[exim] problem with greylistd

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Jan Johansson
Date:  
À: exim-users
Sujet: [exim] problem with greylistd
If i run the below without the defer part in ACL_check_rcpt about
mailscanner, all works ok.

But if I enable that section, the incoming mail just gets dropped in the
incoming spool-dir, and never gets picket up by mailscanner.

Any clue as to why that is happening? (Exim 4.63, exim4-daemon-heavy in
Debian)


haven:/var/run/greylistd# cat /etc/exim4/exim4.conf.template | grep -v
^#
.include /etc/xams/exim-custom.conf
trusted_users = root : mail : xams
domainlist local_domains = @:+xams_domains:+custom_local_domains
domainlist relay_to_domains = +custom_relay_to_domains
hostlist relay_from_hosts = 127.0.0.1:+custom_relay_from_hosts

acl_smtp_rcpt = acl_check_rcpt

never_users = root

host_lookup = *

rfc1413_hosts = *
rfc1413_query_timeout = 30s

ignore_bounce_errors_after = 2d

timeout_frozen_after = 7d

.ifdef TLS_ENCRYPTION
tls_advertise_hosts = *
tls_certificate = /usr/local/exim/exim.cert
tls_privatekey = /usr/local/exim/exim.pem
.endif


.ifdef EXISCAN_MODULE
    # The following ACL entry is used if you want to do content scanning
with the
    # exiscan-acl patch. When you uncomment this line, you must also
review the
    # acl_check_content entry in the ACL section further below.
    acl_smtp_data = acl_check_content
.endif


.ifdef MAILSCANNER_INCOMING
spool_directory = /var/spool/exim4-incoming
queue_only = true
.elifdef MAILSCANNER_OUTGOING
spool_directory = /var/spool/exim4-outgoing
pid_file_path = /var/run/exim4/exim-outgoing.pid
.else
spool_directory = /var/spool/exim4
.endif

.include /etc/xams/exim-global.conf

.include /etc/xams/exim-sql-macros.conf

begin acl

acl_check_rcpt:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do
this by
# testing for an empty sending host field.

  accept  hosts = :
        accept  authenticated = *


#defer
#                message = Please try later.
#                !hosts      = /etc/greylistd/whitelist-hosts
#                !senders    = :
##               !acl        = acl_clean_helo
#                log_message = greylisted.
#                set acl_m9  = ${mask:$sender_host_address/24}
$sender_address $local_part@$domain
#                set acl_m9  =
${readsocket{/var/run/greylistd/socket}{$acl_m9}{5s}{}{}}
#                condition   = ${if eq {$acl_m9}{grey}{true}{false}}




########################################################################
#####
# The following section of the ACL is concerned with local parts that
contain
# @ or % or ! or / or | or dots in unusual places.
#
# The characters other than dots are rarely found in genuine local
parts, but
# are often tried by people looking to circumvent relaying
restrictions.
# Therefore, although they are valid in local parts, these rules lock
them
# out, as a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but
Exim
# allows them because they have been encountered. (Consider local
parts
# constructed as "firstinitial.secondinitial.familyname" when applied
to
# someone like me, who has no second initial.) However, a local part
starting
# with a dot or containing /../ can cause trouble if it is used as
part of a
# file name (e.g. for a mailing list). This is also true for local
parts that
# contain slashes. A pipe symbol can also be troublesome if the local
part is
# incorporated unthinkingly into a shell command line.
#
# Two different rules are used. The first one is stricter, and is
applied to
# messages that are addressed to one of the local domains handled by
this
# host. It blocks local parts that begin with a dot or contain @ % ! /
or |.
# If you have local accounts that include these characters, you will
have to
# modify this rule.

  deny    domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]


# The second rule applies to all other domains, and is less strict.
This
# allows your own users to send outgoing messages to sites that use
slashes
# and vertical bars in their local parts. It blocks local parts that
begin
# with a dot, slash, or vertical bar, but allows these characters
within the
# local part. However, the sequence /../ is barred. The use of @ % and
! is
# blocked, as before. The motivation here is to prevent your users (or
# your users' viruses) from mounting certain kinds of attack on remote
sites.

  deny    domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


########################################################################
#####

# Accept mail to postmaster in any local domain, regardless of the
source,
# and without verifying the sender.

  accept  local_parts   = postmaster
          domains       = +local_domains


# Deny unless the sender address can be verified.

  require verify        = sender



########################################################################
#####
  # There are no checks on DNS "black" lists because the domains that
contain
  # these lists are changing all the time. However, here are two
examples of
  # how you could get Exim to perform a DNS black list lookup at this
point.
  # The first one denies, while the second just warns.
  #
  # deny    message       = rejected because $sender_host_address is in
a black list at $dnslist_domain\n$dnslist_text
  #         dnslists      = black.list.example
  #
  # warn    message       = X-Warning: $sender_host_address is in a
black list at $dnslist_domain
  #         log_message   = found in $dnslist_domain
  #         dnslists      = black.list.example


########################################################################
#####

# Accept if the address is in a local domain, but only if the
recipient can
# be verified. Otherwise deny. The "endpass" line is the border
between
# passing on to the next ACL statement (if tests above it fail) or
denying
# access (if tests below it fail).

  accept  domains       = +local_domains
          endpass
          verify        = recipient


# Accept if the address is in a domain for which we are relaying, but
again,
# only if the recipient can be verified.

  accept  domains       = +relay_to_domains
          endpass
          verify        = recipient


# If control reaches this point, the domain is neither in
+local_domains
# nor in +relay_to_domains.

# Accept if the message comes from one of the hosts for which we are
an
# outgoing relay. Recipient verification is omitted here, because in
many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should
probably
# add recipient verification here.

  accept  hosts         = +relay_from_hosts


# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.

accept authenticated = *

# Reaching the end of the ACL causes a "deny", but we might as well
give
# an explicit message.

  deny    message       = relay not permitted


.ifdef EXISCAN_MODULE
    # This access control list is used for content scanning with the
exiscan-acl
    # patch. You must also uncomment the entry for acl_smtp_data (scroll
up),
    # otherwise the ACL will not be used.


    acl_check_content:


        accept  hosts = +relay_from_hosts


        accept  authenticated = *


        # Include the site content ACL definitions
        .include /etc/xams/exim-content-acl.conf


        # finally accept all the rest
        accept
.endif



begin routers

.ifdef MAILSCANNER_INCOMING
defer_router:
driver = redirect
allow_defer
data = :defer: All deliveries are deferred
verify = false
.endif

.include /etc/xams/exim-routers.conf





dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more







system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe






userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply


localuser:
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user




begin transports
.include /etc/xams/exim-transports.conf


remote_smtp:
driver = smtp



local_delivery:
driver = appendfile
file = /var/mail/$local_part
delivery_date_add
envelope_to_add
return_path_add



address_pipe:
driver = pipe
return_output



address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add



address_reply:
driver = autoreply




begin retry



*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h






begin rewrite




begin authenticators

plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${if !eq {} \
    {${if eq {} {${domain:$2}} \
        {${lookup SQL_AUTH_UNIQUE_PLAIN{1}}} \
        {${lookup SQL_AUTH_PLAIN{1}}} \
    }} \
    {yes}{no} \
  }
  server_set_id = $2


login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${if !eq {} \
    {${if eq {} {${domain:$1}} \
        {${lookup SQL_AUTH_UNIQUE_LOGIN{1}}} \
        {${lookup SQL_AUTH_LOGIN{1}}} \
    }} \
    {yes}{no} \
  }
  server_set_id = $1