IRC Archive / Freenode / #exim / 2015 / September / 4 / 1
pthree
it seems to be most prominent with *myvzw.com
I've had it happen with my home IP, otherwise I'd say just myvzw
jgh_
but not always, on your home IP?
pthree
let me grep and see if I can get positive confirmation re: home ip
correct
and not always on myvzw either!
I thought it had to do with entropy so I built a static dh file, but it still happens.
jgh_
makes a version/cipher prob less likely then
pthree
ok, it happened on 8/26 with my home ip
here is a failed transaction via my home ip: http://pastebin.com/9MuQNNaA
jgh_
my next thing would be to try to get either or both of a packet-capture or an exim debug run of a failing connection - but if it's not consistent that's kinda hard
pthree
Prior to today I'd have said it was the changes to iOS mail introduced with 8.4.1 but it happened with outlook this morn.
yeah
I don't know if there is any correlation, but my logs are littered with these: 2015-09-03 15:10:59 TLS error on connection from mail-bn1bon0063.outbound.protection.outlook.com (na01-bn1-obe.outbound.protection.outlook.com) [157.56.111.63] (send): Error in the push function.
'error in the push function'
jgh_
"a write into the ssl layer failed" is my translation of that
pthree
how can I fix that?
they aren't my clients or users
jgh_
it's probably another symptom of the same issue
maybe something really is interfering with your connections
pthree
port would come up as filtered, right?
jgh_
um, you may be asking about something other than Exim, there
pthree
i see
are you familiar with openssl s_client -starttls smtp -crlf -connect <ip>:587 ?
one line in particular, "No client certificate CA names sent" stands out for me
jgh_
not especially
pthree
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482012
i'm disabling MAIN_TLS_TRY_VERIFY_HOSTS
uh fingers crossed but I think that was it. Going to go for a walk while I tail logs
20 mins later, the only TLS errors are the 'error in the push function' which I've had in my logs forever. No unexpected length nor invalidation errors
thanks guys :)
bjornar_
Can I set a acl_m variable in routers?
Nuu
henk, hello, are you here?
if you remember me, we talked yesterday about aliases and receiving mails. I have placed my mysql_aliases config before mysql_users config; now if I have an alias in the database it will forward the message with this alias, but I will not receive the message in the main mailbox. Now it just redirects the message to another mailbox, but I need something like a forward.
jgh_
explain what you see as the difference between a redirect and a forward?
Nuu
Maybe someone can help? What I need is a message forward, so if I send a message to mailbox "sample@mydomain.com" I want to receive an email in this mailbox, and send a copy of the message to a different mailbox on this server
maybe not a "full" redirect, sorry for my English, I need to send a full copy of the message to a different mailbox on the same server... I think that's what is called a "forward"
jgh_
a redirect router is given data which defines where to direct to. This can be a single address or a list of addresses. List items are comma-separated. Any item can be identical to the original; this does not cause a routing loop.
http://exim.org/exim-html-current/doc/html/spec_html/ch-the_redirect_router.html#SECTitenonfilred
Nuu
Ohh, thanx a lot! You are awesome.
R3turn
I'm using sender_address_domain inside a client authenticator. More specifically in the login: one, driver = plaintext... It's working as expected, but with bounces it seems to be empty?
jgh_
and the sender for a bounce is empty...
henk
what do you expect it to be and why?
R3turn
I thought these were sent using the mailserver's hostname, but it seems not to be the case :)
I want this exim server to forward emails to different relay servers based on the sender. But I need bounces to get to the right location.
jgh_
define "right"
R3turn
Well, for now email is coming from server A and needs to be forwarded to different relay servers. Bounces should actually always go back to server A. So I actually need to modify my router I guess. But how do I know if an email is a bounce or not, inside a router?
jgh_
actually, no, bounces should not always go to server A
R3turn
no?
jgh_
bounces need to end up at an MV for the domain of the envelope sender of the original. If you need to send via some specific gateway, then that's a local rules problem - but the answer won't always be "the system it came from"
wups, s/MV/MX
R3turn
What I'm setting up here is the following: I have a Kerio Connect mailserver and a SpamExperts spam filter. Kerio Connect can use SpamExperts' smtp relay for outgoing spam filtering, but SpamExperts needs a different authentication for each domain. So it can effectively block only 1 domain if spam is sent out by that domain.
Kerio Connect can't do that. It only has a global smtp relay option.
So I want Kerio Connect to forward its messages to my exim installation, and have Exim forward them to the SpamExperts smtp using the right authentication.
The only event where a bounce can occur is when SpamExperts is rejecting the message. And in that case it should always go back to Kerio Connect
or am I missing something?
jgh_
yes: just because the original came from this K-system does not mean that the envelope sender lives on that system. If they're sending as (envelope) from fred@gmail.com then any bounce you generate should go to a gmail MX
R3turn
actually kerio connect will accept it and relay it in that case
but can I somehow know if an email is a regular mail or a bounce, from within an exim router?
jgh_
bounces have an empty sender
that won't tell you if *you* generated it...
R3turn
idd, but I guess there's no easy way to know if 'I' generated it?
bjornar_
Is there any really good schematic representation of what happens in routers... thinking of advanced features like expanding aliases, figuring out if the current address being routed is a direct address or an expanded one, what happens if a redirect router gives data equal to its input .. or even just includes the original rcpt in its output...
These things are hardly or badly documented afaik
pthree
follow up to my TLS issues yesterday: I added an accept to the RBL acl for authenticated users and that seems to have removed all the TLS weirdness except 'error in the push function'. It appears to have fixed the issue where emails were periodically rejected.
The biggest clue to that was prior to a TLS error on connection, I'd have an entry in mainlog like this: 2015-09-03 16:49:50 DNS list lookup defer (probably timeout) for 165.4.197.70.l1.apews.org: assumed not in list
R3turn
How can I tell exim that an SMTP authentication error is a permanent error? It keeps retrying...
rjek
Lots of SMTP clients/spam bots are quite happy to ignore permanent errors and try again
jgh_
R3turn: http://exim.org/exim-html-current/doc/html/spec_html/ch-retry_configuration.html#SECID161
bjornar_
R3turn, just disconnect them
rjek
drop delay=10s
henk
pthree: how is that a clue? I don't see any connection between the two messages &
pthree
henk: it was an intermittent issue, but the ones that resulted in a failure were preceded by that RBL lookup.
I don't care about RBL for authenticated users, so within that acl block I added !authenticated = *
henk
pthree: IMHO the only logical conclusion that allows is "connection issues" & probably your server's connection.
pthree
to clarify, all transactions were subject to rbl lookup, the ones that failed had that specific dns list lookup defer entry
hmm, wan is 5 bonded t1's. moving to gige fiber this month. from there will migrate exim to o365 so one way or another it'll be resolved :)
henk
an RBL lookup certainly has no influence on the ssl connection & correlation != causation
ok
pthree
oh, no i'm saying that the delay the rbl timeout introduced borked the mua's transaction
!dnslists = hostkarma.junkemailfilter.com=127.0.0.1,127.0.0.3 dnslists = b.barracudacentral.org=127.0.0.2 : l1.apews.org=127.0.0.2 : ix.dnsbl.manitu.net : hostkarma.junkemailfilter.com=127.0.0.2 : zen.spamhaus.org : bl.spamcop.net : psbl.surriel.com : dnsbl-1.uceprotect.net : dnsbl-2.uceprotect.net : dnsbl.sorbs.net : new.spam.dnsbl.sorbs.net : smtp.dnsbl.sorbs.net : http.dnsbl.sorbs.net : black.uribl.com
jgh_
ah, you often have to treat MUAs with kid gloves as they're stupid
R3turn
I have this in my retry rules now '* auth_failed F,3m,1m' .. Shouldn't it stop retrying after 3 minutes (my queue is set to run every minute for now...) ? .. It keeps retrying while the remote smtp server is sending a 535 Incorrect authentication data
jgh_
is the transport hosts_require_auth matching this destination?
R3turn
yes
jgh_
is there some other retry rule you could be hitting first? They are searched in order.
R3turn
oh, yes, true. I added it in the wrong place. Thanks jgh_ :)
another problem I'm facing is 'remote host address is the local host' .. errors. Can I prevent this check?
jgh_
mmm, something like "self=true", I think
on the relevant router
self=send
http://exim.org/exim-html-current/doc/html/spec_html/ch-generic_options_for_routers.html
R3turn
thanks
jgh_
"This setting should be used with extreme caution"
R3turn
jgh_: I have set the retry like this '* auth_failed F,1h,1m' but now it seems to never retry. I get an error back telling me I reached max. retry time right after it received the first 535 Incorrect authentication data
Actually, it's sending a retry failure, but it should just forward the '535 Incorrect authentication data' :)
jgh_
you may need to wipe the retry hints DB, having changes the rules
changed
(policy opinion) I'd label a 1-minute retry abusive, if it hit my servers
R3turn
jgh_: it's for testing now :)