Re: [exim] exim4, gmail and 550-5.7.1

Author: Chris Knadle
Date:
To: rob, exim-users
Subject: Re: [exim] exim4, gmail and 550-5.7.1
Robert Steinmetz AIA:
> Chris Knadle wrote:
>> Robert Steinmetz AIA:
>>> Chris Knadle wrote:
>>>> Robert Steinmetz AIA:
>>>>> Just a reminder: the original issue we're discussing is that mail being sent
>>>>> to GMail via IPv6 fails due to lack of rDNS (i.e. lack of PTR record on the
>>>>> IPv6 sending address). So what is being sought after AFAIK is forcing mail
>>>>> being sent to GMail to use IPv4.
>>>>> It is my understanding that the ignore_target_hosts command listed above
>>>>> will match any ipv6 address. In the case there was no ipv4 address this
>>>>> router would not be used at all. That seems to be the correct result.
>>>> I don't see how that fits the intended goal above.
>>> The router would only be invoked if the domain were on the list and there was an
>>> ipv4 address available for that domain
>> That's right, but the email will go to the dnslookup router, where the
>> router will match and then sent + rejected. Once an email is rejected it's
>> a permanent sending failure for that message, so that needs to be avoided.
>
> So even if a message matched the domain list but no valid ipv4 address is found
> the message is still sent to the dnslookup driver ?


That's correct. To understand this you need to read Chapter 3 of the Exim
documentation -- the "routers" are tried in order until one matches and is used.

Please understand that I don't suggest reading Chapter 3 lightly. If you're
going to be administering Exim, you owe it to /yourself/ to read that
chapter to get the basic understanding of how Exim works. I'm telling you
this because /I/ didn't understand Exim configuration until I read that
chapter, and after doing so a lot more of Exim's config makes sense.

More specifically, the ipv4_only router you had shown:

   ipv4_only:
      driver = dnslookup
      domains = +ipv4_force_domains
      transport = ipv4_smtp
      ignore_target_hosts = <; 0::0/0


/ignores/ all IPv6 addresses. Therefore if the DNS MX record lookup on a
domain your mail server is sending mail to returns no IPv4 addresses, the
router is thus skipped and the next one is tried. /Assuming/ the ipv4_only
router was in the configuration /before/ the dnslookup router, the dnslookup
router would be the router most likely to match. If the ipv4_only router
were /after/ the dnslookup router in the config, then the dnslookup router
would match first and get used, then the mail would go out via IPv6 and get
rejected.

So this is another hint: the /order/ that the routers are specified in
matters too. If you're familiar with iptables firewall rules, that's
similar: with iptables, the first rule that matches is what's done -- same
with routers in Exim.

> It seems if there is no ipv4 address the message would fail there.


Nope. ;-)

> I'm just trying to understand the process here.


In order for email to be processed, there /must/ be a router that matches
each email. If /no/ router matches, the email cannot be sent and ends up
"frozen".

I forget if these "frozen" messages get automatically cleared out at some
point -- might be 7 days, or they might not get deleted at all by default...
I forget. I have mine set to auto-delete after 5 days I think.

[...]
>>> OK so if I'm adding a file to the Debian configuration I should be able to add a
>>> new file in /etc/exim4/conf.d/main
>>>
>>> 05_ipv4_force_domains
>>>
>>> Containing:
>>>
>>> domainlist ipv4_force_domains = \
>>>     gmail.com : \
>>>     googlemail.com : \
>>>     virgin.net : \
>>>     linkedin.com : \
>>>     virginmedia.com

>>>
>>> dns_ipv4_lookup = +ipv4_force_domains
>>>
>>> And that should be all it takes. It's actually much simpler and easier to
>>> understand.
>> Yes I think that should work. Because the DNS lookup should be for the MX
>> record of the domain, return an IPv4 address, then Exim should try to
>> connect via IPv4 and thus use a local IPv4 outbound IP to do so.
>
> Good. I'm confident enough in what should happen that I'm going to try to
> implement it.
> I'm getting ready to leave for the holidays so after the first of the year I'll
> be able to test it.
> I'll be able to report back if it works or doesn't. If it works this is pretty
> simple and I may suggest that it be added to the basic Debian configuration.


That likely won't be needed. Remember: the problem you're having with
sending via IPv6 is lack of rDNS (reverse DNS, i.e. lack of PTR DNS record
on the IPv6 IP). Lack of rDNS is a known issue for mail servers.

You could suggest it to the maintainers of exim4 in Debian with a 'wishlist'
bug and including a patch if you'd like -- they'll likely appreciate the
thought and effort, but I expect they'll let you know they don't intend to
include the patch because it's a niche issue that would normally be handled
by getting the ISP to insert a PTR record for the IP.

> If not it's still pretty simple and might help someone else out in the future.


Yes. If nothing else it's in the mailing list archives now, so it'll show
up in web searches and so forth.

>>
>>>> there are a bunch of .ifdefs for including options if-and-only-if the
>>>> associated variable is defined. i.e. all those things are optional.
>>> That's correct. My configuration is a pretty standard Ubuntu configuration and
>>> I haven't dug deep into it to see which of the options are actually defined. I
>>> know some of them are.
>> I think in my case none of the variables in the .ifdefs are defined, though
>> I've added another option to avoid the SSL/TLS POODLE attack:
>>
>> remote_smtp:
>>    debug_print = "T: remote_smtp for $local_part@$domain"
>>    driver = smtp
>>    # Avoid SSLv3 due to POODLE attack
>>    #http://www.gossamer-threads.com/lists/exim/users/100539
>>    tls_require_ciphers = NORMAL:!VERS-SSL3.0
>>    <list of .ifdefs after this>

>
> I believe some of them do get defined based on the questions you answer during
> the configurations but it's not altogether clear to me what the answers to those
> questions do.


I don't think these particular options are affected by the debconf
questions. (You can see these questions again at any time by running
'dpkg-reconfigure exim4-config' as root.) The debconf questions instead
write to /etc/exim4/update-exim4.conf.conf and the variables set there get
pulled into the main configuration via exim4.conf.template or the split
configuration files (depending if you're using the split config or not).

> Thank you for putting up with my simple questions.


You're welcome. I'm glad to help out an admin that's getting into Exim
configuration/administration.

-- Chris

--
Chris Knadle
Chris.Knadle@???
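
The router-ordering behaviour described in the message above, as an added example that is not part of the original post and is not Exim's own code: a simplified Python model of first-match routing with `ignore_target_hosts`. The domains, addresses and the `route` helper are constructed for illustration, and the model covers only the `domains` precondition and address filtering.

```python
import ipaddress

# Constructed DNS data: domain -> addresses of its MX hosts (documentation ranges).
MX_ADDRESSES = {
    "forced.example": ["192.0.2.10", "2001:db8::10"],  # dual-stack, in the force list
    "v6only.example": ["2001:db8::20"],                # in the force list, no IPv4
    "other.example": ["192.0.2.30", "2001:db8::30"],   # not in the force list
}
IPV4_FORCE_DOMAINS = {"forced.example", "v6only.example"}

# Simplified routers: (name, domains precondition or None, ignore_target_hosts).
# "::/0" is the same network as the 0::0/0 used in the ipv4_only router.
IPV4_ONLY = ("ipv4_only", IPV4_FORCE_DOMAINS, [ipaddress.ip_network("::/0")])
DNSLOOKUP = ("dnslookup", None, [])


def route(domain, routers):
    """Return (router_name, usable_addresses) for the first router that accepts."""
    for name, domains, ignored in routers:
        if domains is not None and domain not in domains:
            continue  # precondition not met: this router is not run
        hosts = [
            addr for addr in MX_ADDRESSES.get(domain, [])
            if not any(ipaddress.ip_address(addr) in net for net in ignored)
        ]
        if hosts:
            return name, hosts  # first router that matches is used
        # Every address was ignored: fall through to the next router,
        # which is the case the message warns about.
    return None, []  # no router matched at all


if __name__ == "__main__":
    orders = {
        "ipv4_only before dnslookup": [IPV4_ONLY, DNSLOOKUP],
        "dnslookup before ipv4_only": [DNSLOOKUP, IPV4_ONLY],
    }
    for label, routers in orders.items():
        print(label)
        for domain in MX_ADDRESSES:
            print("  ", domain, "->", route(domain, routers))
```
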