[Exim] Problem with Exim 3.3x split configuration (MailScann…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Schramm, Dominik
Dátum:  
Címzett: Exim-Users (E-Mail)
Tárgy: [Exim] Problem with Exim 3.3x split configuration (MailScanner): "Remote Host is the local host"
Hi all,

We have Exim 3.35 running at our site (I know, "Please upgrade", but before
I do, I'd like to at least know what the problem is with the old installation
because maybe it will happen with Exim 4.x as well) and only now noticed that
irregularly but several times a day mails are not delivered and an NDR is
generated. This seems to have worsened over time.

I'd be very glad if anyone could (and would) still help me with this. I think I'm missing
something fundamental, which I might adopt into the 4.x configuration.
So when this is figured out, I'll happily migrate.

The situation:
We have Exim 3.35 running with two configurations "incoming" and "outgoing"
with Mailscanner/SpamAssassin 4.13.
The incoming exim process should do nothing more but verify recipient
addresses, partially based on the sender's domain, queue the messages
and leave them on the queue.
MailScanner checks the mails on the queue and hands them over to the
outgoing process, which does the actual delivering.
The eximhost is primary MX for the domains ourdomain.de, 2nddomain.de,
and some others, and as such is reachable from the Internet;
but this should not be a problem since all domains that should be local
because of what the MX records say and in fact aren't
are statically routed to another smart host. This smart host is an
MS Exchange server located in our internal network, which is not reachable
from the Internet.

All this works reliably in over 99% of all our mails (about 5000 per day), but for
about 20 per day (average), the following is logged:

2003-06-23 08:23:01 19UKjE-0002Hi-00 <= Order@??? H=(Internet) [Internet] ....
2003-06-23 08:23:01 19UKjE-0002Hi-00 == organizer@??? R=defer_router defer (-1): remote host address is the local host
2003-06-23 08:23:01 19UKjE-0002Hi-00 ** organizer@???: retry timeout exceeded
2003-06-23 08:23:01 19UKjE-0002Hi-00 Error message sent to Order@???
2003-06-23 08:23:01 19UKjE-0002Hi-00 Completed

2003-06-19 00:08:01 19Sl60-0006NM-00 <= ml-errors@??? H=(newsfeed.cts.com) [Internet] ....
2003-06-19 00:08:02 19Sl60-0006NM-00 == xy@??? R=defer_router defer (-1): remote host address is the local host
2003-06-19 00:08:02 19Sl60-0006NM-00 ** xy@???: retry timeout exceeded
2003-06-19 00:08:02 19Sl60-0006NM-00 Error message sent to ml-errors@???
2003-06-19 00:08:02 19Sl60-0006NM-00 Completed

2003-06-16 08:38:00 19Rncu-0004sM-00 <= organizer@??? H=(...) [10.16.24.9 LAN!!] ....
2003-06-16 08:38:01 19Rncu-0004sM-00 == abc@??? R=defer_router defer (-1): remote host address is the local host
2003-06-16 08:38:09 19Rncu-0004sM-00 => abc@??? R=lookuphost T=remote_smtp H=(Internet) [Internet]
2003-06-16 08:38:09 19Rncu-0004sM-00 Completed

So this seems to happen for any sender and any recipient (inside and outside the
company).
Is it possible that this is due to the retry rules in the incoming configuration.
Messages are put on the queue, but not even one second later (i.e. long before
the retry timeout), "retry timeout exceeded" is logged, and the message is sent
back to the sender with an NDR. Strangely enough, often sender and recipient are
identical: e.g. organizer@???; then sometimes the message can't be
delivered with the afore-mentioned error and an NDR is *successfully* sent to
the same address!
Since this often happens within one second, I finally dropped the idea that
our MS Exchange server might have something to do with this (it's caused a lot of
other trouble, though). This is the smarthost that receives the emails
for the company employees (with domains @ourdomain.de and @2nddomain.de).
All the other domains mentioned are either virtual (no real users, just
machines using these domains in sender addresses; replies to these
machine mails are forwarded to some user(s) in ourdomain.de or 2nddomain.de)
or have an MX somewhere else.

I also wonder if this may have anything to do with the defer router
in the incoming configuration:
defer_router:
driver = domainlist
self = defer
route_list = * 127.0.0.1 byname
no_verify

I'm using 127.0.0.1 here for no particular reason; mainly because I think it's
relevant since the incoming process just puts the messages on the queue and
does nothing else. The Reference Manual just states
> defer
> Delivery of the message is tried again later.

for the self option in routers. Normal retry rules should apply, but the error
is generated within one second after arrival.

I hope this is not too much information, but I think this configuration
has grown pretty complex by now, so I just included it whole.

Thanks for any help.

Dominik Schramm





Here's the default ("incoming") configuration which is stored as "configure_file"
(i.e., is also called when no explicit configuration file is given) has the
following main settings.

############
# INCOMING #
############

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################


qualify_domain = eximhost.ourdomain.de
local_domains = localhost:eximhost.ourdomain.de:eximhost
local_domains_include_host = true
relay_domains = 4thdomain.de:5thdomain.de:ourdomain.de:2nddomain.de:2nddomain.at
# relay_domains_include_local_mx = true
host_accept_relay = 127.0.0.1 : 10.16.0.0/16 : 10.16.24.200
spool_directory = /var/spool/exim_incoming
queue_only = true
sender_reject_recipients = partial-dbm;/etc/exim/bounce_senders
smtp_verify = false
smtp_accept_queue_per_connection = 100
receiver_try_verify = true
receiver_verify_hosts = ! 10.16.0.0/8


######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
local_delivery:
  driver = appendfile
  user = $local_part
  group = mail
  mode = 0660
  mode_fail_narrower = false
  envelope_to_add = true
  return_path_add = true
  file = /var/spool/mail/${local_part}


remote_smtp:
driver = smtp


######################################################################
#                      DIRECTORS CONFIGURATION                       #
######################################################################
real_local:
  prefix = real-
  driver = localuser
  transport = local_delivery
  verify_only
  verify_recipient


system_aliases:
driver = aliasfile
file_transport = address_file
pipe_transport = address_pipe
file = /etc/aliases
search_type = lsearch
verify_only
verify_recipient

lists:
driver = forwardfile
file = /usr/lists/$local_part
no_check_local_user
verify_only
verify_recipient

localuser:
driver = localuser
transport = local_delivery
verify_only
verify_recipient

defer_director:
driver = smartuser
new_address = :defer: All deliveries are deferred
no_verify


######################################################################
#                      ROUTERS CONFIGURATION                         #
######################################################################
bounce_recipients:
  condition = ${lookup{$local_part@$domain}lsearch{/etc/exim/bounce_recipients}{yes}{no}}
  driver = domainlist
  route_list = ourdomain.de 10.16.24.9 byname; \
               2nddomain.de 10.16.24.9 byname; \
               5thdomain.de 10.16.24.9 byname; \
               2nddomain.at 10.16.24.9 byname
  verify_only
  verify_recipient
  fail_verify


localdelivery:
  condition = ${lookup{$local_part@$domain}lsearch{/etc/exim/local_users}{yes}{no}}
  driver = domainlist
  transport = local_delivery
  route_list = ourdomain.de localhost byname; \
               5thdomain.de localhost byname; \
               2nddomain.de localhost byname; \
               2nddomain.at localhost byname
  verify_only
  verify_recipient


smarthost:
  driver = domainlist
  transport = remote_smtp
  route_list = ourdomain.de 10.16.24.9 byname; \
               2nddomain.de 10.16.24.9 byname; \
               5thdomain.de 10.16.24.9 byname; \
               2nddomain.at 10.16.24.9 byname
  verify_only
  verify_recipient


defer_router:
driver = domainlist
self = defer
route_list = * 127.0.0.1 byname
no_verify


######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################
*                      *           F,2h,15m; G,16h,2h,1.5; F,4d,8h



######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################
*@eximhost    ${lookup{$1}lsearch{/etc/email-addresses}\
                                                {$value}fail} frFs






--------------------------------------------------------------------

Here is the outgoing configuration, which is used to actually deliver mail.
Mails are taken out of the incoming queue by MailScanner, are scanned
for viruses etc. and put on the outgoing queue.

############
# OUTGOING #
############

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################


qualify_domain = eximhost.ourdomain.de
local_domains = localhost:eximhost.ourdomain.de:eximhost
local_domains_include_host = true
relay_domains = 4thdomain.de:5thdomain.de:ourdomain.de:2nddomain.de:2nddomain.at
# relay_domains_include_local_mx = true
host_accept_relay = 127.0.0.1 : 10.16.0.0/16
smtp_verify = false
smtp_accept_queue_per_connection = 100
freeze_tell_mailmaster = true
receiver_try_verify = true
message_filter = /etc/exim/system_filter


######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
throw_away:
  driver = appendfile
  user = mail
  file = /dev/null


local_delivery:
driver = appendfile
user = $local_part
group = mail
mode = 0660
mode_fail_narrower = false
envelope_to_add = true
return_path_add = true
file = /var/spool/mail/${local_part}

remote_smtp:
driver = smtp

maildirdrop:
driver = appendfile
directory = /home/$local_part/Mail
delivery_date_add
envelope_to_add
return_path_add
maildir_format
user = $local_part
prefix =
suffix =
check_string =


######################################################################
#                      DIRECTORS CONFIGURATION                       #
######################################################################
real_local:
  prefix = real-
  driver = localuser
  transport = local_delivery


system_aliases:
driver = aliasfile
file_transport = address_file
pipe_transport = address_pipe
file = /etc/aliases
search_type = lsearch

lists:
driver = forwardfile
file = /usr/lists/$local_part
no_check_local_user
forbid_pipe
forbid_file
errors_to = $local_part-request@$domain

localimap:
condition = ${lookup{$local_part@$domain}lsearch{/etc/exim/imap_users}{yes}{no}}
driver = localuser
transport = maildirdrop

localuser:
driver = localuser
transport = local_delivery


######################################################################
#                      ROUTERS CONFIGURATION                         #
######################################################################
# certain local_parts should be delivered locally
# to imap server even though domain is not in local_domains
localimap:
  condition = ${lookup{$local_part@$domain}lsearch{/etc/exim/imap_users}{yes}{no}}
  transport = maildirdrop
  driver = domainlist
  route_list = ourdomain.de localhost byname; \
               2nddomain.de localhost byname; \
               5thdomain.de localhost byname; \
               2nddomain.at localhost byname


# certain local_parts should be delivered locally
# (non-imap) even though domain is not in local_domains
localdelivery:
  condition = ${lookup{$local_part@$domain}lsearch{/etc/exim/local_users}{yes}{no}}
  driver = domainlist
  transport = local_delivery
  route_list = ourdomain.de localhost byname; \
               2nddomain.de localhost byname; \
               5thdomain.de localhost byname; \
               2nddomain.at localhost byname


smarthost:
  driver = domainlist
  transport = remote_smtp
  route_list = ourdomain.de 10.16.24.9 byname; \
               2nddomain.de 10.16.24.9 byname; \
               5thdomain.de 10.16.24.9 byname; \
               2nddomain.at 10.16.24.9 byname


throw_away:
condition = ${lookup{$sender_host_address}lsearch{/etc/exim/throw_away_domains}{yes}{no}}
driver = domainlist
transport = throw_away
route_list = * localhost byname

lookuphost:
driver = lookuphost
transport = remote_smtp


######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################
*                      *           F,2h,15m; G,16h,2h,1.5; F,4d,8h



######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################
*@eximhost    ${lookup{$1}lsearch{/etc/email-addresses}\
                        {$value}fail} frFs





--------------------------------------------------------------------

And finally here's the system filter file referenced in the outgoing configuration:

# Exim filter

if first_delivery and
  ($h_to: contains "@3rddomain.de" or $h_from: contains "@???")
then
   unseen deliver imcopy@localhost errors_to postmaster@???
   if error_message then
      seen deliver 3rddomain@??? errors_to postmaster@???
      finish
   endif
endif
if first_delivery and
  ($h_to: contains "info@???" or $h_to: contains "registration@???" or
   $h_to: contains "organizer@???" or $h_to: contains "hotline@???")
then
  unseen deliver 3rddomain@??? errors_to postmaster@???
  deliver external@??? errors_to postmaster@???
endif


if error_message then finish endif

if first_delivery and
($h_to: matches "(order|silent|bestellung|registration)@2nddomain.de" or
$h_from: matches "(order|silent|bestellung|registration)@2nddomain.de")
then
unseen deliver nmcopy@localhost errors_to postmaster@???
endif


if first_delivery and $h_to: contains 4thdomain@??? then
unseen deliver external@??? errors_to postmaster@???
unseen deliver shops.2nddomain@??? errors_to postmaster@???
endif

if first_delivery and
($h_to: matches "(hotline|order|registration|shop.registrierung)@4thdomain.de" or
$h_from: matches "(hotline|order|registration|shop.registrierung)@4thdomain.de")
then
unseen deliver whcopy@localhost errors_to postmaster@???

  if $h_to: matches "silentwh@???"
  then
     unseen deliver silent@??? errors_to postmaster@???
  elif $h_to: matches "basketwh@???"
  then
     unseen deliver basket@??? errors_to postmaster@???
  elif $h_to: matches "test.silentwh@???"
  then
     unseen deliver test.silent@??? errors_to postmaster@???
  elif $h_to: matches "test.basketwh@???"
  then
     unseen deliver test.basket@??? errors_to postmaster@???
  endif
endif






Dominik Schramm
Senior System Administrator
businessMart AG
eMail dominik.schramm@???
Web <http://www.businessmart.de>