[exim] Some problems

Top Page
Delete this message
Reply to this message
Author: The Doctor
Date:  
To: exim-users
Subject: [exim] Some problems
Right number of issues.


----------------------- ns2 config file -----------------


primary_hostname = ns2
local_interfaces = 0.0.0.0.25 : 127.0.0.1.10025 : 0.0.0.0.465 : 0.0.0.0.587
domainlist local_domains = @
domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1 : 204.209.81.0/24 : 192.168.0.0/16 : 208.118.93.0/24: 208.118.94.0/24
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
av_scanner = clamd:127.0.0.1 3310
spamd_address = 127.0.0.1 783
tls_advertise_hosts = *
tls_certificate = /usr/exim/ca.crt
tls_privatekey = /usr/exim/ca.key
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports =   465 
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
auto_thaw = 1m 
begin acl
acl_check_rcpt:
  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  accept  hosts = :
          control = dkim_disable_verify
  #############################################################################
  # The following section of the ACL is concerned with local parts that contain
  # @ or % or ! or / or | or dots in unusual places.
  #
  # The characters other than dots are rarely found in genuine local parts, but
  # are often tried by people looking to circumvent relaying restrictions.
  # Therefore, although they are valid in local parts, these rules lock them
  # out, as a precaution.
  #
  # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
  # allows them because they have been encountered. (Consider local parts
  # constructed as "firstinitial.secondinitial.familyname" when applied to
  # someone like me, who has no second initial.) However, a local part starting
  # with a dot or containing /../ can cause trouble if it is used as part of a
  # file name (e.g. for a mailing list). This is also true for local parts that
  # contain slashes. A pipe symbol can also be troublesome if the local part is
  # incorporated unthinkingly into a shell command line.
  #
  # Two different rules are used. The first one is stricter, and is applied to
  # messages that are addressed to one of the local domains handled by this
  # host. The line "domains = +local_domains" restricts it to domains that are
  # defined by the "domainlist local_domains" setting above. The rule  blocks
  # local parts that begin with a dot or contain @ % ! / or |. If you have
  # local accounts that include these characters, you will have to modify this
  # rule.
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]
  # The second rule applies to all other domains, and is less strict. The line
  # "domains = !+local_domains" restricts it to domains that are NOT defined by
  # the "domainlist local_domains" setting above. The exclamation mark is a
  # negating operator. This rule allows your own users to send outgoing
  # messages to sites that use slashes and vertical bars in their local parts.
  # It blocks local parts that begin with a dot, slash, or vertical bar, but
  # allows these characters within the local part. However, the sequence /../
  # is barred. The use of @ % and ! is blocked, as before. The motivation here
  # is to prevent your users (or your users' viruses) from mounting certain
  # kinds of attack on remote sites.
  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  #############################################################################
  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  accept  local_parts   = postmaster
          domains       = +local_domains
  # Deny unless the sender address can be verified.
  require verify        = sender
  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
  # so we set control=submission to make Exim treat the message as a
  # submission. It will fix up various errors in the message, for example, the
  # lack of a Date: header line. If you are actually relaying out out from
  # MTAs, you may want to disable this. If you are handling both relaying from
  # MTAs and submissions from MUAs you should probably split them into two
  # lists, and handle them differently.
  # Recipient verification is omitted here, because in many cases the clients
  # are dumb MUAs that don't cope well with SMTP error responses. If you are
  # actually relaying out from MTAs, you should probably add recipient
  # verification here.
  # Note that, by putting this test before any DNS black list checks, you will
  # always accept from these hosts, even if they end up on a black list. The
  # assumption is that they are your friends, and if they get onto a black
  # list, it is a mistake.
  accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify
  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted, and submission mode is set. And again, we do this
  # check before any black list tests.
  accept  authenticated = *
          control       = submission
          control       = dkim_disable_verify
  # Insist that any other recipient address that we accept is either in one of
  # our local domains, or is in a domain for which we explicitly allow
  # relaying. Any other domain is rejected as being unacceptable for relaying.
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains
  # We also require all accepted addresses to be verifiable. This check will
  # do local part verification for local domains, but only check the domain
  # for remote domains. The only way to check local parts for the remote
  # relay domains is to use a callout (add /callout), but please read the
  # documentation about callouts before doing this.
  require verify = recipient
  #############################################################################
  # There are no default checks on DNS black lists because the domains that
  # contain these lists are changing all the time. However, here are two
  # examples of how you can get Exim to perform a DNS black list lookup at this
  # point. The first one denies, whereas the second just warns.
  #
   deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text


            dnslists = sbl-xbl.spamhaus.org : \
             dnsbl.njabl.org : \
             combined.njabl.org : \
             dev.null.dk : \
             relays.visi.com : \
             bl.spamcop.net : \
             hostkarma.junkemailfilter.com=127.0.0.2
  #
   warn   dnslists = sbl-xbl.spamhaus.org: \
             dnsbl.njabl.org : \
             combined.njabl.org : \
             dev.null.dk : \
             relays.visi.com : \
             bl.spamcop.net : \
             hostkarma.junkemailfilter.com=127.0.0.2  
           add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
           log_message   = found in $dnslist_domain
  #############################################################################
  #############################################################################
  # This check is commented out because it is recognized that not every
  # sysadmin will want to do it. If you enable it, the check performs
  # Client SMTP Authorization (csa) checks on the sending host. These checks
  # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
  # an Internet draft. You can, of course, add additional conditions to this
  # ACL statement to restrict the CSA checks to certain hosts only.
  #
  # require verify = csa
  #############################################################################
  # At this point, the address has passed all the checks that have been
  # configured, so we accept it unconditionally.
  accept
acl_check_data:


  accept authenticated = *
  # Deny if the message contains a virus. Before enabling this check, you
  # must install a virus scanner and set the av_scanner option above.
  #
   deny    malware    = *
           message    = This message contains a virus ($malware_name).
  # Add headers to a message if it is judged to be spam. Before enabling this,
  # you must install SpamAssassin. You may also need to set the spamd_address
  # option above.
  #
   warn    spam       = nobody
           add_header = X-Spam_score: $spam_score\n\
                        X-Spam_score_int: $spam_score_int\n\
                        X-Spam_bar: $spam_bar\n\
                        X-Spam_report: $spam_report
  # Accept the message.
  accept
begin routers
check_dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  verify_only
  pass_router = amavis
  no_more
check_system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  verify_only
  pass_router = amavis
check_localuser:
  driver = accept
  check_local_user
  verify_only
  pass_router = amavis
failed_address_router:
  driver = accept
  verify_only
  fail_verify
amavis:
  driver = manualroute
  # Do NOT run if received via 10025/tcp or if already spam-scanned
  # or if bounce message ($sender_address="")
  condition = "${if or {{eq {$interface_port}{10025}} \
      {eq {$received_protocol}{spam-scanned}} \
      {eq {$sender_address}{}} \
      }{0}{1}}"
  transport = amavis
  route_list = "* localhost byname"
  self = send
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more
system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe
userforward:
  driver = redirect
  check_local_user
  file = $home/.forward
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
localuser:
  driver = accept
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user
  # Do NOT run if received via 10025/tcp or if already spam-scanned
  # or if bounce message ($sender_address="")
begin transports
remote_smtp:
  driver = smtp
  hosts_avoid_tls=*
amavis:
  driver = smtp
  port = 10024
  allow_localhost
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0600
address_pipe:
  driver = pipe
  return_output
address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
address_reply:
  driver = autoreply
begin retry
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
begin authenticators
PLAIN:
  driver                     = plaintext
  public_name                = PLAIN
  server_set_id              = $auth2
  server_prompts             = :
  server_condition           = ${if saslauthd{{$2}{$3}}{1}{0}}
  server_advertise_condition = ${if def:tls_cipher }
LOGIN:
  driver                     = plaintext
  public_name                = LOGIN
  server_set_id              = $auth1
 server_prompts             = <| Username: | Password:
 server_condition           =  ${if saslauthd{{$1}{$2}}{1}{0}}
  server_advertise_condition = ${if def:tls_cipher }



---- end of conf file ----------------------------


I wish to add that if an e-mail is done via port 465 then do not subject
it to anti-viral tests.

-------------- ns1 configuration -----------------------


primary_hostname = ns1
local_interfaces = 0.0.0.0.25 :  127.0.0.1.10025  : 0.0.0.0.465 : 0.0.0.0.587
domainlist local_domains = @:secure.nl2k.ab.ca:mail.nl2k.ab.ca:mail.nk.ca:nk.ca:nl2k.ca:nl2k.ab.ca:doctor.nl2k.ab.ca:lsearch;/usr/exim/vdom3 
domainlist relay_to_domains =
hostlist relay_from_hosts = 204.209.81.0/24 : 127.0.0.1 : 208.118.93.0/24: 208.118.94.0/24
trusted_users = exim : majordomo
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
av_scanner = clamd:127.0.0.1 3310
spamd_address = 127.0.0.1 783
tls_advertise_hosts = *
tls_certificate = /usr/exim/ca.crt
tls_privatekey = /usr/exim/ca.key
daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports =   465 
never_users = root
host_lookup = *
rfc1413_hosts = *
rfc1413_query_timeout = 5s
ignore_bounce_errors_after = 2h
timeout_frozen_after = 6h
auto_thaw = 1m 
begin acl
acl_check_rcpt:
  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  accept  hosts = :
          control = dkim_enable_verify
  #############################################################################
  # The following section of the ACL is concerned with local parts that contain
  # @ or % or ! or / or | or dots in unusual places.
  #
  # The characters other than dots are rarely found in genuine local parts, but
  # are often tried by people looking to circumvent relaying restrictions.
  # Therefore, although they are valid in local parts, these rules lock them
  # out, as a precaution.
  #
  # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
  # allows them because they have been encountered. (Consider local parts
  # constructed as "firstinitial.secondinitial.familyname" when applied to
  # someone like me, who has no second initial.) However, a local part starting
  # with a dot or containing /../ can cause trouble if it is used as part of a
  # file name (e.g. for a mailing list). This is also true for local parts that
  # contain slashes. A pipe symbol can also be troublesome if the local part is
  # incorporated unthinkingly into a shell command line.
  #
  # Two different rules are used. The first one is stricter, and is applied to
  # messages that are addressed to one of the local domains handled by this
  # host. The line "domains = +local_domains" restricts it to domains that are
  # defined by the "domainlist local_domains" setting above. The rule  blocks
  # local parts that begin with a dot or contain @ % ! / or |. If you have
  # local accounts that include these characters, you will have to modify this
  # rule.
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]
  # The second rule applies to all other domains, and is less strict. The line
  # "domains = !+local_domains" restricts it to domains that are NOT defined by
  # the "domainlist local_domains" setting above. The exclamation mark is a
  # negating operator. This rule allows your own users to send outgoing
  # messages to sites that use slashes and vertical bars in their local parts.
  # It blocks local parts that begin with a dot, slash, or vertical bar, but
  # allows these characters within the local part. However, the sequence /../
  # is barred. The use of @ % and ! is blocked, as before. The motivation here
  # is to prevent your users (or your users' viruses) from mounting certain
  # kinds of attack on remote sites.
  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  #############################################################################
  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  accept  local_parts   = postmaster
          domains       = +local_domains:lsearch;/usr/exim/vdom3
  # Deny unless the sender address can be verified.
  ##require verify        = sender
  accept  domains       = +local_domains:lsearch;/usr/exim/vdom3
  endpass



/*

The above is commented out as virtual e-mail addresses are not
being recognised properly. I am using a dbm file.
How Do I get exim to realises that we have local and virtual that needs
supporting ?


*/
  ## Sender Verify on 'Recipient' 
drop    message = REJECTED - Sender Verify Failed - error code \"$sender_verify_failure\"\n\n\
The return address you are using for this email message <$sender_address>\
does not seem to be a working account.
        log_message = REJECTED - Sender Verify Failed - error code \"$sender_verify_failure\"
        !hosts = +no_verify
        !verify = sender/callout=2m,defer_ok
        condition = ${if eq{recipient}{$sender_verify_failure}}
deny    message   = REJECTED - Recipient Verify Failed - User Not Found
        domains   = +all_mail_handled_locally
        !verify   = recipient/callout=2m,defer_ok,use_sender
warn    domains = +local_domains:lsearch;/usr/exim/vdom3
                !verify = recipient
                set acl_c0 = ${eval: $acl_c0+1}
                delay = ${eval: ($acl_c0 - 1) * 60}s
  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
  # so we set control=submission to make Exim treat the message as a
  # submission. It will fix up various errors in the message, for example, the
  # lack of a Date: header line. If you are actually relaying out out from
  # MTAs, you may want to disable this. If you are handling both relaying from
  # MTAs and submissions from MUAs you should probably split them into two
  # lists, and handle them differently.
  # Recipient verification is omitted here, because in many cases the clients
  # are dumb MUAs that don't cope well with SMTP error responses. If you are
  # actually relaying out from MTAs, you should probably add recipient
  # verification here.
  # Note that, by putting this test before any DNS black list checks, you will
  # always accept from these hosts, even if they end up on a black list. The
  # assumption is that they are your friends, and if they get onto a black
  # list, it is a mistake.
  accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify
  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted, and submission mode is set. And again, we do this
  # check before any black list tests.
  accept  authenticated = *
          control       = submission
          control       = dkim_disable_verify
  # Insist that any other recipient address that we accept is either in one of
  # our local domains, or is in a domain for which we explicitly allow
  # relaying. Any other domain is rejected as being unacceptable for relaying.
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains
  # We also require all accepted addresses to be verifiable. This check will
  # do local part verification for local domains, but only check the domain
  # for remote domains. The only way to check local parts for the remote
  # relay domains is to use a callout (add /callout), but please read the
  # documentation about callouts before doing this.
  require verify = recipient
  #############################################################################
  # There are no default checks on DNS black lists because the domains that
  # contain these lists are changing all the time. However, here are two
  # examples of how you can get Exim to perform a DNS black list lookup at this
  # point. The first one denies, whereas the second just warns.
  #
   deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text


            dnslists = sbl-xbl.spamhaus.org : \
             dnsbl.njabl.org : \
             combined.njabl.org : \
             dev.null.dk : \
             relays.visi.com : \
             bl.spamcop.net : \
             hostkarma.junkemailfilter.com=127.0.0.2
  #
   warn   dnslists = sbl-xbl.spamhaus.org: \
             dnsbl.njabl.org : \
             combined.njabl.org : \
             dev.null.dk : \
             relays.visi.com : \
             bl.spamcop.net : \
             hostkarma.junkemailfilter.com=127.0.0.2  
           add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
           log_message   = found in $dnslist_domain
  #############################################################################
  #############################################################################
  # This check is commented out because it is recognized that not every
  # sysadmin will want to do it. If you enable it, the check performs
  # Client SMTP Authorization (csa) checks on the sending host. These checks
  # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
  # an Internet draft. You can, of course, add additional conditions to this
  # ACL statement to restrict the CSA checks to certain hosts only.
  #
  # require verify = csa
  #############################################################################
  # At this point, the address has passed all the checks that have been
  # configured, so we accept it unconditionally.
  accept
acl_check_data:
  # Deny if the message contains a virus. Before enabling this check, you
  # must install a virus scanner and set the av_scanner option above.
  #
   deny    malware    = *
           message    = This message contains a virus ($malware_name).
  # Add headers to a message if it is judged to be spam. Before enabling this,
  # you must install SpamAssassin. You may also need to set the spamd_address
  # option above.
  #
   warn    spam       = nobody
           add_header = X-Spam_score: $spam_score\n\
                        X-Spam_score_int: $spam_score_int\n\
                        X-Spam_bar: $spam_bar\n\
                        X-Spam_report: $spam_report
  # Accept the message.
  accept
begin routers
check_dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  verify_only
  pass_router = amavis
  no_more
check_system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  verify_only
  pass_router = amavis
check_localuser:
  driver = accept
  check_local_user
  verify_only
  pass_router = amavis
failed_address_router:
  driver = accept
  verify_only
  fail_verify
domains_virtual:
  domains       = +local_domains
  driver = redirect
  data=${lookup{$local_part@$domain}dbm{/usr/exim/virtemail}}


domains_virtual_others:
  domains       = +local_domains
  driver = redirect
  data=${lookup{@$domain}dbm{/usr/exim/virtemail}}
amavis:
  driver = manualroute
  # Do NOT run if received via 10025/tcp or if already spam-scanned
  # or if bounce message ($sender_address="")
  condition = "${if or {{eq {$interface_port}{10025}} \
      {eq {$received_protocol}{spam-scanned}} \
      {eq {$sender_address}{}} \
      }{0}{1}}"
  transport = amavis
  route_list = "* localhost byname"
  self = send
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more
system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  file_transport = address_file
  pipe_transport = address_pipe
userforward:
  driver = redirect
  check_local_user
  file = $home/.forward
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
localuser:
  driver = accept
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user
procmail:
  driver = accept
  check_local_user
  require_files = $home/.procmailrc
  transport = procmail_pipe
  # Do NOT run if received via 10025/tcp or if already spam-scanned
  # or if bounce message ($sender_address="")
lists:
  driver = redirect
  file = /usr/home/majordomo/lists/$local_part
  forbid_pipe
  forbid_file
  errors_to = $local_part-request@???
  user = majordomo
  no_more
begin transports
remote_smtp:
  driver = smtp
procmail_pipe:
  driver = pipe
  command = /usr/bin/procmail -d $local_part
  return_path_add
  delivery_date_add
  envelope_to_add
  check_string = "From "
  escape_string = ">From "
  umask = 077
  user = $local_part
  group = mail


amavis:
  driver = smtp
  port = 10024
  allow_localhost
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0600
address_pipe:
  driver = pipe
  return_output
address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add
address_reply:
  driver = autoreply
begin retry
*                      *           F,1h,15m; G,10h,1h,1.5; F,7d,1h
begin rewrite
begin authenticators
PLAIN:
  driver                     = plaintext
  public_name                = PLAIN
  server_set_id              = $auth2
  server_prompts             = :
  server_condition           = ${if saslauthd{{$2}{$3}}{1}{0}}
  server_advertise_condition = ${if def:tls_cipher }
LOGIN:
  driver                     = plaintext
  public_name                = LOGIN
  server_set_id              = $auth1
 server_prompts             = <| Username: | Password:
 server_condition           = ${if saslauthd{{$1}{$2}}{1}{0}}
  server_advertise_condition = ${if def:tls_cipher }



-------------------------- end of ns1 ---------------

Also noticed mail taking about 1 minute to about several hours of days to come in.
How do I rectify this?


-- 
Member - Liberal International    This is doctor@??? Ici doctor@???
God, Queen and country! Never Satan President Republic! Beware AntiChrist rising! 
http://twitter.com/rootnl2k http://www.facebook.com/dyadallee
Now is the time time to declare your allegiance!