Re: [exim] exim4, gmail and 550-5.7.1

Author: Robert Steinmetz AIA
Date:  
To: exim-users
Subject: Re: [exim] exim4, gmail and 550-5.7.1
Chris Knadle wrote:

Robert Steinmetz AIA:

Chris Knadle wrote:

Robert Steinmetz AIA:

Just a reminder: the original issue we're discussing is that mail being sent
to GMail via IPv6 fails due to lack of rDNS (i.e. lack of PTR record on the
IPv6 sending address). So what is being sought after AFAIK is forcing mail
being sent to GMail to use IPv4.


It is my understanding that the ignore_target_hosts command listed above
will match any ipv6 address. In the case there was no ipv4 address this
router would not be used at all. That seems to be the correct result.

I don't see how that fits the intended goal above.

The router would only be invoked if the domain were on the list and there was an
ipv4 address available for that domain

That's right, but the email will go to the dnslookup router, where the
router will match and then sent + rejected. Once an email is rejected it's
a permanent sending failure for that message, so that needs to be avoided.

So even if a message matched the domain list but no valid ipv4 address
is found the message is still sent to the dnslookup driver?
It seems if there is no ipv4 address the message would fail there. I'm
just trying to understand the process here.



If there are no ipv4 hosts for the domains in the list then it seems to me
the router will fail which I think is the desired result. If a router is
skipped, then the next up would be remote_smtp and it does handle ipv6
addresses.

It does, but AFAIK that's what was to be avoided.

Why is it to be avoided? If there's no ipv4 ipaddress it should fail. What
happens if you use the

The above statement looks incomplete. ;)

I forgot what I wanted to say ;(
See my comment above, I thought that if the domain were on the list and
no valid ipv4 address is found the message would fail. That seems to
indicate a problem and is what I would think is the desired result.


With the ipv4 router going first it is supposed to catch any mail
going to the domain list if there is an ipv4 MX record.

The thing is that one can mandate an IPv4 DNS lookup via dns_ipv4_lookup.
Without using that option, the DNS response might be IPv6, in which case the
ipv4_only router gets skipped, the normal dnslookup outbound router gets
used with an IPv6 outbound address, and the mail gets rejected from GMail
due to lack of rDNS.

Why would not the ipv4 address be part of the DNS lookup, if the mail host for
the domain had an ipv4 address?
What happens if the host for dns_ipv4_lookup does not have an ipv4 address?
That surely fails but how?

I don't have an IPv6 connection to test DNS lookups with, but if you know
that sending email to GMail via IPv6 fails (which I think you do), then you
need to do something to avoid sending email via IPv6 (at least for the
domains that reject it on that basis), and these Exim options we've been
discussing don't force IPv4 without the /DNS lookup/ returning IPv4-only
addresses. i.e. the DNS lookups are the "control point" for this.


I'm not sure what happens if a domain on the list has no ipv4 address, the
possibilities are for the mail to fail immediately and be rejected or it
to be passed on to remote_smtp and sent to an ipv6 address which should
fail based on past experience.

The advantage I see for this method is that it will be relatively easy to
maintain. I have found a surprising number of companies who host their email
on Google.

This is why Ian was suggesting either:

     disable_ipv6 = true
       or
     dns_ipv4_lookup = *


Note that the dns_ipv4_lookup= option takes a domainlist, so you could do
something like:

     dns_ipv4_lookup = +ipv4_force_domains


Would these statements be part of the router, in lieu of the
ignore_target_hosts?

No, it's one of the options in the Main section.

OK so if I'm adding a file to the Debian configuration I should be able to add a
new file in /etc/exim4/conf.d/main

05_ipv4_force_domains

Containing:

domainlist ipv4_force_domains = \
gmail.com : \
googlemail.com : \
virgin.net : \
linkedin.com : \
virginmedia.com

dns_ipv4_lookup = +ipv4_force_domains

And that should be all it takes. It's actually much simpler and easier to
understand.

Yes I think that should work. Because the DNS lookup should be for the MX
record of the domain, return an IPv4 address, then Exim should try to
connect via IPv4 and thus use a local IPv4 outbound IP to do so.

Good. I'm confident enough in what should happen that I'm going to try
to implement it.
I'm getting ready to leave for the holidays so after the first of the
year I'll be able to test it.
I'll be able to report back if it works or doesn't. If it works this is
pretty simple and I may suggest that it be added to the basic Debian
configuration. If not it's still pretty simple and might help someone
else out in the future.

there are a bunch of .ifdefs for including options if-and-only-if the
associated variable is defined. i.e. all those things are optional.

That's correct. My configuration is a pretty standard Ubuntu configuration and
I haven't dug deep into it to see which of the options are actually defined. I
know some of them are.

I think in my case none of the variables in the .ifdefs are defined, though
I've added another option to avoid the SSL/TLS POODLE attack:

remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp
  # Avoid SSLv3 due to POODLE attack
  #     [1]http://www.gossamer-threads.com/lists/exim/users/100539
  tls_require_ciphers = NORMAL:!VERS-SSL3.0
  <list of .ifdefs after this>


I believe some of them do get defined based on the questions you answer
during the configuration but it's not altogether clear to me what the
answers to those questions do.



    -- Chris



Thank you for your assistance.

*waves* :)

-- Chris


Thank you for putting up with my simple questions.

References

1. http://www.gossamer-threads.com/lists/exim/users/100539
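
Added example, not part of the original message: a Python check for the condition this thread starts from, a sending address that has no PTR record. It also forward-confirms the PTR name, which goes beyond what the thread states; the addresses, hostnames and helper names below are constructed for illustration.

```python
import ipaddress
import socket

def system_ptr(addr):
    """PTR lookup through the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def system_forward(name):
    """Set of A/AAAA addresses for name through the system resolver."""
    try:
        return {ai[4][0].split("%")[0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def check_rdns(addr, ptr=system_ptr, forward=system_forward):
    """Classify a sending address as 'ok', 'no-ptr' or 'ptr-mismatch'."""
    ip = ipaddress.ip_address(addr)
    result = {"addr": str(ip), "query": ip.reverse_pointer, "ptr": ptr(str(ip))}
    if not result["ptr"]:
        result["status"] = "no-ptr"          # the case this thread describes
    elif any(ipaddress.ip_address(a) == ip for a in forward(result["ptr"])):
        result["status"] = "ok"              # PTR exists and resolves back
    else:
        result["status"] = "ptr-mismatch"    # PTR exists but is not confirmed
    return result

def families_to_avoid(addrs, ptr=system_ptr, forward=system_forward):
    """IP versions (4 or 6) that have a sending address failing the check."""
    bad = set()
    for a in addrs:
        if check_rdns(a, ptr, forward)["status"] != "ok":
            bad.add(ipaddress.ip_address(a).version)
    return sorted(bad)

# Constructed sample data (documentation address ranges), standing in for DNS.
SAMPLE_PTR = {"192.0.2.25": "mail.example.org", "2001:db8::26": "host.example.net"}
SAMPLE_FWD = {"mail.example.org": {"192.0.2.25"}, "host.example.net": {"2001:db8::99"}}

def sample_ptr(addr):
    return SAMPLE_PTR.get(addr)

def sample_forward(name):
    return SAMPLE_FWD.get(name, set())

if __name__ == "__main__":
    for a in ("192.0.2.25", "2001:db8::25", "2001:db8::26"):
        print(check_rdns(a, sample_ptr, sample_forward))
```

Called without the sample resolvers, check_rdns() uses the system resolver, so it can be pointed at the host's real outbound addresses before and after a PTR record is added.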