gmane.mail.exim.user

Scripts/mail

Adriano Anselmo — 2013-06-19T18:31:29

Dear


The emails via scripts enviandos out with the main ip 999.157.999.30. The
emails via SMTP out with ip 999.157.999.31
I have a domain which has own IP 999.157.999.33 which makes uploads via
scripts through a cron, which then sends the ip 999.157.999.30
I wonder if there is a way that this domain has own IP, the emails are
enviandos out with him being the  ip own.

Re: Adding a whitelist to greylist

Raphael Bauduin — 2013-06-19T10:22:52


This is a system I'm temporarily taking over, and I'd like to make the
least changes possible.
It is using http://greylistd.sourceforge.net/
Wouldn't adding a whitelist short-circuit the greylisting for the hosts in
the whitelist?





thanks, I had this bookmarked :-)
In addition to change the least possible, I'm at this point also interested
in understanding the behaviour I see when adding the whitelist.

Raph

Re: acl_added_headers

Simon Pin — 2013-06-17T08:52:00

There is in the current development head but it's not hit a release yet. Is that an option for you? 
Thanks, that's good to know. I'll certainly look into it, but as this will be used on production systems I'd rather stick to a stable branch (and if at all possible to whatever is available in Debian repos).
Is there another way to get at those headers? It doesn't need to be as simple as accessing the acl_added_headers variable - I'm willing to jump through some hoops to get at this data!

Re: Adding a whitelist to greylist

David Woodhouse — 2013-06-16T22:59:49

That sounds like a bug in your greylisting implementation. I'm not sure
why adding a whitelist would help.

See https://github.com/Exim/exim/wiki/SimpleGreylisting for a simple
example which doesn't suffer the same bug.

Re: Fwd: exim showing header incorrectly

David — 2013-06-16T14:46:18

AFAIK the "on behalf of" is shown in certain MUAs if Sender does not 
match From.

< at >Hillel Bilman:
You may want to try setting:
local_from_check = false

maybe in addition to these (depending on the headers set by phplist):
local_sender_retain = true
untrusted_set_sender = *

See the manual for what each setting does.

David

Re: Fwd: exim showing header incorrectly

Odhiambo Washington — 2013-06-16T14:42:16

If PHPList is correctly configured to set the From: header, then IIRC, you
need to tell Exim that apache is a trusted user, by including it the list

trusted_users = apache : foo : bar

That would enable apache (which PHPLIst is running as) to set the header
sender.


On 15 June 2013 21:56, Hillel Bilman <hillel.bilman< at >gmail.com> wrote:

Re: Fwd: exim showing header incorrectly

Jeremy Harris — 2013-06-16T13:17:29

The current sources do not contain the phrase "On Behalf Of".  While
I've not looked specifically at sources as of 4.77 I doubt that this
is Exim's fault.

Can you intercept a mmessage being sent between your PHP and MTA?

Fwd: exim showing header incorrectly

Hillel Bilman — 2013-06-15T18:56:30

Hi Exim Gurus,

We are using Exim 4.77 with PHPList and when we sent emails from PHPList we got:
Apache [mailto:apache< at >our_domain] On Behalf Of Client Name and email address

Terms: Our_domain is the domain set on our centos server.
Client Name and email address is the client name with their email address.

The emails should just show our client name and their email address and not have
"Apache [mailto:apache< at >our_domain] On Behalf Of"

To see if the problem was with PHPList we used Postfix and switched off exim.
The problem disappearance so we know the problem is with exim.
We have made no changes to Exim or Postfix configuration files.

Any suggestions to solve this?

Thanking you in advance.

Re: exim acting as client on office365

ramatukuma — 2013-06-16T10:56:58

Thanks Nigel but I have found the problem...

Was a temporary password problem at outlook 365 servers (was erroneously
disabled...)

Moderator, please, close this thread.

Thank's


2013/6/16 Nigel Metheringham <nigel< at >dotdot.it>

Re: Adding a whitelist to greylist

Odhiambo Washington — 2013-06-16T10:46:39

exim -bh some-host-in-the-whitelist



On 16 June 2013 13:10, Raphael Bauduin <rblists< at >gmail.com> wrote:

Re: Adding a whitelist to greylist

Raphael Bauduin — 2013-06-16T10:10:35


this is acl_check_rcpt



Nothing there.

I have done further tests. I added this accept directive at the start of
the act:

  accept
    domains      = +local_domains
    dnslists      = list.dnswl.org
    log_message      = $sender_host_address is whitelisted in rcpt check

and the result is that... nothing happens.

From my understanding, the dnswl includes the gmail servers as the
greylisting is skipped if I add the condition that greylisting is done only
if the sender ip is not in the dnswl list.
So the accept directive should make the acl accept the messages from gmail,
but that is apparently not the case. Am I misunderstanding something?

thanks

Raph

Re: exim acting as client on office365

Nigel Metheringham — 2013-06-16T09:11:25


ramatukuma wrote:

Try setting your transport to do STARTTLS and see what the second ESMTP 
negotiation gives you for AUTH - it may be they only allow AUTH when the 
session is encrypted

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECID185

Nigel.

Re: exim acting as client on office365

Jasen Betts — 2013-06-15T00:12:13

ng using openssl suggests their SSL is broken

nah, it's just I don't know how to drive openssl. I should have had
'-crlf' in there too.

Re: exim acting as client on office365

Jasen Betts — 2013-06-14T23:57:00

<< 250-pod51028.outlook.com Hello [189.74.52.32]
<< 250-SIZE 36700160
<< 250-PIPELINING
<< 250-DSN
<< 250-ENHANCEDSTATUSCODES
<< 250-STARTTLS
<< 250-AUTH
<< 250-8BITMIME
<< 250-BINARYMIME
<< 250 CHUNKING     

looks OK to me, 


AIUI auth by itself is AFAICT MAIL-AUTH


What does their server say after you do STARTTLS, and then EHLO?

testing using openssl suggests their SSL is broken

 openssl s_client -connect pod51028.outlook.com:25 -starttls smtp
 
I get a connection under starttls but after that I say EHLO and get 
no response...

compare with a working starttls service:

 openssl s_client -connect smtp.gmail.com:submission -starttls smtp

Re: Spoof prevention acl

Todd Lyons — 2013-06-14T20:33:00

I think you need to limit which hosts you apply this to and if smtp
auth is being used.

I also think you need to analyze what your system does when it
receives the following headers:

 From: Me <me< at >example.com>, Me <me< at >example.org>

Yes, you can have multiple from addresses.  So your expansion needs to
either check all of them, or just pick one (first, last, etc), and use
that one for the test.

 To: Me <me< at >example.com>, Me <me< at >example.org>

Consider what happens if both of these are domains you host?  Or only
one of them is?  Your condition needs to handle all possible
combinations and you need to decide if only one is correct that it is
an acceptable email or not.

Now you need to be warned of the BAD things that can happen due to
trying to detect forged headers:

Consider what happens if one of your users joins this mailing list.
Your domain is example.net.  Your user is user< at >example.net.  He joins
this mailing list.  He posts and complains about the spam filtering or
something.  The email comes to the exim-users mailing list server, and
the exim-user mailing list server sends out emails to everybody
subscribed.  Your mail server receives the email and the header From:
says it's from "user< at >example.net", but you are configuring your exim
to know that example.net is a local domain and assume it must be
forged, so you reject it.  That was a valid case where the header from
does not match the envelope MAIL FROM, but your system is going to
reject it.  That's bad.

The alternative approach is to configure your exim system to detect
these purported forgeries and instead of rejecting it, redirect it to
a user's .Spam folder.  I think you will find that a large amount of
emails will erroneously end up in that Spam folder instead of their
Inbox.


Right, only in the DATA acl because that's *after* the message headers
and body have been received.  The PREDATA acl means that the headers
have not yet been sent to your server, so $h_to and $h_from have no
value (becuase they have not been received yet).

...Todd
--
The total budget at all receivers for solving senders' problems is $0.
 If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine

test2

Reinaldo Matukuma — 2013-06-14T20:03:22

test2

Re: acl_added_headers

Jeremy Harris — 2013-06-14T19:51:56

There is in the current development head but it's not hit a release yet.
Is that an option for you?

Re: exim acting as client on office365

ramatukuma — 2013-06-14T16:30:49

Hi Gergely.

No... I'm not a exim newbie.

The setup it's correct. Exim is doing both the server authentication for my
internal client as the client authentication with the outgoing smtp server.
And there no doubt about the setup because, if i change the address to
another ISP all works. With the gmail smtp server works too, but i need to
force ssl to work with it (that it's a requirement of gmail service and
this sounds okay for me).


------------------------------
Date: Fri, 14 Jun 2013 17:16:47 +0200
Subject: Re: [exim] exim acting as client on office365
From: gergely< at >polonkai.eu
To: ramatukuma< at >hotmail.com
CC: exim-users< at >exim.org


On 14 Jun 2013 15:56, "Reinaldo Matukuma" <ramatukuma< at >hotmail.com> wrote:
server with authentication.
LOGIN) that will be sent after TLS.
correct announce of AUTH mechanisms....
36700160         250-PIPELINING         250-DSN
250-ENHANCEDSTATUSCODES         250-STARTTLS         250-AUTH
250-8BITMIME         250-BINARYMIME         250 CHUNKING
don't find the correct authenticator data to use:
authentication mechanismsskipping server_plain authenticator: not
configured as a clientskipping server_login authenticator: not configured
as a client  SMTP>> QUIT
LOGIN mechanism as fallback when it don't find any valid mechanism for auth
as client? Someone had the same problem? How to fix this? Or maybe this is
something to send to bug list?

Hello,

for me it seems that your authenticators are not set up to login on other
servers, but to accept client logins. I'm not near a computer at the
moment, but it was a common issue when people tried to use GMail as a
smarthost, so if you try searching on that topic, you may find a solution.

Best,
Gergely

Hi all.
I had a situation today where i need that exim act as client on office365
server with authentication.
So, i have configured two authenticators (one for PLAIN and other for
LOGIN) that will be sent after TLS.
The problem that i found is that the office365 server isn't doing the
correct announce of AUTH mechanisms....
Running exim in debug mode i saw this:
  SMTP<< 250-pod51028.outlook.com Hello [189.74.52.32]         250-SIZE
36700160         250-PIPELINING         250-DSN
250-ENHANCEDSTATUSCODES         250-STARTTLS         250-AUTH
250-8BITMIME         250-BINARYMIME         250 CHUNKING
They are announcing only that has auth capability, right? So... the exim
don't find the correct authenticator data to use:
207.46.4.237 in hosts_require_auth? yes (matched
"pod51028.outlook.com")scanning
authentication mechanismsskipping server_plain authenticator: not
configured as a clientskipping server_login authenticator: not configured
as a client  SMTP>> QUIT
So... My doubt is... There are a way to configure exim to use for example
LOGIN mechanism as fallback when it don't find any valid mechanism for auth
as client? Someone had the same problem? How to fix this? Or maybe this is
something to send to bug list?
Thanks
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: exim acting as client on office365

ramatukuma — 2013-06-14T16:22:07

Hi Odhiambo.

The AUTH is incorrectly advertised. A correct setup would announce all the
mechanisms available for authentication.

So, a correct answer at smtp will be, for example:

250-AUTH PLAIN LOGIN

And what the office 365 servers are answering is:

250-AUTH

This is incorrect and that is the point of the problem because exim search
for the correct credential when acting as a client, based on the mechanisms
available (and in this case, there are no one mechanism available because
no one mechanism was announced).

This is what I search and asked if someone else has or had the same problem
because I think that the two ways to fix this is:

1 - make the office 365 do the right answer when receive the EHLO verb (but
it's exchange and it's microsoft - what means that this probably will never
be fixed).

2 - make the exim do the authentication using some fallback-style-schema
when you already had setup hosts_require_auth for some of the office 365
servers).

Had any other idea?

Thank's

And... Ya... It's friday... My brain is exhausted too!



------------------------------
From: odhiambo< at >gmail.com
Date: Fri, 14 Jun 2013 17:02:18 +0300
Subject: Re: [exim] exim acting as client on office365
To: ramatukuma< at >hotmail.com
CC: exim-users< at >exim.org

How can you use AUTH when it's not advertised? Or maybe it's Friday my
brain is already tuned to something.


On 14 June 2013 16:54, Reinaldo Matukuma <ramatukuma< at >hotmail.com> wrote:

Hi all.
I had a situation today where i need that exim act as client on office365
server with authentication.
So, i have configured two authenticators (one for PLAIN and other for
LOGIN) that will be sent after TLS.
The problem that i found is that the office365 server isn't doing the
correct announce of AUTH mechanisms....
Running exim in debug mode i saw this:
  SMTP<< 250-pod51028.outlook.com Hello [189.74.52.32]         250-SIZE
36700160         250-PIPELINING         250-DSN
250-ENHANCEDSTATUSCODES         250-STARTTLS         250-AUTH
250-8BITMIME         250-BINARYMIME         250 CHUNKING
They are announcing only that has auth capability, right? So... the exim
don't find the correct authenticator data to use:
207.46.4.237 in hosts_require_auth? yes (matched
"pod51028.outlook.com")scanning
authentication mechanismsskipping server_plain authenticator: not
configured as a clientskipping server_login authenticator: not configured
as a client  SMTP>> QUIT
So... My doubt is... There are a way to configure exim to use for example
LOGIN mechanism as fallback when it don't find any valid mechanism for auth
as client? Someone had the same problem? How to fix this? Or maybe this is
something to send to bug list?
Thanks
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: exim acting as client on office365

Reinaldo Matukuma — 2013-06-14T17:49:47

Mike. You are right.
I forgot to see with the hosts_require_tls enabled for this host.
So... There are a strange behavior...
I have the correct user, the correct password and try again using the TLS.
And... On debug log... I had the same auth fail problem:

  SMTP>> STARTTLSwaiting for data on socketread response data: size=29  SMTP<< 220 2.0.0 SMTP server readysetting SSL CTX options: 0x1000000Diffie-Hellman initialized from default with 2048-bit primeInitialized TLSCalling SSL_connectSSL info: before/connect initializationSSL info: before/connect initializationSSL info: SSLv2/v3 write client hello ASSL info: SSLv3 read server hello ASSL info: SSLv3 read server certificate ASSL info: SSLv3 read server done ASSL info: SSLv3 write client key exchange ASSL info: SSLv3 write change cipher spec ASSL info: SSLv3 write finished ASSL info: SSLv3 flush dataSSL info: SSLv3 read finished ASSL info: SSL negotiation finished successfullySSL info: SSL negotiation finished successfullySSL_connect succeededCipher: TLSv1:AES128-SHA:128  SMTP>> EHLO host.mylo
 calsmtp.com.brtls_do_write(0xbf9ff3fc, 25)SSL_write(SSL, 0xbf9ff3fc, 25)outbytes=25 error=0waiting for data on socketCalling SSL_read(0x8143148, 0xbf9fd3fc, 4096)read response data: size=176  SMTP<< 250-pod51028.outlook.com Hello [189.74.52.32]         250-SIZE 36700160         250-PIPELINING         250-DSN         250-ENHANCEDSTATUSCODES         250-AUTH LOGIN         250-8BITMIME         250-BINARYMIME         250 CHUNKING207.46.4.237 in hosts_avoid_pipelining? no (option unset)using PIPELININGgethostbyname looked up these IP addresses:  name=pod51028.outlook.com address=207.46.4.237207.46.4.237 in hosts_require_auth? yes (matched "pod51028.outlook.com")scanning authentication mechanismsskipping server_plain authenticator: not configured as a clientskipping server_login authenticator:
  not configured as a client  SMTP>> AUTH LOGINtls_do_write(0xbf9ff3fc, 12)SSL_write(SSL, 0xbf9ff3fc, 12)outbytes=12 error=0waiting for data on socketCalling SSL_read(0x8143148, 0xbf9fd3fc, 4096)read response data: size=18  SMTP<< 334 VXNlcm5hbWU6search_open: lsearch "/opt/addons/etc/exim/client_credentials.conf"search_find: file="/opt/addons/etc/exim/client_credentials.conf"  key="emexis_redirect_delivery_5" partial=-1 affix=NULL starflags=0LRU list:  5/opt/addons/etc/exim/client_credentials.conf  Endinternal_search_find: file="/opt/addons/etc/exim/client_credentials.conf"  type=lsearch key="redirect_delivery_5"file lookup required for redirect_delivery_5  in /opt/addons/etc/exim/client_credentials.conflookup yielded: user="xxx< at >domain" pass="mypass"  SMTP>> ****************************tl
 s_do_write(0xbf9ff3fc, 30)SSL_write(SSL, 0xbf9ff3fc, 30)outbytes=30 error=0waiting for data on socketCalling SSL_read(0x8143148, 0xbf9fd3fc, 4096)read response data: size=18  SMTP<< 334 UGFzc3dvcmQ6search_open: lsearch "/opt/addons/etc/exim/client_credentials.conf"  cached opensearch_find: file="/opt/addons/etc/exim/client_credentials.conf"  key="emexis_redirect_delivery_5" partial=-1 affix=NULL starflags=0LRU list:  5/opt/addons/etc/exim/client_credentials.conf  Endinternal_search_find: file="/opt/addons/etc/exim/brc_client_credentials.conf"  type=lsearch key="redirect_delivery_5"cached data used for lookup of redirect_delivery_5  in /opt/addons/etc/exim/client_credentials.conflookup yielded: user="xxx< at >domain" pass="mypass"  SMTP>> ************tls_do_write(0xbf9ff3fc, 14)SSL_write(SSL, 
 0xbf9ff3fc, 14)outbytes=14 error=0waiting for data on socketCalling SSL_read(0x8143148, 0xbf9fd3fc, 4096)read response data: size=39  SMTP<< 535 5.7.3 Authentication unsuccessful

test

Reinaldo Matukuma — 2013-06-14T17:15:30

test
ignore please.
moderator, delete this message, please.
thanks