[exim] Modify behaviour of 451 Could not complete recipient …

Author: Ron White
Date:  
To: Exim Users
Subject: [exim] Modify behaviour of 451 Could not complete recipient verify callout
There are a couple of things I don't fully understand when making
callouts to verify recipients and would appreciate some pointers.

My system is currently experimental (non production) and I'm trying to
iron out some issues with some more unusual 'features' I'm hoping to
implement. I'm still at a very 'junior' student level with Exim so my
logic and way of doing things may be entirely wrong and I'm happy to be
corrected.

The issue I'm currently stuck with is recipient verification to relay
hosts using callouts.

One of the remote servers I'm testing against routinely greylists new
connections. In production this final destination would have the IP of
the Exim gateway in a whitelist, so the issue would be mitigated, but it
crossed my mind I may have issues in other scenarios where the
destination server gave a 4xx defer. In this case the SMTP session with
Exim stalls with:

451 Could not complete recipient verify callout

The ACL stanza performing the call out looks like this:

drop    message  = REJECTED - Remote Recipient Verify Failed
        log_message = relay recipient verification failed
        domains   = +hosted_domains
        !verify   = recipient/callout=15s,defer_ok,no_cache


[noted that adding/removing defer_ok makes no difference] I would like
to understand why the 'defer_ok' does not seem to bite. My understanding
is that if the remote server gives a 4xx code the condition would succeed.

That to one side I'm delighted that Exim gives the 451 back - it's just
what I want it to do. I would like to be able to do two things to
'modify' the behaviour a bit, but I can't seem to find how to do it.
First, when it gives that 451 back I'd like it to then close/drop the
connection - not leave it open until it times out. I'd also like to know
if it's possible to change the message in the runtime config, or if it's
set in stone in the source?

COMPLICATION:
As I understand it the drop condition/callout must live in an ACL. I
can't put a drop condition in a router(?). Which gives me one possible
complication.

My Exim is set up to handle multiple domains/multiple recipients on
those domains but there is a further split. Some recipients of
'example.com' are hosted locally, some are relayed on to another host.
This is all working fine but gives me a concern about callouts. If
billy@??? is hosted locally what will happen when the ACL gets
to the point of recipient verification? +hosted_domains will test true,
so will it try and callout to itself?

I guess there are other ways I can get the ACL condition to match, such
as creating a list of 'relayto' users to check (potentially this could
be very large) - or with an additional SQL lookup to stop it bothering
to try callouts for local hosted users?

A side note, I must say I am loving Exim. I won't pretend I'm finding it
easy working out the logic, but it is clearly more powerful and flexible
than the Postfix we've been using. It really is rather remarkable.