[Exim] ORDB relay problems and sense of helo_verify in this …

Author: Michael Jakscht
Date:  
To: exim-users
Subject: [Exim] ORDB relay problems and sense of helo_verify in this case...


Hi,

I tried to test my mailhub with the ordb.org relaytester.
All of the tests were rejected as they should except for two mails.
One mail crashed amavis with an address like
"localpart%domain.extern@???
amavis didn't like that and sent out an error message - which ordb thought
to be a relayed mail...
Second one was a director in exim for the case that our internal
notes-server which doesn't recognize its own domain "@vit.de" and
therefore sends out those mails addressed to "localpart@???" to our
external exim mailhub (to the notes-server this seems to be the internet of
course...).
On the mailhub I configured the following director for this special
situation which came in conflict with one of the ORDB checks.


======================
smtp_rzv_rzv_director:
  driver = smartuser
  condition = "${if and { \
                        {eq {$sender_address_domain}{vit.de}} \
                        {eq {$domain}{vit.de}} \
                        } {yes}{no}}"
  transport = transport_intern_rzv_smtp_rzv
======================


======================
transport_intern_rzv_smtp_rzv:
driver = smtp
hosts = rzvmail.vit.de
======================



As those two mails went back to ORDB it took my mailserver on the list of
the hosts which allow relaying which I explicitly don't want to allow, of
course not. :-)
To get out of the ORDB I had to set I think almost all of Exim's
restrictions for checking mail before accepting it.
I configured the following globals and threw out (commented out) the amavis
virus checking as well as my special director (see above).

======================
headers_sender_verify = yes
headers_sender_verify_errmsg = yes
headers_checks_fail = yes
sender_verify = yes
sender_verify_hosts = *
sender_verify_reject = yes
receiver_verify = yes
receiver_verify_addresses = vit.de:nlb.de:nlbintra.net
receiver_verify_hosts = vit.de:nlb.de:nlbintra.net
receiver_verify_senders = *.ewetel.net:ewetel.net:*.ewetel.de:ewetel.de:*.ewe.de:ewe.de:!*
host_lookup = *
# helo_verify = lsearch;/etc/exim/no_helo_verify
# receiver_unqualified_hosts =
# sender_unqualified_hosts =
# no_sender_verify
# no_verify_recipient
# percent_hack_domains = *
smtp_verify = yes
======================


======================
/etc/exim/no_helo_verify
======================
!gatekeeper2.vit.de:\
!213.69.199.226:\
!rzvnotes.vit.de:\
!rzvnotes3.vit.de:\
!rzvmail.vit.de:\
!nlbmail.vit.de:\
!*.nlbintra.net:\
!192.168.200.0/24:\
!172.16.1.27:\
!nlb.de:\
!*.fn-dokr.de:\
!*.lkvbw.de:\
!*.effem.co.uk:\
!*.eu.mars:\
!*.ebay.de:\
!*.ebay.com:\
!*.sourceforge.net:\
!*.krystaltech.de:\
!*.eins-und-eins.com:\
!*.eins-und-eins.de:\
!*.einsundeins.com:\
!*.einsundeins.de:\
!*.sebastopol.ua:\
!sebastopol.ua:\
======================

Instead of accepting mails from above domains exim still rejected them...
:-(
Okay, maybe I missed something (like always... :-( ) and mistyped all
these entries,
but I still hope my way of adding them into the /etc/exim/no_helo_verify
was okay...
The config change above was added yesterday (2003-01-07) at about 12:00
local time (GMT+1)

======================
/var/log/exim/exim_reject.log
======================
------------------------------------------------------------------------------
2003-01-07 16:19:27 rejected EHLO from smtp02.web.de (smtp.web.de) [217.72.192.151]
------------------------------------------------------------------------------
2003-01-07 16:19:27 rejected HELO from smtp02.web.de (smtp.web.de) [217.72.192.151]
------------------------------------------------------------------------------
2003-01-08 07:46:45 rejected HELO from unity5.einsundeins.com (unity5db.haus.eins-und-eins.de) [212.227.34.161]
------------------------------------------------------------------------------
2003-01-08 07:48:40 rejected EHLO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 07:48:40 rejected HELO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 07:49:12 rejected EHLO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 07:49:12 rejected HELO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 07:50:10 rejected EHLO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 07:50:11 rejected HELO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 07:50:33 rejected EHLO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 07:50:34 rejected HELO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 07:50:38 rejected EHLO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 07:50:38 rejected HELO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 07:56:57 rejected HELO from lists1.mysql.com (web.mysql.com) [62.119.101.229]
------------------------------------------------------------------------------
2003-01-08 08:03:42 rejected HELO from nlbmail.vit.de (nlb.de) [172.16.1.26]
------------------------------------------------------------------------------
2003-01-08 08:03:42 rejected MAIL FROM from nlbmail.vit.de (nlb.de) [172.16.1.26]: no HELO/EHLO given
------------------------------------------------------------------------------
2003-01-08 08:07:16 rejected EHLO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 08:07:16 rejected HELO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 08:11:40 rejected EHLO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 08:11:40 rejected HELO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
------------------------------------------------------------------------------
2003-01-08 08:12:42 rejected HELO from nlbmail.vit.de (nlb.de) [172.16.1.26]
------------------------------------------------------------------------------
2003-01-08 08:12:42 rejected MAIL FROM from nlbmail.vit.de (nlb.de) [172.16.1.26]: no HELO/EHLO given
------------------------------------------------------------------------------
2003-01-08 08:48:27 rejected EHLO from iswfwm1.effem.co.uk (iswmsw4.isw.eu.mars) [194.130.42.214]
------------------------------------------------------------------------------
2003-01-08 08:48:27 rejected HELO from iswfwm1.effem.co.uk (iswmsw4.isw.eu.mars) [194.130.42.214]
------------------------------------------------------------------------------
2003-01-08 08:49:20 rejected EHLO from iswfwm1.effem.co.uk (iswmsw4.isw.eu.mars) [194.130.42.214]
------------------------------------------------------------------------------
2003-01-08 08:49:20 rejected HELO from iswfwm1.effem.co.uk (iswmsw4.isw.eu.mars) [194.130.42.214]
------------------------------------------------------------------------------
2003-01-08 08:51:01 rejected EHLO from (vmmintsrv03) [212.18.21.119]
------------------------------------------------------------------------------
2003-01-08 09:13:43 rejected HELO from (server1-dmz.gifhorn.de) [62.154.205.10]
------------------------------------------------------------------------------
2003-01-08 09:18:07 rejected HELO from (mailserver.lkv.tlk.com) [195.202.62.166]
------------------------------------------------------------------------------
2003-01-08 09:19:28 rejected HELO from (server1-dmz.gifhorn.de) [62.154.205.10]
------------------------------------------------------------------------------
2003-01-08 09:21:44 rejected EHLO from (mail.epost.de) [193.28.100.187]
------------------------------------------------------------------------------
2003-01-08 09:21:44 rejected HELO from (mail.epost.de) [193.28.100.187]
------------------------------------------------------------------------------
2003-01-08 09:41:57 rejected EHLO from (mail.epost.de) [193.28.100.187]
------------------------------------------------------------------------------
2003-01-08 09:41:57 rejected HELO from (mail.epost.de) [193.28.100.187]
------------------------------------------------------------------------------
2003-01-08 09:47:37 rejected EHLO from (fncl1.fn-dokr.de) [80.156.8.226]
------------------------------------------------------------------------------
2003-01-08 09:47:37 rejected HELO from (fncl1.fn-dokr.de) [80.156.8.226]
------------------------------------------------------------------------------
======================


Now when I look at those reject logs I still see domains I think I
explicitly disabled to do this mx-checking...
Also I can see big email companies being rejected because of this "reverse
mx-check" like web.de or epost.de.

To me it seems like at this stage and/or in this/my situation the
"helo_verify" is useless because exim does not really accept any mails from
important email companies any more. (even MARS company !!!! (snickers,
twix, coca cola and so on) is rejected!!!)

Has anyone the same problem or has anyone some tips for me?

Thanks for reading and maybe ;-) helping me out again,

Michael
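
Added example, not part of the original post: a small Python triage script that lists each rejected HELO/EHLO from the reject log above and shows which exemption patterns from the no_helo_verify listing its names or address would match. The matcher is a simplified stand-in (glob and CIDR comparison), not Exim's own host-list logic, and reading each log line as "looked-up host name, then HELO name in parentheses" is an assumption; `triage`, `matches`, `EXEMPT` and `SAMPLE_LOG` are names made up for this example.

```python
import ipaddress
import re
from fnmatch import fnmatch

# Subset of the patterns in the /etc/exim/no_helo_verify listing from the post,
# with the leading "!" and the trailing ":\" removed.
EXEMPT = ["rzvmail.vit.de", "nlbmail.vit.de", "192.168.200.0/24", "172.16.1.27",
          "*.fn-dokr.de", "*.effem.co.uk", "*.eu.mars", "*.sourceforge.net",
          "*.einsundeins.com", "*.eins-und-eins.de"]

# Entries taken from the post's reject log, with the mail line wrapping undone.
SAMPLE_LOG = """\
2003-01-07 16:19:27 rejected EHLO from smtp02.web.de (smtp.web.de) [217.72.192.151]
2003-01-08 07:46:45 rejected HELO from unity5.einsundeins.com (unity5db.haus.eins-und-eins.de) [212.227.34.161]
2003-01-08 07:48:40 rejected EHLO from lists.sourceforge.net (sc8-sf-list2.sourceforge.net) [66.35.250.206]
2003-01-08 08:03:42 rejected HELO from nlbmail.vit.de (nlb.de) [172.16.1.26]
2003-01-08 09:21:44 rejected EHLO from (mail.epost.de) [193.28.100.187]
2003-01-08 09:47:37 rejected HELO from (fncl1.fn-dokr.de) [80.156.8.226]
"""

# Optional looked-up host name, HELO name in parentheses, then the peer address.
LINE = re.compile(r"rejected (?:HELO|EHLO) from (?:(\S+) )?\((\S+)\) \[([\d.]+)\]")

def matches(pattern, names, ip):
    """Simplified matcher: IP/CIDR patterns against the address, globs against names."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # pattern is a host name or glob, not an address
        return any(fnmatch(n.lower(), pattern.lower()) for n in names)

def triage(log_text, patterns=EXEMPT):
    """Return {ip: (host, helo, matched_patterns)} for every rejected HELO/EHLO."""
    result = {}
    for m in LINE.finditer(log_text):
        host, helo, ip = m.groups()
        # Both names are compared because the log does not say which one was consulted.
        names = [n for n in (host, helo) if n]
        result[ip] = (host, helo, [p for p in patterns if matches(p, names, ip)])
    return result

if __name__ == "__main__":
    for ip, (host, helo, hits) in triage(SAMPLE_LOG).items():
        status = "listed but rejected: " + ", ".join(hits) if hits else "not in list"
        print(f"{ip:16} host={host} helo={helo} -> {status}")
```

Hosts reported as "listed but rejected" are the ones the exemption list was expected to cover; hosts reported as "not in list" were never exempted by it.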