Re: [exim] Smtp-Authentication problems (using courier-authda…

Author: Andreas Kahl
Date:  
To: exim-users
Subject: Re: [exim] Smtp-Authentication problems (using courier-authdaemond on debian etch)


Phil Pennock wrote:
> [...]In the first section of your config should be a line defining which
> named ACL test is to be used for "acl_smtp_rcpt". You need to post that
> ACL here -- all of it.
>
>

Here's my whole ACLs section: (I'll skip commented-out lines to make
this message smaller)
begin acl
.include /etc/exim4/vexim-acl-check-spf.conf
#this file is attached

acl_check_helo:
.include /etc/exim4/vexim-acl-check-helo.conf
#this file is attached


acl_check_rcpt:
  accept  hosts         = :
.include /etc/exim4/vexim-acl-check-rcpt.conf
#this file is attached

  deny    local_parts   = ^.*[@%!/|] : ^\\.

  accept  local_parts   = postmaster
          domains       = +local_domains

  accept  domains       = +local_domains
          endpass
          verify        = recipient

  accept  domains       = +relay_to_domains
          endpass
          verify        = recipient

  accept  hosts         = +relay_from_hosts

  accept  authenticated = *

  deny    message       = relay not permitted

acl_check_content:
.include /etc/exim4/vexim-acl-check-content.conf
#this file is attached

  accept

> You can get more diagnostics, running a debug Exim; this won't detach
> from the terminal, so you'll see what's going on. For instance:
>
> # exim -d+acl+auth -oX 26 -bd
>
>

I also did this (with port 25). A copy of my console is attached in
exim-session.txt.

Regards
Andreas
# deny hosts = ! +relay_from_hosts
#          condition     = ${if eq {${lookup mysql{select count(*) from domains \
#                          where domain = '${quote_mysql:$domain}' \
#                          and spamassassin='1'}}}{1} {yes}{no}}
#          !acl          = spf_rcpt_acl


#  deny    message       = DNSBL listed at $dnslist_domain\n$dnslist_text
#          dnslists      = sbl-xbl.spamhaus.org:list.dsbl.org:dynablock.njabl.org


deny senders = :
        hosts   = ! +relay_from_hosts
        !acl    = spf_from_acl
        message = Your sender is not permitted (read spf.pobox.com)


  # First unpack MIME containers and reject serious errors.
  deny  message = This message contains a MIME error ($demime_reason)
        demime = *
        condition = ${if >{$demime_errorlevel}{2}{1}{0}}


  # Reject typically wormish file extensions. There is almost no
  # sense in sending such files by email.
  deny  message = This message contains an unwanted file extension ($found_extension)
        demime = scr:vbs:bat:lnk:pif:bz2


  # Reject virus infested messages.
  warn  message = This message contains malware ($malware_name)
        malware = *
        log_message = This message contains malware ($malware_name)


  # Reject messages containing "viagra" in all kinds of whitespace/case combinations
  # WARNING: this is an example !
  # deny  message = This message matches a blacklisted regular expression ($regex_match_string)
  #      regex = [Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa]


  # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings
  # (user "nobody"), no matter if over threshold or not.
  warn  message = X-Spam-Score: $spam_score ($spam_bar)
        spam = vmail:true
  warn  message = X-Spam-Report: $spam_report
        spam = vmail:true


  # This code was derived from a post to exim-users by Alan J. Flavell:
  # http://www.exim.org/pipermail/exim-users/Week-of-Mon-20031201/063095.html
  deny  hosts           = emi.mail.pas.earthlink.net
        message         = X-PH-FW: leaky forwarder, $dnslist_domain=$dnslist_value
                          set acl_m4 = ${if match {$h_received:}\
                                {\N\[(\d+)\.(\d+)\.(\d+)\.(\d+)\]\)\s+.*by \
                                emi\.mail\.pas\.earthlink\.net\N}\
                                {$4.$3.$2.$1}fail}
        dnslists        = sbl-xbl.spamhaus.org:list.dsbl.org:dynablock.njabl.org/$acl_m4


  deny  hosts           = emi.mail.pas.earthlink.net
        message         = Please use your FQDN for HELO
        condition       = ${if match {$h_received:}{\Nhelo=\d+\.\d+\.\d+\.\d+\N}{yes}{no} }



# Let's drop all messages where the HELO argument is our IP address

  accept hosts = :
  accept hosts = +relay_from_hosts
  drop condition = ${if match{$sender_helo_name}{MY_IP}{yes}{no} }
       message   = "Dropped spammer pretending to be us"
  drop condition = ${if match{$sender_helo_name}{^[0-9]\.[0-9]\.[0-9]\.[0-9]}{yes}{no} }
       message   = "Dropped IP-only or IP-starting helo"
  accept


# SPF Auth test for Exim 4.xx
# Version 2.05 by david @ ols . es
#
# Features:
#
#    Full SPF support via spfd socket
#
# Warning:
#
#    Will use acl_m9, acl_m8, acl_m7 and acl_m6
#
# Requires
#
#    Mail::SPF::Query ver 1.9.1
#
# Usage instructions:
#
# 1. copy this file to your /usr/local/exim
#
# 2. add this line to your exim configuration file after your
#    begin acl:
#
#    .include /usr/local/exim/spf.acl
#
# 3. Grab a copy of Mail::SPF::Query from
#    http://spf.pobox.com/downloads.html and install it
#
# 4. Run spfd -path=/tmp/spfd as the same user as Exim runs
#
# 5. Now you can use the test on your RCPT/MAIL ACL this way:
#
#    deny    !acl        = spf_rcpt_acl
#
#    And on your DATA ACL:
#
#    deny    senders     = :
#            !acl        = spf_from_acl
#
#    now acl_m8 will hold 'pass','fail', 'unknown'
#    so you can take other decisions based on the result


#commented out, Andreas_Kahl@???
spf_rcpt_acl:

    # Check envelope sender


    warn     set acl_m8  = $sender_address
    deny     !acl        = spf_check
    warn     message     = Received-SPF: $acl_m7
    accept


spf_from_acl:

    # Check header From:


    warn     set acl_m8  = ${address:$h_from:}
    deny     !acl        = spf_check
    warn     message     = Received-SPF: $acl_m7
    accept
#end of commented-out section


spf_check:

    warn     set acl_m9  = ${readsocket{/tmp/spfd}\
                           {ip=$sender_host_address\n\
               helo=${if def:sender_helo_name\
               {$sender_helo_name}{NOHELO}}\
                           \nsender=$acl_m8\n\n}{20s}{\n}{socket failure}} 


    # Defer on socket error


    defer    condition   = ${if eq{$acl_m9}{socket failure}{yes}{no}}
             message     = Cannot connect to spfd


    # Prepare answer and get results


    warn     set acl_m9  = ${sg{$acl_m9}{\N=(.*)\n\N}{=\"\$1\" }}
             set acl_m8  = ${extract{result}{$acl_m9}{$value}{unknown}}
             set acl_m7  = ${extract{header_comment}{$acl_m9}{$value}{}}


    # Check for fail


    deny     condition   = ${if eq{$acl_m8}{fail}{yes}{no}}
             message     = $acl_m7
             log_message = Not authorized by SPF


    accept


vitruvia:/var/run/courier/authdaemon# exim -d+acl+auth -oX 25 -bd
Exim version 4.63 uid=0 gid=0 pid=28266 D=fbb95cfd
Berkeley DB: Sleepycat Software: Berkeley DB 4.3.29: (September 6, 2005)
Support for: crypteq iconv() IPv6 PAM Perl GnuTLS move_frozen_messages Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
changed uid/gid: forcing real = effective
uid=0 gid=0 pid=28266
auxiliary group list: <none>
seeking password data for user "vmail": cache not available
getpwnam() succeeded uid=99 gid=99
seeking password data for user "www-data": cache not available
getpwnam() succeeded uid=33 gid=33
seeking password data for user "Debian-exim": cache not available
getpwnam() succeeded uid=100 gid=102
seeking password data for user "root": cache not available
getpwnam() succeeded uid=0 gid=0
configuration file is /etc/exim4/exim4.conf
log selectors = 00000ffc 000a9001
cwd=/var/run/courier/authdaemon 5 args: exim -d+acl+auth -oX 25 -bd
trusted user
admin user
seeking password data for user "Debian-exim": cache not available
getpwnam() succeeded uid=100 gid=102
seeking password data for user "list": cache not available
getpwnam() succeeded uid=38 gid=38
originator: uid=0 gid=0 login=root name=root
28266 daemon_smtp_port overridden by -oX:
28266 <: 25
28266 listening on all interfaces (IPv6) port 25
28266 listening on all interfaces (IPv4) port 25
28266 changed uid/gid: running as a daemon
28266 uid=100 gid=102 pid=28266
28266 auxiliary group list: 102
28266 LOG: MAIN
28266 exim 4.63 daemon started: pid=28266, no queue runs, listening for SMTP on port 25 (IPv6 and IPv4)
28266 set_process_info: 28266 daemon: no queue runs, listening for SMTP on port 25 (IPv6 and IPv4)
28266 daemon running with uid=100 gid=102 euid=100 egid=102
28266 Listening...

### Here I tried to send my mail: 
28266 Connection request from 84.153.120.56 port 56590
28266 search_tidyup called
28267 sender_fullhost = [84.153.120.56]
28267 sender_rcvhost = [84.153.120.56]
28267 Process 28267 is handling incoming connection from [84.153.120.56]
28267 host in host_lookup? yes (matched "*")
28267 looking up host name for 84.153.120.56
28266 1 SMTP accept process running
28266 Listening...
28267 DNS lookup of 56.120.153.84.in-addr.arpa (PTR) succeeded
28267 IP address lookup yielded p54997838.dip.t-dialin.net
28267 gethostbyname2(af=inet6) returned 4 (NO_DATA)
28267 gethostbyname2 looked up these IP addresses:
28267   name=p54997838.dip.t-dialin.net address=84.153.120.56
28267 checking addresses for p54997838.dip.t-dialin.net
28267   84.153.120.56 OK
28267 sender_fullhost = p54997838.dip.t-dialin.net [84.153.120.56]
28267 sender_rcvhost = p54997838.dip.t-dialin.net ([84.153.120.56])
28267 set_process_info: 28267 handling incoming connection from p54997838.dip.t-dialin.net [84.153.120.56]
28267 host in host_reject_connection? no (option unset)
28267 host in sender_unqualified_hosts? no (option unset)
28267 host in recipient_unqualified_hosts? no (option unset)
28267 host in helo_verify_hosts? no (option unset)
28267 host in helo_try_verify_hosts? no (option unset)
28267 host in helo_accept_junk_hosts? no (option unset)
28267 SMTP>> 220 vitruvia.dyndns.org ESMTP Exim 4.63 Tue, 12 Jun 2007 22:02:33 +0200
28267 Process 28267 is ready for new message
28267 smtp_setup_msg entered
28267 SMTP<< XXXX Cirrus.local
28267 LOG: smtp_syntax_error MAIN
28267   SMTP syntax error in "XXXX Cirrus.local" H=p54997838.dip.t-dialin.net [84.153.120.56] unrecognized command
28267 SMTP>> 500 unrecognized command
28267 SMTP<< HELO Cirrus.local
28267 sender_fullhost = p54997838.dip.t-dialin.net (Cirrus.local) [84.153.120.56]
28267 sender_rcvhost = p54997838.dip.t-dialin.net ([84.153.120.56] helo=Cirrus.local)
28267 set_process_info: 28267 handling incoming connection from p54997838.dip.t-dialin.net (Cirrus.local) [84.153.120.56]
28267 using ACL "acl_check_helo"
28267 processing "accept"
28267 check hosts = :
28267 host in ":"? no (end of list)
28267 accept: condition test failed
28267 processing "accept"
28267 check hosts = +relay_from_hosts
28267 gethostbyname2(af=inet6) returned 1 (HOST_NOT_FOUND)
28267 gethostbyname2 looked up these IP addresses:
28267   name=localhost address=127.0.0.1
28267 host in "localhost"? no (end of list)
28267 host in "+relay_from_hosts"? no (end of list)
28267 accept: condition test failed
28267 processing "drop"
28267 check condition = ${if match{$sender_helo_name}{vitruvia.dyndns.org}{yes}{no} }
28267                 = no
28267 drop: condition test failed
28267 processing "drop"
28267 check condition = ${if match{$sender_helo_name}{^[0-9]\.[0-9]\.[0-9]\.[0-9]}{yes}{no} }
28267                 = no
28267 drop: condition test failed
28267 processing "accept"
28267 accept: condition test succeeded
28267 SMTP>> 250 vitruvia.dyndns.org Hello p54997838.dip.t-dialin.net [84.153.120.56]
28267 SMTP<< MAIL FROM:<kahl3@???>
28267 SMTP>> 250 OK
28267 SMTP<< RCPT TO:<Andreas_Kahl@???>
28267 using ACL "acl_check_rcpt"
28267 processing "accept"
28267 check hosts = :
28267 host in ":"? no (end of list)
28267 accept: condition test failed
28267 processing "deny"
28267 check local_parts = ^.*[@%!/|] : ^\\.
28267 Andreas_Kahl in "^.*[@%!/|] : ^\."? no (end of list)
28267 deny: condition test failed
28267 processing "accept"
28267 check local_parts = postmaster
28267 Andreas_Kahl in "postmaster"? no (end of list)
28267 accept: condition test failed
28267 processing "accept"
28267 check domains = +local_domains
28267 search_open: mysql "NULL"
28267 search_find: file="NULL"
28267   key="SELECT DISTINCT domain FROM domains WHERE type = 'local' AND enabled = '1I ' AND domain = 'gmx.net'" partial=-1 affix=NULL starflags=0
28267 LRU list:
28267 internal_search_find: file="NULL"
28267   type=mysql key="SELECT DISTINCT domain FROM domains WHERE type = 'local' AND enabled = '1I ' AND domain = 'gmx.net'"
28267 database lookup required for SELECT DISTINCT domain FROM domains WHERE type = 'local' AND enabled = '1I ' AND domain = 'gmx.net'
28267 MYSQL query: SELECT DISTINCT domain FROM domains WHERE type = 'local' AND enabled = '1I ' AND domain = 'gmx.net'
28267 MYSQL new connection: host=localhost port=0 socket=/var/run/mysqld/mysqld.sock database=vexim user=vexim
28267 MYSQL: no data found
28267 lookup failed
28267 search_open: mysql "NULL"
28267   cached open
28267 search_find: file="NULL"
28267   key="SELECT DISTINCT alias FROM domainalias WHERE alias = 'gmx.net'" partial=-1 affix=NULL starflags=0
28267 LRU list:
28267 internal_search_find: file="NULL"
28267   type=mysql key="SELECT DISTINCT alias FROM domainalias WHERE alias = 'gmx.net'"
28267 database lookup required for SELECT DISTINCT alias FROM domainalias WHERE alias = 'gmx.net'
28267 MYSQL query: SELECT DISTINCT alias FROM domainalias WHERE alias = 'gmx.net'
28267 MYSQL using cached connection for localhost:(/var/run/mysqld/mysqld.sock)/vexim/vexim
28267 MYSQL: no data found
28267 lookup failed
28267 gmx.net in "@ :  : "? no (end of list)
28267 gmx.net in "+local_domains"? no (end of list)
28267 accept: condition test failed
28267 processing "accept"
28267 check domains = +relay_to_domains
28267 search_open: mysql "NULL"
28267   cached open
28267 search_find: file="NULL"
28267   key="SELECT DISTINCT domain FROM domains WHERE type = 'relay'  AND domain = 'gmx.net'" partial=-1 affix=NULL starflags=0
28267 LRU list:
28267 internal_search_find: file="NULL"
28267   type=mysql key="SELECT DISTINCT domain FROM domains WHERE type = 'relay'  AND domain = 'gmx.net'"
28267 database lookup required for SELECT DISTINCT domain FROM domains WHERE type = 'relay'  AND domain = 'gmx.net'
28267 MYSQL query: SELECT DISTINCT domain FROM domains WHERE type = 'relay'  AND domain = 'gmx.net'
28267 MYSQL using cached connection for localhost:(/var/run/mysqld/mysqld.sock)/vexim/vexim
28267 MYSQL: no data found
28267 lookup failed
28267 gmx.net in ""? no (end of list)
28267 gmx.net in "+relay_to_domains"? no (end of list)
28267 accept: condition test failed
28267 processing "accept"
28267 check hosts = +relay_from_hosts
28267 cached no match for +relay_from_hosts
28267 cached lookup data = NULL
28267 host in "+relay_from_hosts"? no (end of list)
28267 accept: condition test failed
28267 processing "accept"
28267 check authenticated = *
28267 accept: condition test failed
28267 processing "deny"
28267 deny: condition test succeeded
28267 SMTP>> 550 relay not permitted
28267 LOG: MAIN REJECT
28267   H=p54997838.dip.t-dialin.net (Cirrus.local) [84.153.120.56] F=<kahl3@???> rejected RCPT <Andreas_Kahl@???>: relay not permitted
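
Added example (not part of the original post or its attachments): a small Python parser for `exim -d+acl` output like the session above. It lists the client's SMTP commands and the outcome of each ACL statement, then reports why an `authenticated = *` test could not pass. The sample lines are a constructed excerpt in the same format with placeholder addresses; `trace` and `diagnose` are hypothetical names.

```python
import re

# Constructed excerpt in the `exim -d+acl` debug format (placeholder addresses).
SAMPLE = """\
28267 SMTP<< XXXX Cirrus.local
28267 SMTP<< HELO Cirrus.local
28267 SMTP<< MAIL FROM:<sender@example.org>
28267 SMTP<< RCPT TO:<rcpt@example.net>
28267 using ACL "acl_check_rcpt"
28267 processing "accept"
28267 check hosts = +relay_from_hosts
28267 accept: condition test failed
28267 processing "accept"
28267 check authenticated = *
28267 accept: condition test failed
28267 processing "deny"
28267 deny: condition test succeeded
28267 SMTP>> 550 relay not permitted
"""

def trace(debug_text):
    """Return (client_commands, steps); a step is (acl, verb, last_condition, outcome)."""
    commands, steps, acl, cond = [], [], None, None
    for raw in debug_text.splitlines():
        m = re.match(r"\s*\d+\s+(.*)", raw)
        body = m.group(1) if m else ""
        if body.startswith("SMTP<< ") and body[7:].split():
            commands.append(body[7:].split()[0].upper())
        elif (u := re.match(r'using ACL "([^"]+)"', body)):
            acl = u.group(1)
        elif body.startswith('processing "'):
            cond = None  # new ACL statement: forget the previous condition
        elif body.startswith("check "):
            cond = body[6:]  # Exim stops at the first failing condition
        elif (r := re.match(r"(\w+): condition test (succeeded|failed)", body)):
            steps.append((acl, r.group(1), cond, r.group(2)))
    return commands, steps

def diagnose(debug_text):
    """Explain why an `authenticated = *` test could not have passed."""
    commands, steps = trace(debug_text)
    notes = []
    if any(c and c.startswith("authenticated") and o == "failed" for _, _, c, o in steps):
        if "AUTH" not in commands:
            notes.append("authenticated = * failed: client never sent AUTH")
        if "EHLO" not in commands:
            notes.append("client sent HELO, not EHLO: AUTH is only advertised after EHLO")
    return notes
```

To run it on a saved session, pass the file's text to `diagnose`, for example the contents of `exim-session.txt`.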