Re: [exim] debugging 550 rejects 'after DATA' ?

Author: OpenMacNews
Date:
Cc: exim-users
Subject: Re: [exim] debugging 550 rejects 'after DATA' ?
hi all,

ok, some progress.

    case(1) Delivery OK   : TBird,  no-TLS / VIRUS + DK + SPAM checks in DATA ACL
    case(2) Delivery OK   : TBird, yes-TLS / VIRUS             checks in DATA ACL
    case(3) Delivery FAIL : TBird, yes-TLS / VIRUS + DK        checks in DATA ACL
            Delivery FAIL : TBird, yes-TLS / VIRUS      + SPAM checks in DATA ACL


so, it seems something in DK &/or SPAM checks is causing the FAIL on TLS ... but what?

details follow ....

cheers,

richard



---------------------------------------------------------------------------
case(1): delivery is SUCCESSFUL.

with TBird's use-tls-on-outbound-smtp --> "OFF"

and, this DATA ACL:

    =====================
        acl_check_data:
            ...
            ### VIRUS ###
            require  acl             = aux_scan_virus


            ### DOMAIN KEYS ###
            require  acl             = aux_check_domainkeys


            ### SPAM ###
            require  acl             = aux_scan_spam
                     condition       = ${if <\
                                         {$message_size}\
                                         {MESSAGE_SIZE_SPAM_MAX}\
                                         {1}{0}\
                                        }


            accept
        # END acl_check_data:
    =====================





case(2): delivery is SUCCESSFUL.

with TBird's use-tls-on-outbound-smtp --> "ON"

and, this DATA ACL:

    =====================
        acl_check_data:
            ...
            ### VIRUS ###
            require  acl             = aux_scan_virus


    #        ### DOMAIN KEYS ###
    #        require  acl             = aux_check_domainkeys


    #        ### SPAM ###
    #        require  acl             = aux_scan_spam
    #                 condition       = ${if <\
    #                                     {$message_size}\
    #                                     {MESSAGE_SIZE_SPAM_MAX}\
    #                                     {1}{0}\
    #                                    }


            accept
        # END acl_check_data:
    =====================


e.g., exim-debug-log output:

2005-10-10 09:42:47 -0700 SMTP connection from [10.0.0.6]:60670 I=[10.0.0.5]:25 (TCP/IP
connection count = 1)
2005-10-10 09:42:48 -0700 IO5L3C-0008EN-CG Subject: sdfg
2005-10-10 09:42:48 -0700 IO5L3C-0008EN-CG <= testuser@??? H=pb1.mydomain.com
[10.0.0.6]:60670 I=[10.0.0.5]:25 P=esmtpsa X=TLSv1:AES256-SHA:256 CV=no
A=sasl_cram_md5:testuser@??? S=961 id=434A9A07.6010606@??? T="sdfg" from
<testuser@???> for testuser2@???
2005-10-10 09:42:48 -0700 SMTP connection from pb1.mydomain.com [10.0.0.6]:60670 I=[10.0.0.5]:25
closed by QUIT
2005-10-10 09:42:48 -0700 cwd=/var/MailServer/Mail/MailSpool 4 args: /usr/local/exim/bin/exim
-d=0xfbbd5cfd -Mc IO5L3C-0008EN-CG
2005-10-10 09:42:50 -0700 IO5L3C-0008EN-CG => testuser2@??? F=<testuser@???>
P=<testuser@???> R=dnslookup_nearby T=remote_smtp S=986 H=mail.presence-group.com
[10.0.0.2]:25 X=TLSv1:DES-CBC3-SHA:168 CV=no DN="/CN=mail.mydomain.com" C="250 3039208 ok" QT=2s
DT=1s
2005-10-10 09:42:50 -0700 IO5L3C-0008EN-CG Completed QT=2s



case(3): delivery FAILS.

with TBird's use-tls-on-outbound-smtp --> "ON"

and, EITHER this DATA ACL:

    =====================
        acl_check_data:
            ...
            ### VIRUS ###
            require  acl             = aux_scan_virus


            ### DOMAIN KEYS ###
            require  acl             = aux_check_domainkeys


    #        ### SPAM ###
    #        require  acl             = aux_scan_spam
    #                 condition       = ${if <\
    #                                     {$message_size}\
    #                                     {MESSAGE_SIZE_SPAM_MAX}\
    #                                     {1}{0}\
    #                                    }


            accept
        # END acl_check_data:
    =====================


*OR* this DATA ACL:

    =====================
        acl_check_data:
            ...
            ### VIRUS ###
            require  acl             = aux_scan_virus


    #        ### DOMAIN KEYS ###
    #        require  acl             = aux_check_domainkeys


            ### SPAM ###
            require  acl             = aux_scan_spam
                     condition       = ${if <\
                                         {$message_size}\
                                         {MESSAGE_SIZE_SPAM_MAX}\
                                         {1}{0}\
                                        }


            accept
        # END acl_check_data:
    =====================



and, with TBird's use-tls-on-outbound-smtp --> "ON", delivery is SUCCESSFUL.

2005-10-10 09:42:47 -0700 SMTP connection from [10.0.0.6]:60670 I=[10.0.0.5]:25 (TCP/IP
connection count = 1)
2005-10-10 09:42:48 -0700 IO5L3C-0008EN-CG Subject: sdfg
2005-10-10 09:42:48 -0700 IO5L3C-0008EN-CG <= testuser@??? H=pb1.mydomain.com
[10.0.0.6]:60670 I=[10.0.0.5]:25 P=esmtpsa X=TLSv1:AES256-SHA:256 CV=no
A=sasl_cram_md5:testuser@??? S=961 id=434A9A07.6010606@??? T="sdfg" from
<testuser@???> for testuser2@???
2005-10-10 09:42:48 -0700 SMTP connection from pb1.mydomain.com [10.0.0.6]:60670 I=[10.0.0.5]:25
closed by QUIT
2005-10-10 09:42:48 -0700 cwd=/Volumes/g3_DATA1/MailServer/Mail/MailSpool 4 args:
/usr/local/exim/bin/exim -d=0xfbbd5cfd -Mc IO5L3C-0008EN-CG
2005-10-10 09:42:50 -0700 IO5L3C-0008EN-CG => testuser2@??? F=<testuser@???>
P=<testuser@???> R=dnslookup_nearby T=remote_smtp S=986 H=mail.presence-group.com
[10.0.0.2]:25 X=TLSv1:DES-CBC3-SHA:168 CV=no DN="/CN=mail.mydomain.com" C="250 3039208 ok" QT=2s
DT=1s
2005-10-10 09:42:50 -0700 IO5L3C-0008EN-CG Completed QT=2s




looking at both 'errant' ACLs, DomainKeysCheck & SpamCheck,


#----------------------------------------------------------#
### DOMAIN KEYS ###
aux_check_domainkeys:
    warn     logwrite        = $dk_result


    warn     message         = X--DomainKeys: Scanned with Exiscan


    deny     set acl_m9      = REJECTED[domainkey] - \
                               DomainKey failed ($dk_status)
             message         = $acl_m9
             log_message     = LOG_HDR: $acl_m9
             dk_policy       = signsall
             !dk_status      = good


    deny     set acl_m9      = REJECTED[domainkey] - \
                               DomainKey failed ($dk_status)
             message         = $acl_m9
             log_message     = LOG_HDR: $acl_m9
             !dk_policy      = testing
             dk_status       = bad:revoked


    warn     message         = X--DomainKey-Status: $dk_status


    accept
# END aux_check_domainkeys:
#----------------------------------------------------------#



#----------------------------------------------------------#
### SPAM ###
aux_scan_spam:
    # Check for pre-existing SPAM CHECK crypto header ID
    accept   condition       = ${if eq \
                                 {${hmac{md5}{SECRET_SPAM_SCAN}{$body_linecount}}}\
                                 {$h_X--SpamScanID:}\
                                 {1}{0}\
                                }


    warn     message         = X--SpamScanner: Scanned with SpamAssassin
    # discard @ score = 20+
    deny     set acl_m9      = REJECTED[spam] - \
                               Classified as spam (score $spam_score)
             message         = $acl_m9
             log_message     = LOG_HDR: $acl_m9
             spam            = nobody:true
             condition       = ${if >\
                                 {$spam_score_int}\
                                 {MY_SPAM_DUMP_SCORE}\
                                 {1}{0}\
                                }
             # NOTE: $spam_score_int is the message's score multiplied by ten



    # Add crypto header ID
    warn     set acl_m9      = X--SpamScanID: \
                               ${hmac{md5}{SECRET_SPAM_SCAN}{$body_linecount}}
             message         = $acl_m9


    warn     set acl_m9      = X--SpamScore: \
                               $spam_score ($spam_bar)
             message         = $acl_m9
             spam            = nobody:true


    warn     set acl_m9      = X--SpamReport: \
                               $spam_report
             message         = $acl_m9
             spam            = nobody:true


    # redirect for viewing in SPAM_LEVEL_2 @ score = 6-19
    warn     set acl_m9      = X--Redirect-To: \
                               postmaster@MY_HOST_DOMAIN
             message         = $acl_m9
             #message        = Subject: **** SPAM **** $h_Subject
             spam            = nobody
             # MY_SPAM_QUARANTINE_SCORE     = 60


    # redirect for viewing in SPAM_LEVEL_1 @ score = 4-6


    accept
# END aux_scan_spam:
#----------------------------------------------------------#



the way i (currently) see it, something in BOTH of these is 'sensitive' to the presence of
TLS="on" in TBird.

but what/why?

richard
--

/"\
\ / ASCII Ribbon Campaign
X against HTML email, vCards
/ \ & micro$oft attachments
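
Added example (not part of the original message): when comparing TLS and non-TLS test cases like the ones above, it helps to pull the X=, CV=, A= and C= fields out of the Exim main log for each leg of a message. The function names parse_line and tls_legs are hypothetical; only arrival (<=) and delivery (=>) lines are handled.

```python
import re

# Entries from the log quoted in the message, rejoined onto single lines
# (the archive wrapped them); addresses remain redacted as "???".
SAMPLE_LOG = [
    '2005-10-10 09:42:48 -0700 IO5L3C-0008EN-CG Subject: sdfg',
    '2005-10-10 09:42:48 -0700 IO5L3C-0008EN-CG <= testuser@??? H=pb1.mydomain.com '
    '[10.0.0.6]:60670 I=[10.0.0.5]:25 P=esmtpsa X=TLSv1:AES256-SHA:256 CV=no '
    'A=sasl_cram_md5:testuser@??? S=961 id=434A9A07.6010606@??? T="sdfg" from '
    '<testuser@???> for testuser2@???',
    '2005-10-10 09:42:50 -0700 IO5L3C-0008EN-CG => testuser2@??? F=<testuser@???> '
    'P=<testuser@???> R=dnslookup_nearby T=remote_smtp S=986 H=mail.presence-group.com '
    '[10.0.0.2]:25 X=TLSv1:DES-CBC3-SHA:168 CV=no DN="/CN=mail.mydomain.com" '
    'C="250 3039208 ok" QT=2s DT=1s',
    '2005-10-10 09:42:50 -0700 IO5L3C-0008EN-CG Completed QT=2s',
]

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?: [+-]\d{4})?) '
    r'(?P<id>\w{6}-\w{6,11}-\w{2,4}) (?P<dir><=|=>) (?P<addr>\S+)(?P<rest>.*)$')
# KEY=value or KEY="quoted value"; keys are one or two letters (H, X, CV, id ...)
FIELD_RE = re.compile(r'(?<!\S)([A-Za-z]{1,2})=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Return a dict for an arrival (<=) or delivery (=>) line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['fields'] = {k: v.strip('"') for k, v in FIELD_RE.findall(rec.pop('rest'))}
    return rec

def tls_legs(lines):
    """Per message id, list each leg with its TLS details, auth and SMTP reply."""
    legs = {}
    for rec in filter(None, map(parse_line, lines)):
        f = rec['fields']
        proto, cipher, bits = (f['X'].split(':') + [None] * 3)[:3] if 'X' in f else (None,) * 3
        legs.setdefault(rec['id'], []).append({
            'leg': 'inbound' if rec['dir'] == '<=' else 'outbound',
            'tls': proto, 'cipher': cipher, 'bits': int(bits) if bits else None,
            'cert_verified': f.get('CV') == 'yes',
            'auth': f.get('A'), 'smtp_reply': f.get('C'),
        })
    return legs

if __name__ == '__main__':
    print(tls_legs(SAMPLE_LOG))
```
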