[exim] Recipient Verification Bypassed

Author: Rical Jasan
Date:  
To: exim-users
Subject: [exim] Recipient Verification Bypassed
Hi,

I noticed a few spam messages being accepted (saw the bounces failing)
for seemingly unverified recipients, and I'm having a hard time tracking
down why.

ACLs:

acl_check_rcpt:
  accept  hosts = :
          control = dkim_disable_verify
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]
  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
  accept  local_parts   = postmaster
          domains       = +local_domains
  require verify        = sender
  accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify
  accept  authenticated = *
          control       = submission/domain=
          control       = dkim_disable_verify
  require message       = nice boys say HELO first
          condition     = ${if def:sender_helo_name}
  require message = relay not permitted
          domains = +local_domains : +relay_to_domains : +vmail_domains
  require verify = recipient/callout
  accept


acl_check_data:
  deny    condition  = ${if > {$max_received_linelength}{998}}
  deny    malware    = *
          message    = This message contains a virus ($malware_name).
  warn    spam       = nobody
          add_header = X-Spam_score: $spam_score\n\
                       X-Spam_score_int: $spam_score_int\n\
                       X-Spam_bar: $spam_bar\n\
                       X-Spam_report: $spam_report
  accept


Log:

2016-11-27 23:35:50 [2194] SMTP connection from [216.24.94.16]:39443 I=[w.x.y.z]:25 (TCP/IP connection count = 1)
2016-11-27 23:35:54 [7000] 1cBGTh-0001ou-9V <= Honeycutt_Otis@??? H=216-24-94-16.access.naxs.com [216.24.94.16]:39443 I=[w.x.y.z]:25 P=smtp S=33040 M8S=0 id=84398580631436.837cck97654xu@??? T="Avoid fraud, Real Ero-boosters" from <Honeycutt_Otis@???> for user@???
2016-11-27 23:35:54 [7002] cwd=/var/local/spool/exim 3 args: /usr/local/sbin/exim -Mc 1cBGTh-0001ou-9V
2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** user@??? F=<Honeycutt_Otis@???> P=<Honeycutt_Otis@???> R=dovecot T=lmtp: LMTP error after RCPT TO:<user@???> 550 5.1.1 <user@???> User doesn't exist: user@???
2016-11-27 23:35:54 [7009] cwd=/var/local/spool/exim 7 args: /usr/local/sbin/exim -t -oem -oi -f <> -E1cBGTh-0001ou-9V
2016-11-27 23:35:54 [7009] 1cBGTi-0001p3-8e <= <> R=1cBGTh-0001ou-9V U=exim P=local S=34428 M8S=0 T="Mail delivery failed: returning message to sender" from <> for Honeycutt_Otis@???
2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V Completed QT=1s
2016-11-27 23:35:54 [7011] cwd=/var/local/spool/exim 3 args: /usr/local/sbin/exim -Mc 1cBGTi-0001p3-8e
2016-11-27 23:35:54 [7000] SMTP connection from 216-24-94-16.access.naxs.com [216.24.94.16]:39443 I=[w.x.y.z]:25 closed by QUIT
2016-11-27 23:35:56 [7011] 1cBGTi-0001p3-8e ** honeycutt_otis@??? <Honeycutt_Otis@???> F=<> P=<> R=dnslookup T=remote_smtp H=mx.pachijimenez.com [66.96.140.93]:25 I=[w.x.y.z]:56602 X=TLS1.0:RSA_AES_128_CBC_SHA1:128 CV=no DN="C=US,O=Sample\, Inc.,OU=IT Team,CN=Server": SMTP error from remote mail server after MAIL FROM:<> SIZE=35963: 550 <> Sender rejected.
2016-11-27 23:35:56 [7011] 1cBGTi-0001p3-8e Frozen (delivery error message)

"require verify = recipient/callout" should have prevented this message
from being accepted at all, yet it was. It was not from a
locally-generated message, to postmaster, from a relay_from_hosts, or
authenticated, so how was it ultimately accepted? Other messages appear
to correctly use recipient/callout, but there are some that don't (this
is one of 3 or so over the last few days).

I can provide whatever configuration information you need, any requested
test output (-bh, etc.), the message, etc., but am not dumping it all
here because it gets very verbose, and I'm not sure what's relevant.

Thank you,
Rical
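As an added example (not part of the original post, and not code from the Exim project), the following Python script correlates Exim main-log lines to find exactly the symptom described above: a message that the RCPT ACL accepted from a remote SMTP host, that the delivery backend then refused with a 5.1.1 unknown-user error, and whose bounce to a bogus envelope sender ended up frozen in the queue. The sample log lines embedded in the script are constructed placeholders modelled on the log in the post (placeholder addresses and IPs, not the poster's data); the log fields it keys on (`<=`, `**`, `=>`, `P=`, `H=`, `R=`, `Frozen`) are Exim's standard main-log markers. Pointing it at a real mainlog would list the message ids worth replaying with `exim -bh` to see which ACL verb let the recipient through.

```python
#!/usr/bin/env python3
"""Spot recipients that Exim's RCPT ACL accepted but the delivery backend
(here an lmtp transport) then rejected as unknown users.

Each hit is a message that 'require verify = recipient/callout' should have
refused at RCPT time; instead it was queued, bounced, and (when the envelope
sender was fake) left a frozen backscatter message behind."""
import re
import sys
from typing import Dict, List

# Constructed sample, modelled on the log in the post, with placeholder
# addresses/IPs.  Message 1cBGTh-... is the bad case; 1cBPxx-... is a normal
# delivery that must not be reported.
SAMPLE_LOG = """\
2016-11-27 23:35:54 [7000] 1cBGTh-0001ou-9V <= sender@example.net H=host.example.net [192.0.2.10]:39443 I=[198.51.100.1]:25 P=smtp S=33040 M8S=0 id=abc@example.net T="Subject" from <sender@example.net> for user@example.org
2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** user@example.org F=<sender@example.net> P=<sender@example.net> R=dovecot T=lmtp: LMTP error after RCPT TO:<user@example.org> 550 5.1.1 <user@example.org> User doesn't exist: user@example.org
2016-11-27 23:35:54 [7009] 1cBGTi-0001p3-8e <= <> R=1cBGTh-0001ou-9V U=exim P=local S=34428 M8S=0 T="Mail delivery failed: returning message to sender" from <> for sender@example.net
2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V Completed QT=1s
2016-11-27 23:35:56 [7011] 1cBGTi-0001p3-8e ** sender@example.net <sender@example.net> F=<> P=<> R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.20]:25: SMTP error from remote mail server after MAIL FROM:<> SIZE=35963: 550 <> Sender rejected.
2016-11-27 23:35:56 [7011] 1cBGTi-0001p3-8e Frozen (delivery error message)
2016-11-28 08:00:00 [7100] 1cBPxx-0002aa-Aa <= good@example.com H=mail.example.com [192.0.2.30]:1234 I=[198.51.100.1]:25 P=esmtp S=1200 M8S=0 for bob@example.org
2016-11-28 08:00:01 [7101] 1cBPxx-0002aa-Aa => bob@example.org R=dovecot T=lmtp
2016-11-28 08:00:01 [7101] 1cBPxx-0002aa-Aa Completed QT=1s
"""

# Exim main-log shapes: "<ts> [pid] <msgid> <= <sender> ...", "... ** <rcpt> ...", "... Frozen ..."
ARRIVAL = re.compile(r'^(?P<ts>\S+ \S+) \[\d+\] (?P<mid>\S+) <= (?P<sender>\S+) (?P<rest>.*)$')
FAILURE = re.compile(r'^(?P<ts>\S+ \S+) \[\d+\] (?P<mid>\S+) \*\* (?P<rcpt>\S+) (?P<rest>.*)$')
FROZEN = re.compile(r'^(?P<ts>\S+ \S+) \[\d+\] (?P<mid>\S+) Frozen')
UNKNOWN_USER = re.compile(r"\b5\.1\.1\b|User (?:unknown|doesn't exist)", re.IGNORECASE)
PROTO = re.compile(r'\bP=(\S+)')                 # P=smtp / P=esmtp / P=local
HOST = re.compile(r'\bH=(\S+ \[[^\]]+\])')       # H=name [ip]
BOUNCE_OF = re.compile(r'\bR=(\S+)')             # on a "<= <>" line: id of the bounced message


def find_unverified_acceptances(log_text: str) -> List[dict]:
    """Return one record per remote-SMTP message whose recipient was later
    rejected as unknown by the transport, flagging frozen backscatter."""
    arrivals: Dict[str, dict] = {}
    bounce_for: Dict[str, str] = {}   # bounce msgid -> original msgid
    frozen = set()
    hits: Dict[str, dict] = {}

    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            sender, rest = m['sender'], m['rest']
            if sender == '<>':
                # Bounce generated by Exim itself; remember what it bounces.
                r = BOUNCE_OF.search(rest)
                if r:
                    bounce_for[m['mid']] = r.group(1)
                continue
            proto = PROTO.search(rest)
            host = HOST.search(rest)
            arrivals[m['mid']] = {
                'mid': m['mid'], 'ts': m['ts'], 'sender': sender,
                'proto': proto.group(1) if proto else '',
                'host': host.group(1) if host else '?',
            }
            continue
        m = FAILURE.match(line)
        if m and UNKNOWN_USER.search(m['rest']):
            arr = arrivals.get(m['mid'])
            # Only remote SMTP arrivals matter: those are the ones the RCPT ACL
            # should have verified (local submissions pass via "hosts = :").
            if arr and arr['proto'].lower().startswith(('smtp', 'esmtp')):
                hits[m['mid']] = {**arr, 'rcpt': m['rcpt'], 'failed_at': m['ts'],
                                  'backscatter_frozen': False}
            continue
        m = FROZEN.match(line)
        if m:
            frozen.add(m['mid'])

    for bounce_id, orig in bounce_for.items():
        if bounce_id in frozen and orig in hits:
            hits[orig]['backscatter_frozen'] = True
    return sorted(hits.values(), key=lambda h: h['ts'])


def report(log_text: str) -> str:
    """One line per hit, suitable for feeding message ids into further checks."""
    out = []
    for h in find_unverified_acceptances(log_text):
        flag = ' (bounce frozen: backscatter stuck in queue)' if h['backscatter_frozen'] else ''
        out.append(f"{h['ts']} {h['mid']} accepted for unknown user {h['rcpt']} "
                   f"from {h['sender']} via {h['host']}{flag}")
    return '\n'.join(out)


if __name__ == '__main__':
    # Usage: python3 script.py [/var/log/exim/mainlog]; defaults to the sample.
    text = open(sys.argv[1], encoding='utf-8', errors='replace').read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text) or 'no unverified acceptances found')
```

The detection key is the pairing of a remote `<=` arrival with a later `**` failure carrying a 5.1.1 status for the same message id; a message that was correctly refused at RCPT time never gets an id and so never appears. The frozen-bounce flag is the backscatter side effect worth watching separately, since each such entry is a queued message that will retry against a sender that does not exist.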