Re: [exim] Recipient Verification Bypassed
On 12/02/2016 12:43 AM, Heiko Schlittermann wrote:
> Rical Jasan (Fr 02 Dez 2016 09:17:16 CET):
> …
>> That works, after adding the inet_listener to Dovecot. Thank you!
>> I did have a problem with "hosts = localhost", though:
>>
>>     23:50:31 16287 no IP address for host name localhost: skipping
>>
>> which resulted in a defer. I had to use 127.0.0.1 (which then appeared
>> to incur a DNS lookup on that as though it were a name...). Exim
>> /should/ be able to resolve the name "localhost":
>>
>>     $ cat /etc/hosts
>>     127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
>>     ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
>
> The nameserver from my resolv.conf resolves 'localhost'. If I'm not
> wrong, Exim uses DNS in the first place to resolve a hostname.
>
> (I'm not sure about a fallback, if there is no answer from the DNS
> server.)
>
> Probably your DNS responds with NXDOMAIN?

D'oh! I really should have been able to troubleshoot that myself. I had set up reverse zones for the localhost addresses, but was missing one for localhost itself. Thanks for the pointer.

>>>> 2016-11-30 15:25:56 [13335] Exim configuration error in line 855 of
>>>> /usr/local/etc/exim.conf:
>>>>   option "socket" unknown
>>>
>>> I'm working in it..
>>
>> What about a private option for the lmtp transport that told Exim to
>> follow through with callouts? Something like force_callouts.
>
> I'm lost. I'm not sure how to understand it.

I read that as "working on it", like you were working on a feature for the smtp transport to accept a socket option. Since I have to pay the price of using a network socket instead of a UNIX socket in order to trick Exim into actually using the transport to complete recipient verification callouts, I thought maybe an option for the lmtp transport to tell Exim to do the callout even though it wasn't smtp might be nice.

I was looking at the sources and thinking do_callout in verify.c seemed a likely candidate. Somewhere around here, where there appears to be a short-circuit:

    376 else if (Ustrcmp(addr->transport->driver_name, "smtp") != 0)
    377   log_write(0, LOG_MAIN|LOG_PANIC|LOG_CONFIG_FOR, "callout transport '%s': %s is non-smtp",

That is probably a better topic for the development list, but I would be interested in knowing if anyone else was interested, or opposed.

At any rate, recipient verification is finally working! Thank you for all the help!

Rical

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Recipient Verification Bypassed
Rical Jasan (Fr 02 Dez 2016 09:17:16 CET):
…
> That works, after adding the inet_listener to Dovecot. Thank you!
> I did have a problem with "hosts = localhost", though:
>
>     23:50:31 16287 no IP address for host name localhost: skipping
>
> which resulted in a defer. I had to use 127.0.0.1 (which then appeared
> to incur a DNS lookup on that as though it were a name...). Exim
> /should/ be able to resolve the name "localhost":
>
>     $ cat /etc/hosts
>     127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
>     ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

The nameserver from my resolv.conf resolves 'localhost'. If I'm not wrong, Exim uses DNS in the first place to resolve a hostname.

(I'm not sure about a fallback, if there is no answer from the DNS server.)

Probably your DNS responds with NXDOMAIN?

>>> 2016-11-30 15:25:56 [13335] Exim configuration error in line 855 of
>>> /usr/local/etc/exim.conf:
>>>   option "socket" unknown
>>
>> I'm working in it..
>
> What about a private option for the lmtp transport that told Exim to
> follow through with callouts? Something like force_callouts.

I'm lost. I'm not sure how to understand it.

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU)
- {fon,fax}: +49.351.802998{1,3}
- gnupg encrypted messages are welcome --- key ID: F69376CE
- ! key id 7CBF764A and 972EAC9F are revoked since 2015-01
Re: [exim] Recipient Verification Bypassed
On 12/01/2016 12:11 AM, Heiko Schlittermann wrote:
> Hi,
>
>> On 11/28/2016 11:51 PM, Heiko Schlittermann wrote:
> ...
>>> lmtp_transport:
>>>   driver = smtp
>>>   protocol = lmtp
>>>   socket = /run/dovecot/lmtp # or whatever
>>>   …
>
> Sorry for the confusion, I checked my config not good enough.
> I cut some experimental snipped.
>
>     lmtp_transport:
>       driver = smtp
>       protocol = lmtp
>       hosts = localhost
>       allow_localhost
>
> is better :)

That works, after adding the inet_listener to Dovecot. Thank you!
I did have a problem with "hosts = localhost", though:

    23:50:31 16287 no IP address for host name localhost: skipping

which resulted in a defer. I had to use 127.0.0.1 (which then appeared to incur a DNS lookup on that as though it were a name...). Exim /should/ be able to resolve the name "localhost":

    $ cat /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

>> 2016-11-30 15:25:56 [13335] Exim configuration error in line 855 of
>> /usr/local/etc/exim.conf:
>>   option "socket" unknown
>
> I'm working in it..

What about a private option for the lmtp transport that told Exim to follow through with callouts? Something like force_callouts.

Rical
Re: [exim] Recipient Verification Bypassed
Hi,

> On 11/28/2016 11:51 PM, Heiko Schlittermann wrote:
...
>> lmtp_transport:
>>   driver = smtp
>>   protocol = lmtp
>>   socket = /run/dovecot/lmtp # or whatever
>>   …

Sorry for the confusion, I did not check my config well enough. I cut some experimental snippet.

    lmtp_transport:
      driver = smtp
      protocol = lmtp
      hosts = localhost
      allow_localhost

is better :)

> 2016-11-30 15:25:56 [13335] Exim configuration error in line 855 of
> /usr/local/etc/exim.conf:
>   option "socket" unknown

I'm working in it..

--
Heiko
Re: [exim] Recipient Verification Bypassed
On 11/28/2016 11:51 PM, Heiko Schlittermann wrote:
> In your case callout verification probably doesn't work, as long as you
> use driver=lmtp, because callouts are done only for *remote* deliveries,
> and LMTP isn't considered remote. Though, there is some trick
>
>     lmtp_transport:
>       driver = smtp
>       protocol = lmtp
>       socket = /run/dovecot/lmtp # or whatever
>       …

That makes sense when you frame the issue that way. There is one problem with your nifty trick, though:

    # exim -bV
    Exim version 4.87 #17 built 20-Sep-2016 02:00:04
    Copyright (c) University of Cambridge, 1995 - 2016
    (c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2016
    Probably GDBM (native mode)
    Support for: crypteq iconv() IPv6 GnuTLS Content_Scanning DKIM DNSSEC Event I18N OCSP PRDR
    Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz dnsdb
    Authenticators: plaintext
    Routers: accept dnslookup ipliteral manualroute queryprogram redirect
    Transports: appendfile/maildir autoreply lmtp pipe smtp
    Fixed never_users: 0
    Size of off_t: 8
    2016-11-30 15:25:56 [13335] Exim configuration error in line 855 of /usr/local/etc/exim.conf:
      option "socket" unknown

The transport:

    lmtp:
      driver = smtp
      protocol = lmtp
      socket = /var/local/run/dovecot/lmtp
      batch_max = 32

Rical
Re: [exim] Recipient Verification Bypassed
Hi Rical,

Rical Jasan (Di 29 Nov 2016 08:21:11 CET):
> On 11/28/2016 03:19 AM, Drav Sloan wrote:
>>> 2016-11-27 23:35:54 [7002] cwd=/var/local/spool/exim 3 args:
>>> /usr/local/sbin/exim -Mc 1cBGTh-0001ou-9V
>>> 2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** u...@domain.tld
>>> F= P=
>>> R=dovecot T=lmtp: LMTP error after RCPT TO: 550 5.1.1
>>> User doesn't exist: u...@domain.tld
>>
>> Given that the final delivery point is LMTP, I assume you are delivering
>> onto something like Cyrus IMAP?
>
> Dovecot's LMTP server, over a UNIX socket. Works fine, when it's
> actually used, as you can see above. :)
>
>> In which case, your router which delivers onto the LMTP process will
>> probably not do local_part verification, which causes the recipient/callout
>> to work for any local_part.
>>
>> You can verify that by doing:
>>
>>     exim -bt somefakelocal_p...@pachijimenez.com

Using `exim -bt` or `exim -bv` you can verify the routing, that is, you're checking if there is a chance for a successful delivery. This approach works if your routers are able to verify the existence of a given user (works for any kind of lookups (passwd, ldap, *sql, …)).

verify = recipient in some ACL asks for "static" verification, that is, it's roughly equivalent to `exim -bv`. It doesn't help if you can't do some kind of lookup.

verify = recipient/callout checks the routing (probably quite useless if you can't access a user database) and then does a delivery attempt (EHLO, MAIL FROM, RCPT TO, QUIT) to the final destination.

For ACL testing `-bv`, `-bt` doesn't help. You need `exim -bhc `

Best used with swaks:

    swaks -f … -t … --pipe 'exim -bhc '

> I guess my question is now, is there a way to make Exim use the
> transport and actually follow-through with the callout? See my response
> to Jeremy on the list (sorry, I should have CC'd you), where another

In your case callout verification probably doesn't work, as long as you use driver=lmtp, because callouts are done only for *remote* deliveries, and LMTP isn't considered remote. Though, there is some trick

    lmtp_transport:
      driver = smtp
      protocol = lmtp
      socket = /run/dovecot/lmtp # or whatever
      …

BTW …

>> # Get the local part minus any suffixes
>> warn set acl_m9 = ${sg{${lc:$local_part}}{[+-].+\$}{}}

We have named acl variables meanwhile:

    set acl_m_foo = …

Best regards from Dresden/Germany
Heiko Schlittermann
Re: [exim] Recipient Verification Bypassed
On 11/28/2016 03:19 AM, Drav Sloan wrote:
> Rical Jasan wrote:
>
> [snip]
>
>> 2016-11-27 23:35:54 [7002] cwd=/var/local/spool/exim 3 args:
>> /usr/local/sbin/exim -Mc 1cBGTh-0001ou-9V
>> 2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** u...@domain.tld
>> F= P=
>> R=dovecot T=lmtp: LMTP error after RCPT TO: 550 5.1.1
>> User doesn't exist: u...@domain.tld
>
> Given that the final delivery point is LMTP, I assume you are delivering
> onto something like Cyrus IMAP?

Dovecot's LMTP server, over a UNIX socket. Works fine, when it's actually used, as you can see above. :)

> In which case, your router which delivers onto the LMTP process will probably
> not do local_part verification, which causes the recipient/callout to work
> for any local_part.
>
> You can verify that by doing:
>
>     exim -bt somefakelocal_p...@pachijimenez.com

That was the spammer's domain; mine just says:

    $ exim -bt somefakelocal_p...@domain.tld
    somefakelocal_p...@domain.tld
      router = dovecot, transport = lmtp

> (and use the additional -d+all argument to exim if you want to see debugged
> processing of that routing). I think you will find it will say that all
> addresses (valid or not) are deliverable.

It seems to stop without trying the lmtp transport, if that's what you mean. I guess since the router didn't decline, having found a transport, that means valid? I see that it simply queues the address:

    $ exim -d+all -bt somefakelocal_p...@domain.tld
    ...
    22:33:03  9653 vmail_aliases router declined for somefakelocal_p...@domain.tld
    22:33:03  9653 > dovecot router <
    22:33:03  9653 local_part=somefakelocal_part domain=domain.tld
    22:33:03  9653 checking domains
    22:33:03  9653 cached yes match for +vmail_domains
    22:33:03  9653 cached lookup data = NULL
    22:33:03  9653 domain.tld in "+vmail_domains"? yes (matched "+vmail_domains" - cached)
    22:33:03  9653 calling dovecot router
    22:33:03  9653 dovecot router called for somefakelocal_p...@domain.tld
    22:33:03  9653   domain = domain.tld
    22:33:03  9653 set transport lmtp
    22:33:03  9653 queued for lmtp transport: local_part = somefakelocal_part
    22:33:03  9653   domain = domain.tld
    22:33:03  9653   errors_to=NULL
    22:33:03  9653   domain_data=NULL localpart_data=NULL
    22:33:03  9653 routed by dovecot router
    22:33:03  9653   envelope to: somefakelocal_p...@domain.tld
    22:33:03  9653   transport: lmtp
    somefakelocal_p...@domain.tld
      router = dovecot, transport = lmtp

> You can add an additional check in your acl_check_rcpt, which can validate
> that a user exists for a cyrus domain with something like:
>
>     deny domains = +local_domains
>          !condition = ${run {/usr/sbin/mbpath -q -s user.$local_part}{true}{false}}

Would I really have to do something like call `doveadm user ...' just to do what Exim is already going to do (just not soon enough)? I was sure failed recipient verification was a misconfiguration on my part, especially using /callout. I see that §43.45 says, "A successful callout does not guarantee that a real delivery to the address would succeed; on the other hand, a failing callout does guarantee that a delivery would fail.", but it seems a different issue, because the callout isn't actually happening, otherwise it would know about the guaranteed failure.

> If you use address suffixes, you can work around it with something like:
>
>     # Get the local part minus any suffixes
>     warn set acl_m9 = ${sg{${lc:$local_part}}{[+-].+\$}{}}
>
>     deny domains = +local_domains
>          !condition = ${run {/usr/sbin/mbpath -q -s user.$acl_m9}{true}{false}}

Nothing that fancy yet.

> Note, use of mbpath requires exim to have permission to read the cyrus
> mailboxes.db file for this command to work properly.

Right. Similarly for doveadm.

> Also make sure $acl_m9 is not used by some other ACL :)

Of course. :)

I guess my question is now, is there a way to make Exim use the transport and actually follow-through with the callout? See my response to Jeremy on the list (sorry, I should have CC'd you), where another test (-bhc) resulted in the verification stopping because neither the router nor the transport provided a host list. I'm unclear as to what host list it wants. If it wants to know what host to use for testing, it's obviously a socket on the localhost's file system.

Thank you for the help.

Rical
Re: [exim] Recipient Verification Bypassed
On 11/28/2016 03:14 AM, Jeremy Harris wrote:
> On 28/11/16 11:00, Rical Jasan wrote:
>> I noticed a few spam messages being accepted (saw the bounces failing)
>> for seemingly unverified recipients, and having a hard time tracking
>> down why.
>
> Try feeding one in manually that duplicates it, using -bhc and
> -d-all+acl.

I get this:

    check verify = recipient/callout
    >>> ...
    Cannot do callout: neither router nor transport provided a host list
    --- end verify

The router:

    dovecot:
      driver = accept
      domains = +vmail_domains
      transport = lmtp

The transport:

    lmtp:
      driver = lmtp
      socket = /var/local/run/dovecot/lmtp
      batch_max = 32

I had added /callout to specifically address the issue of not accepting messages for invalid recipients at SMTP-time, and had verified it fixed my problem then ...but maybe I hallucinated that. Have I really just not noticed I've been accepting mail for invalid recipients this whole time? :\

It also seems strange the message is accepted at all. Isn't that what defer_ok is for? It's intentionally absent, since I don't (think I) want that. If I can't verify a recipient I don't want to take the message.

Rical
Re: [exim] Recipient Verification Bypassed
Rical Jasan wrote:

[snip]

> 2016-11-27 23:35:54 [7002] cwd=/var/local/spool/exim 3 args:
> /usr/local/sbin/exim -Mc 1cBGTh-0001ou-9V
> 2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** u...@domain.tld
> F= P=
> R=dovecot T=lmtp: LMTP error after RCPT TO: 550 5.1.1
> User doesn't exist: u...@domain.tld

Given that the final delivery point is LMTP, I assume you are delivering onto something like Cyrus IMAP?

In which case, your router which delivers onto the LMTP process will probably not do local_part verification, which causes the recipient/callout to work for any local_part.

You can verify that by doing:

    exim -bt somefakelocal_p...@pachijimenez.com

(and use the additional -d+all argument to exim if you want to see debugged processing of that routing). I think you will find it will say that all addresses (valid or not) are deliverable.

You can add an additional check in your acl_check_rcpt, which can validate that a user exists for a cyrus domain with something like:

    deny domains = +local_domains
         !condition = ${run {/usr/sbin/mbpath -q -s user.$local_part}{true}{false}}

If you use address suffixes, you can work around it with something like:

    # Get the local part minus any suffixes
    warn set acl_m9 = ${sg{${lc:$local_part}}{[+-].+\$}{}}

    deny domains = +local_domains
         !condition = ${run {/usr/sbin/mbpath -q -s user.$acl_m9}{true}{false}}

Note, use of mbpath requires exim to have permission to read the cyrus mailboxes.db file for this command to work properly.

Also make sure $acl_m9 is not used by some other ACL :)

Regards

D.
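The symptom in the log quoted above (a recipient accepted at RCPT time, then rejected by LMTP with 550 5.1.1 and bounced) is what a skipped callout looks like in Exim's mainlog. The following is an added example, not code from the thread or from Exim: a Python scanner that pairs `<=` acceptance lines with `**` permanent-failure lines and reports each recipient that got through recipient verification but did not exist. The sample log lines are constructed to follow the format quoted in the thread; message ids, PIDs, hosts and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines modelled on the thread; ids, hosts and addresses are made up.
SAMPLE_LOG = """\
2016-11-27 23:35:50 [6990] 1cBGTh-0001ou-9V <= spammer@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=2048 for unknown@domain.tld
2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** unknown@domain.tld F=<spammer@example.net> P=<spammer@example.net> R=dovecot T=lmtp: LMTP error after RCPT TO: 550 5.1.1 <unknown@domain.tld> User doesn't exist: unknown@domain.tld
2016-11-27 23:40:01 [7100] 1cBGXh-0001pa-2K <= alice@example.org H=(mx.example.org) [198.51.100.5] P=esmtp S=1234 for bob@domain.tld
2016-11-27 23:40:02 [7101] 1cBGXh-0001pa-2K => bob@domain.tld R=dovecot T=lmtp
2016-11-27 23:41:00 [7110] 1cBGYz-0001qb-7Q <= carol@example.com H=(mx.example.com) [203.0.113.7] P=esmtp S=900 for dave@domain.tld
2016-11-27 23:41:01 [7111] 1cBGYz-0001qb-7Q == dave@domain.tld R=dovecot T=lmtp defer (111): Connection refused
"""

# Exim flags: '<=' message accepted, '=>' delivered, '**' failed permanently, '==' deferred.
ACCEPT_RE = re.compile(r"^\S+ \S+ (?:\[\d+\] )?(?P<id>\S+) <= (?P<sender>\S+)(?P<rest>.*)$")
FAIL_RE = re.compile(r"^\S+ \S+ (?:\[\d+\] )?(?P<id>\S+) \*\* (?P<rcpt>\S+) (?P<rest>.*)$")
IP_RE = re.compile(r"\[(?P<ip>[0-9A-Fa-f.:]+)\]")
FIELD_RE = re.compile(r"\b(?P<key>[RT])=(?P<val>[^\s:]+)")
# SMTP 5xx with an enhanced status 5.x.y; "550 5.1.1" means no such mailbox (RFC 3463).
STATUS_RE = re.compile(r"\b(?P<smtp>5\d\d) (?P<esc>5\.\d+\.\d+)\b")


def find_bypassed_recipients(log_text):
    """One finding per recipient that Exim accepted from a remote host and the
    delivery target then rejected permanently: the message is already the
    server's responsibility, so it turns into a bounce (backscatter)."""
    accepted = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            ip = IP_RE.search(m["rest"])
            accepted[m["id"]] = (m["sender"], ip["ip"] if ip else None)
    findings = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # '=>', '==' and other lines are not permanent failures
        status = STATUS_RE.search(m["rest"])
        if not status:
            continue  # '**' without a 5xx/5.x.y code: not a bad-recipient reject
        fields = dict(FIELD_RE.findall(m["rest"]))
        sender, source_ip = accepted.get(m["id"], (None, None))
        findings.append({"message_id": m["id"], "recipient": m["rcpt"],
                         "router": fields.get("R"), "transport": fields.get("T"),
                         "status": f"{status['smtp']} {status['esc']}",
                         "sender": sender, "source_ip": source_ip})
    return findings


def count_by_source(findings):
    """Accepted-then-rejected recipients per connecting IP; a high count from one
    host is the footprint of address probing that a working callout would stop."""
    return Counter(f["source_ip"] for f in findings)


if __name__ == "__main__":
    for f in find_bypassed_recipients(SAMPLE_LOG):
        print(f"{f['message_id']}: {f['recipient']} from {f['source_ip']} "
              f"rejected by {f['transport']} with {f['status']}")
```

Run it against a real mainlog (`find_bypassed_recipients(open('/var/log/exim/mainlog').read())`) before and after changing the transport; a working callout should drive the count to zero.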
Re: [exim] Recipient Verification Bypassed
On 28/11/16 11:00, Rical Jasan wrote:
> I noticed a few spam messages being accepted (saw the bounces failing)
> for seemingly unverified recipients, and having a hard time tracking
> down why.

Try feeding one in manually that duplicates it, using -bhc and -d-all+acl.

--
Cheers,
Jeremy