Dear all,
Something's been gradually melting my brain this morning and I've decided to
melt some other brains with it too.
We have three mail servers and 13,000 users. Each user lives on one of the
servers and we have some cunning trickery with transports to pass the mail
between servers. This has worked fine for several years. We're using exim
3.35 at the moment, and we can't afford to risk downtime moving to version 4
until the Summer.
A few weeks back, we got attacked by a vast flood of spam which brought the
service to its knees. So, I've rearranged things to take the spam scanning
out of the exim scripts and into an offline scanner which looks at the
spool. Now, when mail comes in, it gets queued until it's been virus and
spam scanned. Then a queue runner fires off the messages to another copy of
exim running on port 2525 on the appropriate recipient server (like
mailscanner does).
The copy of exim on port 2525 is running with a pretty much standard
configuration. Now, however, if someone has a vacation message, the
returned message gets stuck in the queue. I've done some poking around and
found that the exim/input/* files for such messages are being created as the
local user rather than as the exim user. Running the queue manually from
root allows the messages to go through OK, as does changing the ownership of
the spool files to the exim user.
I can make this happen reliably without going through the port 25 listener,
using "echo test | exim -C port2525.conf auj"
All this sounds quite similar to the following thread
http://www.exim.org/mailman/htdig/exim-users/Week-of-Mon-20020930/044374.html
but I can't find anything listing a resolution of that.
I'm including a copy of the config file and a debug log. If anyone can
explain what's going on, I'll be most grateful...
Oh, and the perl functions are pretty simple - "Misc::shouldforward" looks
up whether the local user should have mail passed to one of the other
servers; Misc::forwardtransport returns the name of the transport that
should be used to do this and Biff::send sends a biff message to them.
(The first two could be done with a fairly complicated ${lookup...)
Cheers,
Alun.
=============== port2525.conf
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
# Perl filtering. /etc/exim.pl contains subroutine definitions that
# we can then use in filters using ${perl{...
perl_at_start = true
perl_startup = do '/etc/exim/exim.pl'
daemon_smtp_port = 2525
localhost_number = ${lookup{$primary_hostname}lsearch{/etc/exim/servernumbers.txt}{$value}{255}}
rfc1413_hosts =
# Obscure our software version info.
smtp_banner = "${primary_hostname} ESMTP UWA EMail Service \* ${tod_full}"
# Added 26/5/1999 auj - we can get rid of the extra bumf from the end
# of people's gecos entries...
gecos_pattern = "([^,]*)"
gecos_name = $1
exim_user = exim
exim_group = exim
# Specify the domain you want to be added to all unqualified addresses
# here. If this option is not set, the primary_hostname value is used.
qualify_domain = aber.ac.uk
# Local domains
local_domains = "\
aber.ac.uk:\
aberystwyth.ac.uk:\
glac.ies.aber.ac.uk:\
glac2.ies.aber.ac.uk:\
lib.aber.ac.uk:\
grg.aber.ac.uk:\
nwales.wea.org.uk:\
cllc.org.uk:\
wbc.org.uk:\
rcahmw.org.uk:\
planetmagazine.org.uk:\
mappingwales.ac.uk:\
cymru-breeding.org.uk:\
welsh-lit-abroad.org:\
llen-cymru-dramor.org:\
lit-across-frontiers.org:\
llcd-wla.org:\
abergc.com:\
"
# No local deliveries will ever be run under the uids of these users (a colon-
# separated list).
never_users = root
# Here's the prohibition message.
prohibition_message = "${lookup{$prohibition_reason}lsearch\
{/etc/exim/reject.messages}{${expand:$value}}}"
# The delivery copy only accepts connections from other Aber mail
# servers.
host_accept_relay = "144.124.16.40:144.124.16.41:144.124.16.42:127.0.0.1:144.124.16.34"
# Message Protection Measures
message_size_limit = 15M
smtp_accept_max = 60
headers_sender_verify_errmsg
# Drop bounce messages that give errors
ignore_errmsg_errors
host_lookup = 0.0.0.0/0
message_body_visible = 4000
message_filter = /etc/exim/message-filter
message_filter_reply_transport = address_reply
message_filter_pipe_transport = address_pipe
message_filter_file_transport = address_file
# Allow local hosts to specify unqualified usernames, add qualify_domain
# gkb 18/8/97
sender_unqualified_hosts = *.aber.ac.uk
receiver_unqualified_hosts = *.aber.ac.uk
# If you are running Exim under its own uid (recommended), then you should
# set up that uid as a trusted user by de-commenting the following and
# changing the name if necessary.
# We're still doing this for systems safety - rwj
trusted_users = exim:majordom
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# This transport is used for local delivery to user mailboxes. By default
# it will be run under the uid and gid of the local user, and requires
# the sticky bit to be set on the /var/mail directory. Some systems use
# the alternative approach of running mail deliveries under a particular
# group instead of using the sticky bit. The commented options below show
# how this can be done.
local_delivery:
driver = appendfile
file = /var/mail/${local_part}
# This transport is used for handling pipe addresses generated by alias
# or .forward files. It has a conventional name, since it is not actually
# mentioned elsewhere in this configuration file. If the pipe generates
# any standard output, it is returned to the sender of the message as a
# delivery error. Set return_fail_output instead if you want this to happen
# only when the pipe fails to complete normally.
address_pipe:
driver = pipe
return_output
# This transport is used for handling file addresses generated by alias
# or .forward files. It has a conventional name, since it is not actually
# mentioned elsewhere in this configuration file.
address_file:
driver = appendfile
# This transport is used for handling autoreplies generated by the filtering
# option of the forwardfile director. It has a conventional name, since it
# is not actually mentioned elsewhere in this configuration file.
address_reply:
driver = autoreply
# This transport is used for delivering messages over SMTP connections.
remote_smtp:
driver = smtp
hosts_avoid_tls = *
# This transport puts stuff into /dev/null
# Used for dropping bounce messages early.
devnull:
driver = appendfile
user = nobody
file = /dev/null
# Transports which bounce local mail to the appropriate local server.
# One transport per server.
send_to_braint:
driver = smtp
port = 2525
allow_localhost = yes
hosts = braint.aber.ac.uk
send_to_cefni:
driver = smtp
port = 2525
allow_localhost = yes
hosts = cefni.aber.ac.uk
send_to_tweli:
driver = smtp
port = 2525
allow_localhost = yes
hosts = tweli.aber.ac.uk
######################################################################
# DIRECTORS CONFIGURATION #
######################################################################
# Aliases come next, so that local addresses get resolved down to usernames.
system_aliases:
home_directory = /var/spool/mail
user = exim
driver = aliasfile
file = /etc/aliases.dbm
search_type = dbm
file_transport = address_file
pipe_transport = address_pipe
modemask = 133
condition = "${if match {$local_part}{.*-outgoing} \
{${if eq {$received_protocol}{local} \
{${if eq {$sender_ident}{majordom} \
{true}{false}}}{false}}}{true}}"
# System-wide automatic processing on a per-address basis that depends on
# the contents of messages can be implemented by means of a system mail
# filter file, using a director such as the following:
#
system_filter:
home_directory = /var/spool/mail
no_verify
driver = forwardfile
no_check_local_user
filter
file = /etc/exim/system-filter
user = nobody
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
# Forward files. Ours are kept in /var/mail/forward since
# our users don't have individual home directories on the
# mail servers.
userforward:
home_directory = /var/spool/mail
no_verify
driver = forwardfile
check_ancestor
file = /var/mail/forward/$local_part
headers_add = "X-Forwarded-For: $local_part@???.\n\tSee http://www.inf.aber.ac.uk/ns3/systems/forward.asp\n\tor e-mail forward-request@??? to change\n"
filter
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
# This is getting silly! If the exim delivery daemon
# ends up generating a new local address then we might need
# to bounce that around again!
bounce_to_server:
home_directory = /var/spool/mail
driver = localuser
transport = ${perl{Misc::forwardtransport}}
condition = ${perl{Misc::shouldforward}}
localuser:
home_directory = /var/spool/mail
driver = localuser
condition = ${perl{Biff::send}}
transport = local_delivery
######################################################################
# ROUTERS CONFIGURATION #
######################################################################
# Drop bounce messages that can't get back to the alleged external sender
# after 12 hours. -- Added auj 7/3/2003 to try to drop spam bounces
# more quickly than the other dross.
early_bounce:
driver = domainlist
domains = !aber.ac.uk
condition = ${if and {{> {$message_age}{43200}}{eq{$sender_address}{}}}{yes}{no}}
route_list = "* localhost byname"
transport = devnull
# This router routes to remote hosts over SMTP using a DNS lookup with
# default options.
lookuphost:
driver = lookuphost
ignore_target_hosts = 127.0.0.1
transport = remote_smtp
# This router routes to remote hosts over SMTP by explicit IP address,
# given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
# require this facility, which is why it is enabled by default in Exim.
# If you want to lock it out, set forbid_domain_literals in the main
# configuration section above.
literal:
driver = ipliteral
transport = remote_smtp
######################################################################
# RETRY CONFIGURATION #
######################################################################
# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 2 hours and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 8 hours until 4 days have passed since the first
# failed delivery.
# Domain Error Retries
# ------ ----- -------
* * F,2h,15m; G,16h,2h,1.5; F,4d,8h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
# There are no rewriting specifications.
######################################################################
# AUTH CONFIGURATION #
######################################################################
# There are no authentication rules.
# End of Exim configuration file
=============== delivery.log
Exim version 3.35 debug level 99 uid=0 gid=0
Berkeley DB: Sleepycat Software: DB 2.4.14: (6/2/98)
search_open: lsearch "/etc/exim/servernumbers.txt"
search_find: file="/etc/exim/servernumbers.txt"
key="braint.aber.ac.uk" partial=-1
LRU list:
7/etc/exim/servernumbers.txt
End
internal_search_find: file="/etc/exim/servernumbers.txt"
type=lsearch key="braint.aber.ac.uk"
file lookup required for braint.aber.ac.uk
in /etc/exim/servernumbers.txt
lookup yielded: 1
Starting Perl interpreter
Caller is an admin user
Caller is a trusted user
user name "root" extracted from gecos field "root"
originator: uid=0 gid=0 login=root name=root
sender address = root@???
set_process_info: 8170 accepting a local non-SMTP message from
<root@???>
Sender: root@???
Recipients:
auj
search_tidyup called
>>Original headers (size=18):
Subject: AUJ TEST
rewrite_one_header: type=F:
From: root <root@???>
>>Final headers:
P Received: from root by braint.aber.ac.uk with local (Exim 3.35 #3)
id 193vpi-00027m-01
for auj@???; Fri, 11 Apr 2003 11:32:34 +0100
Subject: AUJ TEST
I Message-Id: <E193vpi-00027m-01@???>
F From: root <root@???>
T To: auj@???
Date: Fri, 11 Apr 2003 11:32:34 +0100
search_tidyup called
Data file written for message 193vpi-00027m-01
Writing spool header file
Size of headers = 295
LOG: 0 MAIN
<= root@??? U=root P=local S=301
search_tidyup called
exec /usr/sbin/exim -d99 -C /etc/exim/exim.delivery.conf -Mc 193vpi-00027m-01
Exim version 3.35 debug level 99 uid=93 gid=93
Berkeley DB: Sleepycat Software: DB 2.4.14: (6/2/98)
search_open: lsearch "/etc/exim/servernumbers.txt"
search_find: file="/etc/exim/servernumbers.txt"
key="braint.aber.ac.uk" partial=-1
LRU list:
7/etc/exim/servernumbers.txt
End
internal_search_find: file="/etc/exim/servernumbers.txt"
type=lsearch key="braint.aber.ac.uk"
file lookup required for braint.aber.ac.uk
in /etc/exim/servernumbers.txt
lookup yielded: 1
Starting Perl interpreter
Caller is an admin user
Caller is a trusted user
set_process_info: 8171 delivering specified messages
delivering message 193vpi-00027m-01
set_process_info: 8171 delivering 193vpi-00027m-01
Opened spool file 193vpi-00027m-01-H
user=root uid=0 gid=0 sender=root@???
sender_local=1 resent=no ident=root
Non-recipients:
Empty Tree
---- End of tree ----
recipients_count=1
body_linecount=1 message_linecount=8
running system filter as uid=0 gid=93 euid=93 egid=93
Filter: start of processing
Filter: at end "delivered" is false
Filter: end of processing
Delivery address list:
auj@???
locked /var/spool/exim/db/retry.lockfile
opened DB file /var/spool/exim/db/retry: flags=0
>>>>>>>>>>>>>>>>>>>>>>>>
Considering: auj@???
aber.ac.uk in local_domains? yes (matched aber.ac.uk)
aber.ac.uk in percent_hack_domains? no (end of list)
unique = auj@???
dbfn_read: key=D:auj@???
auj@???: queued for directing
>>>>>>>>>>>>>>>>>>>>>>>>
directing auj@???
calling system_aliases director
df_lookup entered: search type = dbm
system_aliases director: dbm key=auj
file="/etc/aliases.dbm"
search_open: dbm "/etc/aliases.dbm"
search_find: file="/etc/aliases.dbm"
key="auj" partial=-1
LRU list:
1/etc/aliases.dbm
7/etc/exim/servernumbers.txt
End
internal_search_find: file="/etc/aliases.dbm"
type=dbm key="auj"
file lookup required for auj
in /etc/aliases.dbm
lookup failed
system_aliases director declined for auj:
calling system_filter director
system_filter director: file = /etc/exim/system-filter
set uid=0 gid=93 euid=99 egid=99
528 bytes read from /etc/exim/system-filter
file is a filter file
Filter: start of processing
search_open: dbm "/etc/exim/lock25.dbm"
search_find: file="/etc/exim/lock25.dbm"
key="auj" partial=-1
LRU list:
1/etc/exim/lock25.dbm
1/etc/aliases.dbm
7/etc/exim/servernumbers.txt
End
internal_search_find: file="/etc/exim/lock25.dbm"
type=dbm key="auj"
file lookup required for auj
in /etc/exim/lock25.dbm
lookup failed
Condition is false: ${lookup{$local_part}dbm{/etc/exim/lock25.dbm}{$value}} is
1
Filter: at end "delivered" is false
Filter: end of processing
restored uid=0 gid=93 euid=93 egid=93
calling userforward director
userforward director: file = /var/mail/forward/auj
set uid=0 gid=93 euid=6001 egid=6001
181 bytes read from /var/mail/forward/auj
file is a filter file
Filter: start of processing
Condition is true: $h_subject is AUJ TEST
Filter: mail to: root <root@???>
file: /var/mail/forward/auj.vacation.msg (expanded)
log: /var/mail/forward/auj.vacation.log
once: /var/mail/forward/auj.vacation
Filter: at end "delivered" is false
Filter: end of processing
restored uid=0 gid=93 euid=93 egid=93
userforward director generated >root <root@???>
pipe, file, or autoreply
errors_to=NULL transport=address_reply
uid=6001 gid=6001 home=/var/spool/mail
userforward director generated auj@???
userforward director succeeded for auj
locked /var/spool/exim/db/retry.lockfile
opened DB file /var/spool/exim/db/retry: flags=0
>>>>>>>>>>>>>>>>>>>>>>>>
Considering: auj@???
aber.ac.uk in local_domains? yes (matched aber.ac.uk)
aber.ac.uk in percent_hack_domains? no (end of list)
unique = \auj@???
dbfn_read: key=D:auj@???
auj@???: queued for directing
>>>>>>>>>>>>>>>>>>>>>>>>
Considering: >root <root@???>
unique = >root <root@???>:auj@???
>>>>>>>>>>>>>>>>>>>>>>>>
directing auj@???
calling system_aliases director
df_lookup entered: search type = dbm
system_aliases director: dbm key=auj
file="/etc/aliases.dbm"
search_open: dbm "/etc/aliases.dbm"
cached open
search_find: file="/etc/aliases.dbm"
key="auj" partial=-1
LRU list:
1/etc/aliases.dbm
1/etc/exim/lock25.dbm
7/etc/exim/servernumbers.txt
End
internal_search_find: file="/etc/aliases.dbm"
type=dbm key="auj"
cached data used for lookup of auj
in /etc/aliases.dbm
lookup failed
system_aliases director declined for auj:
calling system_filter director
system_filter director: file = /etc/exim/system-filter
set uid=0 gid=93 euid=99 egid=99
528 bytes read from /etc/exim/system-filter
file is a filter file
Filter: start of processing
search_open: dbm "/etc/exim/lock25.dbm"
cached open
search_find: file="/etc/exim/lock25.dbm"
key="auj" partial=-1
LRU list:
1/etc/exim/lock25.dbm
1/etc/aliases.dbm
7/etc/exim/servernumbers.txt
End
internal_search_find: file="/etc/exim/lock25.dbm"
type=dbm key="auj"
cached data used for lookup of auj
in /etc/exim/lock25.dbm
lookup failed
Condition is false: ${lookup{$local_part}dbm{/etc/exim/lock25.dbm}{$value}} is
1
Filter: at end "delivered" is false
Filter: end of processing
restored uid=0 gid=93 euid=93 egid=93
userforward director skipped: previously directed auj@???
calling localuser director
queued for local_delivery transport: local_part=auj domain=aber.ac.uk
errors_to=NULL
domain_data=NULL local_part_data=NULL
localuser director succeeded for auj
>>>>>>>>>>>>>>>>>>>>>>>>
After directing:
Local deliveries:
auj@???
>root <root@???>
Remote deliveries:
Failed addresses:
Addresses to be routed:
Deferred addresses:
search_tidyup called
>>>>>> Local deliveries >>>>>>
locked /var/spool/exim/db/retry.lockfile
opened DB file /var/spool/exim/db/retry: flags=0
dbfn_read: key=T:auj@???
delivering auj@??? as auj using local_delivery:
uid=6001 gid=6001 home=/var/spool/mail current=/var/spool/mail
auxiliary group list: <none>
set_process_info: 8172 delivering 193vpi-00027m-01 to auj using local_delivery
appendfile transport entered
appendfile: mode=600 notify_comsat=0 quota=0
file=/var/mail/auj format=unix
prefix=From ${if def:return_path{$return_path}{MAILER-DAEMON}}
${tod_bsdinbox}\n
suffix=\n
locking by lockfile fcntl
lock name: /var/mail/auj.lock
hitch name: /var/mail/auj.lock.braint.aber.ac.uk.3e9699c2.00001fec
lock file created
mailbox /var/mail/auj is locked
writing to file /var/mail/auj
writing data block fd=6 size=46 timeout=0
writing data block fd=6 size=437 timeout=0
writing data block fd=6 size=1 timeout=0
appendfile yields 0 with errno=0 more_errno=0
journalled \auj@???
search_tidyup called
local_delivery transport returned OK for auj@???
post-process auj@??? (0)
auj@??? succeeded: adding to nonrecipients list
LOG: 0 MAIN
=> auj <auj@???> D=localuser T=local_delivery
locked /var/spool/exim/db/retry.lockfile
opened DB file /var/spool/exim/db/retry: flags=0
dbfn_read: key=T:>root <root@???>@aber.ac.uk
delivering >root <root@???> as >root <root@???> using
address_reply:
uid=6001 gid=6001 home=/var/spool/mail current=/var/spool/mail
auxiliary group list: <none>
set_process_info: 8174 delivering 193vpi-00027m-01 to >root <root@???>
using address_reply
address_reply transport entered
taking data from address
no previous message sent to root <root@???>
Exim version 3.35 debug level 99 uid=6001 gid=6001
Berkeley DB: Sleepycat Software: DB 2.4.14: (6/2/98)
Removed setuid privilege: uid=6001 gid=6001 euid=6001 egid=6001
search_open: lsearch "/etc/exim/servernumbers.txt"
search_find: file="/etc/exim/servernumbers.txt"
key="braint.aber.ac.uk" partial=-1
LRU list:
7/etc/exim/servernumbers.txt
End
internal_search_find: file="/etc/exim/servernumbers.txt"
type=lsearch key="braint.aber.ac.uk"
file lookup required for braint.aber.ac.uk
in /etc/exim/servernumbers.txt
lookup yielded: 1
Starting Perl interpreter
LOG: 0 MAIN
<= <> R=193vpi-00027m-01 U=auj P=local S=337
logging message details
address_reply transport succeeded
journalled >root <root@???>:auj@???
search_tidyup called
address_reply transport returned OK for >root <root@???>
post-process >root <root@???> (0)
>root <root@???> succeeded: adding to nonrecipients list
auj@???: children all complete
LOG: 0 MAIN
=> >root <root@???> <auj@???> D=userforward T=address_reply
set_process_info: 8171 tidying up after delivering 193vpi-00027m-01
Processing retry items
Succeeded addresses:
>root <root@???>: no retry items
auj@???: no retry items
auj@???: no retry items
auj@???: no retry items
auj@???: no retry items
Failed addresses:
Deferred addresses:
end of retry processing
LOG: 0 MAIN
Completed
end delivery of 193vpi-00027m-01
search_tidyup called
search_tidyup called
Exim version 3.35 debug level 1 uid=6001 gid=6001
Berkeley DB: Sleepycat Software: DB 2.4.14: (6/2/98)
exim: Permission denied
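As an added example (not part of the original post or of Exim itself), two small shell checks for the symptom described in the message: one lists message ids whose spool header/data files are owned by someone other than the exim user, the other flags Exim process starts in a -d debug trace that run under a uid other than root or the exim uid. The spool path, the exim uid (93, as in the log) and the sample data below are assumptions.

```shell
#!/bin/sh
# Check 1: spool files in the Exim input directory not owned by the exim user.
# Check 2: Exim sub-processes in a debug trace that start without root privilege
#          (the "uid=6001" process starts in the log above).

# Print "owner path" for every spool header (-H) or data (-D) file under DIR.
# Real use: list_spool_owners /var/spool/exim/input | stuck_message_ids exim
list_spool_owners() {
    find "$1" -type f \( -name '*-H' -o -name '*-D' \) -exec sh -c '
        for f; do
            owner=$(stat -c %U "$f" 2>/dev/null || stat -f %Su "$f")
            printf "%s %s\n" "$owner" "$f"
        done' sh {} +
}

# Read "owner path" lines on stdin; print each message id whose spool file
# is not owned by EXIM_USER ($1), once per id.
stuck_message_ids() {
    awk -v want="$1" '
        $1 != want {
            n = split($2, parts, "/"); id = parts[n]
            sub(/-[HD]$/, "", id)     # strip the -H / -D suffix to get the id
            print id
        }' | sort -u
}

# Read Exim -d output on stdin; print every uid at which an Exim process
# started ("Exim version ... uid=N gid=M") that is neither 0 nor EXIM_UID ($1).
unexpected_process_uids() {
    awk -v exim_uid="$1" '
        /^Exim version .* uid=[0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^uid=/) {
                uid = substr($i, 5) + 0
                if (uid != 0 && uid != exim_uid) print uid
            }
        }' | sort -un
}

# Constructed sample listing (not real spool contents): the first id is the
# message from the log above, the second a made-up autoreply owned by user auj.
SAMPLE_LISTING='exim /var/spool/exim/input/193vpi-00027m-01-H
exim /var/spool/exim/input/193vpi-00027m-01-D
auj /var/spool/exim/input/1AAAAA-000001-01-H
auj /var/spool/exim/input/1AAAAA-000001-01-D'

# Process-start lines copied from the debug log above.
SAMPLE_DEBUG='Exim version 3.35 debug level 99 uid=0 gid=0
Exim version 3.35 debug level 99 uid=93 gid=93
Exim version 3.35 debug level 99 uid=6001 gid=6001
Exim version 3.35 debug level 1 uid=6001 gid=6001'

printf '%s\n' "$SAMPLE_LISTING" | stuck_message_ids exim      # 1AAAAA-000001-01
printf '%s\n' "$SAMPLE_DEBUG" | unexpected_process_uids 93     # 6001
```

The script only reports; re-owning the listed files to the exim user, as the post describes, is the manual remedy, and the uid check is a quick way to find where in a trace the delivery chain dropped to a local user.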