[exim] Exim as client to Implicit SSL

2021-08-18 Thread Rob Gunther via Exim-users
I am trying to deliver mail to a server on port 465, using implicit SSL.

There is no greeting, I assume the servers are supposed to negotiate the
encryption.

I have tested that the remote server is answering and tests I have done
with https://testssl.sh/ show there is a server there and it negotiated.

I read over this page:
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html

It talks about receiving mail and setting up port 465 to receive mail, but
nothing about sending mail that I can see.

What is needed to have EXIM send to a server using encryption other than
STARTTLS?


Robert
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


[exim] DMARC alignment when forwarding

2021-03-09 Thread Rob Gunther via Exim-users
We have Exim running as our MTA.  When we forward mail for a user, we use
SRS to ensure we do not violate the SPF policy of the sending domain.

Sometimes messages are rejected from recipients.

550-5.7.26 DMARC policy. Please contact the administrator of omnis.com
domain
550-5.7.26 if this was a legitimate mail. Please visit
550-5.7.26  https://support.google.com/mail/answer/2451690 to learn about
the
550 5.7.26 DMARC initiative.

In researching why this occurs, we have found some domains publish DMARC
policy with instructions to reject.

DMARC says either SPF must pass or DKIM must pass, along with alignment for
the message to be accepted.

We do not alter the message content when forwarding, no changing subject,
no adding footers - nothing.

SPF will not align since we modify the message envelope.

We have found that some domains that have DMARC enabled use SPF, but do not
sign their mail using DKIM at all.

Messages we forward fail SPF alignment; and no DKIM signature from the
original sender means fail fail fail.

What are possible solutions to this problem?  Other than contacting every
sending domain that does this and trying to get them to sign their mail.

We have been thinking of doing this (got the idea from Wikipedia).

1) If the domain in the from header publishes DMARC record
2) Do they have DMARC set to reject?
3) The message has no DKIM signature
4) The message passes our own SPF check

If those four conditions are met we were going to change the from header
from:

From: Happy User 

To this:

From: Happy User 

Not happy to have to do something like this, but it will get the message
past systems that are doing the DMARC check by making the sender address
invalid and our SRS/SPF will still pass inbound spam checks with our own
domain.

We would also have to ensure there is a Reply-To: header so a user could
reply to the original sender.

Any comments on doing something like this?  Is it stupid or perhaps there
is a better way?
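
The four-condition check and From rewrite described in the message above, as an added Python example that is not part of the original post and is not Exim configuration. It assumes the caller has already fetched the DMARC TXT record for the From domain and computed its own SPF result; the `.invalid` suffix is an assumed rewrite form, since the addresses in the post's From lines did not survive.

```python
from email import message_from_string
from email.utils import formataddr, parseaddr


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC1."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def must_rewrite(msg, dmarc_txt, spf_result):
    """Apply the four conditions from the post, in order."""
    record = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if record is None:                            # 1) no DMARC record published
        return False
    if record.get("p", "").lower() != "reject":   # 2) policy is not reject
        return False
    if msg.get_all("DKIM-Signature"):             # 3) message carries a signature
        return False
    return spf_result == "pass"                   # 4) our own SPF check passed


def rewrite_from(msg, suffix=".invalid"):
    """Make the From address unresolvable and keep the original in Reply-To."""
    original = msg["From"]
    name, addr = parseaddr(original)
    if not addr:
        return msg  # unparseable From: leave the message untouched
    if msg["Reply-To"] is None:
        msg["Reply-To"] = original  # never overwrite an existing Reply-To
    del msg["From"]
    msg["From"] = formataddr((name, addr + suffix))
    return msg


def forward(raw, dmarc_txt, spf_result):
    """Parse a raw message and rewrite its From header only when required."""
    msg = message_from_string(raw)
    if must_rewrite(msg, dmarc_txt, spf_result):
        rewrite_from(msg)
    return msg


# Constructed sample inputs (not from the original post).
UNSIGNED = "From: Happy User <user@example.com>\nSubject: hi\n\nbody\n"
SIGNED = "DKIM-Signature: v=1; d=example.com; s=sel; b=PLACEHOLDER\n" + UNSIGNED
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
NONE = "v=DMARC1; p=none"

if __name__ == "__main__":
    for label, raw, rec in (("unsigned/reject", UNSIGNED, REJECT),
                            ("signed/reject", SIGNED, REJECT),
                            ("unsigned/none", UNSIGNED, NONE)):
        out = forward(raw, rec, "pass")
        print(label, "->", out["From"], "| Reply-To:", out["Reply-To"])
```

Subdomain policy (`sp=`) and organizational-domain fallback are not handled here; the record passed in is taken to be the one that applies to the From domain.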


[exim] Stop SAVE appending

2020-07-05 Thread Rob Gunther via Exim-users
I'm trying to have Exim save some messages.

From a router I call a file, which contains my logic.

if first_delivery then
  if "${if exists{/msg/$message_id}{true}{false}}" is false then
    noerror save /msg/$message_id
  endif
endif


That works, it will save a copy of the message.  However, if there are
multiple recipients it will append the message once for every recipient.

I attempted to add the if exists logic, to prevent multiple copies of the
message - I only need it once.

I'm guessing that if exists uses a cached result?  The first time it does
not see the file and caches the result.

Any suggestions on how to only get a single copy in the file?  I see no
option on the save command to append or not and my if exists does not seem
to do the trick.


Re: [exim] de-taint efficiency

2020-07-03 Thread Rob Gunther via Exim-users
On Fri, Jul 3, 2020 at 6:32 PM Jeremy Harris via Exim-users <
exim-users@exim.org> wrote:

> > domainlist local_domains = lsearch;/etc/virtual/domains
> >
> > How can I just search the local_domains list?  I've looked at the various
> > lookup types but don't see any way to lookup something from the named list
> > and have it return a clean domain name that I can reference in $domain_data
> >
> >
> > I've got quite a few routers that are using 'domains =
> > lsearch,ret=key;/domains/domains.dat' which I assume Exim really is opening
> > that file and searching every time.
> >
> > Can I make it more efficient by using the named list?
>
> Exim caches list look results, so repeated use gets an efficiency
> benefit.  There is no efficiency benefit from using a named list
> per se; they are just syntactic sugar to make writing the config
> less verbose.
>
> However... specifically for your case, the cache lookup uses the
> filename of the search-definition, and then checks the options -
> so if you mix (in your case) ret=key and plain, the caching is
> inoperative.  That could be a future enhancement.
>
> But: unless you are using +local_domains in some more-complex
> manner than most people, it seems like you could put ret=key
> in that definition.
> --
> Cheers,
>   Jeremy
>
>
Wow, so close.

I did as suggested and changed the local_domains reference to:

   domainlist local_domains = lsearch,ret=key;/etc/virtual/domains

Then referencing   domains = +local_domains   in the routers works.  No
lsearch needed at that point, seems much cleaner.

However, I found a stumbling block.

I am using rewrite configuration to deal with domain aliases.  I check the
disk for a file to indicate the recipient address is an alias.  I then
rewrite the recipient address, which I guess then my new domain name of the
recipient is no longer in my local_domains variable, since I populated it
with just the original recipient domain.

Then future routers break because the domain in local_domains no longer
matches the recipient being processed.


[exim] de-taint efficiency

2020-07-03 Thread Rob Gunther via Exim-users
I got caught by the wonderful new de-taint system, fortunately the server
that I updated was not processing live mail at the time.

After a bit of struggling to understand the changes I modified my Exim
config to fix some of the issues, but suspect there may be more hiding.

I was able to get rid of some errors in routers, by doing this:

domains = lsearch,ret=key;/domains/domains.dat

That works, I can then access $domain_data in the rest of the router.

However, it sorta annoys me.

At the start of the Exim configuration file, we already load the local
domains like this:

domainlist local_domains = lsearch;/etc/virtual/domains

How can I just search the local_domains list?  I've looked at the various
lookup types but don't see any way to lookup something from the named list
and have it return a clean domain name that I can reference in $domain_data


I've got quite a few routers that are using 'domains =
lsearch,ret=key;/domains/domains.dat' which I assume Exim really is opening
that file and searching every time.

Can I make it more efficient by using the named list?


[exim] String Search - What am I doing wrong?

2019-10-09 Thread Rob Gunther via Exim-users
I am trying to conduct a search (condition) in an ACL.

condition  = ${if match {$spam_report:}{VIRUS}}

The above WORKS.

My understanding when using the match command the right element is
considered a REGEX, even though I don't need that functionality I don't see
any other way to conduct a contains search.  I'm trying to look in the
$spam_report variable for the string VIRUS.

As mentioned, as written above works.

But I actually need to search for the string VIRUS(

Now that becomes a problem as ( is important in REGEX.

I tried escaping like this VIRUS\( and also VIRUS\\(

No luck with either of these, I will get an error like this:

failed to expand ACL string "${if match {$spam_report:}{VIRUS\(}}": regular
expression error in "VIRUS(": missing ) at offset 6

What am I doing wrong here?  How do I escape the opening bracket?


Re: [exim] Access $domain in ACL?

2019-09-15 Thread Rob Gunther via Exim-users
Bummer, I see the $domain variable is not available.  RTFM and I see the
following note:

15. Data for message ACLs
In the case of RCPT (but not MAIL or DATA), $domain and $local_part are set
from the argument address. The entire SMTP command is available in
$smtp_command.

That sucks, as I don't know who the recipient of the virus-infected message
is.

Yesterday tried to do my scan in the ACL, which works, and then log when a
message contains a virus in a router but there seems to be no way to write
to the log in a router.  In the router, I actually do the scan of the virus
scan result and write the message to disk and stop processing.  The message
is then picked up and placed in quarantine, so I thought writing to a log
at that point would be good... but can't figure out any way to write to the
log in the router.  Is it really not possible, or am I missing it?


On Mon, Sep 16, 2019 at 8:51 AM Rob Gunther wrote:

> I am using acl_smtp_data to execute anti-spam/anti-virus checks.
>
> It works fine.
>
> I'm now trying to use logwrite if the result of the scan indicates the
> message contains a virus.  That part is also working, when a virus is
> detected I can write to the log.
>
> The problem is, I want to include the domain of the recipient in the log
> but $domain comes up empty.
>
> I can write the spam score and $sender_address_domain without issue.
>
> What is the requirement for $domain to be populated?
>
>
> Rob
>


[exim] Access $domain in ACL?

2019-09-15 Thread Rob Gunther via Exim-users
I am using acl_smtp_data to execute anti-spam/anti-virus checks.

It works fine.

I'm now trying to use logwrite if the result of the scan indicates the
message contains a virus.  That part is also working, when a virus is
detected I can write to the log.

The problem is, I want to include the domain of the recipient in the log
but $domain comes up empty.

I can write the spam score and $sender_address_domain without issue.

What is the requirement for $domain to be populated?


Rob


[exim] Slow Delivery - Nothing in log

2019-05-11 Thread Rob Gunther via Exim-users
I am tracing some slow delivery of mail, about 20+ minutes.

A message comes in, but Exim appears to make no delivery attempt for 20+
minutes.

The logs show the message is accepted, then 20 minutes later it is
delivered.  Nothing in the logs during the 20 minutes for that message, no
delivery attempts.

When I look through the logs, the server is delivering other messages to
said domain/server.

What would cause Exim to just hold the message in the queue like that?

It happens for a small % of mail, and the delay is not always 20 minutes.

Anything I can check out in logs or configuration to determine why it is
holding up the delivery of the messages?


[exim] (no subject)

2019-01-23 Thread Rob Gunther via Exim-users
We are accepting mail for customer domains, then delivering the mail using
Exim to the customer server.  Customer servers can be anywhere, as long as
it answers to SMTP requests.

Come across a problem, two users hosted by Google.

Customer 1 has somehow added IP restrictions in the Google platform to only
accept mail from specific IP addresses.  He has messed up and not added one
of our IP addresses to the list, so Google rejects the message deliveries
with:

421 4.7.0 IP not in whitelist for RCPT domain, closing connection.

We have Exim put the message back into the delivery queue for a retry later.

Customer 2 has no such restriction so mail can be delivered to his Google
hosted email just fine.

Both customers are having us deliver their mail to:  ASPMX.L.GOOGLE.COM

It looks like this is causing issues for Exim, as Customer 2 mail is
spending a lot of time in the queue.  Exim thinks the retry time has not
passed, so it just holds the mail.

Am I correct in assuming Exim is tracking the server status by the
destination server name?  Just ASPMX.L.GOOGLE.COM.  If we are getting those
421 errors back, Exim pauses delivery attempts for a while.

Exim does not seem to track the domain/destination server as the
combination for tracking server outages or issues etc.

Is there any way to have it not retry for Customer 1, but Customer 2 would
have its own status retained by Exim... so customer 1 can't impact customer
2 delivery speed.


Regards,


Robert


[exim] SIZE announcement @ connectf

2018-03-19 Thread Rob Gunther via Exim-users
When someone connects to Exim (or any server really) and does an EHLO the
server will return a maximum SIZE they will accept.

I ran a test against a few providers:

            SIZE Announced   Megabyte
GMAIL       157286400        150.00
Outlook     157286400        150.00
InMotion    52428800         50.00
GoDaddy     104857600        100.00
HostGator   52428800         50.00
Dreamhost   4096             39.06
One         104857600        100.00

Gmail announces a message of 150 Megabyte, I believe the size they will
accept is actually more in the range of 50 Megabyte.

I did this little bit of research because I actually want to accept
different max message sizes with Exim - BASED ON THE RECIPIENT DOMAIN.

If my Exim server answers, issues a size of 157286400 is there any way I
can (must be RFC compliant) reduce the size for specific domains?

If the recipient is domain A, I want an actual max SIZE of  35883008 or
some value lower than the size announced at initial connection.


Any ideas?


[exim] SRS reverse

2018-02-23 Thread Rob Gunther via Exim-users
I am trying to add SRS to a server to deal with mail forwarding, following
these instructions.

I have the forwarding part working.

The reverse part works as well, but I want to tweak it.  If a hash has
expired or someone is trying to hack it the router rejects the mail.  When
the router rejects the message, it returns an undelivered notice back to
the sender.

I could see this being used much like DNS amplification, someone could
pound a victim's email address using our server.

I would prefer if the SRS hash is invalid and the router rejects, that it
sends the message to :blackhole:

Is there a way for me to specify in a router if it fails, direct the
message to :blackhole:



Rob


Re: [exim] Sender Name & Email

2017-08-18 Thread Rob Gunther via Exim-users
Thanks for the confirmation guys, bit of a bummer but not the end of the
world.

I ended up using ${address:$h_from:} to let Exim provide the best possible
address and $h_from directly to try and extract any name parts on my own.

On Thu, Aug 17, 2017 at 11:07 PM, Rob Gunther wrote:

> I thought I had in the past seen variables where Exim exposed the header
> From: data of the sender.
>
> Specifically breaking it down into an email address and name parts.
>
> I see the $sender_address which exposes the envelope address, but I'm
> looking for the header parts.
>
> Of course, I can access the header directly with $h_from: but if Exim is
> splitting out the header that would be much more reliable for my purposes.
>
> Anyone know if those variables really exist, or did I dream I read it
> before?
>
>
> Regards,
>
>
> Rob
>


[exim] Sender Name & Email

2017-08-17 Thread Rob Gunther via Exim-users
I thought I had in the past seen variables where Exim exposed the header
From: data of the sender.

Specifically breaking it down into an email address and name parts.

I see the $sender_address which exposes the envelope address, but I'm
looking for the header parts.

Of course, I can access the header directly with $h_from: but if Exim is
splitting out the header that would be much more reliable for my purposes.

Anyone know if those variables really exist, or did I dream I read it
before?


Regards,


Rob


Re: [exim] Routers - Headers

2017-08-11 Thread Rob Gunther via Exim-users
Yes, router based is what I was looking at.  Here is a rundown of what I am
trying to do.  Let me say that there are NO local users on the machine at
all.  It is just for processing mail in, scan for spam, process some SPF
stuff etc. and then back out for delivery.

When a message comes in, I am using acl_smtp_data to check messages for
spam.  The spam checker has no idea who the user is, just gives its opinion
of the spam content.

We do not reject spam in the ACL, we accept all of it.

We store the spam score and recipients to a variable in the ACL so the info
can be referenced later.

Then we drop down into the routers, where we do stuff with SPF, user
aliases, domain aliases etc.  One of the routers deals with catch-all, if
the domain uses catch-all direct all unknown recipients to the catch-all
address.

Then the next router is deciding if the spam should be placed in
quarantine.  What was the spam score, what is the user preference etc.  One
of the conditions is if the message is a catch-all message or not, if it is
a catch-all message there is no spam quarantine.

So the decision of the catch-all router is what we are trying to gain
access to.  What action is the catch-all  router doing and can we act on it
in our quarantine router.

May have to keep digging on this, move the quarantine function to transport
or something... if anyone has a bright idea please let me know.


Rob

On Fri, Aug 11, 2017 at 3:58 PM, Heiko Schlittermann via Exim-users <
exim-users@exim.org> wrote:

> Rob Gunther via Exim-users <exim-users@exim.org> (Fr 11 Aug 2017 08:49:30 CEST):
> > My assumption was correct, I found this blurb in the documentation
> > <http://www.exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_routers.html>
> > on routers.
> >
> > *New header lines are not actually added until the message is in the
> > process of being transported. This means that references to header lines in
> > string expansions in the transport’s configuration do not “see” the added
> > header lines. *
>
> That talks about header lines added in transports. What is mentioned
> about header lines added in routers? (I'm not sure..)
> >
> > So back to my original question...  What can I do in a router that I can
> > then read as a condition of another router?
>
> You can try setting address_data.
>
> (And I revoke my question about the subsequent routers, as the first one
> was a redirect router…)
>
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
> --
>  SCHLITTERMANN.de  internet & unix support -
>  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
>  gnupg encrypted messages are welcome --- key ID: F69376CE -
>  ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -
>

Re: [exim] Routers - Headers

2017-08-11 Thread Rob Gunther via Exim-users
My assumption was correct, I found this blurb in the documentation
<http://www.exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_routers.html>
on routers.

*New header lines are not actually added until the message is in the
process of being transported. This means that references to header lines in
string expansions in the transport’s configuration do not “see” the added
header lines. *

So back to my original question...  What can I do in a router that I can
then read as a condition of another router?

On Fri, Aug 11, 2017 at 10:20 AM, Rob Gunther wrote:

> I have a router that I use for catch-all purposes.  If the conditions are
> all valid, it adds a header and redirects the message to the catch-all
> account defined for the domain.
>
> headers_add = "X-Catch-All: u...@example.com"
>
> That works fine, has been working for years.
>
> Further down in my router list I am trying to add a new router, that I do
> *not* want to run if the message has the X-Catch-All header.
>
> I basically want something like this (but have not gotten it to work).
>
> condition = ${if !def:h_x-catch-all:}
>
> Since I have not been able to get it to work, I am assuming the header is not
> actually added yet when passing through the 2nd router.
>
> What can I do in the 1st router, that would allow me to exclude the
> message from being processed in the 2nd router?
>
>
> Rob
>

[exim] Routers - Headers

2017-08-10 Thread Rob Gunther via Exim-users
I have a router that I use for catch-all purposes.  If the conditions are
all valid, it adds a header and redirects the message to the catch-all
account defined for the domain.

headers_add = "X-Catch-All: u...@example.com"

That works fine, has been working for years.

Further down in my router list I am trying to add a new router, that I do
*not* want to run if the message has the X-Catch-All header.

I basically want something like this (but have not gotten it to work).

condition = ${if !def:h_x-catch-all:}

Since I have not been able to get it to work, I am assuming the header is not
actually added yet when passing through the 2nd router.

What can I do in the 1st router, that would allow me to exclude the message
from being processed in the 2nd router?


Rob


[exim] How to go about 'saving bits'

2017-08-06 Thread Rob Gunther via Exim-users
We want to use a filter to save a snippet of information from every
message.  Ideally, we would like to save the message sender & recipients
(we store recipients in a variable in the ACL that we can reference) to a
file.

I guess the question is, how can I make a little file for every message
processed and drop some variables into it so we can have an external
process read them later?



Regards,


Rob


[exim] nhash - how to reproduce?

2017-08-04 Thread Rob Gunther via Exim-users
I am looking at nhash in exim to store email into different folders to
prevent too many messages in a single folder.

How does nhash actually work though?  If I have exim store the message
based on this hash but I want to look up where said message was stored
using some other system, how can I calculate the hash so I know where the
file is?

Searching this group this topic came up back in 2010 but the link from back
then is dead.


So I guess I am looking for the logic, so I can produce it in another
language so I can find my mail...


Regards,


Rob
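
The numeric hash behind `${nhash{n}{string}}` and `${nhash{n}{m}{string}}`, reimplemented in Python as an added example that is not part of the original post or the Exim sources. It follows the algorithm in Exim's `src/expand.c` and reproduces the `6/33` result the Exim specification gives for `${nhash{8}{64}{supercalifragilisticexpialidocious}}`; `hashed_path` and the `/msg` base directory are assumptions for illustration.

```python
# Prime table as used by Exim's numeric hash; the loop below never reaches
# index 0, so the value 2 is present but unused (this matches Exim).
PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29,
          31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
          73, 79, 83, 89, 97, 101, 103, 107, 109, 113]


def exim_nhash(subject, n, m=None):
    """Return the string Exim yields for ${nhash{n}{subject}} or, when m is
    given, ${nhash{n}{m}{subject}} (the "a/b" two-level form)."""
    if n <= 0 or (m is not None and m <= 0):
        raise ValueError("n and m must be positive integers")
    # Exim hashes the raw bytes of the string, not code points.
    data = subject.encode("utf-8") if isinstance(subject, str) else bytes(subject)
    total = 0
    i = 0
    for byte in data:
        if i == 0:                 # wrap back to the largest prime
            i = len(PRIMES) - 1
        total += PRIMES[i] * byte  # weight each byte by the next prime down
        i -= 1
    if m is None:
        return str(total % n)
    total %= n * m
    return f"{total // m}/{total % m}"


def hashed_path(base, key, n, m=None):
    """Hypothetical helper: the directory layout <base>/<nhash>/<key>."""
    return f"{base.rstrip('/')}/{exim_nhash(key, n, m)}/{key}"


if __name__ == "__main__":
    # Documented example from the Exim specification.
    print(exim_nhash("supercalifragilisticexpialidocious", 8, 64))
    # Constructed message id, used only to show the resulting path shape.
    print(hashed_path("/msg", "1deGnX-0004Xb-7f", 16, 16))
```

Exim accumulates into a C `unsigned long`, so the two agree for any realistic key length; check a few keys against `exim -be '${nhash{8}{64}{...}}'` on the actual build before relying on the layout.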