$auth2\n$auth3' | /usr/local/bin/pwauth"}{1}{0}}

to

server_condition = ${and {\
 {!match{$auth2$auth3}{[\x27\r\n]}}\
 {bool{${run{/bin/bash -c "echo -e '$auth2\n$auth3' | /usr/local/bin/pwauth"}{1}{0}}}}\
 }}




Re: [exim] Exim relaying but shouldn't

2022-09-28 Thread Lena--- via Exim-users
P.S.  No, the culprit is the apostrophe in auth login-name:

> A=login_server:#xxx'uuss+zzz

> server_condition = ${run{/bin/sh -c "echo -e '$auth1\n$auth2' | /usr/sbin/pwauth"}{1}{0}}

You need to add:

 deny message = Restricted characters in address
  senders = ^.*['"\$#]




Re: [exim] Exim relaying but shouldn't

2022-09-28 Thread Lena--- via Exim-users
> From: Eric Grammatico

> 2022-09-26 16:15:24 [10] 1ocotI-0A-0g <= 
> #xxx'uuss+...@grammatico.me H=(localhost) [45.123.190.53] P=esmtpsa 
> X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=login_server:#xxx'uuss+zzz S=736
> 2022-09-26 16:15:31 [12] 1ocotI-0A-0g => xxx.x...@.info 
>  R=dnslookup T=remote_smtp H=xxx.xxx.xx 
> [195.141.89.98] X=TLS1.3:TLS_AES_256_GCM_SHA384:25
> 6 CV=yes K C="250 2.0.0 Ok: 1599 bytes queued as 4MblCR37H1zlq0LZ"
> 2022-09-26 16:15:31 [12] 1ocotI-0A-0g Completed
> 
> I don't understand why it is relayed; here are extracts from my config:

> deny    message     = Restricted characters in address
>         domains     = +local_domains
>         local_parts = ^[#] : ^[.] : ^.*[@%!/|#+]

This checks local_part of recipient address, not sender address.
The <= log line shows sender address.

> plain_server:
>   driver = plaintext
>   public_name = PLAIN
>   server_condition = ${run{/bin/sh -c "echo -e '$auth2\n$auth3' | /usr/sbin/pwauth"}{1}{0}}

Perhaps this `pwauth` perceives the # in the beginning as a comment line.



Re: [exim] malfunctioning email delivery after upgrade to Exim 4.96

2022-09-07 Thread Lena--- via Exim-users
> == r...@xyz.com R=xxx (-36): host lookup for  did not
> complete (DNS timeout?)
> 
> There is no problem with DNS resolution of the relevant domains on those
> MX servers whatsover, judging by using dig and host command in shell.

A single dig or host command is not proof.

#!/bin/sh
while true
do
  /usr/bin/time -a -o /tmp/timelog dig +short  mx >/dev/null
  sleep 0.2
done

> On IMAP servers receiving emails from the above MX servers, the new and
> very frequent error is now this (even when the mid corresponds to just
> one recipient):
> 
>  no immediate delivery: more than 10 messages received in one
> connection

You need this setting:

> smtp_accept_max_per_connection = 100

for the receiving Exim (you call that "IMAP servers").
And restart Exim.




Re: [exim] Autoreply empty mail from

2022-08-02 Thread Lena--- via Exim-users
> From: Timur 

> # exim -be '$primary_hostname'
> says:
> mail.domain.com (This is my mail host)
> 
> from smtp transport config:
> helo_data = mail.domain.com
> 
> DKIM generated for domain.com with selector mail
> There is DNS record for domain:
> mail._domainkey.domain.com. TXT v=DKIM1; k=rsa; p=
> 
> Whats wrong?

Your email to [exim-users] had the domain alcopack.de in the "From:" header line
(I'm not talking about envelope-from, also known as MAIL FROM).
alcopack.de and mail.alcopack.de resolve to different IP-addresses.
Your Exim is on mail.alcopack.de, right?
You have DMARC record for alcopack.de but not for mail.alcopack.de:

~ $ dig +short _dmarc.mail.alcopack.de txt
~ $ dig +short _dmarc.alcopack.de txt
"v=DMARC1; p=none"

mail.alcopack.de (in HELO) and alcopack.de (in DMARC and DKIM)
are different domains.

Also, make sure that if $sender_address_domain is empty,
your Exim config uses the correct domain for DKIM signing, exactly the same domain
as in DMARC.



Re: [exim] Autoreply empty mail from

2022-08-01 Thread Lena--- via Exim-users
> From: Timur 

> I have trouble with autoreply transport (and any email from Exim-self) 
> in check DMARK when Exim send bounce/autoreply messages to google.
> I want to configure vacation-router. SPF, DKIM, PTR is configured for my 
> server. When I send email from myself google receives it and pass DKIM, 
> SPF, DMARK.
> When exim send autoreply message to google, google answer:
> u...@gmail.com R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com 
> [108.177.126.26] 
> X=TLS1.3:ECDHE_X25519__ECDSA_SECP256R1_SHA256__AES_256_GCM:256 CV=yes: 
> SMTP error from remote mail server after pipelined end of data: 
> 550-5.7.26 Unauthenticated email from domain.com is not accepted due to 
> 550-5.7.26 domain's DMARC policy. Please contact the administrator of 
> 550-5.7.26 domain.com domain if this was a legitimate mail. Please visit 
> 550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about 
> the 550 5.7.26 DMARC initiative.
> I run exim in debug mode and saw next:
> 
> MAIL FROM and $sender_address_domain - empty

When MAIL FROM is empty, receivers should use the domain in HELO.
Give the command:

exim -be '$primary_hostname'

If it does not say exactly the domain you use in DKIM,
then use primary_hostname at the beginning of the Exim config.

If your mail server handles mail for several domains then use helo_data
option in the smtp transport.


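Both "Autoreply empty mail from" replies above turn on the same DMARC mechanics: an autoreply has an empty MAIL FROM, so SPF falls back to the HELO domain, and DMARC then needs either that domain or the DKIM d= domain to align with the From: header domain. The Python below is an added example, not Exim's code or Lena's, that evaluates identifier alignment for the scenarios in the thread. The SPF and DKIM verification results are passed in as inputs (no DNS query or signature check happens), the domains are the asker's placeholders domain.com / mail.domain.com, and the organizational-domain rule is simplified to the last two labels.

```python
from typing import Dict, Optional


def organizational_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels. A real DMARC
    verifier consults the Public Suffix List; for plain second-level domains
    such as the ones in this thread the simplification gives the same answer."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool) -> bool:
    """RFC 7489 identifier alignment: strict mode needs an exact match, relaxed
    mode accepts any host under the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else organizational_domain(a) == organizational_domain(f)


def spf_identity(mail_from: str, helo: str) -> str:
    """Domain that SPF is evaluated for. With a null reverse-path (bounces,
    autoreplies) RFC 7208 section 2.4 uses postmaster@<HELO domain>, so the
    HELO name (Exim's primary_hostname or helo_data) stands in for the sender."""
    if not mail_from:
        return helo.lower()
    return mail_from.rsplit("@", 1)[1].lower()


def dmarc_evaluate(from_domain: str, mail_from: str, helo: str, spf_pass: bool,
                   dkim_domain: Optional[str], dkim_pass: bool,
                   aspf: str = "r", adkim: str = "r") -> Dict[str, object]:
    """Combine the authentication results the way a DMARC receiver does: pass if
    SPF passed for an aligned domain OR DKIM passed with an aligned d= domain.
    spf_pass / dkim_pass are inputs here; this code does no DNS and no crypto."""
    spf_domain = spf_identity(mail_from, helo)
    spf_aligned = spf_pass and aligned(spf_domain, from_domain, aspf == "s")
    dkim_aligned = bool(dkim_domain) and dkim_pass and aligned(dkim_domain, from_domain, adkim == "s")
    return {
        "spf_domain": spf_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "result": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Scenarios built from the thread: an autoreply (MAIL FROM:<>) leaves
# mail.domain.com carrying "From: user@domain.com" in the header.
FROM_DOMAIN, HELO = "domain.com", "mail.domain.com"


def autoreply_unsigned() -> Dict[str, object]:
    # Signing domain taken from the empty $sender_address_domain, so no valid
    # signature; mail.domain.com is assumed to publish no SPF record.
    return dmarc_evaluate(FROM_DOMAIN, "", HELO, spf_pass=False,
                          dkim_domain=None, dkim_pass=False)


def autoreply_signed() -> Dict[str, object]:
    # Exim configured to sign with d=domain.com even when the envelope sender is empty.
    return dmarc_evaluate(FROM_DOMAIN, "", HELO, spf_pass=False,
                          dkim_domain=FROM_DOMAIN, dkim_pass=True)


def autoreply_helo_spf(strict: bool = False) -> Dict[str, object]:
    # No DKIM, but the HELO name is assumed to have an SPF record that passes.
    return dmarc_evaluate(FROM_DOMAIN, "", HELO, spf_pass=True,
                          dkim_domain=None, dkim_pass=False,
                          aspf="s" if strict else "r")


if __name__ == "__main__":
    for name, fn in [("unsigned", autoreply_unsigned), ("dkim", autoreply_signed),
                     ("helo spf relaxed", autoreply_helo_spf)]:
        print(f"{name:18s} -> {fn()['result']}")
    print(f"{'helo spf strict':18s} -> {autoreply_helo_spf(strict=True)['result']}")
```

The unsigned autoreply fails however the HELO is chosen, which matches the Gmail rejection quoted in the question; signing with the same d= domain that the DMARC record covers is what makes it pass, and the HELO-based SPF path only helps while the domain owner keeps relaxed alignment.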

Re: [exim] Exim 4.96-RC0 released

2022-04-27 Thread Lena--- via Exim-users
I'm concerned with the "EXPIRATION_DATE=2022-06-30" below:

FreeBSD 12.3 base contains /usr/include/db.h without DB_VERSION_STRING
with

 *  @(#)db.h	8.7 (Berkeley) 6/16/94
 * $FreeBSD: releng/12.3/include/db.h 326024 2017-11-20 19:45:28Z pfg $

Ports have:

databases/db18:

PORTVERSION=18.1.40
COMMENT=Oracle Berkeley DB, Release ${BDBVER}

databases/db5:

PORTVERSION=5.3.28
DEPRECATED= EOLd, potential security issues, maybe use db18 instead
EXPIRATION_DATE=2022-06-30
COMMENT=Oracle Berkeley DB, revision ${BDBVER}

Exim 4.96 src/hintsdb.h :

# include <db.h>

/* 1.x did no locking
   2.x had facilities, but exim does it's own
   3.x+ unknown
*/

/* We can distinguish between versions 1.x and 2.x/3.x by looking for a
definition of DB_VERSION_STRING, which is present in versions 2.x onwards. */

# ifdef DB_VERSION_STRING

#  if DB_VERSION_MAJOR >= 6
#   error Version 6 and later BDB API is not supported




Re: [exim] Exim 4.96-RC0 released

2022-04-26 Thread Lena--- via Exim-users
>  - Query-style lookups are now checked for quoting, if the query string is
> built using untrusted data ("tainted").  For now lack of quoting is 
> merely logged; a future release will upgrade this to an error.

Does it apply to dnsdb?

If yes then how to quote for ptr, a, mxh, txt?



Re: [exim] catching brute force smtp auth - what condition?

2022-04-12 Thread Lena--- via Exim-users
> How to catch brute force smtp auth attempts only? (== bad login or
> password provided)

https://github.com/Exim/exim/wiki/BlockCracking

> Condition like:
> 
> ${if eq{$authentication_failed}{1}}
> 
> doesn't work because it also catches cases where client cancelled smtp
> auth attempt (rfc2554 and "*").

Doesn't happen in real life.



Re: [exim] Exim-users Digest, Vol 214, Issue 21

2022-03-25 Thread Lena--- via Exim-users




Re: [exim] Subject String Manipulation

2022-03-16 Thread Lena--- via Exim-users
> From: Ole Klinck

> Apparently Exim sometimes failed to decode the message and
> just gave the RFC 2047 string

Insert at the beginning of the Exim config:

check_rfc2047_length = false




Re: [exim] Problem with filter on Base64-encoded subject field

2020-12-16 Thread Lena--- via Exim-users
> this means that Exim cannot decode the original header for some reason.

Insert at the beginning of the Exim config:
check_rfc2047_length = false

Also, you should encode Subject back.




Re: [exim] Looking for an example

2020-06-30 Thread Lena--- via Exim-users
> From: Mark Elkins

> I'm looking for an example for how to cure this problem.
> 
> Every now and then, a user will give his password to a bad actor (Social 
> Engineering). That bad person then goes to my webmail interface and 
> sends out a lot of SPAM e-mail - which goes to my port 587 (only) Exim 
> (version 4.94)..
> 
> The mail server then gets black-listed :-(

> All my users details are in a MySQL Database. Ideally - I could change 
> their status to "disabled"

How to detect outgoing spam:
https://github.com/Exim/exim/wiki/BlockCracking




Re: [exim] Rule invalid recipients

2020-02-04 Thread Lena--- via Exim-users
> From: Emanuel Gonzalez

> i found this rule in a site:

That was forked by somebody from an earlier version of my
https://github.com/Exim/exim/wiki/BlockCracking




Re: [exim] Exim 4.93 published.

2019-12-11 Thread Lena--- via Exim-users
> From: Jeremy Harris

> > store_get() is not part of the API documented (in local_scan.h) as
> > being usable by local_scan and dlexpand code.
> 
> I see however that it _is_ described as part of the API in the
> documentation chapter on local-scan.  My apologies.
> 
> I'll get that chapter touched up for the new interface

In my ${dlfunc module I use:

uschar *dir = expand_string(US "$spool_directory/grey");
size_t dir_len = strlen(dir);
uschar *filename = US store_get(dir_len+257);

Do I need to change that since 4.93 to this?

uschar *dir = expand_string(US "$spool_directory/grey");
size_t dir_len = strlen(dir);
uschar *filename = US store_get(dir_len+257, FALSE);





Re: [exim] error ignored

2019-06-26 Thread Lena--- via Exim-users
P.S. How to debug delivery?
I inserted into the beginning of rcpt ACL:

  warn  domains = tiscali.cz
control = debug/tag=.$message_exim_id/opts=+all

The debuglog contains only lines with pid of the receiving process,
including:

20:18:58 18029 DSN:  SPOOL_OUT - address: |doma*@ tiscali.cz| errorsto: 
|NULL| orcpt: |NULL| dsn_flags: 24

I invoked Exim with the message at stdin:
exim -d+all -i -t tis1 2>tis2
but that way the bug(?) didn't manifest, a normal DSN was generated.

That line was slightly different:
20:46:51 28502 DSN:  SPOOL_OUT - address: |doma*@ tiscali.cz| errorsto: 
|NULL| orcpt: |NULL| dsn_flags: 0

What is "dsn_flags"?




[exim] error ignored

2019-06-26 Thread Lena--- via Exim-users
Exim 4.92 as a smarthost gets a 5xx after end of data, but doesn't send a DSN.
In mainlog (I redacted with asterisks and inserted blanks after @):

2019-06-20 18:28:19 +0300 1hdyz4-000G6A-BR <= Len*@ lena.kiev.ua 
H=ip-19*6.rusa*ovka-net.ki*v.ua (bedsi*e.lena.kiev.ua) [94.244.2*.38] 
I=[62.109.6.225]:52*5 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no 
S=3473 RT=0s id=20190620152815.gg...@lena.kiev
2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR ** doma*@ tiscali.cz 
R=remote_domains T=remote_smtp H=tax.virusfree.cz [212.224.105.18] 
I=[62.109.6.225] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error 
from remote mail server after end of data: 554 message refused (#5.7.1) - for 
more information visit https://www.virusfree.cz/cs/help
2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR doma*@ tiscali.cz: error ignored
2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR Completed QT=2s

I see "error ignored" in deliver.c, but I don't understand why
in this simple case - a personal message with a single recipient.
Why "error ignored"?
My config doesn't contain "errors_to".
Nothing in rejectlog, spool.

I cannot reproduce it; a repeated message was accepted.




Re: [exim] Matching RFC 2047 encoded text

2019-04-21 Thread Lena--- via Exim-users
> From: Ian Zimmerman

> > check_rfc2047_length = false
> 
> Thanks, Lena.
> 
> If I leave it as true (the default), and $h_subject: turns out to
> contain "=?UTF-8?B?", can I assume (not with certainty, but with a high
> likelihood) the message violates the RFC?

Yes, but filtering on that is fraught with false positives.




Re: [exim] Matching RFC 2047 encoded text

2019-04-17 Thread Lena--- via Exim-users
> From: Ian Zimmerman

> An unwanted message arrived to my mailbox with the following Subject:
> 
> Subject: 
> =?UTF-8?B?VXMgY29uZ3Jlc3MgaGVhcmluZyBvZiBtYWFuIGFsc2FhbiBNb25leSBsYXVuZHJ5INmC?=
> 
> =?UTF-8?B?2LbZitipINin2YTZg9mI2YbYutis2LHYsyDZhNi62LPZitmEINin2YTYo9mF2YjYp9mEINmE2YTZhdmE?=
> =?UTF-8?B?2YrYp9iv2YrYsSDZhdi52YYg2KfZhNi12KfZhti5?=
> 
> Try decoding it yourself if you dare ;-)

> What else could it stop from working?

At the beginning of the Exim config:

check_rfc2047_length = false




Re: [exim] Spam though my server

2019-02-19 Thread Lena--- via Exim-users
> From: Mark Elkins

> I should probably have some EXIM scripts that count repetitive failures, 
> both at login authentication and delivery (failure) by a user, and use 
> that to do automatic blocking and reporting. Lena probably has a 
> solution for that.

https://github.com/Exim/exim/wiki/BlockCracking




Re: [exim] Slow down ?

2019-02-04 Thread Lena--- via Exim-users
> When several messages are sent to @ orange.fr in a too short period of
> time, they are (temporarily) refused:

> > Too many connections

I use in the transport:

  serialize_hosts = *

You can use:

  serialize_hosts = smtp-in.orange.fr

At reboot:
rm /var/spool/exim/db/misc*




Re: [exim] Block email from my host to my host without authorization

2019-01-19 Thread Lena--- via Exim-users
> How to block sending mail from my host to my host users without
> authorization, so that in the future there are no such situations
> 41.56.57.80 is not my ip address

> Received: from [41.56.57.80]
>  by domain.dot.com with esmtp (Exim 4.91)
>  (envelope-from )
>  id 1gkmFE-0002ym-UR
>  for katow...@domain.dot.com; Sat, 19 Jan 2019 09:44:49 +0100

You asked this question on a mailing list. Some mailing lists
don't alter envelope-from, so you'd not receive your own messages
back from such mailing lists. Also, the easiest way to test
whether your Exim is working at the moment is to send an email
through it to a forwarder which sends it to your email address.

What you quoted looks like an "I hacked your mailbox" scam
sent from a trojaned home Windows, no RDNS in this instance.
So, I can advise this solution for rcpt ACL:

 warn dnslists = cbl.abuseat.org
  set acl_m_cbl = 1

 deny message = it looks like we did not send this
  condition = ${if eqi{$sender_address}{$local_part@$domain}}
  !authenticated = *
  !hosts = @[]
  condition = ${if or{\
  {!def:sender_host_name}\
  {match{$sender_host_name}{\N(\d{1,3}[-.]){3}\d\N}}\
  {def:acl_m_cbl}\
 }}
  !dnslists = list.dnswl.org!=127.0.0.255 : swl.spamhaus.org



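Lena's rcpt ACL above, together with the From/envelope-from/recipient pattern described in the 2023-03-13 post at the top of this page, reduces to a few tests on envelope and connection facts. The Python below is an added example (not Lena's code and not part of Exim) that re-implements that decision over constructed session records so the logic can be exercised without DNS: the CBL, whitelist and reverse-DNS results are supplied as fields of the record rather than looked up, and the addresses and host names are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# rDNS names that are just an IP address spelled with dots or dashes
# (e.g. "41-56-57-80.dsl.isp.example"): the (\d{1,3}[-.]){3}\d test from the ACL.
GENERIC_RDNS = re.compile(r"(\d{1,3}[-.]){3}\d")


@dataclass
class Session:
    """What Exim knows at RCPT time. Constructed test data: DNS is never
    queried, the DNS-list results are supplied as booleans."""
    sender_address: str                      # envelope-from (MAIL FROM)
    recipient: str                           # RCPT TO, i.e. $local_part@$domain
    authenticated: bool = False              # client completed SMTP AUTH
    local_host: bool = False                 # connection from this host (hosts = @[])
    sender_host_name: Optional[str] = None   # verified reverse DNS, None if there is none
    on_cbl: bool = False                     # listed in cbl.abuseat.org (the acl_m_cbl flag)
    whitelisted: bool = False                # dnswl.org (not 127.0.0.255) or swl.spamhaus.org hit


def self_spoof_reason(s: Session) -> Optional[str]:
    """Why the RCPT should be denied as 'it looks like we did not send this',
    or None to let the ACL fall through to its later checks."""
    if s.sender_address.lower() != s.recipient.lower():
        return None                  # sender does not claim to be the recipient
    if s.authenticated or s.local_host:
        return None                  # our own user or our own host: legitimate
    if s.whitelisted:
        return None                  # known good relay (a forwarder, a mailing list)
    if s.sender_host_name is None:
        return "no reverse DNS"
    if GENERIC_RDNS.search(s.sender_host_name):
        return "generic reverse DNS"
    if s.on_cbl:
        return "host listed on CBL"
    return None


def check_sessions(sessions: List[Session]) -> List[Optional[str]]:
    return [self_spoof_reason(s) for s in sessions]


# Constructed sessions; addresses and host names are made up for the test.
SAMPLE_SESSIONS = [
    Session("user@domain.dot.com", "user@domain.dot.com"),
    Session("user@domain.dot.com", "user@domain.dot.com",
            sender_host_name="41-56-57-80.dsl.isp.example"),
    Session("user@domain.dot.com", "user@domain.dot.com",
            sender_host_name="pc.home.example", on_cbl=True),
    Session("user@domain.dot.com", "user@domain.dot.com",
            sender_host_name="lists.forwarder.example", whitelisted=True),
    Session("user@domain.dot.com", "user@domain.dot.com", authenticated=True),
    Session("someone@other.example", "user@domain.dot.com"),
]

if __name__ == "__main__":
    for s, reason in zip(SAMPLE_SESSIONS, check_sessions(SAMPLE_SESSIONS)):
        print(f"{s.sender_address:24s} rdns={s.sender_host_name!s:30s} -> {reason or 'accept'}")
```

The whitelist test is evaluated early here while the ACL puts its `!dnslists` line last; the outcome is the same because every condition on an ACL verb must hold for the deny to fire.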

Re: [exim] Auth command used when not advertised

2018-11-27 Thread Lena--- via Exim-users
> From: Russell King

> My mail server is being hit with auth attempts when the helo hasn't
> advertised the presence of authentication

I always advertise AUTH but in the rcpt ACL:

  accept  authenticated = *
  condition = ${if !={$received_port}{25}}




Re: [exim] Help extracting From-Address

2018-11-24 Thread Lena--- via Exim-users
> From: Luca Bertoncello

> we receive many E-Mails with faked From (Header), and I'm trying to 
> block them.
> Currenty I extract the domain (most our own domain) and check it for SPF.

In messages from mailing lists (such as this [exim-users])
the domain in "From:" header fails SPF.




Re: [exim] ${lookup{value}lsearch{file}{yes}{no}} tricks help request

2018-11-13 Thread Lena--- via Exim-users
> From: supportsob...@mail.ru

> Could someone help with syntax of ${lookup{value}lsearch{file}{yes}{no}}
> 
> I'm trying to write a condition that will return "FALSE" if any of the hosts
> from "Received:" headers (yes, any on the way from sender's server to me)
> is listed in /etc/whitelist_networks, otherwise "TRUE".

deny !condition = ${if forany{<\n $h_Received:}\
   {match{$item}{\N\b(\d+\.\d+\.\d+\.\d+)\b\N}}\
   {${lookup{$1}iplsearch{/path/file}{1}{0}}}\
   {0}}

-- 
Lena


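The question asks for a check over every host in every Received: header, looked up in an iplsearch-style network file. The Python below is an added example, not Lena's expression or Exim code, that does the same job with the standard ipaddress module: parse the whitelist file, pull all IPv4 literals out of the Received: headers, and report whether any hop is listed. The headers and the whitelist file contents are constructed for the test.

```python
import ipaddress
import re
from typing import List, Tuple

# Dotted-quad literal. \b keeps "4.92" in "(Exim 4.92)" from matching, but a
# candidate like 300.1.1.1 still has to be rejected by ip_address() below.
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_whitelist(text: str) -> List[ipaddress._BaseNetwork]:
    """iplsearch-style file: one address or CIDR network per line, '#' comments,
    IPv6 keys optionally in double quotes."""
    nets = []
    for line in text.splitlines():
        key = line.split("#", 1)[0].strip().strip('"')
        if key:
            nets.append(ipaddress.ip_network(key, strict=False))
    return nets


def received_ips(headers: List[Tuple[str, str]]) -> List[str]:
    """Every IPv4 literal in every Received: header. Exim's $h_Received: joins
    the headers with newlines; here they are a list of (name, value) pairs."""
    found = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        for m in IPV4.finditer(value):
            try:
                found.append(str(ipaddress.ip_address(m.group(1))))
            except ValueError:
                pass                      # not a valid address, e.g. 300.1.1.1
    return found


def any_hop_whitelisted(headers: List[Tuple[str, str]], nets) -> bool:
    """True if any hop on the way from the sender's server is whitelisted,
    which is the condition the question asks for."""
    return any(ipaddress.ip_address(ip) in net
               for ip in received_ips(headers) for net in nets)


# Constructed message headers (the IPs are documentation ranges).
SAMPLE_HEADERS = [
    ("Received", "from mx.partner.example (mx.partner.example [192.0.2.10])\n"
                 "\tby mail.example.org with esmtps (Exim 4.92) id 1abc-0001-AB;"
                 " Tue, 13 Nov 2018 10:00:00 +0000"),
    ("Received", "from [10.1.2.3] (helo=laptop) by mx.partner.example"
                 " with esmtpsa id 1xyz-0002-CD"),
    ("From", "someone@partner.example"),
]

# Constructed stand-in for /etc/whitelist_networks.
WHITELIST_FILE = """# partner relays
192.0.2.0/24      # partner MX range
198.51.100.7
"""

if __name__ == "__main__":
    nets = load_whitelist(WHITELIST_FILE)
    print("hops:", received_ips(SAMPLE_HEADERS))
    print("whitelisted hop:", any_hop_whitelisted(SAMPLE_HEADERS, nets))
```

Received: headers below the one your own server added are written by other hosts and can say anything, so a whitelist keyed on any hop should carry only networks whose headers you trust.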

Re: [exim] Removing addresses from mail before delivery?

2018-11-05 Thread Lena--- via Exim-users
> From: Jon 'Boli' Copeland

> I have a problem with some people insisting on CCing every single
> address they have for my company on every email they send. No amount of
> asking politely seems to stop this.
> 
> What I want to do, serverside, is something like the following
> 
> |while (TO+CC contains more than one of a@x b@x c@x) remove in reverse
> order (c@x, b@x, a@x) until (TO+CC contains only one of a@x b@x c@x)
> finally deliver mail to the address(es) that remain |

In acl_check_rcpt:

 discard !hosts = @[]
  domains = x
  condition = ${if >{$recipients_count}{1}} 
  message = the message is delivered only to the first recipient on domain x

> Bonus points are available if there's an easy way to send a bounce to
> the sender for each address that has to be removed.

 "deny" instead of "discard".




Re: [exim] exim block auth (geoip)

2018-10-04 Thread Lena--- via Exim-users
> From: Emanuel Gonzalez

> lately we are suffering from dictionary attacks, as a prevention method
> I use "fail2ban", but in some cases users use passwords that are
> easy to guess and are used to send spam through bots.

This code blocks both dictionary attacks and stolen passwords used for spam:
https://github.com/Exim/exim/wiki/BlockCracking




Re: [exim] demime -> acl_smtp_mime

2018-09-13 Thread Lena--- via Exim-users
> From: Marco Gaiarin 

> but a condition like:
> 
>   deny
> message = Serious MIME defect detected ($demime_reason)
> demime = *
> condition = ${if >{$demime_errorlevel}{2}{1}{0}}
> 
> how can be converted in 'acl_smtp_mime' lingo?

No way I think. I'm curious: how often did you see messages triggering
this rejection?

More elaborate checks:

P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
GREP = /usr/bin/grep
SHELL = /bin/sh
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious:
# exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
# Perhaps "jar" should be added.
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z|tar
check_rfc2047_length = false
acl_smtp_mime = acl_check_mime

begin acl
acl_check_mime:
  deny message = BINFORBIDDEN
   log_message = forbidden attachment: filename=$mime_filename, \
 content-type=$mime_content_type, recipients=$recipients
   condition = ${if or{\
{match{$mime_content_type}\
  {(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
  }}

  deny message = Compressed BINFORBIDDEN
   condition = ${if or{\
   {match{$mime_content_type}{(?i)application/\
 (octet-stream|x(-zip)?-compressed|zip)}}\
   {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
  }}
   condition = ${if <{$message_size}{1500K}}
   decode = default
   log_message = forbidden binary in attachment: filename=$mime_filename, \
 recipients=$recipients
   condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
 {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

  deny message = Windows-executable inside an Office file attachment
   condition = ${if or{\
 {match{$mime_content_type}{(?i)openxmlformats-officedocument}}\
 {match{$mime_filename}{\N(?i)\.(doc|xls|ppt)(x|m)$\N}}\
  }}
   decode = default
   log_message = forbidden binary in Office file attachment: \
 filename=$mime_filename, recipients=$recipients
   set acl_m_ud = ${sg{$mime_decoded_filename}{[^/]+\$}{}}
   condition = ${run{SHELL -c \
 "cd $acl_m_ud; \
  P7ZIP x -y $mime_decoded_filename; \
  GREP -r -a -s -E \
   'rundll32|This program cannot be run in DOS mode|\
This program must be run under|Embedded Object|\
WScript\\.Sh|Shell\\.Application|Location: file:' \
   $acl_m_ud"}{1}{0}}

  accept



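The three deny verdicts in the acl_check_mime above can be exercised offline. The Python below is an added example and not Lena's ACL or Exim code: it applies the same extension regexes to attachment names, lists a zip archive with the standard library instead of shelling out to 7z (so rar, 7z and tar are not covered here), and scans the members of an Office container for the byte strings the ACL greps for. The archives are constructed in memory for the test.

```python
import io
import re
import zipfile
from typing import Dict, List

# Extension classes from the ACL macros above.
WINBIN = r"exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace"
COMPREXT = r"zip|rar|7z|arj|bz2|gz|uue|xz|z|tar"

# First deny: \.(WINBIN)(\.(COMPREXT))*$ is an executable extension, optionally
# followed by compression extensions ("invoice.exe.gz" is still an executable).
FORBIDDEN_NAME = re.compile(rf"(?i)\.({WINBIN})(\.({COMPREXT}))*$")
# Second deny: an archive whose listing has to be inspected ...
ARCHIVE_NAME = re.compile(rf"(?i)\.({COMPREXT})$")
# ... and what that listing must not contain: executables or nested archives.
INNER_FORBIDDEN = re.compile(rf"(?i)\.({COMPREXT}|{WINBIN})$")
# Third deny: Office files are zip containers; the ACL unpacks them and greps
# for these strings (the ACL's regex escapes turned into plain bytes here).
OFFICE_NAME = re.compile(r"(?i)\.(doc|xls|ppt)(x|m)$")
EMBEDDED_BINARY_MARKERS = [
    b"rundll32", b"This program cannot be run in DOS mode",
    b"This program must be run under", b"Embedded Object",
    b"WScript.Sh", b"Shell.Application", b"Location: file:",
]


def forbidden_attachment(filename: str) -> bool:
    return FORBIDDEN_NAME.search(filename) is not None


def forbidden_members(archive: bytes) -> List[str]:
    """Member names the policy rejects. The ACL runs '7z l' and greps the
    listing; this uses the stdlib zipfile reader, so only zip is covered."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []                 # not a zip: nothing to list, other checks decide
    return [n for n in names if INNER_FORBIDDEN.search(n)]


def office_embedded_binary(archive: bytes) -> bool:
    """True if any member of an Office container carries an executable marker.
    A production filter would cap how much it reads, as the ACL caps message_size."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for info in zf.infolist():
                data = zf.read(info)
                if any(marker in data for marker in EMBEDDED_BINARY_MARKERS):
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def attachment_verdict(filename: str, content: bytes) -> str:
    """Decision for one MIME part, in the order the ACL applies its checks."""
    if forbidden_attachment(filename):
        return "deny: Windows-executable attachment"
    if ARCHIVE_NAME.search(filename):
        bad = forbidden_members(content)
        if bad:
            return "deny: compressed executable: " + ", ".join(bad)
    if OFFICE_NAME.search(filename) and office_embedded_binary(content):
        return "deny: Windows-executable inside an Office file attachment"
    return "accept"


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test archive (member name -> content), built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name, body in [("report.pdf", b"%PDF"), ("invoice.exe.gz", b""),
                       ("docs.zip", build_zip({"invoice.pdf.exe": b"MZ"}))]:
        print(f"{name:16s} -> {attachment_verdict(name, body)}")
```

The name checks are case-insensitive and look only at the end of the filename, so "photo.JPG.scr" is caught while "script.js.txt" is not; whether a MIME part is also caught by the content-type branch of the ACL is a separate test this example leaves out.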

Re: [exim] "25 lost" is giving me useful clues

2018-09-04 Thread Lena--- via Exim-users
> > What this is telling me is someone at 157.0.116.189 is making
> > connections to my mail server - presumable to see if they can detect the
> > accounts of users on my machine?

It tries to guess passwords of users on your machine
(brute-force password cracking).
This code catches both using guessed passwords for spamming
and the guessing (auth cracking):
https://github.com/Exim/exim/wiki/BlockCracking



Re: [exim] Block attachment extension

2018-08-24 Thread Lena--- via Exim-users
> From: Sławomir Dworaczek

> how to block attachment with zip rar etc. extension in Exim 4.91 ?
> this entry in the configuration has stopped working

> deny   condition  = ${if 
> match{${lc:$mime_filename}}{\N(\.com|\.vbs|\.bat|\.pif|\.scr|\.exe|\.js|\.mpeg|\.wmv|\.wav|\.wmp|\.asf|\.zip|\.rar|\.mpg|\.bmp)$\N}}

If you don't have the line

check_rfc2047_length = false

at the beginning of the Exim config, then the reason is long filenames, not the Exim version. Add this line.



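Five replies on this page (2022-03-16, 2020-12-16, 2019-04-21, 2019-04-17 and this one) give the same fix, check_rfc2047_length = false, so one added example covers them all. It is not Exim's decoder and not Lena's code: a small RFC 2047 decoder in Python that applies the 75-character encoded-word limit, leaving an overlong word undecoded in strict mode (the symptom the askers describe) and decoding it in relaxed mode, run on the Subject: quoted in the 2019-04-17 thread.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")
# RFC 2047 section 2 caps an encoded-word at 75 characters. That is the rule
# Exim's check_rfc2047_length option (default true) enforces; senders that
# ignore it produce the undecoded "=?UTF-8?B?...?=" subjects seen in the threads.
MAX_ENCODED_WORD_LEN = 75


def overlong_encoded_words(header: str) -> list:
    """Encoded-words in a header value that break the 75-character limit."""
    return [m.group(0) for m in ENCODED_WORD.finditer(header)
            if len(m.group(0)) > MAX_ENCODED_WORD_LEN]


def decode_header(header: str, check_length: bool = True) -> str:
    """Decode encoded-words. check_length=True models the strict default: an
    overlong word is left verbatim. check_length=False models
    check_rfc2047_length = false: every well-formed word is decoded."""
    out = []
    pending = bytearray()   # bytes of a run of adjacent encoded-words, decoded
    charset = None          # together so a UTF-8 character split across words survives

    def flush():
        nonlocal pending, charset
        if pending:
            try:
                out.append(pending.decode(charset, errors="replace"))
            except LookupError:                 # unknown charset name
                out.append(pending.decode("latin-1"))
        pending = bytearray()
        charset = None

    pos = 0
    for m in ENCODED_WORD.finditer(header):
        literal = header[pos:m.start()]
        pos = m.end()
        cs, enc, payload = m.group(1).lower(), m.group(2).upper(), m.group(3)
        if check_length and len(m.group(0)) > MAX_ENCODED_WORD_LEN:
            flush()
            out.append(literal + m.group(0))    # kept undecoded
            continue
        # Whitespace between two adjacent encoded-words carries no text
        # (RFC 2047 section 6.2); any other literal text is kept as is.
        if not (pending and literal.strip() == ""):
            flush()
            out.append(literal)
        if pending and cs != charset:
            flush()
        charset = cs
        try:
            if enc == "B":
                pending += base64.b64decode(payload, validate=True)
            else:
                pending += quopri.decodestring(payload.encode("ascii"), header=True)
        except (ValueError, UnicodeEncodeError):
            flush()
            out.append(m.group(0))              # malformed payload: keep it raw
    flush()
    out.append(header[pos:])
    return "".join(out)


# The Subject: quoted in the 2019-04-17 thread, unfolded onto one line.
SAMPLE_SUBJECT = (
    "=?UTF-8?B?VXMgY29uZ3Jlc3MgaGVhcmluZyBvZiBtYWFuIGFsc2FhbiBNb25leSBsYXVuZHJ5INmC?= "
    "=?UTF-8?B?2LbZitipINin2YTZg9mI2YbYutis2LHYsyDZhNi62LPZitmEINin2YTYo9mF2YjYp9mEINmE2YTZhdmE?= "
    "=?UTF-8?B?2YrYp9iv2YrYsSDZhdi52YYg2KfZhNi12KfZhti5?="
)

if __name__ == "__main__":
    print([len(w) for w in overlong_encoded_words(SAMPLE_SUBJECT)])
    print(decode_header(SAMPLE_SUBJECT))                      # strict: raw words remain
    print(decode_header(SAMPLE_SUBJECT, check_length=False))  # relaxed: readable text
```

Two of the three encoded-words in that Subject are 80 and 92 characters long, so a strict decoder hands the raw text to any later `$h_subject:` match, which is exactly why the attachment and subject filters elsewhere on this page stop working until the option is relaxed.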

Re: [exim] Filter with special characters (!?)

2018-08-23 Thread Lena--- via Exim-users
> From: Emanuel Gonzalez

It's an ACL, not a filter.

> In the exim log i see this:
> 
> 2018-08-22 07:48:12 1fsQgL-000554-6N Entrantes y Salientes autenticados - 
> Cuenta_FROM:  - X-Mailer = Microsoft Outlook 
> Express 6.00.2900.2950 - Subject = \277Eres el del video?
> 
> discard condition = ${if match{$header_subject:}{^\277Eres el del video?\$}}
>         logwrite = Rejected By SPAM - $header_subject - FROM: "$sender_address"

 deny condition = ${if match{$header_subject:}\
                  {\N^\xBFEres el del video\?$\N}}
      message = rejected as spam - $header_subject: - FROM: $sender_address

This must be in the data ACL.




Re: [exim] tons of brute force cracking events

2018-06-08 Thread Lena--- via Exim-users
> acl_check_auth:
> 
>   drop  message = blacklisted for bruteforce cracking attempt
>         set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
>         condition = ${if >{$acl_c_authnomail}{4}}

This also needs:

acl_smtp_mail = acl_check_mail
begin acl
acl_check_mail:
  accept set acl_c_authnomail = 0




Re: [exim] Avoiding bounces

2018-05-26 Thread Lena--- via Exim-users
> I have an "info@"-address that forwards the E-Mails to other
> addresses, some on them outside my servers.
> 
> Well, unfortunately this address catches many Spam/junk E-Mails and, of
> course, my Exim (4.88) tries to forward them.
> Virus are blocked and will __NOT__ be forwarded, but Spam is some other and,
> of course, I cannot be sure if an E-Mail is Spam or not, so I have to forward
> it...

No, you don't have to forward it. You can deliver to a local mailbox
(or several mailboxes) and configure your mail clients to
download mail from those mailboxes via POP3 or IMAP.

> some recipient (in this case: Google) refuse some E-Mail if they are
> Spam (in the "mind" of Google)

Gmail also can download via POP3.

By forwarding spam to Google, you harm the reputation of your server.



[exim] compiling 4.91 under FreeBSD

2018-04-16 Thread Lena--- via Exim-users
Has anyone had this error?  Using the port:

cc tls.c
In file included from tls.c:122:
tls-openssl.c: In function `tls_refill':
tls-openssl.c:2499: error: structure has no member named `verify_stack'
tls-openssl.c:2502: error: structure has no member named `verify_stack'
tls-openssl.c: In function `tls_close':
tls-openssl.c:2778: error: structure has no member named `verify_stack'
tls-openssl.c:2779: error: structure has no member named `verify_stack'
*** Error code 1
Stop in /usr/ports/mail/exim/work/exim-4.91/build-FreeBSD-i386.

# /usr/local/bin/openssl version
OpenSSL 1.0.2o  27 Mar 2018




Re: [exim] Write acl to delete incomming emails if they have a chinese subject

2018-03-19 Thread Lena--- via Exim-users
> I try to write acl for incomming chinese spam. Does anyone know how to check
> for chinese content?

begin acl
acl_check_rcpt:
...
  require message = relay not permitted
  domains = +local_domains : +relay_to_domains

  require verify = recipient

  accept hosts = +whitelisted_hosts
 logwrite = $sender_host_address locally whitelisted

  deny   message = I don`t accept mail from China,HongKong,Taiwan, Korea, \
   Vietnam because too many admins there do not care \
   about outgoing spam. Your \
   IP-address seems to belong to: $dnslist_text.
 dnslists = zz.countries.nerd.dk=127.0.0.156,127.0.1.88,127.0.0.158,\
 127.0.1.154,127.0.2.192
...
acl_check_mime:
  accept condition = ${if def:header_List-ID:}

  accept condition = ${lookup{$sender_address_domain}nwildlsearch\
 {/usr/local/etc/exim/mailing_list_domains}{1}{0}}

  deny  message = Blocked as Chinese spam (type 1)
condition = ${if match{$rheader_Subject:}{\N=\?utf-8\?B\?\N}}
condition = ${if match{$bheader_X-mailer:}{\NFoxmail [\d, ]+ \[cn\]\N}}
condition = ${if or{\
{eq{$mime_content_type}{application/vnd.ms-excel}}\
{match{$mime_filename}{\N(?i)\.xls$\N}}\
   }}

  deny  message = Blocked as Chinese spam (type 2)
condition = ${if eq{$mime_content_type}{text/plain}}
condition = ${if eqi{$mime_charset}{UTF-8}}
mime_regex = \N\
([\x01-\x7f](\xe2\x96\xb2)?(\xe4[\xb8-\xbf]|[\xe5-\xe9]).+?){3}

  deny  message = Blocked as Chinese spam (type 4)
condition = ${if eq{$mime_content_type}{text/html}}
condition = ${if eqi{$mime_charset}{utf-8}}
mime_regex = ]+_GB2312>

  deny  message = Blocked as Vietnamese spam from gmail
condition = ${if match{$sender_host_name}\
  {\N^mail-[\w-]+\.google\.com$\N}}
condition = ${if match{$mime_content_type}{text/(plain|html)}}
condition = ${if eqi{$mime_charset}{UTF-8}}
mime_regex = \
\N([\x01-\x7f](\xe1(\xba[\xa1-\xa3\xa5\xa6\xa8\xab\xad\xb6\xbe\xbf]|\xbb[\x81\x82\x85-\x87\x89-\x92\x97\x99-\x9c\xaa\xab\xad\xb0\xb1])|\xc3[\xaa\xa2\xb4]\xcc[\x81\x83\x89])[\x01-\x7f].*?){3}
...
acl_check_data:
...
  accept hosts = : +whitelisted_hosts

  deny  message = I understand neither Chinese nor Korean nor Japanese
condition = ${if or{\
{match{$message_headers_raw}{\N(?i)charset="?(gb2312|big5|gbk|ks_c_|euc[_-]kr|shift_jis)\N}}\
{match{$message_headers_raw}{\N(?i)=\?(gb2312|big5|gbk|ks_c_\w*|euc[_-]kr|shift_jis)\?[BbQq]\?\N}}\
{match{$message_body}{\N(?i)(content-type:\s*text\/(plain|html);\s*charset=\s*"?|content=(3D)?["']text\/html;\s*charset=(3D)?)(gb2312|big5|gbk|ks_c_|euc[_-]kr|shift_jis)\N}}\
   }}

  deny  message = Blocked as Chinese spam (type 3)
condition = ${if match{$rheader_Subject:}{\N^ =\?utf-8\?\N}}
condition = ${if match{$bheader_Subject:}\
   {\N^(\xe2\x96\xb2)?(\xe4[\xb8-\xbf]|[\xe5-\xe9])\N}}

  deny  message = I consider a Chinese mailbox in Reply-To as a sign of spam.
condition = ${if match_domain{${domain:$header_reply-to:}}\
{yahoo.cn:yahoo.com.cn:yahoo.com.hk:w.cn}}
...

The file mailing_list_domains:

groups.io
*.groups.io
^yahoogroups\.
returns.groups.yahoo.com
googlegroups.com
^listserv\.
^lists\.
freebsd.org
exim.org
mailground.net
opennet.ru
subscribe.ru
njabl.org
spammers.dontlike.us
mailop.org
mutt.org


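
To see what the byte-range regexes in the "type 2" and "type 3" rules above actually select, here is an added Python mirror of them (example code, not from the original post): the sample parts and Subject headers are constructed, and the Subject check reuses the post's ` =?utf-8?` raw-header precondition.

```python
"""Offline mirror of the byte-level CJK checks in the posted ACL: the
"type 2" mime_regex on a decoded text/plain part and the "type 3" Subject
check.  Added example, not code from the original post; the sample parts
and headers are constructed."""
import re
from email.header import decode_header, make_header

# First byte(s) of a UTF-8 encoded CJK Unified Ideograph, as in the post:
#   \xe4[\xb8-\xbf] -> U+4E00..U+4FFF
#   [\xe5-\xe9]     -> U+5000..U+9FFF (whatever the continuation bytes are)
CJK_LEAD = rb"(?:\xe4[\xb8-\xbf]|[\xe5-\xe9])"
TRIANGLE = rb"(?:\xe2\x96\xb2)?"   # optional U+25B2 "▲" used as decoration

# Type 2: an ASCII byte, optional ▲, a CJK lead, then anything (lazily),
# three times.  No DOTALL flag, matching PCRE's default in mime_regex.
TYPE2_RE = re.compile(rb"(?:[\x01-\x7f]" + TRIANGLE + CJK_LEAD + rb".+?){3}")
# Type 3: the decoded Subject starts with an optional ▲ and a CJK character.
TYPE3_RE = re.compile(rb"^" + TRIANGLE + CJK_LEAD)


def type2_body_hit(decoded_part: bytes, content_type: str, charset: str) -> bool:
    """Same preconditions as the ACL: text/plain part declared as UTF-8
    (Exim's eqi compares case-insensitively), then the regex on the bytes."""
    if content_type != "text/plain" or charset.lower() != "utf-8":
        return False
    return TYPE2_RE.search(decoded_part) is not None


def type3_subject_hit(raw_subject: str) -> bool:
    """raw_subject is the header value as $rheader_Subject: shows it, with
    its leading space.  Mirrors the two conditions: raw value starts with
    ' =?utf-8?', and the RFC 2047-decoded value starts with (▲)CJK."""
    if not re.match(r" =\?utf-8\?", raw_subject):
        return False
    decoded = str(make_header(decode_header(raw_subject)))
    return TYPE3_RE.match(decoded.encode("utf-8")) is not None


def covered_codepoints(limit: int = 0x10000) -> tuple:
    """Enumerate which code points CJK_LEAD selects, over U+0080..limit-1.
    Returns (lowest, highest, contiguous); this shows the byte ranges in the
    post are exactly U+4E00..U+9FFF, so kanji text matches too, kana does not."""
    hits = [cp for cp in range(0x80, limit)
            if not 0xD800 <= cp <= 0xDFFF          # surrogates: not encodable
            and re.match(CJK_LEAD, chr(cp).encode("utf-8"))]
    contiguous = hits == list(range(hits[0], hits[-1] + 1))
    return hits[0], hits[-1], contiguous


# Constructed sample parts (UTF-8, as Exim hands the decoded part to mime_regex)
CHINESE_BODY = "Dear Sir,\n我们 公司 提供 优惠 价格\nhttp://example.invalid\n".encode()
ENGLISH_BODY = b"Dear Sir,\nwe offer discounted prices\nhttp://example.invalid\n"
KANA_BODY = "こんにちは ありがとう さようなら\n".encode()   # kana only, lead byte e3
SHORT_BODY = "Hi 你好\n".encode()                       # fewer than 3 repeats

if __name__ == "__main__":
    for name, body in [("chinese", CHINESE_BODY), ("english", ENGLISH_BODY),
                       ("kana", KANA_BODY), ("short", SHORT_BODY)]:
        print(name, type2_body_hit(body, "text/plain", "UTF-8"))
    print("subject", type3_subject_hit(" =?utf-8?B?4pay5LyY5oOg?="))  # "▲优惠"
    print("range", covered_codepoints())
```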


Re: [exim] Choosing the outbound IP address according to a Database query.

2018-03-13 Thread Lena--- via Exim-users
> From: Mark Elkins

> Problem: I have users either with weak passwords or whom give away their
> passwords...
> 
> Result: Spammers have their "information" so can use my relay mail
> server to send spam on my clients behalf to many other people. If it
> bounces - then the client has a full mail box quite quickly. Worse - the
> IP address of the machine gets blacklisted.

Use this: https://github.com/Exim/exim/wiki/BlockCracking



Re: [exim] Can't register in bugs.exim.org

2018-01-06 Thread Lena--- via Exim-users
> From: Max Kostikov 

> Tried few times but received nothing in email.

I requested password reset, got in my log:

2018-01-06 15:40:57 +0200 131.111.8.88 whitelisted in list.dnswl.org=127.0.11.2
2018-01-06 15:40:57 +0200 SMTP connection from hummus.csx.cam.ac.uk 
[131.111.8.88] I=[212.109.198.40]:25 lost while reading message data (header)




Re: [exim] Count only rejected connections

2017-12-31 Thread Lena--- via Exim-users
> From: Sebastian Arcus

> drop   message  = Invalid HELO/EHLO
> condition= ${if eq{$received_port}{25}}
> condition= ${if match{$sender_helo_name}{.+\\\..+\\\..+} \
>{no}{yes}}

Some legitimate senders can have a hostname and HELO with one dot,
like example.com.

I block EHLO ylmf-pc (a signature of Cutwail/Pushdo bot) at first sight:

WARNTO = ab...@example.com
# change this to your email address
SHELL = /bin/sh
IPNOTIF = echo Subject: blocked $sender_host_address $dnslist_text \
  ${sg{${lookup dnsdb{>, defer_never,ptr=$sender_host_address}}}{\N[^\w.,-]\N}{}}; \
  echo; echo for bruteforce auth cracking attempt.;
begin acl
acl_check_helo:
  drop  message = Cutwail/PushDo bot blacklisted
condition = ${if eq{$sender_helo_name}{ylmf-pc}}
acl = setdnslisttext
continue = ${run{SHELL -c "echo $sender_host_address \
   >>$spool_directory/blocked_IPs; \
   \N{\N IPNOTIF \N}\N | $exim_path -f root WARNTO"}}
# if this bot is dropped at helo, it repeats multiple times,
# but if dropped at connect, it tries only twice

  accept

setdnslisttext:
  accept dnslists = zz.countries.nerd.dk

  accept

acl_check_connect:
  drop  message = $sender_host_address locally blacklisted for a bruteforce \
  auth (username+password) cracking attempt
condition = ${if exists{$spool_directory/blocked_IPs}}
condition = ${lookup{$sender_host_address}iplsearch\
 {/var/..$spool_directory/blocked_IPs}{1}{0}}
# Another path to the same file in order to circumvent lookup caching.

  accept




Re: [exim] Some mails are queued, other are sent immediately

2017-12-27 Thread Lena--- via Exim-users
> From: Jeremy Harris

> Could you do that with debug enabled?

Using csh, I redirected the debug output (-bd -q10m -d+all) to a file with >&
(both stdout and stderr to the same file,
so some log lines might be broken and interspersed because of buffering).
The file (compressed with bzip2) can be downloaded from
drive.google.com/file/d/1wWbpVZ_4ob4KvMu57Y-oBS3A3xgyfbSi/view
That debug log covers several messages; only the last one was queued,
then a bounce/DSN. I deleted all files from /var/spool/exim/db
just before sending the queued message.

I see:

15:08:34  6101 already connected to mta7.am0.yahoodns.net [98.137.159.27] (on 
fd 0)
15:08:34  6101 all IP addresses skipped or deferred at least one address

But I don't understand why.
Recipient callout verification was successful (OK reply to RCPT)
and the connection was held (use_sender,hold), so why was the message queued?
During the subsequent queue run, the message was rejected after end of data
(recipient email address inactive).



Re: [exim] Some mails are queued, other are sent immediately

2017-12-25 Thread Lena--- via Exim-users
P.S.  A way to reproduce (not every time, but often):
delete all files in /var/spool/exim/db , restart Exim with a HUP signal,
send a message to   @ yahoo.com . After the message is received (with auth)
by Exim, while it is waiting in the queue (for an unknown reason):

-rw-r-  1 mailnull mail   16384 Dec 25 18:25 callout
-rw-r-  1 mailnull mail   0 Dec 25 18:25 callout.lockfile
-rw-r-  1 mailnull mail   0 Dec 25 18:25 retry.lockfile
-rw-r-  1 mailnull mail   16384 Dec 25 18:25 wait-throttled_smtp
-rw-r-  1 mailnull mail   0 Dec 25 18:25 wait-throttl~mtp.lockfile

root@lena:/root# exim_dumpdb /var/spool/exim wait-throttled_smtp
mta6.am0.yahoodns.net 1eTWxP-000Kok-PE
mta5.am0.yahoodns.net 1eTWxP-000Kok-PE
mta7.am0.yahoodns.net 1eTWxP-000Kok-PE
root@lena:/root# exim_dumpdb /var/spool/exim callout
25-Dec-2017 19:54:35 yahoo.com callout=accept postmaster=unknown random=unknown
25-Dec-2017 19:54:35 lena_kiev @ yahoo.com/ callout=accept
root@lena:/root# host yahoo.com
yahoo.com has address 206.190.39.42
yahoo.com has address 98.139.180.180
yahoo.com has address 98.138.252.38
yahoo.com has IPv6 address 2001:4998:44:204::100d
yahoo.com has IPv6 address 2001:4998:c:e33::53
yahoo.com has IPv6 address 2001:4998:58:2201::73
yahoo.com mail is handled by 1 mta5.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta6.am0.yahoodns.net.
yahoo.com mail is handled by 1 mta7.am0.yahoodns.net.
root@lena:/root# exim -bV
Exim version 4.90 #0 (FreeBSD 6.3) built 24-Dec-2017 20:40:09
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Probably Berkeley DB version 1.8x (native mode)
Support for: crypteq iconv() use_setclassresources PAM Expand_dlfunc OpenSSL 
Content_Scanning DKIM
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz 
dnsdb
Authenticators: plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /usr/local/etc/exim/configure.lena

(I inserted blanks around @ in email addresses so that they are readable
in mailing list archives).
The transport:

throttled_smtp:
  driver = smtp
  serialize_hosts = *
  dkim_domain = 
  dkim_selector = 3
  dkim_private_key = /usr/local/etc/exim/dkim3.key
  connection_max_messages = 5
  max_rcpt = 9
  retry_use_local_part
  hosts_avoid_pipelining = *
  hosts_try_chunking =




Re: [exim] Some mails are queued, other are sent immediately

2017-12-25 Thread Lena--- via Exim-users
> >> I noticed that some emails are sent immediately
> >> (what I prefer), while other are queued (introducing useless delay)

Same here. Exim 4.90 under FreeBSD 6 on a VPS,

root@lena:/root# exim -bP log_selector
log_selector = +smtp_confirmation +queue_time +queue_time_overall +deliver_time 
-retry_defer +smtp_incomplete_transaction +smtp_no_mail +incoming_interface
root@lena:/root#

The first message was rejected by the recipient MTA after end of data
(I don't know whether it's relevant):

2017-12-25 06:26:19 +0200 1eTKLB-00025a-NK <= Lena @ lena.kiev.ua 
H=ip-1c*0.rusano*ka-net.kiev.ua (bedside.lena.kiev.ua) [94.2*4.28.208] 
I=[212.109.198.40]:5225 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 
CV=no A=plain: S=1088 id=20171225042614.GA908 @ lena.kiev
2017-12-25 06:26:22 +0200 1eTKLB-00025a-NK **  @ yahoo.com 
R=remote_domains_throttled T=throttled_smtp H=mta6.am0.yahoodns.net 
[98.137.159.24] I=[212.109.198.40] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 
CV=no: SMTP error from remote mail server after end of data: 554 delivery 
error: dd Requested mail action aborted - mta4090.mail.ne1.yahoo.com
2017-12-25 06:26:22 +0200 1eTKLG-00025m-MR <= <> R=1eTKLB-00025a-NK U=mailnull 
P=local S=2535
2017-12-25 06:26:22 +0200 1eTKLB-00025a-NK Completed QT=5s
2017-12-25 06:26:23 +0200 1eTKLG-00025m-MR => lena  
R=localuser T=local_delivery QT=0s DT=0s
2017-12-25 06:26:23 +0200 1eTKLG-00025m-MR => |/home/cgi/data/nokia.pl (Lena @ 
lena.kiev.ua)  R=aliases T=address_pipe QT=0s DT=0s
2017-12-25 06:26:23 +0200 1eTKLG-00025m-MR Completed QT=0s

The second message to the same recipient domain (but another local_part)
was delayed by Exim until the next queue run; I don't understand why:

2017-12-25 06:27:57 +0200 1eTKMn-00027D-BW <= Lena @ lena.kiev.ua 
H=ip-1*d0.rusan*vka-net.kiev.ua (bedside.lena.kiev.ua) [94.244.28.2*8] 
I=[212.109.198.40]:5225 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 
CV=no A=plain: S=1092 id=20171225042754.GB908 @ lena.kiev
2017-12-25 06:34:46 +0200 Start queue run: pid=8699
2017-12-25 06:34:50 +0200 1eTKMn-00027D-BW => lena_kiev @ yahoo.com 
R=remote_domains_throttled T=throttled_smtp H=mta7.am0.yahoodns.net 
[67.195.229.59] I=[212.109.198.40] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 
CV=yes C="250 ok dirdel" QT=6m53s DT=3s
2017-12-25 06:34:50 +0200 1eTKMn-00027D-BW Completed QT=6m53s
2017-12-25 06:34:50 +0200 End queue run: pid=8699

In the header of the second (delayed) message as received by Yahoo Mail:

Received: from 127.0.0.1  (EHLO lena.kiev.ua) (212.109.198.40)
  by mta4181.mail.gq1.yahoo.com with SMTPS; Mon, 25 Dec 2017 04:34:48 +
DKIM-Signature: 
Received: from ip-1*d0.rusa*ovka-net.kiev.ua ([94.2*4.28.208] 
helo=bedside.lena.kiev.ua)
by lena.kiev.ua with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
(Exim 4.90 (FreeBSD))
(envelope-from )
id 1eTKMn-00027D-BW
for lena_kiev @ yahoo.com; Mon, 25 Dec 2017 06:27:57 +0200

I tried once to reproduce, unsuccessfully
(the second message was sent immediately).

In rcpt ACL I use
  verify = recipient/defer_ok/callout=10s,defer_ok,use_sender,hold



Re: [exim] How to limit the number of emails sent by each user

2017-12-19 Thread Lena--- via Exim-users
> From: Sebastian Nielsen

> I would suggest using an config that restricts authenticated users to
> a specific IP range. Then no bots from china can successfully guess a
> account.

I restrict authenticated users to a non-standard port (neither 25, 465 nor 587):

daemon_smtp_ports = 25 : 1234

 accept authenticated = *
condition = ${if !={$received_port}{25}}
control = submission/domain=

If bots aren't blocked, they waste connection time and RAM, in effect like a DoS.
This https://github.com/Exim/exim/wiki/BlockCracking blocks bots from both
wasting resources and spamming.

> That will prevent accounts from being hacked and used in spamming

Passwords mostly are stolen with Windows malware or phishing.



Re: [exim] How to limit the number of emails sent by each user

2017-12-18 Thread Lena--- via Exim-users
> From: "Ronaldo Luiz de Carvalho"

> how to limit the number of emails sent by each user?
> 
> I use WHM and I can limit by a domain account, but into a domain I want to
> set limit to a specific account.

Usually such limits are in order to catch spammers.
But the limits are either low and inconvenient for honest users
or high and allow spam to trickle through.
There is another approach to rate limiting in order to catch spammers:
https://github.com/Exim/exim/wiki/BlockCracking



Re: [exim] redirect suspicious messages to special postmaster accounts

2017-11-29 Thread Lena--- via Exim-users
> From: Emanuel Gonzalez

> I have an idea to avoid sending spam from my server. Is it possible
> to create a rule so that when it is sent to a recipient, the mail
> is discarded and an alert arrives by email?

This code sends an alert by email:
https://github.com/Exim/exim/wiki/BlockCracking




Re: [exim] getting exim metrics? (using TICK?)

2017-11-04 Thread Lena--- via Exim-users
> From: Patrick von der Hagen

> anomaly detection (like an authenticated sender suddenly causing dozens 
> of bounces a minute, great indicator for compromised accounts)

Automatic detection (by bounce rate) and blocking of compromised accounts
entirely within Exim without external monitoring:
https://github.com/Exim/exim/wiki/BlockCracking



Re: [exim] Fwd: Rate-limit queue-processing per domain

2017-10-21 Thread Lena--- via Exim-users
P.P.S. Add to the router:

 domains = ! +local_domains




Re: [exim] Fwd: Rate-limit queue-processing per domain

2017-10-21 Thread Lena--- via Exim-users
P.S. Below is a corrected version, because a message can have several recipients.

> From: Charlie Elgholm

> Then one might suggest that the ratelimit-condition perhaps should be
> implemented for the routers as well.. Then we could do
> 
> ratelimit = 100 / 1h /  / $domain

The  ${acl  string expansion item works in authenticators.
You can try to use it (or "acl" expansion condition) in routers.
Something like this:


begin acl
throttle:
  accept set acl_m_mxlist = ${lookup dnsdb{>: mxh=$acl_arg1}}
 condition = ${if forany{$acl_m_mxlist}\
   {match_domain{$item}{*.google.com}}}
 condition = ${if >{${eval10:$tod_epoch-0$acl_m_gmail}}{50}}
 set acl_m_gmail = $tod_epoch
 ratelimit = 100 / 1h / per_cmd / gmail
 message = :defer:

  accept condition = ${if forany{$acl_m_mxlist}\
   {match_domain{$item}{*.hotmail.com:*.outlook.com}}}
 condition = ${if >{${eval10:$tod_epoch-0$acl_m_ms}}{50}}
 set acl_m_ms = $tod_epoch
 ratelimit = 100 / 1h / per_cmd / ms
 message = :defer:

  accept
...
begin routers
...
throttled_mx:
 driver = redirect
 allow_defer
 no_verify
 data = ${acl{throttle}{$domain}}


If this works then please post your modifications to this.



Re: [exim] Fwd: Rate-limit queue-processing per domain

2017-10-21 Thread Lena--- via Exim-users
> From: Charlie Elgholm

> Then one might suggest that the ratelimit-condition perhaps should be
> implemented for the routers as well.. Then we could do
> 
> ratelimit = 100 / 1h /  / $domain

The  ${acl  string expansion item works in authenticators.
You can try to use it (or "acl" expansion condition) in routers.
Something like this:


begin acl
throttle:
  warn condition = ${if !def:acl_m_throttler}
   condition = ${if !def:acl_m_mxlist}
   set acl_m_mxlist = ${lookup dnsdb{>: mxh=$acl_arg1}}

  warn condition = ${if !def:acl_m_throttler}
   set acl_m_throttler = ${if forany{$acl_m_mxlist}\
   {match_domain{$item}{*.google.com}}{google}}

  warn condition = ${if !def:acl_m_throttler}
   set acl_m_throttler = ${if forany{$acl_m_mxlist}\
   {match_domain{$item}{*.hotmail.com:*.outlook.com}}{ms}}

  accept condition = ${if !def:acl_m_throttler}

  accept ratelimit = 100 / 1h / per_cmd / strict / throttler-$acl_m_throttler
 message = :defer:

  accept
...
begin routers
...
throttled_mx:
 driver = redirect
 allow_defer
 no_verify
 data = ${acl{throttle}{$domain}}


If this works then please post your modifications to this.



Re: [exim] an antivirus for zero-day :)

2017-09-29 Thread Lena--- via Exim-users
One more correction:

   set acl_m_ud = ${sg{$mime_decoded_filename}{[^/]+\$}{}}
   condition = ${run{SHELL -c \
 "cd $acl_m_ud; \
  P7ZIP x -y $mime_decoded_filename; \
  GREP -r -a -s -E \
   'rundll32|This program cannot be run in DOS mode|\
This program must be run under|Embedded Object|\
WScript\\.Sh|Shell\\.Application|Location: file:' \
   $acl_m_ud >/dev/null"}{1}{0}}




Re: [exim] an antivirus for zero-day :)

2017-09-28 Thread Lena--- via Exim-users
Correction:

   condition = ${run{SHELL -c \
 "cd ${sg{$mime_decoded_filename}{[^/]+\\$}{}}; \
  P7ZIP x -y $mime_decoded_filename; \
  GREP -r -a -s -E \
   'rundll32|This program cannot be run in DOS mode' \
   *"}{1}{0}}




[exim] an antivirus for zero-day :)

2017-09-28 Thread Lena--- via Exim-users
> From: Paul Lenz 

> > > I wrote a plugin for Spamassassin which unzips every attachement and
> > > (IMHO very important) unzips every MS Office file (xlsx, xlsm, docx) and
> > > looks for strings like "rundll32" or "This program cannot be run in DOS
> > > mode" and some others.

Which exactly others?

> > Good idea (about Office files). Perhaps I can replicate this
> > in Exim without SpamAssassin if you send me your code or a link to it.
> 
> How can you use my code? It is written im Perl. As I understand you, you 
> can write only rules for Exim, but you can not write executable code, 
> can you?

Exim has ${run expansion item.

The part about Office files not tested:

P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
GREP = /usr/bin/grep
SHELL = /bin/sh
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious: exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
check_rfc2047_length = false
acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
  deny message = BINFORBIDDEN
   log_message = forbidden attachment: filename=$mime_filename, \
 content-type=$mime_content_type, recipients=$recipients
   condition = ${if or{\
{match{$mime_content_type}\
  {(?i)executable|application/x-ace-compressed}}\
{match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
  }}

  deny message = Compressed BINFORBIDDEN
   condition = ${if or{\
   {match{$mime_content_type}{(?i)application/\
 (octet-stream|x(-zip)?-compressed|zip)}}\
   {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
  }}
   condition = ${if <{$message_size}{1500K}}
   decode = default
   log_message = forbidden binary in attachment: filename=$mime_filename, \
 recipients=$recipients
   condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
 {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

  deny message = Windows-executable inside an Office file attachment
   condition = ${if or{\
 {match{$mime_content_type}{(?i)openxmlformats-officedocument}}\
 {match{$mime_filename}{\N(?i)\.(doc|xls|ppt)(x|m)$\N}}\
  }}
   decode = default
   log_message = forbidden binary in Office file attachment: \
 filename=$mime_filename, recipients=$recipients
   condition = ${if eq{$run{SHELL -c \
 "cd ${sg{$mime_decoded_filename}{[^/]+\\$}{}}; \
  P7ZIP x -y $mime_decoded_filename; \
  GREP -r -a -s -E \
   'rundll32|This program cannot be run in DOS mode' \
   *"}{1}{0}}{1}}

  accept


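
An added Python mirror of the three attachment rules posted above, with the marker list extended as in the two corrections that followed (example code, not the original poster's ACL): it uses the standard zipfile module where the ACL shells out to 7z and grep, so only zip-based containers are inspected, and the unpacked-size cap and all sample attachments are constructed for the example.

```python
"""Offline mirror of the attachment rules in the posted acl_check_mime
(WINBIN/COMPREXT filename check, forbidden names inside an archive, marker
strings inside an Office file) including the marker list from the two
corrections.  Added example, not the original poster's ACL: it uses Python's
zipfile where the ACL shells out to 7z and grep, so only zip containers are
inspected; the unpacked-size cap and all sample attachments are constructed."""
import io
import re
import zipfile
from typing import Optional

WINBIN = r"exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace"
COMPREXT = r"zip|rar|7z|arj|bz2|gz|uue|xz|z"
# $mime_filename rule from the post: .exe, .exe.zip, .exe.zip.gz, ...
WINBIN_NAME_RE = re.compile(rf"(?i)\.({WINBIN})(\.({COMPREXT}))*$")
ARCHIVE_NAME_RE = re.compile(rf"(?i)\.({COMPREXT})$")
ARCHIVE_TYPE_RE = re.compile(r"(?i)application/(octet-stream|x(-zip)?-compressed|zip)")
# stands in for the "7z l" listing regex: forbidden binary or nested archive
INNER_NAME_RE = re.compile(rf"(?i)\.({COMPREXT}|{WINBIN})$")
OFFICE_NAME_RE = re.compile(r"(?i)\.(doc|xls|ppt)(x|m)$")
# strings the grep looks for (original post plus the "one more correction")
MARKERS = [b"rundll32", b"This program cannot be run in DOS mode",
           b"This program must be run under", b"Embedded Object",
           b"WScript.Sh", b"Shell.Application", b"Location: file:"]
MAX_UNPACKED = 1500 * 1024   # constructed cap; the ACL guards on $message_size


def check_attachment(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Return the deny message the part would get, or None if it passes."""
    if WINBIN_NAME_RE.search(filename) or re.search(
            r"(?i)executable|application/x-ace-compressed", content_type):
        return "Windows-executable attachments forbidden"
    is_archive = bool(ARCHIVE_NAME_RE.search(filename) or ARCHIVE_TYPE_RE.search(content_type))
    is_office = bool(OFFICE_NAME_RE.search(filename)
                     or "openxmlformats-officedocument" in content_type.lower())
    if not (is_archive or is_office) or not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # declared sizes are checked before anything is inflated (zip bombs)
        if sum(i.file_size for i in infos) > MAX_UNPACKED:
            return "archive too large to scan"
        if is_archive and any(INNER_NAME_RE.search(i.filename) for i in infos):
            return "Compressed Windows-executable attachments forbidden"
        if is_office:
            for info in infos:
                blob = zf.read(info)
                if any(marker in blob for marker in MARKERS):
                    return "Windows-executable inside an Office file attachment"
    return None


def _zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed samples.  FAKE_PE_STUB is only the DOS-stub text, not a program.
FAKE_PE_STUB = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n$"
OOXML = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"
CLEAN_DOCX = _zip({"[Content_Types].xml": b"<Types/>",
                   "word/document.xml": b"<w:document/>"})
EVIL_DOCX = _zip({"[Content_Types].xml": b"<Types/>",
                  "word/document.xml": b"<w:document/>",
                  "word/embeddings/oleObject1.bin": FAKE_PE_STUB})
EVIL_ZIP = _zip({"invoice.pdf.exe": FAKE_PE_STUB})

if __name__ == "__main__":
    for args in [("setup.exe", "application/octet-stream", b"MZ"),
                 ("setup.exe.zip", "application/zip", EVIL_ZIP),
                 ("invoice.zip", "application/zip", EVIL_ZIP),
                 ("report.docx", OOXML, CLEAN_DOCX),
                 ("report.docx", OOXML, EVIL_DOCX),
                 ("photo.jpg", "image/jpeg", b"\xff\xd8\xff")]:
        print(args[0], "->", check_attachment(*args))
```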


Re: [exim] Exim4 skips SpamAssassin if attachments are too big

2017-09-17 Thread Lena--- via Exim-users
> From: Paul Lenz 

> The mentioned text "Loteria" was clearly visible in the body, because it 
> was attached as
> Content-Type: text/plain; charset="Windows-1251"
> Content-Transfer-Encoding: 7bit

Connect to your server using SSH and give the command:

exim -bP acl_smtp_data

In your case it must say:

acl_smtp_data = check_message

If it says something else then it's the reason why this in your config
didn't work:

#!!# ACL that is used after the DATA command
check_message:
deny senders = /etc/exim4/blockeddoms

discard message = "Loteria in message body"
!senders   = :
condition  = ${if match{${lc:$message_body}}{loteria|lottery}{yes}{no}}

> Anyway I will try your code

An afterthought: better with \b instead of \s

> Why do you want to reject spam?

Sometimes your rules will make mistakes (called "false positives"),
treating an honest message as spam. If spam is rejected then
the human sender knows about that and sees what you wrote in "message".

> Isn't it a waste of traffic

"deny" in RCPT causes less traffic (message body isn't transmitted).
"deny" in DATA or MIME - no difference in traffic,
only what you wrote in "message" is transmitted.

> and may 
> cause useless bounces?

"deny" in ACL doesn't cause your Exim to send a separate letter
called a "bounce". Your Exim refuses to accept the message.
The sending server may create a bounce, but it's helpful in case of
a false positive.

> 2. I would prefer to use my director which simply moves spam detected by 
> SpamAssassin into a waste bin:

Is the "waste bin" a folder you look at once a day or so?
My Exim either accepts a message into Inbox or rejects what it considers spam,
with few exceptions (I seldom use "discard"). I don't use SpamAssassin,
my VPS with Exim (and a web-server) has only 64M RAM.

> spamkill_director:
>driver = accept
>check_local_user
>condition = "${if def:h_X-Spam-Flag: {1}{0}}"
>transport = spamkill
>no_verify
> 
> How can I set this flag instead of denying a message if "loteria" was 
> detected?

You can set an "acl_m_" variable and check it in that router.

> I had a look on you file "Lena-eximconf-run.txt".
> I wonder how this set of rules can detect viruses.

Currently it checks only what is mentioned in WINBIN and COMPREXT.

> I wrote a plugin for Spamassassin which unzips every attachement and 
> (IMHO very important) unzips every MS Office file (xlsx, xlsm, docx) and 
> looks for strings like "rundll32" or "This program cannot be run in DOS 
> mode" and some others.

Good idea (about Office files). Perhaps I can replicate this
in Exim without SpamAssassin if you send me your code or a link to it.



Re: [exim] Exim4 skips SpamAssassin if attachments are too big

2017-09-03 Thread Lena--- via Exim-users
> From: Paul Lenz

> Today I received again an 1,3 MB message with Lottery spam.
> In the body is clearly to be seen "ONLINE LOTTERY DEPARTMENT".

What you see as the message body is not the same as what Exim considers
the message body. You see a text/html or text/plain part;
for Exim the message body is all parts (encoded) and their separators.
Use something like "View Source" in your mail client (MUA)
to look at what Exim considers the message body.

> discard message = "Loteria in message body"
> !senders   = :
> condition  = ${if match {${lc:$message_body}} 
> {loteria|lottery}{yes}{no}}

acl_smtp_mime = acl_check_mime
begin acl
acl_check_mime:
  deny  message = rejected as spam because of forbidden word in body
condition = ${if match{$mime_content_type}{text/}}
mime_regex = \N(?i)\s(loteria|lottery)\s

  accept

Some other examples: http://lena.kiev.ua/Lena-eximconf-run.txt



Re: [exim] PLAIN authenticator that checks against two data sources

2017-08-10 Thread Lena--- via Exim-users
> From: Mike Brudenell

> I think I'll quit worrying, leave the setup
> as-is with a deferral response to the AUTH, and move on.
> 
> This all came about because I was starting to look at rate limiting failed
> attempts to AUTH along these lines
> .
> (Although I have my suspicions as to whether it will work as the author of
> that post says after a failed authentication attempt Exim will go straight
> to the check_quit or check_not_quit ACLs, whereas I see it happily letting
> the client try to authenticate again down the same connection. I'll keep
> playing.

This catches multiple auth attempts in the same connection too:
https://github.com/Exim/exim/wiki/BlockCracking



Re: [exim] Retiring old build targets

2017-07-26 Thread Lena--- via Exim-users
> Given the resounding silence from volunteers, I'm tempted to retire
> in the next release _everything_ apart from the current set of
> representatives in the buildfarm.
> 
> That would be: Linux, OpenBSD, FreeBSD, SunOS5.

Perhaps keep DragonFly and Darwin, but unmaintained and unchanged,
they patch as needed.



Re: [exim] Rewriting envelope from to header From

2017-07-12 Thread Lena--- via Exim-users
> From: Frank Richter

> I'd like to rewrite envelope from "apache@*.mydomain" to the address in 
> header From.
> I tried it according to https://github.com/Exim/exim/wiki/Q0801 with this 
> rewrite rule:
> 
> apache@*.mydomain ${sg{$h_from:}{^.*<(.*)>}{\$1}}  Ffrs

According to
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-address_rewriting.html
(untested):

apache@*.mydomain ${address:$rh_from:} F

I suspect that the wiki page is wrong, but I'm not sure.



Re: [exim] recipient verification callout with defer_ok fails on greylisted server with error code 450

2017-07-06 Thread Lena--- via Exim-users
> From: "Dr. Volker Jaenisch"

> verify = recipient/callout=2m,defer_ok,use_sender

I specify "defer_ok" twice in different places:

verify = recipient/defer_ok/callout=10s,defer_ok,use_sender



Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-29 Thread Lena--- via Exim-users
> The Reply-To: header takes an address-list and is interpreted as such,
> and IIRC used in that way by some mail-clients when subscribed to
> mailing-lists but wanting personal copies of replies too.  So the `rt:`
> ACL is going to calculate something which will emit bogus queries to an
> external service.

I tested with `exim -be`. If Reply-To contains more than one address,
then ${address:...} expands into an empty string, and the ${if def:...}
causes the code not to query anything:

rt:
  warn  set acl_m_rt = ${sg{${lc:${address:$header_Reply-To:}}}{\\+.*@}{@}}
        condition = ${if match{$acl_m_rt}{@gmail.com}}
        set acl_m_rt = ${sg{${local_part:$acl_m_rt}}{\\.}{}}@gmail.com

  deny  condition = ${if def:acl_m_rt}
        condition = ${lookup{${domain:$acl_m_rt}}nwildlsearch\
                     {MLDOMAINS}{0}{1}}
        dnslists = ebl.msbl.org/${sha1:$acl_m_rt}
        log_message = Reply-To: $header_Reply-To: in EBL: $dnslist_text \
                      From: $header_From:, envelope-from $sender_address, \
                      recipients=$recipients, Subject: $header_Subject:
        message = spam detected
        # 419 (Nigerian) scams often sent by humans, do not tell them
        # that the spam was detected with EBL http://msbl.org

  accept


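An added example in Python (not part of the original post or of the EBL project) that reproduces the address normalisation the rt: ACL above performs before the EBL lookup; the sample Reply-To values and the ML_DOMAINS stand-in for MLDOMAINS are constructed:

```python
import hashlib
import re
from email.utils import getaddresses

# Stand-in for the MLDOMAINS list (constructed, not from the post):
# mailing-list domains whose Reply-To is never queried.
ML_DOMAINS = {"lists.example.org"}

# Constructed sample Reply-To header values.
SAMPLE_REPLY_TO = {
    "gmail_tagged": "Some One <So.me.One+promo@Gmail.com>",
    "two_addresses": "a@example.org, b@example.org",
    "plain": "Reply Here <victim.reply+x@example.net>",
    "list": "Exim Users <exim-users@lists.example.org>",
}


def extract_single_address(header_value):
    """Mimic ${address:...}: the bare address when the header holds
    exactly one, otherwise '' (as the post observed for two addresses)."""
    addrs = [a for _, a in getaddresses([header_value]) if a]
    return addrs[0] if len(addrs) == 1 else ""


def normalise_reply_to(header_value):
    """Apply the ACL's rewrites: ${lc:}, strip '+tag' before '@', and for
    gmail.com also drop the dots in the local part."""
    addr = extract_single_address(header_value).lower()
    if not addr:
        return ""
    addr = re.sub(r"\+.*@", "@", addr)           # ${sg{...}{\+.*@}{@}}
    if addr.endswith("@gmail.com"):
        local = addr[: addr.rindex("@")]          # ${local_part:...}
        addr = local.replace(".", "") + "@gmail.com"
    return addr


def ebl_query_name(header_value, zone="ebl.msbl.org"):
    """Return the DNSBL name the ACL would look up (sha1 hex of the
    normalised address, as in dnslists = ebl.msbl.org/${sha1:...}),
    or None when the deny verb would not query at all."""
    addr = normalise_reply_to(header_value)
    if not addr:                                  # ${if def:acl_m_rt}
        return None
    if addr.split("@", 1)[1] in ML_DOMAINS:       # MLDOMAINS lookup -> {0}
        return None
    return hashlib.sha1(addr.encode("utf-8")).hexdigest() + "." + zone
```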


[exim] EBL: blacklist for email addresses in Reply-To and message bodies

2017-06-28 Thread Lena--- via Exim-users
The purpose of the EBL blacklist is described on
http://msbl.org/ebl-purpose.htm

I tested EBL since October 2016, today it was declared in public beta:
https://spammers.dontlike.us/mailman/private/list/2017-June/010493.html

> The Email Blocklist has entered Beta 2, and is now open for testing by
> the public. If you have not tried the list out, please do so. We would
> love to receive your feedback, and think you will like seeing less 419
> Advance Fee Fraud and some other types of spam in your inboxes.
> 
> You can find information, instructions, and tools on the website:
> http://msbl.org/ebl-implementation.html

How to use EBL in Exim config (requires Exim version 4.87 or higher):
https://github.com/Exim/exim/wiki/EBL



Re: [exim] Using named queues

2017-05-19 Thread Lena--- via Exim-users
> From: Niels Kobschätzki

> for getting a grip on some spammers that use
> phished accounts on my system.

Please try this and tell me whether it helps:
https://github.com/Exim/exim/wiki/BlockCracking




Re: [exim] TLS error on connection to smtp.office365.com (gnutls_handshake): An unexpected TLS packet was received.

2017-04-29 Thread Lena--- via Exim-users
> I know I'm connecting to  port 587 since I specified it explicitly.  But I 
> don't understand the relevance to my problem.

Exim took the port number 465 from somewhere in its config.
465 is the TLS-on-connect port.
In some other part of config you specified 587, but Exim nevertheless
tries TLS-on-connect.
Search for "465", post relevant parts of your config.
Better entire config.



Re: [exim] TLS error on connection to smtp.office365.com (gnutls_handshake): An unexpected TLS packet was received.

2017-04-29 Thread Lena--- via Exim-users
> The exim debug logs sort of look as if it is expecting to negotiate TLS
> immediately on connection, rather than after the initial EHLO

Yes. Look where the 465 came from:

> Transport port=465 replaced by host-specific port=587



Re: [exim] Discard mail to certain recipients if the subject matches a string

2017-04-07 Thread Lena--- via Exim-users
> From: ?   

> I've tried nearly anything I could think of:
> 
> Commit by
> Commit\ by

Insert into beginning of Exim config:

check_rfc2047_length = false

> From: Jasen Betts 

> RFC2047 sec 2 and section 6 say that all encoded words 
> shall be no longer than 75 ascii characters, the one containing 
> "Commit_by" is over-length.



Re: [exim] 4.87 -> 4.88 readconf performance

2017-03-14 Thread Lena--- via Exim-users
> >> It triggers when a macro name contains the sequence /_[ODH]/.
> > 
> > Does it include $header_Date: ?
> > A workaround: $header_date:
> 
> Macro, not header.

Even comment lines are searched for /_[ODH]/.
As far as I understand, every config line is searched before parsing.
So such a line triggers creation of builtin macros:

condition = ${if match{$rheader_Date:}{\N \+0[56]00\N}}




Re: [exim] 4.87 -> 4.88 readconf performance

2017-03-13 Thread Lena--- via Exim-users
> This loop appears to be the problem.

> It triggers when a macro name contains the sequence /_[ODH]/.

Does it include $header_Date: ?
A workaround: $header_date:

> You are also correct in that when macros_create_builtin() is not
> called the startup time is greatly reduced.



Re: [exim] Ongoing email issues

2017-02-28 Thread Lena--- via Exim-users
> > FreeBSD

> If you can, please try building the exim-4_89_RC6

How to:
cd /usr/ports/distfiles/exim
fetch https://ftp.exim.org/pub/exim/exim4/test/exim-4.89_RC6.tar.bz2
cd /usr/ports/mail/exim
make clean extract
cd work
tar xof /usr/ports/distfiles/exim/exim-4.89_RC6.tar.bz2
mv exim-4.89_RC6 exim-4.89
cd ..
sed -i.bak -e 's/4.88/4.89/' Makefile
cd files
rm patch-pass-fd-to-tcpwrappers
fetch http://lena.kiev.ua/patch-pass-fd-to-tcpwrappers
cd /usr/ports/mail/exim
make all deinstall reinstall clean




Re: [exim] Lack of demime support in latest verstion + more.

2017-02-07 Thread Lena--- via Exim-users
Instead of demime and clamav:   :)

P7ZIP = /usr/local/bin/7z
# port archivers/p7zip in case of FreeBSD
BINFORBIDDEN = Windows-executable attachments forbidden
WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
# more cautious:
# exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
# WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
check_rfc2047_length = false
acl_smtp_mime = acl_check_mime

begin acl

acl_check_mime:
  deny  message = BINFORBIDDEN
        log_message = forbidden attachment: filename=$mime_filename, \
                      content-type=$mime_content_type, recipients=$recipients
        condition = ${if or{\
                      {match{$mime_content_type}\
                            {(?i)executable|application/x-ace-compressed}}\
                      {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
                    }}

  deny  message = Compressed BINFORBIDDEN
        condition = ${if or{\
                      {match{$mime_content_type}{(?i)application/\
                            (octet-stream|x(-zip)?-compressed|zip)}}\
                      {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                    }}
        condition = ${if <{$message_size}{1500K}}
        decode = default
        log_message = forbidden binary in attachment: filename=$mime_filename, \
                      recipients=$recipients
        condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
                      {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

  accept


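An added example in Python (not the original post's code) that applies the same filename and content-type patterns as the acl_check_mime ACL above and walks its verbs in order; the standard-library zipfile module stands in for the post's `7z l` listing so it runs offline, and the sample archives are constructed:

```python
import io
import re
import zipfile

# The ACL's macros, expanded into Python regexes (same alternations).
WINBIN = r"exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace"
COMPREXT = r"zip|rar|7z|arj|bz2|gz|uue|xz|z"
EXEC_CT = re.compile(r"(?i)executable|application/x-ace-compressed")
EXEC_NAME = re.compile(rf"(?i)\.({WINBIN})(\.({COMPREXT}))*$")
ARCHIVE_CT = re.compile(r"(?i)application/(octet-stream|x(-zip)?-compressed|zip)")
ARCHIVE_NAME = re.compile(rf"(?i)\.({COMPREXT})$")
FORBIDDEN_MEMBER = re.compile(rf"(?i)\.({COMPREXT}|{WINBIN})$")
MAX_SIZE = 1500 * 1024                      # ${if <{$message_size}{1500K}}

BINFORBIDDEN = "Windows-executable attachments forbidden"


def forbidden_members(archive_bytes):
    """Members whose name ends in an executable or nested-archive
    extension. zipfile stands in for the post's `7z l` listing, so only
    zip archives are inspected here (assumption, not the post's tool)."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            return [n for n in zf.namelist() if FORBIDDEN_MEMBER.search(n)]
    except zipfile.BadZipFile:
        return []


def check_mime_part(filename, content_type, data, message_size=None):
    """Walk the ACL's verbs in order; return ('deny', message) or
    ('accept', None)."""
    size = len(data) if message_size is None else message_size
    if EXEC_CT.search(content_type) or EXEC_NAME.search(filename):
        return "deny", BINFORBIDDEN
    if (ARCHIVE_CT.search(content_type) or ARCHIVE_NAME.search(filename)) \
            and size < MAX_SIZE and forbidden_members(data):
        return "deny", "Compressed " + BINFORBIDDEN
    return "accept", None


def build_sample_zip(member_names):
    """Constructed sample archive with empty members (not from the post)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"")
    return buf.getvalue()
```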