Author: Ernie Dunbar
Date:  
To: Exim Users
Subject: Re: [exim] Exim accepts mail for domains it's supposed to accept mail for, until we add a load balancer.
On 2015-06-26 13:44, Marc Haber wrote:
> On Fri, 26 Jun 2015 11:14:40 -0700, Ernie Dunbar
> <maillist@???> wrote:
>> This whole segment of the ACL configuration is the default configuration
>> that comes with Debian, and if these messages come in from a different
>> IP address, mail delivery works just fine.
>
> Is there something in the fine logs?
>
> Let me re-phrase this: You have a Debian exim running as a MX server
> which accepts mail from the Internet and which works fine if the MX
> record points to your exim host itself. Your list of local_domains in
> /etc/exim4/local_domains is in fine working order.
>
> Then, you just let the MX record point to your load balancer, and the
> exim suddenly begins to reject all messages with a "relay not
> permitted" error?
>
> I haven't done serious eximing in the last few years, but there
> used to be a config option that made exim relay automatically to any
> target domain where the MX record of the domain points to an IP
> address bound to the host that runs exim. I have always thought that
> doing so would be a bad idea so I have never actually set this option,
> and I believe that it has gone away with exim3, but the behavior you
> report does fit this option. Alas, I'm getting old and do not remember
> the name. This is really embarrassing.
>
> To explain Jeremy's comment: When your exim is accepting a message, it
> does so because some ACL statement in your config file between the
> lines saying "acl_check_rcpt:" and "message = relay not permitted"
> tells it to accept the message. In the default config, this is only
> the case if:
>
> - the message was not received via IP
> - the message is addressed to postmaster at a local domain
> - the message is delivered from an IP address that your exim is
> configured to relay for
> - the sender authenticated before delivering the message


I've actually fixed this issue (at least I hope it's fixed the way I've
set it) by adding the load balancer's IP address to the file
/etc/exim4/local_host_whitelist. As far as I can tell, this hasn't
turned our server into an open relay, while by default allowing mail to
come in from this IP address.

> I cannot think of a setup that would fail in the way you're reporting,
> this is really interesting.
>
> If you want help on this mailing list, I'm afraid that you'll need to
> post at least the part of your configuration between the lines saying
> "acl_check_rcpt:" and "message = relay not permitted". As an exception
> to my usual rule, you can also reply to me in private and I'll try
> helping.
>
> On the other hand: Why are you using a load balancer in the first
> place? SMTP does have its own mechanisms to spread load between
> systems that work quite well. A load balancer on the receiving end of
> an MX record is really only necessary in exceptional setups, such as
> when there is a vast number of MX hosts (more than twenty, thirty, I'd
> say) behind the domains in question.


Oh, we've set that up for all of the domains that we can control.
However, some of our idiot customers have decided that they could save a
buck by hosting their DNS somewhere else, their mail somewhere else, and
their website somewhere else. Or something like that. At any rate, some
MX records are beyond our control, and continue to point to the wrong
place in spite of our pleas that they fix this problem.

> My educated guess is that you have somehow configured exim to accept
> mail for any domain that has its MX record pointing to the host that
> runs exim, which is not recommended, and this of course jumps in your
> face claws forward when you point the MX away from the host running
> exim.
>
> Greetings
> Marc
> --
> -------------------------------------- !! No courtesy copies, please !! -----
> Marc Haber         |   " Questions are the         | Mail address in header
> Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
> Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834