[Exim] Problems with recipient verification...

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Lars Schimmer
Date:  
À: Exim-Users (E-mail)
Sujet: [Exim] Problems with recipient verification...
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--
This is a multi-part message in MIME format.
--
Hi!

I've got a problem with user verification:

Message 1BfcAu-0003wt-UD has been frozen (delivery error message).
The sender is <>.

The following address(es) have yet to be delivered:
ooxvjpchxb@??? <ooxvjpchxb@???>: LMTP error after RCPT
TO:<ooxvjpchxb@???>: 550-Mailbox unknown. Either there is
no mailbox associated with this\n550-name or you do not have
authorization to see it.\n550 5.1.1 User unknown

Is the message I've got.
The ACL is append as a txt attachment to this post.
Why doesn't exim reject that mail?

I use debian unstable and exim4-daemon-heavy 4.30-8 with sa-exim 4.0-2.

Cya & Thx
Lars
--
-----------------------------------------------------------------
Technische Universität Braunschweig, Institut für Computergraphik
Tel.: +49 531 391-2109            E-Mail: schimmer@???
PGP-Key-ID: 0xB87A0E03



--
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
acl_check_rcpt:
# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
accept hosts = :

  # Deny if the local part contains @ or % or / or | or !. These are rarely
  # found in genuine local parts, but are often tried by people looking to
  # circumvent relaying restrictions.
  #
  # Also deny if the local part starts with a dot. Empty components aren't
  # strictly legal in RFC 2822, but Exim allows them because this is common.
  # However, actually starting with a dot may cause trouble if the local part
  # is used as a file name (e.g. for a mailing list).
  #
  deny  domains       = +local_domains
      local_parts = ^.*[@%!/|] : ^\\.


  deny    domains       = !+local_domains
            local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


   # Accept mail to postmaster in any local domain, regardless of the source,
   # and without verifying the sender.
   #
      accept local_parts = postmaster
                 domains = +local_domains




  # Blacklist Eintrag http://ordb.org/faq/#usage Spamhaus & rfc-ignorant
  deny         message  = Host is listed in $dnslist_domain Blacklist
          log_message = deny by $dnslist_domain : Message rejected from $sender_host_address
        dnslists = relays.ordb.org:sbl.spamhaus.org:dsn.rfc-ignorant.org/$sender_address_domain :\
                   postmaster.rfc-ignorant.org/$sender_address_domain:\
               http://www.heise.de/ix/nixspam/nixspam.blackmatches


   warn     message       = X-SA-Do-Not-Rej: Yes
            local_parts   = postmaster:abuse


   warn     message       = X-SA-Do-Not-Run: Yes
            hosts         = +relay_from_hosts


   warn     message       = X-SA-Do-Not-Run: Yes
            authenticated = *



  # Be polite and say HELO. Reject anything from hosts that havn't given
  # a valid HELO/EHLO to us.
    deny condition = ${if or{{!def:sender_helo_name}{eq{$sender_helo_name}{}}}{yes}{no}}
    message = RFCs mandate HELO/EHLO before mail can be sent


  # Forged hostname - HELOs as my own hostname or domain
    deny message = Forged hostname detected in HELO: $sender_helo_name
    hosts   = !+relay_from_hosts
    log_message = Forged hostname detected in HELO: $sender_helo_name
    condition = ${lookup {$sender_helo_name} lsearch{CONFDIR/local_domains}{yes}{no}}


  # Forged hostname -HELOs as one of my own IPs
    deny message = Forged IP detected in HELO: $sender_helo_name
    hosts = !+relay_from_hosts
    log_message = Forged IP detected in HELO: $sender_helo_name
    condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}



  # Deny unless the sender address can be verified.
  #
  # This is disabled by default so that DNSless systems don't break. If
  # your system can do DNS lookups without delay or cost, you might want
  # to enable the following line.
   deny  !acl = acl_whitelist_local_deny
       !verify = sender


  # Warn if the sender host does not have valid reverse DNS.
  #
  # This is disabled by default so that DNSless systems don't break. If
  # your system can do DNS lookups without delay or cost, you might want
  # to enable the following lines.
   deny message = X-Broken-Reverse-DNS: no host name found for IP address $sender_host_address
        !verify = reverse_host_lookup


  # deny bad senders (envelope sender)
  # CONFDIR/local_sender_blacklist holds a list of envelope senders that
  # should have their access denied to the local host. Incoming messages
  # with one of these senders are rejected at RCPT time.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
       !acl = acl_whitelist_local_deny
       senders = ${if exists{CONFDIR/local_sender_blacklist}\
                             {CONFDIR/local_sender_blacklist}\
                             {}}


  # deny bad sites (IP address)
  # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
  # and networks (CIDR notation)  that should have their access denied to
  # The local host. Messages coming in from a listed host will have all
  # RCPT statements rejected.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  #deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
  #    !acl = acl_whitelist_local_deny
  #     hosts = ${if exists{CONFDIR/local_host_blacklist}\
  #                          {CONFDIR/local_host_blacklist}\
  #                          {}}
  #
  # local_host_blacklist etwas erweitert
  # siehe http://jez.hancock-family.com/index.php?/archives/80_New_Blacklist_Exim_Configuration.html#extended
  #
  deny  message     = You have been blacklisted on this server.\n\n \
                If you feel this is an error, please mail <postmaster@???>.
    log_message = deny_by_local_blacklist: Message rejected from $sender_host_address
    !acl = acl_whitelist_local_deny
    senders     = @@lsearch*;/CONFDIR/local_host_blacklist2


   # Accept bounces to lists even if callbacks or other checks would fail
   # Wird benötigt wenn die verify = sender/callout Funktion genutzt wird
   # warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
   #           condition    = ${if and {{match{$local_part}{(.*)-bounces\+.*}}
   #                     {exists {MAILMAN_HOME/lists/$1/config.pck}}} \
   #                     {yes}{no}}
   #                         {yes}{no}}


   #  accept   condition    = ${if and {{match{$local_part}{(.*)-bounces\+.*}}
   #                 {exists {MAILMAN_HOME/lists/$1/config.pck}}} \
   #                 {yes}{no}}
   #                         {yes}{no}}


# Now, check sender address with SMTP callback.
# Auskommentiert, da nicht wirklich überall funktional!
# deny !verify = sender/callout=90s

#############################################################################
# There are no checks on DNS "black" lists because the domains that contain
# these lists are changing all the time. You can find examples of
# how to use dnslists in /usr/share/doc/exim4-config/examples/acl
#############################################################################

  # Accept if the address is in a local domain, but only if the recipient can
  # be verified. Otherwise deny. The "endpass" line is the border between
  # passing on to the next ACL statement (if tests above it fail) or denying
  # access (if tests below it fail).
  #
   accept domains = +local_domains
     message = user ist dagt
     endpass
         message = unknown user
         verify = recipient/callout


  # Accept if the address is in a domain for which we are relaying, but again,
  # only if the recipient can be verified.
  #
   accept domains = +relay_to_domains
         endpass
         message = unrouteable address
         verify = recipient/callout


# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.

# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should probably
# add recipient verification here.
#
accept hosts = +relay_from_hosts

# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.
#
accept authenticated = *

# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.
#
deny message = relay not permitted



--
Content-Description: OpenPGP digital signature

[ signature.asc of type application/pgp-signature deleted ]
--