rejected rcpt errors


rejected rcpt errors

Raymond Norton
I'm working on finishing up my baruwa 2.0 install. I am using the exim
and mailscanner .conf files from github (with the sed edits from Jeremy's
script). I am not getting any messages to run through the scanner yet.
The exim4 mainlog only shows the following error:

014-09-09 20:15:47 H=(xvm31164) [130.193.86.74] F=<[hidden email]>
rejected RCPT <[hidden email]>


The domain, account and delivery server are set up in baruwa. Is there a
way to get more verbose logging? The error is too generic for me to
identify the problem.



According to this, exim should deliver the message:

root@relay-3:~# exim -bt [hidden email]
[hidden email]
   router = deliver_clean_smtp, transport = remote_smtp
   host 10.10.4.13 [10.10.4.13]



more info:

root@relay-3:~# exim -bP
no_accept_8bitmime
acl_not_smtp =
acl_not_smtp_mime =
acl_not_smtp_start =
acl_smtp_auth =
acl_smtp_connect =
acl_smtp_data =
acl_smtp_dkim =
acl_smtp_etrn =
acl_smtp_expn =
acl_smtp_helo =
acl_smtp_mail =
acl_smtp_mailauth =
acl_smtp_mime =
acl_smtp_notquit =
acl_smtp_predata =
acl_smtp_quit =
acl_smtp_rcpt =
acl_smtp_starttls =
acl_smtp_vrfy =
admin_groups =
no_allow_domain_literals
no_allow_mx_to_ip
no_allow_utf8_domains
auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
auto_thaw = 0s
av_scanner = clamd:/var/run/clamav/clamd.ctl
bi_command =
bounce_message_file =
bounce_message_text =
bounce_return_body
bounce_return_message
bounce_return_size_limit = 100K
bounce_sender_authentication =
callout_domain_negative_expire = 3h
callout_domain_positive_expire = 1w
callout_negative_expire = 2h
callout_positive_expire = 1d
callout_random_local_part = $primary_hostname-$tod_epoch-testing
check_log_inodes = 0
check_log_space = 0
check_rfc2047_length
check_spool_inodes = 0
check_spool_space = 0
daemon_smtp_ports = 25 : 465 : 587
daemon_startup_retries = 9
daemon_startup_sleep = 30s
delay_warning = 1d
delay_warning_condition = ${if or {{
!eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }{
match{$h_precedence:}{(?i)bulk|list|junk} }{
match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }} {no}{yes}}
no_deliver_drop_privilege
deliver_queue_load_max =
delivery_date_remove
no_disable_ipv6
dkim_verify_signers = $dkim_signers
dns_again_means_nonexist =
dns_check_names_pattern =
(?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9/_-]*[^\W])?)+(\.?)$
dns_csa_search_limit = 5
dns_csa_use_reverse
dns_ipv4_lookup =
dns_retrans = 0s
dns_retry = 0
dns_use_edns0 = -1
no_drop_cr
dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain>
envelope_to_remove
errors_copy =
errors_reply_to =
exim_group = Debian-exim
exim_path = /usr/sbin/exim4
exim_user = Debian-exim
extra_local_interfaces =
extract_addresses_remove_arguments
finduser_retries = 0
freeze_tell =
gecos_name =
gecos_pattern =
no_gnutls_compat_mode
gnutls_require_kx =
gnutls_require_mac =
gnutls_require_protocols =
header_line_maxsize = 0
header_maxsize = 1048576
headers_charset = UTF-8
helo_accept_junk_hosts =
helo_allow_chars =
helo_lookup_domains = @ : @[]
helo_try_verify_hosts =
helo_verify_hosts =
hold_domains =
host_lookup =
host_lookup_order = bydns:byaddr
host_reject_connection =
hosts_connection_nolog =
hosts_treat_as_local =
ignore_bounce_errors_after = 1d
ignore_fromline_hosts =
no_ignore_fromline_local
keep_malformed = 4d
ldap_ca_cert_dir =
ldap_ca_cert_file =
ldap_cert_file =
ldap_cert_key =
ldap_cipher_suite =
ldap_default_servers =
ldap_require_cert =
no_ldap_start_tls
ldap_version = -1
local_from_check
local_from_prefix =
local_from_suffix =
local_interfaces = <; ::0 ; 0.0.0.0
local_scan_path =
local_scan_timeout = 5m
no_local_sender_retain
localhost_number =
log_file_path = /var/log/exim4/%slog
log_selector =
no_log_timezone
lookup_open_max = 25
max_username_length = 0
no_message_body_newlines
message_body_visible = 500
message_id_header_domain =
message_id_header_text =
message_logs
message_size_limit = 20M
no_move_frozen_messages
no_mua_wrapper
mysql_servers =
never_users = root
openssl_options =
percent_hack_domains =
perl_at_start
perl_startup = do '/etc/exim4/baruwa/exim-bcrypt.pl'
pgsql_servers = 127.0.0.1::5432/baruwa/baruwa/password
pid_file_path = /var/run/exim4/exim.pid
pipelining_advertise_hosts = 127.0.0.1
no_preserve_message_logs
primary_hostname = relay-3.lctn.org
no_print_topbitchars
process_log_path = /var/spool/exim/exim-process.info
prod_requires_admin
qualify_domain = relay-3.lctn.org
qualify_recipient = relay-3.lctn.org
queue_domains =
queue_list_requires_admin
no_queue_only
queue_only_file =
queue_only_load =
queue_only_load_latch
queue_only_override
no_queue_run_in_order
queue_run_max = 5
queue_smtp_domains =
receive_timeout = 0s
received_header_text = Received: ${if def:sender_rcvhost {from
$sender_rcvhost\n\t}{${if def:sender_ident {from
${quote_local_part:$sender_ident} }}${if def:sender_helo_name
{(helo=$sender_helo_name)\n\t}}}}by $primary_hostname ${if
def:received_protocol {with $received_protocol}} ${if def:tls_cipher
{($tls_cipher)\n\t}}(Baruwa 2.0)\n\t${if def:sender_address
{(envelope-from <$sender_address>)\n\t}}id $message_exim_id${if !eq
{$received_protocol}{split} { ret-id none;}{}}${if def:received_for
{\n\tfor $received_for}}
received_headers_max = 30
recipient_unqualified_hosts =
recipients_max = 0
no_recipients_max_reject
remote_max_parallel = 2
remote_sort_domains =
retry_data_expire = 1w
retry_interval_max = 1d
return_path_remove
rfc1413_hosts = *
rfc1413_query_timeout = 0s
sender_unqualified_hosts =
smtp_accept_keepalive
smtp_accept_max = 0
smtp_accept_max_nonmail = 10
smtp_accept_max_nonmail_hosts = *
smtp_accept_max_per_connection = 60
smtp_accept_max_per_host =
smtp_accept_queue = 0
smtp_accept_queue_per_connection = 10
smtp_accept_reserve = 0
smtp_active_hostname = ${if
!eq{$sender_host_address}{$received_ip_address}{${lookup
dnsdb{ptr=$received_ip_address}}}{$primary_hostname}}
smtp_banner = Baruwa 2.0 $tod_full
smtp_check_spool_space
smtp_connect_backlog = 20
no_smtp_enforce_sync
smtp_etrn_command =
smtp_etrn_serialize
smtp_load_reserve = 15.0
smtp_max_synprot_errors = 3
smtp_max_unknown_commands = 1
smtp_ratelimit_hosts =
smtp_ratelimit_mail =
smtp_ratelimit_rcpt =
smtp_receive_timeout = 10m
smtp_reserve_hosts =
no_smtp_return_error_details
spamd_address = 127.0.0.1 783
no_split_spool_directory
spool_directory = /var/spool/exim.in
sqlite_lock_timeout = 5
no_strict_acl_vars
no_strip_excess_angle_brackets
no_strip_trailing_dot
syslog_duplication
syslog_facility =
syslog_processname = exim
syslog_timestamp
system_filter =
system_filter_directory_transport =
system_filter_file_transport =
system_filter_group =
system_filter_pipe_transport =
system_filter_reply_transport =
system_filter_user =
tcp_nodelay
timeout_frozen_after = 3d
timezone =
tls_advertise_hosts = *
tls_certificate = /etc/pki/baruwa/baruwa.pem
tls_crl =
tls_dhparam =
tls_on_connect_ports = 465
tls_privatekey = /etc/pki/baruwa/baruwa.key
no_tls_remember_esmtp
tls_require_ciphers = TLSv1+HIGH : !SSLv2 : RC4+MEDIUM : !aNULL : !eNULL
: !3DES : !MD5 : !AES : !CAMELLIA : !PSK : !KRB5 : @STRENGTH
tls_try_verify_hosts =
tls_verify_certificates =
tls_verify_hosts =
trusted_groups =
trusted_users =
unknown_login =
unknown_username =
untrusted_set_sender =
uucp_from_pattern =
^From\s+(\S+)\s+(?:[a-zA-Z]{3},?\s+)?(?:[a-zA-Z]{3}\s+\d?\d|\d?\d\s+[a-zA-Z]{3}\s+\d\d(?:\d\d)?)\s+\d\d?:\d\d?
uucp_from_sender = $1
warn_message_file =
write_rejectlog





Re: rejected rcpt errors

Andrew Colin Kissa
Administrator

On 10 Sep 2014, at 3:44 AM, Raymond Norton <[hidden email]> wrote:

> The domain, account and delivery server are set up in baruwa. Is there a way to get more verbose logging? The error is too generic for me to indentify the problem??

Run a fake session from that address and do a SMTP conversation

exim -bh 130.193.86.74



--
Baruwa - www.baruwa.org

Re: rejected rcpt errors

Raymond Norton
Same issue:

ast login: Tue Sep  9 20:16:34 2014 from 10.50.50.30
root@relay-3:~# exim -bh 10.10.4.13

**** SMTP testing session as if from host 10.10.4.13
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? no (option unset)
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
220 Baruwa 2.0 Wed, 10 Sep 2014 05:52:19 -0500
helo mail.lctn.org
>>> mail.lctn.org in helo_lookup_domains? no (end of list)
250 relay-3.lctn.org Hello mail.lctn.org [10.10.4.13]
mail [hidden email]
250 OK
rcpt [hidden email]
>>> ACL is NULL: implicit DENY
550 Administrative prohibition
LOG: H=(mail.lctn.org) [10.10.4.13] F=[hidden email] rejected RCPT [hidden email]




On 09/10/2014 04:52 AM, Andrew Colin Kissa wrote:
On 10 Sep 2014, at 3:44 AM, Raymond Norton [hidden email] wrote:

The domain, account and delivery server are set up in baruwa. Is there a way to get more verbose logging? The error is too generic for me to indentify the problem??
Run a fake session from that address and do a SMTP conversation

exim -bh 130.193.86.74





Re: rejected rcpt errors

Andrew Colin Kissa
Administrator

On 10 Sep 2014, at 12:56 PM, Raymond Norton <[hidden email]> wrote:

> >>> ACL is NULL: implicit DENY

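That is your issue: you do not have any ACLs configured. With acl_smtp_rcpt unset, Exim rejects every RCPT command, which is the "implicit DENY" shown in the trace.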

acl_not_smtp =
acl_not_smtp_mime =
acl_not_smtp_start =
acl_smtp_auth =
acl_smtp_connect =
acl_smtp_data =
acl_smtp_dkim =
acl_smtp_etrn =
acl_smtp_expn =
acl_smtp_helo =
acl_smtp_mail =
acl_smtp_mailauth =
acl_smtp_mime =
acl_smtp_notquit =
acl_smtp_predata =
acl_smtp_quit =
acl_smtp_rcpt =
acl_smtp_starttls =
acl_smtp_vrfy =

Where did you get the configuration file?

Both Jeremy's and my sample configuration files do have ACLs enabled.

https://github.com/fluxlabs/baruwa/blob/master/2.0/extras/centos/config/exim/exim.conf#L18
https://github.com/akissa/baruwa2/blob/master/extras/config/exim/exim.conf#L18


--
Baruwa - www.baruwa.org

Re: rejected rcpt errors

Raymond Norton
I see... I disabled all ACLs because I couldn't get past the SPF errors below (the private IP is not part of the SPF record). I couldn't figure out how to disable only the SPF check or make a simple exception.


 exim -bh 10.10.4.13

**** SMTP testing session as if from host 10.10.4.13
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? no (option unset)
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
>>> using ACL "acl_check_connect"
>>> processing "accept"
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed
>>> processing "drop"
>>> check hosts = +blacklisted_hosts
>>> host in "pgsql;SELECT from_address FROM lists WHERE to_address='any' AND list_type=2 AND from_address='10.10.4.13';"? no (end of list)
>>> host in "+blacklisted_hosts"? no (end of list)
>>> drop: condition test failed
>>> processing "accept"
>>> check hosts = +whitelisted_hosts
>>> host in "pgsql;SELECT from_address FROM lists WHERE to_address='any' AND list_type=1 AND from_address='10.10.4.13';"? no (end of list)
>>> host in "+whitelisted_hosts"? no (end of list)
>>> accept: condition test failed
>>> processing "defer"
>>> check ratelimit = 250 / 15m / strict
>>> ratelimit condition limit=250 period=900 key=15m/per_mail/strict/10.10.4.13
>>> ratelimit initializing new key's data
>>> ratelimit db updated
>>> ratelimit computed rate 0.0
>>> defer: condition test failed
>>> processing "accept"
>>> accept: condition test succeeded
220 Baruwa 2.0 Wed, 10 Sep 2014 06:12:10 -0500
helo mail.lctn.org
>>> mail.lctn.org in helo_lookup_domains? no (end of list)
>>> using ACL "acl_check_helo"
>>> processing "drop"
>>> check condition = ${if def:sender_helo_name {false}{true}}
>>>                 = false
>>> drop: condition test failed
>>> processing "drop"
>>> check condition = ${if isip{$sender_helo_name}}
>>>                 =
>>> drop: condition test failed
>>> processing "accept"
>>> accept: condition test succeeded
250 relay-3.lctn.org Hello mail.lctn.org [10.10.4.13]
mail [hidden email]
250 OK
rcpt [hidden email]
>>> using ACL "acl_check_rcpt"
>>> processing "accept"
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed
>>> processing "drop"
>>> check hosts = +blacklisted_hosts
>>> host in "pgsql;SELECT from_address FROM lists WHERE to_address='any' AND list_type=2 AND from_address='10.10.4.13';"? no (end of list)
>>> host in "+blacklisted_hosts"? no (end of list)
>>> drop: condition test failed
>>> processing "drop"
>>> check domains = +blacklisted_domains
>>> lctn.org in "pgsql;SELECT from_address FROM lists WHERE to_address='any' AND list_type=2 AND from_address='lctn.org';"? no (end of list)
>>> lctn.org in "+blacklisted_domains"? no (end of list)
>>> drop: condition test failed
>>> processing "drop"
>>> check condition = ${if >{$rcpt_fail_count}{3} {yes}{no}}
>>>                 = no
>>> drop: condition test failed
>>> processing "drop"
>>> check senders = : postmaster@*
>>> lctn.org in ""? no (end of list)
>>> [hidden email] in ": postmaster@*"? no (end of list)
>>> drop: condition test failed
>>> processing "drop"
>>> check domains = +local_domains
>>> lctn.org in "@ : localhost : localhost.localdomain"? no (end of list)
>>> lctn.org in "+local_domains"? no (end of list)
>>> drop: condition test failed
>>> processing "drop"
>>> check domains = !+local_domains
>>> lctn.org in "!+local_domains"? yes (end of list)
>>> check local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
>>> support in "^[./|] : ^.*[@%!] : ^.*/\.\./"? no (end of list)
>>> drop: condition test failed
>>> processing "accept"
>>> check local_parts = postmaster
>>> support in "postmaster"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check hosts = +relay_from_hosts : +relay_sql_hosts
>>> gethostbyname2 looked up these IP addresses:
>>>   name=localhost address=::1
>>>   name=localhost address=127.0.0.1
>>> gethostbyname2 looked up these IP addresses:
>>>   name=localhost.localdomain address=127.0.0.1
>>> host in "localhost : localhost.localdomain"? no (end of list)
>>> host in "pgsql;SELECT address FROM relaysettings WHERE enabled='t' AND address='10.10.4.13';"? no (end of list)
>>> host in "+relay_from_hosts : +relay_sql_hosts"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check authenticated = *
>>> accept: condition test failed
>>> processing "require"
>>> check domains = +local_domains : +relay_sql_domains
>>> lctn.org in "pgsql;SELECT name FROM relaydomains WHERE name='lctn.org';"? yes (matched "pgsql;SELECT name FROM relaydomains WHERE name='lctn.org';")
>>> lctn.org in "+local_domains : +relay_sql_domains"? yes (matched "+relay_sql_domains")
>>> require: condition test succeeded
>>> processing "accept"
>>> check senders = +whitelisted_addresses
>>> [hidden email] in "pgsql;SELECT from_address FROM lists WHERE to_address='any' AND list_type=1 AND from_address='[hidden email]';"? no (end of list)
>>> [hidden email] in "+whitelisted_addresses"? no (end of list)
>>> accept: condition test failed
>>> processing "accept"
>>> check domains = +whitelisted_domains
>>> lctn.org in "pgsql;SELECT from_address FROM lists WHERE to_address='any' AND list_type=1 AND from_address='lctn.org';"? no (end of list)
>>> lctn.org in "+whitelisted_domains"? no (end of list)
>>> accept: condition test failed
>>> processing "drop"
>>> check dnslists = zen.spamhaus.org
>>> DNS list check: zen.spamhaus.org
>>> new DNS lookup for 13.4.10.10.zen.spamhaus.org
>>> DNS lookup for 13.4.10.10.zen.spamhaus.org failed
>>> => that means 10.10.4.13 is not listed at zen.spamhaus.org
>>> drop: condition test failed
>>> processing "drop"
>>> check dnslists = bl.spamcop.net : cbl.abuseat.org
>>> DNS list check: bl.spamcop.net
>>> new DNS lookup for 13.4.10.10.bl.spamcop.net
>>> DNS lookup for 13.4.10.10.bl.spamcop.net failed
>>> => that means 10.10.4.13 is not listed at bl.spamcop.net
>>> DNS list check: cbl.abuseat.org
>>> new DNS lookup for 13.4.10.10.cbl.abuseat.org
>>> DNS lookup for 13.4.10.10.cbl.abuseat.org failed
>>> => that means 10.10.4.13 is not listed at cbl.abuseat.org
>>> drop: condition test failed
>>> processing "drop"
>>> check dnslists = rbl.baruwa.net : rbl.baruwa.net/$sender_address_domain
>>>                = rbl.baruwa.net : rbl.baruwa.net/lctn.org
>>> DNS list check: rbl.baruwa.net
>>> new DNS lookup for 13.4.10.10.rbl.baruwa.net
>>> DNS lookup for 13.4.10.10.rbl.baruwa.net failed
>>> => that means 10.10.4.13 is not listed at rbl.baruwa.net
>>> DNS list check: rbl.baruwa.net/lctn.org
>>> new DNS lookup for lctn.org.rbl.baruwa.net
>>> DNS lookup for lctn.org.rbl.baruwa.net failed
>>> => that means lctn.org is not listed at rbl.baruwa.net
>>> drop: condition test failed
>>> processing "drop"
>>> check !verify = reverse_host_lookup
>>> looking up host name to force name/address consistency check
>>> looking up host name for 10.10.4.13
>>> IP address lookup yielded mail.lctn.org
>>> gethostbyname2 looked up these IP addresses:
>>>   name=mail.lctn.org address=10.10.4.13
>>> checking addresses for mail.lctn.org
>>>   10.10.4.13 OK
>>> drop: condition test failed
>>> processing "drop"
>>> check domains = +smtp_callback_domains
>>> lctn.org in "pgsql;SELECT name FROM mtasettings where name='lctn.org' AND smtp_callout='t';"? no (end of list)
>>> lctn.org in "+smtp_callback_domains"? no (end of list)
>>> drop: condition test failed
>>> processing "drop"
>>> check domains = +ldap_domains
>>> lctn.org in "pgsql;SELECT name FROM mtasettings WHERE name='lctn.org' AND ldap_callout='t';"? no (end of list)
>>> lctn.org in "+ldap_domains"? no (end of list)
>>> drop: condition test failed
>>> processing "deny"
>>> deny: condition test succeeded
550 Please see http://www.openspf.org/Why?scope=mfrom;identity=user@...;ip=10.10.4.13
LOG: H=mail.lctn.org [10.10.4.13] F=[hidden email] rejected RCPT [hidden email]: Please see http://www.openspf.org/Why?scope=mfrom;identity=user@...;ip=10.10.4.13


On 09/10/2014 06:09 AM, Andrew Colin Kissa wrote:
On 10 Sep 2014, at 12:56 PM, Raymond Norton [hidden email] wrote:

ACL is NULL: implicit DENY
That is your issue, you do not have ACL's

acl_not_smtp =
acl_not_smtp_mime =
acl_not_smtp_start =
acl_smtp_auth =
acl_smtp_connect =
acl_smtp_data =
acl_smtp_dkim =
acl_smtp_etrn =
acl_smtp_expn =
acl_smtp_helo =
acl_smtp_mail =
acl_smtp_mailauth =
acl_smtp_mime =
acl_smtp_notquit =
acl_smtp_predata =
acl_smtp_quit =
acl_smtp_rcpt =
acl_smtp_starttls =
acl_smtp_vrfy =

Why did you get the configuration file ?

Both Jeremy's and my sample configuration files do have ACL's enabled.

https://github.com/fluxlabs/baruwa/blob/master/2.0/extras/centos/config/exim/exim.conf#L18
https://github.com/akissa/baruwa2/blob/master/extras/config/exim/exim.conf#L18




Re: rejected rcpt errors

Andrew Colin Kissa
Administrator

On 10 Sep 2014, at 1:16 PM, Raymond Norton <[hidden email]> wrote:

> >>> deny: condition test succeeded
> 550 Please see http://www.openspf.org/Why?scope=mfrom;identity=user@...;ip=10.10.4.13
> LOG: H=mail.lctn.org [10.10.4.13] F=<[hidden email]> rejected RCPT [hidden email]: Please see http://www.openspf.org/Why?scope=mfrom;identity=user@...;ip=10.10.4.13

I am sure you know why this is the case here.

"v=spf1 ip4:64.8.148.0/27 a mx a:rt3.lctn.org a:relay-1.lctn.org a:relay-2.lctn.org a:relay-4.lctn.org a:moodle.lctn.org a:mail.lctn-mrved.org mx:mail.lctn-mrved.org mx:lctn.k12.mn.us ~all"


--
Baruwa - www.baruwa.org

Re: rejected rcpt errors

jvangent
Technically speaking, this mail should have gone through as the SPF record is:

        "v=spf1 ip4:64.8.148.0/27 a mx a:rt3.lctn.org a:relay-1.lctn.org a:relay
-2.lctn.org a:relay-4.lctn.org a:moodle.lctn.org a:mail.lctn-mrved.org mx:mail.l
ctn-mrved.org mx:lctn.k12.mn.us ~all"

The record ends in ~all (softfail), not -all (fail), so Exim should honour that and not deny the message.

Apart from changing the actual SPF record, you could use a hostlist to exempt this server from the SPF check.

________________________________________
Van: [hidden email] <[hidden email]> namens Andrew Colin Kissa <[hidden email]>
Verzonden: woensdag 10 september 2014 13:51
Aan: Baruwa users list
Onderwerp: Re: [Baruwa] rejected rcpt errors

On 10 Sep 2014, at 1:16 PM, Raymond Norton <[hidden email]> wrote:

> >>> deny: condition test succeeded
> 550 Please see http://www.openspf.org/Why?scope=mfrom;identity=user@...;ip=10.10.4.13
> LOG: H=mail.lctn.org [10.10.4.13] F=<[hidden email]> rejected RCPT [hidden email]: Please see http://www.openspf.org/Why?scope=mfrom;identity=user@...;ip=10.10.4.13

Am sure you know why this is the case here.

"v=spf1 ip4:64.8.148.0/27 a mx a:rt3.lctn.org a:relay-1.lctn.org a:relay-2.lctn.org a:relay-4.lctn.org a:moodle.lctn.org a:mail.lctn-mrved.org mx:mail.lctn-mrved.org mx:lctn.k12.mn.us ~all"



Re: rejected rcpt errors

Andrew Colin Kissa
Administrator

On 10 Sep 2014, at 2:02 PM, Jacco van Gent <[hidden email]> wrote:

> It does NOT state -all, so therefore exim should follow it and not deny it.
>
> Apart from changing the actual SPF record, you could use a hostlist to exempt this server from spf check.

Also note that the Debian/Ubuntu package does not use the C-based implementation of SPF
but a Perl one, so the behaviour may differ from what I wrote the ACL for.


--
Baruwa - www.baruwa.org

Re: rejected rcpt errors

Raymond Norton
I believe the best answer is to disable spf checking by exim, or at least make it less stringent and allow spamassassin rules to assign points to the message. I can't have this server be that stringent in the production environment. How would I disable spf checking? Tried my hand at it, but didn't work.


On 09/10/2014 07:10 AM, Andrew Colin Kissa wrote:
On 10 Sep 2014, at 2:02 PM, Jacco van Gent [hidden email] wrote:

It does NOT state -all, so therefore exim should follow it and not deny it. 

Apart from changing the actual SPF record, you could use a hostlist to exempt this server from spf check. 
Also note that the debian/ubuntu package does not use the C based implementation of SPF
but a perl one, the behaviour may defer from what i wrote the ACL for.




Re: rejected rcpt errors

Andrew Colin Kissa
Administrator

On 10 Sep 2014, at 2:21 PM, Raymond Norton <[hidden email]> wrote:

> I believe the best answer is to disable spf checking by exim, or at least make it less stringent and allow spamassassin rules to assign points to the message. I can't have this server be that stringent in the production environment. How would I disable spf checking? Tried my hand at it, but didn't work.

Just comment out the SPF part of the ACL or use Jeremy's config which does not have
SPF enabled.


--
Baruwa - www.baruwa.org

Re: rejected rcpt errors

jvangent
In reply to this post by Andrew Colin Kissa
For what it is worth, this is the config I am using for Exim on Ubuntu 12.04 LTS, with Exim compiled with SPF support:

# Deny the message when the SPF result is "fail". Only the hard-fail result is
# named in `spf = fail`; the poster reports that a softfail is treated differently.
# `hosts = !+spf_host` is true for hosts NOT in the named list spf_host, so listed
# hosts skip this statement. It comes before `spf`, and Exim evaluates conditions
# in order, so the SPF condition is not reached for exempted hosts.
# SPF_MSG is a macro (presumably the one defined in macros.conf - confirm).
# NOTE(review): every entry in spf_host is a sender for which SPF is no longer
# enforced; keep the list limited to hosts you control, such as internal relays.
deny  message         = [SPF] $sender_host_address is not allowed to send mail \
                          from $sender_address_domain SPF_MSG
          hosts         =!+spf_host
  log_message           = SPF check failed.
  spf                   = fail

including a host list (could of course also be a domain list) to exempt hosts/domains from this check (in my case taken from the Baruwa database using macros.conf).

And as far as I can remember SPF works correctly, including making a distinction between a soft and a hard fail.

This is Exim 4.82 compiled from source with EXPERIMENTAL_SPF=yes



________________________________________
Van: [hidden email] <[hidden email]> namens Andrew Colin Kissa <[hidden email]>
Verzonden: woensdag 10 september 2014 13:09
Aan: Baruwa users list
Onderwerp: Re: [Baruwa] rejected rcpt errors

On 10 Sep 2014, at 12:56 PM, Raymond Norton <[hidden email]> wrote:

> >>> ACL is NULL: implicit DENY

That is your issue, you do not have ACL's

acl_not_smtp =
acl_not_smtp_mime =
acl_not_smtp_start =
acl_smtp_auth =
acl_smtp_connect =
acl_smtp_data =
acl_smtp_dkim =
acl_smtp_etrn =
acl_smtp_expn =
acl_smtp_helo =
acl_smtp_mail =
acl_smtp_mailauth =
acl_smtp_mime =
acl_smtp_notquit =
acl_smtp_predata =
acl_smtp_quit =
acl_smtp_rcpt =
acl_smtp_starttls =
acl_smtp_vrfy =

Why did you get the configuration file ?

Both Jeremy's and my sample configuration files do have ACL's enabled.

https://github.com/fluxlabs/baruwa/blob/master/2.0/extras/centos/config/exim/exim.conf#L18
https://github.com/akissa/baruwa2/blob/master/extras/config/exim/exim.conf#L18



Re: rejected rcpt errors

Raymond Norton
In reply to this post by Andrew Colin Kissa
Just comment out the SPF part of the ACL or use Jeremy's config which does not have SPF enabled.


_______________________________________________


It's a mystery to me why I am still getting SPF errors. I am using Jeremy's configs (exim4.conf, exim_out.conf, macro.conf) and have commented out everything I can find for SPF, but I am still getting errors:

Here is what I have:

grep -R 'spf' /etc/exim4

(All lines containing 'spf' are commented out, outside of SPF_MSG)

/etc/exim4/exim4.conf.template:  # Use spfquery to perform a pair of SPF checks (for details, see
/etc/exim4/exim4.conf.template:  # http://www.openspf.org/)
/etc/exim4/exim4.conf.template:  # install "spf-tools-perl" which provides the spfquery command.
/etc/exim4/exim4.conf.template:  # Missing spf-tools-perl will trigger the "Unexpected error in
/etc/exim4/exim4.conf.template:#          http://www.openspf.org/Why?scope=${if def:sender_address_domain \
/etc/exim4/exim4.conf.template:#    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # Use spfquery to perform a pair of SPF checks (for details, see
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # http://www.openspf.org/)
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # install "spf-tools-perl" which provides the spfquery command.
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # Missing spf-tools-perl will trigger the "Unexpected error in
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:#          http://www.openspf.org/Why?scope=${if def:sender_address_domain \
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:#    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
/etc/exim4/exim4.conf:##spf =  = fail
/etc/exim4/exim4.conf:# #spf = _guess = fail
/etc/exim4/macros.conf:SPF_MSG = Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address


SPF error: (service exim4 restart)



2014-09-10 09:31:00 H=exchange-2.nls.k12.mn.us [64.8.148.99] F=[hidden email] rejected RCPT [hidden email]: Please see http://www.openspf.org/Why?scope=mfrom;identity=user@...;ip=64.8.148.99



Jeremy's edits:

# Adapt the sample Exim configuration to Debian paths and names by renaming the
# file and patching it in place with sed.
# mv replaces any existing /etc/exim4/exim4.conf without keeping a backup.
mv /etc/exim4/exim.conf /etc/exim4/exim4.conf
        # Rewrite /etc/exim to /etc/exim4. There is no g flag, so only the first
        # match on each line changes. The pattern is unanchored and also matches
        # the start of /etc/exim4, so a second run would produce /etc/exim44.
        sed -i s/"\/etc\/exim"/"\/etc\/exim4"/ /etc/exim4/exim4.conf
        # Replaces the first lowercase "spf" on each line with "#spf = ". The "#"
        # goes where the match is, not at the start of the line, and only lines
        # containing "spf" are touched (result on this page: `##spf =  = fail`).
        # NOTE(review): this does not comment out a whole ACL statement. An Exim
        # ACL verb with no remaining conditions always matches, so if a `deny`
        # line and its SPF_MSG message stay active it would reject every
        # recipient that reaches it. Verify the complete stanza is commented out.
        sed -i -e 's/spf/#spf = /' /etc/exim4/exim4.conf
        # Set the user to the Debian account name.
        sed -i s/"user = exim"/"user = Debian-exim"/ /etc/exim4/exim4.conf
        # Insert the database password. $pssqlpass is expanded outside the quotes,
        # so whitespace or glob characters split the argument, and "/", "&" or "\"
        # in the value are interpreted by sed. The password is also passed on
        # sed's command line.
        sed -i -e 's/verysecretpw/'$pssqlpass'/' /etc/exim4/macros.conf
        # Prefix the first "dbl_" on each line with "#"; as with the spf edit, the
        # "#" is placed at the match, not necessarily at the start of the line.
        sed -i -e 's/dbl_/#dbl_/' /etc/exim4/exim_out.conf
        sed -i s/"\/etc\/exim"/"\/etc\/exim4"/ /etc/exim4/exim_out.conf
        sed -i s/"\/etc\/exim"/"\/etc\/exim4"/ /etc/exim4/trusted-configs
        # Point the ClamAV socket name at clamd.ctl.
        sed -i s/"clamd.sock"/"clamd.ctl"/ /etc/exim4/exim4.conf


Re: rejected rcpt errors

jeremymcs
The Debian install was never tested completely. I wouldn't trust it. That was written when baruwa 2 was initially released. 

--
Jeremy McSpadden
Flux Labs | http://www.fluxlabs.net | Endless Solutions
Office : 850-250-5590x501 | Cell : 850-890-2543 | Fax : 850-254-2955

On Sep 10, 2014, at 9:42 AM, Raymond Norton <[hidden email]> wrote:

Just comment out the SPF part of the ACL or use Jeremy's config which does not have SPF enabled.


_______________________________________________


Its a mystery to me why I am still getting spf errors. I am using Jeremy's configs (exim4.conf, exim_out.conf, macro.conf) and commented anything I can find for spf, but still getting errors;

Here is what I have:

grep -R 'spf' /etc/exim4

(All lines containing 'spf' are commented out, outside of SPF_MSG)

/etc/exim4/exim4.conf.template:  # Use spfquery to perform a pair of SPF checks (for details, see
/etc/exim4/exim4.conf.template:  # http://www.openspf.org/)
/etc/exim4/exim4.conf.template:  # install "spf-tools-perl" which provides the spfquery command.
/etc/exim4/exim4.conf.template:  # Missing spf-tools-perl will trigger the "Unexpected error in
/etc/exim4/exim4.conf.template:#          http://www.openspf.org/Why?scope=${if def:sender_address_domain \
/etc/exim4/exim4.conf.template:#    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # Use spfquery to perform a pair of SPF checks (for details, see
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # http://www.openspf.org/)
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # install "spf-tools-perl" which provides the spfquery command.
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # Missing spf-tools-perl will trigger the "Unexpected error in
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:#          http://www.openspf.org/Why?scope=${if def:sender_address_domain \
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:#    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
/etc/exim4/exim4.conf:##spf =  = fail
/etc/exim4/exim4.conf:# #spf = _guess = fail
/etc/exim4/macros.conf:SPF_MSG = Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address


SPF error: (service exim4 restart)



2014-09-10 09:31:00 H=exchange-2.nls.k12.mn.us [64.8.148.99] F=[hidden email] rejected RCPT [hidden email]: Please see http://www.openspf.org/Why?scope=mfrom;identity=user@...;ip=64.8.148.99



Jeremy's edits:

# Excerpt of the install script's Exim step: renames the supplied exim.conf to
# the Debian file name, then patches paths, the run-as user, the DB password
# placeholder and the clamd socket name in place.
# NOTE(review): every sed below edits with -i and no backup suffix, and none of
# the patterns is anchored, so each one rewrites the first match on any line,
# wherever in the line it occurs.
mv /etc/exim4/exim.conf /etc/exim4/exim4.conf
        # Not idempotent: "/etc/exim" is also a prefix of "/etc/exim4", so running
        # this a second time turns "/etc/exim4" into "/etc/exim44".
        sed -i s/"\/etc\/exim"/"\/etc\/exim4"/ /etc/exim4/exim4.conf
        # Case-sensitive substring replacement, not "comment out the line": the
        # first lowercase "spf" on a line becomes "#spf = ". A line that already
        # reads "#spf = fail" ends up as "##spf =  = fail" (the form shown in the
        # grep output in this thread), and a line that only mentions the
        # upper-case macro SPF_MSG is never touched.
        # NOTE(review): if a deny statement keeps its "message = SPF_MSG" line
        # while its SPF condition is commented out, it presumably applies to
        # every recipient - confirm against the ACL in exim4.conf.
        sed -i -e 's/spf/#spf = /' /etc/exim4/exim4.conf
        sed -i s/"user = exim"/"user = Debian-exim"/ /etc/exim4/exim4.conf
        # $pssqlpass is set outside this excerpt and is expanded unquoted between
        # the two quoted pieces: whitespace or glob characters in it are split or
        # expanded by the shell, and "/", "&" or "\" in it are interpreted by sed
        # instead of being written literally. The password is also part of sed's
        # argument list while the command runs.
        sed -i -e 's/verysecretpw/'$pssqlpass'/' /etc/exim4/macros.conf
        # Same substring approach as the spf line: prefixes the first "dbl_" on
        # each line with "#", even when it is not at the start of the line.
        sed -i -e 's/dbl_/#dbl_/' /etc/exim4/exim_out.conf
        sed -i s/"\/etc\/exim"/"\/etc\/exim4"/ /etc/exim4/exim_out.conf
        sed -i s/"\/etc\/exim"/"\/etc\/exim4"/ /etc/exim4/trusted-configs
        # Points the scanner socket at clamd.ctl; the "." in the pattern is a
        # regex wildcard, so it matches any character in that position.
        sed -i s/"clamd.sock"/"clamd.ctl"/ /etc/exim4/exim4.conf

Re: rejected rcpt errors

admin-at-extremeshok-dot-com
In reply to this post by Raymond Norton
What does 

grep -R -i 'spf' /etc/exim4

Give you ?

Sent from my iPhone

On 10 Sep 2014, at 4:40 PM, Raymond Norton <[hidden email]> wrote:

Just comment out the SPF part of the ACL or use Jeremy's config which does not have SPF enabled.


_______________________________________________


It's a mystery to me why I am still getting SPF errors. I am using Jeremy's configs (exim4.conf, exim_out.conf, macros.conf) and have commented out everything I can find for spf, but I am still getting errors:

Here is what I have:

grep -R 'spf' /etc/exim4

(All lines containing 'spf' are commented out, outside of SPF_MSG)

/etc/exim4/exim4.conf.template:  # Use spfquery to perform a pair of SPF checks (for details, see
/etc/exim4/exim4.conf.template:  # http://www.openspf.org/)
/etc/exim4/exim4.conf.template:  # install "spf-tools-perl" which provides the spfquery command.
/etc/exim4/exim4.conf.template:  # Missing spf-tools-perl will trigger the "Unexpected error in
/etc/exim4/exim4.conf.template:#          http://www.openspf.org/Why?scope=${if def:sender_address_domain \
/etc/exim4/exim4.conf.template:#    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # Use spfquery to perform a pair of SPF checks (for details, see
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # http://www.openspf.org/)
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # install "spf-tools-perl" which provides the spfquery command.
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:  # Missing spf-tools-perl will trigger the "Unexpected error in
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:#          http://www.openspf.org/Why?scope=${if def:sender_address_domain \
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:#    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
/etc/exim4/exim4.conf:##spf =  = fail
/etc/exim4/exim4.conf:# #spf = _guess = fail
/etc/exim4/macros.conf:SPF_MSG = Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address


SPF error: (service exim4 restart)



2014-09-10 09:31:00 H=exchange-2.nls.k12.mn.us [64.8.148.99] F=[hidden email] rejected RCPT [hidden email]: Please see http://www.openspf.org/Why?scope=mfrom;identity=user@...;ip=64.8.148.99



Jeremy's edits:

# Quoted excerpt of the install script: moves the supplied exim.conf to
# exim4.conf and rewrites several settings in the Exim config files with sed.
# NOTE(review): the edits are in place (-i, no backup) and unanchored; each
# command changes the first occurrence of its pattern on every matching line.
mv /etc/exim4/exim.conf /etc/exim4/exim4.conf
        # Re-running this is not safe: the pattern "/etc/exim" still matches
        # inside "/etc/exim4" and would produce "/etc/exim44".
        sed -i s/"\/etc\/exim"/"\/etc\/exim4"/ /etc/exim4/exim4.conf
        # Replaces the first lowercase "spf" on a line with "#spf = ". That only
        # comments a line out when "spf" is its first token; an already commented
        # "#spf = fail" becomes "##spf =  = fail", and lines containing only the
        # upper-case SPF_MSG are left as they are.
        # NOTE(review): check whether any ACL statement is left with its message
        # but without its SPF condition after this edit.
        sed -i -e 's/spf/#spf = /' /etc/exim4/exim4.conf
        sed -i s/"user = exim"/"user = Debian-exim"/ /etc/exim4/exim4.conf
        # The unquoted $pssqlpass (defined outside this excerpt) is subject to
        # shell word splitting and globbing, and sed treats "/", "&" and "\" in
        # it as syntax; the value also appears in sed's command line.
        sed -i -e 's/verysecretpw/'$pssqlpass'/' /etc/exim4/macros.conf
        # Prefixes the first "dbl_" on each line with "#", wherever it occurs.
        sed -i -e 's/dbl_/#dbl_/' /etc/exim4/exim_out.conf
        sed -i s/"\/etc\/exim"/"\/etc\/exim4"/ /etc/exim4/exim_out.conf
        sed -i s/"\/etc\/exim"/"\/etc\/exim4"/ /etc/exim4/trusted-configs
        # Switches the clamd socket name from clamd.sock to clamd.ctl ("." in the
        # pattern matches any single character).
        sed -i s/"clamd.sock"/"clamd.ctl"/ /etc/exim4/exim4.conf

Re: rejected rcpt errors

Andrew Colin Kissa
Administrator
In reply to this post by Raymond Norton


On 10 Sep 2014, at 4:40 PM, Raymond Norton <[hidden email]> wrote:

> SPF error: (service exim4 restart)

No need to disable the Debian-specific split exim configuration and use the
one-file setup of the supplied configuration.

Check the debian documentation on how you do this.


--
Baruwa - www.baruwa.org

Re: rejected rcpt errors

Raymond Norton
In reply to this post by admin-at-extremeshok-dot-com


On 09/10/2014 09:45 AM, [hidden email] wrote:
What does 

grep -R -i 'spf' /etc/exim4

Give you ?


I had run dpkg-reconfigure earlier and selected "Do not split files". I ran it again just now and am still getting the SPF error.

Here are the results of grep -R -i 'spf' /etc/exim4


(I moved conf.d to minimize the results)


root@relay-3:/etc/exim4# grep -R -i 'spf' /etc/exim4
/etc/exim4/exim4.conf.template:  # Use spfquery to perform a pair of SPF checks (for details, see
/etc/exim4/exim4.conf.template:  # http://www.openspf.org/)
/etc/exim4/exim4.conf.template:  # install "spf-tools-perl" which provides the spfquery command.
/etc/exim4/exim4.conf.template:  # Missing spf-tools-perl will trigger the "Unexpected error in
/etc/exim4/exim4.conf.template:  # SPF check" warning.
/etc/exim4/exim4.conf.template:#  .ifdef CHECK_RCPT_SPF
/etc/exim4/exim4.conf.template:#    message = [SPF] $sender_host_address is not allowed to send mail from \
/etc/exim4/exim4.conf.template:#          http://www.openspf.org/Why?scope=${if def:sender_address_domain \
/etc/exim4/exim4.conf.template:#    log_message = SPF check failed.
/etc/exim4/exim4.conf.template:#    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
/etc/exim4/exim4.conf.template:#    message = Temporary DNS error while checking SPF record.  Try again later.
/etc/exim4/exim4.conf.template:#    add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
/etc/exim4/exim4.conf.template:#    log_message = Unexpected error in SPF check.
/etc/exim4/exim4.conf:deny message = SPF_MSG
/etc/exim4/exim4.conf:##spf =  = fail
/etc/exim4/exim4.conf:# #spf = _guess = fail
/etc/exim4/macros.conf:SPF_MSG = Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address


Re: rejected rcpt errors

jvangent

/etc/exim4/exim4.conf:deny message = SPF_MSG

 

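I think you forgot to comment the above line out. It contains only the upper-case macro name, which is why it first showed up in the case-insensitive grep. If the SPF condition that belonged to this deny statement is among the lines that are already commented out, the statement may have no condition left and would then reject every recipient with SPF_MSG, which would match the log line you posted.

Maybe post a few lines before and after the above line.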

 


Van: [hidden email] <[hidden email]> namens Raymond Norton <[hidden email]>
Verzonden: woensdag 10 september 2014 17:55
Aan: Baruwa users list
Onderwerp: Re: [Baruwa] rejected rcpt errors
 


On 09/10/2014 09:45 AM, [hidden email] wrote:
What does 

 
grep -R -i 'spf' /etc/exim4

 
Give you ?


I had run dpkg reconfigure earlier and selected "Do not split files". Ran it again now. Still getting spf error

Here are the results of grep -R -i 'spf' /etc/exim4


(I moved conf.d to minimize the results)


root@relay-3:/etc/exim4# grep -R -i 'spf' /etc/exim4
/etc/exim4/exim4.conf.template:  # Use spfquery to perform a pair of SPF checks (for details, see
/etc/exim4/exim4.conf.template:  # http://www.openspf.org/)
/etc/exim4/exim4.conf.template:  # install "spf-tools-perl" which provides the spfquery command.
/etc/exim4/exim4.conf.template:  # Missing spf-tools-perl will trigger the "Unexpected error in
/etc/exim4/exim4.conf.template:  # SPF check" warning.
/etc/exim4/exim4.conf.template:#  .ifdef CHECK_RCPT_SPF
/etc/exim4/exim4.conf.template:#    message = [SPF] $sender_host_address is not allowed to send mail from \
/etc/exim4/exim4.conf.template:#          http://www.openspf.org/Why?scope=${if def:sender_address_domain \
/etc/exim4/exim4.conf.template:#    log_message = SPF check failed.
/etc/exim4/exim4.conf.template:#    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
/etc/exim4/exim4.conf.template:#    message = Temporary DNS error while checking SPF record.  Try again later.
/etc/exim4/exim4.conf.template:#    add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
/etc/exim4/exim4.conf.template:#    log_message = Unexpected error in SPF check.
/etc/exim4/exim4.conf:deny message = SPF_MSG
/etc/exim4/exim4.conf:##spf =  = fail
/etc/exim4/exim4.conf:# #spf = _guess = fail
/etc/exim4/macros.conf:SPF_MSG = Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address
