Auteur: Mike Tubby Date: À: exim-users Sujet: Re: [exim] Spurious DNS lookups during inbound mail processing ?
On 27/04/2020 20:21, Jeremy Harris via Exim-users wrote: > On 27/04/2020 20:09, Mike Tubby via Exim-users wrote:
>> 2020-04-27 19:05:46 1jT88X-0003Qr-G5 DKIM START:
>> domain=bounce.wowcher.co.uk possible_signer=e.wowcher.co.uk status=pass
>> 2020-04-27 19:05:46 1jT88X-0003Qr-G5 no IP address found for host
>> localhost.localdomain
>> 2020-04-27 19:05:46 1jT88X-0003Qr-G5 DKIM DEFAULT:
>> I don't understand where the spurious names are coming from but they
>> appear persistent across re-starts of Exim
>>
>> Any ideas?
> What do you do between DKIM_START and DKIM_DEFAULT? A dkim ACL
> is my guess. What do you do in there that might do a DNS lookup?
Well I do quite a lot of stuff in there:
###
### ack_check_dkim: this ACL is used for checking DKIM
###
#
# acl_m2 set to zero on start for normal/full checks, set to 1 if
white-listed
#
acl_check_dkim:
#
# start of DKIM debug message and clear macro
#
# Only do MySQL INSERT on Relay1 !!!
#
warn set acl_m2 = 0
set acl_m_dummy = ${lookup mysql{INSERT INTO dkim_log
(status,reason,host,domain,identity,selector,algo) VALUES
('${quote_mysql:$dkim_verify_status}',
'${quote_mysql:$dkim_verify_reason}','${quote_mysql:$sender_fullhost}',
'${quote_mysql:$dkim_domain}', '${quote_mysql:$dkim_identity}',
'${quote_mysql:$dkim_selector}', '${quote_mysql:$dkim_algo}' )}}
log_message = DKIM START: domain=$sender_address_domain
possible_signer=$dkim_cur_signer status=$dkim_verify_status ${if
def:dkim_verify_reason {(reason=$dkim_verify_reason) }}
#
# strict checking on known signers...
#
deny sender_domains = +dkim_known_signers
# dkim_signers = +dkim_known_signers
dkim_status = none:invalid:fail
message = Message from $sender_address_domain (known signer)
with invalid or missing signature
log_message = DKIM DENY: Rejected $sender_address_domain is
known signer (in database) but has invalid/missing signature
accept sender_domains = +dkim_known_signers
# dkim_signers = +dkim_known_signers
dkim_status = pass
log_message = DKIM PASS: Accepted $sender_address_domain is
known signer and has good signature
add_header = :after_received:X-DKIM-Result:
Domain=$sender_address_domain Result=Good and Known Domain
#
# ignore noise where we have no signature
#
accept dkim_status = none
# log_message = DKIM SKIP: Skipping DKIM checks - no signature
for: $dkim_cur_signer
#
# skip DKIM if domain whitelisted for DKIM, i.e. known good domain
that has broken DKIM
#
accept sender_domains = +dkim_whitelist_domains
log_message = DKIM SKIP: Skipping DKIM checks for whitelisted
domain: $sender_address_domain
set acl_m2 = 1
#
# skip DKIM checks on hosts we relay for
#
accept hosts = +relay_from_hosts
log_message = DKIM SKIP: Skipping DKIM checks for relay host:
$sender_fullhost
#
# skip DKIM checks on authenticated hosts (that we also relay for)
#
accept authenticated = *
log_message = DKIM SKIP: Skipping DKIM checks for authenticated
host: $sender_fullhost
#
# defer when message not testable, e.g. can't get public key, etc.
#
defer dkim_status = invalid
message = Message from $sender_address_domain cannot be verified
log_message = DKIM DEFER: domain=$sender_address_domain cannot
obtain public key
#
# accept anything else (should never get here)
#
accept log_message = DKIM DEFAULT: domain=$sender_address_domain
- message accepted (at end of ACL)
but nothing really DNS based ... ?
There are many more of the spurious lookups elsewhere like in the
content checks but the only DNS-ful part really is the second half of
acl_check_rcpt which perform:
* Sender verify
* Sender policy frame work
* Local or callout recipient verify
deny spf = fail
sender_domains = +spf_strict_domains
message = Blocked by SPF\n$spf_smtp_comment
log_message = RCPT: SPF fail for: $sender_address_domain and
listed for strict checking
#
# get the scan profile and store in ACL macro zero, defer if we
# can't look it up
#
defer condition = ${if \
or {\
{!def:acl_m0} \
{eq { ${acl_m0} } \
{ LOOKUP_SCAN_PROFILE } \
} \
} {0}{1} \
}
message = try this address in the next batch
log_message = RCPT: Defer due to SCAN_PROFILE condition
#
# check if domain is in use
#
deny condition = ${if eq {LOOKUP_ACTIVE_FLAG}{0}{1}{0}}
message = Domain ($domain) is not in use for email
log_message = RCPT: Domain ($domain) is not active for email
# Accept if the address is in a local domain, but only if the
recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or
denying
# access (if tests below it fail).
#
# accept if the address is in a domain for which we are relaying,
but again,
# only if the recipient can be verified.
#
accept domains = +relay_to_domains
endpass
verify = recipient/callout=10s,defer_ok
set acl_m0 = LOOKUP_SCAN_PROFILE
#
# If control reaches this point, the domain is neither in
+local_domains
# nor in +relay_to_domains.
#
#
# accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because
in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should
probably
# add recipient verification here.
#
accept hosts = +relay_from_hosts
log_message = RCPT: accepted after sender verify and in
+relay_from_hosts
#
# accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.
#
accept authenticated = *
log_message = RCPT: accept for authenticated user:
$authenticated_id
#
# reaching the end of the ACL causes a "deny", but we might as well
give
# an explicit message.
#
deny message = Mail relay not permitted
log_message = RCPT: Denied mail relay (at end of ACL)
Mike
>
> Creative use of the debug facility might shed light.
> See the ACL "control=debug" modifier.
