[exim] random callout + greylisting

Author: Giuliano Gavazzi
Date:
To: exim
Subject: [exim] random callout + greylisting
I think random callouts should use a recipient that is random but
uniquely determined by some local and remote characteristics like,
for instance, local and remote hostnames. Otherwise random callout
will fail when confronted with greylisting.
I have also noticed a potential problem with caching within a
session, see below.

I have two callout acls to emulate a multiple level callout result,
but because of the cache this should not need any more callouts than
a single acl.
I simulated a session from lists.samba.org because that server uses
greylisting also for null envelope senders. exim -bhc gives:

>>> check verify = sender/callout=30s,random

[...]
>>> Attempting full verification using callout
>>> callout cache: found domain record
>>> callout cache: need to check random address handling (not cached or cache expired)
>>> interface=192.168.50.12 port=25
>>> Connecting to dp.samba.org [66.70.73.150]:25 from 192.168.50.12 ... connected
>>> SMTP<< 220 lists.samba.org NO UCE ESMTP Postfix
>>> SMTP>> HELO ns.ondecorte.net
>>> SMTP<< 250 lists.samba.org
>>> SMTP>> MAIL FROM:<>
>>> SMTP<< 250 Ok
>>> SMTP>> RCPT TO:<randomaddress1>
>>> SMTP<< 450 < randomaddress1 >: Recipient address rejected: Greylisted for 300 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/lists.samba.org.html)
>>> SMTP>> RSET
>>> SMTP<< 250 Ok
>>> SMTP>> MAIL FROM:<>
>>> SMTP<< 250 Ok
>>> SMTP>> RCPT TO:<envelopesender>
>>> SMTP<< 250 Ok
>>> SMTP>> QUIT
>>> wrote callout cache domain record:
>>> result=1 postmaster=0 random=0
>>> wrote positive callout cache address record


[...]

>>> check !verify = sender/callout=30s,random
>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing rsync-bounces+dev+lists=humph.com@???
>>> lists.samba.org in "dsearch;/usr/local/conf/exim/domains"? no (end of list)
>>> lists.samba.org in "! +local_domains"? yes (end of list)
>>> calling dnslookup router
>>> 66.70.73.150 in "0.0.0.0 : 127.0.0.0/8 : 169.254.0.0/16 : 192.168.0.0/16"? no (end of list)
>>> routed by dnslookup router
>>> Attempting full verification using callout
>>> callout cache: found domain record
>>> callout cache: need to check random address handling (not cached or cache expired)
>>> interface=192.168.50.12 port=25
>>> Connecting to dp.samba.org [66.70.73.150]:25 from 192.168.50.12 ... connected
>>> SMTP<< 220 lists.samba.org NO UCE ESMTP Postfix
>>> SMTP>> HELO ns.ondecorte.net
>>> SMTP<< 250 lists.samba.org
>>> SMTP>> MAIL FROM:<>
>>> SMTP<< 250 Ok
>>> SMTP>> RCPT TO:<randomaddress2>
>>> SMTP<< 450 <randomaddress2>: Recipient address rejected: Greylisted for 300 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/lists.samba.org.html)
>>> SMTP>> RSET
>>> SMTP<< 250 Ok
>>> SMTP>> MAIL FROM:<>
>>> SMTP<< 250 Ok
>>> SMTP>> RCPT TO:< envelopesender >
>>> SMTP<< 250 Ok
>>> SMTP>> QUIT
>>> wrote callout cache domain record:
>>> result=1 postmaster=0 random=0
>>> wrote positive callout cache address record


and indeed a dump of the callout database gives:

17-Jun-2007 22:48:01 lists.samba.org callout=accept postmaster=unknown random=unknown
17-Jun-2007 22:48:01 envelopesender callout=accept

So:

1) random callouts will never pass with greylisting peers

2) in the session above the envelopesender has been checked twice,
even if the peer accepted the first one.

Giuliano
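
Added example, not part of the original message and not Exim code: a sketch of the suggestion above, comparing a fresh random callout recipient with one derived from the local and remote hostnames, against a toy greylisting peer. The HMAC construction, the secret, the host names and the mailbox are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

GREYLIST_DELAY = 300  # seconds, the delay quoted in the 450 reply above


def random_localpart():
    """Fresh random local part on every attempt, as in the two callouts logged above."""
    return "callout-" + secrets.token_hex(8)


def stable_localpart(secret, local_host, remote_host):
    """Unguessable without the secret, but the same on every attempt for one host pair."""
    msg = f"{local_host}\0{remote_host}".encode()
    return "callout-" + hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


class GreylistingPeer:
    """Toy greylisting peer: defers each (client, sender, recipient) triplet
    until GREYLIST_DELAY seconds after it first saw that triplet."""

    def __init__(self, mailboxes):
        self.mailboxes = set(mailboxes)
        self.first_seen = {}

    def rcpt(self, client_ip, sender, localpart, now):
        first = self.first_seen.setdefault((client_ip, sender, localpart), now)
        if now - first < GREYLIST_DELAY:
            return 450  # deferred: says nothing about whether the mailbox exists
        return 250 if localpart in self.mailboxes else 550


def probe(peer, make_localpart, attempts, interval, client_ip="192.0.2.10"):
    """Repeat the random-recipient callout with a null sender; return the reply codes."""
    return [peer.rcpt(client_ip, "", make_localpart(), n * interval)
            for n in range(attempts)]


if __name__ == "__main__":
    # Constructed sample values: secret, host names and mailbox are placeholders.
    peer = GreylistingPeer({"listowner"})
    stable = lambda: stable_localpart(b"constructed-secret", "mx.example.org", "lists.example.net")
    print("random per attempt:", probe(peer, random_localpart, 3, 400))
    print("stable per host pair:", probe(peer, stable, 3, 400))
```

With a new recipient on each attempt every probe is a first-seen triplet and stays at 450; with the derived recipient the second attempt gets past the greylist and returns the peer's real verdict for a nonexistent mailbox.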