Phil Pennock schrieb:
> [...]In the first section of your config should be a line defining which
> named ACL test is to be used for "acl_smtp_rcpt". You need to post that
> ACL here -- all of it.
>
>
Here's my whole ACLs section: (I'll skip commented-out lines to make
this message smaller)
begin acl
# The named ACLs spf_rcpt_acl, spf_from_acl and spf_check referenced below via
# "!acl = ..." are defined in this include (reproduced further down in the posting).
.include /etc/exim4/vexim-acl-check-spf.conf
#this file is attached
# ACL run at HELO/EHLO time (the attached trace shows 'using ACL "acl_check_helo"'
# right after the HELO command); its statements come from the include below.
acl_check_helo:
.include /etc/exim4/vexim-acl-check-helo.conf
#this file is attached
# ACL run for every RCPT TO.  The order matters: the first statement whose
# conditions all match decides, so the relay checks at the bottom are only
# reached by recipients that are neither local nor relay domains.
acl_check_rcpt:
# An empty host list (":") matches only when there is no remote host, i.e. mail
# submitted locally rather than over TCP/IP (standard Exim default-config idiom);
# a remote client, as in the attached trace, never matches it.
accept hosts = :
.include /etc/exim4/vexim-acl-check-rcpt.conf
#this file is attached
# Reject local parts containing any of @ % ! / | or starting with a dot.  The
# double backslash survives string expansion as a single one ("^\." in the trace).
deny local_parts = ^.*[@%!/|] : ^\\.
# postmaster at a local domain is accepted without recipient verification.
accept local_parts = postmaster
domains = +local_domains
# Local domains: past "endpass" a failing verify turns this accept into a deny
# instead of falling through to the later statements.
accept domains = +local_domains
endpass
verify = recipient
# Same for domains we relay to.
accept domains = +relay_to_domains
endpass
verify = recipient
# Anything else is relayed only for trusted hosts or authenticated clients;
# all remaining recipients are rejected (this is the path the attached trace took).
accept hosts = +relay_from_hosts
accept authenticated = *
deny message = relay not permitted
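# ACL run once the message content has been received; the content checks live in
# the include and the final accept lets through whatever they did not reject.
acl_check_content:
# Exim does not support trailing comments: text after the file name on a .include
# line becomes part of the name.  The posting had "#This file is attached" on the
# same line as the .include; the daemon in the attached trace started, so the
# deployed file presumably kept the note on its own line, as done here.
.include /etc/exim4/vexim-acl-check-content.conf
#This file is attached
accept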
> You can get more diagnostics, running a debug Exim; this won't detach
> from the terminal, so you'll see what's going on. For instance:
>
> # exim -d+acl+auth -oX 26 -bd
>
>
I also did this (with port 25). A copy of my console is attached as
exim-session.txt. (One caveat for anyone repeating this: the "+auth" debug selector can print the authentication exchange itself, so scrub any credentials from the debug output before posting it.)
Regards
Andreas
# Disabled (commented out) per-domain SPF check on the envelope sender, gated on a
# MySQL flag.  $domain is passed through ${quote_mysql:...}, so the recipient
# domain cannot alter the query.  The DNSBL deny below it is disabled as well.
# deny hosts = ! +relay_from_hosts
# condition = ${if eq {${lookup mysql{select count(*) from domains \
# where domain = '${quote_mysql:$domain}' \
# and spamassassin='1'}}}{1} {yes}{no}}
# !acl = spf_rcpt_acl
# deny message = DNSBL listed at $dnslist_domain\n$dnslist_text
# dnslists = sbl-xbl.spamhaus.org:list.dsbl.org:dynablock.njabl.org
# Applies only to messages with an empty envelope sender ("senders = :", i.e.
# bounces) from hosts that are not trusted relays.
# NOTE(review): spf_from_acl checks ${address:$h_from:} -- the From: *header*.
# If this file is the one included from acl_check_rcpt, that header has not been
# received yet at RCPT time, and the SPF include's own usage notes place
# spf_from_acl in the DATA ACL (spf_rcpt_acl is the RCPT-time check).  The
# attached debug trace of acl_check_rcpt does not show this statement being
# evaluated at all, so confirm whether it is meant to be active and where.
deny senders = :
hosts = ! +relay_from_hosts
!acl = spf_from_acl
message = Your sender is not permitted (read spf.pobox.com)
# First unpack MIME containers and reject serious errors.
# "demime = *" unpacks everything; only errors above level 2 are rejected, lower
# levels are tolerated (the reason is echoed in the SMTP reply).
deny message = This message contains a MIME error ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
# Reject typically wormish file extensions. There is almost no
# sense in sending such files by email.
# NOTE(review): this matches on the attachment's file-name extension as reported
# by demime, not on content; renamed or nested archives are not caught here.
deny message = This message contains an unwanted file extension ($found_extension)
demime = scr:vbs:bat:lnk:pif:bz2
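# Reject virus infested messages.
# This must be "deny", not "warn": with "warn" the malware verdict is only logged
# and the message is still accepted, contradicting the intent stated above.  The
# scanner result ($malware_name) is reported in the SMTP reply and the log.
deny message = This message contains malware ($malware_name)
malware = *
log_message = This message contains malware ($malware_name)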
# Reject messages containing "viagra" in all kinds of whitespace/case combinations
# WARNING: this is an example !
# deny message = This message matches a blacklisted regular expression ($regex_match_string)
# regex = [Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa]
# Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings
# (user "nobody"), no matter if over threshold or not.
# NOTE(review): the comment says user "nobody", but the spam condition is run as
# "vmail" (spam = vmail:true).  The ":true" suffix makes the condition succeed
# regardless of the score, which is what makes the headers unconditional.
warn message = X-Spam-Score: $spam_score ($spam_bar)
spam = vmail:true
warn message = X-Spam-Report: $spam_report
spam = vmail:true
# This code was derived from a post to exim-users by Alan J. Flavell:
# http://www.exim.org/pipermail/exim-users/Week-of-Mon-20031201/063095.html
# For mail arriving via this one earthlink forwarder: pull the [a.b.c.d] of the
# original client out of the Received: headers, store the octets reversed in
# acl_m4 and use that as the DNSBL lookup key ("/$acl_m4") instead of the
# connecting host; the matching list and value are reported in the reply.
# The "fail" branch forces an expansion failure when no address is found.
# NOTE(review): whether that failure makes this statement a no-op or a defer is
# not visible here -- confirm.  Also verify each listed DNSBL is still in
# service; a retired list can answer wrongly for every query.
deny hosts = emi.mail.pas.earthlink.net
message = X-PH-FW: leaky forwarder, $dnslist_domain=$dnslist_value
set acl_m4 = ${if match {$h_received:}\
{\N\[(\d+)\.(\d+)\.(\d+)\.(\d+)\]\)\s+.*by \
emi\.mail\.pas\.earthlink\.net\N}\
{$4.$3.$2.$1}fail}
dnslists = sbl-xbl.spamhaus.org:list.dsbl.org:dynablock.njabl.org/$acl_m4
# Same forwarder: reject when the Received: trail shows a bare-IP HELO ("helo=a.b.c.d").
deny hosts = emi.mail.pas.earthlink.net
message = Please use your FQDN for HELO
condition = ${if match {$h_received:}{\Nhelo=\d+\.\d+\.\d+\.\d+\N}{yes}{no} }
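# Drop connections whose HELO argument is our own name (MY_IP macro) or looks
# like a bare IP address.  Locally submitted mail and trusted relay hosts are
# accepted before either check.
accept hosts = :
accept hosts = +relay_from_hosts
# NOTE(review): in the attached debug run MY_IP expanded to the host name
# (vitruvia.dyndns.org), not an address, and "match" is an unanchored regex in
# which the dots match any character -- so any HELO merely containing that
# string is dropped.  Left as is; confirm that over-matching is acceptable.
drop condition = ${if match{$sender_helo_name}{MY_IP}{yes}{no} }
message = "Dropped spammer pretending to be us"
# The original pattern (^[0-9]\.[0-9]\.[0-9]\.[0-9]) allowed only a single digit
# per octet, so a HELO such as "84.153.120.56" was never matched; allow one or
# more digits per octet.  A bracketed address literal ("[1.2.3.4]"), which is
# the RFC-legal form, is not matched by this pattern (nor was it by the original).
drop condition = ${if match{$sender_helo_name}{^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+}{yes}{no} }
message = "Dropped IP-only or IP-starting helo"
accept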
# SPF Auth test for Exim 4.xx
# Version 2.05 by david @ ols . es
#
# Features:
#
# Full SPF support via spfd socket
#
# Warning:
#
# Will use acl_m9, acl_m8, acl_m7 and acl_m6
#
# Requires
#
# Mail::SPF::Query ver 1.9.1
#
# Usage instructions:
#
# 1. copy this file to your /usr/local/exim
#
# 2. add this line to your exim configuration file after your
# begin acl:
#
# .include /usr/local/exim/spf.acl
#
# 3. Grab a copy of Mail::SPF::Query from
# http://spf.pobox.com/downloads.html and install it
#
# 4. Run spfd -path=/tmp/spfd as the same user as Exim runs. (Note: /tmp is
#    world-writable, so another local user could pre-create that path and answer
#    the queries; a directory writable only by the Exim user is the safer choice.)
#
# 5. Now you can use the test on your RCPT/MAIL ACL this way:
#
# deny !acl = spf_rcpt_acl
#
# And on your DATA ACL:
#
# deny senders = :
# !acl = spf_from_acl
#
# now acl_m8 will hold 'pass','fail', 'unknown'
# so you can take other decisions based on the result
# commented out -- Andreas_Kahl@???
# NOTE(review): the notes bracketing the next two ACLs say they were commented
# out in the deployed file; they appear uncommented in this posting.
# SPF check on the envelope sender (meant for the MAIL/RCPT ACLs, per the usage
# notes above).  acl_m8 carries the address into spf_check.
spf_rcpt_acl:
# Check envelope sender
warn set acl_m8 = $sender_address
# spf_check denies on an SPF "fail"; a defer inside it (spfd unreachable) is
# presumably propagated rather than treated as a pass -- confirm.
deny !acl = spf_check
# Intended to add a Received-SPF: header carrying spfd's comment (acl_m7).
warn message = Received-SPF: $acl_m7
accept
# SPF check on the address in the From: header.  Because it reads $h_from:, it
# is only meaningful once headers have been received, i.e. from the DATA ACL as
# the usage notes above say; at RCPT time the header is still empty.
spf_from_acl:
# Check header From:
warn set acl_m8 = ${address:$h_from:}
deny !acl = spf_check
warn message = Received-SPF: $acl_m7
accept
# end of commented-out part
# Shared worker: sends ip/helo/sender (acl_m8) to spfd over its UNIX socket and
# leaves the result in acl_m8 ("pass", "fail", "unknown", ...) and spfd's
# header comment in acl_m7.  Denies only on "fail".
spf_check:
# 20s timeout; newlines in the reply are kept ("\n" as end-of-line string); on a
# connection failure the literal "socket failure" is returned and deferred below.
# NOTE(review): /tmp/spfd sits in a world-writable directory; a local user who
# creates that path first could answer these queries.  A socket under a
# directory only the Exim user can write to would be safer.
warn set acl_m9 = ${readsocket{/tmp/spfd}\
{ip=$sender_host_address\n\
helo=${if def:sender_helo_name\
{$sender_helo_name}{NOHELO}}\
\nsender=$acl_m8\n\n}{20s}{\n}{socket failure}}
# Defer on socket error
defer condition = ${if eq{$acl_m9}{socket failure}{yes}{no}}
message = Cannot connect to spfd
# Prepare answer and get results
# Rewrites each "key=value\n" line into key="value" so ${extract{key}...} can
# pick the fields out.  NOTE(review): values are not escaped, so a value
# containing a double quote would upset the extract parsing; presumably benign
# given spfd's output, but not verified here.
warn set acl_m9 = ${sg{$acl_m9}{\N=(.*)\n\N}{=\"\$1\" }}
set acl_m8 = ${extract{result}{$acl_m9}{$value}{unknown}}
set acl_m7 = ${extract{header_comment}{$acl_m9}{$value}{}}
# Check for fail
# NOTE(review): acl_m7 comes straight from spfd (presumably derived in part from
# the sender domain's published SPF record) and is echoed verbatim into the
# SMTP rejection text and the Received-SPF: header.
deny condition = ${if eq{$acl_m8}{fail}{yes}{no}}
message = $acl_m7
log_message = Not authorized by SPF
accept
vitruvia:/var/run/courier/authdaemon# exim -d+acl+auth -oX 25 -bd
Exim version 4.63 uid=0 gid=0 pid=28266 D=fbb95cfd
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September 6, 2005)
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS move_frozen_messages Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
changed uid/gid: forcing real = effective
uid=0 gid=0 pid=28266
auxiliary group list: <none>
seeking password data for user "vmail": cache not available
getpwnam() succeeded uid=99 gid=99
seeking password data for user "www-data": cache not available
getpwnam() succeeded uid=33 gid=33
seeking password data for user "Debian-exim": cache not available
getpwnam() succeeded uid=100 gid=102
seeking password data for user "root": cache not available
getpwnam() succeeded uid=0 gid=0
configuration file is /etc/exim4/exim4.conf
log selectors = 00000ffc 000a9001
cwd=/var/run/courier/authdaemon 5 args: exim -d+acl+auth -oX 25 -bd
trusted user
admin user
seeking password data for user "Debian-exim": cache not available
getpwnam() succeeded uid=100 gid=102
seeking password data for user "list": cache not available
getpwnam() succeeded uid=38 gid=38
originator: uid=0 gid=0 login=root name=root
28266 daemon_smtp_port overridden by -oX:
28266 <: 25
28266 listening on all interfaces (IPv6) port 25
28266 listening on all interfaces (IPv4) port 25
28266 changed uid/gid: running as a daemon
28266 uid=100 gid=102 pid=28266
28266 auxiliary group list: 102
28266 LOG: MAIN
28266 exim 4.63 daemon started: pid=28266, no queue runs, listening for SMTP on port 25 (IPv6 and IPv4)
28266 set_process_info: 28266 daemon: no queue runs, listening for SMTP on port 25 (IPv6 and IPv4)
28266 daemon running with uid=100 gid=102 euid=100 egid=102
28266 Listening...
### Here I tried to send my mail (from a dial-up host that is neither in relay_from_hosts nor authenticated, to a domain that is neither local nor a relay domain -- so the final "relay not permitted" deny below is exactly what acl_check_rcpt above prescribes; note also the literal enabled = '1I ' in the local_domains query, which looks like a typo in the domainlist definition rather than a valid flag value):
28266 Connection request from 84.153.120.56 port 56590
28266 search_tidyup called
28267 sender_fullhost = [84.153.120.56]
28267 sender_rcvhost = [84.153.120.56]
28267 Process 28267 is handling incoming connection from [84.153.120.56]
28267 host in host_lookup? yes (matched "*")
28267 looking up host name for 84.153.120.56
28266 1 SMTP accept process running
28266 Listening...
28267 DNS lookup of 56.120.153.84.in-addr.arpa (PTR) succeeded
28267 IP address lookup yielded p54997838.dip.t-dialin.net
28267 gethostbyname2(af=inet6) returned 4 (NO_DATA)
28267 gethostbyname2 looked up these IP addresses:
28267 name=p54997838.dip.t-dialin.net address=84.153.120.56
28267 checking addresses for p54997838.dip.t-dialin.net
28267 84.153.120.56 OK
28267 sender_fullhost = p54997838.dip.t-dialin.net [84.153.120.56]
28267 sender_rcvhost = p54997838.dip.t-dialin.net ([84.153.120.56])
28267 set_process_info: 28267 handling incoming connection from p54997838.dip.t-dialin.net [84.153.120.56]
28267 host in host_reject_connection? no (option unset)
28267 host in sender_unqualified_hosts? no (option unset)
28267 host in recipient_unqualified_hosts? no (option unset)
28267 host in helo_verify_hosts? no (option unset)
28267 host in helo_try_verify_hosts? no (option unset)
28267 host in helo_accept_junk_hosts? no (option unset)
28267 SMTP>> 220 vitruvia.dyndns.org ESMTP Exim 4.63 Tue, 12 Jun 2007 22:02:33 +0200
28267 Process 28267 is ready for new message
28267 smtp_setup_msg entered
28267 SMTP<< XXXX Cirrus.local
28267 LOG: smtp_syntax_error MAIN
28267 SMTP syntax error in "XXXX Cirrus.local" H=p54997838.dip.t-dialin.net [84.153.120.56] unrecognized command
28267 SMTP>> 500 unrecognized command
28267 SMTP<< HELO Cirrus.local
28267 sender_fullhost = p54997838.dip.t-dialin.net (Cirrus.local) [84.153.120.56]
28267 sender_rcvhost = p54997838.dip.t-dialin.net ([84.153.120.56] helo=Cirrus.local)
28267 set_process_info: 28267 handling incoming connection from p54997838.dip.t-dialin.net (Cirrus.local) [84.153.120.56]
28267 using ACL "acl_check_helo"
28267 processing "accept"
28267 check hosts = :
28267 host in ":"? no (end of list)
28267 accept: condition test failed
28267 processing "accept"
28267 check hosts = +relay_from_hosts
28267 gethostbyname2(af=inet6) returned 1 (HOST_NOT_FOUND)
28267 gethostbyname2 looked up these IP addresses:
28267 name=localhost address=127.0.0.1
28267 host in "localhost"? no (end of list)
28267 host in "+relay_from_hosts"? no (end of list)
28267 accept: condition test failed
28267 processing "drop"
28267 check condition = ${if match{$sender_helo_name}{vitruvia.dyndns.org}{yes}{no} }
28267 = no
28267 drop: condition test failed
28267 processing "drop"
28267 check condition = ${if match{$sender_helo_name}{^[0-9]\.[0-9]\.[0-9]\.[0-9]}{yes}{no} }
28267 = no
28267 drop: condition test failed
28267 processing "accept"
28267 accept: condition test succeeded
28267 SMTP>> 250 vitruvia.dyndns.org Hello p54997838.dip.t-dialin.net [84.153.120.56]
28267 SMTP<< MAIL FROM:<kahl3@???>
28267 SMTP>> 250 OK
28267 SMTP<< RCPT TO:<Andreas_Kahl@???>
28267 using ACL "acl_check_rcpt"
28267 processing "accept"
28267 check hosts = :
28267 host in ":"? no (end of list)
28267 accept: condition test failed
28267 processing "deny"
28267 check local_parts = ^.*[@%!/|] : ^\\.
28267 Andreas_Kahl in "^.*[@%!/|] : ^\."? no (end of list)
28267 deny: condition test failed
28267 processing "accept"
28267 check local_parts = postmaster
28267 Andreas_Kahl in "postmaster"? no (end of list)
28267 accept: condition test failed
28267 processing "accept"
28267 check domains = +local_domains
28267 search_open: mysql "NULL"
28267 search_find: file="NULL"
28267 key="SELECT DISTINCT domain FROM domains WHERE type = 'local' AND enabled = '1I ' AND domain = 'gmx.net'" partial=-1 affix=NULL starflags=0
28267 LRU list:
28267 internal_search_find: file="NULL"
28267 type=mysql key="SELECT DISTINCT domain FROM domains WHERE type = 'local' AND enabled = '1I ' AND domain = 'gmx.net'"
28267 database lookup required for SELECT DISTINCT domain FROM domains WHERE type = 'local' AND enabled = '1I ' AND domain = 'gmx.net'
28267 MYSQL query: SELECT DISTINCT domain FROM domains WHERE type = 'local' AND enabled = '1I ' AND domain = 'gmx.net'
28267 MYSQL new connection: host=localhost port=0 socket=/var/run/mysqld/mysqld.sock database=vexim user=vexim
28267 MYSQL: no data found
28267 lookup failed
28267 search_open: mysql "NULL"
28267 cached open
28267 search_find: file="NULL"
28267 key="SELECT DISTINCT alias FROM domainalias WHERE alias = 'gmx.net'" partial=-1 affix=NULL starflags=0
28267 LRU list:
28267 internal_search_find: file="NULL"
28267 type=mysql key="SELECT DISTINCT alias FROM domainalias WHERE alias = 'gmx.net'"
28267 database lookup required for SELECT DISTINCT alias FROM domainalias WHERE alias = 'gmx.net'
28267 MYSQL query: SELECT DISTINCT alias FROM domainalias WHERE alias = 'gmx.net'
28267 MYSQL using cached connection for localhost:(/var/run/mysqld/mysqld.sock)/vexim/vexim
28267 MYSQL: no data found
28267 lookup failed
28267 gmx.net in "@ : : "? no (end of list)
28267 gmx.net in "+local_domains"? no (end of list)
28267 accept: condition test failed
28267 processing "accept"
28267 check domains = +relay_to_domains
28267 search_open: mysql "NULL"
28267 cached open
28267 search_find: file="NULL"
28267 key="SELECT DISTINCT domain FROM domains WHERE type = 'relay' AND domain = 'gmx.net'" partial=-1 affix=NULL starflags=0
28267 LRU list:
28267 internal_search_find: file="NULL"
28267 type=mysql key="SELECT DISTINCT domain FROM domains WHERE type = 'relay' AND domain = 'gmx.net'"
28267 database lookup required for SELECT DISTINCT domain FROM domains WHERE type = 'relay' AND domain = 'gmx.net'
28267 MYSQL query: SELECT DISTINCT domain FROM domains WHERE type = 'relay' AND domain = 'gmx.net'
28267 MYSQL using cached connection for localhost:(/var/run/mysqld/mysqld.sock)/vexim/vexim
28267 MYSQL: no data found
28267 lookup failed
28267 gmx.net in ""? no (end of list)
28267 gmx.net in "+relay_to_domains"? no (end of list)
28267 accept: condition test failed
28267 processing "accept"
28267 check hosts = +relay_from_hosts
28267 cached no match for +relay_from_hosts
28267 cached lookup data = NULL
28267 host in "+relay_from_hosts"? no (end of list)
28267 accept: condition test failed
28267 processing "accept"
28267 check authenticated = *
28267 accept: condition test failed
28267 processing "deny"
28267 deny: condition test succeeded
28267 SMTP>> 550 relay not permitted
28267 LOG: MAIN REJECT
28267 H=p54997838.dip.t-dialin.net (Cirrus.local) [84.153.120.56] F=<kahl3@???> rejected RCPT <Andreas_Kahl@???>: relay not permitted