[exim] Sender verify at extreme

Author: Marcin Krol
Date:
To: exim-users
Subject: [exim] Sender verify at extreme
Hello everyone,

OK, so I designed myself this ACL for sender verify with exceptions
made for some broken domains that are held in
/etc/exim/wildcard_whitelist_domains file ( *.badly.broken.domain ):

begin acl

acl_nsvdom:
        accept condition = ${lookup {${lc:$sender_address_domain}} partial1-lsearch {/etc/exim/wildcard_whitelist_domains} {yes}{no}}
        require verify = sender/callout=120s,defer_ok
        control = no_callout_flush
        accept


[...]

require verify = sender
acl = acl_nsvdom


It worked dandy until some of my users tried getting mails with
activation links from one badly misconfigured domain:

playfoto.pl.            259200  IN      MX      10 87.98.232.90.


exim -bh 87.98.232.90 gives me this:

>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> routing play@???
>>> playfoto.pl in "lsearch;/etc/virtual/domains"? no (end of list)
>>> playfoto.pl in "! +local_domains"? yes (end of list)
>>> calling lookuphost router
>>> lookuphost router declined for play@???
>>> "more" is false: skipping remaining routers
>>> no more routers
>>> ----------- end verify ------------
>>> require: condition test failed

LOG: H=gnugeneration.net (o) [87.98.232.90] sender verify fail for <play@???>: all relevant MX records point to non-existent hosts or (invalidly) to IP addresses
550-Verification failed for <play@???>
550-It appears that the DNS operator for playfoto.pl
550-has installed an invalid MX record with an IP address
550-instead of a domain name on the right hand side.
550 Sender verify failed
LOG: H=gnugeneration.net (o) [87.98.232.90] F=<play@???>
rejected RCPT xxx@???: Sender verify failed

Why would this condition fail??? After all, I clearly defined accept
condition:

accept condition = ${lookup {${lc:$sender_address_domain}} partial1-lsearch {/etc/exim/wildcard_whitelist_domains} {yes}{no}}

It is fulfilled, because the wildcard domain "*.playfoto.pl" is added
there (and I have tested it in case of domains that have good MX but
where sender verify fails for some other reasons, like greylisting).
Therefore, correctness of MX for the domain or lack thereof should play
no role in deciding whether to accept or reject the mail.

Does anybody have a clue why this require fails?

Thanks in advance,
Marcin Krol
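
The following model is an added example, not part of the original post and not Exim code. It reproduces the key order that Exim's documented partial matching tries for partial1-lsearch, and evaluates ACL conditions top to bottom, stopping at the first failure. It assumes the two lines shown after "[...]" are conditions of one require statement; verify_sender, ROUTABLE and the whitelist content are constructed stand-ins.

```python
# Added model (not Exim source): partial-lsearch keys and in-order ACL conditions.

def partial_keys(domain, min_components=1):
    """Keys partialN-lsearch tries, in order: the domain as given, then
    '*.' + each suffix that keeps at least min_components labels."""
    domain = domain.lower()
    labels = domain.split(".")
    keys = [domain]
    for i in range(len(labels) - min_components + 1):
        keys.append("*." + ".".join(labels[i:]))
    return keys

def whitelisted(domain, entries, min_components=1):
    return any(key in entries for key in partial_keys(domain, min_components))

def run_statement(conditions):
    """Conditions of one ACL statement run in order; the first failure ends
    the statement. Returns (passed, names of the conditions evaluated)."""
    evaluated = []
    for name, check in conditions:
        evaluated.append(name)
        if not check():
            return False, evaluated
    return True, evaluated

WHITELIST = {"*.playfoto.pl"}   # constructed content of the whitelist file
ROUTABLE = {"example.org"}      # constructed: sender domains that route

def verify_sender(domain):
    # Stand-in for 'verify = sender': fails when the domain cannot be routed.
    return domain in ROUTABLE

def acl_nsvdom(domain):
    # accept on a whitelist hit, otherwise require the sender verify
    return whitelisted(domain, WHITELIST) or verify_sender(domain)

def as_posted(domain):
    # The two conditions in the order they appear in the post.
    return run_statement([
        ("verify = sender", lambda: verify_sender(domain)),
        ("acl = acl_nsvdom", lambda: acl_nsvdom(domain)),
    ])

if __name__ == "__main__":
    print(partial_keys("playfoto.pl"))
    print(acl_nsvdom("playfoto.pl"), as_posted("playfoto.pl"))
```

With partial1, the last key tried for playfoto.pl is "*.pl", so a whitelist entry that short would exempt every domain under that TLD from sender verification.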