IRC Archive / Freenode / #exim / 2010 / May / 4 / 1
mwc
I'm having trouble with SMTP client certificates. I've got two exim servers, one running on debian as a secondary MX for several domains, and one primary running on Arch (vanilla Exim source). I'm trying to have the primary MX authenticate the secondary by TLS certificate verification, but I can't seem to get the debian exim to send a certificate
2010-05-03 17:06:17 TLS error on connection from mattcox.ca [76.74.129.249] (SSL_accept): error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
there's the log from the primary mx when the secondary mx tries to relay a message
the secondary mx is in tls_verify_hosts, so it demands a client cert
http://pastebin.com/Adm7nQxr Here is a log from an exim -d+all -M foo run trying to relay a message
it finds the certificate and key I've set in the smtp transport on the secondary mx
but it gives some sort of TLS connection error. Is there some sort of issue with a GnuTLS client and an OpenSSL server?
TLS error on connection to darkstar.mattcox.ca [65.49.73.77] (gnutls_handshake): A TLS fatal alert has been received.
borei
hi all
i have one question - what is the "privileged Exim users" ?
i need dspam to run exim as "/usr/sbin/exim -oMr spam-scanned"
don't want to play with headers
lau
hello, i am trying to set up a relay smarthost w/o local delivery
I can send email to the outside world through the smtp.relay.com
but I failed keeping local delivery to the /var/mail/login
if for instance I echo "test" | mail -s"test" root
the exim mainlog shows that exim sent the mail to root@my.domain through the smtp.relay.com
I checked update-exim4.conf.conf but do not know what to set... any idea ?
henk
i don't quite understand your problem. you don't want local delivery right? exim sends a mail to 'root' via the relay, right? so no local delivery happens, which is what you want, isn't it?
lau
hello henk, I think you are right, I am going to try to be clearer
I use dpkg-reconfigure exim4-config (debian based OS)
I have two interesting choices, 1) smarthost and SMTP reception or fetchmail 2)smarthost no local mail
which one should I select in order to send outside mails via smtp.relay.com and keep local deliveries on the machine ?
henk
lau: i'd use the first.
lau
ok henk, now I would like all sent mails to be From: mydedicated.user@fqdn instead of user {u} where should I look over; router conf ?
phx
lau, i'm just doing that
a smarthost, that just relays to an exchange backend from the inet, and relays for the local network as well
with a tiny flavor, it does filtering, quarantining and AUTH using ldap with the AD
lau
hello phx, thus If I want all mails to be sent with the From: set to 'arbitrary@from' I should set up a router ?
phx
lau, address rewriting. http://exim.org/exim-html-current/doc/html/spec_html/ch31.html
lau, you can do address rewriting as global rules or in transports
lau
ok phx, are you suggesting to modify existing exim4.conf.template REMOTE_SMTP_HEADERS_REWRITE=*@+local_domains $1@DCreadhost frs : *@ETC_MAILNAME $1@DCreadhost frs
to REMOTE_SMTP_HEADERS_REWRITE=arbitrary@from ?
phx
i'm writing everything to /usr/local/etc/exim/configure
morex
Hi there
I've got a problem with a spammer using our server for namespace mining
Although we're set not to be an open relay
phx
namespace mining, as checking for valid users?
morex
Yes, at yahoo and hotmail
They're opening a connection to our exim
Which opens a connection to the target mail server
Although we're not sending any emails
phx
please write long lines, it's IRC and not MSN
so they are using your recipient address verification mechanisms?
morex
Maybe
It's not clear from the logs
Here's what we see
phx
pastebin please
morex
It's just one line...
2010-05-04 12:15:05 [19894] H=219-70-169-60.cable.dynamic.giga.net.tw (none-d31682136e) [219.70.169.60]:3033 I=[213.232.93.17]:25 F=<xkdifcrp@yahoo.com.tw> rejected RCPT <k4881502@yahoo.com.tw>: relay not permitted
If I do a netstat -aeW, I can see an open connection to yahoo's mail server
Even though we're rejecting the mail
phx
F= is from, right?
what is I=? i can't recall that
morex
That's our mail server IP address
phx
so they are trying to relay over you, and you're not permitting that. that's OK
morex
Yes
phx
you don't have to worry for this
morex
But our mail server is opening a connection to yahoo in the process and then sending no data
Also to hotmail
Who have blocked our mail server as a result
phx
you can use various RBLs that contain enduser IP ranges
henk
morex: don't do callouts then...
phx
sender address verification
henk, i wouldn't go that far
morex
Henk: How do I turn off the callouts?
phx
i'd say, reorder your rules
henk
phx: depends on where he does them...
phx
wait :)
i'd suggest reordering the rules first. before callouts, check whether you allow relaying for that user/domain
henk
morex: in general i'd only do callouts to servers you know or control. so do as phx says and reorder your rules...
morex
I'm not sure I'm even doing callouts
phx
check your config
morex
I've moved the relay not permitted rule as close to the top of config-check-rcpt as I can
(it's just behind the greylist filter)
phx
is that an RCPT TO or a MAIL FROM ACL?
morex
It's for a RCPT message
phx
if you're verifying from MAIL FROM, then move the callout to the RCPT TO one. this way you can check the local relaying BEFORE sender address verification
morex
Doesn't say to or from
phx
morex
Yes
phx
ok
morex
I tried putting the code in the config_check_mail ACL
But then it wouldn't accept any mail at all.
phx
Q1: how business critical is that mailserver? could it handle 30-40minutes of downtime?
morex
Not just at the moment
phx
then shut it down.
mails will get delivered later
morex
I've got the spammer blocked at the firewall for now
Based on address range
phx
read the config, reorder your rules, and fire it up again
blocking at firewall level is also good
morex
The problem is the rules in RCPT TO won't work in the MAIL FROM
phx
you can do RBLs from connect-time ACLs, that's good
morex, RCPT-TO acls are good for you right now
even for the MAILTO acls, i've already explained this
morex
OK
I'm going to add the 'relay not permitted' condition to the MAILTO ACL
Nope now it won't accept any mail at all.
I'm going to add my greylist code to the MAILTO ACL
It says:
2010-05-04 12:41:39 [21991] H=blu0-omc2-s38.blu0.hotmail.com [65.55.111.113]:51038 I=[213.232.93.17]:25 temporarily rejected MAIL <oqwhatsup@hotmail.co.uk>: cannot test domains condition in MAIL ACL
henk
morex: read the docs on the acl condition 'domains'...
morex
Spammer has found a new IP address...
Henk: What are callouts? How can I stop them?
henk
morex: you don't need to generally stop them, but to do them generally is a bad idea... as you have seen. afaik that's exactly how they are configured: with the 'callout' keyword appended to 'verify = sender/callout' for example...
morex
Ah yes
I see in my greylist configuration
verify = recipient/callout=20s,use_sender,defer_ok
That's just before my 'relay not permitted' message
henk
search for those statements and get them in the correct place regarding the order or checks so that they are only done for mail that's about to go to one of your servers or servers you know.
s/or checks/of checks/
it should be after that relay-check.
morex
OK cool it's greylisted incoming from hotmail (correct)
And it's not doing the callout for the spammer too :-)
Thanks for your help!
phx
i <3 exim
easy quarantining: control = freeze :)
needs to be delivered? exim -M
i can't do anything better.
henk
hm... aren't frozen messages deleted after a while?
phx
yes
and it's done automatically. we're keeping virus/spam mails for 30d
henk
ah ok
phx
frozen timeout handles it automatically
henk
sweet
phx
aye
talin
hello. there is a user who can't receive e-mail, and when i look at the log, i see:
May 4 17:04:54 cp imapd: Error: Disk quota exceeded
May 4 17:04:54 cp imapd: Failed to create cache file: .
any idea where i can check for this problem? the disk is far from exceeded
doubletwist-
Is it possible to tell from the typical default exim logs if a destination address was from the To: CC: or Bcc: lines?
petemc
no
doubletwist-
bummer :)
Thanks.
petemc
np
dmezentsev
hi all
borei
can somebody gimme heads - is it possible to execute external command at the acl level ?