Re: [exim] Some problems

Góra strony
Delete this message
Reply to this message
Autor: Ian Eiloart
Data:  
Dla: The Doctor
CC: exim-users
Temat: Re: [exim] Some problems
I'm lost.

Please start again. State your problems clearly, and don't include your
config file - describe what you think it does in English. Where are you
spam messages going? Tell us what you think is causing the problem.

It's hard to find your text amongst all that quoted stuff. We can refer
back to the config file if neccessary.

Oh, and regarding the slow deliveries. WHERE is that problem occurring?
Inbound transport?

--On 21 March 2011 10:10:45 -0600 The Doctor <doctor@???>
wrote:

> On Mon, Mar 21, 2011 at 09:23:49AM +0000, Ian Eiloart wrote:
>>
>>
>> --On 16 March 2011 22:00:47 -0600 The Doctor <doctor@???>
>> wrote:
>>
>>> Right number of issues.
>>
>> You've got the correct number of issues? Or "Right, I've got a number of
>> issues?"
>>
>> Would you care to tell us what the issues are?
>>
>
> Correct a number of issues.
>
>>
>> Way down below this config file, you say inbound messages sometimes take
>> a while to arrive. Have you checked "Received" headers to determine
>> which step is taking the time? have you checked your log files to see
>> whether you are temporarily rejecting messages, or whether connections
>> are timing out (being dropped)?
>
> Apparently when a huge number of spam, say N, hits the server,
> it might take m hours for a message that is non-spam to be delivered.
>
> N messages are frozen rather crippling exim in doing a proper job.
>
> Now going below:
>
>>
>>>
>>> ----------------------- ns2 config file -----------------
>>>
>>>
>>> primary_hostname = ns2
>>> local_interfaces = 0.0.0.0.25 : 127.0.0.1.10025 : 0.0.0.0.465 :
>>> 0.0.0.0.587 domainlist local_domains = @
>>> domainlist relay_to_domains =
>>> hostlist relay_from_hosts = 127.0.0.1 : 204.209.81.0/24 : 192.168.0.0/16
>>> : 208.118.93.0/24: 208.118.94.0/24 acl_smtp_rcpt = acl_check_rcpt
>>> acl_smtp_data = acl_check_data
>>> av_scanner = clamd:127.0.0.1 3310
>>> spamd_address = 127.0.0.1 783
>>> tls_advertise_hosts = *
>>> tls_certificate = /usr/exim/ca.crt
>>> tls_privatekey = /usr/exim/ca.key
>>> daemon_smtp_ports = 25 : 465 : 587
>>> tls_on_connect_ports =   465
>>> never_users = root
>>> host_lookup = *
>>> rfc1413_hosts = *
>>> rfc1413_query_timeout = 5s
>>> ignore_bounce_errors_after = 2d
>>> timeout_frozen_after = 7d
>>> auto_thaw = 1m
>>> begin acl
>>> acl_check_rcpt:
>>>   # Accept if the source is local SMTP (i.e. not over TCP/IP). We do
>>>   # this
>>> by   # testing for an empty sending host field.
>>>   accept  hosts = :
>>>           control = dkim_disable_verify

>>>
>>>   deny    message       = Restricted characters in address
>>>           domains       = +local_domains
>>>           local_parts   = ^[.] : ^.*[@%!/|]

>
>>>   deny    message       = Restricted characters in address
>>>           domains       = !+local_domains
>>>           local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

>>>
>>>   accept  local_parts   = postmaster
>>>           domains       = +local_domains
>>>   # Deny unless the sender address can be verified.
>>>   require verify        = sender

>
>>>   accept  hosts         = +relay_from_hosts
>>>           control       = submission
>>>           control       = dkim_disable_verify

>
>>>   accept  authenticated = *
>>>           control       = submission
>>>           control       = dkim_disable_verify

>>>
>>>    require message = relay not permitted
>>>           domains = +local_domains : +relay_to_domains

>>>
>>> require verify = recipient
>>>
>>>   #
>>>    deny    message       = rejected because $sender_host_address is in a
>>> black list at $dnslist_domain\n$dnslist_text
>>>             dnslists = sbl-xbl.spamhaus.org : \
>>>              dnsbl.njabl.org : \
>>>              combined.njabl.org : \
>>>              dev.null.dk : \
>>>              relays.visi.com : \
>>>              bl.spamcop.net : \
>>>              hostkarma.junkemailfilter.com=127.0.0.2
>>>   #
>>>    warn   dnslists = sbl-xbl.spamhaus.org: \
>>>              dnsbl.njabl.org : \
>>>              combined.njabl.org : \
>>>              dev.null.dk : \
>>>              relays.visi.com : \
>>>              bl.spamcop.net : \
>>>              hostkarma.junkemailfilter.com=127.0.0.2
>>>            add_header    = X-Warning: $sender_host_address is in a black
>>> list at $dnslist_domain            log_message   = found in
>>> $dnslist_domain

>>>
>>> accept
>>> acl_check_data:
>>>
>>> accept authenticated = *
>>>
>>>    deny    malware    = *
>>>            message    = This message contains a virus ($malware_name).
>>>   #
>>>    warn    spam       = nobody
>>>            add_header = X-Spam_score: $spam_score\n\
>>>                         X-Spam_score_int: $spam_score_int\n\
>>>                         X-Spam_bar: $spam_bar\n\
>>>                         X-Spam_report: $spam_report
>>>   # Accept the message.
>>>   accept
>>> begin routers
>>> check_dnslookup:
>>>   driver = dnslookup
>>>   domains = ! +local_domains
>>>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>>>   verify_only
>>>   pass_router = amavis
>>>   no_more
>>> check_system_aliases:
>>>   driver = redirect
>>>   allow_fail
>>>   allow_defer
>>>   data = ${lookup{$local_part}lsearch{/etc/aliases}}
>>>   verify_only
>>>   pass_router = amavis
>>> check_localuser:
>>>   driver = accept
>>>   check_local_user
>>>   verify_only
>>>   pass_router = amavis
>>> failed_address_router:
>>>   driver = accept
>>>   verify_only
>>>   fail_verify
>>> amavis:
>>>   driver = manualroute
>>>   # Do NOT run if received via 10025/tcp or if already spam-scanned
>>>   # or if bounce message ($sender_address="")
>>>   condition = "${if or {{eq {$interface_port}{10025}} \
>>>       {eq {$received_protocol}{spam-scanned}} \
>>>       {eq {$sender_address}{}} \
>>>       }{0}{1}}"
>>>   transport = amavis
>>>   route_list = "* localhost byname"
>>>   self = send
>>> dnslookup:
>>>   driver = dnslookup
>>>   domains = ! +local_domains
>>>   transport = remote_smtp
>>>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>>>   no_more
>>> system_aliases:
>>>   driver = redirect
>>>   allow_fail
>>>   allow_defer
>>>   data = ${lookup{$local_part}lsearch{/etc/aliases}}
>>>   file_transport = address_file
>>>   pipe_transport = address_pipe
>>> userforward:
>>>   driver = redirect
>>>   check_local_user
>>>   file = $home/.forward
>>>   no_verify
>>>   no_expn
>>>   check_ancestor
>>>   file_transport = address_file
>>>   pipe_transport = address_pipe
>>>   reply_transport = address_reply
>>> localuser:
>>>   driver = accept
>>>   check_local_user
>>>   transport = local_delivery
>>>   cannot_route_message = Unknown user
>>>   # Do NOT run if received via 10025/tcp or if already spam-scanned
>>>   # or if bounce message ($sender_address="")
>>> begin transports
>>> remote_smtp:
>>>   driver = smtp
>>>   hosts_avoid_tls=*
>>> amavis:
>>>   driver = smtp
>>>   port = 10024
>>>   allow_localhost
>>> local_delivery:
>>>   driver = appendfile
>>>   file = /var/mail/$local_part
>>>   delivery_date_add
>>>   envelope_to_add
>>>   return_path_add
>>>   group = mail
>>>   mode = 0600
>>> address_pipe:
>>>   driver = pipe
>>>   return_output
>>> address_file:
>>>   driver = appendfile
>>>   delivery_date_add
>>>   envelope_to_add
>>>   return_path_add
>>> address_reply:
>>>   driver = autoreply
>>> begin retry
>>> *                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
>>> begin rewrite
>>> begin authenticators
>>> PLAIN:
>>>   driver                     = plaintext
>>>   public_name                = PLAIN
>>>   server_set_id              = $auth2
>>>   server_prompts             = :
>>>   server_condition           = ${if saslauthd{{$2}{$3}}{1}{0}}
>>>   server_advertise_condition = ${if def:tls_cipher }
>>> LOGIN:
>>>   driver                     = plaintext
>>>   public_name                = LOGIN
>>>   server_set_id              = $auth1
>>>  server_prompts             = <| Username: | Password:
>>>  server_condition           =  ${if saslauthd{{$1}{$2}}{1}{0}}
>>>   server_advertise_condition = ${if def:tls_cipher }

>>>
>>>
>>> ---- end of conf file ----------------------------
>>>
>>>
>>> I wish to add that if an e-mail is done via port 465 then do not subject
>>> it to anti-viral tests.
>
>
> Again, the above is working nicely wqith the exception of an e-mail
> getting identified as a potentinal virus.
>
> How do I tell exim anything ***authenticated*** on 465/587
> should not be subjugated to anti-viral / anti-spam tests?
>
>>>
>>> -------------- ns1 configuration -----------------------
>>>
>>>
>>> primary_hostname = ns1
>>> local_interfaces = 0.0.0.0.25 :  127.0.0.1.10025  : 0.0.0.0.465 :
>>> 0.0.0.0.587 domainlist local_domains =
>>> @:secure.nl2k.ab.ca:mail.nl2k.ab.ca:mail.nk.ca:nk.ca:nl2k.ca:nl2k.ab.ca
>>> :d octor.nl2k.ab.ca:lsearch;/usr/exim/vdom3  domainlist
>>> relay_to_domains = hostlist relay_from_hosts = 204.209.81.0/24 :
>>> 127.0.0.1 :
>>> 208.118.93.0/24: 208.118.94.0/24 trusted_users = exim : majordomo
>>> acl_smtp_rcpt = acl_check_rcpt
>>> acl_smtp_data = acl_check_data
>>> av_scanner = clamd:127.0.0.1 3310
>>> spamd_address = 127.0.0.1 783
>>> tls_advertise_hosts = *
>>> tls_certificate = /usr/exim/ca.crt
>>> tls_privatekey = /usr/exim/ca.key
>>> daemon_smtp_ports = 25 : 465 : 587
>>> tls_on_connect_ports =   465
>>> never_users = root
>>> host_lookup = *
>>> rfc1413_hosts = *
>>> rfc1413_query_timeout = 5s
>>> ignore_bounce_errors_after = 2h
>>> timeout_frozen_after = 6h
>>> auto_thaw = 1m
>>> begin acl
>>> acl_check_rcpt:
>>>   # Accept if the source is local SMTP (i.e. not over TCP/IP). We do
>>>   # this
>>> by   # testing for an empty sending host field.
>>>   accept  hosts = :
>>>           control = dkim_enable_verify
>>> #
>>>   deny    message       = Restricted characters in address
>>>           domains       = +local_domains
>>>           local_parts   = ^[.] : ^.*[@%!/|]
>>> #
>>>   deny    message       = Restricted characters in address
>>>           domains       = !+local_domains
>>>           local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

>>>
>>>   accept  local_parts   = postmaster
>>>           domains       = +local_domains:lsearch;/usr/exim/vdom3
>>>   # Deny unless the sender address can be verified.
>>>   ## require verify        = sender
>>>   accept  domains       = +local_domains:lsearch;/usr/exim/vdom3
>>>   endpass

>>>
>>>
>>> /*
>>>
>>> The above is commented out as virtual e-mail addresses are not
>>> being recognised properly. I am using a dbm file.
>>> How Do I get exim to realises that we have local and virtual that needs
>>> supporting ?
>>>
>>>
>>> */
>
>
> I doubt C comments exists in exim for its configure file.
>
> Again here is what the above is saying:
>
> The above is commented out as virtual e-mail addresses are not
> being recognised properly. I am using a dbm file.
> How Do I get exim to realise that we have local and virtual that needs
> supporting ?
>
>>>   ## Sender Verify on 'Recipient'
>>> drop    message = REJECTED - Sender Verify Failed - error code
>>> \"$sender_verify_failure\"\n\n\ The return address you are using for
>>> this email message <$sender_address>\ does not seem to be a working
>>> account. log_message = REJECTED - Sender Verify Failed - error code
>>> \"$sender_verify_failure\"         !hosts = +no_verify
>>>         !verify = sender/callout=2m,defer_ok
>>>         condition = ${if eq{recipient}{$sender_verify_failure}}
>>> deny    message   = REJECTED - Recipient Verify Failed - User Not Found
>>>         domains   = +all_mail_handled_locally
>>>         !verify   = recipient/callout=2m,defer_ok,use_sender
>>> warn    domains = +local_domains:lsearch;/usr/exim/vdom3
>>>                 !verify = recipient
>>>                 set acl_c0 = ${eval: $acl_c0+1}
>>>                 delay = ${eval: ($acl_c0 - 1) * 60}s
>>> #
>>>   accept  hosts         = +relay_from_hosts
>>>           control       = submission
>>>           control       = dkim_disable_verify
>>> #
>>>   accept  authenticated = *
>>>           control       = submission
>>>           control       = dkim_disable_verify
>>> #
>>>  require message = relay not permitted
>>>           domains = +local_domains : +relay_to_domains
>>> #
>>>   require verify = recipient

>>>
>>>   #
>>>    deny    message       = rejected because $sender_host_address is in a
>>> black list at $dnslist_domain\n$dnslist_text
>>>             dnslists = sbl-xbl.spamhaus.org : \
>>>              dnsbl.njabl.org : \
>>>              combined.njabl.org : \
>>>              dev.null.dk : \
>>>              relays.visi.com : \
>>>              bl.spamcop.net : \
>>>              hostkarma.junkemailfilter.com=127.0.0.2
>>>   #
>>>    warn   dnslists = sbl-xbl.spamhaus.org: \
>>>              dnsbl.njabl.org : \
>>>              combined.njabl.org : \
>>>              dev.null.dk : \
>>>              relays.visi.com : \
>>>              bl.spamcop.net : \
>>>              hostkarma.junkemailfilter.com=127.0.0.2
>>>            add_header    = X-Warning: $sender_host_address is in a black
>>> list at $dnslist_domain            log_message   = found in
>>> $dnslist_domain

>>>
>>>
>>>   accept
>>> acl_check_data:
>>>   #
>>>    deny    malware    = *
>>>            message    = This message contains a virus ($malware_name).
>>>   #
>>>    warn    spam       = nobody
>>>            add_header = X-Spam_score: $spam_score\n\
>>>                         X-Spam_score_int: $spam_score_int\n\
>>>                         X-Spam_bar: $spam_bar\n\
>>>                         X-Spam_report: $spam_report
>>>   # Accept the message.
>>>   accept
>>> begin routers
>>> check_dnslookup:
>>>   driver = dnslookup
>>>   domains = ! +local_domains
>>>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>>>   verify_only
>>>   pass_router = amavis
>>>   no_more
>>> check_system_aliases:
>>>   driver = redirect
>>>   allow_fail
>>>   allow_defer
>>>   data = ${lookup{$local_part}lsearch{/etc/aliases}}
>>>   verify_only
>>>   pass_router = amavis
>>> check_localuser:
>>>   driver = accept
>>>   check_local_user
>>>   verify_only
>>>   pass_router = amavis
>>> failed_address_router:
>>>   driver = accept
>>>   verify_only
>>>   fail_verify
>>> domains_virtual:
>>>   domains       = +local_domains
>>>   driver = redirect
>>>   data=${lookup{$local_part@$domain}dbm{/usr/exim/virtemail}}

>>>
>>> domains_virtual_others:
>>>   domains       = +local_domains
>>>   driver = redirect
>>>   data=${lookup{@$domain}dbm{/usr/exim/virtemail}}
>>> amavis:
>>>   driver = manualroute
>>>   # Do NOT run if received via 10025/tcp or if already spam-scanned
>>>   # or if bounce message ($sender_address="")
>>>   condition = "${if or {{eq {$interface_port}{10025}} \
>>>       {eq {$received_protocol}{spam-scanned}} \
>>>       {eq {$sender_address}{}} \
>>>       }{0}{1}}"
>>>   transport = amavis
>>>   route_list = "* localhost byname"
>>>   self = send
>>> dnslookup:
>>>   driver = dnslookup
>>>   domains = ! +local_domains
>>>   transport = remote_smtp
>>>   ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>>>   no_more
>>> system_aliases:
>>>   driver = redirect
>>>   allow_fail
>>>   allow_defer
>>>   data = ${lookup{$local_part}lsearch{/etc/aliases}}
>>>   file_transport = address_file
>>>   pipe_transport = address_pipe
>>> userforward:
>>>   driver = redirect
>>>   check_local_user
>>>   file = $home/.forward
>>>   no_verify
>>>   no_expn
>>>   check_ancestor
>>>   file_transport = address_file
>>>   pipe_transport = address_pipe
>>>   reply_transport = address_reply
>>> localuser:
>>>   driver = accept
>>>   check_local_user
>>>   transport = local_delivery
>>>   cannot_route_message = Unknown user
>>> procmail:
>>>   driver = accept
>>>   check_local_user
>>>   require_files = $home/.procmailrc
>>>   transport = procmail_pipe
>>>   # Do NOT run if received via 10025/tcp or if already spam-scanned
>>>   # or if bounce message ($sender_address="")
>>> lists:
>>>   driver = redirect
>>>   file = /usr/home/majordomo/lists/$local_part
>>>   forbid_pipe
>>>   forbid_file
>>>   errors_to = $local_part-request@???
>>>   user = majordomo
>>>   no_more
>>> begin transports
>>> remote_smtp:
>>>   driver = smtp
>>> procmail_pipe:
>>>   driver = pipe
>>>   command = /usr/bin/procmail -d $local_part
>>>   return_path_add
>>>   delivery_date_add
>>>   envelope_to_add
>>>   check_string = "From "
>>>   escape_string = ">From "
>>>   umask = 077
>>>   user = $local_part
>>>   group = mail

>>>
>>> amavis:
>>>   driver = smtp
>>>   port = 10024
>>>   allow_localhost
>>> local_delivery:
>>>   driver = appendfile
>>>   file = /var/mail/$local_part
>>>   delivery_date_add
>>>   envelope_to_add
>>>   return_path_add
>>>   group = mail
>>>   mode = 0600
>>> address_pipe:
>>>   driver = pipe
>>>   return_output
>>> address_file:
>>>   driver = appendfile
>>>   delivery_date_add
>>>   envelope_to_add
>>>   return_path_add
>>> address_reply:
>>>   driver = autoreply
>>> begin retry
>>> *                      *           F,1h,15m; G,10h,1h,1.5; F,1d,1h
>>> begin rewrite
>>> begin authenticators
>>> PLAIN:
>>>   driver                     = plaintext
>>>   public_name                = PLAIN
>>>   server_set_id              = $auth2
>>>   server_prompts             = :
>>>   server_condition           = ${if saslauthd{{$2}{$3}}{1}{0}}
>>>   server_advertise_condition = ${if def:tls_cipher }
>>> LOGIN:
>>>   driver                     = plaintext
>>>   public_name                = LOGIN
>>>   server_set_id              = $auth1
>>>  server_prompts             = <| Username: | Password:
>>>  server_condition           = ${if saslauthd{{$1}{$2}}{1}{0}}
>>>   server_advertise_condition = ${if def:tls_cipher }

>>>
>>>
>>> -------------------------- end of ns1 ---------------
>>>
>>> Also noticed mail taking about 1 minute to about several hours of days
>>> to come in. How do I rectify this?
>>>
>>
>> --
>> ## List details at http://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>
>
> If the ns1 questions can also be answered, then we should be a go.
>
> Once established, what is the best CA authority reasonably priced
> for EXIM SSL certificates?




--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/