hi all,
ok, some progress.
case(1) Delivery OK : TBird, no-TLS / VIRUS + DK + SPAM checks in DATA ACL
case(2) Delivery OK : TBird, yes-TLS / VIRUS checks in DATA ACL
case(3) Delivery FAIL : TBird, yes-TLS / VIRUS + DK checks in DATA ACL
Delivery FAIL : TBird, yes-TLS / VIRUS + SPAM checks in DATA ACL
so, it seems something in DK &/or SPAM checks is causing the FAIL on TLS ... but what?
details follow ....
cheers,
richard
-----------------------------------------------------------------------------
case(1): delivery is SUCCESSFUL.
with TBird's use-tls-on-outbound-smtp --> "OFF"
and, this DATA ACL:
=====================
acl_check_data:
  ...
  ### VIRUS ###
  require acl       = aux_scan_virus
  ### DOMAIN KEYS ###
  require acl       = aux_check_domainkeys
  ### SPAM ###
  require acl       = aux_scan_spam
          condition = ${if <\
                         {$message_size}\
                         {MESSAGE_SIZE_SPAM_MAX}\
                         {1}{0}\
                       }
  accept
# END acl_check_data:
=====================
case(2): delivery is SUCCESSFUL.
with TBird's use-tls-on-outbound-smtp --> "ON"
and, this DATA ACL:
=====================
acl_check_data:
  ...
  ### VIRUS ###
  require acl       = aux_scan_virus
  # ### DOMAIN KEYS ###
  # require acl       = aux_check_domainkeys
  # ### SPAM ###
  # require acl       = aux_scan_spam
  #         condition = ${if <\
  #                        {$message_size}\
  #                        {MESSAGE_SIZE_SPAM_MAX}\
  #                        {1}{0}\
  #                      }
  accept
# END acl_check_data:
=====================
e.g., exim-debug-log output:
2005-10-10 09:42:47 -0700 SMTP connection from [10.0.0.6]:60670 I=[10.0.0.5]:25 (TCP/IP connection count = 1)
2005-10-10 09:42:48 -0700 IO5L3C-0008EN-CG Subject: sdfg
2005-10-10 09:42:48 -0700 IO5L3C-0008EN-CG <= testuser@??? H=pb1.mydomain.com [10.0.0.6]:60670 I=[10.0.0.5]:25 P=esmtpsa X=TLSv1:AES256-SHA:256 CV=no A=sasl_cram_md5:testuser@??? S=961 id=434A9A07.6010606@??? T="sdfg" from <testuser@???> for testuser2@???
2005-10-10 09:42:48 -0700 SMTP connection from pb1.mydomain.com [10.0.0.6]:60670 I=[10.0.0.5]:25 closed by QUIT
2005-10-10 09:42:48 -0700 cwd=/var/MailServer/Mail/MailSpool 4 args: /usr/local/exim/bin/exim -d=0xfbbd5cfd -Mc IO5L3C-0008EN-CG
2005-10-10 09:42:50 -0700 IO5L3C-0008EN-CG => testuser2@??? F=<testuser@???> P=<testuser@???> R=dnslookup_nearby T=remote_smtp S=986 H=mail.presence-group.com [10.0.0.2]:25 X=TLSv1:DES-CBC3-SHA:168 CV=no DN="/CN=mail.mydomain.com" C="250 3039208 ok" QT=2s DT=1s
2005-10-10 09:42:50 -0700 IO5L3C-0008EN-CG Completed QT=2s
case(3): delivery FAILS.
with TBird's use-tls-on-outbound-smtp --> "ON"
and, EITHER this DATA ACL:
=====================
acl_check_data:
  ...
  ### VIRUS ###
  require acl       = aux_scan_virus
  ### DOMAIN KEYS ###
  require acl       = aux_check_domainkeys
  # ### SPAM ###
  # require acl       = aux_scan_spam
  #         condition = ${if <\
  #                        {$message_size}\
  #                        {MESSAGE_SIZE_SPAM_MAX}\
  #                        {1}{0}\
  #                      }
  accept
# END acl_check_data:
=====================
*OR* this DATA ACL:
=====================
acl_check_data:
  ...
  ### VIRUS ###
  require acl       = aux_scan_virus
  # ### DOMAIN KEYS ###
  # require acl       = aux_check_domainkeys
  ### SPAM ###
  require acl       = aux_scan_spam
          condition = ${if <\
                         {$message_size}\
                         {MESSAGE_SIZE_SPAM_MAX}\
                         {1}{0}\
                       }
  accept
# END acl_check_data:
=====================
and, with TBird's use-tls-on-outbound-smtp --> "ON", delivery is SUCCESSFUL.
2005-10-10 09:42:47 -0700 SMTP connection from [10.0.0.6]:60670 I=[10.0.0.5]:25 (TCP/IP connection count = 1)
2005-10-10 09:42:48 -0700 IO5L3C-0008EN-CG Subject: sdfg
2005-10-10 09:42:48 -0700 IO5L3C-0008EN-CG <= testuser@??? H=pb1.mydomain.com [10.0.0.6]:60670 I=[10.0.0.5]:25 P=esmtpsa X=TLSv1:AES256-SHA:256 CV=no A=sasl_cram_md5:testuser@??? S=961 id=434A9A07.6010606@??? T="sdfg" from <testuser@???> for testuser2@???
2005-10-10 09:42:48 -0700 SMTP connection from pb1.mydomain.com [10.0.0.6]:60670 I=[10.0.0.5]:25 closed by QUIT
2005-10-10 09:42:48 -0700 cwd=/Volumes/g3_DATA1/MailServer/Mail/MailSpool 4 args: /usr/local/exim/bin/exim -d=0xfbbd5cfd -Mc IO5L3C-0008EN-CG
2005-10-10 09:42:50 -0700 IO5L3C-0008EN-CG => testuser2@??? F=<testuser@???> P=<testuser@???> R=dnslookup_nearby T=remote_smtp S=986 H=mail.presence-group.com [10.0.0.2]:25 X=TLSv1:DES-CBC3-SHA:168 CV=no DN="/CN=mail.mydomain.com" C="250 3039208 ok" QT=2s DT=1s
2005-10-10 09:42:50 -0700 IO5L3C-0008EN-CG Completed QT=2s
looking at both 'errant' ACLs, DomainKeysCheck & SpamCheck,
#----------------------------------------------------------#
### DOMAIN KEYS ###
aux_check_domainkeys:
  warn  logwrite    = $dk_result
  warn  message     = X--DomainKeys: Scanned with Exiscan
  deny  set acl_m9  = REJECTED[domainkey] - \
                      DomainKey failed ($dk_status)
        message     = $acl_m9
        log_message = LOG_HDR: $acl_m9
        dk_policy   = signsall
        !dk_status  = good
  deny  set acl_m9  = REJECTED[domainkey] - \
                      DomainKey failed ($dk_status)
        message     = $acl_m9
        log_message = LOG_HDR: $acl_m9
        !dk_policy  = testing
        dk_status   = bad:revoked
  warn  message     = X--DomainKey-Status: $dk_status
  accept
# END aux_check_domainkeys:
#----------------------------------------------------------#
#----------------------------------------------------------#
### SPAM ###
aux_scan_spam:
  # Check for pre-existing SPAM CHECK crypto header ID
  accept condition   = ${if eq \
                         {${hmac{md5}{SECRET_SPAM_SCAN}{$body_linecount}}}\
                         {$h_X--SpamScanID:}\
                         {1}{0}\
                       }
  warn   message     = X--SpamScanner: Scanned with SpamAssassin
  # discard @ score = 20+
  deny   set acl_m9  = REJECTED[spam] - \
                       Classified as spam (score $spam_score)
         message     = $acl_m9
         log_message = LOG_HDR: $acl_m9
         spam        = nobody:true
         condition   = ${if >\
                          {$spam_score_int}\
                          {MY_SPAM_DUMP_SCORE}\
                          {1}{0}\
                        }
  # NOTE: $spam_score_int is the message's score multiplied by ten
  # Add crypto header ID
  warn   set acl_m9  = X--SpamScanID: \
                       ${hmac{md5}{SECRET_SPAM_SCAN}{$body_linecount}}
         message     = $acl_m9
  warn   set acl_m9  = X--SpamScore: \
                       $spam_score ($spam_bar)
         message     = $acl_m9
         spam        = nobody:true
  warn   set acl_m9  = X--SpamReport: \
                       $spam_report
         message     = $acl_m9
         spam        = nobody:true
  # redirect for viewing in SPAM_LEVEL_2 @ score = 6-19
  warn   set acl_m9  = X--Redirect-To: \
                       postmaster@MY_HOST_DOMAIN
         message     = $acl_m9
         #message    = Subject: **** SPAM **** $h_Subject
         spam        = nobody
  # MY_SPAM_QUARANTINE_SCORE = 60
  # redirect for viewing in SPAM_LEVEL_1 @ score = 4-6
  accept
# END aux_scan_spam:
#----------------------------------------------------------#
the way i (currently) see it, something in BOTH of these is 'sensitive' to the presence of
TLS="on" in TBird.
but what/why?
richard