RE: [Exim] Exim-Exiscan 4.22-12 w/SA scanning outgoing mail

Author: Mirko Thiesen
Date:  
To: Dickenson, Steven
CC: exim-users
Subject: RE: [Exim] Exim-Exiscan 4.22-12 w/SA scanning outgoing mail
On Mon, 19 Apr 2004, Dickenson, Steven wrote:

> Mirko Thiesen wrote:
> > Okay. The box in question is in fact relaying mail for a few internal
> > hosts. It is connected to the Internet and does deliveries directly,
> > and since it is the only host with an external IP, it also receives
> > all incoming mail.
>
> Does it relay for end-users, or for other internal mail servers? Do you


It only does relaying for end-users, i.e. none of the other internal
servers have an MTA installed.

> have your internal IP range in the relay_from_hosts hostlist? Have you


relay_from_hosts does not contain an IP range as I want to permit mail
relaying only from specific hosts and not a complete subnet. However, all
hosts which should be able to relay mail through the Exim box are listed,
and it does not make any difference whether the email actually originates
on another internal server or on the system running Exim itself.

> tried running a simulated delivery? (exim -bh <internal_ip>)


I just did several simulated deliveries. Look at this one:

(00:32:28) root@ReLink [/usr/pkg/etc/exim] # exim -bh 127.0.0.1

**** SMTP testing session as if from host 127.0.0.1
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 127.0.0.1
>>> IP address lookup yielded localhost
>>> gethostbyname2 looked up these IP addresses:
>>> name=localhost address=::1
>>> name=localhost address=127.0.0.1
>>> checking addresses for localhost
>>> ::1
>>> 127.0.0.1 OK
>>> host in host_reject_connection? no (option unset)
>>> gethostbyname2 looked up these IP addresses:
>>> name=localhost address=::1
>>> name=localhost address=127.0.0.1
>>> host in sender_unqualified_hosts? yes (matched "localhost")
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

220 NetWorkXXIII.de ESMTP Exim 4.22 Tue, 20 Apr 2004 00:32:29 +0200
EHLO NetWorkXXIII.de
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> host in tls_advertise_hosts? no (option unset)

250-NetWorkXXIII.de Hello localhost [127.0.0.1]
250-SIZE 52428800
250-PIPELINING
250 HELP
MAIL From:<thiesi>
250 OK
RCPT To:<thiesi@???>
>>> using ACL "acl_check_rcpt"
>>> processing "deny"
>>> check senders = @@lsearch;/usr/pkg/etc/exim/rejectlist
>>> thiesi@??? in "@@lsearch;/usr/pkg/etc/exim/rejectlist"? no (end of list)
>>> deny: condition test failed
>>> processing "accept"
>>> check hosts = :127.0.0.1:+relay_from_hosts
>>> host in ":127.0.0.1:+relay_from_hosts"? yes (matched "127.0.0.1")
>>> accept: condition test succeeded

250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Message-ID: <31072961.1061202644666.JavaMail.root@???>
.
>>> host in ignore_fromline_hosts? no (option unset)
>>> using ACL "acl_check_content"
>>> processing "accept"
>>> check condition = ${if eq {${hmac{md5}{secret}{$body_linecount}}}{$h_X-Scan-Signature:}{1}{0}}
>>>                 = 0
>>> accept: condition test failed
>>> processing "accept"
>>> check hosts = 127.0.0.1:+relay_from_hosts
>>> host in "127.0.0.1:+relay_from_hosts"? yes (matched "127.0.0.1")
>>> accept: condition test succeeded

LOG: 1BFhKA-0007MT-8t <= thiesi@??? H=localhost (NetWorkXXIII.de) [127.0.0.1] P=esmtp S=335 id=31072961.1061202644666.JavaMail.root@???
250 OK id=1BFhKA-0007MT-8t

**** SMTP testing: that is not a real message id!

Actually it looks like everything would be fine: The message gets accepted
without further processing as 127.0.0.1 is recognized to be part of an
"accept hosts" list. But then, when I su to a test account and do a quick
"pine test", Exim puts the following message in test's mailbox:

Return-path: <test@???>
Envelope-to: test@???
Delivery-date: Tue, 20 Apr 2004 00:40:46 +0200
Received: from test (helo=localhost)
        by NetWorkXXIII.de with local-esmtp (Exim 4.22)
        id 1BFhRQ-0007N5-Dj
        for test@???; Tue, 20 Apr 2004 00:40:40 +0200
Date: Tue, 20 Apr 2004 00:40:40 +0200 (CEST)
From: Sample Test Idiot <test@???>
To: Sample Test Idiot <test@???>
Message-ID: <Pine.NEB.4.58.0404200040360.28338@???>
X-Composed-on: "This message was composed on Reliable Link, part of
NetWork XXIII, running NetBSD."
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Score: 0.0 (/)
X-Spam-Report: Spam detection software, running on the system
        "ReLink.NetWorkXXIII.de", has identified this incoming email as
        possible spam.  The original message has been attached to this so
        you can view it (if it isn't spam) or block similar future email.
        If you have any questions, see postmaster@??? for details.
        Content preview:  [...]
        Content analysis details:   (0.0 points, 5.0 required)
        pts rule name              description
        ---- ---------------------- --------------------------------------------------
X-Scan-Signature: d192e813d2f8d58612774d27c76294f0


After further playing around, I noticed that it seems to be somewhat
related to the MUA, as a test email sent via the standard Un*x "mail" went
through without any spam checks. And yes, I made sure that "mail" was not
calling sendmail or anything like it directly; the message sent with
"mail" shows up in Exim's logfile normally. This last thing is what really
makes me nervous: what the heck is different when sending mail with pine?
Hopefully you've got some further pointers for me. Thanks for your help so
far!

Bye, K&K,
T-Zee
--
thiesi@??? ---- NetBSD: Power to the people!
Tel.: ++49-(0)171-416 05 09 -- Fax: ++49-(0)171-134 16 05 09
Mirko Thiesen, P.O. Box 26 03 54, D-13413 Berlin, W. Germany
             "We're with you all the way, mostly"
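An added worked model of the two accept verbs in the acl_check_content trace above; this is illustration written for this page, not code from the thread or from Exim. It recomputes the X-Scan-Signature the way `${hmac{md5}{secret}{$body_linecount}}` does (assumed: HMAC-MD5 keyed with the secret over the decimal line count, emitted as lowercase hex), and it models Exim's `hosts` test for a message that did not arrive over TCP/IP, which carries an empty sender host address and is matched only by an empty host-list item, i.e. the leading colon that the list in acl_check_rcpt has and the list in acl_check_content does not. The Received header's "with local-esmtp" is what Exim writes for SMTP read from stdin (`exim -bs`), so that is the case the model exercises. The contents of relay_from_hosts, the secret "secret", the addresses and the line counts are all constructed; the model handles IPv4 items and named lists only.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed stand-in for the "relay_from_hosts" hostlist on the page; the
# real list names specific internal hosts and is not shown in the thread.
NAMED_LISTS = {"relay_from_hosts": "192.0.2.10 : 192.0.2.11"}


def scan_signature(secret: str, body_linecount: int) -> str:
    """Recompute ${hmac{md5}{secret}{$body_linecount}}: HMAC-MD5 over the
    decimal line count, keyed with the ACL's secret, as lowercase hex
    (assumption: that is what Exim's hmac expansion item emits)."""
    return hmac.new(secret.encode(), str(body_linecount).encode(),
                    hashlib.md5).hexdigest()


def signature_ok(secret: str, body_linecount: int,
                 header: Optional[str]) -> bool:
    """First accept verb: the header must equal the recomputed HMAC.  An
    absent header never matches; compare_digest avoids a timing leak."""
    if header is None:
        return False
    return hmac.compare_digest(scan_signature(secret, body_linecount),
                               header.strip())


def host_matches(spec: str, sender_host_address: str,
                 named: dict = NAMED_LISTS) -> bool:
    """Simplified model of an Exim host-list test (IPv4 only).
    sender_host_address is "" for a message that did not arrive over
    TCP/IP, e.g. SMTP on stdin via `exim -bs`.  An empty list item,
    written as a leading (or doubled) colon, is the only item that
    matches such a message; "+name" pulls in a named list."""
    for item in (part.strip() for part in spec.split(":")):
        if item == "":
            if sender_host_address == "":
                return True
        elif item.startswith("+"):
            if host_matches(named[item[1:]], sender_host_address, named):
                return True
        elif sender_host_address:
            addr = ipaddress.ip_address(sender_host_address)
            if "/" in item:
                if addr in ipaddress.ip_network(item, strict=False):
                    return True
            elif addr == ipaddress.ip_address(item):
                return True
    return False


def acl_check_content(secret: str, sender_host_address: str,
                      body_linecount: int, headers: dict,
                      trusted_hosts: str = "127.0.0.1:+relay_from_hosts") -> str:
    """Walk the two accept verbs in the order the trace shows them; a
    message matching neither falls through to the scanner.  trusted_hosts
    defaults to the list from the acl_check_content trace."""
    if signature_ok(secret, body_linecount, headers.get("X-Scan-Signature")):
        return "accept: already scanned"
    if host_matches(trusted_hosts, sender_host_address):
        return "accept: trusted host"
    return "fall through: scan"


if __name__ == "__main__":
    # Constructed message: no remote host (stdin SMTP), not yet signed.
    local = dict(secret="secret", sender_host_address="",
                 body_linecount=3, headers={})
    print(acl_check_content(**local))
    print(acl_check_content(**local,
                            trusted_hosts=":127.0.0.1:+relay_from_hosts"))
    # The -bh session from the page: a real TCP/IP peer at 127.0.0.1.
    print(acl_check_content("secret", "127.0.0.1", 3, {}))
```

Run as a script it prints the outcome for each constructed case; the only thing that changes between the first two calls is the leading colon in the host list.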