[Exim] Callout makes Header Checks fail (incorrectly?)

Top Page
Delete this message
Reply to this message
Author: Andreas M. Kirchwitz
Date:  
To: exim-users
Subject: [Exim] Callout makes Header Checks fail (incorrectly?)
Hi Exim users!

I'm running Exim 4.34 with the following setup:

Callouts (to verify the sender's address) should be made, but if
the check fails, messages should not be rejected, instead a nice
warning should be added to the header.

For this, my ACL for "acl_smtp_rcpt" contains:

    warn message = X-Callout-Warning: invalid sender $sender_address
         !verify = sender/callout=15s,defer_ok,postmaster,random


Furthermore, Exim should do header checks on the sender (A/MX record
must exist for domain), and this time I want it to reject mail that
failed this very basic verification.

For this, my ACL for "acl_smtp_data" contains:

    require verify = header_sender


On its own, each feature works fine. But they don't work well
if I use both together. Exim then rejects mail that should not
be rejected.

The problem is:

Let's say, an incoming mail comes from "invalid_local@valid_domain".
(same address in envelope-sender and "From:" in header).

The callout will fail (because of the invalid local-part).
Correct, that's expected behaviour. A nice warning in the
header is added.

The verification of the sender in the header should _not_
fail because the domain is valid for mail.

But Exim doesn't behave that way. If the callout fails, Exim
remembers the result for the current session, and this makes
the header check fail as well. Exim's logfile says:
"rejected after DATA: there is no valid sender in any header line"

It's not a good idea that the header checks remember the result of
the callout checks. In my example, the callout check also writes
a warning on a non-existing "postmaster" account (even if the
sender's address is perfectly fine). In such a case, the
header checks give a wrong result because the sender _is_ valid.
Mail should not be rejected in that case.

On the other hand, if the envelope-sender is "invalid_1@domain"
and the "From:" reads "invalid_2@domain" (domain is valid, and
local-parts are both invalid, but they are different), then
the callout check adds the warning to the header (what is
expected behaviour) and the header check succeeds (what is
correct, because the domain itself is valid). The mail is not
rejected (as expected).

According the documentation the results of the callout checks
are cached, but only for subsequent callout checks - not for
any other type of address verification.

Is my configuration wrong? Did I miss something in the
documentation?

    Greetings, Andreas