IRC Archive / Freenode / #exim / 2010 / June / 29 / 1
caffiend
got an ldap issue which I believe is related to openldap 2.4, the same config with exim 4.71 works just fine with openldap 2.3 however if there is a workaround with exim I'd prefer that route
I keep getting ldap filter errors and it looks like there is a trailing space in the filter
5059 ldap_search failed: -7, Bad search filter
5059 perform_ldap_search: ldap URL = "ldap:///DC=hsmc,DC=com?mail?sub?(proxyAddresses=SMTP:****@hsmc.com) " server=sf-dc-03.hsmc.com port=3268 sizelimit=0 timelimit=0 tcplimit=0
and for the router, the seemingly tried and true;
data = ${lookup ldap { \
user="cn=XXXX,CN=Users,DC=hsmc,DC=com" pass=XXXX \
ldap:///DC=hsmc,DC=com?mail?sub?(proxyAddresses=SMTP:${quote_ldap:$local_part}@${quote_ldap:$domain})}}
joar
I've got some exim mx'es running and they deliver local mail to a folder mounted via nfs. I need to reboot the server containing all local mail and do some maintenance, is there a way to tell exim to temporarily queue up mail and postpone local deliveries until the mailstore server is up again?
any hints pointing me in direction of any help is appreciated :)
looks like -odq might be something (ref. man exim)
Simon-
joar: system filter file with "freeze" in it
joar: or a "control = freeze" in the appropriate acl
although -odq looks simpler...
however it won't do what you want unless you also disable the queue runner
joar
Simon: thnx, looking into it :)
caffiend
got an ldap issue which I believe is related to openldap 2.4, the same config with exim 4.71 works just fine with openldap 2.3 however if there is a workaround with exim I'd prefer that route
I keep getting ldap filter errors and it looks like there is a trailing space in the filter and it is making me loony, as if that's a stretch so any assistance is kindly appreciated
5059 ldap_search failed: -7, Bad search filter
5059 perform_ldap_search: ldap URL = "ldap:///DC=hsmc,DC=com?mail?sub?(proxyAddresses=SMTP:****@hsmc.com) " server=sf-dc-03.hsmc.com port=3268 sizelimit=0 timelimit=0 tcplimit=0
and for the router, the seemingly tried and true;
data = ${lookup ldap { \
user="cn=XXXX,CN=Users,DC=hsmc,DC=com" pass=XXXX \
ldap:///DC=hsmc,DC=com?mail?sub?(proxyAddresses=SMTP:${quote_ldap:$local_part}@${quote_ldap:$domain})}}
leftStanding
what's the preferred way to add virtual users? is it done through an alias file, mysql database, or other?
petemc
both those methods work
leftStanding
petemc: i've placed info@domain1.com: myPrivateAddy@gmail.com in the /etc/alias file but i get a rejection notice as a reply
i'll google some more
petemc
exim -d -bt info@mydomain1.com
pierrep
hi
I got one mail server that works nice using email like user@mydomain.com
I added a front server today and it can send email to gmail but not to the other mail server
log file full of Unrouteable address
if somebody got a hint about that :-)
petemc
exim -d -bt user@other_mail_server
(Action) feels like a bot
caffiend
(Action) oils petemc
petemc
a bot that knows nothing of ldap, im afraid
caffiend
no worries, I'm chillin
petemc
some people here do, im sure
caffiend
but not able to turn down an opening like that
petemc
or else try the exim-users mailing list
:)
caffiend
yeah that's my next stop
I've not irc'd in years now so I'm just enjoying the idling
petemc
kewl
Kobaz
http://pastebin.com/L76HFJyq
i'm trying to only do a sender callout verify for all domains except for the ones matching... ie: foo.com
exim complains you can't do a domain match in a data acl
so... how would i do that?
i don't see why you shouldn't be able to match domains... seems like a needless restriction
ij_
hi!
(Action) has an authorization problem with cram_md5 driver
http://paste.debian.net/79107/
apparently a spammer is submitting credentials like user=inna and password=''... the SQL query returns a '' because a user inna is unknown and no password is stored. so the lookup matches...
Kobaz
YES
i'm seeing the SAME THING
ij_
any advice how to modify the lookup?
Kobaz
i turned off cram
looking for a fix at the moment
i have 3847982374982374928374 emails in my queue going to yahoo, from the inna user
ij_
yes, same here...
Kobaz
i blocked yahoo for now. so they stop being delivered so i can clear them out
ij_
i wrote a script to clean up the queue...
Kobaz
yeah
writing one now
heh
grep auth_id inna
i picked up the cram example off the web
apparently any user that doesn't exist, with an empty password is let through
i kept wondering... where the hell is this inna user coming from... since all of my logins are user@host
ij_
well, two weeks ago it was a different user...
Kobaz
yeah
ij_
oh, it was even an empty user ''
Kobaz
yeah
here's the problem
cram is expecting to see the secret
so if the lookup fails... '' is returned... which matches the given secret of ''
so the cram would need to be modified to reject an empty secret
ij_
true... I already tried to modify the sql query to return a random secret if the secret of the questioned user is empty... but to no success, sadly
Kobaz
ij_
the exim syntax is imho horrible in that respect with all those {}... reminds me of lisp... ;)
Kobaz
yeah
i think exim is a really nice solid server
but the syntax is really horrible
someone should rewrite the config interface
caffiend
you try adding fail after your lookup? Cause per the docs it is not set
Kobaz
yeah, i'm trying to figure out where i would put the fail
caffiend
server_secret = ${lookup pgsql{select clear from passwd where passwd.usr='$1' limit 1}{$value}fail} should do it
Kobaz
server_secret = ${lookup pgsql {SELECT "passwd FROM email_users WHERE "login" = '${quote_pgsql:$1}'}}
is what i have
caffiend
server_secret = ${lookup pgsql {SELECT "passwd FROM email_users WHERE "login" = '${quote_pgsql:$1}'}fail} I believe
Kobaz
yeah
trying that
except it should be "passwd"
i missed a quote
ij_
Kobaz: no I get "2010-06-29 21:55:17 cram_md5 authenticator failed for (mxsqac.com) [183.7.159.33]: 535 Incorrect authentication data (set_id=inna)"
ah, quote_pgsql seems to be nice to have as well
Kobaz
yeah
it is
prevents sql injection
server_secret = ${lookup pgsql \
{SELECT "passwd" FROM email_users WHERE "login" = '${quote_pgsql:$1}'}{$value}fail}
okay... that's working for me... i think
ij_
(Action) wonders if that is something "new"... ;)
Kobaz
heh... it looks like it's been in there for a while
that's so crazy
every cram-md5 sql example i've ever seen... has never included the fail bit
ij_
well, my exim4.conf is there for a while as well ;)
Kobaz
so everyone who has used those examples is vulnerable to being an open spam relay
ij_
(Action) thinks the exim4.conf is from 2003 or so
Kobaz
which is why it's probably being exploited
since the examples are flawed
ij_
yep, but it's strange that it lasted that long...
Kobaz
heh, yeah
caffiend
you pickup those examples from the main site or elsewhere?
Kobaz
so i deleted all the inna emails from my queue... at 26,000 of them,
s/at/all
caffiend: dont know where i picked it up... i think i got it from the exim book maybe
i dont have it handy... i know i did a lot of searching online too
caffiend
ugh, I hate books with piss-poor examples and there are many of them
Kobaz
hmm... i also seem to have a lot of emails in the queue for mx2.mail.tw.yahoo.com
2300 of those
ij_
I remember that i tried with fail back then as well, but for some reason it didn't work as expected... maybe there was a bug with that back then which is solved in the meantime?
Kobaz
maybe
ij_
could explain why all those examples miss the fail
Kobaz
i dont remember even seeing fail though
ij_
Kobaz: hinet.net as well
caffiend
those actions have been around as far as I can remember, but it doesn't surprise me in the least that there are untested formulas out there
Kobaz
i should set up that honeypot thing
i forgot the name
it's a checksum service... you run it on an email that's not public... or specifically posted to catch spam
and then if that same email content is sent to a legit email... it rejects it
dcc
i think
ij_
hmmm, now with fail it seems to work... and valid mail is still sent :-)
Kobaz
yeah
ij_
Kobaz: thx for the help, anyway :)
Kobaz
heh. no problem
still cleaning up my mail queue
leftStanding
i'm running exim4 and have three domains on the same server. i've added virtual users to /etc/exim4/virtual/domain1.com but when i send an email help@domain1.com i get an unroutable address. any suggestions?
the server can send mail from the system outward and remap email addresses
Kobaz
leftStanding: paste your config
caffiend
leftStanding, what do you get from exim -d -bt help@domain1.com
ij_
Kobaz: i was just running "mailq | grep "-" | awk '{print $3}' | xargs -n 10 exim -Mrm" on the queue to get rid of the spams... should work fairly well when you've delivered valid mails already
Kobaz
3200 emails left
ij_: yeah... i dont know if i have any non-delivered valid mails
ij_
(Action) got 34.000 mails in the queue 14 days ago when that spammer hit me first...
Kobaz
heh
yeah... i had 26,000 from inna, just today
ij_
Kobaz: i once wrote a python script when I was still doing UUCP... it tries to deliver the mail and acts different according to the return code and such...
i run that script first and regular mail should then be delivered. the rest is mostly undeliverable mail
Kobaz
ah
leftStanding
Kobaz: my config http://pastebin.org/367053
ij_
Kobaz: http://bluespice.dyndns.org/check_mailq
leftStanding
caffiend|afk: output from exim -d bt http://pastebin.org/367058
Kobaz
hmm... i have a large amount of zero byte files in the queue directory from 2007, 2008, and 2009
okay... much better
24 files in the mail queue
leftStanding
i've been following the online tutorials and what not but it seems like a lot of it is out of date or one author complains another author is using the config files incorrectly
it's difficult to figure out a set of config changes that will grant virtual users on virtual domains. heh, even an article pointed out that those terms have fuzzy definitions
ij_
leftStanding: the best tutorials are on exim.org in the official exim documentation
Kobaz
leftStanding: your config looks pretty vanilla... quick glance i don't see anything for virtual hosts... your best bet is yeah... look at the docs
leftStanding
yeah my config is pretty much the output of the debian reconfigure package
plus a few modifications that the debian admin page said i should follow for multiple domains
ij_
leftStanding: ah, you're using the Debian cluttered config files?
(Action) just replaced it right away with a single exim4.conf
leftStanding
yeah i ran the dpkg-reconfigure exim4-config. i can't tell whether exim4 is using the split files or one big file, even though i'm telling it to use the one big file
ij_
leftStanding: i was just confused by all those config files... so I just deployed a standard exim4.conf (from /usr/share/doc/exim.../examples I think) and modified that to my needs
leftStanding
i will try that. the main things i want the email server to do, is not act as an open relay and send/receive mail
tsunamie
yo yo yo
anyone in the house
guess no one is awake
oh well
ij_
leftStanding: well, that's easy: limit it to listen on 127.0.0.1 for the while
tsunamie
Does anyone have a quick link to a guide on how to configure exim to use another mounted location as the location for the queue.
Background info
I want to see how much of a performance boost or loss I get by using a SAN (ISCSI or FC most likely iscsi since that's actually affordable) as the location the mail is stored in the queue.
The reasoning around this is that I want to create a VM that uses this SAN storage location to store the emails when it first gets received. Since exim will always keep a copy of the email in its queue when it receives an email even when processing it and will only delete it after it has written the new email to disk.
Or am I just barking mad