Folks,
A little stuck here debugging my acls.
I have been listed as an open relay :-( and am trying to fix it.
exim version :- 4.34, with exiscan.
I do a lengthy LDAP lookup. Nowhere within the results is
relaytest@??? (naturally), yet the lookup succeeds (see at
the end of the mail).
If I put the list in a file, it says 'no relay'.
Help ..
Cheers, Andy!
Relevant (I hope) parts of exim.conf :-
#########################################
domainlist relay_domains = ldapm;ldap::///dc=wizzy,dc=org,dc=za?associatedDomain?one? : \
ldapm;ldap::///dc=wcape,dc=school,dc=za?associatedDomain?one? : \
ldapm;ldap::///dc=kzn,dc=school,dc=za?associatedDomain?one?
domainlist local_domains = wizzy.org.za : barn.wizzy.org.za
#### snip
#!!# ACL that is used after the RCPT command
check_recipient:
# deny addresses with funny letters and shell escapes
deny local_parts = ^.*[@%!/|] : ^\\.
# accept locally generated emails
accept hosts = :
# accept anyone who can authenticate
accept authenticated = *
# deny non-local domains - this is the test that fails
deny !domains = +local_domains : +relay_domains
message = We do not relay
# accept null senders - bounced bounces or address verification to local
# domains
accept senders = : postmaster
domains = +local_domains
###############################################
Testing the configuration :-
/usr/sbin/exim -C /tmp/exim.conf -d+acl -bh 209.208.0.15
Exim version 4.34 uid=0 gid=0 pid=24845 D=fbb95cfd
Berkeley DB: Sleepycat Software: Berkeley DB 4.1.25: (December 11, 2003)
Support for: iconv() PAM
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz dsearch ldap ldapdn ldapm mysql
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
changed uid/gid: forcing real = effective
uid=0 gid=0 pid=24845
auxiliary group list: <none>
configuration file is /tmp/exim.conf
log selectors = 00000ffc 00010400
trusted user
admin user
changed uid/gid: privilege not needed
uid=79 gid=79 pid=24845
auxiliary group list: <none>
finduser used cached passwd data for uucp
originator: uid=0 gid=0 login=root name=root
sender address = root@???
sender_fullhost = [209.208.0.15]
sender_rcvhost = [209.208.0.15]
**** SMTP testing session as if from host 209.208.0.15
**** but without any ident (RFC 1413) callback.
**** This is not for real!
LOG: smtp_connection MAIN
SMTP connection from [209.208.0.15]
host in host_lookup? yes (matched "0.0.0.0/0")
looking up host name for 209.208.0.15
DNS lookup of 15.0.208.209.in-addr.arpa (PTR) succeeded
IP address lookup yielded rt.njabl.org
alias before-reporting-as-abuse-please-see-www.njabl.org
gethostbyname looked up these IP addresses:
name=rt.njabl.org address=209.208.0.15
checking addresses for rt.njabl.org
209.208.0.15 OK
gethostbyname looked up these IP addresses:
name=before-reporting-as-abuse-please-see-www.njabl.org address=209.208.0.15
checking addresses for before-reporting-as-abuse-please-see-www.njabl.org
209.208.0.15 OK
sender_fullhost = rt.njabl.org [209.208.0.15]
sender_rcvhost = rt.njabl.org ([209.208.0.15])
set_process_info: 24845 handling incoming connection from rt.njabl.org [209.208.0.15]
host in host_reject_connection? no (option unset)
host in sender_unqualified_hosts? no (option unset)
host in recipient_unqualified_hosts? no (option unset)
host in helo_verify_hosts? no (option unset)
host in helo_try_verify_hosts? no (option unset)
host in helo_accept_junk_hosts? no (option unset)
SMTP>> 220 barn.wizzy.org.za ESMTP Exim 4.34 Mon, 07 Mar 2005 18:30:56 +0200
220 barn.wizzy.org.za ESMTP Exim 4.34 Mon, 07 Mar 2005 18:30:56 +0200
smtp_setup_msg entered
EHLO wizyy.com
SMTP<< EHLO wizyy.com
sender_fullhost = rt.njabl.org (wizyy.com) [209.208.0.15]
sender_rcvhost = rt.njabl.org ([209.208.0.15] helo=wizyy.com)
set_process_info: 24845 handling incoming connection from rt.njabl.org (wizyy.com) [209.208.0.15]
host in pipelining_advertise_hosts? yes (matched "*")
host in auth_advertise_hosts? yes (matched "*")
250-barn.wizzy.org.za Hello rt.njabl.org [209.208.0.15]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
SMTP>> 250-barn.wizzy.org.za Hello rt.njabl.org [209.208.0.15]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
MAIL FROM: <>
SMTP<< MAIL FROM: <>
SMTP>> 250 OK
250 OK
RCPT TO: relaytest@???
SMTP<< RCPT TO: relaytest@???
using ACL "check_recipient"
processing "deny"
check local_parts = ^.*[@%!/|] : ^\\.
relaytest in "^.*[@%!/|] : ^\."? no (end of list)
deny: condition test failed
processing "accept"
check hosts = :
host in ":"? no (end of list)
accept: condition test failed
processing "accept"
check authenticated = *
accept: condition test failed
processing "deny"
check !domains = +local_domains : +relay_domains
rr.njabl.org in "wizzy.org.za : barn.wizzy.org.za"? no (end of list)
search_open: ldapm "NULL"
search_find: file="NULL"
key="ldap:///dc=wizzy,dc=org,dc=za?associatedDomain?one?" partial=-1
affix=NULL starflags=0
LRU list:
internal_search_find: file="NULL"
type=ldapm key="ldap:///dc=wizzy,dc=org,dc=za?associatedDomain?one?"
database lookup required for
ldap:///dc=wizzy,dc=org,dc=za?associatedDomain?one?
LDAP parameters: user=NULL pass=NULL size=0 time=0 connect=-1
dereference=0
perform_ldap_search: ldapm URL ="ldap:///dc=wizzy,dc=org,dc=za?associatedDomain?one?" server=NULL port=0 sizelimit=0 timelimit=0 tcplimit=-1
after ldap_url_parse: host=NULL port=389
ldap_initialize with URL ldap://:389/
initialized for LDAP (v3) server NULL:389
LDAP_OPT_X_TLS_TRY set
binding with user=NULL password=NULL
Start search
ldap_result loop
LDAP entry loop
LDAP attr loop associatedDomain:bunkhouse.wizzy.org.za
ldap_result loop
[...]
LDAP entry loop
LDAP attr loop associatedDomain:admin.wizzy.org.za
search ended by ldap_result yielding 101
ldap_parse_result yielded 0: Success
LDAP search: returning: bunkhouse.wizzy.org.za
nooitgedacht.wizzy.org.za
[...]
admin.wizzy.org.za
lookup yielded: bunkhouse.wizzy.org.za
nooitgedacht.wizzy.org.za
nansindlela.wizzy.org.za
barn.wizzy.org.za
gratton.wizzy.org.za
esjnr.wizzy.org.za
pc340.wizzy.org.za
esangweni.wizzy.org.za
eshigh.wizzy.org.za
eshowe.wizzy.org.za
zibonele.wizzy.org.za
westendps.wizzy.org.za
gsps.wizzy.org.za
lavender.wizzy.org.za
pwcfa.com
spurwingps.wcape.school.za
eshowe.com, rabagliati.com
wizzy.com, cpt.wizzy.com
tsf.wizzy.org.za
kidzkorner.wizzy.org.za
smtp.wizzy.org.za
admin.wizzy.org.za
rr.njabl.org in "ldapm;ldap::///dc=wizzy,dc=org,dc=za?associatedDomain?one? : ldapm;ldap::///dc=wcape,dc=school,dc=za?associatedDomain?one? : ldapm;ldap::///dc=kzn,dc=school,dc=za?associatedDomain?one?"? yes (matched "ldapm;ldap:///dc=wizzy,dc=org,dc=za?associatedDomain?one?")
See that match ????
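Editor's note with an added example (this is not part of Andy's message, nor configuration shipped with Exim). The debug output above shows why the LDAP version of relay_domains matches rr.njabl.org while the file version does not. An lsearch file is a single-key lookup, so the recipient domain itself is the key and only listed domains match. A query-style item such as ldapm;... is different: Exim expands the query and the domain matches whenever the search succeeds, regardless of what it returns. The queries above carry no filter mentioning $domain, so for any domain they return the whole set of associatedDomain values, the search "succeeds", and the deny never fires; that is an open relay. The fix is to search for the recipient domain. The assumption in this example is the one the original already makes, namely that relay domains are stored as associatedDomain values directly under each base DN. Colons inside a list item are doubled (ldap::///), as in the original, and $domain goes through ${quote_ldap:...} so that an attacker-chosen RCPT TO domain cannot inject LDAP filter syntax:

```exim
# Added example: relay_domains keyed on the recipient domain.
# A query-style lookup in a domain list matches when the search succeeds,
# so the filter must restrict the search to $domain; ${quote_ldap:...}
# escapes filter metacharacters in the remotely supplied domain.
# ldapm is kept from the original so that two entries carrying the same
# domain do not make the lookup fail (plain "ldap" fails on >1 entry).
domainlist relay_domains = \
    ldapm;ldap::///dc=wizzy,dc=org,dc=za?associatedDomain?one?(associatedDomain=${quote_ldap:$domain}) : \
    ldapm;ldap::///dc=wcape,dc=school,dc=za?associatedDomain?one?(associatedDomain=${quote_ldap:$domain}) : \
    ldapm;ldap::///dc=kzn,dc=school,dc=za?associatedDomain?one?(associatedDomain=${quote_ldap:$domain})
```

To check it, replay the same session with exim -C /tmp/exim.conf -bh 209.208.0.15 and the same EHLO, MAIL FROM: <> and RCPT TO: lines; the RCPT should now be rejected with the "We do not relay" message, while a RCPT to one of the domains the lookup listed (barn.wizzy.org.za, for instance) should still be accepted. The lookup can also be exercised on its own with exim -be '${lookup ldapm{ldap:///dc=wizzy,dc=org,dc=za?associatedDomain?one?(associatedDomain=rr.njabl.org)}{matched}{no match}}' (no doubled colons there, since -be expands a single string rather than a list item), which should print "no match".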