Re: [exim] Recipient Verification Bypassed

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Recipient Verification Bypassed
Hi Rical,

Rical Jasan <ricaljasan@???> (Di 29 Nov 2016 08:21:11 CET):
> On 11/28/2016 03:19 AM, Drav Sloan wrote:
> >> 2016-11-27 23:35:54 [7002] cwd=/var/local/spool/exim 3 args:
> >> /usr/local/sbin/exim -Mc 1cBGTh-0001ou-9V
> >> 2016-11-27 23:35:54 [7002] 1cBGTh-0001ou-9V ** user@???
> >> F=<Honeycutt_Otis@???> P=<Honeycutt_Otis@???>
> >> R=dovecot T=lmtp: LMTP error after RCPT TO:<user@???> 550 5.1.1
> >> <user@???> User doesn't exist: user@???
> >
> > Given that the final delivery point is LMTP, I assume you are delivering
> > onto something like Cyrus IMAP?
>
> Dovecot's LMTP server, over a UNIX socket. Works fine, when it's
> actually used, as you can see above. :)



> > In which case, your router which delivers onto the LMTP process will probably
> > not do local_part verification, which causes the recipient/callout to work
> > for any local_part.
> >
> > You can verify that by doing:
> > exim -bt somefakelocal_part@???


Using `exim -bt` or `exim -bv` you can verify the routing, that is,
you're checking if there is a chance for a successful delivery. This
approach works if your routers are able to verify the existence of a
given user (works for any kind of lookups (passwd, ldap, *sql, …)).

    verify = recipient


in some ACL asks for "static" verification, that is, it's roughly
equivalent to `exim -bv`. It doesn't help if you can't do some kind of
lookup.

    verify = recipient/callout


checks the routing (probably quite useless if you can't access a user
database) and then does a delivery attempt (EHLO, MAIL FROM, RCPT TO,
QUIT) to the final destination.

For ACL testing, `-bv` and `-bt` don't help. You need

    exim -bhc <sender/ip>


Best used with swaks:

    swaks -f … -t … --pipe 'exim -bhc <sender-ip>'



> I guess my question is now, is there a way to make Exim use the
> transport and actually follow-through with the callout? See my response
> to Jeremy on the list (sorry, I should have CC'd you), where another


In your case callout verification probably doesn't work as long as you
use driver=lmtp, because callouts are done only for *remote* deliveries,
and LMTP isn't considered remote. Though there is a trick:

    lmtp_transport:
        driver = smtp
        protocol = lmtp
        socket = /run/dovecot/lmtp # or whatever
        …



BTW …
> > # Get the local part minus any suffixes
> > warn set acl_m9 = ${sg{${lc:$local_part}}{[+-].+\$}{}}


We have named acl variables meanwhile: set acl_m_foo = …

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
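
Added example, not part of the original message or of Exim: a Python sketch of the callout conversation described above (LHLO in place of EHLO, assuming an LMTP listener on a Unix socket such as Dovecot's), which stops after RCPT TO so nothing is delivered. The function names, the `example.test` addresses and the in-process `fake_lmtp` server are constructed for illustration; `demo()` runs the probe against that stand-in.

```python
import os, socket, tempfile, threading

def _reply(rf):
    """Read one reply: 'NNN-' lines continue, 'NNN ' ends it; code 0 means EOF."""
    while True:
        line = rf.readline().decode("utf-8", "replace").rstrip("\r\n")
        if line[3:4] != "-":
            return int(line[:3] or 0), line[4:]

def lmtp_rcpt_probe(sock_path, sender, rcpt):
    """LHLO, MAIL FROM, RCPT TO, QUIT over a Unix socket; returns the last reply."""
    if any(c in sender + rcpt for c in "\r\n<>"):
        raise ValueError("address contains CR, LF or angle brackets")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(10)
        s.connect(sock_path)
        with s.makefile("rb") as rf:
            result = _reply(rf)                   # greeting, 220 expected
            for cmd in ("LHLO probe.invalid", f"MAIL FROM:<{sender}>", f"RCPT TO:<{rcpt}>"):
                if result[0] not in (220, 250):   # stop at the first refusal
                    break
                s.sendall(cmd.encode() + b"\r\n")
                result = _reply(rf)
            s.sendall(b"QUIT\r\n")                # no DATA, so nothing is delivered
            return result

def fake_lmtp(sock_path, known):
    """Constructed stand-in for the LMTP server; positive replies span two lines."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rb") as rf:
                conn.sendall(b"220 fake LMTP ready\r\n")
                for raw in rf:
                    verb, _, arg = raw.decode().strip().partition(":")
                    if verb.upper() == "QUIT":
                        break
                    bad = verb.upper() == "RCPT TO" and arg.strip("<>") not in known
                    out = "550 5.1.1 User doesn't exist" if bad else "250-fake\r\n250 2.0.0 OK"
                    conn.sendall(out.encode() + b"\r\n")
    threading.Thread(target=serve, daemon=True).start()

def demo(rcpts=("alice@example.test", "nobody@example.test")):
    path = os.path.join(tempfile.mkdtemp(), "lmtp.sock")   # constructed socket path
    fake_lmtp(path, {"alice@example.test"})                # constructed mailbox list
    return {r: lmtp_rcpt_probe(path, "probe@example.test", r) for r in rcpts}
```

A 550 at RCPT time is the reply an SMTP-time callout can turn into a rejection, instead of the post-acceptance LMTP failure shown in the quoted log.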