Re: [exim] Is that SPAM? Or am I compromised?

> From: exi.ml @ yalis.fr > > I just received a SPAM (I hope), but the headers retained my attention; > here they are, in full: An infected Windows sent this common fraudulent spam with the same email address in From: and envelope-from as the recipient. And the same domain in Message-ID. >

Re: [exim] failed expand ACL

> From: S?awomir Dworaczek > where is the error in the ACL > > continue = ${run{SHELL -c "echo $sender_host_address > >>/var/spool/exim/blacklists/blocked_IPs;\N{\N echo Subject: > $sender_host_address blocked; echo; echo for bruteforce auth cracking > attempt.;\N}\N | EXIMBINARY

Re: [exim] [mailop] T-Online is now really blocking messages from non-commercial and simliar senders

> T-Online clearly states in their terms and conditions that they will > block servers who perform sender verfication towards them. Then a different check: deny condition = ${if or{\ {eqi{$sender_address_domain}{t-online.de}}\ .ifdef _HAVE_LOOKUP_DNSDB {forany{${lookup dnsdb{>:

Re: [exim] [mailop] T-Online is now really blocking messages from non-commercial and simliar senders

Kai Siering wrote on [mailop]: > how about starting internal discussions within that community > to include a default rejection of any mail from @t-online.de > in Exim's default configuration? > As nearly no-one who is deploying Exim > (or Postfix, Sendmail for that matter) > will be able to

Re: [exim] Exim relaying but shouldn't

> From: Eric Grammatico > In fact I tried to implement the wiki: > https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingPwauth I edited that wiki: changed server_condition = ${run{/bin/bash -c "echo -e '$auth2\n$auth3' | /usr/local/bin/pwauth"}{1}{0}} to server_condition = ${and {\

Re: [exim] Exim relaying but shouldn't

P.S. No, the culprit is the apostrophe in auth login-name: > A=login_server:#xxx'uuss+zzz > server_condition = ${run{/bin/sh -c "echo -e '$auth1\n$auth2' | > /usr/sbin/pwauth"}{1}{0}} You need to add: deny message = Restricted characters in address senders = ^.*['"$#] -- ##

Re: [exim] Exim relaying but shouldn't

> From: Eric Grammatico > 2022-09-26 16:15:24 [10] 1ocotI-0A-0g <= > #xxx'uuss+...@grammatico.me H=(localhost) [45.123.190.53] P=esmtpsa > X=TLS1.2:AES256-GCM-SHA384:256 CV=no A=login_server:#xxx'uuss+zzz S=736 > 2022-09-26 16:15:31 [12] 1ocotI-0A-0g => xxx.x...@.info >

Re: [exim] malfunctioning email delivery after upgrade to Exim 4.96

> == r...@xyz.com R=xxx (-36): host lookup for did not > complete (DNS timeout?) > > There is no problem with DNS resolution of the relevant domains on those > MX servers whatsover, judging by using dig and host command in shell. A dig or host command once is not a proof. #!/bin/sh while true

Re: [exim] Autoreply empty mail from

> From: Timur > # exim -be '$primary_hostname' > says: > mail.domain.com (This is my mail host) > > from smtp transport config: > helo_data = mail.domain.com > > DKIM generated for domain.com with selector mail > There is DNS record for domain: > mail._domainkey.domain.com. TXT?? v=DKIM1;

Re: [exim] Autoreply empty mail from

> From: Timur > I have trouble with autoreply transport (and any email from Exim-self) > in check DMARK when Exim send bounce/autoreply messages to google. > I want to configure vacation-router. SPF, DKIM, PTR is configured for my > server. When I send email from myself google receives it and

Re: [exim] Exim 4.96-RC0 released

I'm concerned with the "EXPIRATION_DATE=2022-06-30" below: FreeBSD 12.3 base contains /usr/include/db.h without DB_VERSION_STRING with * @(#)db.h8.7 (Berkeley) 6/16/94 * $FreeBSD: releng/12.3/include/db.h 326024 2017-11-20 19:45:28Z pfg $ Ports have: databases/db18:

Re: [exim] Exim 4.96-RC0 released

> - Query-style lookups are now checked for quoting, if the query string is > built using untrusted data ("tainted"). For now lack of quoting is > merely logged; a future release will upgrade this to an error. Does it apply to dnsdb? If yes then how to quote for ptr, a, mxh, txt? --

Re: [exim] catching brute foce smtp auth - what condition?

> How to catch brute foce smtp auth attempts only? (== bad login or > password provided) https://github.com/Exim/exim/wiki/BlockCracking > Condition like: > > ${if eq{$authentication_failed}{1}} > > doesn't work because it also catches cases where client cancelled smtp > auth attempt (rfc2554

Re: [exim] Exim-users Digest, Vol 214, Issue 21

-- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] Subject String Manipulation

> From: Ole Klinck > Apparently Exim sometimes failed to decode the message and > just gave the RFC 2047 string Insert into beginning of Exim config: check_rfc2047_length = false -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/

Re: [exim] Problem with filter on Base64-encoded subject field

> this means that Exim cannot decode the original header for some reason. Insert into the beginning of Exim config: check_rfc2047_length = false Also, you should encode Subject back. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at

Re: [exim] Looking for an example

> From: Mark Elkins > I'm looking for an example for how to cure this problem. > > Every now and then, a user will give his password to a bad actor (Social > Engineering). That bad person then goes to my webmail interface and > sends out a lot of SPAM e-mail - which goes to my port 587 (only)

Re: [exim] Rule invalid recipients

> From: Emanuel Gonzalez > i found this rule in a site: That was forked by somebody from an earlier version of my https://github.com/Exim/exim/wiki/BlockCracking -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the

Re: [exim] Exim 4.93 published.

> From: Jeremy Harris > > store_get() is not part of the API documented (in local_scan.h) as > > being usable by local_scan and dlexpand code. > > I see however that it _is_ described as part of the API in the > documentation chapter on local-scan. My apologies. > > I'll get that chapter

Re: [exim] error ignored

P.S. How to debug delivery? I inserted into the beginning of rcpt ACL: warn domains = tiscali.cz control = debug/tag=.$message_exim_id/opts=+all The debuglog contains only lines with pid of the receiving process, including: 20:18:58 18029 DSN: SPOOL_OUT - address: |doma*@

[exim] error ignored

Exim 4.92 as a smarthost gets a 5xx after end of data, but doesn't send a DSN. In mainlog (I redacted with asterisks and inserted blanks after @): 2019-06-20 18:28:19 +0300 1hdyz4-000G6A-BR <= Len*@ lena.kiev.ua H=ip-19*6.rusa*ovka-net.ki*v.ua (bedsi*e.lena.kiev.ua) [94.244.2*.38]

Re: [exim] Matching RFC 2047 encoded text

> From: Ian Zimmerman > > check_rfc2047_length = false > > Thanks, Lena. > > If I leave it as true (the default), and $h_subject: turns out to > contain "=?UTF-8?B?", can I assume (not with certainty, but with a high > likelihood) the message violates the RFC? Yes, but filtering on that is

Re: [exim] Matching RFC 2047 encoded text

> From: Ian Zimmerman > An unwanted message arrived to my mailbox with the following Subject: > > Subject: > =?UTF-8?B?VXMgY29uZ3Jlc3MgaGVhcmluZyBvZiBtYWFuIGFsc2FhbiBNb25leSBsYXVuZHJ5INmC?= > >

Re: [exim] Spam though my server

> From: Mark Elkins > I should probably have some EXIM scripts that count repetitive failures, > both at login authentication and delivery (failure) by a user, and use > that to do automatic blocking and reporting. Lena probably has a > solution for that.

Re: [exim] Slow down ?

> When several messages are sent to @ orange.fr in a too short period of > time, they are (temporarily) refused: > > Too many connections I use in the transport: serialize_hosts = * You can use: serialize_hosts = smtp-in.orange.fr At reboot: rm /var/spool/exim/db/misc* -- ## List

Re: [exim] Block emial from my host to my host without authorization

> How to block sending mail from my host to my host users without > authorization, so that in the future there are no such situations > 41.56.57.80 is not my ip address > Received: from [41.56.57.80] > by domain.dot.com with esmtp (Exim 4.91) > (envelope-from ) > id 1gkmFE-0002ym-UR > for

Re: [exim] Auth command used when not advertised

> From: Russell King > My mail server is being hit with auth attempts when the helo hasn't > advertised the presence of authentication I always advertise AUTH but in the rcpt ACL: accept authenticated = * condition = ${if !={$received_port}{25}} -- ## List details at

Re: [exim] Help extracting From-Address

> From: Luca Bertoncello > we receive many E-Mails with faked From (Header), and I'm trying to > block them. > Currenty I extract the domain (most our own domain) and check it for SPF. In messages from mailing lists (such as this [exim-users]) the domain in "From:" header fails SPF. -- ##

Re: [exim] ${lookup{value}lsearch{file}{yes}{no}} tricks help request

> From: supportsob...@mail.ru > Could someone help with syntax of?${lookup{value}lsearch{file}{yes}{no}} > > I'm trying to write a condition that will return "FALSE" if either of hosts > from "Received:" headers (yes, any on the way from sender's server to me) > is listed

Re: [exim] Removing addresses from mail before delivery?

> From: Jon 'Boli' Copeland > I have a problem with some people insisting on CCing every single > address they have for my company on every email they send. No amount of > asking politely seems to stop this. > > What I want to do, serverside, is something like the following > > |while (TO+CC

Re: [exim] exim block auth (geoip)

> From: Emanuel Gonzalez > lately we are suffering from dictionary attacks, as a prevention method > I use "fail2ban", but in some cases users use passwords that are > easy to guess and are used to send spam through bots. This code blocks both dictionary attacks and stolen passwords used for

Re: [exim] demime -> acl_smtp_mime

> From: Marco Gaiarin > but a condition like: > > deny > message = Serious MIME defect detected ($demime_reason) > demime = * > condition = ${if >{$demime_errorlevel}{2}{1}{0}} > > how can be converted in 'acl_smtp_mime' lingo? No way I think. I'm curious: how often did you see

Re: [exim] "25 lost" is giving me useful clues

> > What this is telling me is someone at 157.0.116.189 is making > > connections to my mail server - presumable to see if they can detect the > > accounts of users on my machine? It tries to guess passwords of users on your machine (brute-force password cracking). This code catches both using

Re: [exim] Block attachment extension

> From: S?awomir Dworaczek > how to block attachment with zip rar etc. extension in Exim 4.91 ? > this entry in the configuration has stopped working > deny condition = ${if >

Re: [exim] Filter with special characters (!?)

> From: Emanuel Gonzalez It's ACL, not a filter. > In the exim log i see this: > > 2018-08-22 07:48:12 1fsQgL-000554-6N Entrantes y Salientes autenticados - > Cuenta_FROM: - X-Mailer = Microsoft Outlook > Express 6.00.2900.2950 - Subject = \277Eres el del video? > > discardcondition =

Re: [exim] tons of brute force cracking events

> acl_check_auth: > > ? drop? message = blacklisted for bruteforce cracking attempt > ??? set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1} > ??? condition = ${if >{$acl_c_authnomail}{4}} This needs also: acl_smtp_mail = acl_check_mail begin acl acl_check_mail: accept set

Re: [exim] Avoiding bounces

> I have an "info@"-address that forwards the E-Mails to other > addresses, some on them outside my servers. > > Well, unfortunately this address catches many Spam/junk E-Mails and, of > course, my Exim (4.88) tries to forward them. > Virus are blocked and will __NOT__ be forwarded, but Spam is

[exim] compiling 4.91 under FreeBSD

Had someone this error? Using port: cc tls.c In file included from tls.c:122: tls-openssl.c: In function `tls_refill': tls-openssl.c:2499: error: structure has no member named `verify_stack' tls-openssl.c:2502: error: structure has no member named `verify_stack' tls-openssl.c: In function

Re: [exim] Write acl to delete incomming emails if they have a chinese subject

> I try to write acl for incomming chinese spam. Does anyone know how to check > for chinese content? begin acl acl_check_rcpt: ... require message = relay not permitted domains = +local_domains : +relay_to_domains require verify = recipient accept hosts = +whitelisted_hosts

Re: [exim] Choosing the outbound IP address according to a Database query.

> From: Mark Elkins > Problem: I have users either with weak passwords or whom give away their > passwords... > > Result: Spammers have their "information" so can use my relay mail > server to send spam on my clients behalf to many other people. If it > bounces - then the client has a full mail

Re: [exim] Can't register in bugs.exim.org

> From: Max Kostikov > Tried few times but received nothing in email. I requested password reset, got in my log: 2018-01-06 15:40:57 +0200 131.111.8.88 whitelisted in list.dnswl.org=127.0.11.2 2018-01-06 15:40:57 +0200 SMTP connection from hummus.csx.cam.ac.uk [131.111.8.88]

Re: [exim] Count only rejected connections

> From: Sebastian Arcus > drop message = Invalid HELO/EHLO > condition= ${if eq{$received_port}{25}} > condition= ${if match{$sender_helo_name}{.+\\\..+\\\..+} \ >{no}{yes}} Some legitimate senders can have hostname and HELO with one dot

Re: [exim] Some mails are queued, other are sent immediately

> From: Jeremy Harris > Could you do that with debug enabled? Using csh, I redirected debug output (-bd -q10m -d+all) to a file with >& (both stdout and stderr to the same file, some log lines might be broken and interspersed because of buffering). The file (compressed with bzip2) can be

Re: [exim] Some mails are queued, other are sent immediately

P.S. A way to reproduce (not every time, but often): delete all files in /var/spool/exim/db , restart Exim with HUP signal, send a message to @ yahoo.com . After the message is received (with auth) by Exim, while it is waiting in the queue (for unknown reason): -rw-r- 1 mailnull mail

Re: [exim] Some mails are queued, other are sent immediately

> >> I noticed that some emails are sent immediately > >> (what I prefer), while other are queued (introducing useless delay) Same here. Exim 4.90 under FreeBSD 6 on a VPS, root@lena:/root# exim -bP log_selector log_selector = +smtp_confirmation +queue_time +queue_time_overall +deliver_time

Re: [exim] How to limit the number of emails sent by each user

> From: Sebastian Nielsen > I would suggest using an config that restricts authenticated users to > a specific IP range. Then no bots from china can successfully guess a > account. I restrict authenticated users to a non-standard port (neither 25, 465 nor 587): daemon_smtp_ports = 25 : 1234

Re: [exim] How to limit the number of emails sent by each user

> From: "Ronaldo Luiz de Carvalho" > how to limit the number of emails sent by each user? > > I use WHM and I can limit by a domain account, but into a domain I want to > set limit to a specific account. Usually such limits are in order to catch spammers. But the limits are either low and

Re: [exim] redirect suspicious messages to special postmaster accounts

> From: Emanuel Gonzalez > I have an idea to avoid sending spam from my server. Is it possible > to create a rule so that when it is sent to a recipient, the mail > is discarded and an alert arrives by email? This code sends an alert by email: https://github.com/Exim/exim/wiki/BlockCracking --

Re: [exim] getting exim metrics? (using TICK?)

> From: Patrick von der Hagen > anomaly detection (like an authenticated sender suddenly causing dozens > of bounces a minute, great indicator for compromised accounts) Automatic detection (by bounce rate) and blocking of compromised accounts entirely within Exim without external monitoring:

Re: [exim] Fwd: Rate-limit queue-processing per domain

P.P.S. Add to the router: domains = ! +local_domains -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] Fwd: Rate-limit queue-processing per domain

P.S. below a corrected version because a message can have several recipients. > From: Charlie Elgholm > Then one might suggest that the ratelimit-condition perhaps should be > implemented for the routers as well.. Then we could do > > ratelimit = 100 / 1h / / $domain The ${acl string

Re: [exim] Fwd: Rate-limit queue-processing per domain

> From: Charlie Elgholm > Then one might suggest that the ratelimit-condition perhaps should be > implemented for the routers as well.. Then we could do > > ratelimit = 100 / 1h / / $domain The ${acl string expansion item works in authenticators. You can try to use it (or "acl" expansion

Re: [exim] an antivirus for zero-day :)

One more correction: set acl_m_ud = ${sg{$mime_decoded_filename}{[^/]+\$}{}} condition = ${run{SHELL -c \ "cd $acl_m_ud; \ P7ZIP x -y $mime_decoded_filename; \ GREP -r -a -s -E \ 'rundll32|This program cannot be run in DOS mode|\

Re: [exim] an antivirus for zero-day :)

Correction: condition = ${run{SHELL -c \ "cd ${sg{$mime_decoded_filename}{[^/]+\\$}{}}; \ P7ZIP x -y $mime_decoded_filename; \ GREP -r -a -s -E \ 'rundll32|This program cannot be run in DOS mode' \ *"}{1}{0}} -- ## List details at

[exim] an antivirus for zero-day :)

> From: Paul Lenz > > > I wrote a plugin for Spamassassin which unzips every attachement and > > > (IMHO very important) unzips every MS Office file (xlsx, xlsm, docx) and > > > looks for strings like "rundll32" or "This program cannot be run in DOS > > > mode" and some

Re: [exim] Exim4 skips SpamAssassin if attachments are too big

> From: Paul Lenz > The mentioned text "Loteria" was clearly visible in the body, because it > was attached as > Content-Type: text/plain; charset="Windows-1251" > Content-Transfer-Encoding: 7bit Connect with your server using SSH, give the command: exim -bP acl_smtp_data

Re: [exim] Exim4 skips SpamAssassin if attachments are too big

> From: Paul Lenz > Today I received again an 1,3 MB message with Lottery spam. > In the body is clearly to be seen "ONLINE LOTTERY DEPARTMENT". What you see as message body is not the same as what Exim considers as message body. You see a text/html or text/plain part, for Exim message body is

Re: [exim] PLAIN authenticator that checks against two data sources

> From: Mike Brudenell > I think I'll quit worrying, leave the setup > as-is with a deferral response to the AUTH, and move on. > > This all came about because I was starting to look at rate limiting failed > attempts to AUTH along these lines >

Re: [exim] Retiring old build targets

> Given the resounding silence from volunteers, I'm tempted to retire > in the next release _everything_ apart from the current set of > representatives in the buildfarm. > > That would be: Linux, OpenBSD, FreeBSD, SunOS5. Perhaps keep DragonFly and Darwin, but unmaintained and unchanged, they

Re: [exim] Rewriting envelope from to header From

> From: Frank Richter > I'd like to rewrite envelope from "apache@*.mydomain" to the address in > header From. > I tried it according to https://github.com/Exim/exim/wiki/Q0801 with this > rewrite rule: > > apache@*.mydomain ${sg{$h_from:}{^.*<(.*)>}{\$1}} Ffrs According to

Re: [exim] recepient verification callout with defer_ok fails on graylisted server with error code 450

> From: "Dr. Volker Jaenisch" > verify = recipient/callout=2m,defer_ok,use_sender I specify "defer_ok" twice in different places: verify = recipient/defer_ok/callout=10s,defer_ok,use_sender -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at

Re: [exim] EBL: blacklist for email addresses in Reply-To and message bodies

> The Reply-To: header takes an address-list and is interpreted as such, > and IIRC used in that way by some mail-clients when subscribed to > mailing-lists but wanting personal copies of replies too. So the `rt:` > ACL is going to calculate something which will emit bogus queries to an >

[exim] EBL: blacklist for email addresses in Reply-To and message bodies

The purpose of the EBL blacklist is described on http://msbl.org/ebl-purpose.htm I tested EBL since October 2016, today it was declared in public beta: https://spammers.dontlike.us/mailman/private/list/2017-June/010493.html > The Email Blocklist has entered Beta 2, and is now open for testing by

Re: [exim] Using named queues

> From: Niels Kobsch?tzki > for getting a grip on some spammers that use > phished accounts on my system. Please try this and tell me whether it helps: https://github.com/Exim/exim/wiki/BlockCracking -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at

Re: [exim] TLS error on connection to smtp.office365.com (gnutls_handshake): An unexpected TLS packet was received.

> I know I'm connecting to port 587 since I specified it explicitly. But I > don't understand the relevance to my problem. Exim took the port number 465 from somewhere in its config. 465 is the TLS-on-connect port. In some other part of config you specified 587, but Exim nevertheless tries

Re: [exim] TLS error on connection to smtp.office365.com (gnutls_handshake): An unexpected TLS packet was received.

> The exim debug logs sort of look as if it is expecting to negotiate TLS > immediately on connection, rather than after the initial EHLO Yes. Look where the 465 came from: > Transport port=465 replaced by host-specific port=587 -- ## List details at

Re: [exim] Discard mail to certain recipients if the subject matches a string

> From: ? > I've tried nearly anything I could think of: > > Commit by > Commit\ by Insert into beginning of Exim config: check_rfc2047_length = false > From: Jasen Betts > RFC2047 sec 2 and section 6 say that all encoded words >

Re: [exim] 4.87 -> 4.88 readconf performance

> >> It triggers when a macro name contains the sequence /_[ODH]/. > > > > Does it include $header_Date: ? > > A workaround: $header_date: > > Macro, not header. Even comment lines are searched for /_[ODH]/ As far as I undrestand, every config line is searched before parsing. So, such line

Re: [exim] 4.87 -> 4.88 readconf performance

> This loop appears to be the problem. > It triggers when a macro name contains the sequence /_[ODH]/. Does it include $header_Date: ? A workaround: $header_date: > You are also correct in that when macros_create_builtin() is not > called the startup time is greatly reduced. -- ## List

Re: [exim] Ongoing email issues

> > FreeBSD > If you can, please try building the exim-4_89_RC6 How to: cd /usr/ports/distfiles/exim fetch https://ftp.exim.org/pub/exim/exim4/test/exim-4.89_RC6.tar.bz2 cd /usr/ports/mail/exim make clean extract cd work tar xof /usr/ports/distfiles/exim/exim-4.89_RC6.tar.bz2 mv exim-4.89_RC6

Re: [exim] Lack of demime support in latest verstion + more.

Instead of demime and clamav: :) P7ZIP = /usr/local/bin/7z # port archivers/p7zip in case of FreeBSD BINFORBIDDEN = Windows-executable attachments forbidden WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace # more cautious: