Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-18 Thread Sebastian Arcus via Exim-users
On 18/04/2023 17:45, Jan Ingvoldstad via Exim-users wrote: On 17 Apr 2023 at 14:44, Sebastian Arcus via Exim-users wrote: I couldn't agree more. I am permanently scarred emotionally from installing and configuring SpamAssassin for the first time - and even after years of working

Re: [exim] Dynamic received_header_text

2023-04-17 Thread Sebastian Arcus via Exim-users
On 17/04/2023 12:26, Jeremy Harris via Exim-users wrote: The documentation does answer these questions.  Was some of it unclear? You are absolutely right. I did read the documentation before posting, but I missed the bit where it says received_header_text is expanded each time it is used. So

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-17 Thread Sebastian Arcus via Exim-users
c On 17/04/2023 04:33, Ian Z via Exim-users wrote: On Sun, Apr 16, 2023 at 07:11:51PM +0100, Sebastian Arcus via Exim-users wrote: One thing I have to try and figure out is how Spamassassin does the SPF checks. Does it look at all the Received: headers, and if at least one of them matches one

[exim] Dynamic received_header_text

2023-04-17 Thread Sebastian Arcus via Exim-users
This question is related to my other thread which deals with Exim being used in a front-end / back-end configuration, with back-end machines handling separate email domains. I thought it would be better to post a separate thread, in case it would help someone find it one day. I would like the

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-16 Thread Sebastian Arcus via Exim-users
On 16/04/2023 20:22, Jeremy Harris via Exim-users wrote: On 16/04/2023 19:17, Sebastian Arcus via Exim-users wrote: relay_to_compan1:    driver = manualroute    domains = company1.com    route_list = company1.com 192.168.100.10    transport = remote_relay_company1    host_find_failed = defer

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-16 Thread Sebastian Arcus via Exim-users
On 16/04/2023 11:44, Jeremy Harris via Exim-users wrote: On 15/04/2023 23:31, Sebastian Arcus via Exim-users wrote:  you might be able to use cutthrough delivery from the front-end to the real server, which might allow you to reject rather than bounce some of the time; it might even help with

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-16 Thread Sebastian Arcus via Exim-users
On 16/04/2023 11:04, Paul Muster via Exim-users wrote: On 15.04.23 21:54, Sebastian Arcus via Exim-users wrote: The "back-end" machines are physical machines, on regular ADSL/VDSL/cable/fibre connections at various locations. At the moment they send directly to the internet, which

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-16 Thread Sebastian Arcus via Exim-users
On 15/04/2023 23:16, Fabio Martins wrote: solution inline On 2023-04-15 17:05, Sebastian Arcus via Exim-users wrote: On 15/04/2023 17:00, Fabio Martins wrote: I believe you are trying to use the same IP address for the 3 exim instances, otherwise the solution would be quite simple binding

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-16 Thread Sebastian Arcus via Exim-users
On 15/04/2023 21:38, Jeremy Harris via Exim-users wrote: On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote: Exim does talk the inbound-proxy protocol that HAProxy apparently uses (or can use): https://exim.org/exim-html-current/doc/html/spec_html/ch-proxies.html#SECTproxyInbound Thi

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users
On 15/04/2023 23:19, Andrew C Aitchison wrote: On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote: On 15/04/2023 21:20, Evgeniy Berdnikov via Exim-users wrote: On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via Exim-users wrote: These are all separate servers belonging to

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users
On 15/04/2023 21:20, Evgeniy Berdnikov via Exim-users wrote: On Sat, Apr 15, 2023 at 08:44:08PM +0100, Sebastian Arcus via Exim-users wrote: These are all separate servers belonging to different organisations. They each host their own mail domain and users. This can't be changed. I a

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users
On 15/04/2023 18:50, Evgeniy Berdnikov via Exim-users wrote: On Sat, Apr 15, 2023 at 06:03:29PM +0100, Sebastian Arcus wrote: On 15/04/2023 16:46, Evgeniy Berdnikov via Exim-users wrote: My question is: why do you want to use such a complicated scheme, while it's a very simple task to set up

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users
On 15/04/2023 19:09, Andrew C Aitchison wrote: On Sat, 15 Apr 2023, Sebastian Arcus wrote: On 15/04/2023 18:44, Andrew C Aitchison wrote: On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote: I have a number of Exim servers behind a NAT gateway (actually connected with vpn's

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users
On 15/04/2023 13:53, Jeremy Harris via Exim-users wrote: On 15/04/2023 12:53, Sebastian Arcus via Exim-users wrote: I have a number of Exim servers behind a NAT gateway (actually connected with vpn's to a cloud vps - but I'm hoping this is not relevant to this post). I would like t

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users
On 15/04/2023 16:46, Evgeniy Berdnikov via Exim-users wrote: On Sat, Apr 15, 2023 at 12:53:54PM +0100, Sebastian Arcus via Exim-users wrote: I have a number of Exim servers behind a NAT gateway (actually connected with vpn's to a cloud vps - but I'm hoping this is not relevant to thi

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users
On 15/04/2023 18:44, Andrew C Aitchison wrote: On Sat, 15 Apr 2023, Sebastian Arcus via Exim-users wrote: I have a number of Exim servers behind a NAT gateway (actually connected with vpn's to a cloud vps - but I'm hoping this is not relevant to this post). I would like the gatew

Re: [exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users
trying to suggest - but I don't think having emails on subdomains would help with my problem -- On 2023-04-15 11:53, Sebastian Arcus via Exim-users wrote: I have a number of Exim servers behind a NAT gateway (actually connected with vpn's to a cloud vps - but I'm hoping this

[exim] Proxy smtp connections to multiple Exim servers behind proxy

2023-04-15 Thread Sebastian Arcus via Exim-users
I have a number of Exim servers behind a NAT gateway (actually connected with vpn's to a cloud vps - but I'm hoping this is not relevant to this post). I would like the gateway to send incoming port 25 traffic to the correct Exim server based on SNI in incoming TLS packets - as different Exim i

Re: [exim] Exim proxy / relay for disaster recovery for lost connectivity

2022-05-23 Thread Sebastian Arcus via Exim-users
On 23/05/2022 14:11, Jeremy Harris via Exim-users wrote: On 23/05/2022 14:02, Sebastian Arcus via Exim-users wrote: [internet] <-> [relay Exim] <-> [inhouse Exim] Can the smtp router or transport on the relay Exim be configured to keep the connection open for inbound email until

[exim] Exim proxy / relay for disaster recovery for lost connectivity

2022-05-23 Thread Sebastian Arcus via Exim-users
I might be asking this question the wrong way, so please bear with me. I would like to set up Exim as a relay which pretty much passes an incoming connection to another Exim server, but keeps the connection open until the final server accepts the message or not (after it checks the recipient, sp

Re: [exim] Cannot negate router lookup condition

2020-08-12 Thread Sebastian Arcus via Exim-users
On 12/08/20 22:04, Jeremy Harris via Exim-users wrote: On 12/08/2020 21:45, Sebastian Arcus via Exim-users wrote: I am running Exim 4.89. I have the following router in exim.conf: send_direct:     driver = dnslookup     condition = ! ${lookup{$local_part@$domain}\   lsearch{/etc

[exim] Cannot negate router lookup condition

2020-08-12 Thread Sebastian Arcus via Exim-users
I am running Exim 4.89. I have the following router in exim.conf: send_direct: driver = dnslookup condition = ! ${lookup{$local_part@$domain}\ lsearch{/etc/exim/exim.passwd}{$value}{}} transport = remote_smtp I just can't seem to negate the condition. I want it to evaluate

[exim] Ratelimit doesn't work as expected

2019-08-09 Thread Sebastian Arcus via Exim-users
I have a set of ACL's in place to ban connections from IP's after a number of retries. The first one checks if connections from an IP address have already been rejected 5 times or more in 24 hours and drops them, while the second one just adds to the count (up to 10 max) every time we reject a

Re: [exim] DKIM signing options - specially list of headers

2018-07-31 Thread Sebastian Arcus via Exim-users
On 31/07/18 14:02, Richard James Salts via Exim-users wrote: On Tuesday, 31 July 2018 9:26:15 PM AEST Jeremy Harris via Exim-users wrote: On 07/31/2018 12:08 PM, Graeme Fowler via Exim-users wrote: X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=open

Re: [exim] DKIM signing options - specially list of headers

2018-07-31 Thread Sebastian Arcus via Exim-users
On 31/07/18 10:18, Mike Brudenell via Exim-users wrote: Hi, Sebastian - You didn't tell us the version of Exim you're running so I can't give you the exact chapter/section names, but if you look in the *Specification* for the chapter on DKIM, in the section called something like *Signing outgo

[exim] DKIM signing options - specially list of headers

2018-07-31 Thread Sebastian Arcus via Exim-users
I post messages from time to time to Spamassassin mailing list, and several members have been complaining about my DKIM setup - they say they can't receive my emails because of it. Specifically, the complaint is that my Exim signs the List-* headers. Now I can't really figure this one out. Ther

Re: [exim] Creating local blacklist

2018-04-26 Thread Sebastian Arcus via Exim-users
On 26/04/18 02:25, Mike Brown via Exim-users wrote: On Wed, Apr 25, 2018 at 11:19:56PM +0100, Jeremy Harris via Exim-users wrote: On 25/04/18 15:19, Mike Brown via Exim-users wrote: I went back and looked again and found the following: acl_smtp_mail = acl_check_mail acl_smtp_rcpt = acl_c

Re: [exim] Checking if a list of domains contains a domain contained in another list?

2018-02-28 Thread Sebastian Arcus via Exim-users
On 27/02/18 19:18, Jeremy Harris via Exim-users wrote: On 27/02/18 18:35, Sebastian Arcus via Exim-users wrote: condition = ${if match_domain {${lookup dnsdb{mx=$sender_address_domain}}}{+no_extended_callout_mxs}} For example the mx query might return: 10 mx1.exampledomain.com 20 mx2

[exim] Checking if a list of domains contains a domain contained in another list?

2018-02-27 Thread Sebastian Arcus via Exim-users
I don't know if this check can be accomplished in Exim at all - but here it goes. I need to know if any of the results of a dnsdb lookup which returns multiple records exists in a predefined dnslist. I'm guessing this is not really possible, I just thought I'd check. To expand a bit, I need to

Re: [exim] ACL to early reject connections from hosts which keep on retrying after a permanent reject

2018-01-26 Thread Sebastian Arcus via Exim-users
On 25/01/18 10:24, Sebastian Arcus via Exim-users wrote: On 25/01/18 09:20, Jeremy Harris wrote: On 25/01/18 05:56, Sebastian Arcus via Exim-users wrote:   I can see in the ratelimit db quite a few hosts which have reached the 5/24h limit. But strangely in the Exim log I can't se

Re: [exim] ACL to early reject connections from hosts which keep on retrying after a permanent reject

2018-01-25 Thread Sebastian Arcus via Exim-users
t some point even if the ACL's keeping on getting hit. Cheers, Mike B-) On 25 January 2018 at 10:24, Sebastian Arcus via Exim-users < exim-users@exim.org> wrote: On 25/01/18 09:20, Jeremy Harris wrote: On 25/01/18 05:56, Sebastian Arcus via Exim-users wrote: I can see in the

Re: [exim] ACL to early reject connections from hosts which keep on retrying after a permanent reject

2018-01-25 Thread Sebastian Arcus via Exim-users
On 25/01/18 09:20, Jeremy Harris wrote: On 25/01/18 05:56, Sebastian Arcus via Exim-users wrote: I can see in the ratelimit db quite a few hosts which have reached the 5/24h limit. But strangely in the Exim log I can't see the appropriate reject messages - although I can see reject mes

Re: [exim] ACL to early reject connections from hosts which keep on retrying after a permanent reject

2018-01-24 Thread Sebastian Arcus via Exim-users
On 24/01/18 22:09, Jeremy Harris wrote: On 24/01/18 21:40, Sebastian Arcus via Exim-users wrote: Does the above look right? I've had it in place on one server for about a week, but I can't see in the logs ever kicking in - so now I'm not sure if the syntax is wrong, or maybe I

[exim] ACL to early reject connections from hosts which keep on retrying after a permanent reject

2018-01-24 Thread Sebastian Arcus via Exim-users
Hello and thank you in advance for any help. I've built an ACL to early reject connections from really naughty and persistent hosts, which keep on coming back even after they have been given a permanent error. It looks like so: acl_check_connect: drop message = Temporary ban - too many ret

[exim] Count only rejected connections

2017-12-31 Thread Sebastian Arcus via Exim-users
I would like to keep track of how many times connections from each IP are rejected over a period of time (maybe 24 hours?), and when a limit is reached, reject them much earlier in the acl's - at connection time - to reduce resources used by Exim, and maybe discourage them from connecting for a

Re: [exim] Correct extended verification of noreply@ type email addresses

2017-12-29 Thread Sebastian Arcus via Exim-users
On 29/12/17 12:18, Jeremy Harris wrote: First decide on your policy. Only then go on to mechanism. You could, for example. decide that anyone not wanting replies (and nondelivery notifications) really doesn't care if their mail gets to you (or anywhere). Hmm - seems drastic - but there is a

[exim] Correct extended verification of noreply@ type email addresses

2017-12-29 Thread Sebastian Arcus via Exim-users
I use sender extended callout/verification in Exim: deny message = Sender cannot be verified log_message = "Reject: sender cannot be verified" !verify = sender/callout=2m,defer_ok I find the above extremely useful in combating spam from addresses with a real dom

Re: [exim] Exim not obeying "delay = " in acl_smtp_connect

2017-12-28 Thread Sebastian Arcus via Exim-users
On 27/12/17 18:20, Sebastian Arcus via Exim-users wrote: On 27/12/17 16:49, Jeremy Harris wrote: Do the lookup manually, with a ${lookup dnsdb ...} expansion; you then have more control. Treat the ACL flow as a programming language. That's a good pointer - I will investig

Re: [exim] Exim not obeying "delay = " in acl_smtp_connect

2017-12-27 Thread Sebastian Arcus via Exim-users
On 27/12/17 16:49, Jeremy Harris wrote: On 27/12/17 15:21, Sebastian Arcus via Exim-users wrote: Yes, a way to turn a defer into a hard fail is what I would need in this case. Am I correct in thinking that when the defer happens and the ACL processing is aborted, the DELAY gets skipped? 1

Re: [exim] Possibly unclear logging after connection is closed by the far end during DELAY

2017-12-27 Thread Sebastian Arcus via Exim-users
On 27/12/17 17:00, Jeremy Harris wrote: On 27/12/17 16:24, Sebastian Arcus via Exim-users wrote: I've spotted this while investigating issues with DELAY in acl's, in my other recent thread. It would seem that if a DROP acl has a long DELAY set, and if during that DELAY the remot

[exim] Possibly unclear logging after connection is closed by the far end during DELAY

2017-12-27 Thread Sebastian Arcus via Exim-users
I've spotted this while investigating issues with DELAY in acl's, in my other recent thread. It would seem that if a DROP acl has a long DELAY set, and if during that DELAY the remote end just gets fed up and closes the connection, Exim somehow still treats this as the ACL processing has suc

Re: [exim] Exim not obeying "delay = " in acl_smtp_connect

2017-12-27 Thread Sebastian Arcus via Exim-users
On 27/12/17 12:58, Jeremy Harris wrote: On 27/12/17 12:39, Sebastian Arcus via Exim-users wrote: processing "drop"  5976   message: Reverse DNS record incorrect or missing  5976 check !condition = ${if eq{$received_port}{587}}  5976  =  5976 che

Re: [exim] Exim not obeying "delay = " in acl_smtp_connect

2017-12-27 Thread Sebastian Arcus via Exim-users
On 27/12/17 12:58, Jeremy Harris wrote: On 27/12/17 12:39, Sebastian Arcus via Exim-users wrote: processing "drop"  5976   message: Reverse DNS record incorrect or missing  5976 check !condition = ${if eq{$received_port}{587}}  5976  =  5976 che

Re: [exim] Exim not obeying "delay = " in acl_smtp_connect

2017-12-27 Thread Sebastian Arcus via Exim-users
On 27/12/17 13:57, Heiko Schlittermann via Exim-users wrote: Sebastian Arcus via Exim-users (Wed 27 Dec 2017 13:39:26 CET): …. Thank you for the suggestion. I think the following are the relevant lines of output: processing "drop" 5976 message: Reverse DNS record incorrect

Re: [exim] Exim not obeying "delay = " in acl_smtp_connect

2017-12-27 Thread Sebastian Arcus via Exim-users
On 27/12/17 11:01, Jeremy Harris wrote: On 27/12/17 10:19, Sebastian Arcus via Exim-users wrote: Apologies for posting for the third time in three days. I have the following acl in acl_smtp_connect, which appears to be ignoring completely the "delay =" setting: drop message = R

[exim] Exim not obeying "delay = " in acl_smtp_connect

2017-12-27 Thread Sebastian Arcus via Exim-users
Apologies for posting for the third time in three days. I have the following acl in acl_smtp_connect, which appears to be ignoring completely the "delay =" setting: drop message = Reverse DNS record incorrect or missing ! condition = ${if eq{$received_port}{587}} ! verify=

Re: [exim] Advice on using acl_smtp_vrfy - good, bad?

2017-12-26 Thread Sebastian Arcus via Exim-users
On 27/12/17 01:27, Sebastian Arcus via Exim-users wrote: I have just discovered that Exim doesn't enable VERIFY by default - unless the acl_smtp_vrfy is configured. Searching online, some suggest that enabling acl_smtp_vrfy is bad, as it would open the door to dictionary attacks - which

[exim] Advice on using acl_smtp_vrfy - good, bad?

2017-12-26 Thread Sebastian Arcus via Exim-users
I have just discovered that Exim doesn't enable VERIFY by default - unless the acl_smtp_vrfy is configured. Searching online, some suggest that enabling acl_smtp_vrfy is bad, as it would open the door to dictionary attacks - which makes sense. On the other hand, I use myself the VERIFY command

Re: [exim] Best/correct way to disable AUTH on port 25?

2017-12-26 Thread Sebastian Arcus via Exim-users
On 26/12/17 22:01, Heiko Schlittermann via Exim-users wrote: Sebastian Arcus via Exim-users (Tue 26 Dec 2017 22:28:03 CET): What is the simplest and best way to disable any AUTH on port 25? Up until now I have the following working: 1. Only advertise TLS on port 587

Re: [exim] Best/correct way to disable AUTH on port 25?

2017-12-26 Thread Sebastian Arcus via Exim-users
On 26/12/17 22:01, Heiko Schlittermann via Exim-users wrote: Sebastian Arcus via Exim-users (Tue 26 Dec 2017 22:28:03 CET): What is the simplest and best way to disable any AUTH on port 25? Up until now I have the following working: 1. Only advertise TLS on port 587

[exim] Best/correct way to disable AUTH on port 25?

2017-12-26 Thread Sebastian Arcus via Exim-users
What is the simplest and best way to disable any AUTH on port 25? Up until now I have the following working: 1. Only advertise TLS on port 587: auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}} 2. Disable authenticated connections without TLS: acl_check_auth deny message = TLS r

Re: [exim] List of DNSBL's anywhere?

2017-12-06 Thread Sebastian Arcus via Exim-users
On 06/12/17 09:32, Mike Brudenell via Exim-users wrote: Exim is probably flexible enough to work with most DNSBLs. One way of finding out ones that exist is to use a lookup tool such as https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3aexample.com You can also find a list of DNSBLs (wit

Re: [exim] Sender verify for inbound emails when using smart relay for sending

2017-12-06 Thread Sebastian Arcus via Exim-users
On 06/12/17 12:26, Sebastian Arcus via Exim-users wrote: On 06/12/17 12:09, Graeme Fowler via Exim-users wrote: On 6 Dec 2017, at 11:56, Sebastian Arcus via Exim-users wrote:     domains = +local_domains Are you sure? I would have thought you were verifying non-local domains at this

Re: [exim] Sender verify for inbound emails when using smart relay for sending

2017-12-06 Thread Sebastian Arcus via Exim-users
On 06/12/17 12:09, Graeme Fowler via Exim-users wrote: On 6 Dec 2017, at 11:56, Sebastian Arcus via Exim-users wrote: domains = +local_domains Are you sure? I would have thought you were verifying non-local domains at this point… Try ‘domains = !+local_domains’ (or '!do

[exim] Sender verify for inbound emails when using smart relay for sending

2017-12-06 Thread Sebastian Arcus via Exim-users
I am trying to set up a special router which will verify sender's domain (simple verification) for inbound emails (we receive direct, but send through smart host). acl_check_rcpt: deny message = Sender cannot be verified log_message = "Reject: sender cannot be verified"

[exim] List of DNSBL's anywhere?

2017-12-05 Thread Sebastian Arcus via Exim-users
Is there anywhere a (semi)authoritative list of DNSBL's which can be used with Exim? I see various examples including some DNSBL's - but I was wondering if there is a complete(ish) - and preferably up-to-date list of DNSBL's which can be used?

Re: [exim] Verifying local addresses for inbound emails when using Dovecot/pipe transport

2017-11-29 Thread Sebastian Arcus via Exim-users
On 29/11/17 22:44 Jeremy Harris wrote: > On 29/11/17 22:18, Sebastian Arcus via Exim-users wrote: > > Is there a way to build a router only for verification of local > > addresses for inbound messages? As far as I can tell, verify = recipient > > doesn't work whe

Re: [exim] Verifying local addresses for inbound emails when using Dovecot/pipe transport

2017-11-29 Thread Sebastian Arcus via Exim-users
On 29/11/17 23:25, Phil Pennock wrote: On 2017-11-29 at 22:18 +, Sebastian Arcus via Exim-users wrote: Is there a way to build a router only for verification of local addresses for inbound messages? As far as I can tell, verify = recipient doesn't work when Exim delivers to Dovecot th

[exim] Verifying local addresses for inbound emails when using Dovecot/pipe transport

2017-11-29 Thread Sebastian Arcus via Exim-users
Is there a way to build a router only for verification of local addresses for inbound messages? As far as I can tell, verify = recipient doesn't work when Exim delivers to Dovecot through dovecot-lda - as this always verifies the recipient (as long as the domain is in +local_domains) no matter