On Wed, 8 Jan 2025 at 12:47, Jeremy Harris via Exim-users
<[email protected]> wrote:
>
> On 08/01/2025 11:30, Gandalf Corvotempesta via Exim-users wrote:
> > Any idea how to enable a full-debug only for requests coming from a
> > particular ip ?
>
> There is an ACL modifier for enabling debug. Combine that with an
> ACL condition selecting the source IP, in an ACL verb called from
> the acl_smtp_connect main-config option.
>
> https://exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html

Debug enabled.

This is the smarthost

warn: condition test succeeded in ACL "acl_check_connect"
processing "accept" (/var/lib/exim4/config.autogenerated 503)
accept: condition test succeeded in ACL "acl_check_connect"
end of ACL "acl_check_connect": ACCEPT
host in pipelining_connect_advertise_hosts? yes (matched "*")
SMTP>> 220 smarthost.server X ESMTP Server
TCP_INFO getsockopt: Success
Process 4085276 is ready for new message
smtp_setup_msg entered
SMTP<< EHLO exim.client
sender_fullhost = 4.3.2.1.bc.googleusercontent.com (exim.client) [1.2.3.4]
sender_rcvhost = 4.3.2.1.bc.googleusercontent.com ([1.2.3.4] helo=exim.client)
set_process_info: 4085276 handling incoming connection from
4.3.2.1.bc.googleusercontent.com (exim.client) [1.2.3.4]
spf_conn_init: exim.client 1.2.3.4
using ACL "acl_check_helo"
processing "accept" (/var/lib/exim4/config.autogenerated 304)
accept: condition test succeeded in ACL "acl_check_helo"
end of ACL "acl_check_helo": ACCEPT
host in dsn_advertise_hosts? no (option unset)
host in pipelining_advertise_hosts? yes (matched "*")
host in auth_advertise_hosts? yes (matched "*")
Evaluating advertise_condition for plain_server PLAIN athenticator
Evaluating advertise_condition for login_server LOGIN athenticator
host in chunking_advertise_hosts? yes (matched "*")
host in tls_advertise_hosts? yes (matched "*")
host in smtputf8_advertise_hosts? yes (matched "*")
SMTP>> 250-smarthost.server Hello 4.3.2.1.bc.googleusercontent.com [1.2.3.4]
       250-SIZE 104857600
       250-8BITMIME
       250-PIPELINING
       250-PIPECONNECT
       250-AUTH PLAIN LOGIN
       250-CHUNKING
       250-STARTTLS
       250-PRDR
       250-SMTPUTF8
       250 HELP
SMTP<< STARTTLS
initialising GnuTLS as a server
initialising GnuTLS server session
Expanding various TLS configuration options for session credentials
server certs were preloaded
verify certificates = /etc/ssl/certs/ca-certificates.crt size=213777
Added 140 certificate authorities
Initialising GnuTLS server params
GnuTLS tells us that for D-H PK, NORMAL is 2048 bits
read D-H parameters from file "/var/spool/exim4/gnutls-params-4096"
initialized server D-H parameters
cipher list preloaded
host in tls_resumption_hosts? no (option unset)
host in tls_verify_hosts? no (option unset)
host in tls_try_verify_hosts? no (option unset)
TLS: a client certificate will not be requested
SMTP>> 220 TLS go ahead
TLS: no SNI presented in handshake
Seen status_request extension from client
(TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
To get keying info for TLS1.3 is hard:
 Set environment variable SSLKEYLOGFILE to a filename relative to the
spool directory,
 and make sure it is writable by the Exim runtime user.
 Add SSLKEYLOGFILE to keep_environment in the exim config.
 Start Exim as root.
 If using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers
 (works for TLS1.2 also, and saves cut-paste into file).
 Trying to use add_environment for this will not work
host in hosts_require_alpn? no (option unset)
TLS: no ALPN presented in handshake
TLS: checking peer certificate
TLS: no certificate from peer ((nil) & 0)
cipher: TLS1.3:ECDHE_SECP256R1__ECDSA_SECP256R1_SHA256__AES_256_GCM:256
Have channel bindings cached for possible auth usage
sender_fullhost = 4.3.2.1.bc.googleusercontent.com [1.2.3.4]
sender_rcvhost = 4.3.2.1.bc.googleusercontent.com ([1.2.3.4])
set_process_info: 4085276 handling incoming TLS connection from
4.3.2.1.bc.googleusercontent.com [1.2.3.4]
TLS active
Calling gnutls_record_recv(session=0x5583dd584aa0,
buffer=0x5583ddbb47e8, buffersize=4096)
tls_refill: err from gnutls_record_recv
LOG: MAIN
  TLS error on connection from 4.3.2.1.bc.googleusercontent.com
[1.2.3.4] (recv): A TLS fatal alert has been received: Certificate is
bad
SMTP>> 421 smarthost.server lost input connection
LOG: smtp_connection MAIN
  SMTP connection from 4.3.2.1.bc.googleusercontent.com [1.2.3.4] lost D=0s
search_tidyup called
SMTP>>(close on process exit)
>>>>>>>>>>>>>>>> Exim pid=4085276 (daemon-accept) terminating with rc=1 
>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>
warn: condition test succeeded in ACL "acl_check_connect"
processing "accept" (/var/lib/exim4/config.autogenerated 503)
accept: condition test succeeded in ACL "acl_check_connect"
end of ACL "acl_check_connect": ACCEPT
host in pipelining_connect_advertise_hosts? yes (matched "*")
SMTP>> 220 smarthost.server X ESMTP Server
TCP_INFO getsockopt: Success
Process 4085277 is ready for new message
smtp_setup_msg entered
SMTP<< EHLO exim.client
sender_fullhost = 4.3.2.1.bc.googleusercontent.com (exim.client) [1.2.3.4]
sender_rcvhost = 4.3.2.1.bc.googleusercontent.com ([1.2.3.4] helo=exim.client)
set_process_info: 4085277 handling incoming connection from
4.3.2.1.bc.googleusercontent.com (exim.client) [1.2.3.4]
spf_conn_init: exim.client 1.2.3.4
using ACL "acl_check_helo"
processing "accept" (/var/lib/exim4/config.autogenerated 304)
accept: condition test succeeded in ACL "acl_check_helo"
end of ACL "acl_check_helo": ACCEPT
host in dsn_advertise_hosts? no (option unset)
host in pipelining_advertise_hosts? yes (matched "*")
host in auth_advertise_hosts? yes (matched "*")
Evaluating advertise_condition for plain_server PLAIN athenticator
Evaluating advertise_condition for login_server LOGIN athenticator
host in chunking_advertise_hosts? yes (matched "*")
host in tls_advertise_hosts? yes (matched "*")
host in smtputf8_advertise_hosts? yes (matched "*")
SMTP>> 250-smarthost.server Hello 4.3.2.1.bc.googleusercontent.com [1.2.3.4]
       250-SIZE 104857600
       250-8BITMIME
       250-PIPELINING
       250-PIPECONNECT
       250-AUTH PLAIN LOGIN
       250-CHUNKING
       250-STARTTLS
       250-PRDR
       250-SMTPUTF8
       250 HELP
SMTP<< QUIT
SMTP>> 221 smarthost.server closing connection
LOG: smtp_connection MAIN
  SMTP connection from 4.3.2.1.bc.googleusercontent.com (exim.client)
[1.2.3.4] closed by QUIT
search_tidyup called
SMTP>>(close on process exit)
>>>>>>>>>>>>>>>> Exim pid=4085277 (daemon-accept) terminating with rc=0 
>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>
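
The per-host debug setup suggested in the quoted reply can be written as the following connect-ACL stanza. This is an added example, not configuration taken from the thread: the ACL name acl_check_connect and the address 1.2.3.4 are copied from the debug output above, while the tag= and opts= values are assumptions chosen for illustration.

```conf
# Main configuration section: run this ACL as soon as a client connects.
acl_smtp_connect = acl_check_connect

begin acl

acl_check_connect:
  # Only connections from the host under investigation match this
  # statement. "warn" never ends ACL processing, so the decision for
  # this host is still made by the statements that follow.
  warn
    hosts   = 1.2.3.4
    # Debug output is written to a separate file in the Exim log
    # directory; the tag is appended to the default name "debuglog",
    # which keeps this host's trace apart from any other debug run.
    # opts= takes the same selectors as the -d command-line option.
    control = debug/tag=.$sender_host_address/opts=+all

  # Every other host is accepted without debugging.
  accept
```

Remove the warn statement once the trace has been captured, because each matching connection keeps appending to the debug file.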
