Re: [exim] Router and transport for modifing message

2023-04-26 Thread Jasen Betts via Exim-users
On 2023-04-25, mouse via Exim-users  wrote:
> Hello. I'm using transport_filter to modify certain incomimg e-mail (for 
> example, to set proper encoding for some headers). Based on others 
> experience here is my configuration:

> My question is - is there any way to just pass e-mail through modifing 
> script *without re-injecting* email via "command = ..."?
> Basically I'd like to have the following "simple-and-clean" scheme:
>
> Incoming e-mail -> Pass to send_to_modify_email ROUTER -> Pass modified 
> e-mail to some other ROUTER for real delivery.

Do the modification instead in the real delivery transport:

  transport_filter=${if \
inlist{list_of_senders_whose_email_is_bad}{$sender_address}\
{}}

-- 
 Jasen.
  Слава Україні

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Routing failed deliveries through an ESP

2023-04-20 Thread Jasen Betts via Exim-users
On 2023-04-20, Lance Lovette via Exim-users  wrote:
>> There's a rational basis for an exception for 5xx before MAIL FROM,
>> when the target only has the connection parameters and HELO
>> name to use as a basis for rejection
>
> Unfortunately, Google, in the case of an outright IP-based block, doesn't
> reject the message until after DATA has been submitted.
>
> After wrestling with this for a few days, my solution to mitigate some
> fallout from host-based rejections is a router condition that allows me to
> easily avoid routing to problematic domains while the issue is resolved.
> (The router after this sends everything through the ESP.)
>
> FIRST_MX_HOST = ${extract{2}{ \n}{${lookup
> dnsdb{mx=$domain}{$value}}}{$value}fail}
> r_direct:
>   driver = dnslookup
>   transport = t_smtp
>   domains = ! +local_domains
>   condition = first_delivery
>   condition = ${if !eq{$return_path}{}}
>   condition = ${lookup
> {FIRST_MX_HOST}nwildlsearch{/etc/exim/force-esp-mxhosts}{false}{true}}
>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>
> Two questions for the experts:
>
> - Is there a more efficient way to achieve this?

You could put the IP addresses in ignore_target_hosts instead.

> - Does Exim have a mechanism to invoke a script with rejected messages, so
> I can either re-send the message or add the host to my force-esp-mxhosts?

You can detect rejections using event_action.

But it's not very easy to set up.

You set up event_action as an ${acl... expansion and then, in the ACL, branch
according to which event is happening.

When you detect a fake rejection you could then store the fact in a ratelimit.

The ratelimit can then be tested in the main delivery router (again via a
${acl... expansion) and a ratelimit failure used to skip that router.


Preventing the processing of the bounce is harder but you can do it by
arranging for the not-smtp ACL to return "drop" when it sees a bounce
from one of these messages - you'll probably need to pass some
details to this ACL in the headers of the bounce message so that
the ACL can know which transport is producing the error.

Detecting the rejection and setting the ratelimit could also be done
here instead I guess.


This is tying exim up in knots, it will probably be fairly fragile.

-- 
 Jasen.
  Слава Україні



Re: [exim] Wildcard CN verify error

2023-04-20 Thread Jasen Betts via Exim-users
On 2023-04-20, Jeremy Harris via Exim-users  wrote:
> On 20/04/2023 06:18, Jasen Betts via Exim-users wrote:
>> On 2023-04-18, Lance Lovette via Exim-users  wrote:
>>>> This is a name mismatch: mailgun.org != mailgun.com.
>>>
>>> Perhaps it's time for a larger font size :) I will put on my dunce cap and
>>> go sit in the corner. But shame on Mailgun for responding to .com with a
>>> .org certificate!
>>>
>>> Lance
>> 
>> Their .com is a cname pointing to the .org, so the same host is both
>> .com and .org, but their host isn't using SNI.
>
> This raises the question: should the name-check be against the CNAME-resolved
> name rather than the initial?  Both?
> I've not hunted through standards yet.

Web browsers just use the initial domain name given by the user: the resolver
is treated as a black box.

 
-- 
 Jasen.
  Слава Україні



Re: [exim] Wildcard CN verify error

2023-04-19 Thread Jasen Betts via Exim-users
On 2023-04-18, Lance Lovette via Exim-users  wrote:
> I'm getting an SSL verify error for messages delivered through my ESP :
>
> SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San
> Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"
>
> Based on Jeremy's comment in this old bug report, the wildcard CN isn't an
> issue.
>
> https://bugs.exim.org/show_bug.cgi?id=2011
>
> Is there a particular configuration option I need to set to get it to
> verify?

Use "smtp.mailgun.org" instead of "smtp.mailgun.com".

smtp.mailgun.com is a cname pointing to smtp.mailgun.org, but they
have not deployed a TLS cert for smtp.mailgun.com, only .org.

-- 
 Jasen.
  Слава Україні



Re: [exim] Wildcard CN verify error

2023-04-19 Thread Jasen Betts via Exim-users
On 2023-04-18, Lance Lovette via Exim-users  wrote:
>> This is a name mismatch: mailgun.org != mailgun.com.
>
> Perhaps it's time for a larger font size :) I will put on my dunce cap and
> go sit in the corner. But shame on Mailgun for responding to .com with a
> .org certificate!
>
> Lance

Their .com is a cname pointing to the .org, so the same host is both
.com and .org, but their host isn't using SNI.



-- 
 Jasen.
  Слава Україні



Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-16 Thread Jasen Betts via Exim-users
On 2023-04-15, Sebastian Arcus via Exim-users  wrote:
> On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
>> On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
>>> I have a number of Exim servers behind a NAT gateway (actually 
>>> connected with vpn's to a cloud vps - but I'm hoping this is not 
>>> relevant to this post). I would like the gateway to send incoming port 
>>> 25 traffic to the correct Exim server based on SNI in incoming TLS 
>>> packets - as different Exim instances serve different email domains. 
>>> The setup would look like this:
>>>
>>>    [Internet]
>>>    |
>>>    |
>>>  (smtp port 25)
>>>    |
>>>    v
>>>    |
>>>     [Cloud server]
>>>    |
>>>    v
>>>    |
>>>     
>>>     |  |   |
>>>     |  |   |
>>> [Exim server 1]    [Exim server 2]    [Exim server 3]
>>>
>>>
>>> I would have preferred to do this at IP tables level - but apparently 
>>> not really possible. It seems the next option would be HAProxy. Has 
>>> anyone here used HAProxy or run a setup as above, or know if this is 
>>> actually doable? Any suggestions much appreciated.
>>>
>> 
>> Exim does talk the inbound-proxy protocol that HAProxy apparently uses 
>> (or can use):
>> https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound
>>  
>> 
>> 
>> I can't really help on other HAProxy facilities or config though.
>> 
>> Another option for you would be to use Exim itself as the fanout element 
>> at your
>> "cloud server".  It has visibility of the SNI and could use that for 
>> routing.
>
> Thank you for the suggestions. I have considered using Exim itself as 
> the "proxy" at the front. One thing I have to figure out is SPF in 
> relation to Spamassassin. I think I would have to run Spamassassin on 
> the "proxy" Exim, as otherwise the IP address of the proxy will be added 
> to the headers during the delivery/relay process, and will probably 
> break the SPF checks in Spamassassin on the final Exim server in the 
> chain - I think?

I think you're right. Exim supports HAPROXY and, in the coming release,
XCLIENT, but (so far as I know) in both cases only as an end point,
not as an originator.


The solution to this may be ARC, where the first exim checks the SPF
and DKIM and adds a header saying if they are good or not.


-- 
 Jasen.
  Слава Україні



Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-16 Thread Jasen Betts via Exim-users
On 2023-04-15, Sebastian Arcus via Exim-users  wrote:
> I have a number of Exim servers behind a NAT gateway (actually connected 
> with vpn's to a cloud vps - but I'm hoping this is not relevant to this 
> post). I would like the gateway to send incoming port 25 traffic to the 
> correct Exim server based on SNI in incoming TLS packets - as different 
> Exim instances serve different email domains. The setup would look like 
> this:
>
>[Internet]
>|
>|
>  (smtp port 25)
>|
>v
>|
> [Cloud server]
>|
>v
>|
> 
> |  |   |
> |  |   |
> [Exim server 1][Exim server 2][Exim server 3]
>
>
> I would have preferred to do this at IP tables level - but apparently 
> not really possible. It seems the next option would be HAProxy. Has 
> anyone here used HAProxy or run a setup as above, or know if this is 
> actually doable? Any suggestions much appreciated.

The picture above is possible but does not match the description above that.

SNI won't tell you anything until some time after the client says
STARTTLS, so HAPROXY won't be able to route based on SNI, unless you
can teach it SMTP.

-- 
 Jasen.
  Слава Україні



Re: [exim] From header with encoding not parsed?

2023-04-13 Thread Jasen Betts via Exim-users
On 2023-04-12, Victor Ustugov via Exim-users  wrote:
> Slavko via Exim-users wrote on 12.04.2023 20:42:
>> Dňa 12. apríla 2023 16:50:29 UTC používateľ MRob via Exim-users 
>>  napísal:
>>> Hi, I have a variable to extract the email address in from header set like 
>>> this:
>>>
>>> ${lc:${address:$h_From:}}
>> 
>> Header is valid, but after decoding it contains comma without
>> qoutes, the comma is address separator and thus results in
>> list of two "addresses", first without valid address, thus empty...
>> 
>> Use raw header for address extracting -- $rh_From: that works
>> for both, quoted and encoded content...
>
>
> What about the colon without encoding?
>
> From: =?utf-8?Q?My=20Bizness:=20Inc.?= 

Yes, the colon breaks it. It's not a valid From header.

RFC5322 is a bit of a rabbit hole to dive into.

But the short story is none of these should be used in "bare" names

   specials        =   "(" / ")" /        ; Special characters that do
                       "<" / ">" /        ;  not appear in atext
                       "[" / "]" /
                       ":" / ";" /
                       "@" / "\" /
                       "," / "." /
                       DQUOTE

except where there is specific permission given.


Easiest fix for the sender is to use quotes.

From: "=?utf-8?Q?My=20Bizness:=20Inc.?=" 

-- 
 Jasen.
  Слава Україні
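As an added example (not code from the post or from Exim), the check below applies the RFC 5322 specials table quoted above to a decoded display name and renders the quoted form; the encoded-word input and the example.com address are constructed.

```python
"""Decide whether a From: display name must be an RFC 5322 quoted-string."""
from email.header import decode_header, make_header

# RFC 5322 section 3.2.3 "specials": characters that cannot appear in a bare
# (unquoted) display-name phrase. This is the table quoted in the reply.
SPECIALS = frozenset('()<>[]:;@\\,."')


def decode_phrase(raw_phrase: str) -> str:
    """Decode any RFC 2047 encoded words in a display-name phrase."""
    return str(make_header(decode_header(raw_phrase)))


def needs_quoting(phrase: str) -> bool:
    """True when the decoded phrase contains a special, so a bare phrase is invalid."""
    return any(ch in SPECIALS for ch in phrase)


def quote_phrase(phrase: str) -> str:
    """Render the phrase as a quoted-string, escaping backslash and DQUOTE."""
    escaped = phrase.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def safe_from(phrase: str, addr: str) -> str:
    """Build a From: value, quoting the display name only when required."""
    name = quote_phrase(phrase) if needs_quoting(phrase) else phrase
    return f"{name} <{addr}>"


def check_from_header(raw_value: str) -> dict:
    """Inspect a raw From: value of the form 'phrase <addr>' (addr assumed present).

    Reports the decoded display name, whether a bare phrase contains specials
    (the colon / comma cases from the thread), and a corrected value.
    """
    phrase, _, rest = raw_value.rpartition("<")
    addr = rest.rstrip(">").strip()
    phrase = phrase.strip()
    bare = not (phrase.startswith('"') and phrase.endswith('"'))
    # An encoded word inside a quoted-string is not decoded, so leave it alone.
    decoded = decode_phrase(phrase) if bare else phrase
    return {
        "decoded_name": decoded,
        "invalid_bare_phrase": bare and needs_quoting(decoded),
        "fixed": safe_from(decoded, addr) if bare else raw_value,
    }
```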



Re: [exim] OT: are BCC header lines legitimate ?

2023-04-13 Thread Jasen Betts via Exim-users
On 2023-04-12, Olaf Hopp (SCC) via Exim-users  wrote:

> Sorry for being a bit off topic:
> recently we had incoming phishing mails which all had a BCC header line.
> So I thought, that's easy to defend and I introduced a data ACL
>
>   deny condition   = ${if def:h_BCC: {yes}{no}}
>
> My logs revealed a lot of them and I was afraid of doing some overblocking.
> So I changed the "deny" into a "warn", shifted the ACL further down below spam
> and virus scan and added some logging.
>
> The outcome is that there are really a bunch of incoming mails
> with a BCC header, which seems to be no spam.
>
> And furthermore about 90% are coming from Google hosts like e.g. 
> mail-qk1-x742.google.com
>
> So my question for discussion here:
> is there any legitimate use to have a BCC header present
> or is this all crap and can be rejected ?

https://www.rfc-editor.org/rfc/rfc5322#section-3.6.3

   The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
   addresses of recipients of the message whose addresses are not to be
   revealed to other recipients of the message.  There are three ways in
   which the "Bcc:" field is used.  In the first case, when a message
   containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
   removed even though all of the recipients (including those specified
   in the "Bcc:" field) are sent a copy of the message.  In the second
   case, recipients specified in the "To:" and "Cc:" lines each are sent
   a copy of the message with the "Bcc:" line removed as above, but the
   recipients on the "Bcc:" line get a separate copy of the message
   containing a "Bcc:" line.  (When there are multiple recipient
   addresses in the "Bcc:" field, some implementations actually send a
   separate copy of the message to each recipient with a "Bcc:"
   containing only the address of that particular recipient.)  Finally,
   since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
   sent without any addresses indicating to the recipients that blind
   copies were sent to someone.  Which method to use with "Bcc:" fields
   is implementation dependent, but refer to the "Security
   Considerations" section of this document for a discussion of each.


So, sometimes BCC recipients do see the Bcc header.

-- 
 Jasen.
  Слава Україні



Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-04-05 Thread Jasen Betts via Exim-users
On 2023-03-31, Jeremy Harris via Exim-users  wrote:
> On 31/03/2023 16:15, Evgeniy Berdnikov via Exim-users wrote:
>> .ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
>>   protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
>> .endif
>
> Doesn't that imply the wizard has a question that sets that?

The macros defined by the wizard are mostly prefixed with DC_

According to the Debian docs it seems that this one needs to be
defined manually.

-- 
 Jasen.
  Слава Україні



Re: [exim] Something like "domains_require_tls"

2023-03-27 Thread Jasen Betts via Exim-users
On 2023-03-23, Jeremy Harris via Exim-users  wrote:
> On 23/03/2023 16:01, Jeremy Harris via Exim-users wrote:
>> allsmtp:
>>   driver = smtp
>>   hosts_require_tls = ${if 
>> match_domain{$domain}{+domainlist-with-TLS-Domains} {*}{}}
>>   multi_domain = false
>
> Actually, better have
>  max_rcpt = 1
> rather than the multi_domain; I'm not certain that there's coding in
> the transport to check for all-same-domain when expanding $domain.

It did check the last time that I looked; if they do not match, it becomes empty.

-- 
 Jasen.
  Слава Україні



Re: [exim] Hide IP address of authenticated users

2023-03-14 Thread Jasen Betts via Exim-users
On 2023-03-14, Yves Goergen via Exim-users  wrote:
> Hello,
>
> I'd like to hide the IP address of authenticated users sending their 
> messages over my SMTP server. The address always appears in the 
> "Received" header and remains there for the final recipient.
>
> A web search has only led to this information:
>
> https://serverfault.com/questions/1035035/remove-ip-and-username-from-exim-mail-headers
>
> I couldn't find any information about the suggested solution. That 
> all-caps name is mentioned in very long Debian package listings, but I 
> couldn't find any documentation. The name also doesn't appear in Exim's 
> source code (according to GitHub search).
>
> Is there some explanation about this? Does it work? What does it do? 
> Should I create the mentioned file if I don't have it yet?

Yes, that is an addition provided by the exim configuration system used
by debian.


I use the following:

# $acl_m_mangle_received is set in the ACL; when it is true the client's
# IPv4 address a.b.c.d inside $sender_rcvhost is rewritten to 10.a.b.c
received_header_text = Received: \
   ${if def:sender_rcvhost {from \
  ${if bool{$acl_m_mangle_received}{\
   ${sg{$sender_rcvhost}{\\[(\\d+\\.\\d+\\.\\d+)\\.\\d+\\]}{[10.\$1]}}\
  }{$sender_rcvhost}}\n\t}\
  {${if def:sender_ident {from ${quote_local_part:$sender_ident} }}\
  ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\
   by $primary_hostname ${if def:received_protocol {with $received_protocol}} \
   ${if def:tls_cipher {($tls_cipher)\n\t}}(Exim $version_number)\n\t\
  ${if def:sender_address {(envelope-from <$sender_address>)\n\t}}\
  id $message_exim_id${if def:received_for {\n\tfor $received_for}}


Where "$acl_m_mangle_received" is a variable set in the mail ACL.

This expression conditionally rewrites the client IP address a.b.c.d to look
like a LAN address 10.a.b.c.

This is enough to satisfy Spamassassin (which wants to see a received
header) and Barracuda Networks (who take objection to certain IP
addresses appearing in received headers).

-- 
 Jasen.
  Слава Україні



Re: [exim] got this garbage from HP

2023-01-10 Thread Jasen Betts via Exim-users
On 2023-01-11, Viktor Dukhovni via Exim-users  wrote:
> On Wed, Jan 11, 2023 at 03:41:39AM -0000, Jasen Betts via Exim-users wrote:
>
>> Exim seems to translate the lone LF into a space which breaks the
>> message,
>
> I'm somewhat surprised if Exim doesn't already treat LF in SMTP as
> equivalent to CRLF, but perhaps that's the case.

From what I recall it does, but you have to use only LFs; if it sees CRLF
it then requires CRLF.

>> OTOH Gmail seems to convert it into a line break which fixes it.
>
> FWIW, Postfix also tolerates LF-terminated lines in SMTP, they're
> converted to CRLF if/when the message is relayed onward via SMTP.  So
> tolerating them in Exim would not be unprecedented.

-- 
 Jasen.
 pǝsɹǝʌǝɹ sʇɥƃᴉɹ ll∀



[exim] got this garbage from HP

2023-01-10 Thread Jasen Betts via Exim-users

The "MIME-Version:" header is not being separated from the "Subject:" header.

I suspected the problem was line endings and yes, it turns out to be
so. The HP is using a mix of '0a' and '0d-0a' in the message headers.

I got this garbage data block from a client's HP printer; some details
have been masked "xx" to protect the innocent.

   46 72 6f 6d 3a 20 22 3d 3f 75 74 66 2d 38 3f 51   From: "=?utf-8?Q
0010   3f 48 50 3d 32 30 50 72 69 6e 74 65 72 3f 3d 22   ?HP=20Printer?="
0020   20 3c 48 50 2e 50 72 69 6e 74 65 72 40 xx xx xx   ..To:
0040   20 3c xx xx xx xx xx xx xx xx xx xx xx xx xx 40   ..Subj
0060   65 63 74 3a 53 63 61 6e 2d 74 6f 2d 45 6d 61 69   ect:Scan-to-Emai
0070   6c 20 54 65 73 74 20 4d 65 73 73 61 67 65 20 66   l Test Message f
0080   72 6f 6d 20 48 50 20 43 6f 6c 6f 72 20 4c 61 73   rom HP Color Las
0090   65 72 4a 65 74 20 50 72 6f 20 4d 34 37 38 66 2d   erJet Pro M478f-
00a0   39 66 0a 4d 49 4d 45 2d 56 65 72 73 69 6f 6e 3a   9f.MIME-Version:
00b0   20 31 2e 30 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79   1.0..Content-Ty
00c0   70 65 3a 6d 75 6c 74 69 70 61 72 74 2f 6d 69 78   pe:multipart/mix
00d0   65 64 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38   ed;charset=utf-8
00e0   3b 20 62 6f 75 6e 64 61 72 79 3d 22 2d 2d 2d 2d   ;boundary="
00f0   3d 5f 50 61 72 74 5f 42 6f 75 6e 64 61 72 79 5f   =_Part_Boundary_
0100   30 30 30 30 30 30 30 31 5f 32 34 65 39 35 39 66   0001_24e959f
0110   62 2e 36 35 31 31 63 39 61 36 22 0d 0a 0d 0a 0d   b.6511c9a6".
0120   0a 0d 0a 2d 2d 2d 2d 2d 2d 3d 5f 50 61 72 74 5f   ...--=_Part_
0130   42 6f 75 6e 64 61 72 79 5f 30 30 30 30 30 30 30   Boundary_000
0140   31 5f 32 34 65 39 35 39 66 62 2e 36 35 31 31 63   1_24e959fb.6511c
0150   39 61 36 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70   9a6..Content-Typ
0160   65 3a 74 65 78 74 2f 70 6c 61 69 6e 3b 63 68 61   e:text/plain;cha
0170   72 73 65 74 3d 75 74 66 2d 38 3b 20 0d 0a 43 6f   rset=utf-8; ..Co
0180   6e 67 72 61 74 75 6c 61 74 69 6f 6e 73 21 0a 0a   ngratulations!..
0190   54 68 65 20 73 65 74 74 69 6e 67 73 20 79 6f 75   The settings you
01a0   20 68 61 76 65 20 63 6f 6e 66 69 67 75 72 65 64have configured
01b0   20 61 72 65 20 63 6f 72 72 65 63 74 2e 0a 0a 4eare correct...N
01c0   6f 74 65 3a 20 54 68 69 73 20 65 6d 61 69 6c 20   ote: This email 
01d0   6d 65 73 73 61 67 65 20 69 73 20 61 75 74 6f 6d   message is autom
01e0   61 74 69 63 61 6c 6c 79 20 67 65 6e 65 72 61 74   atically generat
01f0   65 64 2e 20 44 6f 20 6e 6f 74 20 72 65 70 6c 79   ed. Do not reply
0200   20 74 6f 20 74 68 69 73 20 6d 65 73 73 61 67 65to this message
0210   2e 0a 0a 44 65 76 69 63 65 20 49 64 65 6e 74 69   ...Device Identi
0220   66 69 63 61 74 69 6f 6e 0a 0a 50 72 6f 64 75 63   fication..Produc
0230   74 20 53 65 72 69 61 6c 20 4e 75 6d 62 65 72 3a   t Serial Number:
0240   20 43 4e 43 52 51 xx xx xx xx xx 0a 0a 0a 0d 0a   CNCRQxx.

Exim seems to translate the lone LF into a space which breaks the
message; OTOH Gmail seems to convert it into a line break which fixes it.

Obviously the best thing to do would be to get HP to fix their device,
but is there any interest in changing the line break detection in exim?

-- 
 Jasen.
 pǝsɹǝʌǝɹ sʇɥƃᴉɹ ll∀
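Added example, not the post's or Exim's code: a small header splitter that reproduces the failure from the dump above under a CRLF-only reading, shows the tolerant reading, flags mixed terminators, and normalises them. The sample message is constructed after the dump with invented addresses.

```python
"""Header-block splitting under strict-CRLF versus tolerant line-ending rules."""
import re
from typing import List, Optional

# Constructed sample modelled on the dump in the post: Subject ends in a bare
# LF, every other header in CRLF. Addresses are invented.
SAMPLE = (
    b'From: "=?utf-8?Q?HP=20Printer?=" <HP.Printer@example.net>\r\n'
    b"To: <scans@example.net>\r\n"
    b"Subject:Scan-to-Email Test Message from HP Color LaserJet Pro M478f-9f\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type:multipart/mixed;charset=utf-8; boundary="xx"\r\n'
    b"\r\n"
    b"body\r\n"
)


def split_header_lines(raw: bytes, tolerant: bool) -> List[bytes]:
    """Return header lines without terminators, stopping at the first blank line.

    tolerant=False: only CRLF terminates a line; a bare LF stays inside the
    line and becomes a space (the behaviour the post attributes to Exim).
    tolerant=True: LF terminates a line and a preceding CR is discarded
    (the behaviour the post attributes to Gmail).
    """
    terminator = b"\n" if tolerant else b"\r\n"
    lines = []
    for line in raw.split(terminator):
        line = line.rstrip(b"\r") if tolerant else line.replace(b"\n", b" ")
        if line == b"":
            break  # blank line: end of the header block
        lines.append(line)
    return lines


def get_header(raw: bytes, tolerant: bool, name: str) -> Optional[str]:
    """Value of the first header called `name`, or None when it is not found."""
    want = name.lower().encode("ascii")
    for line in split_header_lines(raw, tolerant):
        if line[:1] in (b" ", b"\t"):
            continue  # folded continuation of the previous header
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == want:
            return value.strip().decode("utf-8", "replace")
    return None


def mixed_line_endings(raw: bytes) -> bool:
    """True when the data uses both CRLF and bare LF (RFC 5322 wants CRLF only)."""
    return b"\r\n" in raw and re.search(rb"(?<!\r)\n", raw) is not None


def normalize_crlf(raw: bytes) -> bytes:
    """Turn every bare LF into CRLF so a strict reader sees separate headers."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", raw)
```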



Re: [exim] who starts the delivery process?

2022-12-26 Thread Jasen Betts via Exim-users
On 2022-12-26, Askhat Tokabay via Exim-users  wrote:
> Helo
> I found in the documentation:
> Delivery processes may be started as a
> result of a message’s arrival, by a queue runner process,
> or by an administrator using the -M option.
>
> The question is the following:
> Can you tell me who starts the delivery process
> when a message arrives?

Usually message arrival, but there are settings that can disable that
in certain conditions and then one of the others is needed to cause
delivery.

> Or how does the delivery process
> know that a message has arrived?

The process that receives the message fork()s a process to do the
delivery and passes it the exim_id (etc)

Exim is heavily multiprocess.

-- 
  Jasen.



Re: [exim] bad memory reference; pool not found, at gstring_grow 1124

2022-12-20 Thread Jasen Betts via Exim-users
On 2022-12-19, Jeremy Harris via Exim-users  wrote:
> On 19/12/2022 06:32, Jasen Betts via Exim-users wrote:
>>logwrite = 
>> ${sg{${sg{${sg{aaa}{a}{bbb}}}{b}{c}}}{c}{ddd}}zz
>
> Thanks for locating this so precisely.
> Fix pushed: 1ed24e36e279

Thanks for the fix.

-- 
  Jasen.



Re: [exim] exim 4.96 stopping because postfix is starting?

2022-12-19 Thread Jasen Betts via Exim-users
On 2022-12-19, Johnnie W Adams via Exim-users  wrote:
> Sigh. I am slower than usual today. Without the R=, that message ID does
> come from a hard bounce failing dnslookup. What I am left not understanding
> is how to route such messages to our inbound node rather than out to the
> internet.
>
> On Mon, Dec 19, 2022 at 4:13 PM Jeremy Harris via Exim-users <
> exim-users@exim.org> wrote:
>

Exim thinks that the return path is "redac...@redact.edu" and that that
address is on the internet.  If you need special handling for locally
generated messages (like bounces and cron jobs) you can start that in
the "NOT_SMTP" acl by setting an "acl_m_" variable and then do the
special handling with a custom router (probably using the manualroute
mechanism) that checks for the variable.

A few more layers of this and you end up with something resembling a
tuba: many gates and pipes heading every which way. This type of
convoluted email plumbing can easily make mail loops and software lasers;
it might be better to give exim the information it needs to pass SPF and
do the DKIM signing.

-- 
  Jasen.



Re: [exim] bad memory reference; pool not found, at gstring_grow 1124

2022-12-18 Thread Jasen Betts via Exim-users
On 2022-12-05, Jeremy Harris via Exim-users  wrote:
> On 05/12/2022 23:31, Jasen Betts via Exim-users wrote:
>> I'm getting this error panic
>> "bad memory reference; pool not found, at gstring_grow 1124"
>>
>> at a acl logwrite in an ${acl expansion in a router
>>
>> the logwrite is over-size and thus truncated in the debug message
>>
>> then it crashes.
>>
>> it seems to happen fairly rarely, maybe 1 in 1 emails on this path.
>>
>
> version, ops in progress... core dump?
> --
> Cheers,
>Jeremy
>

debian backports' exim-daemon-heavy 4.96


It's caused by a logwrite of exactly 8153
characters (must be exact) in a context where exim_message_id is defined.

eg put this:

  logwrite = 
${sg{${sg{${sg{aaa}{a}{bbb}}}{b}{c}}}{c}{ddd}}zz

in the data ACL

so the line it would write would start with

YYYY-MM-DD HH:MM:SS_IDIDID-IDIDID-ID_
----+----1----+----2----+----3----+--

making exactly 8153+37 = 8190 characters not including the newline.

-- 
  Jasen.



Re: [exim] Storing messages in Maildir format with symmetric encryption

2022-12-10 Thread Jasen Betts via Exim-users
On 2022-12-11, Dengler, Gabriel via Exim-users  wrote:
> Hey Heiko,
>
> in the meantime, I made great progress with the "transport_filter" tool. 
> That was exactly what I was looking for.
>
> In the current setup, I want to store a public and a private key for 
> each user, whereas the private key is encrypted by a password that is 
> only known by the user. For incoming messages, I use the public key to 
> encrypt them, for accessing those messages you need the private key, 
> respectively.
>
> As mentioned in the documentation [1], you can use expansion variables 
> to pass to the "transport_filter". Is there an easy way to access the 
> user name or do you have to filter it out of the headers, e.g. by 
> accessing "Envelope-to:"? I thought about $recipients [2], but this is 
> not available for "transport_filter".

You can save $recipients into an $acl_m_ variable in the data
acl and thus have the value available when doing delivery, but how
will that help? - recipients may be multiple...


When encrypting you need a single one. If it's handling a single recipient
you get $domain and $local_part which are probably what you
want. They're tainted so use them in a lookup to find the public key
(or the filename).  Some transports can handle multiple recipients in
a single transaction. They'll need to be configured to not attempt
that.

-- 
  Jasen.



[exim] bad memory reference; pool not found, at gstring_grow 1124

2022-12-05 Thread Jasen Betts via Exim-users
I'm getting this error panic
"bad memory reference; pool not found, at gstring_grow 1124"

at an acl logwrite in an ${acl expansion in a router 

the logwrite is over-size and thus truncated in the debug message

then it crashes.

it seems to happen fairly rarely, maybe 1 in 1 emails on this path.

-- 
  Jasen.



Re: [exim] Storing messages in Maildir format with symmetric encryption

2022-11-23 Thread Jasen Betts via Exim-users
On 2022-11-23, Jeremy Harris via Exim-users  wrote:
> On 23/11/2022 00:16, Dengler, Gabriel via Exim-users wrote:
>> I want to store the incoming e-mails using the Maildir file format encrypted 
>> by using some symmetric encryption using the user's password
>
> It seems like a generally valuable concept - but I'd think that assymetric 
> encryption
> of the data-at-rest is more appropriate than symmetric.  The MDA (exim, here, 
> receiving
> a message and delivering to file) shou be able to encrypt for the destination 
> user
> but NOT decrypt.  So it should have access to a public key and not a private 
> key
> for the destination mailbox - and this is entirely separate from notions of
> SMTP authentication.
>
> Where to implement it in the code?  Probably pretty late in the appendfile
> transport; about where it's doing actual writes to the file fd - and using
> a public key supplied via a transport option (which the config pulls
> from a database lookup using the username, or localpart, or whatever)
> and perhaps another giving the cipher scheme.

Perhaps use some sort of GPG wrapper as a transport_filter,
and do decryption client-side?

-- 
  Jasen.



Re: [exim] interface and greylistning

2022-11-21 Thread Jasen Betts via Exim-users
On 2022-11-21, Laura Williamson via Exim-users  wrote:
> Have a bit of an issue. When sending out emails out exim select an 
> interface like this
>
> interface = ${lookup sqlite {SQLITE_Q_USERINTERFACE select ip from 
> interface where active='Y' order by random() limit 1}{$value}}
> helo_data = ${lookup 
> dnsdb{ptr=$sending_ip_address}{$value}{$primary_hostname}}
>
> Which works perfectly fine, however, if the server we send to has 
> greylisting it will try again but every time it will select a new 
> interface IP and therefore might get greylisted again (as the IP now is 
> different), is there a way around this?

Don't use random, use something repeatable instead, eg:

   ${listextract{${eval:1+(${base62d:${substr_14_2:$message_exim_id}}%5)}}{\
   10.0.0.1:10.0.0.2:10.0.0.3:10.0.0.4:10.0.0.5}{$value}{10.0.0.1}}

Here the fractional-seconds part of $message_exim_id is used as a
repeatable pseudo-random number. The range is (0..499).

You can possibly use the sha1 function to get repeatable pseudo-random
values by salting the ip-address with the exim-id of the message.

 interface = ${lookup sqlite {SQLITE_Q_USERINTERFACE select ip from \
 interface where active='Y' \
 order by sha1(ip || '${quote_sqlite:$message_exim_id}' ) \
 limit 1}{$value}}

-- 
  Jasen.

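As an added worked example (not code from the post or from Exim), here are the two selection strategies from the reply above in Python: the base-62 fraction of the message id, and a hash over (ip, message id). It assumes the classic 16-character Exim message id "tttttt-pppppp-ff" that ${substr_14_2:$message_exim_id} relies on; the interface pool is constructed. The point being demonstrated is that a retry of the same message keeps its id and therefore lands on the same outbound IP, which "order by random() limit 1" does not guarantee.

```python
# Added example (not from the post or Exim): stable interface choice per message.
import hashlib
import hmac
from typing import Sequence

# Exim's base-62 alphabet: digits, then upper case, then lower case.
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed pool, standing in for "select ip from interface where active='Y'".
INTERFACES = ("10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5")


def base62d(s: str) -> int:
    """Decode an Exim base-62 string, as the ${base62d:...} operator does."""
    n = 0
    for ch in s:
        n = n * 62 + BASE62.index(ch)   # raises ValueError on a non-alphabet char
    return n


def pick_by_fraction(message_id: str, interfaces: Sequence[str] = INTERFACES) -> str:
    """The post's ${listextract{${eval:1+(${base62d:${substr_14_2:...}}%5)}}...}.

    Assumes the classic 16-character id "tttttt-pppppp-ff"; the last two
    characters are the sub-second fraction. Two base-62 characters give a
    coarse spread over the pool, but the same message always maps to the
    same interface, which is what greylisting needs.
    """
    if len(message_id) != 16 or message_id[6] != "-" or message_id[13] != "-":
        raise ValueError("expected a classic 16-character Exim message id")
    return interfaces[base62d(message_id[14:16]) % len(interfaces)]


def pick_by_hash(message_id: str, interfaces: Sequence[str] = INTERFACES,
                 key: bytes = b"") -> str:
    """The post's "order by sha1(ip || message_id) limit 1" idea, in code.

    Rendezvous hashing: score each interface with a keyed digest of
    (ip, message_id) and take the lowest. Still deterministic per message,
    uses the whole id instead of two characters, and adding or removing one
    interface only moves the messages that were mapped to it.
    """
    def score(ip: str) -> bytes:
        return hmac.new(key, f"{ip}|{message_id}".encode(), hashlib.sha256).digest()
    return min(interfaces, key=score)
```

Either function can be called once per delivery attempt with $message_exim_id and will return the same interface for every attempt on that message; the hash variant is the one to prefer when the pool is larger than a handful of addresses.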


Re: [exim] exim4 vs. Frontier.com

2022-11-13 Thread Jasen Betts via Exim-users
On 2022-11-11, Mike via Exim-users  wrote:
> I've struggled off and on for months to get outbound mail via exim4 through 
> frontier.com with no joy.
> I'm on a single user system using mutt and exim4 plus fetchmail. Inbound is 
> no problem.
> Outbound I see this in /var/log/exim4/mainlog:
> 554 5.7.1 <>: Sender address rejected: Access denied
> /etc/email-addresses has the proper frontier email address in it.
> From web search I created /etc/exim4/conf.d/rewrite/10_from_rewrite 
> containing this line:
> *  "$header_from:" F
> This supposedly tells exim4 to set the Envelope header the same as the From 
> header.
> I think Sent = Envelope headers, admittedly not sure about that.

> If there is anyone on the list who has exim4 talking to Frontier.com please 
> help.

https://frontier.com/helpcenter/categories/internet/email/troubleshooting-email/get-started/mail-server-settings

It looks like you configure your smarthost as smtp.frontier.com and tell it
to use your Frontier account username and password.

/etc/exim4/conf.d/ suggests a Debian (or at least .deb) distro.
That uses a file called /etc/exim4/passwd.client to configure
your smarthost username and password.

Put an email in the queue with the network disconnected, list it using

sudo mailq 

and then reconnect the network and run a foreground delivery with 

sudo runq -v

check that authentication succeeds.



-- 
  Jasen.



Re: [exim] raw mime_filename

2022-10-20 Thread Jasen Betts via Exim-users
On 2022-10-13, Mikhail Golub via Exim-users  wrote:
> Hi.
>
> How can I get "raw" $mime_filename ?
>
> In Exim - "headers_charset = UTF-8".
> And if file name of attachment not in utf8 i have a problem with log 
> display.
> Example from log, $mime_filename:
> "▒▒ ▒▒▒ 12_10_22.xlsx"
>
> I could use ... embedded Perl (use Encode).
> If i got raw mime_filename ...
>
> Or can you recommend an easier way get filename in log in utf8 encoding?

Nothing that can be relied upon.

Last week I saw an attachment with lots of high-bit bytes in the
filename, not UTF-8, and no explicit announcement of the character set.

deny
  condition = ${if eq{$mime_filename}{${utf8clean:$mime_filename}}{no}{yes}}
  message = unacceptable attachment filename, please follow RFC

-- 
  Jasen.

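The ACL test above, reproduced on raw filename bytes as an added example (not code from the post or from Exim). Per the Exim spec, ${utf8clean:string} replaces each malformed UTF-8 sequence with "?", so the eq{} comparison fails exactly when the raw name is not valid UTF-8; the functions below make the same decision and also render a form that is safe to write to a UTF-8 log without losing the original bytes. The sample filenames are constructed.

```python
# Added example (not from the post or Exim): the ${utf8clean:} ACL decision in Python.
from typing import Dict

# Constructed samples: raw bytes of a Content-Disposition filename as received,
# before any RFC 2047/2231 decoding.
SAMPLES: Dict[str, bytes] = {
    "ascii":  b"report_12_10_22.xlsx",
    "utf8":   "отчёт 12_10_22.xlsx".encode("utf-8"),
    "cp1251": "отчёт 12_10_22.xlsx".encode("cp1251"),  # shows as blocks in a UTF-8 log
    "latin1": "résumé.pdf".encode("latin-1"),
}


def utf8clean(raw: bytes) -> str:
    """Approximate Exim's utf8clean: decode, replacing undecodable input with '?'.

    Python substitutes U+FFFD per bad byte while Exim writes one '?' per
    malformed sequence, so the number of '?' may differ; whether the value
    changed at all, which is what the ACL tests, agrees.
    """
    return raw.decode("utf-8", errors="replace").replace("\ufffd", "?")


def acl_decision(raw: bytes) -> str:
    """'deny' when eq{$mime_filename}{${utf8clean:$mime_filename}} would be false."""
    try:
        original = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "deny"
    return "accept" if original == utf8clean(raw) else "deny"


def for_log(raw: bytes) -> str:
    """Something safe for a UTF-8 log: the name itself when valid, otherwise the
    cleaned form plus the exact bytes in hex so nothing is lost."""
    if acl_decision(raw) == "accept":
        return raw.decode("utf-8")
    return f"{utf8clean(raw)} (raw hex={raw.hex()})"
```

The cp1251 and latin-1 samples are the realistic failure mode from the thread: the sender declared no charset, the bytes are not UTF-8, and no reliable automatic recovery exists; logging the hex keeps the evidence while the ACL rejects.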


Re: [exim] How to make proxy support work in exim

2022-10-10 Thread Jasen Betts via Exim-users


Proxy protocol is an optional feature: if this:

 exim -bV | grep '\WPROXY\W'
 
prints nothing you will need to install a more feature-rich build of exim.

> ```
> hostlist hosts_proxy = <; 127.0.0.1; 192.46.111.11
> ```
> But PROXY protocol seems to be not recognised by exim

Lose the "hostlist":

hosts_proxy = <; 127.0.0.1; 192.46.111.11

or use the host list explicitly
 
hostlist hosts_proxy = <; 127.0.0.1; 192.46.111.11
hosts_proxy = +hosts_proxy

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html

-- 
  Jasen.

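Why hosts_proxy is a host list and not just an on/off switch, as an added example (not from the post and not Exim's implementation): a PROXY protocol v1 header must be honoured only when the TCP peer is one of the listed proxies, because otherwise any client could assert an arbitrary source address and walk past host-based ACLs. TRUSTED_PROXIES below plays the part of the post's hosts_proxy list; the headers in the test are constructed.

```python
# Added example (not from the post or Exim): PROXY v1 parsing gated on trusted peers.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Stands in for the post's: hosts_proxy = <; 127.0.0.1; 192.46.111.11
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("192.46.111.11/32")]

PROXY_V1_MAX = 107  # bytes including CRLF, per the PROXY protocol v1 spec


@dataclass
class ProxyInfo:
    family: str
    src: str
    dst: str
    src_port: int
    dst_port: int


def parse_proxy_v1(header: bytes) -> Optional[ProxyInfo]:
    """Parse 'PROXY TCP4|TCP6 src dst sport dport\\r\\n'.

    Returns None for 'PROXY UNKNOWN' (keep the real connection addresses)
    and raises ValueError for anything malformed rather than guessing.
    """
    if len(header) > PROXY_V1_MAX or not header.endswith(b"\r\n"):
        raise ValueError("bad PROXY v1 framing")
    parts = header[:-2].decode("ascii").split(" ")
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("not a PROXY v1 header")
    if parts[1] == "UNKNOWN":
        return None
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 family or field count")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match declared protocol")
    sport, dport = int(parts[4]), int(parts[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return ProxyInfo(parts[1], str(src), str(dst), sport, dport)


def effective_client(peer_ip: str, first_line: bytes) -> Tuple[str, bytes]:
    """The address the ACLs should see, plus whatever input is left to process.

    Only a peer inside TRUSTED_PROXIES may rewrite the client address; a
    PROXY line from anyone else is a spoofing attempt and is refused.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not first_line.startswith(b"PROXY "):
        return peer_ip, first_line                 # plain SMTP client, nothing consumed
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
    info = parse_proxy_v1(first_line)
    return (info.src if info else peer_ip), b""
```

In Exim the same gate is the hosts_proxy match: a connection from a host not in that list that starts with "PROXY " is simply treated as SMTP, and the line fails as an SMTP command.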


Re: [exim] GnuTTS woes

2022-09-30 Thread Jasen Betts via Exim-users
On 2022-09-30, Jeremy Harris via Exim-users  wrote:
> On 30/09/2022 09:11, Jasen Betts via Exim-users wrote:
>> Testssl.sh primes its ALPN requests based on the port number used
>
> What does it use for 25/465/567 ?   I don't know of an actual Standard;
> I just picked the obvious for Exim.

I think nothing, I have not checked the source.


testssl also does replays of stored "TLS Hello"s representing
several different browsers; they will have whatever ALPN was recorded
when they were created.

 Further IP addresses:   2400:8907::f03c:93ff:fe2d:f557 
 rDNS (172.105.179.7):   172-105-179-7.ip.linodeusercontent.com.
 Service detected:   Couldn't determine what's running on port 465, 
assuming no HTTP service => skipping all HTTP checks

 Testing protocols via sockets except NPN+ALPN 
 
 SSLv2  not offered (OK)
 SSLv3  not offered (OK)
   
It seems mostly focussed on testing web servers.

It seems to be built around openssl (command line) and does support starttls
for the same protocols supported by openssl.

-- 
  Jasen.



Re: [exim] GnuTTS woes

2022-09-30 Thread Jasen Betts via Exim-users
On 2022-09-30, Andrew C Aitchison via Exim-users  wrote:
> On Fri, 30 Sep 2022, Jasen Betts via Exim-users wrote:
>
>> On 2022-09-30, Viktor Dukhovni via Exim-users  wrote:
>>> On Fri, Sep 30, 2022 at 01:21:21AM -0000, Jasen Betts via Exim-users wrote:
>>>
>>>>> With the older Exim, GnuTLS appears to consider six cipher suites before
>>>>> finding a suitable choice (after skipping all the DHE candidates).
>>>>
>>>> I can disable DHE_RSA by saying
>>>>
>>>> tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA
>>>>
>>>> and now it chooses the same suite that 4.94 was choosing
>>>> but there is still an error after the suite is chosen.
>>>
>>> You could keep debugging GnuTLS, or just use a version of Exim with TLS
>>> support via OpenSSL, which will likely just work.  Your call.
>>>
>>> Some resource that GnuTLS expects to use is not available when it is
>>> initialised by the problem version of Exim.  If not a DHE group,
>>> likely something else related to cryptography.  To debug, you'd need
>>> to figure out where that error is raised.  Lack of help from strace
>>> is not unexpected.
>>
>> It seems to be ALPN causing the problem.
>>
>> this was the commit that "broke" it...
>>
>> commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
>> Author: Jeremy Harris 
>> Date:   Tue Jun 22 23:04:59 2021 +0100
>>
>>TLS: as server, reject connections with ALPN indicating non-smtp use
>>
>> The problem seems to be "gnutls_ext_raw_parse" returning
>> GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when ALPN is not being used.
>> (or when no extensions are being used?) this is undocumented
>> behaviour, but is semantically compatible with the description of that
>> function.
>
> IIRC you were testing on port 443.

Recently I changed to testing on 465.

Testing 4.96 on 443 showed negative results for many web browsers
(unsurprisingly, now); version 4.94 (which was released just before ALPN
was implemented in exim) gives positive results.

> Just out of interest,
> what happens if you use a port without a special TLS meaning ?

Recently I've just been replaying the recorded Paradox "TLS hello" for testing.

Testssl.sh primes its ALPN requests based on the port number used (but
that can probably be overridden)

-- 
  Jasen.



Re: [exim] GnuTTS woes

2022-09-29 Thread Jasen Betts via Exim-users
On 2022-09-30, Viktor Dukhovni via Exim-users  wrote:
> On Fri, Sep 30, 2022 at 01:21:21AM -0000, Jasen Betts via Exim-users wrote:
>
>> > With the older Exim, GnuTLS appears to consider six cipher suites before
>> > finding a suitable choice (after skipping all the DHE candidates).
>> 
>> I can disable DHE_RSA by saying
>> 
>> tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA
>> 
>> and now it chooses the same suite that 4.94 was choosing 
>> but there is still an error after the suite is chosen.
>
> You could keep debugging GnuTLS, or just use a version of Exim with TLS
> support via OpenSSL, which will likely just work.  Your call.
>
> Some resource that GnuTLS expects to use is not available when it is
> initialised by the problem version of Exim.  If not a DHE group,
> likely something else related to cryptography.  To debug, you'd need
> to figure out where that error is raised.  Lack of help from strace
> is not unexpected.

It seems to be ALPN causing the problem.

this was the commit that "broke" it... 

commit f50a063dc0b96ac95b3a7bc0aebad3b3f2534c02 (HEAD)
Author: Jeremy Harris 
Date:   Tue Jun 22 23:04:59 2021 +0100

TLS: as server, reject connections with ALPN indicating non-smtp use

The problem seems to be "gnutls_ext_raw_parse" returning
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE when ALPN is not being used.
(or when no extensions are being used?) this is undocumented
behaviour, but is semantically compatible with the description of that
function.



This patch seems to fix it in my test case. I will try real-world tests next 
week.


diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7a6db94e1..9fc921064 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1142,8 +1142,9 @@ tls_server_clienthello_cb(gnutls_session_t session, 
unsigned int htype,
   unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
 {
 /* Call fn for each extension seen.  3.6.3 onwards */
-return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
+ int rc = gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
   GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+ return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc ;
 }
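Review bot: the added `return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc ;` treats that code as success whatever its cause, not only the no-extensions ClientHello described above; a one-line comment saying why that is safe (a hello with no extensions block cannot carry ALPN, so there is nothing for tls_server_clienthello_ext to reject) and a debug line at that point would make the case visible with -d+tls and spare the next reader a trip through the GnuTLS source. Two style points: the two added lines are indented by one space while the rest of the function body is flush-left, and there is a stray space before the final `;`. Any other non-zero rc from gnutls_ext_raw_parse is still propagated, so the ALPN rejection path is unchanged for clients that do send extensions.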


-- 
  Jasen.

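To see the case the patch handles, here is the "Paradox" ClientHello from earlier in this thread decoded in Python, as an added example (not code from the post, from Exim or from GnuTLS). PARADOX_HELLO is the posted record reassembled from the hex dump and agrees with the tshark decode (SSL 3.0 record, TLS 1.1 hello, 12 suites, no extensions). The parser follows the TLS 1.0 to 1.2 ClientHello layout; smtp_server_verdict() applies the intent of the commit, rejecting only when ALPN names a non-SMTP protocol, and assumes the expected ALPN id is "smtp" as in Exim's default. build_client_hello() produces a constructed comparison hello, not captured traffic.

```python
# Added example (not from the post, Exim or GnuTLS): decode a ClientHello and judge its ALPN.
import struct
from typing import Dict, List, Optional

# The record posted in the thread, reassembled (72 bytes: 5 record header + 67).
PARADOX_HELLO = bytes.fromhex(
    "16030000430100003f0302ffffffff923e9988d02b8fc276bdcf02ccb6fc3900"
    "d052828c650ccd8c0200400000180033003900450088001600350084002f0041"
    "000a000500040100"
)

EXT_ALPN = 16  # application_layer_protocol_negotiation extension type


def parse_client_hello(record: bytes) -> Dict:
    """Return version, suites, compression and extensions (None when the block is absent)."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2
    version = (hello[0], hello[1])
    random_bytes = hello[pos:pos + 32]; pos += 32
    sid_len = hello[pos]; pos += 1
    session_id = hello[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = hello[pos]; pos += 1
    compression = list(hello[pos:pos + cm_len]); pos += cm_len
    extensions: Optional[Dict[int, bytes]] = None
    if pos < len(hello):                      # the extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        extensions, end = {}, pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            extensions[etype] = hello[pos:pos + elen]; pos += elen
    return {"record_version": (record[1], record[2]), "version": version,
            "gmt_unix_time": struct.unpack("!I", random_bytes[:4])[0],
            "session_id": session_id, "cipher_suites": suites,
            "compression": compression, "extensions": extensions}


def alpn_protocols(info: Dict) -> List[str]:
    """Protocol names from the ALPN extension; empty when there is none."""
    exts = info["extensions"]
    if not exts or EXT_ALPN not in exts:
        return []
    data = exts[EXT_ALPN]
    total = struct.unpack("!H", data[:2])[0]
    names, pos = [], 2
    while pos < 2 + total:
        n = data[pos]; pos += 1
        names.append(data[pos:pos + n].decode("ascii")); pos += n
    return names


def smtp_server_verdict(record: bytes) -> str:
    """Reject only when the client names a non-SMTP ALPN protocol.

    No ALPN at all, including the no-extensions case, is not evidence of
    non-SMTP use and must be accepted; that is what the patch restores.
    """
    names = alpn_protocols(parse_client_hello(record))
    return "accept" if not names or "smtp" in names else "reject"


def build_client_hello(version=(3, 3), suites=(0x002F,), alpn=()) -> bytes:
    """Constructed TLS 1.2-style hello (zero random) with an optional ALPN extension."""
    body = bytes(version) + bytes(32) + b"\x00"            # version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # suites, null compression only
    if alpn:
        names = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        ext_data = struct.pack("!H", len(names)) + names
        ext = struct.pack("!HH", EXT_ALPN, len(ext_data)) + ext_data
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Running parse_client_hello(PARADOX_HELLO) shows the hello ending right after the null compression method, so there is no extensions block for gnutls_ext_raw_parse to walk; the browser-style hello built with alpn=("h2", "http/1.1") is the kind of client the commit was meant to turn away.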


Re: [exim] Setting Exim to always remove DKIM signatures

2022-09-29 Thread Jasen Betts via Exim-users
On 2022-09-29, Johnnie W Adams via Exim-users  wrote:
> Hi, folks,
>
>  We have an unusual mail routing topology, where mail passes through
> our SMTP server, through LISTSERV, and then back through our SMTP server.
>
>  We are failing DMARC for reasons I think having to do with when the
> message is signed by DKIM.
>
>  I +think+ the issue is that the DKIM signature from our SMTP server is
> from the first pass through and not the second pass. So what I would like
> to do is tell Exim to remove any DKIM signatures from inbound mail. That
> way, when mail leaves our data center, it'll be signed only at the point of
> departure.
>
>  Can this be done? It's not obvious from the documentation.

Headers can be stripped on arrival using headers_remove in an ACL
or on delivery using remove_headers in a router or transport.

You probably want to strip the DKIM headers either before delivering
them to the listserver (in the transport) or upon receiving them from
it in an ACL.

-- 
  Jasen.



Re: [exim] GnuTTS woes

2022-09-29 Thread Jasen Betts via Exim-users
On 2022-09-29, Viktor Dukhovni via Exim-users  wrote:
> On Thu, Sep 29, 2022 at 03:31:59AM -0000, Jasen Betts via Exim-users wrote:
>
>> This client called itself "Paradox" in the SMTP ehlo, I think it's
>> probably an alarm system. I have an example TLS hello packet now:
>> 
>> 160343013f0302923e9988d02b8fc276bdcf02ccb6fc3900
>> d052828c650ccd8c020040180033003900450088001600350084002f0041
>> 000a000500040100
>
> The "tshark" decode for this Client Hello is:
>
> Transport Layer Security
> SSLv3 Record Layer: Handshake Protocol: Client Hello
> Content Type: Handshake (22)
> Version: SSL 3.0 (0x0300)
> Length: 67
> Handshake Protocol: Client Hello
> Handshake Type: Client Hello (1)
> Length: 63
> Version: TLS 1.1 (0x0302)
> Random: 
> 923e9988d02b8fc276bdcf02ccb6fc3900d052828c650ccd8c020040
> GMT Unix Time: Feb  7, 2106 01:28:15.0 EST
> Random Bytes: 
> 923e9988d02b8fc276bdcf02ccb6fc3900d052828c650ccd8c020040
> Session ID Length: 0
> Cipher Suites Length: 24
> Cipher Suites (12 suites)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 
> (0x0045)
> Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 
> (0x0088)
> Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
> Compression Methods Length: 1
> Compression Methods (1 method)
> Compression Method: null (0)
>
> So this client seems to support SSL 3.0 through TLS 1.1, with RSA and
> mostly SHA1.  The TLS Client HELLO includes no TLS 1.0 extensions.
>
>> tls_require_ciphers expands to "NORMAL:%COMPAT"
>> 433834 TLS: preloading cipher list for server: NORMAL:%COMPAT
>> 433834 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 
>> groups into priority list
>> 433838 Initialising GnuTLS server params
>> 433838 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for 
>> compatibility
>
> First client cipher chosen.  But does the server support TLS 1.1 and
> below?  Perhaps Exim (or GnuTLS) defaults to TLS 1.2 or higher?
>
>> 433838 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.33: 
>> GNUTLS_DHE_RSA_AES_128_CBC_SHA1
>> 433838  error -56 from gnutls_handshake: The requested data were not 
>> available.
>
> Here, the first ciphersuite is chosen, but perhaps then fails for lack
> of appropriate DHE parameters?  There may be some adverse interaction
> between DHE group selection and TLS 1.1 and below in the newer Exim.
>
>> 435388 TLS: no SNI presented in handshake.
>> 435388 GnuTLS<2>: checking 00.33 (GNUTLS_DHE_RSA_AES_128_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<2>: checking 00.39 (GNUTLS_DHE_RSA_AES_256_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<2>: checking 00.45 (GNUTLS_DHE_RSA_CAMELLIA_128_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<2>: checking 00.88 (GNUTLS_DHE_RSA_CAMELLIA_256_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<2>: checking 00.16 (GNUTLS_DHE_RSA_3DES_EDE_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<2>: checking 00.35 (GNUTLS_RSA_AES_256_CBC_SHA1) for 
>> compatibility
>> 435388 GnuTLS<3>: ASSERT: 
>> ../../../lib/ext/server_name.c[gnutls_server_name_get]:239
>> 435388 GnuTLS<2>: Selected (RSA) cert based on ciphersuite 0.35: 
>> GNUTLS_RSA_AES_256_CBC_SHA1
>
> With the older Exim, GnuTLS appears to consider six cipher suites before
> finding a suitable choice (after skipping all the DHE candidates).

I can disable DHE_RSA by saying

tls_require_ciphers = NORMAL:%COMPAT:!DHE-RSA

and now it chooses the same suite that 4.94 was choosing 
but there is still an error after the suite is chosen.

442134 Initi

Re: [exim] GnuTTS woes

2022-09-28 Thread Jasen Betts via Exim-users
On 2022-09-28, Jeremy Harris via Exim-users  wrote:
> On 28/09/2022 21:10, Viktor Dukhovni via Exim-users wrote:
>> You need to analyse some failed handshake full-packet captures  with
>> "tshark", and collected detailed logs from the clients that are having
>> problems.
>
> For Exim, that's "-d-all+tls" as a minimum.

Thanks.

This client called itself "Paradox" in the SMTP ehlo, I think it's
probably an alarm system. I have an example TLS hello packet now:

16030000430100003f0302ffffffff923e9988d02b8fc276bdcf02ccb6fc3900
d052828c650ccd8c0200400000180033003900450088001600350084002f0041
000a000500040100

And I'm able to provoke the error message by replaying it.

( sleep 1 ; xxd -c 32 -r << XDATA
000 16030000430100003f0302ffffffff923e9988d02b8fc276bdcf02ccb6fc3900
020 d052828c650ccd8c0200400000180033003900450088001600350084002f0041
040 000a000500040100
XDATA
 sleep 4 ; echo quit ; echo quit ; sleep 5 ) | nc localhost 465


root@eximtest:~# exim -bd -d-all+tls
Exim version 4.96 uid=0 gid=0 pid=433834 D=1000
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS TLS_resume 
move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP 
PIPECONNECT PRDR PROXY Queue_Ramp SOCKS SPF SRS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz 
dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot external plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Compiler: GCC [10.2.1 20210110]
Library version: Glibc: Compile: 2.31
Runtime: 2.31
Library version: BDB: Compile: Berkeley DB 5.3.28: (September  9, 2013)
  Runtime: Berkeley DB 5.3.28: (September  9, 2013)
Library version: GnuTLS: Compile: 3.7.1
 Runtime: 3.7.1
Library version: IDN2: Compile: 2.3.0
   Runtime: 2.3.0
Library version: Stringprep: Compile: 1.33
 Runtime: 1.33
Library version: spf2: Compile: 1.2.10
   Runtime: 1.2.10
Library version: Cyrus SASL: Compile: 2.1.27
 Runtime: 2.1.27 [Cyrus SASL]
Library version: PCRE2: Compile: 10.36
Runtime: 10.36 2020-12-04
Library version: MySQL: Compile: 100515 10.5.15 [mariadb-10.5]
Runtime: 100515 10.5.15
Library version: SQLite: Compile: 3.34.1
 Runtime: 3.34.1
WHITELIST_D_MACROS: "OUTGOING"
TRUSTED_CONFIG_LIST: "/etc/exim4/trusted_configs"
configuration file is /var/lib/exim4/config.autogenerated
log selectors = cffc 64205022 001c
cwd=/root 3 args: exim -bd -d-all+tls
trusted user
admin user
dropping to exim gid; retaining priv uid
fresh-exec forking for cipher-validate
fresh-exec forked for cipher-validate: 433835
postfork: cipher-validate
tls_require_ciphers expands to "NORMAL:%COMPAT"
 Exim pid=433835 (cipher-validate) terminating with rc=0 
 
tls_validate_require_cipher child 433835 ended: status=0x0
433834 creating notifier socket
433834  @/var/spool/exim4/exim_daemon_notify
433834 listening on all interfaces (IPv6) port 25
433834 listening on all interfaces (IPv4) port 25
433834 listening on all interfaces (IPv6) port 465
433834 listening on all interfaces (IPv4) port 465
433834 listening on all interfaces (IPv6) port 587
433834 listening on all interfaces (IPv4) port 587
433834 listening on all interfaces (IPv6) port 443
433834 listening on all interfaces (IPv4) port 443
433834 pid written to /run/exim4/exim.pid
433834 LOG: MAIN
433834   exim 4.96 daemon started: pid=433834, no queue runs, listening for 
SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 
465 (IPv6 and IPv4) port 443 (IPv6 and IPv4)
433834 GnuTLS global init required
433834 TLS: basic cred init, server
433834 tls_set_watch: '/etc/exim4/duck.certkey'
433834 watch dir '/etc/exim4'
433834 TLS: preloading server certs
433834 GnuTLS<3>: ASSERT: 
../../../lib/x509/attributes.c[_x509_parse_attribute]:103
433834 GnuTLS<3>: ASSERT: 
../../../lib/x509/attributes.c[_x509_parse_attribute]:174
433834 GnuTLS<3>: ASSERT: 
../../../lib/x509/x509_ext.c[gnutls_subject_alt_names_get]:111
433834 GnuTLS<3>: ASSERT: ../../../lib/x509/x509.c[get_alt_name]:1848
433834 GnuTLS<3>: ASSERT: ../../../lib/nettle/mpi.c[wrap_nettle_mpi_print]:60
433834 TLS: cert/key 0 /etc/exim4/duck.certkey registered
433834 TLS: not preloading CA bundle for server
433834 TLS: preloading cipher list for server: NORMAL:%COMPAT
433834 GnuTLS<2>: added 6 protocols, 29 ciphersuites, 19 sig algos and 10 
groups into priority list
433834 TLS: basic cred init, client
433834 TLS: not preloading client certs, for 

Re: [exim] Exim relaying but shouldn't

2022-09-28 Thread Jasen Betts via Exim-users
On 2022-09-28, Lena--- via Exim-users  wrote:
>> From: Eric Grammatico
>
>> In fact I tried to implement the wiki: 
>> https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingPwauth
>
> I edited that wiki: changed
>
> server_condition = ${run{/bin/bash -c "echo -e '$auth2\n$auth3' | /usr/local/bin/pwauth"}{1}{0}}
>
> to
>
> server_condition = ${and {\
>  {!match{$auth2$auth3}{[\x27\r\n]}}\
>  {bool{${run{/bin/bash -c "echo -e '$auth2\n$auth3' | /usr/local/bin/pwauth"}{1}{0}}}}\
> }}

Does that still work in recent versions? 

The documentation for ${run gives conflicting guidance on tainted values.

"Note: if tainted arguments are used, they are supplied by a potential
attacker; a careful assessment for security vulnerabilities should be
done. "

and

"Neither the command nor any argument may be tainted."



It would be nice to have a ${readpipe expansion somewhat analogous to
${readsocket but connects to a pipe process instead of a socket.
perhaps put the return code in $0

-- 
  Jasen.

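The hazard behind the tainted-argument warning, shown as an added example (not code from the wiki page, the post or Exim). vulnerable_command() builds the inner script exactly as the original wiki recipe did, with $auth2 and $auth3 interpolated into a 'bash -c' string, and injected_commands() tokenizes it the way a POSIX shell would to show which extra commands a crafted username runs. safe_check() has the shape a helper call should have: fixed argv, no shell, credentials on stdin, and CR/LF refused because the line-oriented pwauth protocol cannot carry them (the post's match{} test). FAKE_PWAUTH is a constructed stand-in for /usr/local/bin/pwauth.

```python
# Added example (not from the wiki, the post or Exim): shell injection via AUTH data, and the fix.
import shlex
import subprocess
import sys
from typing import List

HELPER = "/usr/local/bin/pwauth"


def vulnerable_command(user: str, password: str) -> str:
    """The script bash -c receives in the original recipe: attacker text becomes code."""
    return f"echo -e '{user}\\n{password}' | {HELPER}"


def shell_words(script: str) -> List[str]:
    """Tokenize as a POSIX shell would, keeping ; | & ( ) < > as their own tokens."""
    return list(shlex.shlex(script, posix=True, punctuation_chars=True))


def injected_commands(user: str, password: str) -> List[str]:
    """Command names that would run besides echo and pwauth; non-empty means break-out."""
    cmds, at_start = [], True
    for word in shell_words(vulnerable_command(user, password)):
        if word in (";", "|", "||", "&&", "&"):
            at_start = True
            continue
        if at_start:
            cmds.append(word)
            at_start = False
    return [c for c in cmds if c not in ("echo", HELPER)]


# Constructed stand-in for pwauth: reads "user\npassword\n" on stdin and exits 0
# only for the one account below (the real pwauth checks the system password file).
FAKE_PWAUTH = [sys.executable, "-c",
               "import sys; lines = sys.stdin.read().split('\\n'); "
               "sys.exit(0 if lines[:2] == ['alice', 's3cret'] else 1)"]


def safe_check(user: str, password: str, helper: List[str] = FAKE_PWAUTH) -> bool:
    """Authenticate without a shell; tainted data only ever travels over stdin.

    The CR/LF check matters even here: with it removed, a username of
    "alice\\ns3cret" plus any password would shift the lines and satisfy the
    helper without knowledge of the real password.
    """
    if any(c in s for s in (user, password) for c in "\r\n\0"):
        return False
    proc = subprocess.run(helper, input=f"{user}\n{password}\n",
                          text=True, capture_output=True, timeout=10)
    return proc.returncode == 0
```

injected_commands("x'; touch /tmp/pwned; echo '", "pw") returns ["touch"]: the quote in the username closes echo's argument and the rest runs as a separate command under the Exim user. safe_check() never gives the shell a chance to parse the credentials, and the newline refusal closes the line-shift bypass that the post's match{} guards against.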


Re: [exim] GnuTTS woes

2022-09-28 Thread Jasen Betts via Exim-users
Sorry for the slow replies, my mailing list subscription was
misconfigured 

On 2022-09-28, Viktor Dukhovni via Exim-users  wrote:
> On Tue, Sep 27, 2022 at 02:39:19AM -0000, Jasen Betts via Exim-users wrote:
>
>> it's reachable here:  eximtest.duckdns.org
>> 
>> eg: $  testssl eximtest.duckdns.org:465
>> 
>
> You said that ECDHE ciphers are not available, but a default connection
> with "posttls-finger" gives TLS 1.3 with an ECDHE cipher:
>

I did say that; I was working from scraped web pages of a third-party
analysis at the time... I've since found testssl.sh (which is easier to
use) and by tweaking the priority string have turned on the same
ciphers.

According to testssl.sh the only feature currently missing is
maximum_fragment_size (and the ability to support several client platforms).
I think I may have to run a bisection search on the source code to figure out
where that fell off.

-- 
  Jasen.



Re: [exim] GnuTTS woes

2022-09-28 Thread Jasen Betts via Exim-users
On 2022-09-24, Viktor Dukhovni via Exim-users  wrote:
> On Fri, Sep 23, 2022 at 05:50:29AM -0000, Jasen Betts via Exim-users wrote:
>
>> My testing mainly involves telling exim to listen on port 443 with
>> implicit SSL and then hitting it with www.sslcheck.com 
>> 
>>   tls_on_connect_ports = 465:443
>>   daemon_smtp_ports = 25:465:587:443
>> 
>> and this testing also shows a change in the available suites.
>> 
>> It mainly seems to be ECDH suites that are no longer available.
>
> There's a big difference between "ECDH" and "ECDHE", the "fixed" DH/ECDH
> ciphers are deprecated, rarely used, and should not be used.  While DHE
> and ECDHE ciphers are preferred.  If GnuTLS disabled these, no harm done.
>
> If you post the name of the server, it would be possible for others to
> confirm your observations and perhaps offer more detailed help.

the server is nothing special, basically a stock debian 11 with exim
installed from debian backports, and a certificate from letsencrypt.

I'm working towards minimum steps to reproduce by eliminating as
many other factors as possible..

I'm using a free dynamic domain name to protect the guilty.

it's reachable here:  eximtest.duckdns.org

eg: $  testssl eximtest.duckdns.org:465

once I find a good configuration I will deploy it on production
servers.


-- 
  Jasen.



Re: [exim] GnuTTS woes

2022-09-28 Thread Jasen Betts via Exim-users
On 2022-09-24, Andreas Metzler via Exim-users  wrote:
> On 2022-09-23 Jasen Betts via Exim-users  wrote:
>> upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
>> connectivity (as a server).
>
>> I'm using libgnutls3.7.1 on debian 11 and the Exim package from backports 
>
>> customers are complaining about TLS not not working
>
>> my testing mainly involves telling exim to listen on port 443 with
>> implicit SSL and then hitting it with www.sslcheck.com 

I have since discovered the script testssl.sh 
which gives the same results, faster.

>> and this testing also shows a change in the available suites.
>
>> It mainly seems to be ECDH suites that are no longer available.
>
> Hello,
>
> I suspect you have only installed a EC/ECDSA certificate, you will also
> need a RSA certificate for maximum compatibility.

On my test server I'm using an RSA certificate from letsencrypt. It
doesn't seem to make any difference.

I can align the list of cipher suites on both versions by disabling DHE-RSA on
the new server, but that didn't help.

according to testssl.sh the only protocol difference seems to be that the new
version isn't offering tls extension "max fragment length/#1" I can't
find a way to enable this to test if it makes any difference.

-- 
  Jasen.



Re: [exim] GnuTTS woes

2022-09-28 Thread Jasen Betts via Exim-users
On 2022-09-24, Jeremy Harris via Exim-users  wrote:
> On 23 September 2022 06:50:29 BST, Jasen Betts via Exim-users 
>  wrote:
>>upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
>>connectivity (as a server).
>>
>>I'm using libgnutls3.7.1 on debian 11 and the Exim package from
>>backports 
>
>
>
> Did the GnuTLS version change?
> If so it could be that rather than
> the Exim version change.
>
> You need to disentangle.

the version of gnutls is the same: this one.

lrwxrwxrwx 1 root root  20 Aug 7 14:30 x86_64-linux-gnu/libgnutls.so -> 
libgnutls.so.30.29.1
lrwxrwxrwx 1 root root  20 Aug 7 14:30 x86_64-linux-gnu/libgnutls.so.30 -> 
libgnutls.so.30.29.1
-rw-r--r-- 1 root root 2086552 Aug 7 14:30 x86_64-linux-gnu/libgnutls.so.30.29.1

-- 
  Jasen.



Re: [exim] SMTPUTF8 Authentication and logging

2022-09-24 Thread Jasen Betts via Exim-users
On 2022-09-22, Kai Bojens via Exim-users  wrote:
> Hello there,
> I have a new server which now has SMTPUTF8 enabled. I'm not sure why but 
> since then at least one Outlook client decided to stop using the IDN 
> form (xn--dmin-moa0i.example) and now tries to authenticate with the 
> UTF-8 domain. Researching this problem has led me to some questions:
>
> 1. How does exim handle UTF-8 in authentication data?

Authentication credentials have been 8-bit since forever, exim is 8-bit
clean so, if a client offers an 8 bit credential (username, password, etc)
exim will pass that on to the lookup or whatever is being used to
check the credentials. 

> 2. How does exim handle the logging of such information? I searched the 
> logfile and noticed that the authentication information is logged with 
> UTF-8 in octal:
>
> (set_id=xyz@XXX\303\266nX\303\244XXX.xyz)

These would be an escaped version of the bytes offered in the
credential. There is no enforcement that the credential is valid UTF-8.

-- 
  Jasen.

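Reading such a log line back, as an added example (not code from the post or from Exim). Exim writes non-printable bytes in log fields as \ooo octal escapes, which is the set_id= form quoted above; unescape_exim_log() reverses that, decode_login() reports whether the bytes are valid UTF-8 (Exim itself does not check) and maps the domain to its A-label, so a login sent in UTF-8 can be compared with an account stored in xn-- form, which is the mismatch the question describes. The values in the test are constructed.

```python
# Added example (not from the post or Exim): decode an octal-escaped set_id and normalise it.
import re
from typing import Optional, Tuple

_ESCAPE = re.compile(rb"\\([0-7]{3})|\\\\")


def unescape_exim_log(field: str) -> bytes:
    """Turn \\ooo back into one byte and \\\\ into a backslash; ASCII passes through."""
    def one(m: "re.Match[bytes]") -> bytes:
        return b"\\" if m.group(0) == b"\\\\" else bytes([int(m.group(1), 8)])
    return _ESCAPE.sub(one, field.encode("ascii"))


def decode_login(set_id: str) -> Tuple[Optional[str], Optional[str], bool]:
    """(local_part, ascii_domain, is_valid_utf8) for a logged set_id= value.

    Invalid UTF-8 yields (None, None, False): the client sent bytes in some
    other charset and no reliable mapping to an account name exists.
    """
    raw = unescape_exim_log(set_id)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None, None, False
    local, sep, domain = text.rpartition("@")
    if not sep:
        return text, "", True                  # bare username, no domain part
    return local, domain.encode("idna").decode("ascii"), True


def same_account(login_a: str, login_b: str) -> bool:
    """True when two logins (U-label or xn-- domain, any case) name one account."""
    a, b = decode_login(login_a), decode_login(login_b)
    return a[2] and b[2] and a[0] == b[0] and a[1].lower() == b[1].lower()
```

The local part is compared byte-for-byte on purpose: only the domain has a defined ASCII form (IDNA), while a UTF-8 local part has no canonical ASCII equivalent, so the account store must hold it exactly as clients send it.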


[exim] GnuTTS woes

2022-09-24 Thread Jasen Betts via Exim-users
upgrading from 4.94 to 4.96 seems to have dramatically reduced the TLS
connectivity (as a server).

I'm using libgnutls3.7.1 on debian 11 and the Exim package from backports 

customers are complaining about TLS not working

my testing mainly involves telling exim to listen on port 443 with
implicit SSL and then hitting it with www.sslcheck.com 

  tls_on_connect_ports = 465:443
  daemon_smtp_ports = 25:465:587:443

and this testing also shows a change in the available suites.

It mainly seems to be ECDH suites that are no longer available.

I'm not sure how to proceed.

-- 
  Jasen.



Re: [exim] 4.96 reduce not working

2022-09-24 Thread Jasen Betts via Exim-users



On 2022-09-22, Jeremy Harris via Exim-users  wrote:
>
> a3d3e7ef81 (just pushed) fixes this.
>
> Given the fix, does
>
>${listcount:${filter {a:p:p:l:e} {inlisti{$item}{ p:e:z }}}}
>
> look plausible?

Yes, that looks good. 

-- 
  Jasen.



[exim] 4.96 reduce not working

2022-09-22 Thread Jasen Betts via Exim-users


I was using the following form to see how many elements of list 1 occur in list 2:


${reduce{ a:p:p:l:e }{0}{${if inlisti{$item}{ p:e:z }{${eval:$value+1}}{$value}}}}

but this has stopped working in 4.96.

It seems inlisti is overwriting $value :(

Ah yes, this feature is  documented.


the way I'm using it the first list is a tainted variable and the
second is a constant macro.

I guess I can rewrite it as

${reduce{ a:p:p:l:e }{0}{${if or{\
  {eqi{$item}{p}}\
  {eqi{$item}{e}}\
  {eqi{$item}{z}}\
  }{${eval:$value+1}}{$value}}}}
  
but I can't use the macro for that :(

is there a better way?

-- 
  Jasen.



Re: [exim] Blocking a Class C

2022-06-14 Thread Jasen Betts via Exim-users
On 2022-06-06, The Doctor via Exim-users  wrote:
> On Mon, Jun 06, 2022 at 11:33:17PM +0100, Jeremy Harris via Exim-users wrote:
>> On 06/06/2022 23:18, The Doctor via Exim-users wrote:
>> > Just going over my spam and I find this IP 195.133.39.99
>> > 
>> > sending a lot of junk.  How can you block such a class C?
>> > 
>> 
>> Multiple possible ways.
>> 
>> One would be a
>> deny hosts= 195.133.39.0/24
>> acl verb (assuming you really want the class-C).
>> You get to choose at what stage of processing you want this.
>
> I wonder if Reject IP can be class C based.

Well, yeah, a network-layer firewall is another solution.

-- 
  Jasen.



Re: [exim] smarthost Outsmarting me so Far (Victory at last)

2022-05-12 Thread Jasen Betts via Exim-users
On 2022-05-11, Martin McCormick via Exim-users  wrote:

> # Example:
> ### target.mail.server.example:login:password
> *.suddenlink.net:marti...@suddenlink.net:BigSecret
>
>   To get it to work now, I had to change the last line
> credentials slightly as you suggested to try:  It now looks like
>
> *:marti...@suddenlink.net:StillBigSecret
>
>   One of the people I spoke with with suddenlink Tech
> Support said they had not made any changes. 
[...]

The log line for your successful exim delivery should include the host
name that exim thinks it delivered to.

It should continue to work if you put something that matches that hostname
in your passwd.client


-- 
  Jasen.



Re: [exim] test Thu, 05 May 2022 14:51:32 -0500

2022-05-06 Thread Jasen Betts via Exim-users
On 2022-05-05, Martin McCormick via Exim-users  wrote:
> Subject: smarthost Outsmarting me so Far


> $ telnet smtp.suddenlink.net 25

you probably need encryption to use authentication.

  openssl s_client -connect smtp.suddenlink.net:25 -starttls smtp

> helo martim.n

Use ESMTP "ehlo" instead of "helo":

 EHLO martim.n

> 250 omta03.suddenlink.net
> help login

The help banner doesn't cover auth, the command you want is

 AUTH LOGIN

Auth is all in base-64 so you'll need to encode your responses (and
decode the challenges if you can't guess what they are).

>   A good perl or python script should plug in to exim's
> logic to make it possible to script and monitor authentication
> and take care of that while exim can do the smtp activities as it
> always has.
>
>   Any and all constructive ideas are much appreciated.

>   A modular authentication helper would be a tremendous
> force multiplier since security issues have made things much more
> complex then they were and a form of scripting similar to expect
> should reduce the amount of head-banging necessary to solve minor
> changes in authentication that totally stop the show right now.

Perl and python already have SMTP libraries, just use them; or use
swaks if you're programming in shell.

-- 
  Jasen.
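The base64 challenge/response the reply describes, and the "just use the library" route, as an added Python example (not code from the list post or from the Exim project). The host, port and credentials in the `__main__` block are constructed placeholders; `login_over_starttls` is the only function that touches the network, and it refuses to send credentials unless the server offers STARTTLS.

```python
"""Decode AUTH LOGIN challenges by hand, or let smtplib do the whole exchange.

Added example; not from the list post or the Exim project. Host, port and
credentials used below are constructed placeholders.
"""
import base64
import smtplib
import ssl


def decode_challenge(line: str) -> str:
    """Turn a '334 VXNlcm5hbWU6' server line (or the bare base64) into text."""
    token = line.split()[-1]  # drop the '334 ' status code if it is present
    return base64.b64decode(token).decode("utf-8", errors="replace")


def encode_response(text: str) -> str:
    """Encode a username or password the way AUTH LOGIN expects it back."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def login_over_starttls(host: str, port: int, user: str, password: str,
                        timeout: float = 30.0) -> list:
    """EHLO, upgrade to TLS, EHLO again, then authenticate via smtplib.

    Returns the AUTH mechanisms the server advertised after STARTTLS.
    Raises before any credential is sent if STARTTLS is not offered, so the
    login never happens over a plaintext session.
    """
    ctx = ssl.create_default_context()  # verifies the server certificate
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server offers no STARTTLS; not sending credentials")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities can differ once the session is encrypted
        mechs = smtp.esmtp_features.get("auth", "").split()
        if "LOGIN" not in mechs and "PLAIN" not in mechs:
            raise RuntimeError(f"no usable AUTH mechanism offered: {mechs}")
        smtp.login(user, password)  # smtplib performs the base64 steps itself
        return mechs


if __name__ == "__main__":
    # The first challenge a LOGIN server sends, decoded instead of guessed.
    print(decode_challenge("334 VXNlcm5hbWU6"))  # Username:
    print(encode_response("user@example.net"))
    # Replace the placeholders with your own smarthost and credentials:
    # print(login_over_starttls("smtp.example.net", 587, "user", "secret"))
```

Decoding the challenge rather than assuming it matters when a server uses a non-standard prompt; the library route is what the reply recommends for anything beyond a one-off check.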



Re: [exim] Google SMTP Timeouts on large mails

2022-04-30 Thread Jasen Betts via Exim-users
On 2022-04-29, Graeme Coates via Exim-users  wrote:
> Hi all,
>
> I've seen this issue raised in:
>
> https://lists.exim.org/lurker/message/20220216.071725.892984cd.en.html
>
> and
>
> https://lists.exim.org/lurker/message/20220313.200645.624cc373.en.html
>
> but haven't seen a definite resolution as yet.
>
> As per other reports, I have a Debian Bullseye (11.3) system running Exim
> 4.94.2 #2. It is setup with virtual domains using dovecot for local delivery
> and aliases defined for some simple forwarding. I wasn't aware of any
> similar issue in Exim 4.92 (on Debian 10).  I see log reports similar to
> other reports - eg:
>
> /var/log/exim4/mainlog:2022-04-27 07:47:30 1njbGQ-005LxL-M5
> H=gmail-smtp-in.l.google.com [2a00:1450:4010:c0e::1a]: SMTP timeout after
> sending data block (199774 bytes written): Connection timed out
>
> /var/log/exim4/mainlog:2022-04-27 07:50:10 1njbGU-005Lz8-RV
> H=gmail-smtp-in.l.google.com [74.125.131.26]: SMTP timeout after end of data
> (246239 bytes written): Connection timed out
>
> This is for both ipv4 and ipv6 connections, and to only Google mail servers,
> and only when delivering "large" messages (that are bigger than say about
> 100kb, though I haven't investigated fully the limits - short, text only is
> fine). Eventually, the messages do get through, but with delays of hours in
> some cases. As per other reports, delivery of the same mail to all other
> hosts works perfectly. This occurs both with firewall rules set to allow
> everything, as well as with a "normal" ruleset allowing: all
> OUTBOUND/FORWARD,  all icmp INBOUND and all TCP INBOUND with ctstate
> RELATED,ESTABLISHED (as well as ports opened for relevant services).
>
> If I do:  sysctl net.ipv4.tcp_window_scaling=0 , then everything works
> perfectly - with tcp_window_scaling=1, the issue is reproduced.
>
> I have a packet capture which is available here:
>
> https://tinyurl.com/742s855d
>
> The Session log from Exim in debug mode is here (with redacted hosts,
> addresses, etc) - the message was delivered to the server, and is being
> forwarded onto an email in a Google workspace account (following a
> forwarding rule in an aliases file)
>
> https://tinyurl.com/22nn887u
>
> Is it possible from these traces to pin down the issue at all and maybe come
> up with a workround (without having to turn off tcp_window_scaling) or a
> pointer as to where I need to formally raise a bug, and I'll be happy to do
> so!

Make sure that your DNS and return-path MX are working. We recently
had some sort of firewall issue that was unrelated to SMTP causing
timeouts on deliveries to gmail; removing the firewall rules cleared
it up.




-- 
  Jasen.



Re: [exim] Multiple domains using certificates and keys

2022-03-23 Thread Jasen Betts via Exim-users
On 2022-03-23, The Doctor via Exim-users  wrote:
>
> Question:
>
> In my configuration file I have
>
> tls_certificate = ${if exists\
>{/path/to/2021/${tls_sni}/chain.cert}\
> {/path/to/2022/${tls_sni}/chain.cert}\
>{/path/to/default//chain.cert}\
>  }
>  tls_privatekey = ${if exists\
>   {path/to/old/${tls_sni}/key}\
>{/path/to/current/${tls_sni}/key}\
>   {/path/to/defalut/key}\
> }
>
> Am I missing something?

Tainting I guess. ${tls_sni} is a value which may contain any bytes
whatsoever, and can be, and has been, abused by attackers, thus exim
doesn't trust it in a filesystem context.

So even though you know the names of the files, you need
to verify them against a home truth. Something like:

tls_privatekey = ${lookup {$tls_sni} dsearch,ret=full \
   {/path/to/current/}{$value/key}{/path/to/default/key}}

This assumes that the file "key" exists if the subdirectory $tls_sni
is found. If you want to be paranoid you can replace $value/key with
an if-exists check using "$value/key" instead of
"path/to/current/${tls_sni}/key".

I'm a fan of putting the key, certificate, and chain into a single
file, as this reduces the number of configuration settings needed. Then
you could have file-per-domain in a single directory, and replace
"/key" with ".allcert" or similar above (not needing the if-exists test at all):
 
   tls_privatekey = ${lookup {$tls_sni.allcert} dsearch,ret=full \
  {/path/to/current/}{$value}{/path/to/default.allcert}}
 

Also you misspelled default one time, and 2021 vs 2022; I'm
guessing transcription errors, but you did ask.
Also double slashes, but I think that is harmless in POSIX.

-- 
  Jasen.
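What the dsearch lookup buys over splicing `$tls_sni` into a path, as an added Python example (not code from the list post or from the Exim project). It re-implements the dsearch rule in plain Python so the check can be run offline against a throwaway directory tree; the directory names, SNI strings and file contents are constructed placeholders.

```python
"""Why a tainted $tls_sni must not be spliced into a path, and what dsearch does.

Added example; not from the list post or the Exim project. The dsearch()
below mimics exim's dsearch lookup (ret=full) and is not exim's own code.
All names and files are constructed placeholders.
"""
import os
import tempfile


def unsafe_key_path(base_dir: str, sni: str) -> str:
    """The pattern exim rejects: /path/to/current/${tls_sni}/key with the
    peer-supplied name used verbatim."""
    return os.path.normpath(os.path.join(base_dir, sni, "key"))


def dsearch(base_dir: str, name: str):
    """Mimic exim's dsearch lookup with ret=full.

    The lookup succeeds only if `name` is exactly one of the entries of
    base_dir. A name that is not a plain directory entry (empty, contains
    '/', or is . or ..) can therefore never resolve outside base_dir.
    """
    if not name or "/" in name or name in (".", ".."):
        return None
    try:
        entries = os.listdir(base_dir)
    except OSError:
        return None
    return os.path.join(base_dir, name) if name in entries else None


def key_path_for_sni(base_dir: str, sni: str, default_key: str) -> str:
    """Equivalent of
    ${lookup {$tls_sni} dsearch,ret=full {base_dir}{$value/key}{default_key}}
    plus the if-exists check on $value/key the post mentions."""
    hit = dsearch(base_dir, sni)
    if hit is None:
        return default_key
    candidate = os.path.join(hit, "key")
    return candidate if os.path.isfile(candidate) else default_key


def demo() -> dict:
    """Build a throwaway certificate tree and exercise both code paths."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "current")
    default_key = os.path.join(root, "default", "key")
    os.makedirs(os.path.join(base, "mail.example.com"))
    os.makedirs(os.path.join(base, "nokey.example.com"))  # entry, but no key file
    os.makedirs(os.path.dirname(default_key))
    for path in (os.path.join(base, "mail.example.com", "key"), default_key):
        with open(path, "w") as fh:
            fh.write("placeholder key material\n")

    # Constructed SNI values: a real entry, one that is not an entry at all,
    # an entry without a key file, and an empty name.
    not_an_entry = "../../etc/ssl/private"
    unsafe = unsafe_key_path(base, not_an_entry)
    return {
        "base": base,
        "default_key": default_key,
        "valid": key_path_for_sni(base, "mail.example.com", default_key),
        "no_key_file": key_path_for_sni(base, "nokey.example.com", default_key),
        "not_an_entry": key_path_for_sni(base, not_an_entry, default_key),
        "empty_sni": key_path_for_sni(base, "", default_key),
        # True: the naive join resolves to a path outside the certificate tree
        "unsafe_escapes_base": not unsafe.startswith(base + os.sep),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the membership test is that the only strings which can ever reach the filesystem are names the administrator created as directory entries; anything else falls through to the default key, which is the same behaviour the `dsearch,ret=full` expansion in the reply gives exim.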



Re: [exim] Limiting outside world to ports 465 and 587

2022-03-13 Thread Jasen Betts via Exim-users
On 2022-03-13, The Doctor via Exim-users  wrote:
> I was wonder if it is doable that the outside world
> can only see ports 587 and 465
> while limiting port 25 to localhost only.


Assuming 192.0.2.44 is "the outside world" IP address,
in the main configuration:

daemon_smtp_ports = 25 : 587 : 465
local_interfaces = <; 127.0.0.1 ; ::1 ; [192.0.2.44]:587 ; [192.0.2.44]:465

Drop the ::1 entry if you don't have IPv6.

explanation here: 
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-starting_the_daemon_and_the_use_of_network_interfaces.html

-- 
  Jasen.



Re: [exim] Unable to send or receive mails, Tainted not permitted

2022-02-13 Thread Jasen Betts via Exim-users
The directory must be present beforehand 

On 2022-02-13, necktwi via Exim-users  wrote:
> It failed with
> 2022-02-13 12:01:02 1nJ8PW-0003xM-O7 == neck...@ferryfair.com R=localuser 
> T=local_delivery defer (-1): Expansion of "${lookup {$local_part} 
> dsearch,ret=full {/home}{$value/.maildir}fail}" (file or directory name for 
> local_delivery transport) failed: "lookup" failed and "fail" requested
>
>
>> On 12-Feb-2022, at 6:29 PM, Jasen Betts via Exim-users  
>> wrote:
>> 
>> On 2022-02-12, necktwi via Exim-users  wrote:
>>> I fixed it by setting
>>> directory = ${home}/.maildir
>>> 
>>> But I want it to work with
>>> directory = /home/$local_part/.maildir
>> 
>> use something like this instead.
>> 
>> directory = ${lookup {$local_part} dsearch,ret=full 
>> {/home}{$value/.maildir}fail}
>> 
>> 
>> -- 
>>  Jasen.
>> 
>
>


-- 
  Jasen.



Re: [exim] Unable to send or receive mails, Tainted not permitted

2022-02-12 Thread Jasen Betts via Exim-users
On 2022-02-12, necktwi via Exim-users  wrote:
> I fixed it by setting
> directory = ${home}/.maildir
>
> But I want it to work with
> directory = /home/$local_part/.maildir

use something like this instead.

directory = ${lookup {$local_part} dsearch,ret=full 
{/home}{$value/.maildir}fail}


-- 
  Jasen.



Re: [exim] exim maildirsize quota calculation in the face of symlinks

2022-02-10 Thread Jasen Betts via Exim-users
On 2022-02-10, Maarten van Baarsel via Exim-users  wrote:
> Currently, I'm also using a plugin in dovecot:
>
> https://wiki.dovecot.org/Plugins/MailboxAlias
>
> However, this plugin solves the alias problem with a symlink in the
> Maildir directory, which makes Exim count the mails twice when the
> appendfile transport is calculating quota sizes.

Have you considered using OS-provided per-user disk quotas instead?

https://www.linux.com/training-tutorials/step-step-using-user-quotas-linux/

This is just an idea; I don't know how well dovecot and exim interact with
quota.

-- 
  Jasen.



Re: [exim] sendind email to an intermittently connected host

2022-01-19 Thread Jasen Betts via Exim-users
On 2022-01-18, Leonardo Boselli via Exim-users  wrote:
> On Tue, 18 Jan 2022, Odhiambo Washington wrote:
>> I still believe that it's better to solve the problem from the source -
>> where the connectivity is almost unpredictable.
>
> log time unconnections are predictable, since does not occour by a 
> failure, but intentionally, and system manager for both systems is the 
> same. so when system return active the unqueuing can be triggered 
> manually. 
> And the problem is not for 5 minutes (that BTW is NOT enough realtime 
> for one of the the needs) but when it is off/inactive/refusing for up to 3 
> months, when the other system must queue without giving even the slightest 
> warning.

Exim can be configured for how long to retry and when to warn;
you can set it to 6 months if you want (well, you might have to say
183 days, I don't think exim understands months).

-- 
  Jasen.



Re: [exim] Re-routing mail to the secondary MX server

2022-01-12 Thread Jasen Betts via Exim-users
On 2022-01-12, Dmitriy Matrosov via Exim-users  wrote:
> Hi.
>
> Is it possible to re-route certain mails on the primary server (with lowest 
> MX priority)
> to the secondary (the one with highest priority)?
>
> My use case is if the recipient is not found on the primary server,
> try to deliver a message to the secondary server (which is controlled by 
> another person).
>
> Thanks.

Don't make it a secondary unless you trust it to accept and forward emails for
your server to your server; then you have to solve the problem where neither
server wants a certain email.


If you want it to cover some of your domain's mailboxes then you'll
need to add a manualroute router for it

put it between the local delivery router and the remote dnslookup
router.

If possible have the rcpt acl for your domain check this server where
appropriate, "verify = callout" or "control = cutthru" are possible ways.

-- 
  Jasen.



Re: [exim] converting from debian package to source

2022-01-08 Thread Jasen Betts via Exim-users
On 2022-01-08, Odhiambo Washington via Exim-users  wrote:
> On Sat, Jan 8, 2022 at 5:26 PM Julian Bradfield via Exim-users <
> exim-users@exim.org> wrote:
>
>> My mail servers run, and have run for decades, on Debian, and I've
>> always used the Debian package for exim4, though I don't use debconf
>> for my own additions, but just edit the conf.template file as if it
>> were a .conf file.
>>
>> The pain of dealing with Debian's antiquated versions (4.92) and
>> gratuitous messing around with upstream's configuration (most recent
>> annoyance, not supporting built-in SPF) is prompting me to think about
>> switching to using the primary source.
>>
>> I wonder if anybody on this list has done such a conversion recently,
>> and would have time to share the chief gotchas they encountered.
>>
>> If you reply to me, I will summarize to the list.
>>
>
> There are times I have simply grabbed the source tarball and compiled it
> manually.
> As long as you make the right edits to the Local/Makefile. You can always
> toss away the default /etc/exim4 and replace the contents
> with your own version of configs, while still being able to use the system
> control scripts to start/stop exim.
> I have never liked the split configurations I see on Debian and its
> derivates. I use the monolithic config everywhere.

The main benefits for the split config is to allow users to separate
custom from stock config (which makes upgrades less painful), and to
allow packages containing companion services (eg: mailscanner or dbmail)
to ship exim config changes.

It also makes things like adding procedurally generated config
sections easier.

-- 
  Jasen.



Re: [exim] Running our own email server on GCP

2022-01-04 Thread Jasen Betts via Exim-users
On 2022-01-04, Byung-Hee HWANG via Exim-users  wrote:
> Terrance Devor via Exim-users  writes:
>
>> I have read that google blocks port 25 and 465. We absolutely need to run
>> our email own email servers on GCP using our Kubernetes cluster. Did anyone
>> succeed in this?
>
> Currently i am running Postfix on GCP, Ubuntu 18.04 LTS as Google
> Computer Engine. You can open INGRESS (port 25 inbond). However you
> cannot open ENGRESS (port 25 outbond). So you should use outside SMTP
> for sending. In my experience, Mailgun and Amazon SES are good for
> sending. They offer special ports such as 2525, 2587 for relaying.
>
> Sicerely, Byung-Hee

I suspect they block outbound to 25 to prevent complaints that their
address range is in spamhaus DUL.

-- 
  Jasen.



Re: [exim] base64 messages

2021-11-25 Thread Jasen Betts via Exim-users
On 2021-11-25, Jim Pazarena via Exim-users  wrote:
> when the entire content of a spam email message is in base64 , is there 
> a variable available that has that content in decoded text so that a 
> filter can view it ?

In the MIME ACL you can access the decoded parts of the
message using readfile:

  decode=default
  set acl_m_this_part_content=${readfile{$mime_decoded_filename}}

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html#SECTscanmimepart

The MIME ACL is somewhat a maze of twisty passages all alike, due to the
recursive nature of MIME. Be prepared for your code to execute
multiple times: once on each part of each message.

I'm using the MIME ACL to process MDRs and log them in a postgresql
database.

-- 
  Jasen.



Re: [exim] getting exim to accept mail on a domain without an MX DNS record.

2021-11-20 Thread Jasen Betts via Exim-users
On 2021-11-19, russellbell--- via Exim-users  wrote:

>   'IP addresses are not domain names. 
>   Yes.  I meant to say that it's a valid address.

ok

>   'They can not have MX records.'
>   Why not?  If an SMTP server at the address handles mail...

then it doesn't need an MX record.

>   'If there is any domain name that has an A record pointing to
> 123.456.789.012, it is likely to work much more often than using the
> IP address directly, even if it has no MX record.'

>   There is an A record, but there's also an MX record that
> points to our mail server, a Microsoft Outlook thing: mail sent to it
> won't arrive at the target server.

one way to avoid the need for ip literals is to make another MX record
(on a sub-domain) that points to the A record for this IP

>   Quoth Jasen Betts: 'You probably need to configure
> [123.456.789.012] as one of the domains that exim accepts for.
>   In host_accept_relay ?

could be local_domains (depending on how different your config is)

>   'you may need to enable IP literal domains too.'
>   Does local_domains_include_host_literals do this?

Exim documentation says: allow_domain_literals. I don't know where that
one comes from.

-- 
  Jasen.



Re: [exim] getting exim to accept mail on a domain without an MX DNS record.

2021-11-19 Thread Jasen Betts via Exim-users
On 2021-11-19, russellbell--- via Exim-users  wrote:
>   I'm trying to configure a domain that has never accepted mail
> from external sources to start.  The server runs exim, which I've
> never used.  I send a message to the domain using its IP, for example
> fred@123.456.789.012.  exim returns:
>
>   'rejected RCPT : The mail server could not deliver mail to
>   'fred@123.456.789.012.  The account or domain may not exist,
>   'they may be blacklisted, or missing the proper dns entries.'
>
>   dig mx 123.456.789.012
>
> returns NXDOMAIN.

MX is not required. Do you have a DNS record for your domain
(like you claim in the subject) or do you only have an IP address?

You probably need to configure [123.456.789.012] as one of the domains
that exim accepts for. You may need to enable IP literal domains too.

-- 
  Jasen.



Re: [exim] [Transport error]: message has lines too long for transport

2021-11-18 Thread Jasen Betts via Exim-users
On 2021-11-18, Andrea Biscuola via Exim-users  wrote:
> Hi all
>
> We are an italian hosting provider (https://host.it) and we use exim to relay 
> e-mails from
> our hosting servers.
> Exim is installed and configured through the directadmin control panel
> (https://www.directadmin.com), so the main configuration is managed using the
> directadmin custombuild subsystem.
>
> One week ago, we upgraded to exim 4.95 and suddenly, some customers (using 
> microsoft
> outlook, nonetheless), started to experience the following error for *some* 
> of their
> e-mails:

Outlook is not email software. Outlook is X.400 software with partial email
capability tacked on.

>  message has lines too long for transport
>   Reporting-MTA: dns; web017.shared.host.it
>
> I received some examples of such e-mails from our customers service, and it 
> appear that
> the problem is with some badly formatted headers.

> Unfortunately, we can't throw those customers out of the window :-) so we are 
> searching
> how to expand the line limits for the transports.

Turn off 8BITMIME. That may be sufficient to prevent this outlook bug.
Perhaps configure two different submission ports, one with 8BITMIME
disabled for the benefit of those afflicted with outlook and one with
all the features enabled.

> However, I'm struggling to understand, from the documentation, what the 
> correct solution
> is. From what I was able to understand, we should modify the remote_smtp and
> remote_smtp_forward_transport sections to solve the problem, with the 
> message_linelength_limit
> parameter set to something like "4096".

The important documentation is here:
https://datatracker.ietf.org/doc/html/rfc5322#section-2.1.1

> Consider also, that the main exim configuration, is handled directly by 
> directadmin and
> it's generated from it's internal "templates". In general, we can safely 
> change a configuration
> file called /etc/exim.variables.conf.custom to put a series of overrides to 
> the default
> configuration.
>
> Do we need to modify the directadmin templates or can we use one of the 
> "custom" files
> in /etc to achieve the same result?

Increasing that limit will break SMTP and will probably just result in the
refusals taking longer to reach the sender.

-- 
  Jasen.



Re: [exim] 'Cloned' config not logging in

2021-11-07 Thread Jasen Betts via Exim-users
On 2021-11-06, Charles Johnson via Exim-users  wrote:
> I have a 'cloned' configuration of exim4 using my hosting's smtp server 
> as a smarthost. I cannot see where the failing one differs in any way 
> from ones where sending is unproblematic. Can someone kindly tell me 
> from the unfreeze debug trace what the problem might be?
>
> Look forward to hearing…
>
> Charles

>   SMTP>> MAIL FROM:<> SIZE=2971
>   SMTP>> RCPT TO:
>  will write message using CHUNKING
>   SMTP>> BDAT 1953 LAST
>   SMTP<< 550 "Please login first"
>   SMTP<< 503 sender not yet given

You're missing the SMTP auth data for sending; the standard debian
config puts that in a file called /etc/exim4/passwd.client

Likely you'll also need to use a real domain name for the recipient.

-- 
  Jasen.



Re: [exim] Hi Exim users - problem with hybrid exchange domain sending to exim.

2021-10-29 Thread Jasen Betts via Exim-users
On 2021-10-29, John Stegenga via Exim-users  wrote:
> My Exim installation is standard, installed on Centos via WHM.
>
>  
>
> Most settings are default.
>
>  
>
> One of my hosted customers reported that one of HIS customers cannot send 
> email to his domain.
>
> We've looked at all kinds of settings, the customers SPF record is ok, but we 
> don't know how to set
> up a PTR for him because:
>
> 1-  His outbound email comes through O365/exchange online, 
>
> 2-  His inbound email goes through ironport devices to an on-premise 
> exchange server.
>
>  
>
> Has anyone dealt with this before?
>
> I added his domain to the whitelist, to no effect.

It's not clear what exim is objecting to, or what change you made where.

Make sure that his domain does not have a broken dnssec configuration.

Perhaps try adding office 365's servers to the whitelist; you should
be able to pull their addresses from the SPF.

-- 
  Jasen.



Re: [exim] dnslists - netmask or wildcard

2021-10-18 Thread Jasen Betts via Exim-users
On 2021-10-18, Nick Rickard via Exim-users  wrote:
>>> Does
>>>
>>>    dnslists =    abcdef.sbl.dq.spamhaus.net
>>>    condition =    ${if match_ip ($dnslist_value) {127.0.0.0/24}}
>>>
>>> do what you need?
>> 
>> Yes, thank you.
>> 
>> Noting that it should, I believe, be curly brackets throughout the condition.
>> 
>> 
> Hmm, I spoke to soon. For my use case, Spamhaus does not always return a 
> single (IP adddress) value leading to errors such as:
>
> connect" ACL: failed to expand ACL string "${if match_ip {$dnslist_value} 
> {127.0.0.0/24}}": "127.0.0.3, 127.0.0.2" is not an IP address
>
> But thank you for the pointer; it feels that with a bit of working through 
> the logic I should be able to make it work.

You've probably already figured this out, but here's a hint anyway:
 
   ${if forany{<, $dnslist_value}{match_ip {$item}{127.0.0.0/24}}}

-- 
  Jasen.
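The multi-valued case that broke the original `match_ip` condition, worked through in Python as an added example (not code from the list post or from the Exim project). It mirrors the `forany{<, $dnslist_value}{match_ip {$item}{127.0.0.0/24}}` expansion and goes slightly beyond it by accepting a list of networks, as exim's `match_ip` does; the `$dnslist_value` strings are constructed to match the shape quoted in the thread.

```python
"""Check a multi-valued DNS-list answer against one or more networks.

Added example; not from the list post or the Exim project. It mimics
exim's forany{...}{match_ip ...} condition in plain Python; sample values
are constructed.
"""
import ipaddress


def split_values(dnslist_value: str) -> list:
    """Mirror the '<, ' list in the post: comma-separated, whitespace trimmed,
    empty items dropped, so both '127.0.0.3' and '127.0.0.3, 127.0.0.2' work."""
    return [v.strip() for v in dnslist_value.split(",") if v.strip()]


def matching_values(dnslist_value: str, networks) -> list:
    """Return every listed address that falls inside one of `networks`.

    `networks` is a CIDR string or an iterable of them. Items that are not
    IP addresses are skipped here; exim's match_ip would instead fail the
    whole expansion, which is exactly the error quoted in the thread.
    """
    if isinstance(networks, str):
        networks = [networks]
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    hits = []
    for item in split_values(dnslist_value):
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            continue  # not an address; exim would raise here
        if any(addr in net for net in nets):
            hits.append(item)
    return hits


def any_match(dnslist_value: str, networks) -> bool:
    """The forany{} condition: true as soon as one value is in the network."""
    return bool(matching_values(dnslist_value, networks))


if __name__ == "__main__":
    # Constructed answers in the shape the thread shows.
    for value in ("127.0.0.3, 127.0.0.2", "127.0.0.3", "127.0.1.5", ""):
        print(f"{value!r:>24} -> {any_match(value, '127.0.0.0/24')}")
```

Looping over the individual values is the whole fix: a DNS-list answer with several A records arrives as one comma-joined string, and a single `match_ip` over that string can only ever fail to parse.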



Re: [exim] Solved: Encrypted SSL Postgres Connection

2021-09-17 Thread Jasen Betts via Exim-users
On 2021-09-16, Pat via Exim-users  wrote:

> That failed with:
> Failed: lookup of "select generate_series(1,10) " gave DEFER: PGSQL 
> connection failed: root certificate file "root.crt" does not exist
> Either provide the file or change sslmode to disable server certificate 
> verification.
>
> I was a little stumped at that point. I was testing from
> /usr/local/etc/exim, and the certificate was indeed present. I tried a
> few different things to the DB_NAME value, such as quoting the redefined
> contents, wrapping some and then all in parenthesis, doing both, etc. but
> nothing changed the output. Then I ran /usr/local/sbin/exim -d +all -be
> '${lookup pgsql{ select generate_series(1,10) }}' which didn't really
> give me anything. However in looking over the output I noticed several
> references to /var/spool/exim, such as:
> lock name: /var/spool/exim/eximuser.lock.
>
> So I moved the two certificates and the key file to /var/spool/exim. Bingo!

This is interesting. It will be hard (impossible) to use slashes in
the database parameters, so yes, you will need to put the key file (or
a symlink that points to it) in the spool directory.

This explains why the bug report is also asking for the option to use
URL-style connection strings; that would allow slashes.

> I am assuming at this point that the DB_PW portion is noise that the
> PG cluster ignores (or at least doesn't parse) because it is set to
> an invalid value but I see no sign of it in the PG log. In fact the
> thepguser role has no password in the cluster.

Exim passes it to libpq. What libpq does with the parameters it gets
from exim is up to the postgresql developers.


-- 
  Jasen.



Re: [exim] Encrypted SSL connection to remote PostgreSQL cluster

2021-09-10 Thread Jasen Betts via Exim-users
On 2021-09-10, Jeremy Harris via Exim-users  wrote:
> On 10/09/2021 09:13, Jeremy Harris via Exim-users wrote:
>> On 10/09/2021 01:31, Patrick via Exim-users wrote:
>>> Before I spend too much time trying to figure this out, is it possible to 
>>> configure my PostgreSQL connection to use passwordless certificate based 
>>> authentication?
>> 
>> Nope.  We're using what seems to be an older API for the client-connection
>> which does not support SSL.  A wishlist-level bug would be appropriate.
>
> Actually, reading the Postgres docs further, there's a faint hope.
> Try something like:
>
> pgsql_servers = "host=192.168.45.16 sslcert=client.crt sslkey=client.key 
> sslmode=verify-ca sslrootcert=root.crt/exim/thepguser/"
>
> (We're still using the older API, but it appears to have a forward-compat
> feature.  This might be pgsql-library version dependent; I'm looking
> at the 8.3 docs)

As I understand it the old libpq connect call naively massages its
parameters to match the new connection string interface, so it's
practical to inject connection parameters using the database-name
field.


-- 
  Jasen.



Re: [exim] Combine hosts/sender_domains in condition?

2021-09-08 Thread Jasen Betts via Exim-users
On 2021-09-08, MRob via Exim-users  wrote:
> On 2021-09-08 05:03, Jasen Betts via Exim-users wrote:
>> On 2021-09-07, MRob via Exim-users  wrote:
>>> Hellos, I was trying to write a clause that needs to combine
>>> 'sender_domains' and 'hosts' in *OR* condition so I can't put on two
>>> separate lines.
>>> 
>>> Is only way for this to repeat the full clause, once with 
>>> sender_domains
>>> and one with hosts?
>> 
>> 
>> if it was an accept or deny rule you could just have another
>> rule for the other condition
>> 
>> So it must be a require rule
>> 
>> change it to a deny rule and invert both conditions.
>> De Morgan's theorem.
>
> It's a deny rule, but I can't change it to accept because if it doesn't 
> match I want it to continue to the next clause.

Make two deny rules.

  deny sender_domains = +thing
       message = I don't like that domain
  deny hosts = +thing
       message = I don't like that host

-- 
  Jasen.



Re: [exim] Combine hosts/sender_domains in condition?

2021-09-07 Thread Jasen Betts via Exim-users
On 2021-09-07, MRob via Exim-users  wrote:
> Hellos, I was trying to write a clause that needs to combine 
> 'sender_domains' and 'hosts' in *OR* condition so I can't put on two 
> separate lines.
>
> Is only way for this to repeat the full clause, once with sender_domains 
> and one with hosts?


If it was an accept or deny rule you could just have another
rule for the other condition.

So it must be a require rule.

Change it to a deny rule and invert both conditions:
De Morgan's theorem.

-- 
  Jasen.



Re: [exim] Subject rewriting

2021-08-31 Thread Jasen Betts via Exim-users
On 2021-08-26, nb via Exim-users  wrote:
> Hi,
>
> I need to change the subject when the message is considered as spam,
> *and* when there is an SPF problem.
>
> I use the following method:
>
> 1 - for SPF:
>  # remove old subject
>  remove_header=Subject
>  # create a new subject
>  add_header = Subject: *** SPF Error *** $rh_Subject:
>
> 2 - for SPAM:
>  # remove old subject
>  remove_header=Subject
>  # create a new subject
>  add_header = Subject: ***SPAM (score: $spam_score)*** $rh_Subject:
>
> It works fine when either of these two cases occur.
> But when both occur at the same time, I don't get the expected result.
> In this case, I get two "Subject" headers.

One way would be to build up the prefix in an ACL variable.

  # 1 - for SPF:
    # add this to subject
    set acl_m_subj_prefix = $acl_m_subj_prefix *** SPF Error ***

  # 2 - for SPAM:
    # add this to subject
    set acl_m_subj_prefix = $acl_m_subj_prefix ***SPAM (score: $spam_score)***

  # then, once, after both checks have run:
  warn
    condition = ${if !eq{}{$acl_m_subj_prefix}}
    logwrite = subject rewritten
    # remove old subject
    remove_header = Subject
    # create a new subject
    add_header = Subject: $acl_m_subj_prefix $h_Subject:
    # discard the variable
    set acl_m_subj_prefix =

> Furthermore, would it be better to use $h_header?

If your exim configuration supports UTF-8, then yes
(headers_charset setting in the main configuration).

-- 
  Jasen.



Re: [exim] One Smart Host for certain domain

2021-08-31 Thread Jasen Betts via Exim-users
On 2021-08-31, Effendy Abdullah via Exim-users  wrote:
> On 2021-08-31 19:52, Cyborg wrote:
>> Am 27.08.21 um 15:35 schrieb Effendy Abdullah via Exim-users:
>> > Hi,
>> >
>> > How do I route to one Smart Host for certain domain and all other domain 
>> > route to another Smart Host. Using WHM/cPanel with Exim.
>
> I think I didn't make myself clear. 
> I'm using MailGun as a smartest with one "default" credentials, with about 80 
> domains. Some of the domain will be using their own login credentials for 
> MailGun.
>
> So my current Exim config in WHM is as follows:
>
> #Section: AUTH
> mailgun_login:
> driver = plaintext
> public_name = LOGIN
> hide client_send = : 
> ${extract{user}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts:
>  
> ${extract{pass}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts

  A:
   change lsearch to nwildlsearch
   add a * entry at the end of the /etc/exim_smarthosts file. that entry has 
the default credentials

 or
 
  B: 
use the not-found branch of "lsearch" or "extract" to get the default
credentials.

which means code like:

 hide client_send = : \
   ${extract{user}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}{$value}{user=DEFAULTUSER}}}}:\
   ${extract{pass}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}{$value}{pass=DEFAULTPASS}}}}

or

 hide client_send = : \
   ${extract{user}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}{$value}{DEFAULTUSER}}:\
   ${extract{pass}{${lookup{$sender_address_domain}lsearch{/etc/exim_smarthosts}}}{$value}{DEFAULTPASS}}



-- 
  Jasen.
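Option A spelled out, as an added example rather than Jasen's or cPanel's configuration; the file layout and the placeholder credentials are constructed, and only the authenticator name mailgun_login and the file path /etc/exim_smarthosts come from the thread:

```exim
# Added example of option A, not from the thread.  Sample file layout
# and credentials are constructed placeholders.
#
# /etc/exim_smarthosts (constructed sample, one line per sending domain;
# the "*" entry supplies the default credentials and must stay last):
#   customer1.example:  user=postmaster@customer1.example pass=PLACEHOLDER_ONE
#   customer2.example:  user=postmaster@customer2.example pass=PLACEHOLDER_TWO
#   *:                  user=default-login@example.net    pass=PLACEHOLDER_DEFAULT
#
# nwildlsearch treats keys as wildcard patterns and returns the first
# line that matches, so a domain with its own entry wins over "*".
# The "n" variant does not expand the keys read from the file, so a
# file editor cannot inject expansion items into the authenticator.
mailgun_login:
  driver = plaintext
  public_name = LOGIN
  hide client_send = : \
    ${extract{user}{${lookup{$sender_address_domain}nwildlsearch{/etc/exim_smarthosts}}}} : \
    ${extract{pass}{${lookup{$sender_address_domain}nwildlsearch{/etc/exim_smarthosts}}}}
```

"hide" keeps the expanded credentials out of exim -bP output for non-admin users; the file itself still needs to be readable only by the Exim user.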



Re: [exim] Exim on server hardware

2021-08-31 Thread Jasen Betts via Exim-users
On 2021-08-26, M.R.P. zensky via Exim-users  wrote:
> Can Exim be installed on a desktop pc or is it better to have a dedicated 
> server.

Yes. If your PC is fast enough for your traffic needs it will run ok.

If it's a single user, small office or family setup then a PC will be
fine. Probably a raspberry pi with an external disk would even be 
sufficient for a single user.

If you're going to do bulk sending you'll discover all the people who
don't like bulk sending. More powerful hardware won't help there.



-- 
  Jasen.



Re: [exim] local_domains by dns

2021-08-26 Thread Jasen Betts via Exim-users
On 2021-08-26, Cyborg via Exim-users  wrote:
> Hi,
>
> the exim docs do not seem to cover the topic of "how to build" a 
> local_domains list, they only cover the topic of "whats the syntax of a 
> list".
>
> My actual problem is to build the content of local_domains from DNS IN 
> MX Records. The server shall only handle the domain as local,
> if the mx is pointing to an address on the host.

Ok, if DNS has the answer, what do you need local_domains for? 

> Has anyone done this?

No, because it's impossible, there is no DNS lookup that will find all
the domains that use any host as their MX.

> Can it be archived without perl script execution, which would be a 
> performance drop at least?

There's probably a better solution to be had by using routers.
something like:

routers

  i_the_mx:
driver = dnslookup
ignore_target_hosts = ! : 
! : ...
self = send  
# code here to check the mailbox part.

  deny_external:
driver = manualroute
condition=${if eq{}{$authenticated_id}}
allow_fail
data=:fail: relay access denied
  
  ...
 
Then in the rcpt acl you just say 

  require
 verify=recipient
 
-- 
  Jasen.



Re: [exim] Receive Mail From a Secondary-MX Proxy

2021-08-26 Thread Jasen Betts via Exim-users
On 2021-08-25, Sabahattin Gucukoglu via Exim-users  wrote:
> I am thinking about how I’ll manage to send and receive mail from the 
> Internet by way of a proxy, with SOCKS for outbound and proxy-protocol for 
> inbound mail, where the proxy is also potentially a backup MX. The idea is 
> that I will run the mailer on a network with a dynamic connection, and use a 
> VPS with a fixed IP for connectivity that’s trustworthy for other MX hosts, 
> which only accepts mail when the ISP connection goes down for a noticeable 
> period. I could even extend the client connection through a VPN, so the ISP 
> is oblivious to how it’s used (the country in question has a very flexible 
> approach to civil liberties).
>
> The doc says Exim recognises a proxy host by IP; does this mean I
> can’t receive ordinary mail from it as a secondary MX? If not, how do
> you think I ought to go about this?

Tell the proxy protocol host to deliver email to its own external IP
address; that will cause it to open a proxy connection to the exim server.

> What about if I extent this setup so that my mailer machine only makes 
> outbound connections to the proxy host—can I still receive inbound mail, 
> through a forwarded port perhaps? SSH seems like the obvious answer, but then 
> I’d lose sender information, yes? I could use an inner VPN, perhaps. But 
> something that only carries application-layer traffic would be nicer. Exim 
> supports SOCKS, but not the bind method—perhaps that would be useful.

I'm not sure what you mean.

-- 
  Jasen.



Re: [exim] * in local_part

2021-08-22 Thread Jasen Betts via Exim-users
On 2021-08-18, Henry Pootel via Exim-users  wrote:
> Hello.
>
> I would like to forward some addresses to one by mask with pattern.
>
> For example:
>
> all messages, which coming to *test@my.domain must be forward to 
> email@my.domain
>
> I've tried it with alias file ( *test@my.domain: email@my.domain )... 
> not work.
>
> How it possible?
>
> Thanks.

use wildlsearch instead of lsearch for processing the file.

search the exim configuration for the name of the file.

-- 
  Jasen.



Re: [exim] Differences exim 4.93 and 4.94

2021-08-21 Thread Jasen Betts via Exim-users
On 2021-08-21, SysAdmin EM via Exim-users  wrote:
> I try to make a connection but I see the following error:
> /opt/exim/bin/exim -be '${lookup
> mysql{servers=127.0.0.1::6033/c233/sqlmonitor/9cCnX7NigY99
> select 1+1 }'

> Failed: lookup of "servers=127.0.0.1::6033/c233/sqlmonitor/9cCnX7NigY99
> select 1+1 " gave DEFER: missing ; after "servers=" in MySQL lookup

Sorry, I handed you bad syntax; try this:

/opt/exim/bin/exim -be '${lookup mysql{servers=127.0.0.1::6033/c233/sqlmonitor/9cCnX7NigY99; select 1+1 }'

If that password was an important secret, sorry about that too.

If it works you should get "2" as the result. Then try without the
"servers=127.0.0.1::6033/c233/sqlmonitor/9cCnX7NigY99;" part to confirm
that the config file is working.

you can also try adding debug flags before the -be 

 -d+lookup
  
which will give more diagnostics on the connection to mysql.

-- 
  Jasen.



Re: [exim] Differences exim 4.93 and 4.94

2021-08-20 Thread Jasen Betts via Exim-users
On 2021-08-20, SysAdmin EM via Exim-users  wrote:

> In the server in production we use a version prior to exim and I cannot
> make the connection to proxysql work.

Can you make tcp connections to your proxysql using other mysql clients?

what exact error message does exim give?

Is there anything interesting in the proxysql log file?

Try this and report the result:

/usr/sbin/exim -be '${lookup mysql{servers=127.0.0.1::6033/database/user/pass select 1+1 }'

>> ### Testing Server ###
> Exim version 4.94 #2 built 03-Aug-2020 15:07:07

> ### Production Server ###
> Exim version 4.93 #5 built 18-Dec-2019 13:45:23


> Are there many differences between the exim versions? Any suggestion?

I'm not aware of any significant changes to the mysql support.

-- 
  Jasen.



Re: [exim] missing message id in email converted to user in virtual users

2021-08-15 Thread Jasen Betts via Exim-users
On 2021-08-13, Patrick Unthank via Exim-users  wrote:

> I am not sure why there is no message-id passed to postfix when there is 
> one recorded in the exim log, i.e. id=3D1mDi3K-0005a1-RG

That id is an exim ID that exim uses to track the email, not a
Message-Id header, which should have been added by the sender's
email client or the initial MTA.


-- 
  Jasen.



Re: [exim] Exim in systemd system (queue mode)

2021-07-08 Thread Jasen Betts via Exim-users
On 2021-07-08, Jeremy Harris via Exim-users  wrote:
> On 02/07/2021 20:25, michael--- via Exim-users wrote:
>> Now, in a systemd based system the "/etc/init.d/exim queue" command is
>> missing. And I can't find a "systemctl queue exim.service" equivalent.
>> Can I just replace this step with: "/usr/sbin/exim -bd -odq" ?
>
> If that matches your usual command line, yes.
>
>> Or do you recommend another approach?
>
> It depends what your concerns are.  I assume you're worrying
> about half-delivered files but not about half-received files
> in spool.  You'd want to add a detect/wait for any ongoing
> queue-runner processes to what you list, though (ok, the
> probability of a queued message for a local delivery destination
> is low. But nonzero).
>
>
> Another approach would be to test in ACL the existence of
> a named file, and if present, divert received messages to
> an alternate queue and set queue-only.

You could have a router that defers in the presence of the named file
immediately before the local delivery router, this would cause local
deliveries to be deferred (and end up held on the queue) until the file
goes away.

A router something like this:

  hold_this:
driver = redirect
verify = no
domains = +local_domains
condition = ${if exists{/run/lock/backup_in_progress}}
allow_defer = yes
data = :defer: backup in progress


-- 
  Jasen.



Re: [exim] too long line but which one?

2021-06-30 Thread Jasen Betts via Exim-users
On 2021-06-30, Arkadiusz Miśkiewicz via Exim-users  wrote:
>
> Hi,
>
> how to log that too long line(s), so it will be easy to point where the
> problem is in case of mail incoming via smtp ?
>
>deny
>  message   = maximum allowed line length is 998 octets, \
>  got $max_received_linelength
>  condition = ${if > {$max_received_linelength}{998} }


presumably the sender can do 

 egrep -n '.{999}' message_file.txt 

or equivalent

-- 
  Jasen.



Re: [exim] IPv6 bug with reverse_host_lookup

2021-06-25 Thread Jasen Betts via Exim-users
On 2021-06-24, Cyborg via Exim-users  wrote:
> Am 24.06.21 um 20:05 schrieb Evgeniy Berdnikov via Exim-users:
>> On Thu, Jun 24, 2021 at 01:11:40PM -0400, Robert Blayzor via Exim-users 
>> wrote:
>>> On 6/24/21 11:54 AM, Evgeniy Berdnikov via Exim-users wrote:
Pls, post here result of
exim -d-all+dns+acl -bh '[2602:ff1c:1:80::50]:60631'
>>> Exim version 4.94.2 uid=0 gid=0 pid=27354 D=24
>> ...
>>> looking up host name for 2602:ff1c:0001:0080::::0050
>>> DNS lookup of
>>> 0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa.
>>> (PTR) succeeded
>>> Reverse DNS security status: unverified
>>> IP address lookup yielded "mta4.pr.judicialwatch.org"
>>> DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
>>> checking addresses for mta4.pr.judicialwatch.org
>>> Forward DNS security status: unverified
>>>192.107.243.81
>>> no IP address for mta4.pr.judicialwatch.org matched
>>> 2602:ff1c:0001:0080::::0050
>>> 2602:ff1c:0001:0080::::0050 does not match any IP address for
>>> mta4.pr.judicialwatch.org
>>   And below is output from my test host:
>>
>> looking up host name for 2602:ff1c:0001:0080::::0050
>> DNS lookup of 
>> 0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa. 
>> (PTR) succeeded
>> Reverse DNS security status: unverified
>> IP address lookup yielded "mta4.pr.judicialwatch.org"
>> DNS lookup of mta4.pr.judicialwatch.org () succeeded
>> DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
>> checking addresses for mta4.pr.judicialwatch.org
>> Forward DNS security status: unverified
>>2602:ff1c:1:80::50 OK
>>
>>   The difference is that your Exim does not do IPv6 () record lookup.
>>   Try to locate the reason... I'd propose to compare with pure Exim setup.
>
> I just verified it on a IPv6 enabled 4.92.2 system, and it does show the 
> excat same error as Robert gets:
>
> host in hosts_connection_nolog? no (option unset)
> LOG: smtp_connection MAIN
>    SMTP connection from [2602:ff1c:0001:0080::::0050]
> host in host_lookup? yes (matched "*")
> looking up host name for 2602:ff1c:0001:0080::::0050
> DNS lookup of 
> 0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa. 
> (PTR) succeeded
> Reverse DNS security status: unverified
> IP address lookup yielded "mta4.pr.judicialwatch.org"
> DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
> checking addresses for mta4.pr.judicialwatch.org
> Forward DNS security status: unverified*
> **  192.107.243.81*
> no IP address for mta4.pr.judicialwatch.org matched 
> 2602:ff1c:0001:0080::::0050
> 2602:ff1c:0001:0080::::0050 does not match any IP address 
> for mta4.pr.judicialwatch.org
>
> # exim -be '${lookup dnsdb {ptr=2602:ff1c:1:80::50}}'
> mta4.pr.judicialwatch.org

perhaps you have ip6 lookups disabled in /etc/gai.conf ?

-- 
  Jasen.



Re: [exim] Advice: NFS, hardware, SATA vs SAS etc

2019-12-06 Thread Jasen Betts via Exim-users
On 2019-12-04, venbian via Exim-users  wrote:
> Hello gurus,
>
> As 2020 nears I wanted to ask opinions about the current state of
> hardware requirements for a small business email platform. $dayjob
> asked me to enhance our existing platform to improve performance and
> add redundancy.   

Q1: how much of each?

> Main questions (TLDR):
>
> Can NFS handle heavy IMAP, LDA, HTTP workload?

yes: this is not microsoft - there are no software performance limits.
But using NFS for server disk will double your network traffic (or
worse when doing server side searches)

> Is direct attached SATA III 6Gb/s SSD in RAID 1 sufficient or is SAS needed?

see Q1

> Is gigabit ethernet the bottleneck in any case? I can upgrade to a
> 10 gigabit local network if advisable.  

> Can NFS peacefully co-exist with other mail system workloads without
> resource contention such as SQL DB or spamassassin or redis, etc?

if your database is on direct attached disk then yes.

> More detail:
>
> I had bad experiences with NFS approx 15yrs ago where IMAP load
> saturated controller link (yes, noatime was used on the mount) and was
> unusable. But in 2020 is it time to give NFS another look?  

why would you want to use NFS?  I would pick E-SATA or USB3
direct-attach over NFS, and internal direct-attach over that.

> Current mail storage setup uses local attached large SATA SSD and
>does well, but it directly hosts HTTP, LDA, IMAP and Submission which
>could all be faster and it only does nightly backups. Adding SAN is
>probably out of $dayjob pricerange and SAS is borderline. Power
>consumption is also a factor so instead of a dedicated file server I
>thought it would make more sense to build a big server with direct
>attached fast SATA SSD in mirrored RAID that also has strong CPU and
>maximum memory so it can also run some of the backend process such as
>spamassassin, redis or SQL database etc. (we want to start using SQL
>DB for more which means it will be under heavy use) 

> What workloads can best co-exist with NFS where each does not contend for the 
> other's resources?

NFS server uses disk and LAN          D   L
NFS client uses RAM and LAN             R L
S.A. uses CPU and RAM                   R C
Redis uses RAM and CPU                  R C
SQL uses RAM and disk and CPU         D R C

Redis and SQL also use the lan if they're serving other servers.
 
> I'd put a couple smaller machines in HA in front of that to proxy
> webmail, HTTP website, IMAP and Submission. Edge MTA is on a separate
> server and would probably stay that way, maybe adding a failover. It
> keeps a fraction of its mail in the local system but will make more
> heavy use of the SQL DB which I thought to also put on the file
> server(?)


> Could NFS keep up with load for proxy of HTTP, IMAP, LDA, etc?
>
> Is local attached SATA SSD in RAID 1 ok? Will 6Gb/s SATA III be a bottleneck 
> in any possible scenario? I was looking at motherboards with multiple PCIe or 
> M.2 slots thinking NVMe bandwidth (3GB/s) would be great but I'm unsure if 
> NFS, gigabit ethernet or other components could even make use of it.

see Q1

> Or is that too amateur and local attached (hope not remote attached) SAS a 
> minimum requirement? SAS SSDs are a newer thing I never used and expensive 
> for the $boss. I read some people express doubts that SSD is suited for SAS 
> at all which is one reason I thought just use SATA for more efficient power 
> and cost.
>


> Our workload:
>
> We process a lot of mail but as you can guess, don't have tremendous
> storage needs.  We have several tens of thousands of users but a
> smaller fraction of that are actively using mail every day. Maildir
> storage is several TB. Exact daily mail volume is unknown but should
> be on the order of a few million, many which users have forwarded to
> to other accounts so a small fraction is stored locally.

Forwarding can get messy when gmail thinks _you_ are spamming.

SATA will probably work alright there.

> We also have few TB of web data that is hosted from a server in the
> same location that I thought to unify into the NFS setup.

I wouldn't use NFS as server disk unless the service was CPU
intensive.  so servers running Redis or S.A. are good candidates for
being NFS clients. others not so much.

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] message_size_limit depending on incoming domain

2019-11-19 Thread Jasen Betts via Exim-users
On 2019-11-18, Niels Kobschätzki via Exim-users  wrote:
> Hi,
>
> I know that there is a setting message_size_limit and that I can 
> control it
> globally and per router.
>
> I accept mails for a lot of domains and for some of those domains 
> I'd like to
> have a bigger message_size_limit than for the rest. Those domains 
> are already
> handled differently but I am not sure at which point the 
> message_size_limit
> comes into play.

When they say "EHLO ..." right at the start, exim responds with "SIZE ."

When they say "MAIL FROM..." they have the option to declare the size
of the content, and if they say something too big exim will deny them.


http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html

You can't vary this setting based on anything that happens after EHLO.


For your rcpt-based checks you can do ACL checks on $message_size and
then refuse the email (or recipient) if $message_size is too big.

-- 
  When I tried casting out nines I made a hash of it.
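An added example, not from the thread, of the $message_size checks Jasen describes. The per-domain limits come from an assumed file /etc/exim4/size_limits; the ACL names acl_check_mail, acl_check_rcpt and acl_check_data, the variable acl_m_size_limit, the macro DOMAIN_LIMIT and the 50M/10M figures are all constructed for the illustration:

```exim
# Added example, not from the thread.  File name, ACL names, variable,
# macro and the size figures are assumptions.

# --- main section ---------------------------------------------------
# Limit for one recipient domain, 10M for domains not listed.
# /etc/exim4/size_limits (constructed sample):
#   bigfiles.example:  50M
#   partner.example:   25M
DOMAIN_LIMIT = ${lookup{$domain}lsearch{/etc/exim4/size_limits}{$value}{10M}}

# Global ceiling, advertised as SIZE after EHLO.  It must be at least
# the largest per-domain value, or that value can never be reached.
message_size_limit = 50M

acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

begin acl

acl_check_mail:
  # Start every message with no per-domain limit chosen yet.
  accept
    set acl_m_size_limit =

acl_check_rcpt:
  # Keep the smallest limit among all recipients seen so far, so a
  # message to a 50M domain and a 10M domain is held to 10M.
  warn
    set acl_m_size_limit = ${if eq{$acl_m_size_limit}{} \
                              {DOMAIN_LIMIT} \
                              {${if <{DOMAIN_LIMIT}{$acl_m_size_limit} \
                                   {DOMAIN_LIMIT}{$acl_m_size_limit}}}}

  # Here $message_size is only the SIZE the client declared on MAIL FROM
  # (-1 when it declared nothing), so this rejects early but cannot be
  # relied on; the DATA check below enforces the real size.
  deny
    message   = Message too large for $domain (limit $acl_m_size_limit)
    condition = ${if >{$message_size}{$acl_m_size_limit}}

  # (relay and recipient verification checks omitted)
  accept

acl_check_data:
  # Now $message_size is the size of what was actually received.
  deny
    message   = Message too large (limit $acl_m_size_limit)
    condition = ${if >{$message_size}{$acl_m_size_limit}}

  accept
```

Numeric conditions accept K and M suffixes, so the values can be kept in the file as written; the DATA-time deny is the one that actually enforces the limit, since the RCPT-time value is whatever the client chose to declare.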



Re: [exim] ACL error "for linear search: No such file or directory"

2019-11-15 Thread Jasen Betts via Exim-users
On 2019-11-15, Emanuel Gonzalez via Exim-users  wrote:

> condition = ${if
> exists{${lookup{$sender_address}lsearch*@{${perl{getmaildir2}{$local_part@
> $domain}}/.spamassassin/whitelist{no}{yes}

> where is my error in the sintax?

this bit looks fishy:

 whitelist{no}{yes}

you're not closing the exists{ condition before the true and false
options of the if - perhaps you want this:

condition = ${if \
exists{${lookup{$sender_address}lsearch*@{${perl{getmaildir2}{$local_part@$domain}}/.spamassassin/whitelist}}}{no}{yes}}


-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] conditional email forwards to another host

2019-11-12 Thread Jasen Betts via Exim-users
On 2019-11-12, Lars Schimmer via Exim-users  wrote:

> Hi!
>
> I need a little help, mostly for security.
> I do run a exim4 host (debian), and I want to forward all emails
> incoming for 3-5 Emails to another host (NOT a different domain)
>
> As far as I understand it, I need:
> - transport fo the 2nd host
> - router which routes the email to the transports
>
> Has anyone a example for such a router wiht a condition?
> Mostly I do not want to experiment with a live server...
>
> thank you.
>
> MfG,
> Lars Schimmer

easiest is to actually use another domain and just forward the emails using
~/.forward or /etc/aliases 


else you create a manualroute router that matches your domain and
the appropriate local_parts and routes them to the destination server.


a router something like this:


  these_go_elsewhere:
driver = manualroute
domains = example.com
local_parts = mailbox1 : mailbox2 : mailbox3
route_list = * elsewhere.example.com
transport = remote_smtp
  
add it to the routers section of the configuration before the routers for local 
delivery.



-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Finding Fallback DKIM Domain

2019-10-30 Thread Jasen Betts via Exim-users
On 2019-10-29, Christian K via Exim-users  wrote:
>> Presumably you have a list of all your domains.
>> It's a simple lookup, then.  Just write a suitable
>> file, or database, and use that.
>
>
> This will be the workaround if I find no general solution for any
> subdomains but it unfortunately means I'll need to keep a list of all
> subdomains.

it may be possible to write a script that maintains the list, and use
nwildlsearch to scan the list.

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] How to suspend user to send emails, even to local domain?

2019-10-19 Thread Jasen Betts via Exim-users
On 2019-10-18, pedro.almeida--- via Exim-users  wrote:
> Hi,
>
> Thank you for your help, Marius.
>
> Could you please elaborate a litle on how to filter those user ids out 
> in the sql query?
>
> Regards
>
>
> On 18/10/19 14:19, Cyborg via Exim-users wrote:
>> Am 18.10.19 um 14:26 schrieb ersrpca001 ersrpca001 via Exim-users:
>>> Should I create a rule?
>>>
>>> Or should I create a limit to these 2 users, of sending zero emails?
>> make SQL based authentication for SMTP-AUTH,
>> enforce SMTP-AUTH,
>> filter both user ids out in your sql query.
>>
>> Marius
>>
>

how do you want to indicate who is allowed and who is not?


-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Unstoppable spam

2019-09-24 Thread Jasen Betts via Exim-users
On 2019-09-24, Odhiambo Washington via Exim-users  wrote:

> Authentication-Results: gw.ourdomain.tld;iprev=fail
>   smtp.remote-ip=5.61.42.174;auth=pass (PLAIN)
>   smtp.auth=benson.ku...@ourdomain.tld;dmarc=skipped
>   header.from=ourdomain.tld

Is that a standard header? I've not seen exim adding that.

It seems to say they did "auth plain" and gave an acceptable password
(especially in combination with "esmtpsa" in the received header).

Could there be some problem with your plain authenticator? What is it
authenticating against?

Can you share the ' <= ' line for this email (1iCQpf-0002zI-7B) in the
exim logs it should be near Mon, 23 Sep 2019 19:05:01 +0300

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] CVE-2019-15846 ..Exim Vulnerability

2019-09-13 Thread Jasen Betts via Exim-users
On 2019-09-13, Jan Ingvoldstad via Exim-users  wrote:
> From the Wheezy ELTS package:
[...]
> dpkg-source: info: applying 92_Fix-base64d-buffer-size-CVE-2018-6789.patch
> dpkg-source: info: applying 93_CVE-2019-15846.patch
>

it looks like the patch is present already in the debian package, that's good 
news.

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] CVE-2019-15846 ..Exim Vulnerability

2019-09-13 Thread Jasen Betts via Exim-users
On 2019-09-12, Richard Jones via Exim-users  wrote:
> On Sep 12, Heiko Schlittermann via Exim-users wrote
>> If you're out of luck, either upgrade your Debian system to a recent
>> one, or prepare to compile Exim on your own. (This is not as hard as it
>> seems, but you have to care about further updates manually).
>
> I don't suppose anyone has magical instructions on how to do this for
> exim4-daemon-heavy?
>

grab the exim sources from a recent debian and install build-deps
and try to compile...  all the exim-* packages in debian come from a
single source package.

I was unsuccessful building exim 4.80 on Jessie (debian 8) earlier
this year, so building on Wheezy may require significant effort
(like building other libraries from source to support this exim).

It's probably easier to install the wheezy exim4 source package, patch
it manually (it's a one line patch) and rebuild.

 
workflow something like this, (* represents a version number):

 sudo apt-get build-dep exim4
 apt-get source exim4
 cd exim4*
 vi src/strings.c  # make the edit
 fakeroot debian/rules binary # build takes several minutes.
 sudo dpkg -i ../exim4-daemon-heavy*.deb
 
 

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Exim and Postfix

2019-08-31 Thread Jasen Betts via Exim-users
On 2019-08-28, Eliza via Exim-users  wrote:
> Hi
>
> on 2019/8/28 17:07, Heiko Schlittermann via Exim-users wrote:
>> The Exim configuration partly mimics a programming language, and allows for
>> a multitude of runtime expandable parameters, you can use the embedded
>> Perl interpreter, use database lookups (key/value, directory,
>> relational) in almost any places of the configuration.
>> 
>> Its runtime configuration allows you to build sophisticated ACL for
>> incoming messages, build sophisticated mail routing (e.g. based on
>> content scanning results, mail headers, external programs, …)
>
> If exim supports runtime configuration, it becomes more flexible, for 
> content filter etc. But how about the performance to accept/deliver 
> messages comparing to postfix?

Interpreted code is about 100 times slower than native code, but disk is
about 100 times slower than memory, and WAN is about 100 times slower than
disk. What's the hurry?

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Exim Logo as vector graphics

2019-08-27 Thread Jasen Betts via Exim-users
On 2019-08-27, Heiko Schlittermann via Exim-users  wrote:
>
> Jasen Betts via Exim-users  (Di 27 Aug 2019 12:06:32 
> CEST):
>>
>> I have taken MK which seems to be original line art and pushed its
>> shading in the direction of the original bitmap.
>
> Who or what is MK?

It was the file name of one of the SVGs that was posted here,
presumably an attribution to the author.

> Thank you a lot.

You're welcome.



-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Exim Logo as vector graphics

2019-08-27 Thread Jasen Betts via Exim-users
On 2019-08-20, Heiko Schlittermann via Exim-users  wrote:

> Thank you for the 3 logos we got so far.
>
> The cPanel folks told me that these SVG are not perfect, but usable to
> some extend.

I have taken MK which seems to be original line art and pushed its
shading in the direction of the original bitmap.

I can't do mime attaches using slrn, so you'll have to cut here
 - - - - 8< - - - - 8< - - - - 8< - - - - 

[Inline SVG attachment "mk2.svg" (Inkscape 0.92.4, viewBox 0 0 360 226, containing the text "exim"); only the root <svg> attributes survived in the archive, the path data did not.]



Re: [exim] Exim, Dovecot, mdir and hardlinks - a true story

2019-08-15 Thread Jasen Betts via Exim-users
On 2019-08-15, Jeremy Harris via Exim-users  wrote:
> On 14/08/2019 20:09, Cyborg via Exim-users wrote:
>> I really believe, an option to match quota/du behaviour and use stat()
>> on each file to check
>> the inode, is fine. A) it's relatively simple to do, B) does not break
>> existing installations and C) works on NFS as well, i think.
>
> We already use stat on each file, unless quota_size_regex is set.
>
> If we take Nigel's excellent point that dividing the filesize by the
> link count, both from a stat call, does the job - plus document the
> point that using quota_size_regex gets quotas wrong in environments
> using linking - this would seem to be the minimum possible change.
>
> Does it satisfy enough cases?

I think that if OS filesystem quotas are in use (rather than software
quotas) exim will be getting errors in response to open(2) write(2)
or close(2) calls when it attempts to exceed them, and it probably
already handles that scenario fairly well.

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] exim filters to/from/cc address

2019-07-24 Thread Jasen Betts via Exim-users
On 2019-07-23, Gary Stainburn via Exim-users  wrote:
> In my user filter I have a number of entries similar to
>
> if ($h_from: matches "user@domain") or
>   ($h_to: matches "user@domain") or
>   ($h_cc: matches "user@domain")   then
>   deliver mobileph...@mydomain.com
>   seen
>   finish
> endif
>
> which is used to forward important emails to my phone.
>
> Is there an easier way to do this, e.g. a variable containing all recipients, 
> or all addresses?

There's probably a better way.  Why does that work?

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Unable to send the mail but able to receive them

2019-07-16 Thread Jasen Betts via Exim-users
On 2019-07-15, necktwi via Exim-users  wrote:
> From my mac mail client I've connected to a remote exim+dovecot server. Since a 
> few weeks back I was not able to send mail but able to receive.
>
> exim in /var/log/messages says:
> Jul 14 15:22:15 RPi3B exim[3576]: 2019-07-14 20:52:15 dovecot_plain 
> authenticator failed for ([xx.xx.xx.xx]) [yy.yy.yy.yy]: 535 Incorrect 
> authentication data (set_id=necktwi)
>
> dovecot in /var/log/dovecot.log says:
> Jul 14 19:40:27 auth: Debug: client in: AUTH 1  LOGIN service=smtp   
> rip=yy.yy.yy.yy  lip=xx.xx.xx.xx nologin  resp= (previous base64 data may 
> contain sensitive data)
> Jul 14 19:40:27 auth: Debug: client passdb out: CONT  1  VXNlcm5hbWU6
> Jul 14 19:40:27 auth: Debug: auth client connected (pid=0)
> Jul 14 19:40:27 auth: Debug: client in: AUTH 1  PLAIN service=smtp   secured  
> rip=xx.xx.xx.xx lip=yy.yy.yy.yy nologin  
> resp=aeVja333aQeuZWerdHdpAeRecmezaG9lcw== (previous base64 data may contain 
> sensitive data)
> Jul 14 19:40:27 auth: Debug: policy(necktwi,xx.xx.xx.xx): Policy check action 
> is continue
> Jul 14 19:40:27 auth-worker(11866): Debug: pam(necktwi,xx.xx.xx.xx): lookup 
> service=smtp
> Jul 14 19:40:27 auth-worker(11866): Info: pam(necktwi,xx.xx.xx.xx): 
> pam_authenticate() failed: Authentication failure (Password mismatch?) (given 
> password: xxx)
>
> (log is obfuscated)
>
> Is it the problem with dovecot or exim?
> Should exim contact dovecot prior to sending the mail?
> I have also tried windows mail client with same error.

It's been a few years since I did this, from what I recall.

Exim requires access to the SASLAUTH socket; as exim is not running
as root you need to ensure that the path to the socket and the socket
itself are accessible by the user that exim runs as.

Maybe something here?
https://wiki.dovecot.org/HowTo/EximAndDovecotSASL

You might need to add the exim user to the group that owns the
SASLAUTH socket.

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] CVE-2019-10149: already vulnerable ?

2019-07-04 Thread Jasen Betts via Exim-users
On 2019-07-03, Marc Haber via Exim-users  wrote:
> On Sun, 23 Jun 2019 20:02:33 +0100, Jeremy Harris via Exim-users
> wrote:
>>   deny local_parts = \N ^.*$ : ^.*\\x24 : ^.*\\0?44 \N
>>        message = no mate
>
> This might be a really stupid question, but what exactly does that do?
>
> ^.*$ blocks local_parts containing a $

It looks to me like it matches any string; it should probably be ^.*\$
which would match any string containing a literal '$'.

> ^.\\x24 does the same?

matches strings containing the literal '\x24'

> but I'm stymied about the \\0.44 notation, what's that?

assuming typo: \\0?44 matches strings containing literal '\044' and '\44'

-- 
  When I tried casting out nines I made a hash of it.

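The point made above about the first pattern can be checked outside Exim. The following is an added example (mine, not from the thread or the Exim project) that runs the three patterns, as posted and with the corrected first pattern, against a few constructed local parts using Python's re module, whose handling of `^`, `.*`, `$` and `\\` matches PCRE for these patterns. It shows that the rule as posted denies every local part, while the corrected list denies only local parts carrying a dollar sign or one of the two escape spellings:

```python
import re

# The three patterns from the quoted "deny local_parts" rule, exactly as posted.
# Exim hands the \N...\N list to PCRE without string expansion, so "$" is the
# end-of-string anchor and "\\x24" is a literal backslash followed by "x24".
PATTERNS_AS_POSTED = [r"^.*$", r"^.*\\x24", r"^.*\\0?44"]

# The same list with the first pattern corrected as suggested in the reply:
# "\$" makes it match a literal dollar sign instead of every local part.
PATTERNS_CORRECTED = [r"^.*\$", r"^.*\\x24", r"^.*\\0?44"]


def first_matching_pattern(patterns, local_part):
    """Return the first pattern that matches local_part, or None.

    A colon-separated list in an Exim "deny local_parts = ..." condition
    succeeds on the first item that matches; re.search() over the list
    mirrors that (the pattern may match anywhere, "^" anchors it itself).
    """
    for pattern in patterns:
        if re.search(pattern, local_part):
            return pattern
    return None


def local_part_denied(local_part, patterns=PATTERNS_CORRECTED):
    """True if the deny rule would fire for this local part."""
    return first_matching_pattern(patterns, local_part) is not None


# Constructed sample local parts: a plain name plus the character forms each
# pattern is meant to catch. These are just the characters involved, nothing
# more; "a044b" has no backslash and must stay accepted.
SAMPLE_LOCAL_PARTS = ["alice", "bob$x", "a\\x24b", "a\\044b", "a\\44b", "a044b"]


def audit(patterns, local_parts=SAMPLE_LOCAL_PARTS):
    """Map each sample local part to the pattern that denies it (None = accepted)."""
    return {lp: first_matching_pattern(patterns, lp) for lp in local_parts}


if __name__ == "__main__":
    for label, pats in (("as posted", PATTERNS_AS_POSTED),
                        ("corrected", PATTERNS_CORRECTED)):
        print(label)
        for lp, hit in audit(pats).items():
            print(f"  {lp!r:12} -> {'denied by ' + repr(hit) if hit else 'accepted'}")
```

Running it prints every sample as denied under the posted list (the `^.*$` item catches "alice" as well), and only the four samples containing `$`, `\x24`, `\044` or `\44` as denied under the corrected list.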


Re: [exim] error ignored

2019-06-27 Thread Jasen Betts via Exim-users
On 2019-06-26, Lena--- via Exim-users  wrote:
> Exim 4.92 as a smarthost gets a 5xx after end of data, but doesn't send a DSN.
> In mainlog (I redacted with asterisks and inserted blanks after @):
>
> 2019-06-20 18:28:19 +0300 1hdyz4-000G6A-BR <= Len*@ lena.kiev.ua 
> H=ip-19*6.rusa*ovka-net.ki*v.ua (bedsi*e.lena.kiev.ua) [94.244.2*.38] 
> I=[62.109.6.225]:52*5 P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 
> CV=no S=3473 RT=0s id=20190620152815.gg...@lena.kiev
> 2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR ** doma*@ tiscali.cz 
> R=remote_domains T=remote_smtp H=tax.virusfree.cz [212.224.105.18] 
> I=[62.109.6.225] X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no: SMTP error 
> from remote mail server after end of data: 554 message refused (#5.7.1) - for 
> more information visit https://www.virusfree.cz/cs/help
> 2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR doma*@ tiscali.cz: error ignored
> 2019-06-20 18:28:21 +0300 1hdyz4-000G6A-BR Completed QT=2s
>
> I see "error ignored" in deliver.c, but I don't understand why
> in this simple case - a personal message with single recipient.
> Why "error ignored"?
> My config doesn't contain "errors_to".
> Nothing in rejectlog, spool.
>
> I cannot reproduce, repeat message was accepted.


usually that means that exim can't find a route for the return path, 
the route finds a retry counter that is older than the retry limit, 
or the route returns an explicit fail.

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Help with AUTH DDOS

2019-06-26 Thread Jasen Betts via Exim-users
On 2019-06-24, mixed8e--- via Exim-users  wrote:
> Hi, I have a server under a minor DDOS of AUTH guessing attacks. I
> installed fail2ban and tried to be conservative, allowing 50 AUTH guesses
> before banning an IP address. Unfortunately, the attack has too many bots
> and the server is under heavy load so I temporarily reduced the threshold
> to just a single AUTH failure before banning. I hope no users forget their
> passwords!
>
> It looks like fail2ban's default iptables integration does not drop
> connections that are already established, because I'm seeing a lot of
> fail2ban log lines stating "already banned" and also Exim log lines from
> suspect IP addresses with this:
>
> TCP/IP connection count = 161
>
> Eventually I would hope the connections will naturally drop and the ban
> will become more effective (empirically that seems to be happening).
> However, I'd like to ask for general opinions on the matter and one
> specific question:
>
> What would be the Exim setting to limit the number of TCP connections?  Or
> is it a bad idea to limit connections like that?  I do know at least one
> group of users of this server sit behind a single IP address, so the
> connection count for that IP address is very high.  Does that mean I can't
> approach the problem from this angle? (short of whitelisting known
> addresses)

Set smtp_accept_max_nonmail lower. This may inconvenience some users a
little, and RSET and HELO are counted as nonmail IIRC.

Alternatively, in ACL_AUTH:

  drop
    set acl_c_auth_count = ${eval:$acl_c_auth_count + 1}
    condition = ${if >{$acl_c_auth_count}{1}}
    message = "go away"

which will allow only one attempt at auth per connect.



-- 
  When I tried casting out nines I made a hash of it.

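Whichever threshold is chosen, it helps to see what the log actually shows per source address before banning. The block below is an added example, not part of this post or of Exim: a fail2ban-style sliding-window counter over constructed Exim mainlog lines in the `authenticator failed for` format quoted in the dovecot thread above. The addresses, timestamps and user names are constructed; `maxretry` and `findtime` are named after fail2ban's options but the implementation is my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed mainlog excerpt, modelled on the "authenticator failed" line quoted
# in the dovecot thread. Addresses are documentation ranges, not real hosts.
# One line carries a timezone offset and one an incoming port, since both can
# appear in mainlog depending on log_timezone and log_selector settings.
SAMPLE_MAINLOG = """\
2019-07-14 20:52:15 dovecot_plain authenticator failed for ([192.0.2.10]) [198.51.100.7]: 535 Incorrect authentication data (set_id=necktwi)
2019-07-14 20:52:16 dovecot_plain authenticator failed for ([192.0.2.10]) [198.51.100.7]: 535 Incorrect authentication data (set_id=admin)
2019-07-14 20:52:17 dovecot_plain authenticator failed for ([192.0.2.10]) [198.51.100.7]: 535 Incorrect authentication data (set_id=test)
2019-07-14 20:52:40 dovecot_login authenticator failed for mail.example.net ([192.0.2.11]) [203.0.113.5]:51234: 535 Incorrect authentication data (set_id=alice)
2019-07-14 20:53:01 SMTP connection from mail.example.net [203.0.113.5] closed by QUIT
2019-07-14 21:10:00 +0300 dovecot_plain authenticator failed for ([192.0.2.10]) [198.51.100.7]: 535 Incorrect authentication data (set_id=root)
"""

# Timestamp, optional zone offset, authenticator name, then the host part ending
# in the client's [ip] with an optional :port, then the 535 response and the
# optional set_id the authenticator recorded.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: [+-]\d{4})? "
    r"(?P<authenticator>\S+) authenticator failed for "
    r"(?P<host>.*?)\[(?P<ip>[0-9A-Fa-f.:]+)\](?::\d+)?: 535 "
    r"(?:.*\(set_id=(?P<set_id>[^)]*)\))?"
)


def parse_auth_failures(log_text):
    """Return a list of (timestamp, client_ip, set_id) for each failed AUTH."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m is None:
            continue  # not an auth failure line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["ip"], m["set_id"] or ""))
    return events


def ips_to_ban(events, maxretry, findtime_seconds):
    """fail2ban-style rule: an IP is flagged when it has at least maxretry
    failures inside any sliding window of findtime_seconds.
    Returns {ip: highest count seen inside one window}."""
    times_by_ip = defaultdict(list)
    for ts, ip, _ in events:
        times_by_ip[ip].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > findtime_seconds:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= maxretry:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def usernames_tried(events, ip):
    """Sorted distinct set_id values seen from one address: many different
    names points at guessing, one name at a user with a stale password."""
    return sorted({set_id for _, ev_ip, set_id in events if ev_ip == ip})


if __name__ == "__main__":
    evs = parse_auth_failures(SAMPLE_MAINLOG)
    for ip, n in ips_to_ban(evs, maxretry=3, findtime_seconds=600).items():
        print(f"{ip}: {n} failures in 10 min, tried {usernames_tried(evs, ip)}")
```

With `maxretry=3` only the address cycling through several user names is flagged; the single failure from the other address, which in the sample is followed by a normal session, is left alone. Dropping `maxretry` to 1, as the post describes doing under load, flags both.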


Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

2019-06-20 Thread Jasen Betts via Exim-users
On 2019-06-19, Heiko Schlittermann via Exim-users  wrote:
>
> Russell King via Exim-users  (Di 11 Jun 2019 16:08:28 
> CEST):
>>
>> As I stated in my original post, I've tried subsituting the " " with
>> both + and %2b.  I was using Firefox, I've also used elinks as well.
>> Nothing works to get a commitdiff.
>>
>> >https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_91%2Bfixes
>>
>> That URL is not a problem - getting the shortlog is not a problem.
>> Following any of the links from the shortlog _is_ a problem as my
>> original post stated.
>
> Hm. Starting with the link you describe here (using %2B) an can follow
> many, if not all (didn't test *all*) links, shortlog -> commitdiff
> works.

That modified link works in Firefox too. It seems that the problem is that the server
displays a page with bad links if '+' is used incorrectly in the URL;
this may be because in URLs '+' represents space.

This behaviour seems odd; there may be an XSS vuln in there somewhere.

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Auto-bcc certain outgoing mail?

2019-06-14 Thread Jasen Betts via Exim-users
On 2019-06-14, Aki Kyo via Exim-users  wrote:
> Hello, can someone help guide me what the best way is to grab copies
> of one of our users outgoing mails and bcc to another address?

a router like this

example_audit:
  driver = redirect
  unseen = yes
  verify = no
  errors_to = /dev/null
  data = audit_mail...@example.net
  condition = ${if eq{$authenticated_id}{username_here}}

or use a condition that matches some other identifiable feature.

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] DKIM signing table

2019-06-08 Thread Jasen Betts via Exim-users
On 2019-06-07, Bjoern Franke via Exim-users  wrote:
> Hi,
>
> we have a setup with multiple exim instances, which are configured for
> DKIM like explained in [1].
>
> But is it possible to use a signing table like e.g. opendkim is using?
> It would be useful for different selectors.

sure, you don't have to use disk files, you can use a database lookup
(or any other string expansion). also the key content from the look-up
can be a literal string of PEM format data instead of a file name.

or you could just put the selector in another file.
something like

dkim_selector = ${if exist{DKIM_DOMAIN.sel}\
                    {${readfile{DKIM_DOMAIN.sel}}}\
                    {default_selector}}

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] Matching RFC 2047 encoded text

2019-04-21 Thread Jasen Betts via Exim-users
On 2019-04-21, Ian Zimmerman via Exim-users  wrote:
> On 2019-04-17 15:30, Lena--- wrote:
>
>> check_rfc2047_length = false
>
> Thanks, Lena.
>
> If I leave it as true (the default), and $h_subject: turns out to
> contain "=?UTF-8?B?", can I assume (not with certainty, but with a high
> likelihood) the message violates the RFC?

Yes, there is a small probability that the sender actually intended
"=?UTF-8?B?" to be presented to the recipient. In all other cases the
message does not meet the RFC. Possibly you should also check for "=?UTF-8?P?"
etc...

-- 
  When I tried casting out nines I made a hash of it.

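To make the check concrete, the following added example (mine, not from the thread or from Exim) implements a simplified version of what check_rfc2047_length controls: an encoded-word longer than the 75 characters RFC 2047 allows is left undecoded, so the raw `=?UTF-8?B?` prefix survives into the decoded header value, which is exactly the condition the question asks about. `make_b_word`, the sample subjects and the helper names are constructed for the example.

```python
import base64
import quopri
import re

# RFC 2047 section 2 limits an encoded-word ("=?charset?encoding?text?=") to
# 75 characters. With check_rfc2047_length true (the default) Exim leaves a
# longer word undecoded, so $h_subject: still shows the "=?UTF-8?B?" prefix.
MAX_ENCODED_WORD_LEN = 75
ENCODED_WORD_RE = re.compile(r"=\?[^?\s]+\?[BbQq]\?[^?\s]*\?=")


def make_b_word(text, charset="UTF-8"):
    """Build a base64 ("B") encoded-word; used only to construct samples."""
    b64 = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?B?{b64}?="


def _decode_word(word):
    """Decode one well-formed encoded-word to text."""
    _, charset, encoding, text, _ = word.split("?")
    charset = charset.split("*")[0]  # drop an RFC 2231 language tag if present
    if encoding.upper() == "B":
        raw = base64.b64decode(text)
    else:
        # In "Q" encoding an underscore stands for a space; a literal one is =5F,
        # so the substitution must happen before quoted-printable decoding.
        raw = quopri.decodestring(text.replace("_", " ").encode("ascii"))
    return raw.decode(charset, errors="replace")


def decode_header(value, check_rfc2047_length=True):
    """Decode encoded-words the way an Exim $h_ expansion would, simplified:
    whitespace between adjacent encoded-words is kept rather than removed."""
    def replace(match):
        word = match.group(0)
        if check_rfc2047_length and len(word) > MAX_ENCODED_WORD_LEN:
            return word  # over the RFC limit: left as-is, like Exim
        return _decode_word(word)
    return ENCODED_WORD_RE.sub(replace, value)


def overlong_encoded_words(value):
    """The encoded-words in a raw header value that violate the 75-char limit."""
    return [w for w in ENCODED_WORD_RE.findall(value)
            if len(w) > MAX_ENCODED_WORD_LEN]


def looks_undecoded(decoded_value):
    """The heuristic from the thread: an encoded-word prefix that survived
    decoding (covers both B and Q encodings, any charset)."""
    return re.search(r"=\?[^?\s]+\?[BbQq]\?", decoded_value) is not None


if __name__ == "__main__":
    subject = "Re: " + make_b_word("Grüße") + " " + make_b_word("x" * 60)
    print("raw:       ", subject)
    print("overlong:  ", overlong_encoded_words(subject))
    print("as $h_:    ", decode_header(subject))
    print("flagged:   ", looks_undecoded(decode_header(subject)))
    print("check off: ", decode_header(subject, check_rfc2047_length=False))
```

The 60-byte sample encodes to a 92-character word, so with the length check on it is left in place and `looks_undecoded` fires; with the check off it decodes normally, which is the behaviour `check_rfc2047_length = false` buys at the cost of accepting non-compliant mail.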


Re: [exim] Server Upgrade

2019-04-13 Thread Jasen Betts via Exim-users
On 2019-04-13, Rainer Dorsch via Exim-users  wrote:
> Hi,
>
> I want to upgrade my server from Debian Jessie to Debian Stretch. I am afraid 
> that at some time during the upgrade process, there is an invalid exim 
> configuration and messages get rejected. In order to avoid that I was 
> thinking 
> of either redirecting via DNS to a server which does not listen to port 25 to 
> enforce the sender to try again. Or redirect via DNS to a server which 
> buffers 
> all incoming messages until the Stretch setup is tested (not sure which 
> server 
> software does this though...).
>
> Can anybody recommend one of the approaches or even propose something 
> better...?

Use iptables rules to block the public allowing only your tests to
reach exim. 

If you have not edited any Debian conffiles the upgrade should proceed
smoothly with only a brief outage, no spurious rejects.

during the upgrade process a bad config is much more likely to prevent
exim from running than to cause spurious rejects.

I use Debian's split config which allows me to separate my config
tweaks from the Debian provided conf files; this vastly reduces the
amount of editing needed during upgrades.

-- 
  When I tried casting out nines I made a hash of it.



Re: [exim] How to trap "command timed out"? (avoid 451 reject)

2019-03-14 Thread Jasen Betts via Exim-users
On 2019-03-14, Aki Kyo via Exim-users  wrote:
> Hi,
>
> I'm running a command on a decoded MIME part:
>
> ${run{/path/to/command $mime_decoded_filename}}
>
> In some very rare cases, I get "command timed out" and the message is
> rejected with 451 code
>
> Aside from debugging why it timed out, most important, how can I catch
> this condition so the timed out command doesn't cause a 4xx temporary
> rejection? My command not so important so I want to skip this command
> and accept the message

If you perform an action under a "warn" ACL verb then a temporary
failure of the expansion will not cause the ACL to defer, instead 
you get a log line and the ACL will continue at the next verb.

Perhaps you can under a "warn" verb set some ACL variable and then use
an "accept" or "deny" verb to act on the content of the variable. In
the case of a timeout the line with $run will be ignored, so the
variable will be unaltered.


-- 
  When I tried casting out nines I made a hash of it.


