Hi Dean,
Thanks for your input.
Per your suggestion, I just tried:
exim -v -bv good-user@mydomain
Result is one line of output:
good-user@mydomain failed to verify: Unknown user good-user
That is the message generated by the localuser: router
Same result for any address, good or bad, except local users. Local
users are accepted as verified. But, of course, what I want is for all
valid aliases to also be accepted as verified.
My RCPT acl and routers are as follows:
============== A C L ===============
# -------------------------
acl_check_rcpt:
# -------------------------
# accept any emails originated in this host
accept hosts = :
control = dkim_disable_verify
# Reject anybody in spamhaus zen list
deny message = X-Warning: $sender_host_address is listed at
$dnslist_domain. $dnslist_text
log_message = $sender_host_address is listed at
$dnslist_domain ($dnslist_value: $dnslist_text)
dnslists = zen.spamhaus.org
# deny any email pretending to be sending from our domain (local
origination was already accepted)
drop message = You are not who you say you are
!hosts = +relay_from_hosts
condition = ${if
match_domain{$sender_address_domain}{+local_domains}{yes}{no}}
# No bad stuff allowed in address
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
# Make sure we allow postmaster emails for our domains
accept local_parts = postmaster
domains = +local_domains
# allow our own domains
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
# No delivery to any domains but our own
require message = relay not permitted
domains = +local_domains : +relay_to_domains
# Following causes rejection of all emails
# require message = Unknown recipient $local_part
# hosts = ! +relay_from_hosts
# domains = +local_domains
# verify = recipient
accept
============ R O U T E R S =============
begin routers
# -------------------------
dnslookup:
# -------------------------
driver = dnslookup
domains = ! +local_domains
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
transport = remote_smtp
no_more
# -------------------------
virtual_aliases_nostar:
# -------------------------
driver = redirect
allow_defer
allow_fail
data = ${if
exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch{/etc/virtual/$domain/aliases}}}}
file_transport = address_file
group = mail
pipe_transport = virtual_address_pipe
retry_use_local_part
# -------------------------
virtual_aliases:
# -------------------------
driver = redirect
allow_defer
allow_fail
condition = ${if eq {}{${if
exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}}{yes}{no}}
data = ${if
exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch*{/etc/virtual/$domain/aliases}}}}
file_transport = address_file
group = mail
pipe_transport = virtual_address_pipe
retry_use_local_part
# -------------------------
system_aliases:
# -------------------------
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
# -------------------------
localuser:
# -------------------------
driver = accept
check_local_user
transport = local_delivery
cannot_route_message = Unknown user $local_part
=======================================================
On 10/28/2014 8:04 AM, Dean Brooks wrote:
> Hi,
>
> Without seeing the entire al_check_rcpt ACL and you entire list of
> routers, it's going to be difficult to guess. However, if you haven't
> already, try running address verification testing with both the "-bv"
> and the "-v" options on the command line. That may help shed some light.
>
> --
> Dean Brooks
> dean@???
>
> On Mon, Oct 27, 2014 at 12:41:22PM -0700, Phillip Carroll wrote:
>> Using exim 4.80 on Centos 5.5.
>>
>> My exim configuration uses virtual domain routers similar to shown
>> in chapter 49.7 of the current doc. This has been working perfectly
>> for about 10 years on several different servers I have migrated to
>> over the years. I have never used recipient verification, but
>> instead have simply bounced the email back to sender in the delivery
>> phase.
>>
>> Because of a recent spate of spam emails with forged senders, most
>> of which are also addressed to nonexistent local_parts, I would now
>> prefer to reject the emails at RCPT time. However, try as I may, I
>> cannot get "verify = recipient" to work. If I put this into the
>> acl_check_rcpt ACL, all email is rejected with "550 Unknown user
>> xxx".
>>
>> Somewhere in the manual I read that verify in an ACL uses the same
>> router sequence as used in delivery. Clearly it does not! Tearing my
>> hair out with this. Basically everything I thought I understood
>> about exim seems to be under suspicion. As usual, it seems there is
>> what the manual says...and then there is what the code actually
>> does. I am hoping that someone with deeper understanding of the
>> inner mysteries of exim can explain why unverified recipients are
>> routed perfectly, but any attempt to verify them rejects every
>> recipient. And, can tell me a workaround.
>>
>> None of the redirect routers have "no_more", because all emails are
>> ultimately routed by the local_user router, using the final data
>> from the redirect routers.
>>
>> Running exim from command line with -bh gives me no clues, as it
>> routes to all addresses perfectly, cascading down through all
>> routers as expected, finally routing to the actual local user. (By
>> the way, no local user id is ever used as an actual external email
>> address, although is used internally) I presume this -bh doesn't pay
>> any attention to ACLs.
>>
>> It would also be nice if someone can tell me how to test this kind
>> of issue without using the live system. Users tend to get cranky if
>> their mail is returned to sender.
>>
>>
>>
>>
>>
>>
>> --
>> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>>
