Re: [exim] Verify outgoing email while using a smarthost

Author: Jason
Date:  
To: Exim Users
CC: Mike Brudenell
Subject: Re: [exim] Verify outgoing email while using a smarthost
Thanks, Mike. I'll check out the lookup. So from the way you described
it, when sending mail (not testing with -bv or -bt), it hits the
"verify_address" router, does the check, and would fail, but it still
continues to the next router ("smarthost" in my case) which delivers the
message? Shouldn't the verify_address router failure halt/defer the
message and not send it onto the next router? If not, is that possible in
the router configuration (without a lookup)? What purpose does a
verify_only router serve if it doesn't defer/fail a message from being
processed further?

The reason we want to do the check before forwarding to the relay is
because our relay is Amazon SES, and if we relay mail that's destined to
NXDOMAINs, for example, then it will be a bounce and you get penalized for
submitting mail that bounces (we're trying to clean up email addresses that
are in our database that are entered incorrectly, but for now, they're
there). So we're trying to deal with the "bad" mail before it even gets to
SES.

Thanks,
-- Jason

On Wed, Aug 3, 2016 at 1:04 PM, Mike Brudenell <mike.brudenell@???>
wrote:

> Hi,
>
> Exim is doing exactly what your routers are currently written to tell it
> to do…
>
> Your *verify_address* router is set (by the *verify_only*) to be used
> only when verifying an address: for example, as you're doing when you use
> the "-bv" command line option. If the DNS lookup says that the domain
> doesn't exist then the router declines to handle the message and it falls
> through to the next router.
>
> The next router is *smarthost* which is set not to be used when verifying
> (because you have given it *no_verify*). So when you're verifying there's
> no later router that handles the address being verified so you get the
> "Unrouteable address" result.
>
> *However* when you're doing it for real then when *verify_address* finds
> a domain that doesn't exist in the DNS and declines, the *smarthost* router
> *does* run and do exactly what you tell it: send the message over to your
> smarthost. (I've not used *host_find_failed* but suspect it applies if
> Exim can't find IP addresses for the smarthost(s) you've defined in
> *route_list*, not for the recipient address' domain.)
>
> As it says at the start of the *Specification* when describing a
> *manualroute* router (emphasis by underlining mine)…
>
> The *manualroute* router is so-called because it provides a way of
> manually routing an address according to its domain. It is mainly used when
> you want to route addresses to remote hosts according to your own rules, *bypassing
> the normal DNS routing that looks up MX records*.
>
>
> I have a feeling that you trying to check in your *smarthost* router whether
> the MX records for the recipient address' domains are valid might be
> unusual; it's easy to argue that should be the job of the smarthost rather
> than yourself!
>
> But if you're determined to do it then presumably you could use a
>
> *${lookup dnsdb{mx=$domain}{$value}fail}*
>
> (Someone else might be able to suggest an easier way of doing the check,
> but this could be one way.)
>
> Read the chapter *File and database lookups
> <http://www.exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html>*
> in the *Specification* for more on this and other types of lookup.
>
> Cheers,
> Mike B-)
>
> On 3 August 2016 at 14:10, Jason <silo82@???> wrote:
>
>> Hi,
>> Is it possible for Exim to verify outgoing mail when using a smarthost?
>> Specifically, I'm looking to have Exim verify (using dnslookup) that the
>> domain exists for the recipient. If the domain returns NXDOMAIN (or some
>> other DNS error), defer it, if DNS exists, continue with the routing. I
>> tried the following:
>>
>> # Verify the recipient domain exists in DNS before sending to the relay.
>> verify_address:
>> debug_print = "R: verify_address for $domain"
>> driver = dnslookup
>> domains = ! +local_domains
>> verify_only
>> no_more
>>
>>
>> smarthost:
>> debug_print = "R: smarthost for $local_part@$domain"
>> driver = manualroute
>> domains = ! +local_domains
>> transport = remote_smtp_smarthost
>> route_list = * DCsmarthost byname
>> host_find_failed = defer
>> same_domain_copy_routing = yes
>> no_verify
>> no_more
>>
>> And it seems to work during testing:
>>
>> # exim -bv someone@???
>> someone@??? failed to verify: Unrouteable
>> address
>> # exim -bv someone@???
>> someone@??? verified
>>
>>
>> However, when sending a test message to an NXDOMAIN, exim happily forwards
>> it to the smarthost:
>>
>> 2016-08-03 08:07:28 1bUvtQ-0007bm-Vh <= root@somehost U=root P=local
>> S=486
>> T="test"
>> 2016-08-03 08:07:29 1bUvtQ-0007bm-Vh =>
>> someone@??? R=smarthost T=remote_smtp_smarthost
>> S=505 H=ses-smtp-prod-335357831.us-east-1.elb.amazonaws.com
>> [50.19.94.229]
>> X=TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
>> DN="C=US,ST=Washington,L=Seattle,O=Amazon.com\, Inc.,CN=
>> email-smtp.us-east-1.amazonaws.com"
>> 2016-08-03 08:07:29 1bUvtQ-0007bm-Vh Completed
>>
>> Is it possible for Exim to do outbound verification while using a
>> smarthost? If so, what am I missing?
>>
>> Thanks
>> --
>> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
>> ## Exim details at http://www.exim.org/
>> ## Please use the Wiki with this list - http://wiki.exim.org/
>
>
>
>
> --
> Systems Administrator & Change Manager
> IT Services, University of York, Heslington, York YO10 5DD, UK
> Tel: +44-(0)1904-323811
>
> Web: www.york.ac.uk/it-services
> Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
>
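
An added example, not part of the thread or of either poster's configuration: one way to turn the dnsdb lookup suggested above into a router that also runs during real delivery and bounces recipients whose domain has no MX, A or AAAA record before the smarthost router is reached. The router name `reject_no_dns` and the failure text are hypothetical; `+local_domains` and `smarthost` are the names used in the quoted configuration.

```exim
# Added example (assumption, not from the thread): place this router
# BEFORE the "smarthost" router in the routers section.
#
# It has neither verify_only nor no_verify, so it is consulted both for
# "exim -bv" and for real deliveries.
reject_no_dns:
  debug_print = "R: reject_no_dns for $domain"
  driver = redirect
  domains = ! +local_domains
  # The nested lookups yield "no" as soon as an MX, A or AAAA record is
  # found, which makes the router skip itself so the address carries on
  # to the next router. Only when all three lookups find nothing does
  # the condition become "yes" and the router run.
  # With dnsdb's default defer_lax behaviour a temporary DNS error
  # defers the lookup instead of being treated as "no such domain".
  condition = ${lookup dnsdb{mx=$domain}{no}{\
                ${lookup dnsdb{a=$domain}{no}{\
                ${lookup dnsdb{aaaa=$domain}{no}{yes}}}}}}
  # :fail: bounces the address locally, so it is never handed to the
  # relay. To hold the message on the queue instead, set allow_defer
  # and use ":defer: <text>" here.
  allow_fail
  data = :fail: recipient domain $domain has no MX, A or AAAA record
```

Testing with `exim -bv` and then sending a real message to a non-existent domain should show the address failing at `R=reject_no_dns` in the main log, with no `R=smarthost` delivery line for that recipient.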