[exim] EXIM Timeout on tcp required ports

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Ryan McClung
Datum:  
To: exim-users
Betreff: [exim] EXIM Timeout on tcp required ports
Greetings,

Please see config below:
(Hidden sections are just LDAP queries)

### LDAP
###Default LDAP servers
ldap_default_servers = <hidden>
#####SEARCH MACROS
EXIM_DIR=/etc/exim
SYSTEM_ALIASES_FILE = /etc/aliases
BLACKHOLE = <hidden>
INACTIVEDOMAINS = <hidden>
USER_ALIASES = <hidden>
USER_FORWARDS = <hidden>
USER_HOST = <hidden>
USERS = <hidden>
DISTRIBUTION_LISTS = <hidden>
CUSTOMER_SUPPORT = <hidden>
GAPPS = <hidden>
EXTERNAL_LISTS_HOSTS = <hidden>
EXTERNAL_LISTS = <hidden>
INTERNAL_LISTS_HOSTS = <hidden>
INTERNAL_LISTS = <hidden>
INBOXES_HOSTS = <hidden>
INBOXES = <hidden>
MANUALROUTES = <hidden>

primary_hostname = <hidden hostname>

smtp_banner = $primary_hostname ESMTP NO UCE/UBE
localhost_number = 1

###Extra Logging
log_selector = +all -pid
hosts_connection_nolog = 10.109.0.72 : 66.132.220.205
recipients_max = 200
recipients_max_reject = false
smtp_accept_queue_per_connection = 200
smtp_accept_max = 200

domainlist relay_to_domains =
hostlist relay_from_hosts = 127.0.0.1 : 10.108.0.0/20 : 10.109.8.0/20 :
10.100.8.0/20 : 10.100.40.0/20 : 207.219.45.62 : 216.217.55.254 :
65.22.252.4 : 69.46.107.12 : 69.46.107.10 : 203.190.138.68 : 149.17.192.10
: 67.200.48.3 : 149.17.192.212 : 149.17.192.211 : 69.46.107.211 :
69.46.107.212 : 203.119.49.211 : 203.119.49.212 : 203.119.49.4 :
149.17.192.73 : 207.219.45.45 : 203.119.50.211 : 203.119.50.212 :
74.200.1.4 : 74.200.1.240 : 74.200.1.241 : 199.15.80.0/21 : 199.15.88.0/24
: 216.235.12.0/27 : 67.215.198.218 : 67.215.198.219 : 67.215.198.217 :
199.19.48.217 : 199.19.49.217 : 199.19.50.217 : 199.19.51.217 :
199.19.52.217 : 199.19.48.218 : 199.19.49.218 : 199.19.50.218 :
199.19.51.218 : 199.19.52.218 : 199.19.48.219 : 199.19.49.219 :
199.19.50.219 : 199.19.51.219 : 199.19.52.219 : 216.239.32.0/19 :
64.233.160.0/19 : 66.249.80.0/20 : 72.14.192.0/18 : 209.85.128.0/17 :
66.102.0.0/20 : 74.125.0.0/16 : 64.18.0.0/20 : 207.126.144.0/20 :
173.194.0.0/16 : 66.199.183.4 : 70.33.207.118 : 66.199.180.0/22 :
199.15.80.0/21 : 199.15.88.0/24 : 199.19.49.200 : 199.19.49.201 :
69.46.124.26 : 66.110.56.34 : 10.109.0.72 : 115.248.100.96/28 :
69.31.30.48/28 : 198.47.117.64/26 : 66.199.183.10 : 65.22.252.10 :
203.119.49.91 : 54.209.77.168 : 54.209.3.58 : 78.152.50.192/27 :
54.72.108.13 : 54.72.131.20 : 65.22.252.6 : 65.22.252.7 : 54.85.134.193 :
54.85.149.3 : 185.62.165.0/24 : 173.161.228.33 : 10.133.0.0/24 :
13.211.220.31 : 13.211.65.137 : 13.210.21.155 : 13.236.16.155

openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
disable_ipv6=true
acl_smtp_rcpt = acl_check_rcpt
tls_advertise_hosts = *

tls_certificate = /etc/pki/tls/certs/****.pem
tls_privatekey = /etc/pki/tls/private/***.key.pem
tls_require_ciphers =
HIGH:MEDIUM:@STRENGTH:+RC4:!MD5:!SRP:!PSK:!aDSS:!kECDH:!kDH:!SEED:!IDEA:!RC2:!RC5

daemon_smtp_ports = 25 : 465 : 587
tls_on_connect_ports = 465 : 587
qualify_domain = <hidden domain>

never_users = root

host_lookup = *

rfc1413_hosts = *
rfc1413_query_timeout = 5s

ignore_bounce_errors_after = 2d

timeout_frozen_after = 7d

auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
#auth_advertise_hosts = *

###Freeze Emails System Filter
system_filter = /etc/exim/freezeFilter
system_filter_user = exim


begin acl

acl_check_rcpt:

accept hosts = :

  deny    message       = Restricted characters in address
          domains       = ${lookup ldap DOMAINS}
          local_parts   = ^[.] : ^.*[@%!/|]


  deny    message       = Restricted characters in address
          domains       = !${lookup ldap DOMAINS}
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


#  accept  local_parts   = postmaster
#          domains       = ${lookup ldap DOMAINS}


  accept  hosts         = +relay_from_hosts
          control       = submission


  accept authenticated = *
          control       = submission
      add_header    = X-Authenticated: True


#jeanne commented out
#  require message = relay not permitted
#          domains = ${lookup ldap DOMAINS}


#jeanne commented out
# require verify = recipient

deny
# accept

acl_check_data:

  deny    malware        = *
    message        = This message contains a virus ($malware_name).
    condition    = ${lookup {${lc:$recipients}}
lsearch{EXIM_DIR/skipMalware}{false}{true}}


accept



begin routers

postmaster:
  driver = redirect
  allow_fail
  allow_defer
  domains       = ${lookup ldap DOMAINS}
  condition     = "${if \
                        eqi {${quote_local_part:$local_part}}{postmaster} \
                        {1}{0}}"
  data          = <hidden email address>


abuse:
  driver = redirect
  allow_fail
  allow_defer
  domains       = ${lookup ldap DOMAINS}
  condition     = "${if \
                        eqi {${quote_local_part:$local_part}}{abuse} \
                        {1}{0}}"
  data          = <hidden abuse email>


removeheader:
  driver        = redirect
  condition     = ${if eqi {True}{$header_X-Authenticated:}}
  data          = $local_part@$domain
  headers_remove        = Received


dev_null_these_domains:
driver = redirect
domains = ${lookup ldap BLACKHOLE}
data = :blackhole:

cs_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup ldap CUSTOMER_SUPPORT}

system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup ldap DISTRIBUTION_LISTS}

#gapps:
# driver = redirect
# allow_fail
# allow_defer
# data = ${lookup ldap GAPPS}

ext_mailman_router:
  driver        = manualroute
  domains       = ${lookup ldap DOMAINS}
  condition     = ${lookup ldap EXTERNAL_LISTS}
  route_data    = ${if eqi {<hidden>} {${lookup ldap EXTERNAL_LISTS_HOSTS
{$value}}} {mailman-ext1.on1.afilias-ops.info} {<hidden>} }
  transport     = remote_smtp
  local_part_suffix_optional
  local_part_suffix = -admin : -bounces : -bounces+* : -confirm :
-confirm+* \
                : -join : -leave : -owner : -request : -subscribe :
-unsubscribe
  cannot_route_message = No Such List


int_mailman_router:
  driver        = manualroute
  domains       = ${lookup ldap DOMAINS}
  condition     = ${lookup ldap INTERNAL_LISTS}
  route_data    = ${if eqi {<hidden>} {${lookup ldap INTERNAL_LISTS_HOSTS
{$value}}} {<hidden>} {<hidden>} }
  transport     = remote_smtp
  local_part_suffix_optional
  local_part_suffix = -admin : -bounces : -bounces+* : -confirm :
-confirm+* \
                : -join : -leave : -owner : -request : -subscribe :
-unsubscribe
  cannot_route_message = No Such List


user_aliases:
  driver        = redirect
  domains       = ${lookup ldap DOMAINS}
  allow_fail
  allow_defer
  data = ${lookup ldap USER_ALIASES}


localuser:
  driver        = manualroute
  domains       = ${lookup ldap DOMAINS}
  condition     = ${if eqi {""} {${lookup ldap USERS {$value} fail}} {no}
{yes} }
  route_data    = <hidden mail server>
  transport     = remote_smtp
  cannot_route_message = Unknown user


inboxes:
  driver        = manualroute
  domains       = ${lookup ldap DOMAINS}
  condition     = ${if eqi {""} {${lookup ldap INBOXES {$value} fail}} {no}
{yes} }
  route_data    = <hidden mail server>
  transport     = remote_smtp


manual_ldap_routes:
  driver        = manualroute
  domains       = ${lookup ldap MANUALROUTES}
  route_data    = <hidden mailserver>
  transport     = remote_smtp


smarthost:
driver = manualroute
domains = !${lookup ldap DOMAINS} : !${lookup ldap INACTIVEDOMAINS} :
!${lookup ldap BLACKHOLEDOMAINS}
transport = remote_smtp
route_data = <hidden mail server>

begin transports

#Only one transport is needed, SMTP, to send to the next hop.
remote_smtp:
driver = smtp
rcpt_include_affixes

begin retry

*                      *           F,2h,1m; G,16h,1h,1.5; F,4d,6h


begin rewrite

#########################################
## Available flags:
# E       rewrite all envelope fields
# F       rewrite the envelope From field
# T       rewrite the envelope To field
# b       rewrite the Bcc: header
# c       rewrite the Cc: header
# f       rewrite the From: header
# h       rewrite all headers
# r       rewrite the Reply-To: header
# s       rewrite the Sender: header
# t       rewrite the To: header


*@*  "${if eq {smtp.afilias.info}{$domain} {$local_part@???}fail}"
bctT
*@loghost.int.libertyrms.com    $1@??? T
*@*.afilias-int.info        $1@???
#*@gapps.afilias.info        $1@???
#########################################


begin authenticators

SASL_PLAIN:
driver = cyrus_sasl
public_name = PLAIN
server_set_id = $auth1
server_advertise_condition = ${if eq {$tls_cipher}{}{}{*}}

SASL_LOGIN:
driver = cyrus_sasl
public_name = LOGIN
server_set_id = $auth1
server_advertise_condition = ${if eq {$tls_cipher}{}{}{*}}

When using the openssl connect agents on both TLS required ports it times
out. If the lines are commented out it is successful. I am at a loss as to
why.

Version is 4.91-1 upgraded from 4.72-14.1

Only error I can find when testing it is this:
2019-03-04 18:28:20.857 TLS error on connection from
42.1.73.34.bc.googleusercontent.com [34.73.1.42]:58107 I=[10.100.8.9]:587
(SSL_accept): error:00000000:lib(0):func(0):reason(0)


Willing to take any suggestions.

--

Ryan McClung
Systems Administrator @ Afilias Canada
A. 204-4141 Yonge Street, Toronto, ON, Canada, M2P 2A8
<https://maps.google.com/?q=4141+Yonge+Street,+Toronto,+ON,+Canada,+M2P+2A8&entry=gmail&source=g>
W. www.afilias.info
T. +1.416.646.3304 x4186