Re: [Exim] ORDB relay problems and sense of helo_verify in t…

Top Page
Delete this message
Reply to this message
Author: Nico Erfurth
Date:  
To: Michael Jakscht
CC: exim-users
Subject: Re: [Exim] ORDB relay problems and sense of helo_verify in this case...
Michael Jakscht wrote:

> Hi,
>
> I tried to test my mailhub with the ordb.org relaytester.
> All of the tests were rejected as they should except of two mails.
> One mail crashed amavis with an address like
> "localpart%domain.extern@???
> amavis didn't like that and sent out an error message - which ordb thought
> to be a relayed mail...


This shouldn't happen at all, the address shouldn't reach your amavis, I
hope you used no_verify in your amavis router.

> Second one was a director in exim for the case that our internal
> notes-server which doesn't recognize it's own domain "@vit.de" and
> therefore sends out those mails addressed to "localpart@???" to our
> external exim mailhub (to the notes-server this seems to be the internet of
> course...).
> On the mailhub I configured the following director for this special
> situation which came in conflict with one of the ORDB checks.


What kind of conflict?
Can you provide some debugoutput and your full configfile?
You can do some checking yourself, by testing with exim -bh
some.ext.ernal.ip

> ======================
> smtp_rzv_rzv_director:
>   driver = smartuser
>   condition = "${if and { \
>                         {eq {$sender_address_domain}{vit.de}} \
>                         {eq {$domain}{vit.de}} \
>                         } {yes}{no}}"
>   transport = transport_intern_rzv_smtp_rzv
> ======================


You should also check for the sender_host_address here (but amavis could
be a problem here :-/).

> ======================
> transport_intern_rzv_smtp_rzv:
> driver = smtp
> hosts = rzvmail.vit.de
> ======================
>
>
>
> As those two mails went back to ORDB it took my mailserver on the list of
> the hosts which allow relaying which I explicitly don't want to allow, of
> course not. :-)


The mails should have been rejected before being routed/directed at all.

> To get out of the ORDB I had to set I think almost all of exims
> restrictions for checking mail before accepting it.


Yes, but next time you should be more careful, and check WHY the mail
was accepted, before enable just everything :)

> I configured the following globlas and threw out (commented out) the amavis
> viruschecking as well as my special director (see above).
>
> ======================
> headers_sender_verify = yes
> headers_sender_verify_errmsg = yes
> headers_checks_fail = yes
> sender_verify = yes
> sender_verify_hosts = *
> sender_verify_reject = yes
> receiver_verify = yes
> receiver_verify_addresses = vit.de:nlb.de:nlbintra.net
> receiver_verify_hosts = vit.de:nlb.de:nlbintra.net
> receiver_verify_senders =
> *.ewetel.net:ewetel.net:*.ewetel.de:ewetel.de:*.ewe.de:ewe.de:!*
> host_lookup = *
> # helo_verify = lsearch;/etc/exim/no_helo_verify
> # receiver_unqualified_hosts =
> # sender_unqualified_hosts =
> # no_sender_verify
> # no_verify_recipient
> # percent_hack_domains = *
> smtp_verify = yes
> ======================


Your full config would be more helpful, just using receiver and sender
verify does not help you against relaying, unless your setup is REALLY
screwed ;)

> ======================
> /etc/exim/no_helo_verify
> ======================
> !gatekeeper2.vit.de:\

.....
> !*.sebastopol.ua:\
> !sebastopol.ua:\
> ======================
>
> Instead of accepting mails from above domains exim still rejected them...
> :-(
> Okay, maybe I missed something (like always... :-( ) and mistyped all
> these entries,
> but I still hope my way of adding them into the /etc/exim/no_helo_verify
> was okay...


It wasn't :)
Just add them line by line, like

gatekeeper2.vit.de
213.69.199.226
rzvnotes.vit.de
....

and use !lsearch-partial;/etc/exim/no_helo_verify in helo_verfiy


> The config change above was added yesterday (2003-01-07) at about 12:00
> local time (GMT+1)
>
> ======================
> /var/log/exim/exim_reject.log
> ======================
>
> ---------------------------------------------------------------------------
> ---
> 2003-01-07 16:19:27 rejected EHLO from smtp02.web.de (smtp.web.de)
> [217.72.192.151]
> ---------------------------------------------------------------------------


Well, this is exactly what helo_verify should do, and that's why it is
disabled by default ;)

Rejecting the connection if the HELO-name doesn't match the real
hostname (or reverse looked ip ip, etc).

....

> Now when I look at those reject logs I still see domains I think I
> explicitly disabled to do this mx-checking...
> Also I can see big email companis being rejected because of this "reverse
> mx-check" like web.de or epost.de.


Well, the manual says, that this is for people who want to be real
strict, but IMHO noone uses this these days.

> To me it seems like at this stage and/or in this/my situation the
> "helo_verify" is useless because exim does not really accept any mails from
> important emailcompanies any more. (even MARS company !!!! (snickers,
> twix, coca cola and so on) is rejected!!!)
>
> Has anyone the same problem or has anyone some tips for me?


Remove the helo_verify completly, and try to find you REAL problems with
your setup.

exim -d9 -bh is your friend.

ciao