Re: [exim-dev] Exim from mailnull by local "Auto-Submitted: …

Author: Matthew Byng-Maddick
Date:  
To: Tony Marques
CC: exim-dev
Subject: Re: [exim-dev] Exim from mailnull by local "Auto-Submitted: auto-generated" bounces keep bouncing
[OP cc-ed in as I'm assuming he's not on the list]
On Tue, Jun 07, 2005 at 10:40:19AM -0700, Tony Marques wrote:
> I don't operate or have experience with Exim, but I've noticed a
> problem with several different exim mail servers (one 4.50 several
> 4.41 and probably other versions). Perhaps someone can look at this
> and determine if it is a bug in Exim.
>
> A virus spoofing my domain will send an Exim server a message which
> will initially accept the message but later tries to bounce the
> message because it finds the illicit .scr/.pif/.exe attachment, the
> mailbox is full, no such user or some other problem. So now the Exim
> server generates and sends a bounce to my server which detects the
> illicit attachment or forgery and responds with either a
>
> after DATA "."
> 554 5.7.1 Message cannot be accepted, virus found
>
> after RCPT TO: fake@???
> 550 5.1.1 fake@??? User unknown; rejecting
>
> Here is the problem, the Exim servers will retry to resend the message
> (ignoring the 55x errors) every two hours for 2 or 3 days. The
> bounce's message-id, date, other headers, and the quoted forgery all
> demonstrate that the multiple bounces are caused by a single message
> and the multiples are a result of a problem with Exim not
> acknowledging my server's 55x responses. Normally this problem
> wouldn't be noticed as bounces aren't normally seen.


Ok, first off exim doesn't do this. If it gets a 550, this means the
message will be bounced, if it gets a 550 on a bounce, it will "freeze"
the message.

Obviously, in the case you've suggested above, you know that the "single
message" that has the multiples you're talking about is rejected after
DATA (you wouldn't see it at all if rejected after RCPT), so, my first
question is: have you timed how long it takes to do the virus scanning,
and in particular, what is the time delay between the sender-SMTP sending
a final "." and your receiver saying "554 5.7.1"? Is it possible that the
sender-SMTP has timed out?

> Can someone determine if this is a current bug or when it was fixed


Such a bug does not exist. If it did, we would be in much deeper water.

> and under what condition this exists? I presume all MAIL FROM: <>
> SHOULD be deleted or forwarded to a badmail mailbox after rejected
> with a 55x error and not remain in the outgoing queue.


"badmail mailbox" ? ugh! No, exim has the concept of "freezing" a message,
which means that it doesn't get processed in a normal queue run. This has
roughly the effect that you describe, however.

It is possible (given that you've used the same host as an example
several times), that someone has a cronjob which unfreezes messages. This
would be considered bad practice, but it wouldn't be the first time that
bad practice existed on the internet.

Cheers

MBM

-- 
Matthew Byng-Maddick          <mbm@???>           http://colondot.net/
                      (Please use this address to reply)
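
The following is an added example, not part of the original message and not Exim's code. It models the behaviour the reply describes (a 5xx bounces a normal message and freezes a bounce) together with the timeout question it raises, over constructed receiver-side records. The 10-minute wait for the reply to the final "." is an assumption taken from the DATA-termination timeout in RFC 5321 section 4.5.3.2.6, and all names are hypothetical.

```python
from dataclasses import dataclass

# Assumption: the sender waits 10 minutes for the reply to the final ".",
# the DATA-termination timeout given in RFC 5321 section 4.5.3.2.6.
FINAL_DOT_TIMEOUT = 600.0


@dataclass
class Attempt:
    """One delivery attempt as seen in a receiver-side log (constructed)."""
    msg_id: str
    null_sender: bool    # MAIL FROM:<> means the message is itself a bounce
    dot_received: float  # seconds: sender finished DATA with "."
    reply_sent: float    # seconds: receiver wrote its final reply
    reply_code: int      # e.g. 250, 451, 554


def sender_action(a: Attempt, timeout: float = FINAL_DOT_TIMEOUT) -> str:
    """What the sending MTA does next, per the behaviour described in the post."""
    if a.reply_sent - a.dot_received > timeout:
        # Sender gave up before the reply arrived, so it never saw the code.
        return "retry"
    if 200 <= a.reply_code < 300:
        return "delivered"
    if 500 <= a.reply_code < 600:
        # Permanent failure: bounce it, unless it already is a bounce.
        return "freeze" if a.null_sender else "bounce"
    return "retry"  # 4xx or anything unexpected is treated as temporary


def unseen_rejections(attempts):
    """Message ids rejected with 5xx too late for the sender to have seen it."""
    return sorted({a.msg_id for a in attempts
                   if 500 <= a.reply_code < 600 and sender_action(a) == "retry"})


# Constructed sample: bounce-B is scanned for ~12 minutes on every attempt.
SAMPLE = [
    Attempt("bounce-A", True, 0.0, 4.0, 554),
    Attempt("bounce-B", True, 0.0, 725.0, 554),
    Attempt("bounce-B", True, 7200.0, 7930.0, 554),
    Attempt("mail-C", False, 0.0, 2.0, 550),
    Attempt("mail-D", False, 0.0, 1.0, 250),
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.msg_id, a.reply_code, sender_action(a))
    print("rejected but never seen:", unseen_rejections(SAMPLE))
```

A message id reported by `unseen_rejections` is one where the receiver logged a 5xx but the sender will keep retrying, which is the pattern to look for before suspecting the sending MTA of ignoring the response.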