gmane.mail.exim.user

Re: acl_added_headers

Simon Pin — 2013-06-17T08:52:00

There is in the current development head but it's not hit a release yet. Is that an option for you? 
Thanks, that's good to know. I'll certainly look into it, but as this will be used on production systems I'd rather stick to a stable branch (and if at all possible to whatever is available in Debian repos).
Is there another way to get at those headers? It doesn't need to be as simple as accessing the acl_added_headers variable - I'm willing to jump through some hoops to get at this data!

Re: Adding a whitelist to greylist

David Woodhouse — 2013-06-16T22:59:49

That sounds like a bug in your greylisting implementation. I'm not sure
why adding a whitelist would help.

See https://github.com/Exim/exim/wiki/SimpleGreylisting for a simple
example which doesn't suffer the same bug.

Re: Fwd: exim showing header incorrectly

David — 2013-06-16T14:46:18

AFAIK the "on behalf of" is shown in certain MUAs if Sender does not 
match From.

< at >Hillel Bilman:
You may want to try setting:
local_from_check = false

maybe in addition to these (depending on the headers set by phplist):
local_sender_retain = true
untrusted_set_sender = *

See the manual for what each setting does.

David

Re: Fwd: exim showing header incorrectly

Odhiambo Washington — 2013-06-16T14:42:16

If PHPList is correctly configured to set the From: header, then IIRC, you
need to tell Exim that apache is a trusted user, by including it the list

trusted_users = apache : foo : bar

That would enable apache (which PHPLIst is running as) to set the header
sender.


On 15 June 2013 21:56, Hillel Bilman <hillel.bilman< at >gmail.com> wrote:

Re: Fwd: exim showing header incorrectly

Jeremy Harris — 2013-06-16T13:17:29

The current sources do not contain the phrase "On Behalf Of".  While
I've not looked specifically at sources as of 4.77 I doubt that this
is Exim's fault.

Can you intercept a mmessage being sent between your PHP and MTA?

Fwd: exim showing header incorrectly

Hillel Bilman — 2013-06-15T18:56:30

Hi Exim Gurus,

We are using Exim 4.77 with PHPList and when we sent emails from PHPList we got:
Apache [mailto:apache< at >our_domain] On Behalf Of Client Name and email address

Terms: Our_domain is the domain set on our centos server.
Client Name and email address is the client name with their email address.

The emails should just show our client name and their email address and not have
"Apache [mailto:apache< at >our_domain] On Behalf Of"

To see if the problem was with PHPList we used Postfix and switched off exim.
The problem disappearance so we know the problem is with exim.
We have made no changes to Exim or Postfix configuration files.

Any suggestions to solve this?

Thanking you in advance.

Re: exim acting as client on office365

ramatukuma — 2013-06-16T10:56:58

Thanks Nigel but I have found the problem...

Was a temporary password problem at outlook 365 servers (was erroneously
disabled...)

Moderator, please, close this thread.

Thank's


2013/6/16 Nigel Metheringham <nigel< at >dotdot.it>

Re: Adding a whitelist to greylist

Odhiambo Washington — 2013-06-16T10:46:39

exim -bh some-host-in-the-whitelist



On 16 June 2013 13:10, Raphael Bauduin <rblists< at >gmail.com> wrote:

Re: Adding a whitelist to greylist

Raphael Bauduin — 2013-06-16T10:10:35


this is acl_check_rcpt



Nothing there.

I have done further tests. I added this accept directive at the start of
the act:

  accept
    domains      = +local_domains
    dnslists      = list.dnswl.org
    log_message      = $sender_host_address is whitelisted in rcpt check

and the result is that... nothing happens.

From my understanding, the dnswl includes the gmail servers as the
greylisting is skipped if I add the condition that greylisting is done only
if the sender ip is not in the dnswl list.
So the accept directive should make the acl accept the messages from gmail,
but that is apparently not the case. Am I misunderstanding something?

thanks

Raph

Re: exim acting as client on office365

Nigel Metheringham — 2013-06-16T09:11:25


ramatukuma wrote:

Try setting your transport to do STARTTLS and see what the second ESMTP 
negotiation gives you for AUTH - it may be they only allow AUTH when the 
session is encrypted

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECID185

Nigel.

Re: exim acting as client on office365

Jasen Betts — 2013-06-15T00:12:13

ng using openssl suggests their SSL is broken

nah, it's just I don't know how to drive openssl. I should have had
'-crlf' in there too.

Re: exim acting as client on office365

Jasen Betts — 2013-06-14T23:57:00

<< 250-pod51028.outlook.com Hello [189.74.52.32]
<< 250-SIZE 36700160
<< 250-PIPELINING
<< 250-DSN
<< 250-ENHANCEDSTATUSCODES
<< 250-STARTTLS
<< 250-AUTH
<< 250-8BITMIME
<< 250-BINARYMIME
<< 250 CHUNKING     

looks OK to me, 


AIUI auth by itself is AFAICT MAIL-AUTH


What does their server say after you do STARTTLS, and then EHLO?

testing using openssl suggests their SSL is broken

 openssl s_client -connect pod51028.outlook.com:25 -starttls smtp
 
I get a connection under starttls but after that I say EHLO and get 
no response...

compare with a working starttls service:

 openssl s_client -connect smtp.gmail.com:submission -starttls smtp

Re: Spoof prevention acl

Todd Lyons — 2013-06-14T20:33:00

I think you need to limit which hosts you apply this to and if smtp
auth is being used.

I also think you need to analyze what your system does when it
receives the following headers:

 From: Me <me< at >example.com>, Me <me< at >example.org>

Yes, you can have multiple from addresses.  So your expansion needs to
either check all of them, or just pick one (first, last, etc), and use
that one for the test.

 To: Me <me< at >example.com>, Me <me< at >example.org>

Consider what happens if both of these are domains you host?  Or only
one of them is?  Your condition needs to handle all possible
combinations and you need to decide if only one is correct that it is
an acceptable email or not.

Now you need to be warned of the BAD things that can happen due to
trying to detect forged headers:

Consider what happens if one of your users joins this mailing list.
Your domain is example.net.  Your user is user< at >example.net.  He joins
this mailing list.  He posts and complains about the spam filtering or
something.  The email comes to the

test2

Reinaldo Matukuma — 2013-06-14T20:03:22

test2

Re: acl_added_headers

Jeremy Harris — 2013-06-14T19:51:56

There is in the current development head but it's not hit a release yet.
Is that an option for you?

Re: exim acting as client on office365

ramatukuma — 2013-06-14T16:30:49

Hi Gergely.

No... I'm not a exim newbie.

The setup it's correct. Exim is doing both the server authentication for my
internal client as the client authentication with the outgoing smtp server.
And there no doubt about the setup because, if i change the address to
another ISP all works. With the gmail smtp server works too, but i need to
force ssl to work with it (that it's a requirement of gmail service and
this sounds okay for me).


------------------------------
Date: Fri, 14 Jun 2013 17:16:47 +0200
Subject: Re: [exim] exim acting as client on office365
From: gergely< at >polonkai.eu
To: ramatukuma< at >hotmail.com
CC: exim-users< at >exim.org


On 14 Jun 2013 15:56, "Reinaldo Matukuma" <ramatukuma< at >hotmail.com> wrote:
server with authentication.
LOGIN) that will be sent after TLS.
correct announce of AUTH mechanisms....
36700160         250-PIPELINING         250-DSN
250-ENHANCEDSTATUSCODES         250-STARTTLS         250-AUTH
250-8BITMIME         250-BINARYMIME         250 CHUNKING
don't find the correct authenticat

Re: exim acting as client on office365

ramatukuma — 2013-06-14T16:22:07

Hi Odhiambo.

The AUTH is incorrectly advertised. A correct setup would announce all the
mechanisms available for authentication.

So, a correct answer at smtp will be, for example:

250-AUTH PLAIN LOGIN

And what the office 365 servers are answering is:

250-AUTH

This is incorrect and that is the point of the problem because exim search
for the correct credential when acting as a client, based on the mechanisms
available (and in this case, there are no one mechanism available because
no one mechanism was announced).

This is what I search and asked if someone else has or had the same problem
because I think that the two ways to fix this is:

1 - make the office 365 do the right answer when receive the EHLO verb (but
it's exchange and it's microsoft - what means that this probably will never
be fixed).

2 - make the exim do the authentication using some fallback-style-schema
when you already had setup hosts_require_auth for some of the office 365
servers).

Had any other idea?

Thank's

And... Ya... It's fr

Re: exim acting as client on office365

Reinaldo Matukuma — 2013-06-14T17:49:47

Mike. You are right.
I forgot to see with the hosts_require_tls enabled for this host.
So... There are a strange behavior...
I have the correct user, the correct password and try again using the TLS.
And... On debug log... I had the same auth fail problem:

  SMTP>> STARTTLSwaiting for data on socketread response data: size=29  SMTP<< 220 2.0.0 SMTP server readysetting SSL CTX options: 0x1000000Diffie-Hellman initialized from default with 2048-bit primeInitialized TLSCalling SSL_connectSSL info: before/connect initializationSSL info: before/connect initializationSSL info: SSLv2/v3 write client hello ASSL info: SSLv3 read server hello ASSL info: SSLv3 read server certificate ASSL info: SSLv3 read server done ASSL info: SSLv3 write client key exchange ASSL info: SSLv3 write change cipher spec ASSL info: SSLv3 write finished ASSL info: SSLv3 flush dataSSL info: SSLv3 read finished ASSL info: SSL negotiation finished successfullySSL info: SSL negotiation finished successfullySSL_connect succeededCipher: TLSv1:AE

test

Reinaldo Matukuma — 2013-06-14T17:15:30

test
ignore please.
moderator, delete this message, please.
thanks

Re: exim acting as client on office365

Alain Williams — 2013-06-14T16:32:31


Exim should follow the RFC.

Having said that ... microsoft doesn't have the best of reputations of following
standards as if often believes that its implementations ARE the standard. I do
fear that if exim changes here then it might cause problems elsewhere.

Is anyone up to sending in a bug report to MS ?

Re: exim acting as client on office365

Reinaldo Matukuma — 2013-06-14T16:20:05

Hi Odhiambo.
The AUTH is incorrectly advertised. A correct setup would announce all the mechanisms available for authentication.
So, a correct answer at smtp will be, for example:
250-AUTH PLAIN LOGIN
And what the office 365 servers are answering is:
250-AUTH
This is incorrect and that is the point of the problem because exim search for the correct credential when acting as a client, based on the mechanisms available (and in this case, there are no one mechanism available because no one mechanism was announced).
This is what I search and asked if someone else has or had the same problem because I think that the two ways to fix this is:
1 - make the office 365 do the right answer when receive the EHLO verb (but it's exchange and it's microsoft - what means that this probably will never be fixed).
2 - make the exim do the authentication using some fallback-style-schema when you already had setup hosts_require_auth for some of the office 365 servers).
Had any other idea?
Thank's
And... Ya... It's friday... My b