Re: [exim] Router and transport for modifying message

2023-04-25 Thread Jeremy Harris via Exim-users

On 25/04/2023 09:59, mouse via Exim-users wrote:

My question is - is there any way to just pass e-mail through modifying script *without re-injecting* email via "command = ..."?


Do your changes in ACL code, using Exim facilities rather than
an external script.

--
Cheers,
  Jeremy


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Routing failed deliveries through an ESP

2023-04-24 Thread Jeremy Harris via Exim-users

On 21/04/2023 13:13, Slavko via Exim-users wrote:

it can
be related to per_addr option


per_addr can only be used in the rcpt acl.
You'd possibly be able to just use count=1,
if this was an event raised once per thing
you want counted.
--
Cheers,
  Jeremy




Re: [exim] Routing failed deliveries through an ESP

2023-04-21 Thread Jeremy Harris via Exim-users

On 21/04/2023 06:55, Slavko via Exim-users wrote:

Did I do something wrong?


Would need the actual error message to guess.
--
Cheers,
  Jeremy




Re: [exim] log_reject_target

2023-04-20 Thread Jeremy Harris via Exim-users

On 20/04/2023 16:21, Ian Z via Exim-users wrote:

I was not sure I was interpreting the expression "current ACL" correctly.
Things like warn and deny are what, ACL rules?



Verbs.  See
https://exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
section 18.

For hunting about for info like this, use the Concept Index.
--
Cheers,
  Jeremy




Re: [exim] Routing failed deliveries through an ESP

2023-04-20 Thread Jeremy Harris via Exim-users

On 20/04/2023 15:47, Lance Lovette via Exim-users wrote:

Does Exim have a mechanism to invoke a script with rejected messages


We already told you no.
--
Cheers,
  Jeremy




Re: [exim] log_reject_target

2023-04-20 Thread Jeremy Harris via Exim-users

On 19/04/2023 16:24, Ian Z via Exim-users wrote:

First, does this mean that here nothing will be logged:

   acl_check_rcpt:

 warn log_reject_target =

 deny condition = true


I've not tried that, but at first sight yes.
Why are you asking?


Second, what about nested ACLs? Both with the acl= condition
and with the ${acl .. } expansion. Is the value of log_reject_target
restored upon return to the top level ACL?


The value is reset to default on an expansion condition or item which
calls an ACL, and on any of the top-level ACL calls specified by
main-config options.  It is not reset for or after an "acl=" ACL
condition (i.e. a nested ACL call).
--
Cheers,
  Jeremy




Re: [exim] Wildcard CN verify error

2023-04-20 Thread Jeremy Harris via Exim-users

As a side-note,

On 18/04/2023 20:08, Lance Lovette via Exim-users wrote:

 smtp_mailgun:

[...]

   hosts_require_auth = <; $host_address
   hosts_require_tls = <; $host_address


Just using * for those two would have the same effect,
and save work.
--
Cheers,
  Jeremy




Re: [exim] Wildcard CN verify error

2023-04-20 Thread Jeremy Harris via Exim-users

On 20/04/2023 06:18, Jasen Betts via Exim-users wrote:

On 2023-04-18, Lance Lovette via Exim-users  wrote:

This is a name mismatch: mailgun.org != mailgun.com.


Perhaps it's time for a larger font size :) I will put on my dunce cap and
go sit in the corner. But shame on Mailgun for responding to .com with a
.org certificate!

Lance


Their .com is a cname pointing to the .org, so the same host is both
.com and .org, but their host isn't using SNI.


This raises the question: should the name-check be against the CNAME-resolved
name rather than the initial?  Both?
I've not hunted through standards yet.
--
Cheers,
  Jeremy




Re: [exim] Wildcard CN verify error

2023-04-18 Thread Jeremy Harris via Exim-users

On 18/04/2023 22:39, Evgeniy Berdnikov via Exim-users wrote:

  mailgun.org != mailgun.com.


Good eyes!
--
Cheers,
  Jeremy




Re: [exim] Wildcard CN verify error

2023-04-18 Thread Jeremy Harris via Exim-users

On 18/04/2023 22:03, Lance Lovette via Exim-users wrote:

 Exim version 4.95



 X509v3 Subject Alternative Name:
 DNS:*.mailgun.org, DNS:mailgun.org



   [34.160.13.42] SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"


Hmm.  Looks like that should have matched.
I'll have a play; see if I can duplicate that (but not tonight).

--
Cheers,
  Jeremy




Re: [exim] Wildcard CN verify error

2023-04-18 Thread Jeremy Harris via Exim-users

On 18/04/2023 20:08, Lance Lovette via Exim-users wrote:

 SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"


Check to see if that cert had any SANs.
The current source has the name-check only using the SN if there are none.

You didn't say what Exim version (and you trimmed the log line; there's been
an IP there since 4.91 and now I can't go check the cert myself).
--
Cheers,
  Jeremy




Re: [exim] Routing failed deliveries through an ESP

2023-04-17 Thread Jeremy Harris via Exim-users

On 17/04/2023 14:08, Bill Cole via Exim-users wrote:

There's a rational basis for an exception for 5xx before MAIL FROM, when the 
target only has the connection parameters and HELO name to use as a basis for 
rejection. Re-routing via a fallback path isn't entirely unjustifiable in that 
case, as it changes those elements of the transaction.


Exim treats what you're talking of as a "host error" rather than a "message error",
and goes on to try the next host in the list of possibles determined by the routing
stage.  Commonly that would be a lower-priority MX for the domain.
--
Cheers,
  Jeremy




Re: [exim] Dynamic received_header_text

2023-04-17 Thread Jeremy Harris via Exim-users

The documentation does answer these questions.  Was some of it unclear?
--
Cheers,
  Jeremy




Re: [exim] Routing failed deliveries through an ESP

2023-04-17 Thread Jeremy Harris via Exim-users

On 17/04/2023 02:01, Lance Lovette via Exim-users wrote:

How might I configure my routers to ignore an initial 5xx response from the
first router and attempt another (and maybe future) deliveries through an
alternate router?


You can't.  A permanent error response for a message is definitive.
--
Cheers,
  Jeremy




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-16 Thread Jeremy Harris via Exim-users

On 16/04/2023 19:17, Sebastian Arcus via Exim-users wrote:


relay_to_compan1:
   driver = manualroute
   domains = company1.com
   route_list = company1.com 192.168.100.10
   transport = remote_relay_company1
   host_find_failed = defer

relay_to_compan2:
   driver = manualroute
   domains = company2.com
   route_list = company2.com 192.168.100.11
   transport = remote_relay_company2
   host_find_failed = defer

Wouldn't the above just work for incoming email?


Yes.

And if those transports don't actually need different configs,
you only need one.  And then you might consider using multiple
entries in the route_list and only needing one router, too.
--
Cheers,
  Jeremy




Re: [exim] Dynamic certificate paths

2023-04-16 Thread Jeremy Harris via Exim-users

On 16/04/2023 19:35, Lance Lovette via Exim-users wrote:

That would be helpful. Can you point me to a reference?

https://exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html#SECTalomo
--
Cheers,
  Jeremy




Re: [exim] Dynamic certificate paths

2023-04-16 Thread Jeremy Harris via Exim-users

On 16/04/2023 17:52, Lance Lovette wrote:

My goal is to have a single configuration file that can run across
different environments (dev/stage/live.)


I'm not seeing why the default of the "uname" result, used
if you don't set this option, is not sufficient in that case.


FWIW, the readfile assignment hasn't caused issues anywhere else so
far, just in the cert paths, which I presume are a special case for
security.


The docs do show which options are expanded (and so, implicitly,
which ones are not).

--
Cheers,
  Jeremy




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-16 Thread Jeremy Harris via Exim-users

On 15/04/2023 23:31, Sebastian Arcus via Exim-users wrote:

 you might be able to use cutthrough delivery from the front-end to the
real server, which might allow you to reject rather than bounce some of the 
time; it might even help with your SPF dilemma ?


That was my intention - so that the back-end machines can verify if the 
recipient exists. Are you saying that when using cutthrough delivery, this 
doesn't add an extra header to the email message - so this way it wouldn't mess 
up the SPF checks on the back-end machine


No.  A Received: header is always added, cutthrough or store-and-forward.


(I was assuming that the front-end machine would add another header to the 
incoming email, which would make it appear to be one of the sending servers - 
which I then assumed would fail the SPF checks on the back-end machines)


(The original) SA presumably relies on Received: headers to get the sending IP;
there's no setting in the API being used to call it.

The RSPAMD variant call does, however - so if there were enough call for it
a feature could be added to Exim to set that from the config; that in turn
could use on the backend Exim info added to the message by private agreement
with the frontend (eg. an A-R header).

OR:
you could use the SA feature "ignore_received_spf_header", do the SPF checks
on the frontend, and add that header to transfer the info

you could use the rspamd feature 
https://www.rspamd.com/doc/modules/external_relay.html

OR:
you could just run SA on the frontend

--
Cheers,
  Jeremy




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Jeremy Harris via Exim-users

On 15/04/2023 18:01, Sebastian Arcus via Exim-users wrote:

I think I would have to run Spamassassin on the "proxy" Exim, as otherwise the 
IP address of the proxy will be added to the headers during the delivery/relay process, 
and will probably break the SPF checks in Spamassassin on the final Exim server in the 
chain - I think?


That would depend on how SA gets its info, but yes that'd be simplest.
--
Cheers,
  Jeremy




Re: [exim] Dynamic certificate paths

2023-04-15 Thread Jeremy Harris via Exim-users

On 15/04/2023 19:36, Lance Lovette via Exim-users wrote:

But I need primary_hostname to be dynamic, say read from a file.

 primary_hostname = ${readfile{/etc/mailname}{}}


You can't do that; the primary_hostname option does not
expand its argument.

Could you explain your need further?  Why do you want this value
to come from a file?  Would it suffice to have that line of configuration
come from a file (if so, look into the .include directive).
--
Cheers,
  Jeremy




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Jeremy Harris via Exim-users

On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:


Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can use):
https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound


Thinking further, this (HAProxy with Proxy-protocol as a frontend for an MTA,
with the HAProxy routing based on SNI) has additional complications.  Because
the ESMTP connection has to (for port 25) negotiate TLS using STARTTLS, you're
asking that HAProxy run that part of the ESMTP protocol, so that it can see the
SNI.  It'd have to replay that ESMTP startup down the connection to the backend,
as far as the TLS Client Hello - or be a full ESMTP endpoint.  I don't know if
it's that clever.
--
Cheers,
  Jeremy




Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Jeremy Harris via Exim-users

On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:

I have a number of Exim servers behind a NAT gateway (actually connected with 
vpn's to a cloud vps - but I'm hoping this is not relevant to this post). I 
would like the gateway to send incoming port 25 traffic to the correct Exim 
server based on SNI in incoming TLS packets - as different Exim instances serve 
different email domains. The setup would look like this:

                     [Internet]
                         |
                   (smtp port 25)
                         |
                         v
                   [Cloud server]
                         |
                         v
      +------------------+------------------+
      |                  |                  |
[Exim server 1]    [Exim server 2]    [Exim server 3]


I would have preferred to do this at IP tables level - but apparently not 
really possible. It seems the next option would be HAProxy. Has anyone here 
used HAProxy or run a setup as above, or know if this is actually doable? Any 
suggestions much appreciated.



Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can use):
https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound

I can't really help on other HAProxy facilities or config though.

Another option for you would be to use Exim itself as the fanout element at your
"cloud server".  It has visibility of the SNI and could use that for routing.
Indeed, if the configurations needed for the "Exim server N" elements are sufficiently
similar and load & geography permits, you could collapse the lot into a single Exim.
--
Cheers,
  Jeremy




Re: [exim] Configuration progress.

2023-04-14 Thread Jeremy Harris via Exim-users

On 14/04/2023 04:03, Peter via Exim-users wrote:

The result from
exim -d+all+noutf8 -odf petereasth...@gmail.com &1 | tee ~/NY/ex1 
| less
is in
http://easthope.ca/ex1 .

17:31:09  8486 easthope.ca in "imager.hitronhub.home"? no (end of list)

That is to determine whether the destination is local?


You've not shown any context, but I assume it's this:

17:31:09  8490   /considering: ${if match_domain{$sender_address_domain}{imager.hitronhub.home}{${sender_address_local_part}@easthope.ca}fail}}}
17:31:09  8490/considering: $sender_address_domain}{imager.hitronhub.home}{${sender_address_local_part}@easthope.ca}fail}}}
17:31:09  8490|--expanding: $sender_address_domain
17:31:09  8490\_result: easthope.ca
17:31:09  8490   \__(tainted)
17:31:09  8490/considering: imager.hitronhub.home}{${sender_address_local_part}@easthope.ca}fail}}}
17:31:09  8490|--expanding: imager.hitronhub.home
17:31:09  8490\_result: imager.hitronhub.home
17:31:09  8490 easthope.ca in "imager.hitronhub.home"? no (end of list)

- so it's checking on the sender_address_domain, not the destination.


Subsequently,
17:31:09  8491 no message retry record
17:31:09  8491 retry time not reached: checking ultimate address timeout

Why is a retry time evaluated?


To see if it's yet time to bother to try this apparently-dead host again.


  Why not try authentication?


It's not made a connection, so there's nothing to authenticate to.
--
Cheers,
  Jeremy




Re: [exim] From header with encoding not parsed?

2023-04-13 Thread Jeremy Harris via Exim-users

On 13/04/2023 23:24, Martin D Kealey via Exim-users wrote:

On Thu, 13 Apr 2023 at 19:36, Slavko  wrote in
exim-users@exim.org:


Dňa 12. apríla 2023 16:50:29 UTC používateľ MRob via Exim-users <
exim-users@exim.org> napísal:

Hi, I have a variable to extract the email address in from header set

like this:


${lc:${address:$h_From:}}


Header is valid, but after decoding it contains comma without
quotes, the comma is address separator and thus results in
list of two "addresses", first without valid address, thus empty...



My take on this is that Exim is wrong there.

Anywhere else, splitting addresses on commas happens before decoding, and
this should be no different.


Uh, it's only a list if and when you use that string (the result of that expansion)
where a list is expected.  And the list separator is also defined
by the context.

I don't agree with "Exim is wrong there".

--
Cheers,
  Jeremy




Re: [exim] From header with encoding not parsed?

2023-04-13 Thread Jeremy Harris via Exim-users

On 13/04/2023 09:54, Victor Ustugov via Exim-users wrote:

I'm not talking about what should be encoded, but about what can be
received in a real email from a spammer, some kind of script or
something like that.


A mail sender could send you *anything*.
--
Cheers,
  Jeremy




Re: [exim] Re (2): Configuring exim to use an non-TLS connection to port 587.

2023-04-12 Thread Jeremy Harris via Exim-users

On 12/04/2023 18:51, Peter via Exim-users wrote:

It has these lines.



08:33:42  4098   /considering: ${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }

we're doing a string expansion, which will request a lookup...

08:33:42  4098/considering: $host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }
08:33:42  4098|--expanding: $host
08:33:42  4098\_result: easthope.ca

the key we're looking up is the destination host for the transport, "easthope.ca"

08:33:42  4098/considering: /etc/exim4/passwd.client}{$host_address}}}{} }
08:33:42  4098|--expanding: /etc/exim4/passwd.client
08:33:42  4098\_result: /etc/exim4/passwd.client

this is the DB we're to do the lookup in

08:33:42  4098   search_open: nwildlsearch "/etc/exim4/passwd.client"
08:33:42  4098   search_find: file="/etc/exim4/passwd.client"
08:33:42  4098 key="easthope.ca" partial=-1 affix=NULL starflags=0 opts=NULL
08:33:42  4098   LRU list:
08:33:42  4098 :/etc/exim4/passwd.client
08:33:42  4098 End
08:33:42  4098   internal_search_find: file="/etc/exim4/passwd.client"
08:33:42  4098 type=nwildlsearch key="easthope.ca" opts=NULL
08:33:42  4098   file lookup required for easthope.ca
08:33:42  4098 in /etc/exim4/passwd.client
08:33:42  4098 easthope.ca in "mail.easthope.ca"? no (end of list)
08:33:42  4098   lookup failed

... and no, it isn't there.


/etc/exim4/passwd.client can be read by Debian-exim and has only
one active line beginning with mail.easthope.ca.


... sounds like that's the right answer, given the file content.


A little further down.
08:33:43  4098   SMTP(closed)<<
08:33:43  4098 Remote host closed connection in response to pipelined DATA

The smarthost refused to continue the conversation?


Correct.  Before that close from it, we see:

08:33:43  4098 sync_responses expect rcpt
08:33:43  4098   SMTP<< 550 SMTP AUTH is required for message submission on port 587

meaning: we wanted its response to a "RCPT" command we sent it,
and that response was an error code (the 550 value) along with
a comment for humans "SMTP AUTH is required for message submission on port 587".

So we didn't manage to authenticate ourselves to them.  In fact, we
didn't even try, probably because that lookup didn't find a match for that
key.
--
Cheers,
  Jeremy




Re: [exim] From header with encoding not parsed?

2023-04-12 Thread Jeremy Harris via Exim-users

On 12/04/2023 17:50, MRob via Exim-users wrote:

Hi, I have a variable to extract the email address in from header set like this:

${lc:${address:$h_From:}}

But it comes out blank(empty) given a "from" header like this one:

From: =?utf-8?Q?My=20Bizness=2C=20Inc.?= 

I think that's a valid header? Did I do something wrong please? Thanks!


You didn't say where you are trying to do that expansion.
If it's before data phase, the headers have not yet been received.

--
Cheers,
  Jeremy




Re: [exim] Configuring exim to use an non-TLS connection to port 587.

2023-04-11 Thread Jeremy Harris via Exim-users

On 11/04/2023 23:50, Peter via Exim-users wrote:

From:    Graeme Fowler via Exim-users 
Date:    Tue, 11 Apr 2023 18:44:22 +0100

From
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
 (sec 10):

"... setting hosts_avoid_tls (an option of the transport) to a list
of server hosts for which TLS should not be used."


I wonder how that is done.

$ find /etc/exim4/ -type f -exec grep "hosts_avoid_tls" '{}' \; -print
   hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
   hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp
   hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
   hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS

Obvious questions before recklessly diving into changes.

(1) Macros are mentioned frequently in Exim documents.  In general,
the meaning of "macro"  depends upon the context.
https://en.wikipedia.org/wiki/Macro#Computing
What is a macro in Exim?


Described in the Exim documentation:
https://exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_runtime_configuration_file.html#SECTmacrodefs


(2) Lines above containing "=" signs are assignments?


Those specific ones are option settings.


(3) An entity to left of = is a variable?  Similar to a shell variable?


No.  Read the docs.


(4) What is an entity in all caps, right of =?


Almost certainly a macro.


Of course, looked for answers in various docs before posting this.
/usr/share/doc/exim4-base/README
/usr/share/doc/exim4-base/README.Debian
/usr/share/doc/exim4-config/README.Debian
https://wiki.debian.org/PkgExim4UserFAQ
https://en.wikipedia.org/wiki/Macro#Computing
Nothing particularly helpful.  =8~/


The first hit from either duckduckgo or google gets you to the right place.
So did Graeme's mail you included.

--
Cheers,
  Jeremy




Re: [exim] Configuring exim to use an non-TLS connection to port 587.

2023-04-11 Thread Jeremy Harris via Exim-users

On 11/04/2023 17:43, Peter via Exim-users wrote:

Hello again,

In absence of progress to have exim apply TLS-on-connect to server port
465 I'm trying non-TLS to port 587 as a simpler first objective.  =8~/

Configuration specifications of the server are here.
https://islandhosting.com/knowledgebase/21/How-do-I-configure-my-email-client.html

This is the result of "dpkg-reconfigure exim4-config".

$ tail -n 15 /etc/exim4/update-exim4.conf.conf
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_readhost='easthope.ca'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='158.69.159.172::587'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
$

The consequent eximdebug.txt is here.
http://easthope.ca/eximdebug.txt

I noted this line.
20:33:40  1656 read response data: size=213
The lines following it suggest the server attempts to apply STARTTLS
whereas the instructions on the Web page cited above are "Non-SSL
Settings ... SMTP Port: 587".  What is the reality?


A little before that line:

   20:33:40  1656 158.69.159.172 in hosts_avoid_tls? no (option unset)
   20:33:40  1656   SMTP>> STARTTLS

The transport checked its option "hosts_avoid_tls" and found nothing set.
So it tried to use STARTTLS.  If you don't want it to even try
(and then fall back to plaintext), then you need something in that option.
If you're only ever talking to this smarthost, it could even be "*" to
have that apply to all target hosts.

Whether or not the Debian configurator has a way of doing that for you
I don't know.



What is the crux of failure?


  20:33:41  1656 TLS: checking peer certificate
  20:33:41  1656 TLS certificate verification failed: cert name mismatch
  20:33:41  1656 TLS session fail: (certificate verification failed)

- they presented a server certificate that we don't like; specifically,
the list of systems that are supposed to use the cert did not include
the name we think the server has (the one we made a TCP connection to).
It's possible to turn that security check off, and you might have to
in order to get a TLS connection to this provider (either STARTTLS or
TLS-on-connect).





However, your debug run did continue with a plaintext attempt after
failing on the STARTTLS, and we see

  20:33:41  1656 158.69.159.172 in hosts_require_auth? no (option unset)

- which seems bogus given your provider's need for login/password authentication

followed by

   20:33:41  1656   failed to expand "<; ${if exists{/etc/exim4/passwd.client} {${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }" while checking a list: failed to open /etc/exim4/passwd.client for linear search: Permission denied (euid=106 egid=113)

- which is clearly an error that needs fixing, and should be self-explanatory apart from
"euid" and "egid" which are the values of user and group that the exim transport process was
operating as at the time of trying to open that file.  Check the file permissions.

I would guess that this file is created by the Debian configurator, but I don't
know that.  If it was, then it should just work with their config, unless someone
has manually fiddled with things.



FOOTNOTE
In the transcript, eximdebug.txt, the direction of transmission is
unclear.  A common notation is "c:" indicating client transmission and
"s:" indicating server transmission. It would add only 2 or 3
characters per line while removing uncertainty.  =8~)


The debug from exim uses "SMTP>>" to say "I sent this" - eg:

   20:33:40  1656   SMTP>> EHLO imager.hitronhub.home

and it uses "SMTP<<" to say "I received this" - eg:

   20:33:40  1656   SMTP<< 250-hornby.islandhosting.com Hello s0106a84e3f6ccb23.gv.shawcable.net [24.108.14.249]


Separately:
Given what your presentation of the debug output to us has done with the UTF-8
content (as I mentioned before), you might want to experiment with the debug option "+noutf8"
so that ascii-art is used instead.
--
Cheers,
  Jeremy
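
The "SMTP>>" / "SMTP<<" convention explained in this message, as an added example (not part of Exim and not code from the thread): a Python filter that rewrites a debug run as a c:/s: dialogue and pulls out the three kinds of line the reply walks through. The sample is constructed from debug lines quoted in these messages, joined from more than one session; the regexes and function names are assumptions of this sketch.

```python
"""Turn Exim -d output into a client/server transcript plus a findings list."""
import re

# Constructed sample: lines quoted in the messages above, from two debug runs.
SAMPLE = """\
20:33:40  1656   SMTP>> EHLO imager.hitronhub.home
20:33:40  1656   SMTP<< 250-hornby.islandhosting.com Hello s0106a84e3f6ccb23.gv.shawcable.net [24.108.14.249]
20:33:40  1656 158.69.159.172 in hosts_avoid_tls? no (option unset)
20:33:40  1656   SMTP>> STARTTLS
20:33:41  1656 TLS certificate verification failed: cert name mismatch
20:33:41  1656 158.69.159.172 in hosts_require_auth? no (option unset)
08:33:43  4098   SMTP<< 550 SMTP AUTH is required for message submission on port 587
08:33:43  4098   SMTP(closed)<<
"""

LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d)\s+(?P<pid>\d+)\s+(?P<body>.*)$")
SMTP = re.compile(r"^SMTP(?P<dir>>>|<<)\s?(?P<text>.*)$")
HOSTLIST = re.compile(
    r"^(?P<host>\S+) in (?P<opt>hosts_\w+)\? (?P<ans>yes|no)\b(?P<why>.*)$"
)


def parse(log):
    """Yield (timestamp, pid, body) for each line in timestamp/pid/text form."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield m["ts"], m["pid"], m["body"].strip()


def transcript(log):
    """'SMTP>>' is what Exim sent (c:), 'SMTP<<' is what it received (s:)."""
    out = []
    for ts, pid, body in parse(log):
        if body.startswith("SMTP(closed)"):
            out.append(f"{ts} [{pid}] s: <connection closed>")
            continue
        m = SMTP.match(body)
        if m:
            who = "c:" if m["dir"] == ">>" else "s:"
            out.append(f"{ts} [{pid}] {who} {m['text']}")
    return out


def findings(log):
    """Collect unset host-list options, TLS verify failures and 5xx replies."""
    out = []
    for ts, pid, body in parse(log):
        m = HOSTLIST.match(body)
        if m and m["ans"] == "no" and "option unset" in m["why"]:
            out.append(("option-unset", m["opt"], m["host"]))
        elif body.startswith("TLS certificate verification failed:"):
            out.append(("tls-verify-failed", body.split(":", 1)[1].strip()))
        else:
            s = SMTP.match(body)
            if s and s["dir"] == "<<" and re.match(r"5\d\d[ -]", s["text"]):
                out.append(("smtp-permanent-error", s["text"]))
    return out


if __name__ == "__main__":
    print("\n".join(transcript(SAMPLE)))
    for item in findings(SAMPLE):
        print(item)
```
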




Re: [exim] Re (2): Syntactic validity of configuration.

2023-04-11 Thread Jeremy Harris via Exim-users

On 11/04/2023 07:44, Slavko via Exim-users wrote:

The only downside with exim is, that this split (as implemented
in debian) is not directly supported by exim, and one has to
reload exim even to test it, but on other side, at least I do not
forget to reload it after changes ;-)


Possible wishlist item, for exim to watch for changes to the
files that provided its config and auto-reload.
--
Cheers,
  Jeremy




Re: [exim] Defaults for FreeBSD

2023-04-09 Thread Jeremy Harris via Exim-users

On 09/04/2023 17:58, David Siebörger via Exim-users wrote:

The default settings for CC and USE_DB for FreeBSD seem to be out-of-date.


I'd like to hear from the FreeBSD package maintainer their preferences,
even though you're talking about the upstream git.

Folding back any patches FreeBSD is carrying, where feasible,
would be good.

Unfortunately I don't know right off how to find out who that is.
--
Cheers,
  Jeremy




Re: [exim] Re (2): Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-04-08 Thread Jeremy Harris via Exim-users

On 08/04/2023 23:35, Peter via Exim-users wrote:

(1) The man page shows option -f without explanation.  How is it used?


It has no effect, though it is parsed and is not an error.

Despite the author's note on that manpage (at least in the Ubuntu
online one I found) the source must have been glanced at.  The actual
Exim documentation doesn't mention it.
 

(2) Why split the database identifier into path and file?  Why not
just the fully qualified name?  Eg.
  exim_tidydb -t 1m /var/spool/exim4/db/retry


That's not a "file", it's a hints-database name.

It lets the utility Do The Right Thing when the database
is made of multiple files, or a file with some name depending
on, but not identical to, the name of the hints-db.
--
Cheers,
  Jeremy




Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-04-08 Thread Jeremy Harris via Exim-users

On 08/04/2023 19:16, Peter via Exim-users wrote:

Appears the log I have now is complete; the last line has "terminating
with rc=0".  Rather than clutter the mailing list with mostly
insignificant data I put it here. http://easthope.ca/eximdebug.txt


Somewhere along the way the UTF-8 in that got mangled...

But here:

19:37:10  5273   ** pe...@easthope.ca R=smarthost T=remote_smtp_smarthost: all hosts for 'easthope.ca' have been failing for a long time (and retry time not reached)

"retry time not reached" is the relevant bit.  Exim is holding off for a bit
from trying to connect to a host it has recorded as failing.
It'll try again eventually (assuming you have periodic queue runs) -
or you could just wipe the hints database.


(and that line was being sent to your main log, as well as debug output)
--
Cheers,
  Jeremy




Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-04-06 Thread Jeremy Harris via Exim-users

On 06/04/2023 19:53, Jeremy Harris via Exim-users wrote:

On 05/04/2023 17:49, Peter via Exim-users wrote:

19:40:02  9597  TFO mode sendto, no data: EINPROGRESS
19:40:02  9597  connected
19:40:02  9597  ╭considering: $primary_hostname
19:40:02  9597  ├──expanding: $primary_hostname
19:40:02  9597  ╰─result: dalton.invalid


Something tells me you didn't wait long enough
(which could be, like, ten minutes if it's this
end exim timing out waiting for the target system
to speak).


Actually, I'm not convinced that your transport
actually has "protocol = smtps".   The TLS client-side
startup should be visible pretty soon after that "sendto"
(which initiates the TCP connection).

If you look backward in that file there should be a line
like "remote delivery to j...@test.ex with transport=send_to_server1" -
take that transport name off the end and check it's
the transport in your config
that you are expecting.  Then do
# exim -bP transport 
to dump the actual config (at least, from a freshly loaded
config... you *did* restart exim after any config edits?)
--
Cheers,
  Jeremy




Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-04-06 Thread Jeremy Harris via Exim-users

On 05/04/2023 17:49, Peter via Exim-users wrote:

19:40:02  9597  TFO mode sendto, no data: EINPROGRESS
19:40:02  9597  connected
19:40:02  9597  ╭considering: $primary_hostname
19:40:02  9597  ├──expanding: $primary_hostname
19:40:02  9597  ╰─result: dalton.invalid


Something tells me you didn't wait long enough
(which could be, like, ten minutes if it's this
end exim timing out waiting for the target system
to speak).
--
Cheers,
  Jeremy




Re: [exim] Re (n): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-04-06 Thread Jeremy Harris via Exim-users

On 06/04/2023 18:30, Peter via Exim-users wrote:

I should refrain from attempting to send messages as root. Should
submit as ordinary user.  Correct?


Nope.

The "don't run as root" thing doesn't affect deliveries done
via smtp, only deliveries to file.  Deliveries to file have
to be done as the owner of the recipient account, so as to
have permission to modify their files.  But we want to avoid
running as root (and sometimes some other privileged users too,
which is why it's configurable) because doing so is an attack
surface just begging to be scratched.

Your deliver-to-smarthost is not that.
--
Cheers,
  Jeremy




Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-04-06 Thread Jeremy Harris via Exim-users

On 06/04/2023 17:28, Peter via Exim-users wrote:

What is the reality?


"Delivery" meaning the specific phase of a message going outward from
exim, as opposed to being accepted by exim.
--
Cheers,
  Jeremy




Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-04-01 Thread Jeremy Harris via Exim-users

On 01/04/2023 16:22, Peter via Exim-users wrote:

Nevertheless, the connection fails.  Any tip about diagnosis may help.


Exim has a debug mode.  Most commonly triggered from a commandline option.
It is documented in the Exim docs, and possibly (I've not checked
a Debian system) the manpage for exim.

Attempt a test connection using a commandline message send, along the lines
of

$ exim -d+all -odf per...@externaldomsin.com 2>&1 | tee eximdebug.txt | less

You will see the processing that exim does, and should be able to
infer at what point it diverges from your needs.
--
Cheers,
  Jeremy




Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Jeremy Harris via Exim-users

On 31/03/2023 20:28, Evgeniy Berdnikov via Exim-users wrote:

while $auth1 should always be null string for PLAIN.


Wups, not for the dovecot driver.
You're thinking of the plaintext driver.
--
Cheers,
  Jeremy




Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Jeremy Harris via Exim-users

On 31/03/2023 16:36, Peter via Exim-users wrote:

submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314]

Should a line beginning smtps be added?  Eg.
smtps 465/tcp  ...


Not needed.  The "smtps" value for the exim smtp transport driver
is a keyword, not a reference looked up in /etc/services.

But I'm still thinking that the Debian configuration wizard for Exim
likely has a question on this, and you shouldn't be needing to
manually find the right place in their resulting set of configuration files.
This is my inference from the presence of that macros use pointed
out by Evgeniy.
--
Cheers,
  Jeremy




Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Jeremy Harris via Exim-users

On 31/03/2023 16:15, Evgeniy Berdnikov via Exim-users wrote:

.ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
  protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
.endif


Doesn't that imply the wizard has a question that sets that?

--
Cheers,
  Jeremy




Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Jeremy Harris via Exim-users

On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:

I'm trying to deny users successful authentication if they connect not from the 
internal network but from the Internet. At the same time, I have a file with 
exception users.

server_condition is used to deny authentication. At the same time, this works 
for CRAM_MD5, but does not work for PLAIN (an error message appears in the log, 
but the message is sent as coming from an authorized user).


What error message?  In what fashion does it "not work"?
Show us an example.  Use the debug facilities (quite likely,
doing that will show you where your issue is).



There are also notes for PLAIN in the documentation: "This option must be set for a 
plaintext server authenticator, where it is used directly to control authentication. See 
section 34.3 for details." I don't know how to apply or bypass this in my case.


As it says, for a plaintext authenticator.  You are not using one,
you are using dovecot authenticators.

--
Cheers,
  Jeremy




Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Jeremy Harris via Exim-users

On 30/03/2023 20:00, Peter via Exim-users wrote:

Debian 11 here with exim4 4.94.2-7.


Debian has a configuration wizard.  In what respect is
it not offering what you need?
--
Cheers,
  Jeremy




Re: [exim] Make auth unsuccessful with some conditions

2023-03-31 Thread Jeremy Harris via Exim-users

On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:

I have a file with exception users


But the server_advertise_condition wants an empty/nonempty string,
and you appear to be handing it a filename.
--
Cheers,
  Jeremy




Re: [exim] nwildlsearch does not match

2023-03-31 Thread Jeremy Harris via Exim-users

On 31/03/2023 07:51, Niels Kobschätzki via Exim-users wrote:

What am I doing wrong? I thought that nwildlsearch can use wildcards and
* and .* are wildcards to me.


https://exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECTsinglekeylookups
--
Cheers,
  Jeremy




Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Jeremy Harris via Exim-users

On 29/03/2023 17:59, Viktor Dukhovni via Exim-users wrote:

It is (at least in Postfix) also possible


Please note that this mailing list is not focussed on Postfix.
--
Cheers,
  Jeremy




Re: [exim] Something like "domains_require_tls"

2023-03-29 Thread Jeremy Harris via Exim-users

On 29/03/2023 10:40, Slavko via Exim-users wrote:

On 29. 3. at 10:56, Olaf Hopp (SCC) via Exim-users wrote:

 decided still to live with 2 pairs of routers and transports
and keep in mind, when I change one of them, I have to change the other one as 
well.


And what about include common transport parts from separate file in both? I 
never did it in transport, but I use it in ACL to not touch (very much) 
debian's default config.


Alternatively, using macros for the common bits across the pairs would get you 
partway.
--
Cheers,
  Jeremy




Re: [exim] Something like "domains_require_tls"

2023-03-24 Thread Jeremy Harris via Exim-users

On 24/03/2023 14:45, Olaf Hopp (SCC) via Exim-users wrote:

Am I missing something ?


The behaviour defined in the docs does not cover your use.
The actual implementation, and behaviour, could change underneath you.
--
Cheers,
  Jeremy




Re: [exim] Something like "domains_require_tls"

2023-03-24 Thread Jeremy Harris via Exim-users

On 24/03/2023 12:28, Olaf Hopp (SCC) via Exim-users wrote:

Do you think "multi_domain = false" is not worth for trying ?

Correct.
--
Cheers,
  Jeremy




Re: [exim] Something like "domains_require_tls"

2023-03-23 Thread Jeremy Harris via Exim-users

On 23/03/2023 16:01, Jeremy Harris via Exim-users wrote:

allsmtp:
  driver = smtp
  hosts_require_tls = ${if match_domain{$domain}{+domainlist-with-TLS-Domains} {*}{}}
  multi_domain = false


Actually, better have
max_rcpt = 1
rather than the multi_domain; I'm not certain that there's coding in
the transport to check for all-same-domain when expanding $domain.

Note that there's a cost here in efficiency, which the separate
routers & transports solution does not have.
--
Cheers,
  Jeremy




Re: [exim] Something like "domains_require_tls"

2023-03-23 Thread Jeremy Harris via Exim-users

On 23/03/2023 15:30, Olaf Hopp (SCC) via Exim-users wrote:

router_A:
 domains: +domainlist-with-TLS-Domains
 transport: tlssmtp
router_B:
 domains: *
 transport: smtp

tlssmtp:
 hosts_require_tls = *
 driver = smtp
smtp:
 driver smtp


in reality two routers and transports are much more complicated but almost
identical. The same is true for the transports.

Is it somehow possible to consolidate this into one router and one transport


allsmtp:
 driver = smtp
 hosts_require_tls = ${if match_domain{$domain}{+domainlist-with-TLS-Domains} {*}{}}
 multi_domain = false

--
Cheers,
  Jeremy




Re: [exim] Tainted search query is not properly quoted

2023-03-20 Thread Jeremy Harris via Exim-users

On 20/03/2023 15:14, Odhiambo Washington via Exim-users wrote:

What mod do I need to make on it?


Quote it.  Like you already are for $sender_helo_name.
--
Cheers,
  Jeremy




Re: [exim] Stacking or renaming headers

2023-03-19 Thread Jeremy Harris via Exim-users

On 19/03/2023 17:42, Ian Z via Exim-users wrote:

   X-Original-Foo: the-ur-foo
   Foo: the-no-longer-ur-foo

I am not thinking of a header with addresses here, so Exim's rewrite
mechanism doesn't apply. Is there a "best" or "accepted" way to do
this? In particular, can I do this in an ACL:

   add_header = X-Original-Foo: $h_foo:
   set acl_m_original_foo = $h_foo:
   remove_header = Foo
   add_header = Foo: the-no-longer-$acl_m_original_foo


Yes.  And you don't need the temporary variable.


(I am not sure if the last add_header trum^H^H^H^Hoverrides the
preceding remove_header.)


No.


And if not in ACL, can I do something similar in a router or transport?


Yes, both.
--
Cheers,
  Jeremy




Re: [exim] Single quotes and transport_filter

2023-03-19 Thread Jeremy Harris via Exim-users

On 19/03/2023 17:22, Ian Z via Exim-users wrote:

Chapter 24 documents the transport_filter option. An example is given
where the argv vector for the command comes from an expansion:

   transport_filter = '/bin/cmd${if eq{$host}{a.b.c}{1}{2}}'

   This runs the command /bin/cmd1 if the host name is a.b.c, and
   /bin/cmd2 otherwise. If double quotes had been used, they would have
   been stripped by Exim when it read the option’s value.  When the
   value is used, if the single quotes were missing, the line would be
   split into two items, /bin/cmd${if and eq{$host}{a.b.c}{1}{2}, and
   an error would occur when Exim tried to expand the first one.

I have two problems grokking this:

- I can  find no other place in the spec where it is specifically
   explained what single quotes do, as opposed to double quotes.


Yup; this could be better.

In the coding I find an explanatory comment:

/* Split the command up into arguments terminated by white space. Lose
trailing space at the start and end. Double-quoted arguments can contain \\ and
\" escapes and so can be handled by the standard function; single-quoted
arguments are verbatim. Copy each argument into a new string. */



- In Section 29.3 on pipe commands (which are supposedly expanded the
   same way), there is this example:

 command = /some/path ${if eq{$local_part}{postmaster}{xx}{yy}}

 will not work, because the expansion item gets split between
 several arguments.  You have to write

 command = /some/path "${if eq{$local_part}{postmaster}{xx}{yy}}"

   So why are double quotes OK here?


The difference is an artefact of the option-handling described in
Ch.6 Sec.17 :-  if an option value *starts* with a doublequote
then it must end with one (and, implicitly, they get stripped
at that processing phase).  The pipe example does not.

--
Cheers,
  Jeremy




Re: [exim] Tainted search query is not properly quoted

2023-03-19 Thread Jeremy Harris via Exim-users

On 19/03/2023 10:58, Odhiambo Washington via Exim-users wrote:

  warn  condition= ${if eq {$acl_m_greyexpiry}{} {1}}
 set acl_m_dontcare = ${lookup sqlite {INSERT INTO greylist \
   VALUES ( '$acl_m_greyident', \

  '${eval10:$tod_epoch+300}', \

  '${quote_sqlite:$sender_host_address}', \

  '${quote_sqlite:$sender_helo_name}' );}}


It's not obvious to me what I haven't quoted properly.


The only obvious element is your $acl_m_greyident, since $tod_epoch
shouldn't be derived from wire information.  The debug "expand" channel
would show you for definite.
--
Cheers,
  Jeremy




Re: [exim] strip incoming messages of A-R headers that claim to be from our own

2023-03-16 Thread Jeremy Harris via Exim-users

On 16/03/2023 14:53, Jim Lamers via Exim-users wrote:

headers_remove = Authentication-Results
headers_add = "Authentication-Results: TEST"


You might prefer to only do the (remove, add-stripped) sequence
when there is an offending AR header present.
--
Cheers,
  Jeremy
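The selection suggested in the message above (touch the headers only when an Authentication-Results header claiming the local authserv-id is present), as an added Python sketch that is neither Exim configuration nor code from the thread. The authserv-id `mx.example.org`, the case-insensitive comparison and the sample message are assumptions constructed for the example; the message is assumed to use bare LF line endings.

```python
import re
from email import message_from_string

OUR_AUTHSERV_ID = "mx.example.org"  # assumption: this site's authserv-id


def _strip_comments(value):
    """Drop RFC 5322 comments (nested parentheses), honouring backslashes."""
    out, depth, i = [], 0, 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            if depth == 0:
                out.append(value[i:i + 2])
            i += 2
            continue
        if c == "(":
            depth += 1
        elif c == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(c)
        i += 1
    return "".join(out)


def authserv_id(value):
    """Return the lower-cased authserv-id of one Authentication-Results value:
    the first token before the first ';', ignoring folding, comments and an
    optional version number."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tokens = _strip_comments(unfolded).split(";", 1)[0].split()
    return tokens[0].strip('"').lower() if tokens else ""


def strip_forged_ar(raw, ours=OUR_AUTHSERV_ID):
    """Return (message, removed_values). The message is returned untouched
    when no header claims our authserv-id; otherwise only those headers are
    dropped and every other header keeps its position."""
    head, _, body = raw.partition("\n\n")
    headers = message_from_string(head + "\n\n").items()

    def forged(name, value):
        return (name.lower() == "authentication-results"
                and authserv_id(value) == ours.lower())

    removed = [v for k, v in headers if forged(k, v)]
    if not removed:
        return raw, []
    kept = "".join("%s: %s\n" % (k, v) for k, v in headers if not forged(k, v))
    return kept + "\n" + body, removed


# Constructed sample: two headers claim our authserv-id, one is foreign.
SAMPLE = (
    "Received: from client.example (client.example [192.0.2.10])\n"
    "\tby mx.example.org with esmtp; Thu, 16 Mar 2023 14:53:00 +0000\n"
    "Authentication-Results: mx.example.org;\n"
    " dkim=pass header.d=bank.example\n"
    "Authentication-Results: MX.Example.ORG (not really) 1;"
    " spf=pass smtp.mailfrom=bank.example\n"
    "Authentication-Results: mx.other.example; dkim=none\n"
    "From: someone@bank.example\n"
    "Subject: test\n"
    "\n"
    "body line\n"
)

if __name__ == "__main__":
    cleaned, removed = strip_forged_ar(SAMPLE)
    print("removed %d header(s)" % len(removed))
    print(cleaned)
```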




Re: [exim] strip incoming messages of A-R headers that claim to be from our own

2023-03-16 Thread Jeremy Harris via Exim-users

On 16/03/2023 14:53, Jim Lamers via Exim-users wrote:

was wondering if there are better ways to remove  incoming A-R headers
that claim to be from our own admd?


Nope.  I raised a wishlist item for it.
--
Cheers,
  Jeremy




Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)

2023-03-15 Thread Jeremy Harris via Exim-users

On 15/03/2023 20:00, Andrew C Aitchison via Exim-users wrote:


> When exim acting as a mail client wishes to send a message,
a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command
by also sending a response to the *next* command, which exim will
erroneously treat as a trusted response.


Sigh.  Nobody has *ever* shown any way that could have been exploited.
--
Cheers,
  Jeremy




Re: [exim] Error while checking expression with exim -be

2023-03-14 Thread Jeremy Harris via Exim-users

On 14/03/2023 13:17, Victor Ustugov via Exim-users wrote:

Office365 OAuth2 access token response size is over 4K)


You are seriously stretching the original intent of Exim's
string-handling with this.

[ Have you considered writing an Exim authenticator module? ]


Entering this expression interactively
many times will be very inconvenient.


a) you should be able to use stdin.  If you are
having problems with it, they are probably from
the shell (as in Bourne Shell, Ksh, Csh) expanding
or dequoting things you didn't expect

b) recent versions of the "-be" support let you
define macros and set variables
--
Cheers,
  Jeremy




Re: [exim] Hide IP address of authenticated users

2023-03-14 Thread Jeremy Harris via Exim-users

On 14/03/2023 22:02, Yves Goergen via Exim-users wrote:

Is there some explanation about this? Does it work? What does it do? Should I 
create the mentioned file if I don't have it yet?


It's a macro definition, in Exim terms.  What having it defined means
depends on the rest of the configuration; it's in no way a builtin
thing for Exim.  You need to investigate the configuration that it
is intended to be used with, and _its_ documentation.

Possibly Debian's.
--
Cheers,
  Jeremy




Re: [exim] strip incoming messages of A-R headers that claim to be from our own

2023-03-14 Thread Jeremy Harris via Exim-users

On 13/03/2023 15:59, Jim Lamers via Exim-users wrote:

This solution does not seem to work in all situations,


Can you characterize the nonworking ones?



headers_add Authentication-Results TEST


Did you miss a colon there?
--
Cheers,
  Jeremy




Re: [exim] Error while checking expression with exim -be

2023-03-14 Thread Jeremy Harris via Exim-users

On 14/03/2023 11:46, Victor Ustugov via Exim-users wrote:

When I tried to run exim with a long value of -be option, I got an error:

exim: length limit exceeded (386 > 256) for: recipient


Yes, I've run into that (just this week!)

I assume the "-be " was a retrofit after the use
of a trailing arg for a mail recipient, and just uses the same
machinery.

What you can do is use the interactive mode of -be instead;
that's ok up to more like a kB - and after that, use "backslash, newline"
continuations.
--
Cheers,
  Jeremy




Re: [exim] Is that SPAM? Or am I compromised?

2023-03-13 Thread Jeremy Harris via Exim-users

On 13/03/2023 23:43, Gedalya via Exim-users wrote:

4. On ports 587, authentication should not be advertised before STARTTLS is 
issued.


A slight suggested relaxation of that rule:  Only authentication methods
which are self-encrypted should be used on a cleartext channel.

That means the same as your simpler rule for PLAIN and LOGIN, which are
the common ones.  But the SCRAM family, for example, would be safe.
--
Cheers,
  Jeremy




Re: [exim] expansion error in OAuth2 client authenticator

2023-03-13 Thread Jeremy Harris via Exim-users

On 12/03/2023 21:51, Victor Ustugov via Exim-users wrote:

Rather, the lack of SNI support does not prevent me from getting
response to access token refresh request. But Exim puts certificate
verification error message into the logs.


Having found a way of doing basic functionality testing
of it, pushed 6fdf76d0eae4.
--
Cheers,
  Jeremy




Re: [exim] expansion error in OAuth2 client authenticator

2023-03-12 Thread Jeremy Harris via Exim-users

On 12/03/2023 17:31, Victor Ustugov via Exim-users wrote:

Jeremy Harris via Exim-users wrote on 12.03.2023 19:09:

On 12/03/2023 16:25, Victor Ustugov via Exim-users wrote:

Is it possible to use SNI with ${readsocket?

No.


Do you plan to implement this functionality?


It's not currently on the radar.  Glancing round the
code, it could be implemented with a bit of a hack.
Choosing a syntax would also be needed.

How badly do you need it?

Testing is an issue.  I think you mentioned building
a FreeBSD port for yourself; does that mean you
could take a patch and test that?
--
Cheers,
  Jeremy




Re: [exim] expansion error in OAuth2 client authenticator

2023-03-12 Thread Jeremy Harris via Exim-users

On 12/03/2023 16:25, Victor Ustugov via Exim-users wrote:

Is it possible to use SNI with ${readsocket?

No.
--
Cheers,
  Jeremy




Re: [exim] $spam_score_int

2023-03-10 Thread Jeremy Harris via Exim-users

On 10/03/2023 10:26, John McMurray via Exim-users wrote:

I'd also like to be able to increase the $spam_score_int variable so that mail 
clients can decide how they want to handle higher spam scores.


That variable is set by a call to SpamAssassin.  Your code snippet doesn't
mention it; it's unclear how you are thinking of using it.

It is described in the documentation.

You can't modify it.  You might not need to, to do what you want.
--
Cheers,
  Jeremy




Re: [exim] Ratelimiting recipients per sender_address

2023-03-09 Thread Jeremy Harris via Exim-users

On 09/03/2023 19:30, Slavko via Exim-users wrote:

On 9 March 2023 16:08:08 UTC, Jeremy Harris via Exim-users wrote:

On 09/03/2023 15:47, Olaf Hopp (SCC) via Exim-users wrote:

   "x recipients per distinct sender per time period y  > z" ?


If you used $sender_address@$recipient as the key, would
it do what you want?


Are not per_rcpt/per_addr option for that?


Probably; it depends on exactly what's being asked for.
--
Cheers,
  Jeremy




Re: [exim] Ratelimiting recipients per sender_address

2023-03-09 Thread Jeremy Harris via Exim-users

On 09/03/2023 15:47, Olaf Hopp (SCC) via Exim-users wrote:

  "x recipients per distinct sender per time period y  > z" ?


If you used $sender_address@$recipient as the key, would
it do what you want?
--
Cheers,
  Jeremy




Re: [exim] Exim, OAUTH2 and gnutls problem

2023-03-05 Thread Jeremy Harris via Exim-users

On 05/03/2023 15:59, ael via Exim-users wrote:

While testing, I have encountered two apparently benign error messages:

1) H=outlook.xx.office365.com [xx.xx.xxx.xxx] TLS error on connection (recv):
Error in the pull function.


Yes, the GnuTLS library produces this somewhat obscure message when
a read it's trying to do on the underlying TCP socket returns an
error to it.  The error can be, and most often is "the far end
closed the TCP connection" when GnuTLS is expecting a proper, graceful
notification that the TLS layer is being closed.

So long as the mail message was apparently transferred properly you
can ignore this one.

Your debug shows SMTP-level success responses for both the data
phase for the message and the SMTP QUIT after it.
--
Cheers,
  Jeremy




Re: [exim] Question about SRS

2023-03-03 Thread Jeremy Harris via Exim-users

On 03/03/2023 14:47, Patrick Cernko via Exim-users wrote:

obviously I have to use that domain in the inbound_srs* routers then


Plus any other places where your config has a notion as to what
it does with what domain names.  You're moving further away from a
basic set; you'll need to reason about it yourself.
--
Cheers,
  Jeremy




Re: [exim] Any plan to integrate DMARC for incoming email in Debian/Ubuntu releases?

2023-03-03 Thread Jeremy Harris via Exim-users

On 02/03/2023 18:43, Jämes Ménétrey via Exim-users wrote:

official packages for these platforms.


Here is the wrong place to be asking, being the upstream project
and not Debian
--
Cheers,
  Jeremy




Re: [exim] Question about SRS

2023-03-03 Thread Jeremy Harris via Exim-users

On 03/03/2023 13:22, Patrick Cernko via Exim-users wrote:

Why is it required to set max_rcpt=1 in the remote_forwarded_smtp transport?


For $original_domain to be valid.  If the transport was handling multiple
recipients then the domains could potentially be disparate.
--
Cheers,
  Jeremy




Re: [exim] How to customize the autoreply email subject?

2023-02-28 Thread Jeremy Harris via Exim-users

On 28/02/2023 08:54, Cyborg via Exim-users wrote:

Am 28.02.23 um 00:27 schrieb Tony via Exim-users:

 Now, the auto reply email subject starts with "*Autoreply*:" , I want to change 
it.  How?


Sounds like a custom rule:

grep -r -i "Autoreply" /etc/exim/*


The autoreply transport has a "subject" option
(and the string "Autoreply" is not in the source code).

https://exim.org/exim-html-current/doc/html/spec_html/ch-the_autoreply_transport.html
--
Cheers,
  Jeremy




Re: [exim] renewing the SSL certificate doesn't work

2023-02-27 Thread Jeremy Harris via Exim-users

On 27/02/2023 11:15, Gary Stainburn via Exim-users wrote:

I did suspect this, but the private key is in the correct format.


Try running Exim with debug; does it give any further hint?

Check the file ownership & permissions, also.
--
Cheers,
  Jeremy




Re: [exim] renewing the SSL certificate doesn't work

2023-02-27 Thread Jeremy Harris via Exim-users

On 27/02/2023 10:21, Gary Stainburn via Exim-users wrote:


TLS error on connection from mail14.atl281.mcsv.net [198.2.143.14] 
(SSL_CTX_use_PrivateKey_file file=/etc/pki/tls/certs/ringways.co.uk.key): 
error:0906D06C:PEM routines:PEM_read_bio:no start line

I seem to remember in the past that I had to merge the certificate with the 
bundle, so I did that too, but I still get the above error.


The error notes specifically the private-key file, so the bundle
is not the issue.

What does the file look like (do NOT post the whole thing publicly!)?


The first couple of lines should be, for the expected format, something like

   -----BEGIN PRIVATE KEY-----
   MIIEvAIBADANBgkqh...

and there should be a line

   -----END PRIVATE KEY-----

after the block of ascii-ized binary data.

--
Cheers,
  Jeremy
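
The checks suggested in the two replies above (the armour lines of the private-key file, and its permissions), as an added example that is not part of the original thread. The function name, verdict words and sample files are constructed for illustration; run it as the user Exim runs as, so that the readability test reflects what the daemon sees.

```shell
#!/bin/sh
# Added example: classify a PEM private-key file by its armour lines and
# mode bits. Only BEGIN/END labels are ever printed, never key data.

# pem_key_verdict FILE -> prints one verdict word; returns 0 only for "ok".
pem_key_verdict() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 1; }

    # Labels of every well-formed BEGIN line (CRs removed for matching).
    labels=$(tr -d '\r' < "$f" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p')
    if [ -z "$labels" ]; then
        echo no-start-line      # same wording as the OpenSSL error
        return 1
    fi

    # First label that names an unencrypted private key.
    key_label=$(printf '%s\n' "$labels" |
                grep -E '^((RSA|EC|DSA) )?PRIVATE KEY$' | head -n 1)
    if [ -z "$key_label" ]; then
        case $labels in
            *"ENCRYPTED PRIVATE KEY"*) echo encrypted-key ;;
            *CERTIFICATE*)             echo certificate-only ;;
            *)                         echo other-pem-type ;;
        esac
        return 1
    fi

    # The matching END line must be present as a whole line.
    if ! tr -d '\r' < "$f" | grep -qFx -- "-----END $key_label-----"; then
        echo no-end-line
        return 1
    fi

    # A private key should not be readable by "other".
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo world-readable
        return 1
    fi
    echo ok
}

# Constructed samples; the base64 body is filler, not a real key.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
body='Q09OU1RSVUNURUQ='
printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$body" \
    '-----END PRIVATE KEY-----' > "$demo_dir/good.key"
cp "$demo_dir/good.key" "$demo_dir/open.key"
printf '%s\n' '-BEGIN PRIVATE KEY-' "$body" \
    '-END PRIVATE KEY-' > "$demo_dir/mangled.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" \
    '-----END CERTIFICATE-----' > "$demo_dir/cert.key"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$body" > "$demo_dir/cut.key"
chmod 600 "$demo_dir"/*.key
chmod 644 "$demo_dir/open.key"

for f in "$demo_dir"/*.key; do
    printf '%-12s %s\n' "${f##*/}" "$(pem_key_verdict "$f")"
done
```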




Re: [exim] exim rewrites the "From:" address

2023-02-26 Thread Jeremy Harris via Exim-users

On 25/02/2023 23:21, Nick via Exim-users wrote:

Why is it doing this


Possibility 1: the macro is not in fact set.

Check by running "exim -bP macros | grep MAIN_FORCE_SENDER"

--
Cheers,
  Jeremy




Re: [exim] exim rewrites the "From:" address

2023-02-26 Thread Jeremy Harris via Exim-users

On 25/02/2023 23:21, Nick via Exim-users wrote:

Why is it doing this and how can I stop it?


Possibility 2:  "mailx" does not actually run exim with the arguments
you think it does.
--
Cheers,
  Jeremy




Re: [exim] A study of failing tls certs, with valid certificate files

2023-02-25 Thread Jeremy Harris via Exim-users

On 25/02/2023 14:45, Andreas Metzler via Exim-users wrote:

So it looks like something else was broken
at some point in time and is fixed again.


Good to hear.  Thanks for the follow-up.
--
Cheers,
  Jeremy




Re: [exim] Issue with Exim on an IPv6-only host

2023-02-21 Thread Jeremy Harris via Exim-users

On 21/02/2023 11:59, Sebastian Tennant via Exim-users wrote:

  hosts_require_auth = $host


Why not   hosts_require_auth = *   ?
--
Cheers,
  Jeremy




Re: [exim] Issue with Exim on an IPv6-only host

2023-02-21 Thread Jeremy Harris via Exim-users

On 20/02/2023 14:53, Sebastian Tennant via Exim-users wrote:

  ** […] R=all_via_fast_smtp_server T=fast_smtp_server […]: SMTP error
  from remote mail server after pipelined MAIL FROM:<[…]> SIZE=1537:
  530 5.7.1 Authentication required DT=1m


You got an SMTP response.  You were already talking TLS; the TLS
error basically says that the peer didn't shut it down cleanly
having sent that SMTP response - but that's fine, we got enough.

You didn't authenticate to that peer, and it's insisting that you need to.
--
Cheers,
  Jeremy




Re: [exim] Is there a way to forcably disconnect remote session using tempfail 4xx code

2023-02-21 Thread Jeremy Harris via Exim-users

On 21/02/2023 03:14, Matt Bryant via Exim-users wrote:

Is there any way in exim to force a disconnect but with a temporary 4xx failure 
rather than a hard deny and 5xx error ???. I can see 'drop' does the latter 
case but there seem no equivalent action/verb or command to issue a tempfail 
and then disconnect.


No; that's a further departure from standards than Exim is coded to do.
You could raise an RFE if you have a convincing case for it.
--
Cheers,
  Jeremy




Re: [exim] TLS authentication

2023-02-17 Thread Jeremy Harris via Exim-users

On 17/02/2023 04:18, Ian Zimmerman via Exim-users wrote:

   what is a "variable of type certificate" in exim's proudly unityped
   macro language?


$tls_{in,out}_(our,peer)cert are all certificate-type variables.
They are not useable as text, but can be used by a "certextract"
expansion.

The documentation Concept Index has an entry for "certificate", "variables".
--
Cheers,
  Jeremy




Re: [exim] TLS authentication

2023-02-16 Thread Jeremy Harris via Exim-users

On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:

Some applications (want to) only accept client certificates issued by a
dedicated non-public CA, which amounts to an authorisation server


In exim usage that's a test on a certextract of the issuer of
$tls_in_peercert, either just in ACL or as part of the
server_condition for an authenticator using the tls driver.

For either, the TLS session has to have been accepted first.
--
Cheers,
  Jeremy




Re: [exim] TLS authentication

2023-02-16 Thread Jeremy Harris via Exim-users

On 14/02/2023 00:40, Ian Zimmerman via Exim-users wrote:

Is it at all possible with OpenSSL to stop the "system" location from
being checked?


No.


If not, that seems to make the use of TLS for client
authentication impossible because any certificate presented by
e.g. Google will pass verification. Am I reading this correctly?


Please define your authentication requirements:  exactly what
do you want checked?
--
Cheers,
  Jeremy




Re: [exim] Windows based Mail servers and exim

2023-02-07 Thread Jeremy Harris via Exim-users

On 07/02/2023 15:19, The Doctor via Exim-users wrote:

For Email Admins
No connection could be made because the target computer actively refused it.


That bit there is the important info.  Unfortunately, they didn't say
what IP they tried to connect from, and unless you can infer anything
else about them (such as IPs used by previous messages from them that
you did accept), you need it to search for in your logs.  You might
have to contact the operator of that system and ask.

Then: search your Exim mainlog for connections from that IP.  If there
is one that matches the expected date/time, what was logged about it?

If none such: do you run a firewall?  What about its logs?
--
Cheers,
  Jeremy




Re: [exim] Exim 4.96 on Devuan 4.0 build problem with PCRE2

2023-02-05 Thread Jeremy Harris via Exim-users

On 05/02/2023 23:12, Mike Tubby via Exim-users wrote:

The thing is that I have pcre3-dev and the rest of the PCRE2 libraries 
installed (mind you someone will have to explain why version numbers are 
going backwards) ... ;-)


I'm not aware of a PCRE3 (and neither is https://www.pcre.org/ AFAICS)...
but I suspect your Local/Makefile is not including the right pcre library
(which is the version 2 one).
--
Cheers,
  Jeremy




Re: [exim] Connection timed out errors

2023-02-01 Thread Jeremy Harris via Exim-users

On 01/02/2023 22:53, MRob via Exim-users wrote:

Sorry, maybe I wrote it wrong: question is more to inquire if Exim checking any internal 
flags or status that make it different from use "telnet [host] 25" on command 
line. I don't understand why I could telnet-by-hand with immediate successful 
connection/no slow connect as soon after I saw the error in the log tail.


If there has been an error for a specific destination host in the
past, it is remembered so as to avoid trying to use that host
again.  Most mail destinations run multiple MX's so an alternate
will get used.

That memory does expire eventually.

Look up "hints database" in the Concept Index, if you want
more details.


Is any tip for how to take other debug steps or a way to "coax" exim to see 
what I see? Thank you for response, I do not mean to bother but this problem is very hard 
to understand.


If you have a queued message which needs to be sent to the host
in question, you can run a deliver attempt on it manually, with
debug enabled.  See the manual section on commandline options.

Also, maybe simple problem is the "timer" length was inadvertently changed. Do you mind to say if that timeout comes from a certain exim configuration setting? Thank you!


The value is an option for the transport, in the configuration.

--
Cheers,
  Jeremy




Re: [exim] Connection timed out errors

2023-02-01 Thread Jeremy Harris via Exim-users

On 01/02/2023 22:02, MRob via Exim-users wrote:

How to find why exim thinks it is timing out?


Exim thinks the connection timed out because it sets an
alarm before calling the syscall "connect" - and that
timer went off.
--
Cheers,
  Jeremy




Re: [exim] New install EXIM + Dovecot - auth permission error

2023-02-01 Thread Jeremy Harris via Exim-users

On 01/02/2023 13:26, Heiko Schlittermann via Exim-users wrote:

Sure about $auth1? Isn't it $auth2 in case of the PLAIN driver?


Not for the dovecot driver (only for the plaintext driver).
$auth1 is correct, here.
--
Cheers,
  Jeremy




Re: [exim] FreeBSD: Moving from BDB5 to BDB18

2023-01-31 Thread Jeremy Harris via Exim-users

On 31/01/2023 14:38, Odhiambo Washington via Exim-users wrote:

What changes do I need to make in Local/Makefile to achieve this?


For TDB:

 USE_TDB = y
 DBMLIB = -ltdb

For gdbm:

 USE_GDBM = yes
 DBMLIB = -lgdbm

--
Cheers,
  Jeremy




Re: [exim] Moving from BDB5 to BDB18

2023-01-31 Thread Jeremy Harris via Exim-users

On 31/01/2023 13:33, Odhiambo Washington via Exim-users wrote:

Will it ever be possible to have Exim officially build against BDB18 ?


Ever?  That depends on

- the library owner making information about it freely available
  (something that stopped after BDB version 5, Oracle having bought up 
Sleepycat)
- a maintainer with enough interest to put in the time
--
Cheers,
  Jeremy




Re: [exim] FreeBSD: Moving from BDB5 to BDB18

2023-01-31 Thread Jeremy Harris via Exim-users

On 31/01/2023 13:28, Odhiambo Washington via Exim-users wrote:

I have deinstalled BDB5 and instead installed BDB18 for the obvious reason.

Now Exim will not build at all and I am wondering whether it's possible to
build Exim against BDB18.


No. Use gdbm or tdb.
--
Cheers,
  Jeremy




Re: [exim] Exim auth driver dovecot 'LOGIN' fails?

2023-01-30 Thread Jeremy Harris via Exim-users

On 25/01/2023 16:25, Sander Smeenk via Exim-users wrote:

Is Exim's dovecot driver for LOGIN auth broken or am i doing something
wrong?


It's working fine for me in test, though I don't see you doing
anything wrong.  The debug shows the "OK" response from dovecot;
it's not clear where the temporary-error creeps in, between there
and the SMTP response.
--
Cheers,
  Jeremy




Re: [exim] spam_score_int - what to do with negative values?

2023-01-26 Thread Jeremy Harris via Exim-users

On 26/01/2023 10:31, Niels Kobschätzki via Exim-users wrote:

with a score of -12.6


How was that part verified?
--
Cheers,
  Jeremy




Re: [exim] Recipient verification

2023-01-23 Thread Jeremy Harris via Exim-users

On 23/01/2023 19:38, Johnnie W Adams via Exim-users wrote:

A light has come on in my brain. Is this as simple as going into my ingress
node and adding "require verify = recipient/callout" somewhere sensible,
like right after "require verify = sender"?


If the ingress exim routers and transports know how to talk to
said recipient, and if the recipient as the ingress sees it
is the same as the recipient as your current egress sees it
(it has not been modified [forwarded, redirected] by or in
between those two)... yes.

Why are your sources not sending these mails direct in
the first place?  Is there value in your ingress+egress
stage?
--
Cheers,
  Jeremy




Re: [exim] Recipient verification

2023-01-23 Thread Jeremy Harris via Exim-users

On 23/01/2023 18:36, Johnnie W Adams wrote:

On Fri, Jan 20, 2023 at 3:12 PM Jeremy Harris via Exim-users <
exim-users@exim.org> wrote:


On 20/01/2023 19:50, Johnnie W Adams via Exim-users wrote:
An R-verify checks routability, and (with callout) acceptability
by the destination.  If your intent is to discover nonexistent
recipients *during SMTP reception* of a message, so that
you can reject at SMTP time and thereby not have to generate
a bounce - then yes, it'll do that.  But you should be
doing this check in your rcpt ACL, and it'll only cover
messages *you* receive using SMTP (as opposed to cmdline/stdin).



I'm okay with that limitation.

What I'm unclear on is the full consequences of doing this on our egress
node rather than our ingress node. It seems to me--but I could be
wrong!--the worst that can happen is that the mail passes through our
ingress node, is refused at our egress node, and our ingress node has to
pass that failure back where it came from. What am I missing?


You're not.

If your overall system, with these two separated nodes, is forwarding
external-source messages out to somewhere else, that's what'll happen
if you R-verify on the last of your nodes.

If there's no other nodes on the path between your "ingress" and
"egress", and if the ingress is Exim, you can do something called
"cutthrough routing" to still avoid the bounce-generation.  This
turns your ingress from traditional store-and-forward mode to
a realtime forwarder, and means that a response from the egress
can be passed right back to the message source while the source-ingress
SMTP connection is active.
You can decide when to cutthrough on a per-message basis; it's an ACL
control.

Or, probably at the cost of more knowledge needed there, you could
just arrange this verification in the ingress node.


Also, if done for message-submission receptions by you
it will upset many MUAs (which have little notion that
a message being rejected is a thing, it seems).
So if that was your hope, you're onto a loser.



Our egress node should Never accept mail from an MUA, so that would not
worry me in the configuration I'm thinking of, but if the check must be
made at the ingress node, that would mean (I assume) I'd have to write a
more complicated ACL, because it does accept mail from MUAs.


Yes.  It commonly suffices to condition your ACL paths by $received_port -
25 vs. everything else, the latter being your MUA clients.  But situations
differ.


On looking again, I see that I need to put "acl_smtp_vrfy = acl_check_vrfy"
in my main configuration settings to use acl_check_vrfy in the begin acl:
section.


Almost certainly not.  acl_smtp_vrfy deals with the SMTP VRFY command,
which is not what we're dealing with here despite the naming (it's also
pretty much obsolete.  Nobody uses it; most sites refuse to answer it).

You probably want this action being done in your RCPT-time acl.  If it's
just a single verb, with a couple of conditions, put it inline.
[  ACL is a programming language.  With subroutines.  You don't have
   to use them, but once you're doing something complicated... ]

--
Cheers,
  Jeremy




Re: [exim] Recipient verification

2023-01-20 Thread Jeremy Harris via Exim-users

On 20/01/2023 19:50, Johnnie W Adams via Exim-users wrote:

Calling the ACL on all mail prevents bounces, correct?


An R-verify checks routability, and (with callout) acceptability
by the destination.  If your intent is to discover nonexistent
recipients *during SMTP reception* of a message, so that
you can reject at SMTP time and thereby not have to generate
a bounce - then yes, it'll do that.  But you should be
doing this check in your rcpt ACL, and it'll only cover
messages *you* receive using SMTP (as opposed to cmdline/stdin).

Also, if done for message-submission receptions by you
it will upset many MUAs (which have little notion that
a message being rejected is a thing, it seems).
So if that was your hope, you're onto a loser.


As to when this is called, I would put it on our egress node, which only
has acl_check_rcpt. I planned to put it after that. So more like this?

acl_check_vrfy:


I'm still trying to work out your intent.  Is that word "acl_check_vrfy"
never mentioned elsewhere (in your proposed config)?  If so, it will
have no effect.  ACL names are not magic.

When do you want it run?


--
Cheers,
  Jeremy




Re: [exim] Recipient verification

2023-01-20 Thread Jeremy Harris via Exim-users

On 20/01/2023 18:18, Johnnie W Adams via Exim-users wrote:

  I've been doing some research on recipient verification to eliminate
bounces, and am wondering if it's as simple as something like this at the end
of my ACL list:

acl_check_vrfy:

   deny

 senders = ''

 !verify = recipient/callout

  Surely it's not that simple, but I'm at a loss as to what else is
needed


You didn't say when you'd be calling this ACL, nor why you'd
only be verifying bounces.  Not generating bounces yourself
is also worthy, which means validating recipients of nonbounce
messages; using the routers and possibly transports to do the
validation (which is what "verify" does) is one way.

I assume the recipients you are validating are non-local
to this box, since you specify callout.  But you could be
confused about the intent of recipient verification.

--
Cheers,
  Jeremy




Re: [exim] Blocking a Class C

2023-01-20 Thread Jeremy Harris via Exim-users

On 19/01/2023 17:32, The Doctor via Exim-users wrote:

I assumed that you were blocking the pair
(src ip 46.148.40.108, target port 25)
and was checking that you are also blocking
(src ip 46.148.40.108, target port 465)


Could this cause a 601 error?


Possibly a typo?  SMTP does not define any 6xx error code.

Also, irrelevant.  Blocking done by a firewall would be
stopping TCP-level connection, so you won't get any SMTP
communication at all.  How a client reports that is up to it.

--
Cheers,
  Jeremy

