[exim] Exim rejecting outside messages

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Tony Hake
Dátum:  
Címzett: exim-users
Tárgy: [exim] Exim rejecting outside messages
I am fighting an issue with my cPanel Exim server in which some customers
are unable to intermittently receive mail. The sender receives an error
message back as if they were trying to SMTP directly through my server which
of course they are not. The message they receive says:

<joe@???>:
[MY SERVER IP] does not like recipient.
Remote host said: 550-[CUSTOMERS PROVIDER] [CUSTOMERS IP]:55846 is
currently not permitted to
550-relay through this server. Perhaps you have not logged into the
pop/imap
550-server in the last 30 minutes or do not have SMTP Authentication
turned on
550 in your email client.
Giving up on [MY SERVER IP]

The important thing to note is that an outside person sending email to a
domain on my server is receiving this message. This is NOT coming from
someone actually using my server to send an email - it happens on incoming
messages. If the sender re-sends the message, it goes through just fine.

It is my understanding that this will happen if exim can't properly read the
localdomains file but I have done everything I can think of with that.

Here is what I have done so far:

- Verified recipients domain is in /etc/localdomains and /etc/userdomains
- Deleted locadomain and recreated it
- Tried #/scripts/eximup -force
- Verified no domains were in remotedomains

Below is a portion of my exim.conf. Any help would be very much greatly
appreciated as I have searched high and low and cannot find an answer.
Thanks!

Tony

#!!# cPanel Exim 4 Config

log_selector = +all


#!!# These options specify the Access Control Lists (ACLs) that
#!!# are used for incoming SMTP messages - after the RCPT and DATA
#!!# commands, respectively.

av_scanner = clamd:/var/clamd

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

#!!# This setting defines a named domain list called
#!!# local_domains, created from the old options that
#!!# referred to local domains. It will be referenced
#!!# later on by the syntax "+local_domains".
#!!# Other domain and host lists may follow.

domainlist local_domains = lsearch;/etc/localdomains

domainlist relay_domains = lsearch;/etc/localdomains : \
    lsearch;/etc/secondarymx
hostlist relay_hosts = lsearch;/etc/relayhosts : \
    localhost
hostlist auth_relay_hosts = *


######################################################################
#                  Runtime configuration file for Exim               #
######################################################################



# This is a default configuration file which will operate correctly in
# uncomplicated installations. Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file. There are many more than are mentioned here. The
# manual is in the file doc/spec.txt in the Exim distribution as a plain
# ASCII file. Other formats (PostScript, Texinfo, HTML) are available from
# the Exim ftp sites. The manual is also online via the Exim web sites.


# This file is divided into several parts, all but the last of which are
# terminated by a line containing the word "end". The parts must appear
# in the correct order, and all must be present (even if some of them are
# in fact empty). Blank lines, and lines starting with # are ignored.



######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################


perl_startup = do '/etc/exim.pl'

#dns_retry = 1
#dns_retrans = 1s

# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name.

smtp_banner = "${primary_hostname} ESMTP Exim ${version_number} \
\#${compile_number} ${tod_full} \n\
We do not authorize the use of this system to transport unsolicited, \n\
and/or bulk e-mail."


#nobody as the sender seems to annoy people
untrusted_set_sender = *
local_from_check = false

rfc1413_query_timeout = 2s

split_spool_directory = yes

smtp_connect_backlog = 50
smtp_accept_max = 100

# primary_hostname =
deliver_queue_load_max = 3
auto_thaw = 6d
ignore_bounce_errors_after = 7d
timeout_frozen_after = 8d

# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "caesar@???" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an
unqualified
# email address. Unqualified addresses are accepted only from local callers
by
# default. See the receiver_unqualified_{hosts,nets} options if you want
# to permit unqualified addresses from remote sources. If this option is
# not set, the primary_hostname value is used for qualification.

# qualify_domain =


# If you want unqualified recipient addresses to be qualified with a
different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

# qualify_recipient =


# Specify your local domains as a colon-separated list here. If this option
# is not set (i.e. not mentioned in the configuration file), the
# qualify_recipient value is used as the only local domain. If you do not
want
# to do any local deliveries, uncomment the following line, but do not
supply
# any data for it. This sets local_domains to an empty string, which is not
# the same as not mentioning it at all. An empty string specifies that there
# are no local domains; not setting it at all causes the default value (the
# setting of qualify_recipient) to be used.

#!!# message_filter renamed system_filter
system_filter = /etc/antivirus.exim
message_body_visible = 5000

# If you want to accept mail addressed to your host's literal IP address,
for
# example, mail addressed to "user@???", then uncomment the
# following line, or supply the literal domain(s) as part of "local_domains"
# above.

# local_domains_include_host_literals

# No local deliveries will ever be run under the uids of these users (a
colon-
# separated list). An attempt to do so gets changed so that it runs under
the
# uid of "nobody" instead. This is a paranoic safety catch. Note the default
# setting means you cannot deliver mail addressed to root as if it were a
# normal user. This isn't usually a problem, as most sites have an alias for
# root that redirects such mail to a human administrator.

never_users = root

# The use of your host as a mail relay by any host, including the local host
# calling its own SMTP port, is locked out by default. If you want to permit
# relaying from the local host, you should set
#
# host_accept_relay = localhost
#
# If you want to permit relaying through your host from certain hosts or IP
# networks, you need to set the option appropriately, for example
#
#
#
# If you are an MX backup or gateway of some kind for some domains, you must
# set relay_domains to match those domains. This will allow any host to
# relay through your host to those domains.
#
# See the section of the manual entitled "Control of relaying" for more
# information.

# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

#host_lookup = 0.0.0.0/0


# By default, Exim expects all envelope addresses to be fully qualified,
that
# is, they must contain both a local part and a domain. If you want to
accept
# unqualified addresses (just a local part) from certain hosts, you can
specify
# these hosts by setting one or both of
#
# receiver_unqualified_hosts =
# sender_unqualified_hosts =
#
# to control sender and receiver addresses, respectively. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).


# Exim contains support for the Realtime Blocking List (RBL) that is being
# maintained as part of the DNS. See http://maps.vix.com/rbl/ for
background.
# Uncommenting the first line below will make Exim reject mail from any
# host whose IP address is blacklisted in the RBL at maps.vix.com. Some
# others have followed the RBL lead and have produced other lists: DUL is
# a list of dial-up addresses, and ORBS is a list of open relay systems. The
# second line below checks all three lists.

# rbl_domains = rbl.maps.vix.com
# rbl_domains = rbl.maps.vix.com


# If you want Exim to support the "percent hack" for all your local domains,
# uncomment the following line. This is the feature by which mail addressed
# to x%y@z (where z is one of your local domains) is locally rerouted to
# x@y and sent on. Otherwise x%y is treated as an ordinary local part.

# percent_hack_domains = *

#sender_host_accept = +include_unknown:*
#sender_host_reject = +include_unknown:lsearch*;/etc/spammers

tls_certificate = /etc/exim.crt
tls_privatekey = /etc/exim.key
tls_advertise_hosts = *

helo_accept_junk_hosts = *

smtp_enforce_sync = false


#!!#######################################################!!#
#!!# This new section of the configuration contains ACLs #!!#
#!!# (Access Control Lists) derived from the Exim 3      #!!#
#!!# policy control options.                             #!!#
#!!#######################################################!!#


#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.

begin acl

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :


  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists
{/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}


  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists
{/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                {yes}{no}}



  # Accept bounces to lists even if callbacks or other checks would fail
  warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
           condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists
{/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}
}} \
                {yes}{no}}


  accept   condition    = \
           ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                     {exists
{/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}
}} \
                {yes}{no}}


#if it gets here it isn't mailman


#sender verifications are required for all messages that are not sent to
lists


require verify = sender

deny      message = Message rejected because $sender_host_address is \
                    blacklisted at $dnslist_domain
          dnslists = bl.spamcop.net : \
                     cbl.abuseat.org : \
                     dnsbl.njabl.org : \
                     cn-kr.blackholes.us : \
                     Sbl.spamhaus.org



accept domains = +local_domains
endpass


#recipient verifications are required for all messages that are not sent
to the local machine
#this was done at multiple users requests


message = "The recipient cannot be verified. Please all recipients of
this message to verify they are valid."
verify = recipient


accept domains = +relay_domains
accept hosts = +relay_hosts
accept condition = ${perl{checkrelayhost}{$sender_host_address}}


  accept  hosts = +auth_relay_hosts
          endpass
          message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication
turned on in your email client.
          authenticated = *


  deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication
turned on in your email client.



#!!# ACL that is used after the DATA command
check_message:
require verify = header_sender
accept