Re: [exim] Router and transport for modifying message
On 25/04/2023 09:59, mouse via Exim-users wrote:
> My question is - is there any way to just pass e-mail through modifying script *without re-injecting* email via "command = ..."?

Do your changes in ACL code, using Exim facilities rather than an external script.

--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] Routing failed deliveries through an ESP
On 21/04/2023 13:13, Slavko via Exim-users wrote:
> it can be related to per_addr option

per_addr can only be used in the rcpt acl. You'd possibly be able to just use count=1, if this was an event raised once per thing you want counted.

--
Cheers,
  Jeremy

Re: [exim] Routing failed deliveries through an ESP
On 21/04/2023 06:55, Slavko via Exim-users wrote:
> Did I do something wrong?

Would need the actual error message to guess.

--
Cheers,
  Jeremy

Re: [exim] log_reject_target
On 20/04/2023 16:21, Ian Z via Exim-users wrote:
> I was not sure I was interpreting the expression "current ACL" correctly. Things like warn and deny are what, ACL rules?

Verbs. See https://exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html section 18.

For hunting about for info like this, use the Concept Index.

--
Cheers,
  Jeremy

Re: [exim] Routing failed deliveries through an ESP
On 20/04/2023 15:47, Lance Lovette via Exim-users wrote:
> Does Exim have a mechanism to invoke a script with rejected messages

We already told you no.

--
Cheers,
  Jeremy

Re: [exim] log_reject_target
On 19/04/2023 16:24, Ian Z via Exim-users wrote:
> First, does this mean that here nothing will be logged:
>
> acl_check_rcpt:
>   warn log_reject_target =
>   deny condition = true

I've not tried that, but at first sight yes. Why are you asking?

> Second, what about nested ACLs? Both with the acl= condition and with the ${acl .. } expansion. Is the value of log_reject_target restored upon return to the top level ACL?

The value is reset to default on an expansion condition or item which calls an ACL, and on any of the top-level ACL calls specified by main-config options. It is not reset for or after an "acl=" ACL condition (i.e. a nested ACL call).

--
Cheers,
  Jeremy

Re: [exim] Wildcard CN verify error
As a side-note,

On 18/04/2023 20:08, Lance Lovette via Exim-users wrote:
> smtp_mailgun:
> [...]
>   hosts_require_auth = <; $host_address
>   hosts_require_tls = <; $host_address

Just using * for those two would have the same effect, and save work.

--
Cheers,
  Jeremy

Re: [exim] Wildcard CN verify error
On 20/04/2023 06:18, Jasen Betts via Exim-users wrote:
> On 2023-04-18, Lance Lovette via Exim-users wrote:
>>> This is a name mismatch: mailgun.org != mailgun.com.
>>
>> Perhaps it's time for a larger font size :) I will put on my dunce cap and go sit in the corner. But shame on Mailgun for responding to .com with a .org certificate!
>>
>> Lance
>
> Their .com is a cname pointing to the .org, so the same host is both .com and .org, but their host isn't using SNI.

This raises the question: should the name-check be against the CNAME-resolved name rather than the initial? Both? I've not hunted through standards yet.

--
Cheers,
  Jeremy

Re: [exim] Wildcard CN verify error
On 18/04/2023 22:39, Evgeniy Berdnikov via Exim-users wrote:
> mailgun.org != mailgun.com.

Good eyes!

--
Cheers,
  Jeremy

Re: [exim] Wildcard CN verify error
On 18/04/2023 22:03, Lance Lovette via Exim-users wrote:
> Exim version 4.95
>
> X509v3 Subject Alternative Name:
>     DNS:*.mailgun.org, DNS:mailgun.org
>
> [34.160.13.42] SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"

Hmm. Looks like that should have matched. I'll have a play; see if I can duplicate that (but not tonight).

--
Cheers,
  Jeremy

Re: [exim] Wildcard CN verify error
On 18/04/2023 20:08, Lance Lovette via Exim-users wrote:
> SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"

Check to see if that cert had any SANs. The current source has the name-check only using the SN if there are none.

You didn't say what Exim version (and you trimmed the log line; there's been an IP there since 4.91 and now I can't go check the cert myself).

--
Cheers,
  Jeremy

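The name check discussed in this thread, as an added example (not Exim's source and not code from any poster): it parses the mismatch log line quoted above and applies a SAN-first check with CN fallback, assuming RFC 6125-style wildcard rules for how names are compared. The function names and the CNAME target `smtp.mailgun.org` are constructed for illustration.

```python
import re

# Log line and SAN list as quoted in the thread.
LOG_LINE = ('[34.160.13.42] SSL verify error: certificate name mismatch: '
            'DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC'
            '/CN=*.mailgun.org" H="smtp.mailgun.com"')
SANS = ["*.mailgun.org", "mailgun.org"]

_MISMATCH = re.compile(
    r'certificate name mismatch: DN="(?P<dn>[^"]*)" H="(?P<host>[^"]*)"')


def parse_mismatch(line):
    """Extract the subject CN and the expected host from a mismatch log line."""
    m = _MISMATCH.search(line)
    if m is None:
        return None
    cn = None
    for part in m.group("dn").split("/"):
        if part.startswith("CN="):
            cn = part[3:]
    return {"cn": cn, "host": m.group("host")}


def _labels(name):
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, host):
    """Compare one certificate name with a hostname, label by label.

    Assumed rules: "*" is honoured only as the entire leftmost label and
    stands for exactly one label, so "*.mailgun.org" covers
    "smtp.mailgun.org" but not "mailgun.org" or "a.b.mailgun.org".
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label ("*.org").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_host(host, sans, subject_cn):
    """Return (matched, names_checked).

    When the certificate carries SANs they are the only names checked;
    the subject CN is a fallback for certificates that have none.
    """
    if sans:
        names = list(sans)
    elif subject_cn:
        names = [subject_cn]
    else:
        names = []
    return any(name_matches(n, host) for n in names), names


def check_reference_names(configured, cname_target, sans, subject_cn):
    """Outcome for the two candidate reference names raised in the thread.

    The CNAME target comes from DNS, which is unauthenticated without
    DNSSEC: accepting it lets whoever controls the DNS answer pick the
    name that the certificate is verified against.
    """
    return {
        "configured": check_host(configured, sans, subject_cn)[0],
        "cname_target": check_host(cname_target, sans, subject_cn)[0],
    }


if __name__ == "__main__":
    info = parse_mismatch(LOG_LINE)
    print(info)
    print(check_host(info["host"], SANS, info["cn"]))
    print(check_reference_names(info["host"], "smtp.mailgun.org",
                                SANS, info["cn"]))
```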
Re: [exim] Routing failed deliveries through an ESP
On 17/04/2023 14:08, Bill Cole via Exim-users wrote:
> There's a rational basis for an exception for 5xx before MAIL FROM, when the target only has the connection parameters and HELO name to use as a basis for rejection. Re-routing via a fallback path isn't entirely unjustifiable in that case, as it changes those elements of the transaction.

Exim treats what you're talking of as a "host error" rather than a "message error", and goes on to try the next host in the list of possibles determined by the routing stage. Commonly that would be a lower-priority MX for the domain.

--
Cheers,
  Jeremy

Re: [exim] Dynamic received_header_text
The documentation does answer these questions. Was some of it unclear?

--
Cheers,
  Jeremy

Re: [exim] Routing failed deliveries through an ESP
On 17/04/2023 02:01, Lance Lovette via Exim-users wrote:
> How might I configure my routers to ignore an initial 5xx response from the first router and attempt another (and maybe future) deliveries through an alternate router?

You can't. A permanent error response for a message is definitive.

--
Cheers,
  Jeremy

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy
On 16/04/2023 19:17, Sebastian Arcus via Exim-users wrote:
> relay_to_compan1:
>   driver = manualroute
>   domains = company1.com
>   route_list = company1.com 192.168.100.10
>   transport = remote_relay_company1
>   host_find_failed = defer
>
> relay_to_compan2:
>   driver = manualroute
>   domains = company2.com
>   route_list = company2.com 192.168.100.11
>   transport = remote_relay_company2
>   host_find_failed = defer
>
> Wouldn't the above just work for incoming email?

Yes. And if those transports don't actually need different configs, you only need one. And then you might consider using multiple entries in the route_list and only needing one router, too.

--
Cheers,
  Jeremy

Re: [exim] Dynamic certificate paths
On 16/04/2023 19:35, Lance Lovette via Exim-users wrote:
> That would be helpful. Can you point me to a reference?

https://exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html#SECTalomo

--
Cheers,
  Jeremy

Re: [exim] Dynamic certificate paths
On 16/04/2023 17:52, Lance Lovette wrote:
> My goal is to have a single configuration file that can run across different environments (dev/stage/live.)

I'm not seeing why the default of the "uname" result, used if you don't set this option, is not sufficient in that case.

> FWIW, the readfile assignment hasn't caused issues anywhere else so far, just in the cert paths, which I presume are a special case for security.

The docs do show which options are expanded (and so, implicitly, which ones are not).

--
Cheers,
  Jeremy

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 23:31, Sebastian Arcus via Exim-users wrote:
>> you might be able to use cutthrough delivery from the front-end to the real server, which might allow you to reject rather than bounce some of the time; it might even help with your SPF dilemma ?
>
> That was my intention - so that the back-end machines can verify if the recipient exists. Are you saying that when using cutthrough delivery, this doesn't add an extra header to the email message - so this way it wouldn't mess up the SPF checks on the back-end machine

No. A Received: header is always added, cutthrough or store-and-forward.

> (I was assuming that the front-end machine would add another header to the incoming email, which would make it appear to be one of the sending servers - which I then assumed would fail the SPF checks on the back-end machines)

(The original) SA presumably relies on Received: headers to get the sending IP; there's no setting in the API being used to call it. The RSPAMD variant call does, however - so if there were enough call for it a feature could be added to Exim to set that from the config; that in turn could use on the backend Exim info added to the message by private agreement with the frontend (eg. an A-R header).

OR: you could use the SA feature "ignore_received_spf_header", do the SPF checks on the frontend, and add that header to transfer the info

you could use the rspamd feature https://www.rspamd.com/doc/modules/external_relay.html

OR: you could just run SA on the frontend

--
Cheers,
  Jeremy

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 18:01, Sebastian Arcus via Exim-users wrote:
> I think I would have to run Spamassassin on the "proxy" Exim, as otherwise the IP address of the proxy will be added to the headers during the delivery/relay process, and will probably break the SPF checks in Spamassassin on the final Exim server in the chain - I think?

That would depend on how SA gets its info, but yes that'd be simplest.

--
Cheers,
  Jeremy

Re: [exim] Dynamic certificate paths
On 15/04/2023 19:36, Lance Lovette via Exim-users wrote:
> But I need primary_hostname to be dynamic, say read from a file.
>
> primary_hostname = ${readfile{/etc/mailname}{}}

You can't do that; the primary_hostname option does not expand its argument.

Could you explain your need further? Why do you want this value to come from a file? Would it suffice to have that line of configuration come from a file (if so, look into the .include directive).

--
Cheers,
  Jeremy

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote:
> Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can use): https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound

Thinking further, this (HAProxy with Proxy-protocol as a frontend for an MTA, with the HAProxy routing based on SNI) has additional complications.

Because the ESMTP connection has to (for port 25) negotiate TLS using STARTTLS, you're asking that HAProxy run that part of the ESMTP protocol, so that it can see the SNI. It'd have to replay that ESMTP startup down the connection to the backend, as far as the TLS Client Hello - or be a full ESMTP endpoint. I don't know if it's that clever.

--
Cheers,
  Jeremy

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy
On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote:
> I have a number of Exim servers behind a NAT gateway (actually connected with vpn's to a cloud vps - but I'm hoping this is not relevant to this post). I would like the gateway to send incoming port 25 traffic to the correct Exim server based on SNI in incoming TLS packets - as different Exim instances serve different email domains. The setup would look like this:
>
>                  [Internet]
>                      |
>                      | (smtp port 25)
>                      |
>                      v
>                      |
>                [Cloud server]
>                      |
>                      v
>                      |
>         |            |            |
>         |            |            |
> [Exim server 1] [Exim server 2] [Exim server 3]
>
> I would have preferred to do this at IP tables level - but apparently not really possible. It seems the next option would be HAProxy. Has anyone here used HAProxy or run a setup as above, or know if this is actually doable? Any suggestions much appreciated.

Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can use): https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound

I can't really help on other HAProxy facilities or config though.

Another option for you would be to use Exim itself as the fanout element at your "cloud server". It has visibility of the SNI and could use that for routing. Indeed, if the configurations needed for the "Exim server N" elements are sufficiently similar and load & geography permits, you could collapse the lot into a single Exim.

--
Cheers,
  Jeremy

Re: [exim] Configuration progress.
On 14/04/2023 04:03, Peter via Exim-users wrote:
> The result from
> exim -d+all+noutf8 -odf petereasth...@gmail.com &1 | tee ~/NY/ex1 | less
> is in http://easthope.ca/ex1 .
>
> 17:31:09 8486 easthope.ca in "imager.hitronhub.home"? no (end of list)
>
> That is to determine whether the destination is local?

You've not shown any context, but I assume it's this:

  17:31:09 8490 /considering: ${if match_domain{$sender_address_domain}{imager.hitronhub.home}{${sender_address_local_part}@easthope.ca}fail}}}
  17:31:09 8490/considering: $sender_address_domain}{imager.hitronhub.home}{${sender_address_local_part}@easthope.ca}fail}}}
  17:31:09 8490|--expanding: $sender_address_domain
  17:31:09 8490\_result: easthope.ca
  17:31:09 8490 \__(tainted)
  17:31:09 8490/considering: imager.hitronhub.home}{${sender_address_local_part}@easthope.ca}fail}}}
  17:31:09 8490|--expanding: imager.hitronhub.home
  17:31:09 8490\_result: imager.hitronhub.home
  17:31:09 8490 easthope.ca in "imager.hitronhub.home"? no (end of list)

- so it's checking on the sender_address_domain, not the destination.

> Subsequently,
> 17:31:09 8491 no message retry record
> 17:31:09 8491 retry time not reached: checking ultimate address timeout
>
> Why is a retry time evaluated?

To see if it's yet time to bother to try this apparently-dead host again.

> Why not try authentication?

It's not made a connection, so there's nothing to authenticate to.

--
Cheers,
  Jeremy

Re: [exim] From header with encoding not parsed?
On 13/04/2023 23:24, Martin D Kealey via Exim-users wrote:
> On Thu, 13 Apr 2023 at 19:36, Slavko wrote in exim-users@exim.org:
>> On 12 April 2023 16:50:29 UTC, user MRob via Exim-users <exim-users@exim.org> wrote:
>>> Hi, I have a variable to extract the email address in from header set like this: ${lc:${address:$h_From:}}
>>
>> Header is valid, but after decoding it contains comma without quotes, the comma is address separator and thus results in list of two "addresses", first without valid address, thus empty...
>
> My take on this is that Exim is wrong there. Anywhere else, splitting addresses on commas happens before decoding, and this should be no different.

Uh, it's only a list if and when you use that string (the result of that expansion) where a list is expected. And the list separator is also defined by the context.

I don't agree with "Exim is wrong there".

--
Cheers,
  Jeremy

Re: [exim] From header with encoding not parsed?
On 13/04/2023 09:54, Victor Ustugov via Exim-users wrote:
> I'm not talking about what should be encoded, but about what can be received in a real email from a spammer, some kind of script or something like that.

A mail sender could send you *anything*.

--
Cheers,
  Jeremy

Re: [exim] Re (2): Configuring exim to use an non-TLS connection to port 587.
On 12/04/2023 18:51, Peter via Exim-users wrote:
> It has these lines.
>
> 08:33:42 4098 /considering: ${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }

we're doing a string expansion, which will request a lookup...

> 08:33:42 4098/considering: $host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }
> 08:33:42 4098|--expanding: $host
> 08:33:42 4098\_result: easthope.ca

the key we're looking up is the destination host for the transport, "easthope.ca"

> 08:33:42 4098/considering: /etc/exim4/passwd.client}{$host_address}}}{} }
> 08:33:42 4098|--expanding: /etc/exim4/passwd.client
> 08:33:42 4098\_result: /etc/exim4/passwd.client

this is the DB we're to do the lookup in

> 08:33:42 4098 search_open: nwildlsearch "/etc/exim4/passwd.client"
> 08:33:42 4098 search_find: file="/etc/exim4/passwd.client"
> 08:33:42 4098 key="easthope.ca" partial=-1 affix=NULL starflags=0 opts=NULL
> 08:33:42 4098 LRU list:
> 08:33:42 4098 :/etc/exim4/passwd.client
> 08:33:42 4098 End
> 08:33:42 4098 internal_search_find: file="/etc/exim4/passwd.client"
> 08:33:42 4098 type=nwildlsearch key="easthope.ca" opts=NULL
> 08:33:42 4098 file lookup required for easthope.ca
> 08:33:42 4098 in /etc/exim4/passwd.client
> 08:33:42 4098 easthope.ca in "mail.easthope.ca"? no (end of list)
> 08:33:42 4098 lookup failed

... and no, it isn't there.

> /etc/exim4/passwd.client can be read by Debian-exim and has only one active line beginning with mail.easthope.ca.

... sounds like that's the right answer, given the file content.

> A little further down.
>
> 08:33:43 4098 SMTP(closed)<<
> 08:33:43 4098 Remote host closed connection in response to pipelined DATA
>
> The smarthost refused to continue the conversation?

Correct.

Before that close from it, we see:

  08:33:43 4098 sync_responses expect rcpt
  08:33:43 4098 SMTP<< 550 SMTP AUTH is required for message submission on port 587

meaning: we wanted its response to a "RCPT" command we sent it, and that response was an error code (the 550 value) along with a comment for humans "SMTP AUTH is required for message submission on port 587".

So we didn't manage to authenticate ourselves to them. In fact, we didn't even try, probably because that lookup didn't find a match for that key.

--
Cheers,
  Jeremy

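A simplified model of the nwildlsearch lookup walked through in the message above, as an added example (not Exim's code): it handles literal, leading-`*` and leading-`^` keys only, uses Python regular expressions in place of PCRE, and runs against a constructed stand-in for /etc/exim4/passwd.client with placeholder credentials.

```python
import re

# Constructed stand-in for /etc/exim4/passwd.client; the only active line
# begins with mail.easthope.ca, as described in the thread.
PASSWD_CLIENT = """\
# target.mail.server.example:login:password
mail.easthope.ca:LOGIN_PLACEHOLDER:PASSWORD_PLACEHOLDER
"""


def parse_entries(text):
    """Return (key, data) pairs from an lsearch-style file.

    Simplified: the key ends at the first colon or whitespace; comment
    lines start with "#"; quoted keys and continuation lines (leading
    whitespace) are not handled and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#") or raw[0].isspace():
            continue
        m = re.match(r"([^:\s]+)[:\s]*(.*)$", raw)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def key_matches(file_key, subject):
    """Apply one file key to the lookup subject, case-insensitively.

    "*suffix" means "ends with suffix", "^..." is a regular expression,
    anything else is a plain string comparison.
    """
    if file_key.startswith("*"):
        return subject.lower().endswith(file_key[1:].lower())
    if file_key.startswith("^"):
        return re.search(file_key, subject, re.IGNORECASE) is not None
    return file_key.lower() == subject.lower()


def nwildlsearch(text, subject):
    """Linear search: the first matching key wins; None means lookup failed."""
    for key, data in parse_entries(text):
        if key_matches(key, subject):
            return key, data
    return None


if __name__ == "__main__":
    # The transport looked up $host, which expanded to "easthope.ca".
    print(nwildlsearch(PASSWD_CLIENT, "easthope.ca"))       # lookup fails
    print(nwildlsearch(PASSWD_CLIENT, "mail.easthope.ca"))  # entry found
    # Wildcard keys are pure suffix tests: "*.easthope.ca" does not cover
    # the bare domain, while "*easthope.ca" also covers "noteasthope.ca".
    print(key_matches("*.easthope.ca", "easthope.ca"))
    print(key_matches("*easthope.ca", "noteasthope.ca"))
```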
Re: [exim] From header with encoding not parsed?
On 12/04/2023 17:50, MRob via Exim-users wrote:
> Hi, I have a variable to extract the email address in from header set like this:
>
> ${lc:${address:$h_From:}}
>
> But it comes out blank (empty) given a "from" header like this one:
>
> From: =?utf-8?Q?My=20Bizness=2C=20Inc.?=
>
> I think that's a valid header? Did I do something wrong please? Thanks!

You didn't say where you are trying to do that expansion. If it's before data phase, the headers have not yet been received.

--
Cheers,
  Jeremy

Re: [exim] Configuring exim to use an non-TLS connection to port 587.
On 11/04/2023 23:50, Peter via Exim-users wrote:
> From: Graeme Fowler via Exim-users
> Date: Tue, 11 Apr 2023 18:44:22 +0100
>> From https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html (sec 10):
>> "... setting hosts_avoid_tls (an option of the transport) to a list of server hosts for which TLS should not be used."
>
> I wonder how that is done.
>
> $ find /etc/exim4/ -type f -exec grep "hosts_avoid_tls" '{}' \; -print
> hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
> /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
> hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
> /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp
> hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
> hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
>
> Obvious questions before recklessly diving into changes.
>
> (1) Macros are mentioned frequently in Exim documents. In general, the meaning of "macro" depends upon the context. https://en.wikipedia.org/wiki/Macro#Computing What is a macro in Exim?

Described in the Exim documentation: https://exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_runtime_configuration_file.html#SECTmacrodefs

> (2) Lines above containing "=" signs are assignments?

Those specific ones are option settings.

> (3) An entity to left of = is a variable? Similar to a shell variable?

No. Read the docs.

> (4) What is an entity in all caps, right of =?

Almost certainly a macro.

> Of course, looked for answers in various docs before posting this.
> /usr/share/doc/exim4-base/README
> /usr/share/doc/exim4-base/README.Debian
> /usr/share/doc/exim4-config/README.Debian
> https://wiki.debian.org/PkgExim4UserFAQ
> https://en.wikipedia.org/wiki/Macro#Computing
> Nothing particularly helpful. =8~/

The first hit from either duckduckgo or google gets you to the right place. So did Graeme's mail you included.

--
Cheers,
  Jeremy

Re: [exim] Configuring exim to use an non-TLS connection to port 587.
On 11/04/2023 17:43, Peter via Exim-users wrote:
> Hello again,
>
> In absence of progress to have exim apply TLS-on-connect to server port 465 I'm trying non-TLS to port 587 as a simpler first objective. =8~/
>
> Configuration specifications of the server are here. https://islandhosting.com/knowledgebase/21/How-do-I-configure-my-email-client.html
>
> This is the result of "dpkg-reconfigure exim4-config".
>
> $ tail -n 15 /etc/exim4/update-exim4.conf.conf
> # This is a Debian specific file
> dc_eximconfig_configtype='smarthost'
> dc_other_hostnames=''
> dc_local_interfaces='127.0.0.1'
> dc_readhost='easthope.ca'
> dc_relay_domains=''
> dc_minimaldns='false'
> dc_relay_nets=''
> dc_smarthost='158.69.159.172::587'
> CFILEMODE='644'
> dc_use_split_config='false'
> dc_hide_mailname='true'
> dc_mailname_in_oh='true'
> dc_localdelivery='mail_spool'
> $
>
> The consequent eximdebug.txt is here. http://easthope.ca/eximdebug.txt
>
> I noted this line.
> 20:33:40 1656 read response data: size=213
>
> The lines following it suggest the server attempts to apply STARTTLS whereas the instructions on the Web page cited above are "Non-SSL Settings ... SMTP Port: 587". What is the reality?

A little before that line:

  20:33:40 1656 158.69.159.172 in hosts_avoid_tls? no (option unset)
  20:33:40 1656 SMTP>> STARTTLS

The transport checked its option "hosts_avoid_tls" and found nothing set. So it tried to use STARTTLS. If you don't want it to even try (and then fallback to plaintext), then you need something in that option. If you're only ever talking to this smarthost, it could even be "*" to have that apply to all target hosts.

Whether or not the Debian configurator has a way of doing that for you I don't know.

> What is the crux of failure?

  20:33:41 1656 TLS: checking peer certificate
  20:33:41 1656 TLS certificate verification failed: cert name mismatch
  20:33:41 1656 TLS session fail: (certificate verification failed)

- they presented a server certificate that we don't like; specifically, the list of systems that are supposed to use the cert did not include the name we think the server has (the one we made a TCP connection to).

It's possible to turn that security check off, and you might have to in order to get a TLS connection to this provider (either STARTTLS or TLS-on-connect).

However, your debug run did continue with a plaintext attempt after failing on the STARTTLS, and we see

  20:33:41 1656 158.69.159.172 in hosts_require_auth? no (option unset)

- which seems bogus given your provider's need for login/password authentication

followed by

  20:33:41 1656 failed to expand "<; ${if exists{/etc/exim4/passwd.client} {${lookup{$host}nwildlsearch{/etc/exim4/passwd.client}{$host_address}}}{} }" while checking a list: failed to open /etc/exim4/passwd.client for linear search: Permission denied (euid=106 egid=113)

- which is clearly an error that needs fixing, and should be self-explanatory apart from "euid" and "egid" which are the values of user and group that the exim transport process was operating as at the time of trying to open that file.

Check the file permissions, I would guess that this file is created by the Debian configurator, but I don't know that. If it was, then it should just work with their config, unless someone has manually fiddled with things.

> FOOTNOTE
> In the transcript, eximdebug.txt, the direction of transmission is unclear. A common notation is "c:" indicating client transmission and "s:" indicating server transmission. It would add only 2 or 3 characters per line while removing uncertainty. =8~)

The debug from exim uses "SMTP>>" to say "I sent this" - eg:

  20:33:40 1656 SMTP>> EHLO imager.hitronhub.home

and it uses "SMTP<<" to say "I received this" - eg:

  20:33:40 1656 SMTP<< 250-hornby.islandhosting.com Hello s0106a84e3f6ccb23.gv.shawcable.net [24.108.14.249]

Separately: Given what your presentation of the debug output to us has done with the UTF-8 content (as I mentioned before), you might want to experiment with the debug option "+noutf8" so that ascii-art is used instead.

--
Cheers,
  Jeremy

Re: [exim] Re (2): Syntactic validity of configuration.
On 11/04/2023 07:44, Slavko via Exim-users wrote:
> The only downside with exim is, that this split (as implemented in debian) is not directly supported by exim, and one have to reload exim even to test it, but on other side, at least I do not forget to reload it after changes ;-)

Possible wishlist item, for exim to watch for changes to the files that provided its config and auto-reload.

--
Cheers,
  Jeremy

Re: [exim] Defaults for FreeBSD
On 09/04/2023 17:58, David Siebörger via Exim-users wrote:
> The default settings for CC and USE_DB for FreeBSD seem to be out-of-date.

I'd like to hear from the FreeBSD package maintainer their preferences, even though you're talking about the upstream git. Folding back any patches FreeBSD is carrying, where feasible, would be good.

Unfortunately I don't know right off how to find out who that is.

--
Cheers,
  Jeremy

Re: [exim] Re (2): Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 08/04/2023 23:35, Peter via Exim-users wrote:
> (1) The man page shows option -f without explanation. How is it used?

It has no effect, though it is parsed and is not an error. Despite the author's note on that manpage (at least in the Ubuntu online one I found) the source must have been glanced at. The actual Exim documentation doesn't mention it.

> (2) Why split the database identifier into path and file? Why not just the fully qualified name? Eg.
> exim_tidydb -t 1m /var/spool/exim4/db/retry

That's not a "file", it's a hints-database name. It lets the utility Do The Right Thing when the database is made of multiple files, or a file with some name depending on, but not identical to, the name of the hints-db.

--
Cheers,
  Jeremy

Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 08/04/2023 19:16, Peter via Exim-users wrote:
> Appears the log I have now is complete; the last line has "terminating with rc=0". Rather than clutter the mailing list with mostly insignificant data I put it here. http://easthope.ca/eximdebug.txt

Somewhere along the way the UTF-8 in that got mangled... But here:

  19:37:10 5273 ** pe...@easthope.ca R=smarthost T=remote_smtp_smarthost: all hosts for 'easthope.ca' have been failing for a long time (and retry time not reached)

"retry time not reached" is the relevant bit. Exim is holding off for a bit from trying to connect to a host it has recorded as failing. It'll try again eventually (assuming you have periodic queue runs) - or you could just wipe the hints database.

(and that line was being sent to your main log, as well as debug output)

--
Cheers,
  Jeremy

Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 06/04/2023 19:53, Jeremy Harris via Exim-users wrote:
> On 05/04/2023 17:49, Peter via Exim-users wrote:
>> 19:40:02 9597 TFO mode sendto, no data: EINPROGRESS
>> 19:40:02 9597 connected
>> 19:40:02 9597 ╭considering: $primary_hostname
>> 19:40:02 9597 ├──expanding: $primary_hostname
>> 19:40:02 9597 ╰─result: dalton.invalid
>
> Something tells me you didn't wait long enough (which could be, like, ten minutes if it's this end exim timing out waiting for the target system to speak).

Actually, I'm not convinced that your transport actually has "protocol = smtps". The TLS client-side startup should be visible pretty soon after that "sendto" (which initiates the TCP connection).

If you look backward in that file there should be a line like "remote delivery to j...@test.ex with transport=send_to_server1" - take that transport name off the end and check it's the transport in your config that you are expecting. Then do

  # exim -bP transport

to dump the actual config (at least, from a freshly loaded config... you *did* restart exim after any config edits?)

--
Cheers,
  Jeremy

Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 05/04/2023 17:49, Peter via Exim-users wrote:
> 19:40:02 9597 TFO mode sendto, no data: EINPROGRESS
> 19:40:02 9597 connected
> 19:40:02 9597 ╭considering: $primary_hostname
> 19:40:02 9597 ├──expanding: $primary_hostname
> 19:40:02 9597 ╰─result: dalton.invalid

Something tells me you didn't wait long enough (which could be, like, ten minutes if it's this end exim timing out waiting for the target system to speak).
--
Cheers, Jeremy
Re: [exim] Re (n): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 06/04/2023 18:30, Peter via Exim-users wrote:
> I should refrain from attempting to send messages as root. Should submit as ordinary user. Correct?

Nope. The "don't run as root" thing doesn't affect deliveries done via smtp, only deliveries to file. Deliveries to file have to be done as the owner of the recipient account, so as to have permission to modify their files. But we want to avoid running as root (and sometimes some other privileged users too, which is why it's configurable) because doing so is an attack surface just begging to be scratched.

Your deliver-to-smarthost is not that.
--
Cheers, Jeremy
Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 06/04/2023 17:28, Peter via Exim-users wrote:
> What is the reality?

"Delivery" meaning the specific phase of a message going outward from exim, as opposed to being accepted by exim.
--
Cheers, Jeremy
Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 01/04/2023 16:22, Peter via Exim-users wrote:
> Nevertheless, the connection fails. Any tip about diagnosis may help.

Exim has a debug mode. Most commonly triggered from a commandline option. It is documented in the Exim docs, and possibly (I've not checked a Debian system) the manpage for exim.

Attempt a test connection using a commandline message send, along the lines of

$ exim -d+all -odf per...@externaldomsin.com 2>&1 | tee eximdebug.txt | less

You will see the processing that exim does, and should be able to infer at what point it diverges from your needs.
--
Cheers, Jeremy
Re: [exim] Make auth unsuccessful with some conditions
On 31/03/2023 20:28, Evgeniy Berdnikov via Exim-users wrote:
> while $auth1 should always be null string for PLAIN.

Wups, not for the dovecot driver. You're thinking of the plaintext driver.
--
Cheers, Jeremy
Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 31/03/2023 16:36, Peter via Exim-users wrote:
> submissions 465/tcp ssmtp smtps urd # Submission over TLS [RFC8314]
>
> Should a line beginning smtps be added? Eg. smtps 465/tcp ...

Not needed. The "smtps" value for the exim smtp transport driver is a keyword, not a reference looked up in /etc/services.

But I'm still thinking that the Debian configuration wizard for Exim likely has a question on this, and you shouldn't be needing to manually find the right place in their resulting set of configuration files. This is my inference from the presence of that macros use pointed out by Evgeniy.
--
Cheers, Jeremy
Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 31/03/2023 16:15, Evgeniy Berdnikov via Exim-users wrote:
> .ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
> protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
> .endif

Doesn't that imply the wizard has a question that sets that?
--
Cheers, Jeremy
Re: [exim] Make auth unsuccessful with some conditions
On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:
> I'm trying to deny users successful authentication if they connect not from the internal network but from the Internet. At the same time, I have a file with exception users. server_condition is used to deny authentication. At the same time, this works for CRAM_MD5, but does not work for PLAIN (an error message appears in the log, but the message is sent as coming from an authorized user).

What error message? In what fashion does it "not work"? Show us an example. Use the debug facilities (quite likely, doing that will show you where your issue is).

> There are also notes for PLAIN in the documentation: "This option must be set for a plaintext server authenticator, where it is used directly to control authentication. See section 34.3 for details." I don't know how to apply or bypass this in my case.

As it says, for a plaintext authenticator. You are not using one, you are using dovecot authenticators.
--
Cheers, Jeremy
Re: [exim] Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.
On 30/03/2023 20:00, Peter via Exim-users wrote:
> Debian 11 here with exim4 4.94.2-7.

Debian has a configuration wizard. In what respect is it not offering what you need?
--
Cheers, Jeremy
Re: [exim] Make auth unsuccessful with some conditions
On 30/03/2023 13:58, Dzmitry Shykuts via Exim-users wrote:
> I have a file with exception users

But the server_advertise_condition wants an empty/nonempty string, and you appear to be handing it a filename.
--
Cheers, Jeremy
Re: [exim] nwildlsearch does not match
On 31/03/2023 07:51, Niels Kobschätzki via Exim-users wrote:
> What am I doing wrong? I thought that nwildlsearch can use wildcards and * and .* are wildcards to me.

https://exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECTsinglekeylookups
--
Cheers, Jeremy
Re: [exim] Something like "domains_require_tls"
On 29/03/2023 17:59, Viktor Dukhovni via Exim-users wrote:
> It is (at least in Postfix) also possible

Please note that this mailing list is not focussed on Postfix.
--
Cheers, Jeremy
Re: [exim] Something like "domains_require_tls"
On 29/03/2023 10:40, Slavko via Exim-users wrote:
> On 29 March at 10:56, Olaf Hopp (SCC) via Exim-users wrote:
>> decided still to live with 2 pairs of routers and transports and keep in mind, when I change one of them, I have to change the other one as well.
>
> And what about include common transport parts from separate file in both? I never did it in transport, but I use it in ACL to not touch (very much) debian's default config.

Alternatively, using macros for the common bits across the pairs would get you partway.
--
Cheers, Jeremy
Re: [exim] Something like "domains_require_tls"
On 24/03/2023 14:45, Olaf Hopp (SCC) via Exim-users wrote:
> Am I missing something ?

The behaviour defined in the docs does not cover your use. The actual implementation, and behaviour, could change underneath you.
--
Cheers, Jeremy
Re: [exim] Something like "domains_require_tls"
On 24/03/2023 12:28, Olaf Hopp (SCC) via Exim-users wrote:
> Do you think "multi_domain = false" is not worth for trying ?

Correct.
--
Cheers, Jeremy
Re: [exim] Something like "domains_require_tls"
On 23/03/2023 16:01, Jeremy Harris via Exim-users wrote:
> allsmtp:
>   driver = smtp
>   hosts_require_tls = ${if match_domain{$domain}{+domainlist-with-TLS-Domains} {*}{}}
>   multi_domain = false

Actually, better have max_rcpt = 1 rather than the multi_domain; I'm not certain that there's coding in the transport to check for all-same-domain when expanding $domain.

Note that there's a cost here in efficiency, which the separate routers & transports solution does not have.
--
Cheers, Jeremy
Re: [exim] Something like "domains_require_tls"
On 23/03/2023 15:30, Olaf Hopp (SCC) via Exim-users wrote:
> router_A:
>   domains: +domainlist-with-TLS-Domains
>   transport: tlssmtp
> router_B:
>   domains: *
>   transport: smtp
>
> tlssmtp:
>   hosts_require_tls = *
>   driver = smtp
> smtp:
>   driver smtp
>
> in reality two routers and transports are much more complicated but almost identical. The same is true for the transports. Is it somehow possible to consolidate this into one router and one transport

allsmtp:
  driver = smtp
  hosts_require_tls = ${if match_domain{$domain}{+domainlist-with-TLS-Domains} {*}{}}
  multi_domain = false
--
Cheers, Jeremy
Re: [exim] Tainted search query is not properly quoted
On 20/03/2023 15:14, Odhiambo Washington via Exim-users wrote:
> What mod do I need to make on it?

Quote it. Like you already are for $sender_helo_name.
--
Cheers, Jeremy
Re: [exim] Stacking or renaming headers
On 19/03/2023 17:42, Ian Z via Exim-users wrote:
> X-Original-Foo: the-ur-foo
> Foo: the-no-longer-ur-foo
>
> I am not thinking of a header with addresses here, so Exim's rewrite mechanism doesn't apply. Is there a "best" or "accepted" way to do this? In particular, can I do this in an ACL:
>
> add_header = X-Original-Foo: $h_foo:
> set acl_m_original_foo = $h_foo:
> remove_header = Foo
> add_header = Foo: the-no-longer-$acl_m_original_foo

Yes. And you don't need the temporary variable.

> (I am not sure if the last add_header trum^H^H^H^Hoverrides the preceding remove_header.)

No.

> And if not in ACL, can I do something similar in a router or transport?

Yes, both.
--
Cheers, Jeremy
Re: [exim] Single quotes and transport_filter
On 19/03/2023 17:22, Ian Z via Exim-users wrote:
> Chapter 24 documents the transport_filter option. An example is given where the argv vector for the command comes from an expansion:
>
> transport_filter = '/bin/cmd${if eq{$host}{a.b.c}{1}{2}}'
>
> This runs the command /bin/cmd1 if the host name is a.b.c, and /bin/cmd2 otherwise. If double quotes had been used, they would have been stripped by Exim when it read the option’s value. When the value is used, if the single quotes were missing, the line would be split into two items, /bin/cmd${if and eq{$host}{a.b.c}{1}{2}, and an error would occur when Exim tried to expand the first one.
>
> I have two problems grokking this:
>
> - I can find no other place in the spec where it is specifically explained what single quotes do, as opposed to double quotes.

Yup; this could be better. In the coding I find an explanatory comment:

/* Split the command up into arguments terminated by white space. Lose
trailing space at the start and end. Double-quoted arguments can contain \\ and
\" escapes and so can be handled by the standard function; single-quoted
arguments are verbatim. Copy each argument into a new string. */

> - In Section 29.3 on pipe commands (which are supposedly expanded the same way), there is this example:
>
> command = /some/path ${if eq{$local_part}{postmaster}{xx}{yy}}
>
> will not work, because the expansion item gets split between several arguments. You have to write
>
> command = /some/path "${if eq{$local_part}{postmaster}{xx}{yy}}"
>
> So why are double quotes OK here?

The difference is an artefact of the option-handling described in Ch.6 Sec.17 :- if an option value *starts* with a doublequote then it must end with one (and, implicitly, they get stripped at that processing phase). The pipe example does not.
--
Cheers, Jeremy
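The two phases discussed in this message, as an added example that is not part of the thread and not Exim source code: a simplified Python model of the option-value quote stripping and of the argument split described in the quoted source comment. The function names are hypothetical, and only the `\\` and `\"` escapes named in that comment are modelled.

```python
# Simplified model (an assumption, not Exim's implementation) of:
#   phase 1: reading an option value from the configuration file
#   phase 2: splitting a command string into argv items before expansion


def read_option_value(raw):
    """Phase 1: a value that *starts* with a double quote must end with one;
    the outer quotes are stripped here. Single quotes are left alone."""
    raw = raw.strip()
    if not raw.startswith('"'):
        return raw
    if len(raw) < 2 or not raw.endswith('"'):
        raise ValueError("option value starts with a double quote but does not end with one")
    body, out, i = raw[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in '\\"':
            i += 1                       # keep the escaped character only
        out.append(body[i])
        i += 1
    return "".join(out)


def split_command(cmd):
    """Phase 2: arguments are terminated by white space; double-quoted
    arguments may contain \\\\ and \\" escapes; single-quoted ones are verbatim."""
    args, i, n = [], 0, len(cmd)
    while True:
        while i < n and cmd[i].isspace():
            i += 1
        if i >= n:
            return args
        if cmd[i] == "'":
            end = cmd.find("'", i + 1)
            if end < 0:
                raise ValueError("unterminated single quote")
            args.append(cmd[i + 1:end])  # verbatim, white space included
            i = end + 1
        elif cmd[i] == '"':
            buf, i = [], i + 1
            while i < n and cmd[i] != '"':
                if cmd[i] == "\\" and i + 1 < n and cmd[i + 1] in '\\"':
                    i += 1
                buf.append(cmd[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated double quote")
            args.append("".join(buf))
            i += 1
        else:
            start = i
            while i < n and not cmd[i].isspace():
                i += 1
            args.append(cmd[start:i])


def argv_for(raw_option_value):
    """Both phases in order, as they apply to one option value."""
    return split_command(read_option_value(raw_option_value))


if __name__ == "__main__":
    for value in (
        "'/bin/cmd${if eq{$host}{a.b.c}{1}{2}}'",
        '"/bin/cmd${if eq{$host}{a.b.c}{1}{2}}"',
        '/some/path "${if eq{$local_part}{postmaster}{xx}{yy}}"',
    ):
        print(value, "->", argv_for(value))
```

The double-quoted transport_filter value loses its quotes in phase 1 and is then split at the space inside `${if ...}`, while the pipe command value does not start with a quote, so its quotes survive to phase 2 and protect the expansion item.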
Re: [exim] Tainted search query is not properly quoted
On 19/03/2023 10:58, Odhiambo Washington via Exim-users wrote:
> warn condition= ${if eq {$acl_m_greyexpiry}{} {1}}
>      set acl_m_dontcare = ${lookup sqlite {INSERT INTO greylist \
>          VALUES ( '$acl_m_greyident', \
>          '${eval10:$tod_epoch+300}', \
>          '${quote_sqlite:$sender_host_address}', \
>          '${quote_sqlite:$sender_helo_name}' );}}
>
> It's not obvious to me what I haven't quoted properly.

The only obvious element is your $acl_m_greyident, since $tod_epoch shouldn't be derived from wire information. The debug "expand" channel would show you for definite.
--
Cheers, Jeremy
Re: [exim] strip incoming messages of A-R headers that claim to be from our own
On 16/03/2023 14:53, Jim Lamers via Exim-users wrote:
> headers_remove = Authentication-Results
> headers_add = "Authentication-Results: TEST"

You might prefer to only do the (remove, add-stripped) sequence when there is an offending AR header present.
--
Cheers, Jeremy
Re: [exim] strip incoming messages of A-R headers that claim to be from our own
On 16/03/2023 14:53, Jim Lamers via Exim-users wrote:
> was wondering if there are better ways to remove incoming A-R headers that claim to be from our own admd?

Nope. I raised a wishlist item for it.
--
Cheers, Jeremy
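The selective stripping discussed in this thread (remove only Authentication-Results fields that claim our own ADMD, and touch the message only when one is present), as an added Python example that is not part of the thread and not an Exim facility. The function names, the sample message and the identifier mx.example.net are constructed; the authserv-id parsing is simplified (un-nested comments, LF line endings).

```python
import re


def authserv_id(field):
    """Return the lower-cased authserv-id of an Authentication-Results field,
    or None if the field is some other header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", field)
    name, _, value = unfolded.partition(":")
    if name.strip().lower() != "authentication-results":
        return None
    value = re.sub(r"\([^()]*\)", " ", value)      # drop simple (comments)
    tokens = value.split(";", 1)[0].split()        # authserv-id [version]
    return tokens[0].strip('"').lower() if tokens else ""


def strip_forged_ar(raw, our_id):
    """Remove A-R fields whose authserv-id equals our_id.
    Returns (message, removed_count); the message is returned untouched
    when nothing offending is present."""
    head, sep, body = raw.partition("\n\n")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\n" + line               # folded continuation line
        else:
            fields.append(line)
    kept = [f for f in fields if authserv_id(f) != our_id.lower()]
    removed = len(fields) - len(kept)
    if removed == 0:
        return raw, 0
    return "\n".join(kept) + sep + body, removed


# Constructed sample: one field claims our identifier, one is from elsewhere.
SAMPLE = (
    "Received: from mail.sender.example by mx.example.net\n"
    "Authentication-Results: mx.example.net;\n"
    "\tdkim=pass header.d=bank.example\n"
    "Authentication-Results: (relay) upstream.example.org 1; spf=pass\n"
    "From: someone@sender.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    cleaned, count = strip_forged_ar(SAMPLE, "mx.example.net")
    print(count, "field(s) removed")
    print(cleaned)
```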
Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
On 15/03/2023 20:00, Andrew C Aitchison via Exim-users wrote:
> > When exim acting as a mail client wishes to send a message, a Meddler-in-the-Middle (MitM) may respond to the STARTTLS command by also sending a response to the *next* command, which exim will erroneously treat as a trusted response.

Sigh. Nobody has *ever* shown any way that could have been exploited.
--
Cheers, Jeremy
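A client-side guard against the behaviour described in the CVE text quoted above, as an added Python example that is not Exim's code and not part of the thread: after the reply to STARTTLS, anything still sitting in the cleartext receive buffer is rejected instead of being carried into the TLS session. The class and function names and the byte strings are constructed for illustration.

```python
class ProtocolError(Exception):
    pass


class ReplyReader:
    """Buffers cleartext bytes from the server and returns whole SMTP replies."""

    def __init__(self, chunks):
        self._chunks = iter(chunks)   # stands in for successive recv() results
        self._buf = b""

    def _fill(self):
        try:
            self._buf += next(self._chunks)
        except StopIteration:
            raise ProtocolError("connection closed in the middle of a reply") from None

    def read_reply(self):
        """Return (code, [text lines]) for one reply, multi-line replies included."""
        lines = []
        while True:
            while b"\r\n" not in self._buf:
                self._fill()
            line, self._buf = self._buf.split(b"\r\n", 1)
            if len(line) < 3 or not line[:3].isdigit():
                raise ProtocolError("malformed reply line")
            lines.append(line[4:].decode("ascii", "replace"))
            if line[3:4] != b"-":     # "250-" continues, "250 " ends the reply
                return int(line[:3]), lines

    def pending(self):
        """Bytes received but not yet consumed as part of a reply."""
        return self._buf


def accept_starttls(reader):
    """Check the reply to STARTTLS. Returns True when it is safe to begin the
    TLS handshake; raises if the server refused or if extra cleartext bytes
    arrived together with the reply."""
    code, _ = reader.read_reply()
    if code != 220:
        raise ProtocolError("STARTTLS refused with code %d" % code)
    if reader.pending():
        # These bytes were never protected by TLS, so they must not be
        # interpreted as the answer to any command sent after the handshake.
        raise ProtocolError("cleartext data buffered after the STARTTLS reply")
    return True


if __name__ == "__main__":
    print(accept_starttls(ReplyReader([b"220 Ready to start TLS\r\n"])))
    try:
        accept_starttls(ReplyReader([b"220 Ready to start TLS\r\n250 OK\r\n"]))
    except ProtocolError as exc:
        print("rejected:", exc)
```

After a successful check the client should also start the TLS session with a fresh, empty reply buffer, so that nothing read before the handshake can be consumed after it.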
Re: [exim] Error while checking expression with exim -be
On 14/03/2023 13:17, Victor Ustugov via Exim-users wrote:
> Office365 OAuth2 access token response size is over 4K)

You are seriously stretching the original intent of Exim's string-handling with this.

[ Have you considered writing an Exim authenticator module? ]

> Entering this expression interactively many times will be very inconvenient.

a) you should be able to use stdin. If you are having problems with it, they are probably from the shell (as in Bourne Shell, Ksh, Csh) expanding or dequoting things you didn't expect

b) recent version of the "-be" support let you define macros and set variables
--
Cheers, Jeremy
Re: [exim] Hide IP address of authenticated users
On 14/03/2023 22:02, Yves Goergen via Exim-users wrote:
> Is there some explanation about this? Does it work? What does it do? Should I create the mentioned file if I don't have it yet?

It's a macro definition, in Exim terms. What having it defined means depends on the rest of the configuration; it's in no way a builtin thing for Exim.

You need to investigate the configuration that it is intended to be used with, and _its_ documentation. Possibly Debian's.
--
Cheers, Jeremy
Re: [exim] strip incoming messages of A-R headers that claim to be from our own
On 13/03/2023 15:59, Jim Lamers via Exim-users wrote:
> This solution does not seem to work in all situations,

Can you characterize the nonworking ones?

> headers_add Authentication-Results TEST

Did you miss a colon there?
--
Cheers, Jeremy
Re: [exim] Error while checking expression with exim -be
On 14/03/2023 11:46, Victor Ustugov via Exim-users wrote:
> When I tried to run exim with a long value of -be option, I got an error:
>
> exim: length limit exceeded (386 > 256) for: recipient

Yes, I've run into that (just this week!) I assume the "-be " was a retrofit after the use of a trailing arg for a mail recipient, and just uses the same machinery.

What you can do is use the interactive mode of -be instead; that's ok up to more like a kB - and after that, use "backslash, newline" continuations.
--
Cheers, Jeremy
Re: [exim] Is that SPAM? Or am I compromised?
On 13/03/2023 23:43, Gedalya via Exim-users wrote:
> 4. On ports 587, authentication should not be advertised before STARTTLS is issued.

A slight suggested relaxation of that rule: Only authentication methods which are self-encrypted should be used on a cleartext channel.

That means the same as your simpler rule for PLAIN and LOGIN, which are the common ones. But the SCRAM family, for example, would be safe.
--
Cheers, Jeremy
Re: [exim] expansion error in OAuth2 client authenticator
On 12/03/2023 21:51, Victor Ustugov via Exim-users wrote:
> Rather, the lack of SNI support does not prevent me from getting response to access token refresh request. But Exim puts certificate verification error message into the logs.

Having found a way of doing basic functionality testing of it, pushed 6fdf76d0eae4.
--
Cheers, Jeremy
Re: [exim] expansion error in OAuth2 client authenticator
On 12/03/2023 17:31, Victor Ustugov via Exim-users wrote:
> Jeremy Harris via Exim-users wrote on 12.03.2023 19:09:
>> On 12/03/2023 16:25, Victor Ustugov via Exim-users wrote:
>>> Is it possible to use SNI with ${readsocket?
>>
>> No.
>
> Do you plan to implement this functionality?

It's not currently on the radar. Glancing round the code, it could be implemented with a bit of a hack. Choosing a syntax would also be needed. How badly do you need it?

Testing is an issue. I think you mentioned building a FreeBSD port for yourself; does that mean you could take a patch and test that?
--
Cheers, Jeremy
Re: [exim] expansion error in OAuth2 client authenticator
On 12/03/2023 16:25, Victor Ustugov via Exim-users wrote:
> Is it possible to use SNI with ${readsocket?

No.
--
Cheers, Jeremy
Re: [exim] $spam_score_int
On 10/03/2023 10:26, John McMurray via Exim-users wrote:
> I'd also like to be able to increase the $spam_score_int variable so that mail clients can decide how they want to handle higher spam scores.

That variable is set by a call to SpamAssasin. Your code snippet doesn't mention it; it's unclear how you are thinking of using it. It is described in the documentation.

You can't modify it. You might not need to, to do what you want.
--
Cheers, Jeremy
Re: [exim] Ratelimiting recipients per sender_address
On 09/03/2023 19:30, Slavko via Exim-users wrote:
> On 9 March 2023 16:08:08 UTC, Jeremy Harris via Exim-users wrote:
>> On 09/03/2023 15:47, Olaf Hopp (SCC) via Exim-users wrote:
>>> "x recipients per distinct sender per time period y > z" ?
>>
>> If you used $sender_address@$recipient as the key, would it do what you want?
>
> Are not per_rcpt/per_addr option for that?

Probably; it depends on exactly what's being asked for.
--
Cheers, Jeremy
Re: [exim] Ratelimiting recipients per sender_address
On 09/03/2023 15:47, Olaf Hopp (SCC) via Exim-users wrote:
> "x recipients per distinct sender per time period y > z" ?

If you used $sender_address@$recipient as the key, would it do what you want?
--
Cheers, Jeremy
Re: [exim] Exim, OAUTH2 and gnutls problem
On 05/03/2023 15:59, ael via Exim-users wrote:
> While testing, I have encountered two apparently benign error messages:
>
> 1) H=outlook.xx.office365.com [xx.xx.xxx.xxx] TLS error on connection (recv): Error in the pull function.

Yes, the GnuTLS library produces this somewhat obscure message when a read it's trying to do on the underlying TCP socket returns an error to it. The error can be, and most often is "the far end closed the TCP connection" when GnuTLS is expecting a proper, graceful notification that the TLS layer is being closed.

So long as the mail message was apparently transferred properly you can ignore this one. Your debug shows SMTP-level success responses for both the data phase for the message and the SMTP QUIT after it.
--
Cheers, Jeremy
Re: [exim] Question about SRS
On 03/03/2023 14:47, Patrick Cernko via Exim-users wrote:
> obviously I have to use that domain in the inbound_srs* routers then

Plus any other places where your config has a notion as to what it does with what domain names.

You're moving further away from a basic set; you'll need to reason about it yourself.
--
Cheers, Jeremy
Re: [exim] Any plan to integrate DMARC for incoming email in Debian/Ubuntu releases?
On 02/03/2023 18:43, Jämes Ménétrey via Exim-users wrote:
> official packages for these platforms.

Here is the wrong place to be asking, being the upstream project and not Debian
--
Cheers, Jeremy
Re: [exim] Question about SRS
On 03/03/2023 13:22, Patrick Cernko via Exim-users wrote:
> Why is it required to set max_rcpt=1 in the remote_forwarded_smtp transport?

For $original_domain to be valid. If the transport was handling multiple recipients then the domains could potentially be disparate.
--
Cheers, Jeremy
Re: [exim] How to customize the autoreply email subject?
On 28/02/2023 08:54, Cyborg via Exim-users wrote:
> On 28.02.23 at 00:27, Tony via Exim-users wrote:
>> Now, the auto reply email subject start with "*Autoreply*:" , I want to change it. How?
>
> Sounds like a custom rule:
>
> grep -r -i "Autoreply" /etc/exim/*

The autoreply transport has a "subject" option (and the string "Autoreply" is not in the source code).

https://exim.org/exim-html-current/doc/html/spec_html/ch-the_autoreply_transport.html
--
Cheers, Jeremy
Re: [exim] renewing the SSL certificate doesn't work
On 27/02/2023 11:15, Gary Stainburn via Exim-users wrote:
> I did suspect this, but the private key is in the correct format.

Try running Exim with debug; does it give any further hint?

Check the file ownership & permissions, also.
--
Cheers, Jeremy
Re: [exim] renewing the SSL certificate doesn't work
On 27/02/2023 10:21, Gary Stainburn via Exim-users wrote:
> TLS error on connection from mail14.atl281.mcsv.net [198.2.143.14] (SSL_CTX_use_PrivateKey_file file=/etc/pki/tls/certs/ringways.co.uk.key): error:0906D06C:PEM routines:PEM_read_bio:no start line
>
> I seem to remember in the past that I had to merge the certificate with the bundle, so I did that too, but I still get the above error.

The error notes specifically the private-key file, so the bundle is not the issue. What does the file look like (do NOT post the whole thing publicly!) ?

The first couple of lines should be, for the expected format, something like

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqh...

and there should be a line

-----END PRIVATE KEY-----

after the block of ascii-ized binary data.
--
Cheers, Jeremy
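A way to check a key file for the structure described in this message without ever displaying the key material, as an added Python example that is not part of the thread: it looks only at the standard PEM armour lines (five dashes each side) and reports likely causes of "no start line". The function name and the sample byte strings are constructed, and the binary test is a heuristic.

```python
import re

# One PEM armour line: -----BEGIN <LABEL>----- or -----END <LABEL>-----
ARMOUR = re.compile(rb"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")


def diagnose_key_file(data):
    """Classify the contents of a would-be private-key file.
    Only armour lines are inspected; the encoded key is never returned."""
    if data.startswith(b"\xef\xbb\xbf"):
        return "no start line: UTF-8 BOM precedes the armour"
    marks = []
    for line in data.splitlines():
        m = ARMOUR.match(line.rstrip())   # leading white space is not tolerated
        if m:
            marks.append((m.group(1).decode(), m.group(2).decode()))
    begins = [label for kind, label in marks if kind == "BEGIN"]
    if not begins:
        # Heuristic: DER starts with an ASN.1 SEQUENCE tag (0x30).
        binary = b"\x00" in data or data[:1] == b"\x30"
        return "no start line: no BEGIN armour in %s file" % (
            "binary (DER?)" if binary else "text")
    keys = [label for label in begins if label.endswith("PRIVATE KEY")]
    if not keys:
        return "no private-key block, found only: " + ", ".join(begins)
    if ("END", keys[0]) not in marks:
        return "BEGIN %s has no matching END line" % keys[0]
    return "ok: " + keys[0]


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:   # path of the key file to check
        print(diagnose_key_file(fh.read()))
```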
Re: [exim] exim rewrites the "From:" address
On 25/02/2023 23:21, Nick via Exim-users wrote:
> Why is it doing this

Possibility 1: the macro is not in fact set. Check by running "exim -bP macros | grep MAIN_FORCE_SENDER"
--
Cheers, Jeremy
Re: [exim] exim rewrites the "From:" address
On 25/02/2023 23:21, Nick via Exim-users wrote:
> Why is it doing this and how can I stop it?

Possibility 2: "mailx" does not actually run exim with the arguments you think it does.
--
Cheers, Jeremy
Re: [exim] A study of failing tls certs, with valid certificate files
On 25/02/2023 14:45, Andreas Metzler via Exim-users wrote:
> So it looks like something else was broken at some point in time and is fixed again.

Good to hear. Thanks for the follow-up.
--
Cheers, Jeremy
Re: [exim] Issue with Exim on an IPv6-only host
On 21/02/2023 11:59, Sebastian Tennant via Exim-users wrote:
> hosts_require_auth = $host

Why not hosts_require_auth = * ?
--
Cheers, Jeremy
Re: [exim] Issue with Exim on an IPv6-only host
On 20/02/2023 14:53, Sebastian Tennant via Exim-users wrote:
> ** […] R=all_via_fast_smtp_server T=fast_smtp_server […]: SMTP error from remote mail server after pipelined MAIL FROM:<[…]> SIZE=1537: 530 5.7.1 Authentication required DT=1m

You got an SMTP response. You were already talking TLS; the TLS error basically says that the peer didn't shut it down cleanly having sent that SMTP response - but that's fine, we got enough.

You didn't authenticate to that peer, and it's insisting that you need to.
--
Cheers, Jeremy
Re: [exim] Is there a way to forcably disconnect remote session using tempfail 4xx code
On 21/02/2023 03:14, Matt Bryant via Exim-users wrote:
> Is there anyway in exim to force a disconnect but with a temporary 4xx failure rather than a hard deny and 5xx error ???. I can see 'drop' does the latter case but there seem no equivalent action/verb or command to issue a tempfail and then disconnect.

No; that's a further departure from standards than Exim is coded to do. You could raise an RFE if you have a convincing case for it.
--
Cheers, Jeremy
Re: [exim] TLS authentication
On 17/02/2023 04:18, Ian Zimmerman via Exim-users wrote:
> what is a "variable of type certificate" in exim's proudly unityped macro language?

$tls_{in,out}_(our,peer)cert are all certificate-type variables. They are not useable as text, but can be used by a "certextract" expansion.

The documentation Concept Index has an entry for "certificate", "variables".
--
Cheers, Jeremy
Re: [exim] TLS authentication
On 16/02/2023 21:09, Viktor Dukhovni via Exim-users wrote:
> Some applications (want to) only accept client certificates issued by a dedicated non-public CA, which amounts to an authorisation server

In exim usage that's a test on a certextract of the issuer of $tls_in_peercert, either just in ACL or as part of the server_condition for an authenticator using the tls driver. For either, the TLS session has to have been accepted first.
--
Cheers, Jeremy
Re: [exim] TLS authentication
On 14/02/2023 00:40, Ian Zimmerman via Exim-users wrote:
> Is it at all possible with OpenSSL to stop the "system" location from being checked?

No.

> If not, that seems to make the use of TLS for client authentication impossible because any certificate presented by e.g. Google will pass verification. Am I reading this correctly?

Please define your authentication requirements: exactly what do you want checked?

--
Cheers,
  Jeremy
Re: [exim] Windows based Mail servers and exim
On 07/02/2023 15:19, The Doctor via Exim-users wrote:
> For Email Admins No connection could be made because the target computer actively refused it.

That bit there is the important info.

Unfortunately, they didn't say what IP they tried to connect from, and unless you can infer anything else about them (such as IPs used by previous messages from them that you did accept), you need it to search for in your logs. You might have to contact the operator of that system and ask.

Then: search your Exim mainlog for connections from that IP. If there is one that matches the expected date/time, what was logged about it?

If none such: do you run a firewall? What about its logs?

--
Cheers,
  Jeremy
Re: [exim] Exim 4.96 on Devuan 4.0 build problem with PCRE2
On 05/02/2023 23:12, Mike Tubby via Exim-users wrote:
> The thing is that I have pcre3-dev and the rest of the PCRE2 libraries installed (mind you someone will have to explain why version numbers are going backwards) ... ;-)

I'm not aware of a PCRE3 (and neither is https://www.pcre.org/ AFAICS)... but I suspect your Local/Makefile is not including the right pcre library (which is the version 2 one).

--
Cheers,
  Jeremy
Re: [exim] Connection timed out errors
On 01/02/2023 22:53, MRob via Exim-users wrote:
> Sorry, maybe I wrote it wrong: question is more to inquire if Exim checking any internal flags or status that make it different from use "telnet [host] 25" on command line. I don't understand why I could telnet-by-hand with immediate successful connection/no slow connect as soon after I saw the error in the log tail.

If there has been an error for a specific destination host in the past, it is remembered so as to avoid trying to use that host again. Most mail destinations run multiple MX's so an alternate will get used. That memory does expire eventually. Look up "hints database" in the Concept Index, if you want more details.

> Is any tip for how to take other debug steps or a way to "coax" exim to see what I see? Thank you for response, I do not mean to bother but this problem is very hard to understand.

If you have a queued message which needs to be sent to the host in question, you can run a deliver attempt on it manually, with debug enabled. See the manual section on commandline options.

> Also, maybe simple problem is the "timer" length was inadvertently change. Do you mind to say if that timeout comes from a certain exim configuration setting? Thank you!

The value is an option for the transport, in the configuration.

--
Cheers,
  Jeremy
Re: [exim] Connection timed out errors
On 01/02/2023 22:02, MRob via Exim-users wrote:
> How to find why exim thinks it is timing out?

Exim thinks the connection timed out because it sets an alarm before calling the syscall "connect" - and that timer went off.

--
Cheers,
  Jeremy
Re: [exim] New install EXIM + Dovecot - auth permission error
On 01/02/2023 13:26, Heiko Schlittermann via Exim-users wrote:
> Sure about $auth1? Isn't it $auth2 in case of the PLAIN driver?

Not for the dovecot driver (only for the plaintext driver). $auth1 is correct, here.

--
Cheers,
  Jeremy
Re: [exim] FreeBSD: Moving from BDB5 to BDB18
On 31/01/2023 14:38, Odhiambo Washington via Exim-users wrote:
> What changes do I need to make in Local/Makefile to achieve this?

For TDB:

  USE_TDB = y
  DBMLIB = -ltdb

For gdbm:

  USE_GDBM = yes
  DBMLIB = -lgdbm

--
Cheers,
  Jeremy
Re: [exim] Moving from BDB5 to BDB18
On 31/01/2023 13:33, Odhiambo Washington via Exim-users wrote:
> Will it ever be possible to have Exim officially build against BDB18 ?

Ever? That depends on
- the library owner making information about it freely available (something that stopped after BDB version 5, Oracle having bought up Sleepycat)
- a maintainer with enough interest to put in the time

--
Cheers,
  Jeremy
Re: [exim] FreeBSD: Moving from BDB5 to BDB18
On 31/01/2023 13:28, Odhiambo Washington via Exim-users wrote:
> I have deinstalled BDB5 and instead installed BDB18 for the obvious reason. Now Exim will not build at all and I am wondering whether it's possible to build Exim against BDB18.

No. Use gdbm or tdb.

--
Cheers,
  Jeremy
Re: [exim] Exim auth driver dovecot 'LOGIN' fails?
On 25/01/2023 16:25, Sander Smeenk via Exim-users wrote:
> Is Exim's dovecot driver for LOGIN auth broken or am I doing something wrong?

It's working fine for me in test, though I don't see you doing anything wrong.

The debug shows the "OK" response from dovecot; it's not clear where the temporary-error creeps in, between there and the SMTP response.

--
Cheers,
  Jeremy
Re: [exim] spam_score_int - what to do with negative values?
On 26/01/2023 10:31, Niels Kobschätzki via Exim-users wrote:
> with a score of -12.6

How was that part verified?

--
Cheers,
  Jeremy
Re: [exim] Recipient verification
On 23/01/2023 19:38, Johnnie W Adams via Exim-users wrote:
> A light has come on in my brain. Is this as simple as going into my ingress node and adding "require verify = recipient/callout" somewhere sensible, like right after "require verify = sender"?

If the ingress exim routers and transports know how to talk to said recipient, and if the recipient as the ingress sees it is the same as the recipient as your current egress sees it (it has not been modified [forwarded, redirected] by or in between those two)... yes.

Why are your sources not sending these mails direct in the first place? Is there value in your ingress+egress stage?

--
Cheers,
  Jeremy
Re: [exim] Recipient verification
On 23/01/2023 18:36, Johnnie W Adams wrote:
> On Fri, Jan 20, 2023 at 3:12 PM Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
>> On 20/01/2023 19:50, Johnnie W Adams via Exim-users wrote:
>> An R-verify checks routability, and (with callout) acceptability by the destination. If your intent is to discover nonexistent recipients *during SMTP reception* of a message, so that you can reject at SMTP time and thereby not have to generate a bounce - then yes, it'll do that. But you should be doing this check in your rcpt ACL, and it'll only cover messages *you* receive using SMTP (as opposed to cmdline/stdin).
>
> I'm okay with that limitation. What I'm unclear on is the full consequences of doing this on our egress node rather than our ingress node. It seems to me--but I could be wrong!--the worst that can happen is that the mail passes through our ingress node, is refused at our egress node, and our ingress node has to pass that failure back where it came from. What am I missing?

You're not. If your overall system, with these two separated nodes, is forwarding external-source messages out to somewhere else, that's what'll happen if you R-verify on the last of your nodes.

If there's no other nodes on the path between your "ingress" and "egress", and if the ingress is Exim, you can do something called "cutthrough routing" to still avoid the bounce-generation. This turns your ingress from traditional store-and-forward mode to a realtime forwarder, and means that a response from the egress can be passed right back to the message source while the source-ingress SMTP connection is active. You can decide when to cutthrough on a per-message basis; it's an ACL control.

Or, probably at the cost of more knowledge needed there, you could just arrange this verification in the ingress node.

>> Also, if done for message-submission receptions by you it will upset many MUAs (which have little notion that a message being rejected is a thing, it seems). So if that was your hope, you're onto a loser.
>
> Our egress node should Never accept mail from an MUA, so that would not worry me in the configuration I'm thinking of, but if the check must be made at the ingress node, that would mean (I assume) I'd have to write a more complicated ACL, because it does accept mail from MUAs.

Yes. It commonly suffices to condition your ACL paths by $received_port - 25 vs. everything else, the latter being your MUA clients. But situations differ.

> On looking again, I see that I need to put "acl_smtp_vrfy = acl_check_vrfy" in my main configuration settings to use acl_check_vrfy in the begin acl: section.

Almost certainly not. acl_smtp_vrfy deals with the SMTP VRFY command, which is not what we're dealing with here despite the naming (it's also pretty much obsolete. Nobody uses it; most sites refuse to answer it).

You probably want this action being done in your RCPT-time acl. If it's just a single verb, with a couple of conditions, put it inline.

[ ACL is a programming language. With subroutines. You don't have to use them, but once you're doing something complicated... ]

--
Cheers,
  Jeremy
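The RCPT-time check discussed in this message, conditioned on $received_port and with the cutthrough alternative, as an added example that is not part of the thread or the posters' configuration. The ACL name acl_check_rcpt and the named list +relay_to_domains are assumptions.

```exim
# Fragment for the ingress node's RCPT ACL (acl_check_rcpt is an assumed
# name, wired up in the main section with: acl_smtp_rcpt = acl_check_rcpt).
acl_check_rcpt:

  # ... existing sender and relay checks stay above this point ...

  # Port 25 carries MTA-to-MTA mail: ask the next hop whether it would take
  # the recipient, and refuse during SMTP if not, so no bounce has to be
  # generated later. Other ports (the MUA clients) skip the callout.
  deny    condition = ${if eq{$received_port}{25}}
          !verify   = recipient/callout

  # Alternative when the ingress hands straight to the egress: cutthrough
  # delivery passes the egress node's response back while the source
  # connection is still open. +relay_to_domains is an assumed domain list.
  accept  condition = ${if eq{$received_port}{25}}
          domains   = +relay_to_domains
          control   = cutthrough_delivery
```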
Re: [exim] Recipient verification
On 20/01/2023 19:50, Johnnie W Adams via Exim-users wrote:
> Calling the ACL on all mail prevents bounces, correct?

An R-verify checks routability, and (with callout) acceptability by the destination. If your intent is to discover nonexistent recipients *during SMTP reception* of a message, so that you can reject at SMTP time and thereby not have to generate a bounce - then yes, it'll do that. But you should be doing this check in your rcpt ACL, and it'll only cover messages *you* receive using SMTP (as opposed to cmdline/stdin).

Also, if done for message-submission receptions by you it will upset many MUAs (which have little notion that a message being rejected is a thing, it seems). So if that was your hope, you're onto a loser.

> As to when this is called, I would put it on our egress node, which only has acl_check_rcpt. I planned to put it after that. So more like this?
> acl_check_vrfy:

I'm still trying to work out your intent. Is that word "acl_check_vrfy" never mentioned elsewhere (in your proposed config)? If so, it will have no effect. ACL names are not magic. When do you want it run?

--
Cheers,
  Jeremy
Re: [exim] Recipient verification
On 20/01/2023 18:18, Johnnie W Adams via Exim-users wrote:
> I've been doing some research on recipient verification to eliminate bounces, and am wondering if it's as simple as something like this at the end of my ACL list:
>
> acl_check_vrfy:
>   deny senders = ''
>        !verify = recipient/callout
>
> Surely it's not that simple, but I'm at a loss as to what else is needed

You didn't say when you'd be calling this ACL, nor why you'd only be verifying bounces.

Not generating bounces yourself is also worthy, which means validating recipients of nonbounce messages; using the routers and possibly transports to do the validation (which is what "verify" does) is one way.

I assume the recipients you are validating are non-local to this box, since you specify callout. But you could be confused about the intent of recipient verification.

--
Cheers,
  Jeremy
Re: [exim] Blocking a Class C
On 19/01/2023 17:32, The Doctor via Exim-users wrote:
> I assumed that you were blocking the pair (src ip 46.148.40.108, target port 25) and was checking that you are also blocking (src ip 46.148.40.108, target port 465)
>
> Could this cause a 601 error?

Possibly a typo? SMTP does not define any 6xx error code.

Also, irrelevant. Blocking done by a firewall would be stopping TCP-level connection, so you won't get any SMTP communication at all. How a client reports that is up to it.

--
Cheers,
  Jeremy