Re: [exim] Temporary reject when random sender verification should succeed

2018-06-08 Thread Ian Zimmerman via Exim-users
On 2018-06-08 18:34, Heiko Schlittermann wrote:

> > > >> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 sender verify
> > > >> defer for : Could not complete
> > > >> sender verify callout: mail.haskell.org [23.253.242.70] : 
> > > >> response to "RCPT TO:" was: 
> > > >> 250 2.1.5 Ok
> > > >> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176
> > > >> F= temporarily rejected RCPT
> > > >> :
> > > >> Could not complete sender verify callout

> > Well OK, but the spec says (43.46):
> > 
> >  If the “random” check succeeds, the result is saved in a cache record,
> >  and used to force the current and subsequent callout checks to succeed
> >  without a connection being made, until the cache record expires.
> > 
> > Note "current".

> Even for a non-native speaker it seems clear to me. (Or, because I'm a
> non-native speaker ;)
> 
> But I'm confused anyway. If the random test leads to the conclusion,
> that the following callouts are wasted effort and considered as
> succeeded, why does Exim reject the following RCPT?
> 
> Can you paste the relevant part of your ACL?

I simply modified the sender verify acl in the example config:

diff --git a/exim/exim.conf b/exim/exim.conf
index 423de93..5391114 100644
--- a/exim/exim.conf
+++ b/exim/exim.conf
@@ -508,7 +508,7 @@ acl_check_rcpt:
 
   drop
 log_message = acl_check_rcpt: $sender_address cannot be verified
-!verify = sender
+!verify = sender/callout=random
 
 # Insist that any other recipient address that we accept is either in one of
 # our local domains, or is in a domain for which we explicitly allow
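
Review bot: On the changed `!verify = sender/callout=random` line, the `drop` statement now depends on a remote callout, but nothing in the hunk says what should happen when that callout defers instead of failing. The log quoted in this thread shows the outcome is a temporary rejection of RCPT, which the `log_message` text ("cannot be verified") does not describe. Add a comment above the condition stating the intended handling of a deferred callout; if a deferred callout should not hold up mail, consider Exim's `defer_ok` callout option (`callout=random,defer_ok`) and check whether it covers the case logged here.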

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Temporary reject when random sender verification should succeed

2018-06-08 Thread Heiko Schlittermann via Exim-users
Ian Zimmerman via Exim-users (Thu 07 Jun 2018 19:30:34 CEST):
> On 2018-06-07 16:44, Jeremy Harris wrote:
> 
> > >> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 sender verify
> > >> defer for : Could not complete
> > >> sender verify callout: mail.haskell.org [23.253.242.70] : 
> > >> response to "RCPT TO:" was: 250 
> > >> 2.1.5 Ok
> > >> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176
> > >> F= temporarily rejected RCPT
> > >> :
> > >> Could not complete sender verify callout
> > > 
> 
> Well OK, but the spec says (43.46):
> 
>  If the “random” check succeeds, the result is saved in a cache record,
>  and used to force the current and subsequent callout checks to succeed
>  without a connection being made, until the cache record expires.
> 
> Note "current".

Even for a non-native speaker it seems clear to me. (Or, because I'm a
non-native speaker ;)

But I'm confused anyway. If the random test leads to the conclusion,
that the following callouts are wasted effort and considered as
succeeded, why does Exim reject the following RCPT?

Can you paste the relevant part of your ACL?

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Re: [exim] Temporary reject when random sender verification should succeed

2018-06-07 Thread Andrew C Aitchison via Exim-users

On Wed, 30 May 2018, Ian Zimmerman via Exim-users wrote:


> I just turned on callout sender verify with the random option.
> Strangely, the first (and only the first) connect from many domains
> after that is temporarily rejected, although the callout seems to
> succeed with a 250 status code.  The log lines look like this:
>
> 2018-05-29 12:25:26 acl_check_connect: connect from 23.253.242.70
> 2018-05-29 12:25:28 acl_check_connect: host geoip us
> 2018-05-29 12:25:34 acl_check_connect: 23.253.242.70 accepted
> 2018-05-29 12:25:34 acl_check_mail: mail from haskell-cafe-boun...@haskell.org
> 2018-05-29 12:25:40 [23.253.242.70] SSL verify error: depth=0 error=certificate has expired cert=/OU=Domain Control Validated/CN=*.haskell.org
> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 sender verify defer for : Could not complete sender verify callout: mail.haskell.org [23.253.242.70] : response to "RCPT TO:" was: 250 2.1.5 Ok
> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 F= temporarily rejected RCPT : Could not complete sender verify callout
> 2018-05-29 12:25:40 SMTP connection from haskell.org [23.253.242.70]:51176 closed by QUIT
>
> I obfuscated my mx hostname and my domain name, and only these two
> items.
>
> Why exim "Could not complete" the callout when it got a success code?
> Again, this only happened for the first time for each domain after the
> configuration change. Subsequent connections work normally and log
> nothing about the callout.


Sorry. The first time that you posted this,
I didn't notice the certificate expiry error (which
  openssl s_client -connect mail.haskell.org:25 -starttls smtp -verify 0
confirms for me).

I *think* that the wire callout is succeeding, but the expired certificate
means that exim considers the callout verify to have failed.

Once that callout has failed, exim caches the result and doesn't bother
to callout verify subsequent connections, hence the successful connections 
with no callouts logged (again assuming that I have correctly understood 
exim).


--
Andrew C. Aitchison Cambridge, UK
and...@aitchison.me.uk



Re: [exim] Temporary reject when random sender verification should succeed

2018-06-07 Thread Ian Zimmerman via Exim-users
On 2018-06-07 16:44, Jeremy Harris wrote:

> >> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 sender verify
> >> defer for : Could not complete
> >> sender verify callout: mail.haskell.org [23.253.242.70] : 
> >> response to "RCPT TO:" was: 250 
> >> 2.1.5 Ok
> >> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176
> >> F= temporarily rejected RCPT
> >> :
> >> Could not complete sender verify callout
> > 
> >> Why exim "Could not complete" the callout when it got a success code?

> It's the "random" test.  You don't want it to succeed; it means
> that this domain will accept _anything_.  You got a 250, acceptance.

Well OK, but the spec says (43.46):

 If the “random” check succeeds, the result is saved in a cache record,
 and used to force the current and subsequent callout checks to succeed
 without a connection being made, until the cache record expires.

Note "current".

Maybe this is a confusion about what it means to "succeed"?



Re: [exim] Temporary reject when random sender verification should succeed

2018-06-07 Thread Jeremy Harris via Exim-users
On 06/07/2018 04:17 PM, Ian Zimmerman via Exim-users wrote:
> On 2018-05-30 09:16, Ian Zimmerman wrote:
> 
>> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 sender verify
>> defer for : Could not complete
>> sender verify callout: mail.haskell.org [23.253.242.70] : 
>> response to "RCPT TO:" was: 250 
>> 2.1.5 Ok
>> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176
>> F= temporarily rejected RCPT
>> :
>> Could not complete sender verify callout
> 
>> Why exim "Could not complete" the callout when it got a success code?
> 
> This is still happening; any clue what may be causing it?

It's the "random" test.  You don't want it to succeed; it means
that this domain will accept _anything_.  You got a 250, acceptance.
Oops.
-- 
Jeremy
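
Added example, not part of any message in this thread: a log triage script for the case described above, where a callout defers because the remote host answered 250 to the random probe. It assumes the unredacted Exim log line carries the verified sender after "defer for" and the probed address inside the quoted RCPT TO, as the excerpt in this thread suggests; every address and host in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the log excerpt in this thread. The
# addresses (stripped by the list archive) and the 192.0.2.x / 198.51.100.x
# hosts are placeholders, and the exact line layout is an assumption.
SAMPLE_LOG = """\
2018-05-29 12:25:40 H=lists.example.org [192.0.2.10]:51176 sender verify defer for <bounce@lists.example.org>: Could not complete sender verify callout: mail.lists.example.org [192.0.2.10] : response to "RCPT TO:<mx.example.net-1527621934-testing@lists.example.org>" was: 250 2.1.5 Ok
2018-05-29 12:25:40 H=lists.example.org [192.0.2.10]:51176 F=<bounce@lists.example.org> temporarily rejected RCPT <user@example.net>: Could not complete sender verify callout
2018-05-29 13:02:11 H=mx.example.com [198.51.100.7]:40022 sender verify defer for <news@example.com>: Could not complete sender verify callout: mx.example.com [198.51.100.7] : response to "RCPT TO:<news@example.com>" was: 451 4.7.1 Try again later
2018-05-29 13:02:11 H=mx.example.com [198.51.100.7]:40022 sender verify defer for <x@example.com>: Could not complete sender verify callout: mx.example.com [198.51.100.7] : response to "RCPT TO:<mx.example.net-1527624131-testing@example.com>" was: 250 ok
"""

DEFER_RE = re.compile(
    r'sender verify defer for <(?P<sender>[^>]*)>: '
    r'Could not complete sender verify callout: '
    r'(?P<host>\S+) \[(?P<ip>[^\]]+)\] : '
    r'response to "RCPT TO:<(?P<rcpt>[^>]*)>" was: (?P<code>\d{3})'
)

def classify_defers(log_text):
    """Group callout defers by sender domain and say why each one deferred."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = DEFER_RE.search(line)
        if not m:
            continue  # not a callout defer line
        domain = m["sender"].rpartition("@")[2].lower()
        # The random probe uses an address other than the sender under test,
        # so a 2xx answer to a different RCPT means "accepts anything".
        probe_was_random = m["rcpt"].lower() != m["sender"].lower()
        if m["code"].startswith("2") and probe_was_random:
            reason = "accepts-random-recipient"
        elif m["code"].startswith("4"):
            reason = "remote-tempfail"
        else:
            reason = "other"
        findings[domain].add(reason)
    return {d: sorted(r) for d, r in findings.items()}

if __name__ == "__main__":
    for domain, reasons in classify_defers(SAMPLE_LOG).items():
        print(domain, ", ".join(reasons))
```
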



Re: [exim] Temporary reject when random sender verification should succeed

2018-06-07 Thread Ian Zimmerman via Exim-users
On 2018-05-30 09:16, Ian Zimmerman wrote:

> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 sender verify
> defer for : Could not complete
> sender verify callout: mail.haskell.org [23.253.242.70] : 
> response to "RCPT TO:" was: 250 
> 2.1.5 Ok
> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176
> F= temporarily rejected RCPT
> :
> Could not complete sender verify callout

> Why exim "Could not complete" the callout when it got a success code?

This is still happening; any clue what may be causing it?
