Re: [exim] Temporary reject when random sender verification …

Pàgina inicial
Delete this message
Reply to this message
Autor: Andrew C Aitchison
Data:  
A: exim-users
Assumpte: Re: [exim] Temporary reject when random sender verification should succeed
On Wed, 30 May 2018, Ian Zimmerman via Exim-users wrote:

> I just turned on callout sender verify with the random option.
> Strangely, the first (and only the first) connect from many domains
> after that is temporarily rejected, although the callout seems to
> succeed with a 250 status code. The log lines look like this:
>
> 2018-05-29 12:25:26 acl_check_connect: connect from 23.253.242.70
> 2018-05-29 12:25:28 acl_check_connect: host geoip us
> 2018-05-29 12:25:34 acl_check_connect: 23.253.242.70 accepted
> 2018-05-29 12:25:34 acl_check_mail: mail from haskell-cafe-bounces@???
> 2018-05-29 12:25:40 [23.253.242.70] SSL verify error: depth=0 error=certificate has expired cert=/OU=Domain Control Validated/CN=*.haskell.org
> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 sender verify defer for <haskell-cafe-bounces@???>: Could not complete sender verify callout: mail.haskell.org [23.253.242.70] : response to "RCPT TO:<mymx.com-1527621934-testing@???>" was: 250 2.1.5 Ok
> 2018-05-29 12:25:40 H=haskell.org [23.253.242.70]:51176 F=<haskell-cafe-bounces@???> temporarily rejected RCPT <itz@???>: Could not complete sender verify callout
> 2018-05-29 12:25:40 SMTP connection from haskell.org [23.253.242.70]:51176 closed by QUIT
>
> I obfuscated my mx hostname and my domain name, and only these two
> items.
>
> Why exim "Could not complete" the callout when it got a success code?
> Again, this only happened for the first time for each domain after the
> configuration change. Subsequent connections work normally and log
> nothing about the callout.


Sorry. The first time that you posted this,
I didn't notice the certificate expiry error (which
openssl s_client -connect mail.haskell.org:25 -starttls smtp -verify 0
confirms for me
).

I *think* that the wire callout is succeeding, but the expired certificate
means that exim considers the callout verify to have failed.

Once that callout has failed, exim caches the result and doesn't bother
to callout verify subsequent connections, hence the successful connections
with no callouts logged (again assuming that I have correctly understood
exim).

-- 
Andrew C. Aitchison                    Cambridge, UK
             andrew@???