Hi,
I noticed a few spam messages being accepted (saw the bounces failing)
for seemingly unverified recipients, and am having a hard time tracking
down why.
ACLs:

acl_check_rcpt:
  accept  hosts         = :
          control       = dkim_disable_verify

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept  local_parts   = postmaster
          domains       = +local_domains

  require verify        = sender

  accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify

  accept  authenticated = *
          control       = submission/domain=
          control       = dkim_disable_verify

  require message       = nice boys say HELO first
          condition     = ${if def:sender_helo_name}

  require message       = relay not permitted
          domains       = +local_domains : +relay_to_domains : +vmail_domains

  require verify        = recipient/callout

  accept

acl_check_data:
  deny    condition     = ${if > {$max_received_linelength}{998}}

  deny    malware       = *
          message       = This message contains a virus ($malware_name).

  warn    spam          = nobody
          add_header    = X-Spam_score: $spam_score\n\
                          X-Spam_score_int: $spam_score_int\n\
                          X-Spam_bar: $spam_bar\n\
                          X-Spam_report: $spam_report

  accept
Log:

2016-11-27 23:35:50 [2194] SMTP connection from [216.24.94.16]:39443 I=[w.x.y.z]:25 (TCP/IP connection count = 1)
2016-11-27 23:35:54 [7000] 1cBGTh-0001ou-9V <= Honeycutt_Otis@??? H=216-24-94-16.access.naxs.com [216.24.94.16]:39443 I=[w.x.y.z]:25 P=smtp S=33040 M8S=0 id=84398580631436.837cck97654xu@??? T="Avoid fraud, Real Ero-boosters" from <Honeycutt_Otis@???> for user@???
2016-11-27 23:35:54 [7002] cwd=/var/local/spool/exim 3 args: /usr/local/sbin/exim -Mc 1cBGTh-0001ou-9V
2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** user@??? F=<Honeycutt_Otis@???> P=<Honeycutt_Otis@???> R=dovecot T=lmtp: LMTP error after RCPT TO:<user@???> 550 5.1.1 <user@???> User doesn't exist: user@???
2016-11-27 23:35:54 [7009] cwd=/var/local/spool/exim 7 args: /usr/local/sbin/exim -t -oem -oi -f <> -E1cBGTh-0001ou-9V
2016-11-27 23:35:54 [7009] 1cBGTi-0001p3-8e <= <> R=1cBGTh-0001ou-9V U=exim P=local S=34428 M8S=0 T="Mail delivery failed: returning message to sender" from <> for Honeycutt_Otis@???
2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V Completed QT=1s
2016-11-27 23:35:54 [7011] cwd=/var/local/spool/exim 3 args: /usr/local/sbin/exim -Mc 1cBGTi-0001p3-8e
2016-11-27 23:35:54 [7000] SMTP connection from 216-24-94-16.access.naxs.com [216.24.94.16]:39443 I=[w.x.y.z]:25 closed by QUIT
2016-11-27 23:35:56 [7011] 1cBGTi-0001p3-8e ** honeycutt_otis@??? <Honeycutt_Otis@???> F=<> P=<> R=dnslookup T=remote_smtp H=mx.pachijimenez.com [66.96.140.93]:25 I=[w.x.y.z]:56602 X=TLS1.0:RSA_AES_128_CBC_SHA1:128 CV=no DN="C=US,O=Sample\, Inc.,OU=IT Team,CN=Server": SMTP error from remote mail server after MAIL FROM:<> SIZE=35963: 550 <> Sender rejected.
2016-11-27 23:35:56 [7011] 1cBGTi-0001p3-8e Frozen (delivery error message)
"require verify = recipient/callout" should have prevented this message
from being accepted at all, yet it was. It was not from a
locally-generated message, to postmaster, from a relay_from_hosts, or
authenticated, so how was it ultimately accepted? Other messages appear
to correctly use recipient/callout, but there are some that don't (this
is one of 3 or so over the last few days).
I can provide whatever configuration information you need, any requested
test output (-bh, etc.), the message, etc., but am not dumping it all
here because it gets very verbose, and I'm not sure what's relevant.
Thank you,
Rical
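An added example, not part of the post above or of Exim itself: a small Python script that reads Exim mainlog lines and correlates each "<=" arrival from a remote host with a later "**" failure carrying enhanced status 5.1.1 ("User doesn't exist"). Every hit is a message that `require verify = recipient/callout` should have rejected at RCPT time but which was accepted and then bounced, so it also identifies the backscatter Exim generated (the bounce's "R=<id>" links it back to the original). The sample input is constructed from the log lines quoted in the post, joined back onto single lines, with the list archive's "???" address masking left in place; the regexes assume the standard mainlog layout with the `+pid` log selector, as in that log.

```python
"""Correlate Exim mainlog arrivals with later 5.1.1 delivery failures.

Added example (not from the original post): flags messages that Exim accepted
at SMTP time from a remote host and then bounced because the recipient does
not exist, i.e. cases where RCPT-time recipient verification did not reject,
and reports the bounce (backscatter) generated for each of them.
"""
import re
from typing import Dict, List

# Constructed sample: the post's own log lines, re-joined onto one line each
# (the mailing-list archive's "???" address masking is kept as-is).
SAMPLE_LOG = """\
2016-11-27 23:35:50 [2194] SMTP connection from [216.24.94.16]:39443 I=[w.x.y.z]:25 (TCP/IP connection count = 1)
2016-11-27 23:35:54 [7000] 1cBGTh-0001ou-9V <= Honeycutt_Otis@??? H=216-24-94-16.access.naxs.com [216.24.94.16]:39443 I=[w.x.y.z]:25 P=smtp S=33040 M8S=0 id=84398580631436.837cck97654xu@??? T="Avoid fraud, Real Ero-boosters" from <Honeycutt_Otis@???> for user@???
2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** user@??? F=<Honeycutt_Otis@???> P=<Honeycutt_Otis@???> R=dovecot T=lmtp: LMTP error after RCPT TO:<user@???> 550 5.1.1 <user@???> User doesn't exist: user@???
2016-11-27 23:35:54 [7009] 1cBGTi-0001p3-8e <= <> R=1cBGTh-0001ou-9V U=exim P=local S=34428 M8S=0 T="Mail delivery failed: returning message to sender" from <> for Honeycutt_Otis@???
2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V Completed QT=1s
2016-11-27 23:35:56 [7011] 1cBGTi-0001p3-8e ** honeycutt_otis@??? <Honeycutt_Otis@???> F=<> P=<> R=dnslookup T=remote_smtp H=mx.pachijimenez.com [66.96.140.93]:25 I=[w.x.y.z]:56602 X=TLS1.0:RSA_AES_128_CBC_SHA1:128 CV=no DN="C=US,O=Sample\\, Inc.,OU=IT Team,CN=Server": SMTP error from remote mail server after MAIL FROM:<> SIZE=35963: 550 <> Sender rejected.
2016-11-27 23:35:56 [7011] 1cBGTi-0001p3-8e Frozen (delivery error message)
"""

MSG_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
# "<date> <time> [<pid>] <message-id> " prefix; the [pid] part is optional
_PREFIX = rf"^(?P<ts>\S+ \S+) (?:\[\d+\] )?(?P<id>{MSG_ID}) "
# "<=" arrival: sender, connection details, then "for <recipients>"
ARRIVAL_RE = re.compile(_PREFIX + r"<= (?P<sender>\S+) (?P<rest>.*) for (?P<rcpts>.+)$")
# "**" permanent delivery failure for one recipient
FAILURE_RE = re.compile(_PREFIX + r"\*\* (?P<rcpt>\S+) (?P<rest>.*)$")
# H=<name> [<ip>], H=[<ip>] or H=<name> (<helo>) [<ip>]
SOURCE_RE = re.compile(r"\bH=(?:\S+ )?(?:\(\S+\) )?\[([^\]]+)\]")
# 5xx reply with enhanced status 5.1.1 = bad destination mailbox (RFC 3463)
NO_SUCH_USER_RE = re.compile(r"\b5\d\d 5\.1\.1\b")
# R=<id> on a locally generated message links a bounce to the message it is for
BOUNCE_OF_RE = re.compile(rf"\bR=({MSG_ID})\b")


def parse_mainlog(text: str) -> Dict[str, dict]:
    """Build one record per message id from arrival and failure lines."""
    messages: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            rest = m["rest"]
            src = SOURCE_RE.search(rest)
            bounce_of = BOUNCE_OF_RE.search(rest)
            messages[m["id"]] = {
                "id": m["id"],
                "ts": m["ts"],
                "sender": m["sender"],
                "source_ip": src.group(1) if src else None,
                "local": "P=local" in rest.split(),  # locally generated, e.g. a bounce
                "rcpts": m["rcpts"].split(),
                "bounce_of": bounce_of.group(1) if bounce_of else None,
                "unknown_rcpts": [],
            }
            continue
        m = FAILURE_RE.match(line)
        if m and m["id"] in messages and NO_SUCH_USER_RE.search(m["rest"]):
            messages[m["id"]]["unknown_rcpts"].append(m["rcpt"])
    return messages


def find_unverified_accepts(text: str) -> List[dict]:
    """Messages accepted from a remote host whose recipient later failed 5.1.1."""
    messages = parse_mainlog(text)
    bounce_for = {r["bounce_of"]: r["id"] for r in messages.values() if r["bounce_of"]}
    hits = []
    for rec in messages.values():
        if rec["local"] or rec["source_ip"] is None or not rec["unknown_rcpts"]:
            continue
        hits.append({
            "id": rec["id"],
            "ts": rec["ts"],
            "source_ip": rec["source_ip"],
            "sender": rec["sender"],
            "unknown_rcpts": rec["unknown_rcpts"],
            # id of the bounce Exim generated for it: backscatter that went out
            "bounce_id": bounce_for.get(rec["id"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_unverified_accepts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['id']} from {hit['source_ip']} sender={hit['sender']} "
              f"accepted for nonexistent {hit['unknown_rcpts']}; bounce={hit['bounce_id']}")
```

Run it over the last few days of mainlog instead of SAMPLE_LOG to list the handful of cases the post mentions in one place, with the source IPs and timestamps needed to replay the same connection through the RCPT ACL with `exim -bh`; each hit's "bounce_id" is also the message to look for frozen in the queue.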