Re: Exim still accepting emails to nonexistent users

2016-11-23 Thread Heiko Schlittermann
Hi Marti,

Marti Markov  (Mi 23 Nov 2016 09:21:07 CET):
> Hi Heiko,
> 
> Sorry for using your private email address. :/

… the problem is the duplicate suppression on our mail system; normally it
passes the 'unicasted' message and suppresses the 'broadcasted' messages
(as the unicasted message comes first). The unicasted message doesn't
carry all the list headers.

That's one reason why duplicate suppression is a bad thing.

> I managed to get this working using local_user changes by adding ldap user
> verification there:
…
> ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)(mail=$local_part@
> $domain))}{$value}fail}
> 
> Thanks again for all the support. You pointed me in the right direction. :)

You're welcome.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Re: Exim still accepting emails to nonexistent users

2016-11-23 Thread Marti Markov
Hi Heiko,

Sorry for using your private email address. :/
I managed to get this working using local_user changes by adding ldap user
verification there:

local_user:
  debug_print = "R: local_user LDAP lookup for $local_part@$domain"
  driver = accept
  domains = +local_domains
  condition = CHECK_VIRTUAL_USER
  transport = dovecot_lmtp
  cannot_route_message = Unknown user

Where CHECK_VIRTUAL_USER is:

# Query that tests the existence of the user
CHECK_VIRTUAL_USER = \
  ${lookup ldap{user="cn=exim4,ou=dsa,dc=mydomain,dc=com" pass=PASS \
  ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)(mail=$local_part@$domain))}{$value}fail}


Thanks again for all the support. You pointed me in the right direction. :)

2016-11-21 11:16 GMT+00:00 Heiko Schlittermann :

> Hi,
>
> Heiko Schlittermann  (Mo 21 Nov 2016 11:50:13 CET):
> > a) Routing stage
> > You need to interact with the user database dovecot uses.
> > Either you access the user database directory (flat file, LDAP,
> > whatever) or you use the ${readsocket…} feature of Exim to talk to
> > dovecot.
>
> The readsocket trick doesn't seem to work anymore.
>
> Using
> $ socat STDIO UNIX:/run/dovecot/auth-master
>  <  VERSION 1   1
>  <  SPID16290
>  >  VERSION 1   1
>  >  USER42  hs12 service=imap
>  <  USER1   hs12uid=500 gid=500 home=/var/vmail/home/h/hs12
>
> (the spaces are tabs).
>
> But using Exim
>
> exim -be '${readsocket{/run/dovecot/auth-userdb}{VERSION\t1\t1\
> nUSER\t1\hs12\tservice=imap\n}}'
>
> does not work. Exim closes the sending side right after the final \n
> with shutdown(2). Dovecot seems to see this as if the connection should
> be closed now and closes the connection, w/o any response.
>
> As it's not unusual to shutdown(2) the sender if the message is sent,
> I'd see this as a bug on the dovecot side. There is no reason to
> consider the connection as dead, just because the sender closed
> its sending side of the connection.
>
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
>



-- 
Marti Markov
Pursuing a Bachelor Degree of Science in Computer Science at the University
of Southampton
Cell phone: +359886621454
Twitter: https://twitter.com/martimarkov
Facebook: https://facebook.com/Marti.Markov
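Added example, not code from the thread: CHECK_VIRTUAL_USER splices $local_part and $domain straight into an LDAP filter, and Exim provides the ${quote_ldap:...} expansion operator to escape such values first. The Python below mimics that escaping (the RFC 4515 byte set and \xx output form are my reading of the RFC, not copied from Exim), then evaluates the resulting (mail=...) assertion against a constructed directory, so it shows why an unescaped wildcard in the local part makes the existence check succeed for an address that does not exist while the escaped form keeps it literal. Function names and the DIRECTORY entries are my own.

```python
import re

# Constructed directory standing in for the inetOrgPerson entries the lookup searches.
DIRECTORY = ["alice@mydomain.com", "bob@mydomain.com"]

def quote_ldap(value):
    """Escape an LDAP filter assertion value (RFC 4515 byte set: * ( ) \\ NUL).
    This is the job Exim's ${quote_ldap:...} operator does; the byte set and the
    \\xx output form are my reading of the RFC, not copied from Exim."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def user_filter(local_part, domain, escape=True):
    """The filter from CHECK_VIRTUAL_USER, with or without the escaping applied."""
    if escape:
        local_part, domain = quote_ldap(local_part), quote_ldap(domain)
    return f"(&(objectClass=inetOrgPerson)(mail={local_part}@{domain}))"

def assertion_matches(pattern, value):
    """Evaluate one assertion value as a directory server would: an unescaped '*'
    is a substring wildcard, a '\\xx' escape stands for that literal character."""
    regex = ""
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^\\*]+", pattern):
        if tok == "*":
            regex += ".*"
        elif tok.startswith("\\"):
            regex += re.escape(chr(int(tok[1:], 16)))
        else:
            regex += re.escape(tok)
    return re.fullmatch(regex, value) is not None

def lookup(local_part, domain, escape=True):
    """Addresses the filter returns. An empty result is what makes the
    ${lookup ...{$value}fail} in the router fail and the recipient be refused."""
    flt = user_filter(local_part, domain, escape)
    m = re.fullmatch(r"\(&\(objectClass=inetOrgPerson\)\(mail=(.*)\)\)", flt)
    return [addr for addr in DIRECTORY if assertion_matches(m.group(1), addr)]
```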


Re: Exim still accepting emails to nonexistent users

2016-11-21 Thread Heiko Schlittermann
Hi,

Heiko Schlittermann  (Mo 21 Nov 2016 11:50:13 CET):
> a) Routing stage
> You need to interact with the user database dovecot uses.
> Either you access the user database directory (flat file, LDAP,
> whatever) or you use the ${readsocket…} feature of Exim to talk to
> dovecot.

The readsocket trick doesn't seem to work anymore.

Using 
$ socat STDIO UNIX:/run/dovecot/auth-master 
 <  VERSION 1   1
 <  SPID16290
 >  VERSION 1   1
 >  USER42  hs12 service=imap
 <  USER1   hs12uid=500 gid=500 home=/var/vmail/home/h/hs12

(the spaces are tabs).

But using Exim

exim -be '${readsocket{/run/dovecot/auth-userdb}{VERSION\t1\t1\nUSER\t1\ths12\tservice=imap\n}}'

does not work. Exim closes the sending side right after the final \n
with shutdown(2). Dovecot seems to see this as if the connection should
be closed now and closes the connection, w/o any response.

As it's not unusual to shutdown(2) the sender if the message is sent,
I'd see this as a bug on the dovecot side. There is no reason to
consider the connection as dead, just because the sender closed
its sending side of the connection.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 


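The userdb exchange from the socat session above, as an added example that is not part of the thread: a small mock of dovecot's auth-userdb responder and a client that speaks the same VERSION/USER lines, with an option to half-close the sending side after the request the way Exim's ${readsocket} does, so a responder can be checked for treating that half-close correctly. The user entry, SPID value, function names and reply texts are constructed; the NOTFOUND reply for an unknown user is my understanding of the protocol, not something shown in the thread.

```python
import socket
import threading

USERDB = {"hs12": "uid=500\tgid=500\thome=/var/vmail/home/h/hs12"}  # constructed sample data

def mock_auth_userdb(conn):
    """Mock auth-userdb responder: greet, then answer USER (found) or NOTFOUND."""
    with conn:
        conn.sendall(b"VERSION\t1\t1\nSPID\t16290\n")
        buf, req = b"", []
        while not req:  # read until one complete USER line has arrived
            chunk = conn.recv(4096)
            if not chunk:
                return  # client went away before asking anything
            buf += chunk
            req = [ln for ln in buf.split(b"\n")[:-1] if ln.startswith(b"USER\t")]
        _, req_id, user = req[0].decode().split("\t")[:3]
        reply = f"USER\t{req_id}\t{user}\t{USERDB[user]}" if user in USERDB else f"NOTFOUND\t{req_id}"
        conn.sendall(reply.encode() + b"\n")

def userdb_lookup(sock, user, req_id=1, half_close=False):
    """Client side: handshake plus one USER request; returns (found, attrs).
    half_close=True shuts the sending side after the request, as Exim's
    ${readsocket} does; a responder must not treat that as a dead connection."""
    sock.sendall(f"VERSION\t1\t1\nUSER\t{req_id}\t{user}\tservice=imap\n".encode())
    if half_close:
        sock.shutdown(socket.SHUT_WR)
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed without answering")
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            f = line.decode().split("\t")
            if f[0] in ("VERSION", "SPID") or len(f) < 2 or f[1] != str(req_id):
                continue  # greeting lines, or an answer to another request
            if f[0] == "USER":
                return True, dict(kv.split("=", 1) for kv in f[3:])
            if f[0] == "NOTFOUND":
                return False, {}
            raise ValueError("unexpected reply: " + line.decode())

def verify_recipient(user, half_close=False):
    """One lookup against the mock over a socketpair; returns (found, attrs)."""
    client, server = socket.socketpair()
    threading.Thread(target=mock_auth_userdb, args=(server,)).start()
    with client:
        return userdb_lookup(client, user, half_close=half_close)
```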


Re: Exim still accepting emails to nonexistent users

2016-11-21 Thread Heiko Schlittermann
Hi Marti,

(Please do not send CC to my private account)

Marti Markov  (Mo 21 Nov 2016 03:52:54 CET):
> 
> Here is the router:
> 
> virtual_aliases:
…
> hide data = CHECK_VIRTUAL_ALIASES

> local_user:
>   debug_print = "R: local_user for $local_part@$domain"
>   driver = accept
>   domains = +local_domains
> #Dovecot auth check
> #  check_local_user
>   local_parts = ! root
>   transport = dovecot_lmtp
> 
> And this is the transport:
> 
> dovecot_lmtp:
>driver = lmtp
>socket = /var/run/dovecot/lmtp
>#return_path_add
>#maximum number of deliveries per batch, default 1
>batch_max = 200

Ok, the router cannot check the existence of the user. check_local_user
won't help you, as long as the $local_part is not a system user locally.

Basically you have 2 possibilities:

a) check in the routing stage by accessing the user database
   -> testable with: exim -bv u...@exampl.com
b) check in the transport stage by using a callout
   -> testable with: swaks … --pipe 'exim -bhc i.i.i.i'

a) Routing stage
You need to interact with the user database dovecot uses.
Either you access the user database directory (flat file, LDAP,
whatever) or you use the ${readsocket…} feature of Exim to talk to
dovecot.

b) Transport stage
You need to configure the dovecot LMTP to refuse messages to unknown
users. This you can test using swaks (it's capable of talking LMTP).
Once this LMTP works (refusing unknown users) you can use callouts for
verification during SMTP time. (exim -bv … will still tell you that the
message is *routable*, but exim -bh and the pipe mode of swaks may help
you.)



Ha ….
>   transport: dovecot_lmtp
> Cannot do callout: neither router nor transport provided a host list

This can be 'fixed' if you use (not tested)

dovecot_lmtp:
  driver = smtp
  protocol = lmtp
  # the smtp transport's option is "hosts" (a list), which is also what the
  # callout needs; allow_localhost is required because the host is this machine
  hosts = localhost
  allow_localhost
  port = 2525

and have the dovecot LMTP run on a local TCP port

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 


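Option b) as an added example, not code from the thread or from Exim: the LHLO / MAIL FROM:<> / RCPT TO exchange a recipient callout performs, run against a mock of a dovecot LMTP that refuses unknown users, so the two outcomes Heiko describes (accepted, refused) can be seen on the wire. The mailbox list, host names, reply texts and function names are constructed; Exim's real callout code is not this.

```python
import socket
import threading
KNOWN = {"hs12@mydomain.com"}  # constructed stand-in for dovecot's mailbox list

def mock_dovecot_lmtp(conn):
    """Mock of a dovecot LMTP that refuses unknown users: 250 on RCPT for a known
    mailbox, 550 otherwise (host name and reply texts are mine, not dovecot's)."""
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 mail.mydomain.com LMTP ready\r\n")
        for raw in rd:
            verb, _, arg = raw.decode().rstrip("\r\n").upper().partition(" ")
            if verb == "LHLO":
                conn.sendall(b"250-mail.mydomain.com\r\n250 PIPELINING\r\n")
            elif verb in ("MAIL", "RSET"):
                conn.sendall(b"250 2.0.0 OK\r\n")
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip("<>").lower()
                conn.sendall(b"250 2.1.5 OK\r\n" if addr in KNOWN else b"550 5.1.1 User unknown\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                return
            else:
                conn.sendall(b"500 5.5.1 Unknown command\r\n")
def read_reply(rd):
    """Consume one (possibly multi-line) reply and return its numeric code."""
    while True:
        line = rd.readline().decode()
        if not line:
            raise ConnectionError("LMTP peer closed the connection")
        if line[3:4] != "-":
            return int(line[:3])
def callout(sock, recipient):
    """A recipient callout: LHLO, MAIL FROM:<>, RCPT TO, QUIT; never DATA."""
    with sock.makefile("rb") as rd:
        read_reply(rd)  # 220 greeting
        for cmd in ("LHLO exim.mydomain.com", "MAIL FROM:<>"):
            sock.sendall(f"{cmd}\r\n".encode())
            if read_reply(rd) != 250:
                return False
        sock.sendall(f"RCPT TO:<{recipient}>\r\n".encode())
        code = read_reply(rd)
        sock.sendall(b"QUIT\r\n")
        read_reply(rd)
        return 200 <= code < 300  # only a 2xx on RCPT means the recipient exists

def verify_via_callout(recipient):
    client, server = socket.socketpair()
    threading.Thread(target=mock_dovecot_lmtp, args=(server,)).start()
    with client:
        return callout(client, recipient)
```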


Re: Exim still accepting emails to nonexistent users

2016-11-20 Thread Marti Markov
Hi Heiko,

Here is the router:

virtual_aliases:
  driver = redirect
  debug_print = "R: Check address using virtual_aliases for $local_part@$domain"
  allow_fail
  allow_defer
  hide data = CHECK_VIRTUAL_ALIASES
  user = vmail
  group = mail

local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
  # Dovecot auth check
  # check_local_user
  local_parts = ! root
  transport = dovecot_lmtp
  cannot_route_message = Unknown user

And this is the transport:

dovecot_lmtp:
  driver = lmtp
  socket = /var/run/dovecot/lmtp
  # return_path_add
  # maximum number of deliveries per batch, default 1
  batch_max = 200

This might also be helpful (this is with check_local_user commented out in the 
router)
> local_user router <
local_part=nosuchuser domain=domainproblem.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
domainproblem.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
NoSuchUser in "! root"? yes (end of list)
R: local_user for nosuchu...@domainproblem.com
calling local_user router
local_user router called for nosuchu...@domainproblem.com
  domain = domainproblem.com
queued for dovecot_lmtp transport: local_part = nosuchuser
domain = domainproblem.com
  errors_to=NULL
  domain_data=NULL localpart_data=NULL
routed by local_user router
  envelope to: nosuchu...@domainproblem.com
  transport: dovecot_lmtp
Cannot do callout: neither router nor transport provided a host list
--- end verify 
deny: condition test failed in ACL "acl_check_rcpt"
processing "accept"
check domains = +relay_to_domains
domainproblem.com in "empty"? no (end of list)
domainproblem.com in "+relay_to_domains"? no (end of list)
accept: condition test failed in ACL "acl_check_rcpt"
processing "accept"
accept: condition test succeeded in ACL "acl_check_rcpt"
SMTP>> 250 Accepted
250 Accepted


This is when it’s not commented out:
> local_user router <
local_part=m.markov domain=domainproblem.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
domainproblem.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
m.markov in "! root"? yes (end of list)
checking for local user
seeking password data for user "m.markov": using cached result
getpwnam() returned NULL (user not found)
local_user router skipped: m.markov is not a local user


I currently have check_local_user disabled because nobody will be able to 
receive emails.

> On 17 Nov 2016, at 21:33, Heiko Schlittermann  wrote:
> 
> Hi,
> 
> Marti Markov  (Mi 16 Nov 2016 04:28:28 CET):
>> After adding the configuration bit:
>> 
>> deny
>>message = invalid recipient
>>domains = +local_domains
>>!verify = recipient/callout=no_cache
>> 
>> from: http://wiki2.dovecot.org/LMTP/Exim 
>>  running update-exim4.conf and service 
>> exim4 restart
>> 
>> the server is still accepting emails to recipients that do not exist in 
>> dovecot.
> 
> How is the router, targeting the messages to dovecot, configured? And
> how the transport, responsible for the delivery to dovecot?
> 
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann


Re: Exim still accepting emails to nonexistent users

2016-11-17 Thread Heiko Schlittermann
Hi,

Marti Markov  (Mi 16 Nov 2016 04:28:28 CET):
> After adding the configuration bit:
> 
> deny
> message = invalid recipient
> domains = +local_domains
> !verify = recipient/callout=no_cache
> 
> from: http://wiki2.dovecot.org/LMTP/Exim  
> running update-exim4.conf and service exim4 restart
> 
> the server is still accepting emails to recipients that do not exist in 
> dovecot.

How is the router, targeting the messages to dovecot, configured? And
how the transport, responsible for the delivery to dovecot?

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 




Exim still accepting emails to nonexistent users

2016-11-15 Thread Marti Markov
After adding the configuration bit:

deny
message = invalid recipient
domains = +local_domains
!verify = recipient/callout=no_cache

from: http://wiki2.dovecot.org/LMTP/Exim  
running update-exim4.conf and service exim4 restart

the server is still accepting emails to recipients that do not exist in dovecot.

Any ideas?