Re: [exim] Failure to deliver to Gmail

2019-06-27 Thread Viktor Dukhovni via Exim-users


> On Jun 27, 2019, at 5:58 AM, Richard Jones via Exim-users wrote:
> 
> There have been a few mails about this recently, but I don't think they
> cover my case (nor is this about my previous mail about retry times)

There was a recent thread that's an excellent match, which reported an
unexpected GnuTLS EAGAIN in Exim with TLS 1.3.

> 
> I've sent a mail sent to my gmail account which is just sat in the
> queue, attempts to other gmail accounts fail similarly. Here's the short
> version:
> 
> 10271 Connecting to gmail-smtp-in.l.google.com [2a00:1450:400c:c06::1a]:25 
> from 2a03:9800:10:6e:af5b:cd05:8290:26e8 ... 2a00:1450:400c:c06::1a in 
> hosts_try_fastopen? no (option unset)
> 10271 connected
> 10271   SMTP<< 220 mx.google.com ESMTP z18si1497282wrn.66 - gsmtp
> 10271   SMTP>> EHLO smtp.junix.systems
> 10271   SMTP<< 250-mx.google.com at your service, 
> [2a03:9800:10:6e:af5b:cd05:8290:26e8]
> 10271  250-SIZE 157286400
> 10271  250-8BITMIME
> 10271  250-STARTTLS
> 10271  250-ENHANCEDSTATUSCODES
> 10271  250-PIPELINING
> 10271  250-CHUNKING
> 10271  250 SMTPUTF8
> 10271 2a00:1450:400c:c06::1a in hosts_avoid_tls? no (option unset)
> 10271   SMTP>> STARTTLS
> 10271 TLS certificate verified: peerdn="C=US,ST=California,L=Mountain 
> View,O=Google LLC,CN=mx.google.com"
> 10271 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
> 10271   SMTP>> EHLO smtp.junix.systems
> 10271   H=gmail-smtp-in.l.google.com [2a00:1450:400c:c06::1a] TLS error on 
> connection (recv): Resource temporarily unavailable, try again.

Which is exactly this.  IIRC there's a recent Exim patch, or you
can disable TLS 1.3, or switch to Exim built with OpenSSL.

-- 
Viktor.


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

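Viktor's second option, disabling TLS 1.3 on the GnuTLS side, worked out as an added example; this is not configuration posted in the thread. It assumes an Exim linked against GnuTLS (where tls_require_ciphers on the smtp transport is a GnuTLS priority string; under an OpenSSL build the same option is an OpenSSL cipher list and does not pin protocol versions) and a transport named remote_smtp, and it confines the downgrade to the Google MX hosts that show the EAGAIN so that TLS 1.3 stays on for everyone else.

```exim
# Added example: drop TLS 1.3 only towards the hosts that trigger the
# GnuTLS EAGAIN, leave every other destination untouched.
# Assumes an Exim built with GnuTLS and a transport called remote_smtp.
remote_smtp:
  driver = smtp
  # tls_require_ciphers is expanded per delivery, so $host (the MX name
  # being connected to) can select the priority string.  NORMAL is the
  # standard GnuTLS profile; -VERS-TLS1.3 removes one protocol version
  # from it.  The \N...\N keeps the regex out of string expansion.
  tls_require_ciphers = ${if match{$host}{\N(?i)\.google\.com$\N} \
                           {NORMAL:-VERS-TLS1.3} \
                           {NORMAL}}
```

To check it, force a delivery with "exim -d -M <message-id>" and look at the "cipher:" debug line for the Google host: it should now start with TLS1.2 rather than TLS1.3 as in Richard's trace. This is a temporary workaround for a library interaction, not a hardening measure; remove it once the patched Exim is in place.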

Re: [exim] 4xx from GMAIL for fatal errors

2019-06-27 Thread Viktor Dukhovni via Exim-users
On Thu, Jun 27, 2019 at 12:51:20PM +0200, Axel Rau via Exim-users wrote:

> > On 27/06/2019 10:17, Axel Rau via Exim-users wrote:
> >> 451-4.3.0 Multiple destination domains per transaction is unsupported.
> >> or
> >> 452-4.2.2 The email account that you tried to reach is over quota.

I don't know whether Exim has a similar feature, but FWIW, Postfix has:

http://www.postfix.org/postconf.5.html#smtp_reply_filter
http://www.postfix.org/postconf.5.html#smtp_delivery_status_filter

which allow, respectively, rewriting (requires some care to not
corrupt multi-line responses) of the remote SMTP server's response,
or of the final delivery status (safer, but takes place only after
all the MX hosts have been tried).  These are power tools for
edge-cases where the remote server is in some plausible way "broken".
They should be avoided if at all possible, as they can do more harm than
good:

http://postfix.1071664.n5.nabble.com/Mails-to-gmail-bouncing-td101910.html

-- 
Viktor.



Re: [exim] error ignored

2019-06-27 Thread Jeremy Harris via Exim-users
On 26/06/2019 19:06, Lena--- via Exim-users wrote:
> P.S. How to debug delivery?
> I inserted into the beginning of rcpt ACL:
> 
>   warn  domains = tiscali.cz
> control = debug/tag=.$message_exim_id/opts=+all

I have a nasty feeling that debug enabled via this means doesn't
propagate across processes.  Another problem to hunt...

Restarting the daemon with a debug cmdline option probably
works (it'll stay in foreground, so I often "service stop;
exim -bd -d+all 2>&1 | tee mydebuglog" for a test,
then start the service again before going to look at the results).

> What is "dsn_flags"?

rfc3461 -related information for a message

#define rf_dsnlasthop   0x01  /* Do not propagate DSN any further */
#define rf_notify_never 0x02  /* NOTIFY= settings */
#define rf_notify_success   0x04
#define rf_notify_failure   0x08
#define rf_notify_delay 0x10

Foolishly, the 24 was decimal - so fail+delay notifications.
-- 
Cheers,
  Jeremy



Re: [exim] error ignored

2019-06-27 Thread Jeremy Harris via Exim-users
On 27/06/2019 09:11, Jasen Betts via Exim-users wrote:
On 2019-06-26, Lena--- via Exim-users wrote:
>> Exim 4.92 as a smarthost gets a 5xx after end of data, but doesn't send a 
>> DSN.
>> In mainlog (I redacted with asterisks and inserted blanks after @):
>>
>> 2019-06-20 18:28:19 +0300 1hdyz4-000G6A-BR <= Len*@ lena.kiev.ua 
>> H=ip-19*6.rusa*ovka-net.ki*v.ua (bedsi*e.lena.kiev.ua) [94.244.2*.38] 
>> I=[62.109.6.225]:52*5 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 
>> CV=no S=3473 RT=0s id=20190620152815.gg...@lena.kiev
>> 2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR ** doma*@ tiscali.cz 
>> R=remote_domains T=remote_smtp H=tax.virusfree.cz [212.224.105.18] 
>> I=[62.109.6.225] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error 
>> from remote mail server after end of data: 554 message refused (#5.7.1) - 
>> for more information visit https://www.virusfree.cz/cs/help
>> 2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR doma*@ tiscali.cz: error ignored
>> 2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR Completed QT=2s
>>
>> I see "error ignored" in deliver.c, but I don't understand why
>> in this simple case - a personal message with single recipient.
>> Why "error ignored"?
>> My config doesn't contain "errors_to".
>> Nothing in rejectlog, spool.
>>
>> I cannot reproduce, repeat message was accepted.
> 
> 
> usually that means that exim can't find a route for the return path, 
> the route finds a retry counter that is older than the retry limit, 
> or the route returns an explicit fail.

Certainly some form of error with the bounce resulting from 554
for 1hdyz4-000G6A-BR.  I'll see if there's any way of enhancing
that message, for future releases.

-- 
Cheers,
  Jeremy



Re: [exim] 4xx from GMAIL for fatal errors

2019-06-27 Thread Jeremy Harris via Exim-users
On 27/06/2019 11:51, Axel Rau via Exim-users wrote:
> "Temporary nature" means to me that the receiver may resolve the issue.

Correct, and I'd expect that of both of the examples you gave.

> Does google treat GOOGLEMAIL.com and gmail.com (which both appeared in
> the recipient list) as different domains?

I think so.

> Both are handled by the same MXes, so I would have to persuade my exim to 
> split by domain but by MX?
> How can this be done?

I'm not sure what you mean by "split by domain but by MX".

I use, on the transport handling my external-smtp :-

multi_domain =${if match{$host}{(?i)google.com\$} {no}{yes}}

-- 
Cheers,
  Jeremy



Re: [exim] 4xx from GMAIL for fatal errors

2019-06-27 Thread Axel Rau via Exim-users


> On 27.06.2019 at 12:00, Jeremy Harris via Exim-users wrote:
> 
> On 27/06/2019 10:17, Axel Rau via Exim-users wrote:
>> 451-4.3.0 Multiple destination domains per transaction is unsupported.
>> or
>> 452-4.2.2 The email account that you tried to reach is over quota.
> 
> You really want to override the temporary nature of the error?
> OK, your call.
> 
> Write a retry rule that matches the error code and possibly the
> destination, having a short ultimate timeout.

Thanks for the tip.

"Temporary nature" means to me that the receiver may resolve the issue.
Does google treat GOOGLEMAIL.com and gmail.com (which both appeared in
the recipient list) as different domains?
Both are handled by the same MXes, so I would have to persuade my exim to split 
by domain but by MX?
How can this be done?

Thanks, Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius



[exim] Failure to deliver to Gmail

2019-06-27 Thread Richard Jones via Exim-users
Hello all!

There have been a few mails about this recently, but I don't think they
cover my case (nor is this about my previous mail about retry times)

I've sent a mail sent to my gmail account which is just sat in the
queue, attempts to other gmail accounts fail similarly. Here's the short
version:

10271 Connecting to gmail-smtp-in.l.google.com [2a00:1450:400c:c06::1a]:25 from 
2a03:9800:10:6e:af5b:cd05:8290:26e8 ... 2a00:1450:400c:c06::1a in 
hosts_try_fastopen? no (option unset)
10271 connected
10271   SMTP<< 220 mx.google.com ESMTP z18si1497282wrn.66 - gsmtp
10271   SMTP>> EHLO smtp.junix.systems
10271   SMTP<< 250-mx.google.com at your service, 
[2a03:9800:10:6e:af5b:cd05:8290:26e8]
10271  250-SIZE 157286400
10271  250-8BITMIME
10271  250-STARTTLS
10271  250-ENHANCEDSTATUSCODES
10271  250-PIPELINING
10271  250-CHUNKING
10271  250 SMTPUTF8
10271 2a00:1450:400c:c06::1a in hosts_avoid_tls? no (option unset)
10271   SMTP>> STARTTLS
10271 TLS certificate verified: peerdn="C=US,ST=California,L=Mountain 
View,O=Google LLC,CN=mx.google.com"
10271 cipher: TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
10271   SMTP>> EHLO smtp.junix.systems
10271   H=gmail-smtp-in.l.google.com [2a00:1450:400c:c06::1a] TLS error on 
connection (recv): Resource temporarily unavailable, try again.
10271   SMTP(closed)<<
10271 tls_close(): shutting down TLS
10271 GnuTLS<3>: ASSERT: ../../lib/buffers.c[_gnutls_io_write_flush]:696
10271   SMTP(close)>>

Exim then tries the backup MXs which give various other errors
(including file not found).

Using the command line works just fine, so it's not a DNS/IP/IPv6
addressing or site issue.

I've got the full exim debug output and the full gnutls-cli output if
that's of help.

Thanks!

Richard Jones

-- 
junix.systems/privacy



Re: [exim] 4xx from GMAIL for fatal errors

2019-06-27 Thread Jeremy Harris via Exim-users
On 27/06/2019 10:17, Axel Rau via Exim-users wrote:
> 451-4.3.0 Multiple destination domains per transaction is unsupported.
> or
> 452-4.2.2 The email account that you tried to reach is over quota.

You really want to override the temporary nature of the error?
OK, your call.

Write a retry rule that matches the error code and possibly the
destination, having a short ultimate timeout.

-- 
Cheers,
  Jeremy


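Jeremy's two suggestions in this thread, the multi_domain setting on the transport and a retry rule with a short ultimate timeout, combined into one configuration as an added example (not configuration from any poster). The transport name remote_smtp, the one-hour cutoff and the 15-minute interval are assumptions; the domain names and error codes are the ones from Axel's report.

```exim
# Added example: stop triggering Google's 451-4.3.0 at the source, and give
# up quickly (bounce) on its 452-4.2.2 "over quota" instead of retrying for
# days.  Assumes a transport named remote_smtp.

# transports section
remote_smtp:
  driver = smtp
  # Google's MXs refuse a second recipient domain in one transaction, so
  # send one domain per connection to them (Jeremy's rule, with the regex
  # wrapped in \N...\N); keep the default batching for every other MX.
  multi_domain = ${if match{$host}{\N(?i)google\.com$\N}{no}{yes}}

begin retry
# pattern          error      retry parameters
# 452 on RCPT to a Google-hosted domain: retry every 15 minutes and fail
# the address once it has been deferring for an hour (the end of the last
# rule is the ultimate timeout).  Patterns are matched case-insensitively,
# so GOOGLEMAIL.com is covered.
gmail.com          rcpt_452   F,1h,15m
googlemail.com     rcpt_452   F,1h,15m
# The 451-4.3.0 "multiple destination domains" answer no longer occurs
# once multi_domain is off for Google, so nothing special is needed for
# it; everything else keeps the stock Exim retry rule.
*                  *          F,2h,15m; G,16h,1h,1.5; F,4d,6h
```

"exim -brt gmail.com rcpt_452" prints the rule Exim would select for that combination, which is the quickest way to confirm a new retry line is matched before a real deferral exercises it. The caveat Jeremy raised still stands: a 452 over-quota may clear within the hour, and with this rule the sender gets a bounce instead of a late delivery.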

[exim] 4xx from GMAIL for fatal errors

2019-06-27 Thread Axel Rau via Exim-users
Hello exim users,

a mail with 33 recipients, some of them at gmail was sitting in the queue.
The Google recipients got
451-4.3.0 Multiple destination domains per transaction is unsupported.
or
452-4.2.2 The email account that you tried to reach is over quota.

Are there any configuration recipes known to deal with that situation, i.e.,
taking the 451 and 452 from them as 5xx errors?

Thanks, Axel
---
PGP-Key: CDE74120  ☀  computing @ chaos claudius




Re: [exim] Help with AUTH DDOS

2019-06-27 Thread Jeremy Harris via Exim-users
On 27/06/2019 08:12, mixed8e--- via Exim-users wrote:
> Does Exim have a reporting mechanism where I can get connection stats?

To log the connection count, on every new connection, add
"+smtp_connection" to your log_selector.

To manually get a sample view of current activity, "exiwhat"
(this is not designed for continuous use; not for automated
stats gathering).

-- 
Cheers,
  Jeremy



Re: [exim] error ignored

2019-06-27 Thread Jasen Betts via Exim-users
On 2019-06-26, Lena--- via Exim-users wrote:
> Exim 4.92 as a smarthost gets a 5xx after end of data, but doesn't send a DSN.
> In mainlog (I redacted with asterisks and inserted blanks after @):
>
> 2019-06-20 18:28:19 +0300 1hdyz4-000G6A-BR <= Len*@ lena.kiev.ua 
> H=ip-19*6.rusa*ovka-net.ki*v.ua (bedsi*e.lena.kiev.ua) [94.244.2*.38] 
> I=[62.109.6.225]:52*5 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 
> CV=no S=3473 RT=0s id=20190620152815.gg...@lena.kiev
> 2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR ** doma*@ tiscali.cz 
> R=remote_domains T=remote_smtp H=tax.virusfree.cz [212.224.105.18] 
> I=[62.109.6.225] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error 
> from remote mail server after end of data: 554 message refused (#5.7.1) - for 
> more information visit https://www.virusfree.cz/cs/help
> 2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR doma*@ tiscali.cz: error ignored
> 2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR Completed QT=2s
>
> I see "error ignored" in deliver.c, but I don't understand why
> in this simple case - a personal message with single recipient.
> Why "error ignored"?
> My config doesn't contain "errors_to".
> Nothing in rejectlog, spool.
>
> I cannot reproduce, repeat message was accepted.


usually that means that exim can't find a route for the return path, 
the route finds a retry counter that is older than the retry limit, 
or the route returns an explicit fail.

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Help with AUTH DDOS

2019-06-27 Thread Evgeniy Berdnikov via Exim-users
On Thu, Jun 27, 2019 at 12:12:04AM -0700, mixed8e--- via Exim-users wrote:
> However, it appears that the number of connections is very reasonable.
> Does Exim have a reporting mechanism where I can get connection stats?

 With config option "log_selector=+all" lines like
 
   SMTP connection from [78.108.69.2]:48469 I=[192.168.10.12]:25 (TCP/IP
   connection count = 157)

 are written into mainlog.

> I get different numbers from ss, netstat, lsof, /proc/net/sockstat,
> /proc/net/tcp, and whatever else I've tried. Some of the numbers are not
> very similar, so I don't know what to look for. Everything except some of
> the `ss -s`numbers makes it look as though the connection count to Exim is
> quite small.

 Probably not all these sources are interpreted right. Say, /proc/net/tcp
 contains raw entries which are not human-readable; they should be
 filtered by port numbers and by flags: some connections are in ESTABLISHED
 state, some in SYN-SENT or SYN-ACK, some in TIME_WAIT, and so on.

 Number of incoming connections may be estimated as number of Exim's child
 processes under listening daemon (excluding active queue runners).

> Could the slowness be the firewall so busy with the large volume of
> attempted connections even though most are dropped? `uptime` shows a
> fairly light load on the system, not too much wait (though it does pop up
> once in a while over 20% it's mostly under 10%). The only flaw with that
> idea, why would SMTP service be particularly affected more than other
> services?

 First of all you have to check memory utilization. If your system falls
 into swapping then CPU speed does not matter. The second step should be
 a check of DNS operation and the /etc/resolv.conf contents.
-- 
 Eugene Berdnikov



Re: [exim] Help with AUTH DDOS

2019-06-27 Thread Antoine via Exim-users



On 27/06/2019 09:12, mixed8e--- via Exim-users wrote:
>> On 2019-06-24, mixed8e--- via Exim-users wrote:
>>> Hi, I have a server under a minor DDOS of AUTH guessing attacks. I
>>> installed fail2ban and tried to be conservative, allowing 50 AUTH
>>> guesses
>>> before banning an IP address. Unfortunately, the attack has too many
>>> bots
>>> and the server is under heavy load so I temporarily reduced the
>>> threshold
>>> to just a single AUTH failure before banning. I hope no users forget
>>> their
>>> passwords!
>>>
>>> It looks like fail2ban's default iptables integration does not drop
>>> connections that are already established, because I'm seeing a lot of
>>> fail2ban log lines stating "already banned" and also Exim log lines from
>>> suspect IP addresses with this:
>>>
>>> TCP/IP connection count = 161
>>>
>>> Eventually I would hope the connections will naturally drop and the ban
>>> will become more effective (empirically that seems to be happening).
>>> However, I'd like to ask for general opinions on the matter and one
>>> specific question:
>>>
>>> What would be the Exim setting to limit the number of TCP connections?
>>> Or
>>> is it a bad idea to limit connections like that?  I do know at least one
>>> group of users of this server sit behind a single IP address, so the
>>> connection count for that IP address is very high.  Does that mean I
>>> can't
>>> approach the problem from this angle? (short of whitelisting known
>>> addresses)
>> Set smtp_accept_max_nonmail lower. This may inconvenience some users a
>> little, and RSET and HELO are counted as nonmail IIRC.
>>
>> alternatively in ACL_AUTH
>>
>>   # count AUTH commands on this connection; acl_c_ variables persist
>>   # for the whole connection, so the second AUTH is dropped
>>   drop set acl_c_auth_count = ${eval: $acl_c_auth_count + 1}
>>        condition = ${if >{$acl_c_auth_count}{1}}
>>        message = "go away"
>>
>> which will allow only one attempt at auth per connect.
> Thanks Jeremy and Jasen. I've looked at some of the suggested settings but
> before I change anything I'm wondering if anyone can help me diagnose the
> situation to make sure I'm making changes that will have the needed
> effect.
>
> My fail2ban jail has banned thousands and thousands of IP addresses, but
> the system is still slow. There are two effects:
> 1. overall slowness of the machine, from ssh access, or loading web pages
> 2. SMTP service is the most affected, most slow (sometimes sending will
> time out)
>
> However, it appears that the number of connections is very reasonable.
> Does Exim have a reporting mechanism where I can get connection stats? I
> get different numbers from ss, netstat, lsof, /proc/net/sockstat,
> /proc/net/tcp, and whatever else I've tried. Some of the numbers are not
> very similar, so I don't know what to look for. Everything except some of
> the `ss -s`numbers makes it look as though the connection count to Exim is
> quite small.
>
> Could the slowness be the firewall so busy with the large volume of
> attempted connections even though most are dropped? `uptime` shows a
> fairly light load on the system, not too much wait (though it does pop up
> once in a while over 20% it's mostly under 10%). The only flaw with that
> idea, why would SMTP service be particularly affected more than other
> services?
>
> How could I hone in on the actual problem before fiddling with config knobs?
>
> Thanks--
>
>

You can also make exim listen on a second port and advertise AUTH only
on it, using something like:

# SECOND_PORT: a macro holding the number of the extra port
server_advertise_condition = ${if and{ {def:tls_cipher} \
                                       {eq{$received_port}{SECOND_PORT}} }}

in the authentication configuration.
In this case all the AUTH attempts done on the standard port will be
rejected with the minimum of effort from your side.
And you can immediately and severely ban any such attempt using fail2ban.

The downside is that all your MUAs will have to reconfigure the port as
well.

A.



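The AUTH-hardening advice from this thread, Jeremy's connection logging, Jasen's per-connection AUTH counter, Antoine's "advertise AUTH only on a second port over TLS" and a per-host connection cap that leaves room for the group of users behind one NAT address, brought together in a single configuration as an added example (not configuration from any poster). The port numbers, the 192.0.2.10 address, the macro names, the transport of password data via /etc/exim/passwd and the cap values are all assumptions. One detail worth knowing when reading it: where AUTH was not advertised, Exim answers "503 AUTH command used when not advertised" itself, before acl_smtp_auth or any password lookup runs, and drops the connection after smtp_max_synprot_errors such errors (3 by default), which is the cheap rejection Antoine describes.

```exim
# Added example, not from any poster: Exim configuration that combines the
# thread's AUTH advice.  Ports, 192.0.2.10, macro names, /etc/exim/passwd
# and the numeric caps are assumptions.

# ---- main section -------------------------------------------------------
# Submission ports: 465 with TLS from the first byte, 587 with STARTTLS.
SUBMISSION_PORTS = 465 : 587
# The single address that a whole group of users sits behind.
OFFICE_NAT = 192.0.2.10

daemon_smtp_ports = 25 : SUBMISSION_PORTS
tls_on_connect_ports = 465

# Log "TCP/IP connection count = N" on every connection, plus the 503
# protocol errors that bots scripting AUTH on port 25 now collect, so
# fail2ban has a line to match.
log_selector = +smtp_connection +smtp_protocol_error

# Cap simultaneous connections per client address; the NAT gets more room.
smtp_accept_max_per_host = ${if match_ip{$sender_host_address}{OFFICE_NAT}{50}{5}}

acl_smtp_auth = acl_check_auth

# ---- ACLs ---------------------------------------------------------------
begin acl

acl_check_auth:
  # Jasen's per-connection counter with the comparison the right way
  # round: the first AUTH on a connection is allowed, a second one drops
  # the connection.  acl_c_ variables live for the whole connection.
  drop    set acl_c_auth_count = ${eval:$acl_c_auth_count + 1}
          condition = ${if >{$acl_c_auth_count}{1}}
          message = too many AUTH attempts on this connection
          log_message = repeated AUTH from $sender_host_address
  accept

# ---- authenticators -----------------------------------------------------
begin authenticators

plain:
  driver = plaintext
  public_name = PLAIN
  # Antoine's idea: offer AUTH only on a submission port and only once
  # TLS is up.  On port 25, or before STARTTLS, AUTH is never advertised
  # and Exim rejects it with 503 before this authenticator is consulted.
  server_advertise_condition = ${if and{ {def:tls_in_cipher} \
                                         {inlist{$received_port}{SUBMISSION_PORTS}} }}
  server_prompts = :
  # /etc/exim/passwd holds one "user: crypt(3)-hash" line per account.
  server_condition = ${lookup{$auth2}lsearch{/etc/exim/passwd} \
                       {${if crypteq{$auth3}{$value}{yes}{no}}}{no}}
  server_set_id = $auth2
```

The downside Antoine mentions remains: every MUA has to be pointed at 465 or 587. "exim -bP log_selector" and "exim -bP smtp_accept_max_per_host" show what the running binary actually took from the file, and a test session with "exim -bh 198.51.100.7" (an assumed address) lets you watch the 503 on an unadvertised AUTH and the drop on the second AUTH without touching the live daemon.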