Re: [exim] Recipient Verification Bypassed

2016-12-02 Thread Rical Jasan
On 12/02/2016 12:43 AM, Heiko Schlittermann wrote:
> Rical Jasan  (Fr 02 Dez 2016 09:17:16 CET):
> …
>> > That works, after adding the inet_listener to Dovecot.  Thank you!
>> > I did have a problem with "hosts = localhost", though:
>> > 23:50:31 16287 no IP address for host name localhost: skipping
>> > 
>> > which resulted in a defer.  I had to use 127.0.0.1 (which then appeared
>> > to incur a DNS lookup on that as though it were a name...).  Exim
>> > /should/ be able to resolve the name "localhost":
>> > $ cat /etc/hosts
>> > 127.0.0.1   localhost localhost.localdomain localhost4
>> > localhost4.localdomain4
>> > ::1 localhost localhost.localdomain localhost6
>> > localhost6.localdomain6
> The nameserver from my resolv.conf resolves 'localhost'. If I'm not
> wrong, Exim uses DNS in the first place to resolve a hostname.
> 
> (I'm not sure about a fallback, if there is no answer from the DNS
> server.)
> 
> Probably your DNS responds with NXDOMAIN?

D'oh!  I really should have been able to troubleshoot that myself.  I
had set up reverse zones for the localhost addresses, but was missing
one for localhost itself.  Thanks for the pointer.

> > >> > 2016-11-30 15:25:56 [13335] Exim configuration error in line 855 of
> > >> > /usr/local/etc/exim.conf:
> > >> >   option "socket" unknown
>>> > > I'm working in it..
>> > 
>> > What about a private option for the lmtp transport that told Exim to
>> > follow through with callouts?  Something like force_callouts.
> I'm lost. I'm not sure, how to understand it.

I read that as "working on it", like you were working on a feature for
the smtp transport to accept a socket option.  Since I have to pay the
price of using a network socket instead of a UNIX socket in order to
trick Exim into actually using the transport to complete recipient
verification callouts, I thought maybe an option for the lmtp transport
to tell Exim to do the callout even though it wasn't smtp might be nice.

I was looking at the sources and thinking do_callout in verify.c seemed
a likely candidate.  Somewhere around here, where there appears to be a
short-circuit:

else if (Ustrcmp(addr->transport->driver_name, "smtp") != 0)
  log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp",

That is probably a better topic for the development list, but I would be
interested in knowing if anyone else was interested, or opposed.


At any rate, recipient verification is finally working!  Thank you for
all the help!

Rical

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] Recipient Verification Bypassed

2016-12-02 Thread Heiko Schlittermann
Rical Jasan  (Fr 02 Dez 2016 09:17:16 CET):
…
> That works, after adding the inet_listener to Dovecot.  Thank you!
> I did have a problem with "hosts = localhost", though:
> 23:50:31 16287 no IP address for host name localhost: skipping
> 
> which resulted in a defer.  I had to use 127.0.0.1 (which then appeared
> to incur a DNS lookup on that as though it were a name...).  Exim
> /should/ be able to resolve the name "localhost":

> $ cat /etc/hosts
> 127.0.0.1   localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6

The nameserver from my resolv.conf resolves 'localhost'. If I'm not
wrong, Exim uses DNS in the first place to resolve a hostname.

(I'm not sure about a fallback, if there is no answer from the DNS
server.)

Probably your DNS responds with NXDOMAIN?

> >> > 2016-11-30 15:25:56 [13335] Exim configuration error in line 855 of
> >> > /usr/local/etc/exim.conf:
> >> >   option "socket" unknown
> > I'm working in it..
> 
> What about a private option for the lmtp transport that told Exim to
> follow through with callouts?  Something like force_callouts.

I'm lost. I'm not sure, how to understand it.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -



Re: [exim] Recipient Verification Bypassed

2016-12-02 Thread Rical Jasan
On 12/01/2016 12:11 AM, Heiko Schlittermann wrote:
> Hi,
> 
>> > On 11/28/2016 11:51 PM, Heiko Schlittermann wrote:
> ...
>>> > > lmtp_transport:
>>> > > driver = smtp
>>> > > protocol = lmtp
>>> > > socket = /run/dovecot/lmtp # or whatever
>>> > > …
> Sorry for the confusion, I didn't check my config well enough.
> I cut some experimental snippet.
> 
> lmtp_transport:
> driver = smtp
> protocol = lmtp
> hosts = localhost
> allow_localhost
> 
> is better :)

That works, after adding the inet_listener to Dovecot.  Thank you!

I did have a problem with "hosts = localhost", though:

23:50:31 16287 no IP address for host name localhost: skipping

which resulted in a defer.  I had to use 127.0.0.1 (which then appeared
to incur a DNS lookup on that as though it were a name...).  Exim
/should/ be able to resolve the name "localhost":

$ cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

>> > 2016-11-30 15:25:56 [13335] Exim configuration error in line 855 of
>> > /usr/local/etc/exim.conf:
>> >   option "socket" unknown
> I'm working in it..

What about a private option for the lmtp transport that told Exim to
follow through with callouts?  Something like force_callouts.

Rical


Re: [exim] Recipient Verification Bypassed

2016-12-01 Thread Heiko Schlittermann
Hi,

> On 11/28/2016 11:51 PM, Heiko Schlittermann wrote:
...
> > lmtp_transport:
> > driver = smtp
> > protocol = lmtp
> > socket = /run/dovecot/lmtp # or whatever
> > …

Sorry for the confusion, I didn't check my config well enough.
I cut some experimental snippet.

lmtp_transport:
driver = smtp
protocol = lmtp
hosts = localhost
allow_localhost

is better :)

> 2016-11-30 15:25:56 [13335] Exim configuration error in line 855 of
> /usr/local/etc/exim.conf:
>   option "socket" unknown

I'm working in it..

-- 
Heiko



Re: [exim] Recipient Verification Bypassed

2016-11-30 Thread Rical Jasan
On 11/28/2016 11:51 PM, Heiko Schlittermann wrote:
> In your case callout verification probably doesn't work, as long as you
> use driver=lmtp, because callouts are done only for *remote* deliveries,
> and LMTP isn't considered remote. Though, there is some trick
> 
> lmtp_transport:
> driver = smtp
> protocol = lmtp
> socket = /run/dovecot/lmtp # or whatever
> …

That makes sense when you frame the issue that way.  There is one
problem with your nifty trick, though:

# exim -bV
Exim version 4.87 #17 built 20-Sep-2016 02:00:04
Copyright (c) University of Cambridge, 1995 - 2016
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2016
Probably GDBM (native mode)
Support for: crypteq iconv() IPv6 GnuTLS Content_Scanning DKIM DNSSEC Event I18N OCSP PRDR
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz dnsdb
Authenticators: plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
2016-11-30 15:25:56 [13335] Exim configuration error in line 855 of /usr/local/etc/exim.conf:
  option "socket" unknown

The transport:

lmtp:
  driver = smtp
  protocol = lmtp
  socket = /var/local/run/dovecot/lmtp
  batch_max = 32


Rical


Re: [exim] Recipient Verification Bypassed

2016-11-28 Thread Heiko Schlittermann
Hi Rical,

Rical Jasan  (Di 29 Nov 2016 08:21:11 CET):
> On 11/28/2016 03:19 AM, Drav Sloan wrote:
> >> 2016-11-27 23:35:54 [7002] cwd=/var/local/spool/exim 3 args:
> >> /usr/local/sbin/exim -Mc 1cBGTh-0001ou-9V
> >> 2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** u...@domain.tld
> >> F= P=
> >> R=dovecot T=lmtp: LMTP error after RCPT TO: 550 5.1.1
> >>  User doesn't exist: u...@domain.tld
> > 
> > Given that the final delivery point is LMTP, I assume you are delivering
> > onto something like Cyrus IMAP?
> 
> Dovecot's LMTP server, over a UNIX socket.  Works fine, when it's
> actually used, as you can see above.  :)


> > In which case, your router which delivers onto the LMTP process will 
> > probably
> > not do local_part verification, which causes the recipient/callout to work
> > for any local_part.
> > 
> > You can verify that by doing:
> > exim -bt somefakelocal_p...@pachijimenez.com

Using `exim -bt` or `exim -bv` you can verify the routing, that is,
you're checking whether there is a chance of a successful delivery. This
approach works if your routers are able to verify the existence of a
given user (it works for any kind of lookup: passwd, ldap, *sql, …).

verify = recipient

in some ACL asks for "static" verification, that is, it's roughly
equivalent to `exim -bv`. It doesn't help if you can't do some kind of
lookup.

verify = recipient/callout

checks the routing (probably quite useless if you can't access a user
database) and then does a delivery attempt (EHLO, MAIL FROM, RCPT TO,
QUIT) to the final destination.

For ACL testing, `-bv` and `-bt` don't help. You need

`exim -bhc ` 

Best used with swaks:

swaks -f … -t … --pipe 'exim -bhc '


> I guess my question is now, is there a way to make Exim use the
> transport and actually follow-through with the callout?  See my response
> to Jeremy on the list (sorry, I should have CC'd you), where another

In your case callout verification probably doesn't work, as long as you
use driver=lmtp, because callouts are done only for *remote* deliveries,
and LMTP isn't considered remote. Though, there is some trick

lmtp_transport:
driver = smtp
protocol = lmtp
socket = /run/dovecot/lmtp # or whatever
…


BTW …
> >   # Get the local part minus any suffixes
> >   warn set acl_m9 = ${sg{${lc:$local_part}}{[+-].+\$}{}}

Meanwhile we have named ACL variables:  set acl_m_foo = …

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -


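The distinction Heiko draws above between "static" verification (routing only, what `exim -bt`/`exim -bv` and plain `verify = recipient` check) and a callout (a real LHLO/EHLO, MAIL FROM, RCPT TO, QUIT against the final destination) is the whole story of this thread: an `accept` router with no local_part lookup routes every address in a hosted domain, so only the callout can discover that the mailbox does not exist. The following Python script is an added example, not code from the thread, from Exim or from Dovecot. It models the thread's `dovecot` router as `route()`, runs an in-process mock LMTP responder on a loopback TCP port (standing in for the `hosts = localhost` trick, since a callout needs a host to connect to), and performs the callout exchange itself; the mailbox table, domain names, function names and reply texts are all constructed for the demonstration.

```python
r"""Added example (not code from the exim-users thread or from Exim itself):
models why static recipient verification accepted mail for nonexistent users
in this thread while a real callout would have rejected it.  The router, the
mailbox table and the LMTP responder below are constructed stand-ins."""
import socket
import threading

# Constructed stand-in for Dovecot's user database.
MAILBOXES = {"alice@domain.tld", "bob@domain.tld"}
VMAIL_DOMAINS = {"domain.tld"}


def route(address):
    """Static verification, i.e. what `exim -bt` / `verify = recipient` check.
    Like the thread's `dovecot` router (driver = accept, domains = +vmail_domains,
    no local_part lookup) it accepts *any* local part in a hosted domain."""
    local_part, _, domain = address.rpartition("@")
    return "lmtp" if local_part and domain in VMAIL_DOMAINS else None


def serve_lmtp(listener, connections):
    """Minimal LMTP responder.  RCPT TO gets 250 for a known mailbox and the
    550 5.1.1 seen in the thread's delivery log otherwise."""
    for _ in range(connections):
        conn, _ = listener.accept()
        with conn, conn.makefile("rb") as rf, conn.makefile("wb") as wf:
            def reply(text):
                wf.write(text.encode() + b"\r\n")
                wf.flush()
            reply("220 mock.lmtp LMTP ready")
            for raw in rf:
                line = raw.decode().strip()
                verb = line.split(None, 1)[0].upper() if line else ""
                if verb == "LHLO":
                    reply("250 mock.lmtp")
                elif verb == "MAIL":
                    reply("250 2.1.0 OK")
                elif verb == "RCPT":
                    rcpt = line.split("<", 1)[1].rstrip(">").lower()
                    reply("250 2.1.5 OK" if rcpt in MAILBOXES
                          else "550 5.1.1 User doesn't exist")
                elif verb == "QUIT":
                    reply("221 2.0.0 Bye")
                    break
                else:
                    reply("500 5.5.1 Command not recognised")


def callout(address, port):
    """The callout done for verify = recipient/callout: connect to the transport's
    host, LHLO, MAIL FROM:<>, RCPT TO, QUIT, and judge the RCPT reply."""
    with socket.create_connection(("127.0.0.1", port)) as s, \
            s.makefile("rb") as rf, s.makefile("wb") as wf:
        def cmd(text):
            wf.write(text.encode() + b"\r\n")
            wf.flush()
            return rf.readline().decode().strip()
        rf.readline()                      # banner
        cmd("LHLO verifier.local")         # LMTP uses LHLO where SMTP uses EHLO
        cmd("MAIL FROM:<>")                # callouts use the empty sender
        rcpt_reply = cmd(f"RCPT TO:<{address}>")
        cmd("QUIT")
        return rcpt_reply.startswith("2"), rcpt_reply


def verify_recipient(address, callout_port=None):
    """Returns ("accept"|"deny", reason).  Without callout_port this is static
    verification only; with it, a routed address is additionally called out."""
    if route(address) is None:
        return "deny", "no router accepted the address"
    if callout_port is None:
        return "accept", "routed to lmtp transport"
    ok, reply = callout(address, callout_port)
    return ("accept" if ok else "deny"), reply


def run_demo(addresses=("alice@domain.tld", "nobody@domain.tld", "x@elsewhere.example")):
    """Runs static and callout verification for each address against an
    in-process mock LMTP server listening on an ephemeral loopback port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    port = listener.getsockname()[1]
    expected_connections = sum(route(a) is not None for a in addresses)
    server = threading.Thread(target=serve_lmtp,
                              args=(listener, expected_connections), daemon=True)
    server.start()
    results = {a: {"static": verify_recipient(a), "callout": verify_recipient(a, port)}
               for a in addresses}
    server.join()
    listener.close()
    return results


if __name__ == "__main__":
    for address, outcome in run_demo().items():
        print(address, outcome)
```

Running it shows `nobody@domain.tld` as "accept" under static verification (the router has nothing to decline on) and "deny" with the 550 5.1.1 reply once the callout actually reaches the LMTP server, which is exactly the gap that let the spam through; an address in a domain no router accepts is denied either way without any connection being made.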

Re: [exim] Recipient Verification Bypassed

2016-11-28 Thread Rical Jasan
On 11/28/2016 03:19 AM, Drav Sloan wrote:
> Rical Jasan wrote:
> 
> [snip]
> 
>> 2016-11-27 23:35:54 [7002] cwd=/var/local/spool/exim 3 args:
>> /usr/local/sbin/exim -Mc 1cBGTh-0001ou-9V
>> 2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** u...@domain.tld
>> F= P=
>> R=dovecot T=lmtp: LMTP error after RCPT TO: 550 5.1.1
>>  User doesn't exist: u...@domain.tld
> 
> Given that the final delivery point is LMTP, I assume you are delivering
> onto something like Cyrus IMAP?

Dovecot's LMTP server, over a UNIX socket.  Works fine, when it's
actually used, as you can see above.  :)

> In which case, your router which delivers onto the LMTP process will probably
> not do local_part verification, which causes the recipient/callout to work
> for any local_part.
> 
> You can verify that by doing:
> 
> exim -bt somefakelocal_p...@pachijimenez.com

That was the spammer's domain; mine just says:

$ exim -bt somefakelocal_p...@domain.tld
somefakelocal_p...@domain.tld
  router = dovecot, transport = lmtp

> (and use the additional -d+all argument to exim if you want to see debugged
> processing of that routing). I think you will find it will say that all
> addresses (valid or not) are deliverable.

It seems to stop without trying the lmtp transport, if that's what you
mean.  I guess since the router didn't decline, having found a
transport, that means valid?  I see that it simply queues the address:

$ exim -d+all -bt somefakelocal_p...@domain.tld
...
22:33:03  9653 vmail_aliases router declined for
somefakelocal_p...@domain.tld
22:33:03  9653 > dovecot router <
22:33:03  9653 local_part=somefakelocal_part domain=domain.tld
22:33:03  9653 checking domains
22:33:03  9653 cached yes match for +vmail_domains
22:33:03  9653 cached lookup data = NULL
22:33:03  9653 domain.tld in "+vmail_domains"? yes (matched
"+vmail_domains" - cached)
22:33:03  9653 calling dovecot router
22:33:03  9653 dovecot router called for somefakelocal_p...@domain.tld
22:33:03  9653   domain = domain.tld
22:33:03  9653 set transport lmtp
22:33:03  9653 queued for lmtp transport: local_part = somefakelocal_part
22:33:03  9653 domain = domain.tld
22:33:03  9653   errors_to=NULL
22:33:03  9653   domain_data=NULL localpart_data=NULL
22:33:03  9653 routed by dovecot router
22:33:03  9653   envelope to: somefakelocal_p...@domain.tld
22:33:03  9653   transport: lmtp
somefakelocal_p...@domain.tld
  router = dovecot, transport = lmtp

> You can add an additional check in your acl_check_rcpt, which can validate
> that a user exists for a cyrus domain with something like:
> 
>   deny domains = +local_domains
>        !condition = ${run {/usr/sbin/mbpath -q -s user.$local_part}{true}{false}}

Would I really have to do something like call `doveadm user ...' just to
do what Exim is already going to do (just not soon enough)?  I was sure
failed recipient verification was a misconfiguration on my part,
especially using /callout.

I see that §43.45 says, "A successful callout does not guarantee that a
real delivery to the address would succeed; on the other hand, a failing
callout does guarantee that a delivery would fail.", but it seems a
different issue, because the callout isn't actually happening, otherwise
it would know about the guaranteed failure.

> If you use address suffixes, you can work around it with something like:
> 
>   # Get the local part minus any suffixes
>   warn set acl_m9 = ${sg{${lc:$local_part}}{[+-].+\$}{}}
> 
>   deny domains = +local_domains
>        !condition = ${run {/usr/sbin/mbpath -q -s user.$acl_m9}{true}{false}}

Nothing that fancy yet.

> Note, use of mbpath requires exim to have permission to read the cyrus
> mailboxes.db file for this command to work properly.

Right.  Similarly for doveadm.

> Also make sure $acl_m9 is not used by some other ACL :)

Of course.  :)

I guess my question is now, is there a way to make Exim use the
transport and actually follow-through with the callout?  See my response
to Jeremy on the list (sorry, I should have CC'd you), where another
test (-bhc) resulted in the verification stopping because neither the
router nor the transport provided a host list.  I'm unclear as to what
host list it wants.  If it wants to know what host to use for testing,
it's obviously a socket on the localhost's file system.

Thank you for the help.

Rical


Re: [exim] Recipient Verification Bypassed

2016-11-28 Thread Rical Jasan
On 11/28/2016 03:14 AM, Jeremy Harris wrote:
> On 28/11/16 11:00, Rical Jasan wrote:
>> I noticed a few spam messages being accepted (saw the bounces failing)
>> for seemingly unverified recipients, and having a hard time tracking
>> down why.
> 
> Try feeding one in manually that duplicates it, using -bhc and
> -d-all+acl.

I get this:

check verify = recipient/callout
>>>
...
Cannot do callout: neither router nor transport provided a host list
--- end verify 

The router:

dovecot:
  driver = accept
  domains = +vmail_domains
  transport = lmtp

The transport:

lmtp:
  driver = lmtp
  socket = /var/local/run/dovecot/lmtp
  batch_max = 32


I had added /callout to specifically address the issue of not accepting
messages for invalid recipients at SMTP-time, and had verified it fixed
my problem then ...but maybe I hallucinated that.  Have I really just
not noticed I've been accepting mail for invalid recipients this whole
time?  :\

It also seems strange the message is accepted at all.  Isn't that what
defer_ok is for?  It's intentionally absent, since I don't (think I)
want that.  If I can't verify a recipient I don't want to take the message.

Rical


Re: [exim] Recipient Verification Bypassed

2016-11-28 Thread Drav Sloan
Rical Jasan wrote:

[snip]

> 2016-11-27 23:35:54 [7002] cwd=/var/local/spool/exim 3 args:
> /usr/local/sbin/exim -Mc 1cBGTh-0001ou-9V
> 2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** u...@domain.tld
> F= P=
> R=dovecot T=lmtp: LMTP error after RCPT TO: 550 5.1.1
>  User doesn't exist: u...@domain.tld

Given that the final delivery point is LMTP, I assume you are delivering
onto something like Cyrus IMAP?

In which case, your router which delivers onto the LMTP process will probably
not do local_part verification, which causes the recipient/callout to work
for any local_part.

You can verify that by doing:

exim -bt somefakelocal_p...@pachijimenez.com

(and use the additional -d+all argument to exim if you want to see debugged
processing of that routing). I think you will find it will say that all
addresses (valid or not) are deliverable.

You can add an additional check in your acl_check_rcpt, which can validate
that a user exists for a cyrus domain with something like:

  deny domains = +local_domains
       !condition = ${run {/usr/sbin/mbpath -q -s user.$local_part}{true}{false}}

If you use address suffixes, you can work around it with something like:

  # Get the local part minus any suffixes
  warn set acl_m9 = ${sg{${lc:$local_part}}{[+-].+\$}{}}

  deny domains = +local_domains
       !condition = ${run {/usr/sbin/mbpath -q -s user.$acl_m9}{true}{false}}

Note, use of mbpath requires exim to have permission to read the cyrus
mailboxes.db file for this command to work properly.

Also make sure $acl_m9 is not used by some other ACL :)

Regards

D.



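Drav's two ACL fragments above check the mailbox directly from `acl_check_rcpt` instead of relying on the router, and the second one first strips an address suffix with `${sg{${lc:$local_part}}{[+-].+\$}{}}`. The following Python script is an added example, not code from the thread, from Exim or from Cyrus: it models that logic on constructed data, replacing the `mbpath -q -s user.<name>` lookup with a small mailbox table, so the behaviour of the suffix pattern can be seen on several local parts. The user table, the domain, and the function names (`strip_suffix`, `mailbox_exists`, `rcpt_denied`) are assumptions made for the demonstration.

```python
r"""Added example (not code from the thread, from Exim or from Cyrus): models the
`deny ... !condition = ${run {mbpath ...}{true}{false}}` check suggested above,
including the ${sg{...}{[+-].+\$}{}} suffix stripping, on constructed data."""
import re

# Constructed stand-in for the Cyrus mailboxes that `mbpath -q -s user.<name>` would find.
CYRUS_USERS = {"alice", "bob", "ann-marie"}
LOCAL_DOMAINS = {"domain.tld"}

# Same pattern as the ACL's ${sg{...}{[+-].+\$}{}}.  The backslash before the $
# in the Exim config only stops Exim's string expansion from treating $ as a
# variable reference; the regex itself is [+-].+$ .
SUFFIX_RE = re.compile(r"[+-].+$")


def strip_suffix(local_part):
    r"""${sg{${lc:$local_part}}{[+-].+\$}{}}: lowercase, then remove everything
    from the first '+' or '-' to the end of the local part."""
    return SUFFIX_RE.sub("", local_part.lower())


def mailbox_exists(user):
    """Stands in for ${run {/usr/sbin/mbpath -q -s user.<user>}{true}{false}}."""
    return user in CYRUS_USERS


def rcpt_denied(address, strip=True):
    """True when the suggested `deny` statement would match this recipient.
    strip=False models the first variant, which has no suffix handling."""
    local_part, _, domain = address.rpartition("@")
    if domain not in LOCAL_DOMAINS:
        return False   # `domains = +local_domains` did not match; this deny does not apply
    user = strip_suffix(local_part) if strip else local_part.lower()
    return not mailbox_exists(user)


if __name__ == "__main__":
    for addr in ("alice+lists@domain.tld", "nobody@domain.tld",
                 "ann-marie@domain.tld", "bob@elsewhere.example"):
        print(addr, "denied" if rcpt_denied(addr) else "passes this statement")
```

One caveat the example makes visible: because the pattern removes everything from the first `+` or `-`, a real local part that itself contains a hyphen (`ann-marie` here) is reduced to `ann` and gets denied even though the mailbox exists, so the suffix-stripping variant is only safe if `-` never occurs in genuine user names on that system.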

Re: [exim] Recipient Verification Bypassed

2016-11-28 Thread Jeremy Harris
On 28/11/16 11:00, Rical Jasan wrote:
> I noticed a few spam messages being accepted (saw the bounces failing)
> for seemingly unverified recipients, and having a hard time tracking
> down why.

Try feeding one in manually that duplicates it, using -bhc and
-d-all+acl.
-- 
Cheers,
  Jeremy
