Re: [exim] "sender verify" problem

Author: Henry Kupets
Date:  
To: exim-users
Subject: Re: [exim] "sender verify" problem
Hello guys,

I greatly appreciate your help.

Just to make something clear:




Giuliano Gavazzi wrote:
> At 4:27 pm -0500 2004/12/08, Henry Kupets wrote:
>
>> I tried:
>>
>> hostlist sunhosts = dia20.dia.state.ma.us : dia30.dia.state.ma.us
>> ...
>> deny message = sender verification failed
>>      hosts = !+sunhosts
>>      !verify = sender

>>
>> It worked (kind of).
>
>
> Well, I do not know if those two domain names resolve correctly in your
> LAN, they still do not resolve in the global DNS.


Those two hosts resolve correctly in our LAN and should not be resolved
in the global DNS.

>
>> All the messages from my internal Sun boxes can get through to me and
>> other users in our LAN, no more rejection. Scheduled email can also
>> go from those Sun servers to the certain addresses on the Internet.
>>
>> But when I send email from those servers manually from the command
>> line to a couple of random addresses (for instance my home, etc.) it does
>> not get through. I can find in the mainlog file on my 'smart mailer':
>> "sender verification failed".
>
>
> Who gives the error? Your smart host or the remote mailhost?


My 'smart host' gives this error.


>
>
>> Unfortunately I can not make DNS changes in the DMZ DNS servers (there
>> are separate DNS servers in DMZ). I am still not sure why I can not
>> send email from 'dia20.dia.state.ma.us' to any Internet email address
>> if my "smart mailer" does not do any sender verification for this box
>> now (according to my new configuration file).
>
>
> [sorry, I do not understand this DMZ DNS thing...]


DMZ stands for demilitarized zone - the network segment that does not
belong to our LAN but belongs to the state of Massachusetts that we are
part of, and has special firewall rules to be accessed from the
Internet. There are separate DNS servers in this zone that know nothing
(and should not know) about hosts inside of our LAN. We are running
so-called split DNS.


>
> I thought I had been clear... You *must* fix the sender address generated
> by those scripts as there is no point in accepting to relay on your
> smarthost, when the receiving mailserver elsewhere on the internet will
> do a sender address verification of some kind.
> You must find what is wrong with those addresses and change that. Are
> they of the kind user@??? ? If so it is clear why they
> do not work, as there is neither MX nor A record for
> dia20.dia.state.ma.us. And even if there was an A or MX record for
> dia20.dia.state.ma.us, for some servers it would also be required that
> dia20.dia.state.ma.us (or its MX) accept mail from <> to
> user@???. This is in case they implement sender
> callout verification.



Yes, the email coming out of those servers is from
user@??? and user@???. There are no A or MX
records for dia20.dia.state.ma.us of course. What looks strange to me
is if I completely comment out the line

require verify = sender

everything is working with no problems. My 'smart host' does not
complain, I can login to any of those servers as 'root' and send email
anywhere.
I thought by implementing the following I would be all set:

deny message = sender verification failed
      hosts = !+sunhosts
      !verify = sender


How can I fix it now? Is the problem only in the address
user@??? ? Can I change anything so that email will come
out from those servers as: user@??? ???

Thank you again.

>
> I hope this helps.
>
> Giuliano
>


--
Henry Kupets
Sys.Admin
Department of Industrial Accidents
henry@???
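
Added example, not part of the original message and not Exim code: a small Python model of the check Giuliano describes, showing that exempting the Sun hosts on the smarthost does not help once a receiver that only sees the global DNS verifies the same sender address. The DNS records, IP addresses and the domain example.org are constructed placeholders, and matching the client by host name is a simplification of how a host list is matched.

```python
# Constructed split-DNS data: the LAN view knows the Sun hosts, the global view does not.
# example.org stands in for a publicly resolvable mail domain (assumption, not from the thread).
LAN_DNS = {
    "dia20.dia.state.ma.us": {"A": ["10.0.0.20"]},
    "dia30.dia.state.ma.us": {"A": ["10.0.0.30"]},
    "example.org": {"MX": ["mail.example.org"]},
    "mail.example.org": {"A": ["192.0.2.25"]},
}
GLOBAL_DNS = {name: rrs for name, rrs in LAN_DNS.items()
              if not name.endswith(".dia.state.ma.us")}
SUNHOSTS = {"dia20.dia.state.ma.us", "dia30.dia.state.ma.us"}


def mail_hosts(domain, dns):
    """Hosts that take mail for domain: resolvable MX targets, else the domain's own A record."""
    records = dns.get(domain.lower(), {})
    if records.get("MX"):
        return [h for h in records["MX"] if dns.get(h, {}).get("A")]
    return [domain.lower()] if records.get("A") else []


def verify_sender(sender, dns, callout=None):
    """Can a bounce be routed back to this envelope sender, as seen from this DNS view?

    callout(host, sender) -> bool optionally models a receiver that also asks the
    sender's mail host whether it accepts mail from <> to that address.
    """
    if sender == "":                      # the null sender <> has nothing to verify
        return True
    local, sep, domain = sender.rpartition("@")
    if not sep or not local:
        return False
    hosts = mail_hosts(domain, dns)
    if not hosts:                         # neither MX nor A record: verification fails
        return False
    return callout is None or any(callout(h, sender) for h in hosts)


def smarthost_accepts(client_host, sender, dns):
    """Model of: deny / hosts = !+sunhosts / !verify = sender (listed hosts skip the check)."""
    return client_host in SUNHOSTS or verify_sender(sender, dns)


if __name__ == "__main__":
    sun, sender = "dia20.dia.state.ma.us", "root@dia20.dia.state.ma.us"
    print("smarthost, exempt host   :", smarthost_accepts(sun, sender, GLOBAL_DNS))
    print("receiver on the Internet :", verify_sender(sender, GLOBAL_DNS))
    print("after fixing the sender  :", verify_sender("root@example.org", GLOBAL_DNS))
```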