[exim] Sender verification, permanent vs. transient error co…

Author: Eric Messick
Date:  
To: exim-users
Subject: [exim] Sender verification, permanent vs. transient error codes
I'm having trouble sending email to a domain that uses exim 4.63. The
problem occurs with sender verification.

I snooped the packets on my outgoing smtp server and saw the following
exchange:

-------------------------
I (198.144.198.191) open a connection from port 4500 to their (209.51.152.98)
port 25.
They try to connect to my port 113 for auth.
I reply with an ICMP Destination Unreachable.
Then we do a normal SMTP exchange. When I send "RCPT TO:", they start the
sender verify:

They open a connection from port 40774 to my port 25, sending SYN.
I reply with SYN ACK.
They reply with ACK, completing the opening of the connection.
They send FIN ACK, immediately closing the connection.
I reply to the initial open with an ACK, followed by the text "220
syzygy.com ESMTP".
I then notice that they've closed the connection and send FIN ACK.
They reply to my last ACK and data packets with a pair of RST packets, since
they closed the connection without waiting for this data.

Back on the port 4500 connection, they reply with "451 Could not complete
sender verify callout".
-----------------------------

Well, I looked at:

http://www.exim.org/exim-html-3.00/doc/html/oview.html#SEC21

which says:

Unfortunately, several mailers believe that any error response after the
data for a message has been sent indicates a temporary error. Consequently,
such mailers will continue to try to send a message that has been rejected
as described above. To prevent this, whenever a message is rejected, Exim
records the time, bad address, and host in a DBM database. If the same host
sends the same bad address within 24 hours, it is rejected immediately at
the MAIL FROM command.

Sadly, even this doesn't stop some mailers from repeatedly trying to send
the message. As a last resort, if the same host sends the same bad address
for a third time in 24 hours, the MAIL FROM command is accepted, but all
subsequent RCPT TO commands are rejected. If this does not stop a remote
mailer then it is badly broken.

Since my MAIL FROM command is being accepted, and the RCPT TO is being
rejected, I'm guessing that I've landed in this DBM database. I know that
qmail is retrying these messages.

There are several curious things going on here. First, I have no idea why
sender verify would have ever failed, since I've never seen any error other
than the "451 Could not complete sender verify callout". There might be a
configuration problem on my end, but I can't get any info to debug it.

Second, the actual sender verify exchange doesn't seem to match what exim
claims to do. I gather that it's supposed to actually present an email
address and get back a yes/no reply from my side. Instead, it's just
opening the connection and closing it, without waiting for my initial 220
string. Perhaps it's finding me in the database and decides it doesn't need
to bother with the actual verification, so it just closes the connection.
That would be very bad, since I wouldn't have any chance of fixing a problem
once I got into that database. I'd have to flush my queue and not send any
email to that domain for 24 hours.

Most troubling, though, is that (according to the above link) exim expects
me to stop retrying, and tells me this by giving me a 451 TRANSIENT error.
Why would I stop trying when given a transient error?

Does exim record the error in this database, and resend it each time with
the same error code? That could explain the problem. Perhaps an actual
transient error occurred, and I retried enough to get stuck in the
database. Then, even though the error was fixed I still got an old copy of
the transient error message. It seems far-fetched.

Can anyone tell from this what is going on?

What other info is needed to figure this out?

Thanks

-eric
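
Added example, not part of the original message and not Exim's code: a toy Python model of the rejection cache described in the Exim 3.00 overview passage quoted above, showing what a retrying host sees at each attempt. The class and function names, the in-memory dict standing in for the DBM database, the window being measured from the recorded rejection, and the handling of attempts after the third are assumptions.

```python
from dataclasses import dataclass, field

WINDOW = 24 * 3600  # "within 24 hours", in seconds


@dataclass
class RejectCache:
    """Toy model of the quoted policy, keyed by (host, bad address)."""
    # value: (time of the recorded rejection, attempts seen since then)
    seen: dict = field(default_factory=dict)

    def record_rejection(self, host, sender, now):
        """A message was rejected: remember time, bad address and host."""
        self.seen[(host, sender)] = (now, 1)

    def on_mail_from(self, host, sender, now):
        """Return (MAIL FROM action, handling of the RCPT TO commands)."""
        key = (host, sender)
        entry = self.seen.get(key)
        if entry is None or now - entry[0] > WINDOW:
            self.seen.pop(key, None)       # unknown or expired entry
            return ("accept", "normal")
        first, count = entry
        self.seen[key] = (first, count + 1)
        if count + 1 == 2:
            return ("reject", None)        # second time: refused at MAIL FROM
        # Third time (assumed: and any later one): MAIL FROM is accepted,
        # but every subsequent RCPT TO is refused.
        return ("accept", "reject-all")


def replay(attempt_times, host="192.0.2.10", sender="bad@example.org"):
    """Replay constructed retry times (seconds) after a rejection at t=0."""
    cache = RejectCache()
    cache.record_rejection(host, sender, 0)
    return [cache.on_mail_from(host, sender, t) for t in attempt_times]


if __name__ == "__main__":
    # Constructed retry schedule: 1 h, 2 h, 3 h, then just past 24 h.
    for t, action in zip((3600, 7200, 10800, WINDOW + 1),
                         replay((3600, 7200, 10800, WINDOW + 1))):
        print(t, action)
```

The "reject-all" stage is the one the message above suspects, since it matches a MAIL FROM that is accepted followed by a refused RCPT TO; the quoted passage does not say which reply codes are used at any stage, so the model returns actions rather than codes.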