Re: [exim] Sender verification, permanent vs. transient erro…

Top Page
Delete this message
Reply to this message
Author: Magnus Holmgren
Date:  
To: exim-users
Subject: Re: [exim] Sender verification, permanent vs. transient error codes
On Thursday 25 January 2007 01:02, Eric Messick wrote:
> I'm having trouble sending email to a domain that uses exim 4.63. The
> problem occurs with sender verification.
>
> I snooped the packets on my outgoing smtp server and saw the following
> exchange:
>
> -------------------------
> I (198.144.198.191) open a connection from port 4500 to their
> (209.51.152.98) port 25.
> They try to connect to my port 113 for auth.
> I reply with an ICMP Destination Unreachable.
> Then we do a normal SMTP exchange. When I send "RCPT TO:", they start the
> sender verify:
>
> They open a connection from port 40774 to my port 25, sending SYN.
> I reply with SYN ACK.
> They reply with ACK, completing the opening of the connection.
> They send FIN ACK, immediately closing the connection.
> I reply to the initial open with an ACK, followed by the text "220
> syzygy.com ESMTP".
> I then notice that they've closed the connection and send FIN ACK.
> They reply to my last ACK and data packets with a pair of RST packets,
> since they closed the connection without waiting for this data.
>
> Back on the port 4500 connection, they reply with "451 Could not complete
> sender verify callout".


That's strange. I tested from sesame (the www.exim.org box) and got through
fine. I can see the sender verification in Exim's log.

> Well, I looked at :
>
> http://www.exim.org/exim-html-3.00/doc/html/oview.html#SEC21


That document is massively outdated. Some information may still be valid,
though.

> Unfortunately, several mailers believe that any error response after the
> data for a message has been sent indicates a temporary error. Consequently,
> such mailers will continue to try to send a message that has been rejected
> as described above. To prevent this, whenever a message is rejected, Exim
> records the time, bad address, and host in a DBM database. If the same host
> sends the same bad address within 24 hours, it is rejected immediately at
> the MAIL FROM command.
>
> Sadly, even this doesn't stop some mailers from repeatedly trying to send
> the message. As a last resort, if the same host sends the same bad address
> for a third time in 24 hours, the MAIL FROM command is accepted, but all
> subsequent RCPT TO commands are rejected. If this does not stop a remote
> mailer then it is badly broken.


This talks about sender verification and the subsequent possible rejection
after the DATA command. As you never got that far, it doesn't apply.

> Since my MAIL FROM command is being accepted, and the RCPT TO is being
> rejected, I'm guessing that I've landed in this DBM database. I know that
> qmail is retrying these messages.


This is something Exim 3.00 apparently was doing. Exim 4.63 has way more
flexibility; thus you can't draw any conclusions as to whether you've ended
up in any database. Usually callout verification is done after RCPT TO and
there is no such database at all.

So sorry, the rest of your mail is irrelevant as well.

I can't say for sure where the problem lies. Perhaps they had a temporary
problem. Maybe someone else on this list has a similar configuration so that
you can test against their server.

-- 
Magnus Holmgren        holmgren@???
                       (No Cc of list mail needed, thanks)


"Exim is better at being younger, whereas sendmail is better for
Scrabble (50 point bonus for clearing your rack)" -- Dave Evans