[exim] cram config problem

Auteur: Alexander Nagel
Date:  
À: exim-users
Sujet: [exim] cram config problem
Hi,
although I thought my exim config was ok (I read the book (it's always
under my pillow :-D) and the mailing list), I was used as a mail relay last
night :-(
The problem is: I don't know why. Perhaps you can give me a hint.

The log section for one mail, which looks quite normal except for the
A=cram authenticator entry:

2010-12-03 23:11:36 1POdqq-0005Dd-Lg <= notmylocale1@notmydomain1
H=static-mum-XX.XXX.XXX.XX.YYYY.net.in (ZZZZ.com) [XX.XXX.XXX.XX]
P=esmtpa A=cram: S=1541
id=bffc0c4db7014b5f85f70fd3366406e2@5596f1f9ac9a4e95972a770a95afed48
from <notmylocale1@notmydomain1> for notmylocale3@notmydomain3
2010-12-03 23:11:40 1POdqt-0005Dd-Lp <= notmylocale2@notmydomain2
H=static-mum-XX.XXX.XXX.XX.YYY.net.in (ZZZZ.com) [XX.XXX.XX.XX] P=esmtpa
A=cram: S=1420
id=66f95d560e354a95905d29ba7a939ae3@266eba13b7e640dca0c0f1f0b0044aff
from <notmylocale2@notmydomain2> for notmylocale3@notmydomain3
2010-12-03 23:11:40 1POdqq-0005Dd-Lg Completed QT=4s

So, I checked the cram config and I think it's incomplete. I totally
overlooked this :-( It seems to allow everything; I have commented it out for now.
So how does it have to look to be correct for cram auth? What is the difference
between the server and client config?

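# CRAM-MD5 server authenticator.
# The client answers the server's challenge with an HMAC-MD5 keyed by the
# user's secret; Exim recomputes that digest with whatever server_secret
# expands to for $auth1 (the user name sent by the client) and compares.
# Whether a login succeeds therefore depends entirely on server_secret.
# The client_* options of this driver are only needed when Exim itself
# authenticates to another server; they play no part in accepting logins.
cram:
         driver                  = cram_md5
         public_name             = CRAM-MD5
         # {$value}fail: when the lookup finds no row for $auth1 the
         # expansion is forced to fail, which makes authentication fail.
         # Without it a failed lookup expands to an empty string, and that
         # empty string is then used as the shared secret -- a client that
         # answers the challenge with an empty password for an unknown (or
         # empty) user name is accepted.  The "A=cram:" entries with an
         # empty id in the log above are consistent with exactly that.
         # Make sure the query can never return a row with an empty secret
         # either, since that reopens the same hole for that user.
         # NOTE(review): PG_Q_AUTH_CRAMMD5 is not shown here; if it
         # interpolates $auth1 into SQL it must do so as ${quote_pgsql:$auth1}.
         server_secret           = ${lookup pgsql{PG_Q_AUTH_CRAMMD5}{$value}fail}
         # The id recorded after "A=cram:" in the log line is this value.
         server_set_id           = $auth1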


Here is my current ACL. Perhaps it is broken somewhere, too.

Thank you
Alexander

# Start of the ACL section
begin acl

# Connect-time ACL: temporarily refuses (4xx) every connection while the
# maintenance flag read from PostgreSQL is exactly "disabled"; otherwise
# the connection is accepted.
acl_check_connect:
    # defer rather than drop, so remote MTAs retry after the maintenance
    # window; the log text says REJECTED although the result is a
    # temporary failure, not a permanent one.
    # NOTE(review): only an exact "disabled" result defers -- confirm what
    # PG_Q_CHECK_RUN yields when the flag row is missing or the database
    # is unreachable, since anything else falls through to accept.
    defer
        condition    = ${if eq{disabled}{${lookup pgsql{PG_Q_CHECK_RUN}}}}
        message     = Service is down for maintenance - please try later
        log_message    = REJECTED by preferences $sender_host_name
    accept


# HELO/EHLO ACL: drops the connection for obviously forged HELO names.
# No statement here exempts +relay_from_hosts, so an internal client that
# greets with its bare IP address (some clients do) is dropped as well.
# Authentication has not happened yet at HELO time, so "authenticated"
# exemptions would not help here.
acl_check_helo:
    # drop connection if HELO/EHLO is empty
    # NOTE(review): the message/log_message values below were wrapped by
    # the mail client; in the real file each must be one logical line
    # (or continued with a trailing backslash).
    drop
        condition    = ${if eq{$sender_helo_name}{}}
        message        = REJECTED - HELO is empty Polite hosts say HELO first Please 
see RFC 2821 section 4.1.1.1
        log_message    = REJECTED - HELO is empty Polite hosts say HELO first 
Please see RFC 2821 section 4.1.1.1


    # drop connection if HELO/EHLO equals the loopback address 127.0.0.1
    # (exact comparison, not a substring match)
    drop
        condition    = ${if eq{127.0.0.1}{$sender_helo_name}}
        message        = REJECTED - HELO $sender_helo_name is loop address
        log_message    = REJECTED - HELO $sender_helo_name is loop address


    # drop connection if HELO/EHLO equals the IP of the interface that
    # received the connection
    drop
        condition       = ${if eq{$interface_address}{$sender_helo_name}}
        message         = REJECTED - HELO $interface_address is MY address
        log_message    = REJECTED - HELO $interface_address is MY address


    # drop connection if HELO/EHLO is my IP in square brackets
    drop
        condition       = ${if eq{[$interface_address]}{$sender_helo_name}}
        message         = REJECTED - HELO [$interface_address] is MY address
        log_message     = REJECTED - HELO [$interface_address] is MY address


    # drop connection if HELO/EHLO is a bare IP address; this also covers
    # the two IP cases above, which only exist to give a more specific
    # message
    drop
        condition       = ${if isip{$sender_helo_name}}
        message        = REJECTED - Invalid HELO name (See RFC2821 4.1.3)
        log_message     = REJECTED - HELO ($sender_helo_name) is IP only (See 
RFC2821 4.1.3)


    # drop connection if HELO/EHLO contains my hostname
    # "match" treats $primary_hostname as an unanchored regular expression:
    # the dots match any character and any HELO that merely contains the
    # pattern is dropped.  Use eq (or an anchored, quoted pattern) if an
    # exact comparison is what is meant.
    drop
        condition       = ${if match{$sender_helo_name}{$primary_hostname}}
        message        = REJECTED - This is MY hostname
        log_message    = REJECTED - HELO ($sender_helo_name) uses MY hostname


    accept


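# RCPT ACL: runs once per recipient.  Statements are tried in order and
# the first accept/drop/defer/require whose conditions all hold decides,
# so the position of each statement is part of its meaning.
# Values that the mail client had wrapped onto two lines are rejoined
# here; the backslash continuations are the author's own.
acl_check_rcpt:
    # Warn only: the sender's domain is listed by rfc-ignorant.  Nothing is
    # rejected here, the result only reaches the log.
    # NOTE(review): the rfc-ignorant.org zones have since been shut down;
    # a dead zone costs a DNS lookup per recipient and never matches.
    warn
        message        = $sender_address_domain is listed in $dnslist_domain ($dnslist_text)
        log_message    = $sender_address_domain is listed in $dnslist_domain ($dnslist_text)
        dnslists       = dsn.rfc-ignorant.org/$sender_address_domain : postmaster.rfc-ignorant.org/$sender_address_domain


    # Drop unauthenticated clients whose address matches the host list
    # returned by PG_Q_BLACKLIST.  Authenticated sessions bypass this.
    drop
        !authenticated = *
        message        = REJECTED - blacklisted - your appeal to my humanity is pointless.
        log_message    = REJECTED - blacklisting is active for <$sender_address> to <$local_part@$domain>.
        condition      = ${if match_ip{$sender_host_address}{${lookup pgsql{PG_Q_BLACKLIST}}}{yes}{no}}


    # greylistd: temporarily refuse mail for our domains from hosts not
    # yet known.  Exempt: empty senders (bounces; acl_check_data greylists
    # those instead), sessions without a remote host, +relay_from_hosts,
    # the greylistd whitelist files and authenticated sessions.  The
    # recipient callout precedes the socket query, so an undeliverable
    # recipient is not registered with greylistd.
    defer
        message        = $sender_host_address is not yet authorized to deliver mail from <$sender_address> to <$local_part@$domain>. \
                Greylisting is in effect. Please try later.
        log_message    = REJECTED - Greylisted in acl_check_rcpt.
        !senders       = :
        !hosts         = : +relay_from_hosts : \
                      ${if exists {/etc/greylistd/whitelist-hosts}\
                                  {/etc/greylistd/whitelist-hosts}{}} : \
                      ${if exists {/var/lib/greylistd/whitelist-hosts}\
                                  {/var/lib/greylistd/whitelist-hosts}{}}
        !authenticated = *
        domains        = +local_domains : +virtual_domains
        verify         = recipient/callout=20s,use_sender,defer_ok
        condition      = ${readsocket{/var/run/greylistd/socket}{--grey $sender_host_address $sender_address $local_part@$domain}{5s}{}{false}}


    # Drop hosts that greylistd has blacklisted.  Only empty senders and
    # authenticated sessions are exempt here -- unlike the greylisting
    # statement, there is no host or domain exemption.
    drop
        message        = $sender_host_address is blacklisted from delivering mail from <$sender_address> to <$local_part@$domain>.
        log_message    = REJECTED - blacklisted in acl_check_rcpt.
        !senders       = :
        !authenticated = *
        verify         = recipient/callout=20s,use_sender,defer_ok
        condition      = ${readsocket{/var/run/greylistd/socket}{--black $sender_host_address $sender_address $local_part@$domain}{5s}{}{false}}


    # Sessions with no remote host address (locally originated SMTP).
    accept
        hosts          = :


    # postmaster@ for our own domains is always accepted, without the
    # sender verification that follows.
    accept
        local_parts    = postmaster
        domains        = +local_domains : +virtual_domains


    # Sender verification with callout.  This precedes the relay-host and
    # authenticated accepts below, so it applies to our own clients too.
    require
        verify         = sender/callout=20s,defer_ok
        message        = REJECTED - sender verify failed: $acl_verify_message
        log_message    = REJECTED - sender verify failed: $acl_verify_message


    # Relay for the named host list.  The original read
    # "hosts = relay_from_hosts" without the leading "+": that is a
    # literal host name, not a reference to the named list (compare the
    # +relay_from_hosts items in the greylisting statement above), so no
    # relay host ever matched this statement.
    accept
        hosts          = +relay_from_hosts


    # Relay for any authenticated session, handled as a submission.
    # This is the statement that relayed the messages in the log: it trusts
    # the authenticators completely, so an authenticator that lets unknown
    # users through (see the cram authenticator) turns it into an open
    # relay.
    accept
        authenticated  = *
        control        = submission/sender_retain/domain=


    # Everyone else may only send to our own domains ...
    require
        domains        = +local_domains : +virtual_domains
        message        = REJECTED - relay not permitted.
        log_message    = REJECTED - relay not permitted.


    # ... and only to recipients that exist.
    require
        verify         = recipient
        message        = REJECTED - sorry, no mailbox here by that name.
        log_message    = REJECTED - sorry, no mailbox here by that name.


    accept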


# DATA ACL: runs once per message after the body has been received.
# Within a statement, conditions and modifiers are processed in the order
# written and all conditions must hold for the verb to act.
# NOTE(review): several values below were wrapped onto two lines by the
# mail client; in the real file each must be one logical line (or use a
# trailing backslash).
acl_check_data:

    # drop mail if there is no subject or body
    # Both conditions must hold, so this actually requires a missing
    # Subject: header AND an empty body (fewer than 1 body line).
    drop
        message        = REJECTED - message without subject or body
        log_message    = REJECTED - message without subject or body
        !condition    = ${if def:h_Subject:}
        condition    = ${if <{$body_linecount}{1}{true}{false}}


    # drop mail if certain files are found
    # NOTE(review): the demime condition was removed from later Exim
    # releases in favour of the MIME ACL (acl_smtp_mime); this statement
    # and the next will not load on such a version.
    drop
        message     = REJECTED - $found_extension files are not accepted here.
        log_message    = REJECTED - $found_extension files are not accepted here.
        demime        = com:exe:vbs:bat:pif:reg:scr


    # drop mail with serious MIME defects
    # demime = * runs the scan; only an error level above 2 drops.
    drop
        message     = REJECTED - Serious MIME defect detected ($demime_reason).
        log_message    = REJECTED - Serious MIME defect detected ($demime_reason).
        demime         = *
        condition     = ${if >{$demime_errorlevel}{2}{1}{0}}


    # drop mail without message-id (presumably SPAM)
    # HINT: very strict, blocks monster.com => only warn
#    warn
#        condition    = ${if !def:h_Message-ID: {1}}
#        message        = RFC2822 says that all mail SHOULD have a Message-ID 
header.\nMost messages without it are spam, so your mail has been rejected.
#        log_message     = RFC2822 says that all mail SHOULD have a Message-ID 
header.\nMost messages without it are spam, so your mail has been rejected.


    # greylistd for messages with an empty sender (bounces): these were
    # skipped in acl_check_rcpt (!senders = :) and are keyed here on the
    # full recipient list instead.  Same host and authentication
    # exemptions as in acl_check_rcpt.
    defer
        message        = $sender_host_address is not yet authorized to deliver mail 
from <$sender_address> to <$recipients>. Greylisting is in effect. 
Please try later.
        log_message    = REJECTED - greylisted in acl_check_data.
        senders        = :
        !hosts        = : +relay_from_hosts : \
                ${if exists {/etc/greylistd/whitelist-hosts}\
                                      {/etc/greylistd/whitelist-hosts}{}} : \
                ${if exists {/var/lib/greylistd/whitelist-hosts}\
                    {/var/lib/greylistd/whitelist-hosts}{}}
        !authenticated    = *
        condition    = ${readsocket{/var/run/greylistd/socket}{--grey 
$sender_host_address $recipients}{5s}{}{false}}


# Deny if blacklisted by greylist
# NOTE(review): this uses !senders = : while the greylisting statement
# just above uses senders = :, so the blacklist check here runs for
# non-empty senders (already checked per recipient in acl_check_rcpt)
# and never for the bounces this ACL otherwise handles -- presumably
# senders = : was intended; confirm.
    drop
        message        = $sender_host_address is blacklisted from delivering mail 
from <$sender_address> to <$recipients>.
        log_message    = REJECTED - blacklisted in acl_check_data.
        !senders    = :
        !authenticated    = *
        condition    = ${readsocket{/var/run/greylistd/socket}{--black 
$sender_host_address $recipients}{5s}{}{false}}


    # Malware scan, only when the PG_Q_VIRUS_CHECK flag is "t"; a scanner
    # failure (defer_ok) lets the message through.
    # NOTE(review): add_header precedes the malware condition; whether the
    # header ends up on a clean, accepted message depends on how Exim
    # treats add_header in a drop statement -- confirm against the docs.
    drop
        condition     = ${if eq{t}{${lookup pgsql{PG_Q_VIRUS_CHECK}}} }
        add_header      = X-Virus-Check: ${primary_hostname}
        message        = REJECTED - This message contains malware ($malware_name)
        log_message    = REJECTED - This message contains malware ($malware_name)
        malware        = */defer_ok


    # Reject high-scoring spam from unauthenticated clients.  With the
    # ":true" suffix the spam condition always succeeds (it just runs the
    # scan and sets the $spam_* variables); the real threshold is the
    # following condition, comparing $spam_score_int (score x 10) against
    # PG_Q_SPAMSCORE, or 200 (= 20.0 points) when that lookup fails.
    drop
        !authenticated  = *
        condition    = ${if eq{t}{${lookup pgsql{PG_Q_SPAM_CHECK}}} }
        spam        = $recipients:true/defer_ok
        condition       = ${if >{$spam_score_int} { ${lookup pgsql 
{PG_Q_SPAMSCORE} {$value}{200}} } {true}{false}}
        message         = REJECTED - This message scored $spam_score spam 
points, which is too much.
        log_message     = REJECTED - This message scored $spam_score spam 
points, which is too much.


    # Tag (not reject) messages SpamAssassin classifies as spam.  Without
    # ":true" the spam condition only succeeds for flagged messages, so the
    # X-Spam-* headers after it are added for those only.
    # NOTE(review): X-Spam-Check is added before the PG_Q_SPAM_CHECK
    # condition, so it presumably appears even when scanning is disabled;
    # move it after the spam condition if that is unwanted.
    warn
        add_header      = X-Spam-Check: ${primary_hostname}
        condition       = ${if eq{t}{${lookup pgsql{PG_Q_SPAM_CHECK}}} }
        spam        = $recipients/defer_ok
        add_header      = X-Spam-Checked-Int: yes
        log_message    = WARNING - SPAM FOUND $spam_score
        add_header    = X-Spam-Score: $spam_score
        add_header    = X-Spam-Scorebar: $spam_bar
        add_header    = X-Spam-Report: $spam_report
        add_header    = X-Spam-Subject: ${lookup pgsql{PG_Q_SPAMTAG}} $h_Subject:


    accept


# End of the ACL section