Re: [exim] Spurious DNS lookups during inbound mail processi…

Góra strony
Delete this message
Reply to this message
Autor: Mike Tubby
Data:  
Dla: exim-users
Temat: Re: [exim] Spurious DNS lookups during inbound mail processing ?


On 27/04/2020 20:21, Jeremy Harris via Exim-users wrote:
> On 27/04/2020 20:09, Mike Tubby via Exim-users wrote:
>> 2020-04-27 19:05:46 1jT88X-0003Qr-G5 DKIM START:
>> domain=bounce.wowcher.co.uk possible_signer=e.wowcher.co.uk status=pass
>> 2020-04-27 19:05:46 1jT88X-0003Qr-G5 no IP address found for host
>> localhost.localdomain
>> 2020-04-27 19:05:46 1jT88X-0003Qr-G5 DKIM DEFAULT:
>> I don't understand where the spurious names are coming from but they
>> appear persistent across re-starts of Exim
>>
>> Any ideas?
> What do you do between DKIM_START and DKIM_DEFAULT? A dkim ACL
> is my guess. What do you do in there that might do a DNS lookup?


Well I do quite a lot of stuff in there:

###
### ack_check_dkim: this ACL is used for checking DKIM
###

#
# acl_m2 set to zero on start for normal/full checks, set to 1 if
white-listed
#

acl_check_dkim:

    #
    # start of DKIM debug message and clear macro
    #
    # Only do MySQL INSERT on Relay1 !!!
    #
    warn    set acl_m2 = 0
        set acl_m_dummy = ${lookup mysql{INSERT INTO dkim_log
(status,reason,host,domain,identity,selector,algo) VALUES
('${quote_mysql:$dkim_verify_status}',
'${quote_mysql:$dkim_verify_reason}','${quote_mysql:$sender_fullhost}',
'${quote_mysql:$dkim_domain}', '${quote_mysql:$dkim_identity}',
'${quote_mysql:$dkim_selector}', '${quote_mysql:$dkim_algo}' )}}
        log_message = DKIM START: domain=$sender_address_domain
possible_signer=$dkim_cur_signer status=$dkim_verify_status ${if
def:dkim_verify_reason {(reason=$dkim_verify_reason) }}

    #
    # strict checking on known signers...
    #
    deny    sender_domains = +dkim_known_signers
#        dkim_signers = +dkim_known_signers
        dkim_status = none:invalid:fail
        message = Message from $sender_address_domain (known signer)
with invalid or missing signature
        log_message = DKIM DENY: Rejected $sender_address_domain is
known signer (in database) but has invalid/missing signature

    accept    sender_domains = +dkim_known_signers
#        dkim_signers = +dkim_known_signers
        dkim_status = pass
        log_message = DKIM PASS: Accepted $sender_address_domain is
known signer and has good signature
        add_header = :after_received:X-DKIM-Result:
Domain=$sender_address_domain Result=Good and Known Domain

    #
    # ignore noise where we have no signature
    #
    accept    dkim_status = none
#        log_message = DKIM SKIP: Skipping DKIM checks - no signature
for: $dkim_cur_signer

    #
    # skip DKIM if domain whitelisted for DKIM, i.e. known good domain
that has broken DKIM
    #
    accept    sender_domains = +dkim_whitelist_domains
        log_message = DKIM SKIP: Skipping DKIM checks for whitelisted
domain: $sender_address_domain
        set acl_m2 = 1

    #
    # skip DKIM checks on hosts we relay for
    #
    accept    hosts = +relay_from_hosts
        log_message = DKIM SKIP: Skipping DKIM checks for relay host:
$sender_fullhost

    #
    # skip DKIM checks on authenticated hosts (that we also relay for)
    #
    accept    authenticated = *
        log_message = DKIM SKIP: Skipping DKIM checks for authenticated
host: $sender_fullhost


    #
    # defer when message not testable, e.g. can't get public key, etc.
    #
    defer    dkim_status = invalid
        message = Message from $sender_address_domain cannot be verified
        log_message = DKIM DEFER: domain=$sender_address_domain cannot
obtain public key

    #
    # accept the message (correctly signed)
    #
    accept    dkim_status = pass
        sender_domains = $sender_address_domain
        dkim_signers = $sender_address_domain
        log_message = DKIM PASS: domain=$sender_address_domain
signer=$dkim_cur_signer status=$dkim_verify_status
        add_header = :after_received:X-DKIM-Result:
Domain=$sender_address_domain Result=Signature OK

    #
    # accept the message EVEN IF the signature FAILS! due to white listing
    #
    accept    condition = ${if eq {$acl_m2}{1}}
        dkim_status = fail
        sender_domains = $sender_address_domain
        dkim_signers = $sender_address_domain
        log_message = DKIM FAIL (WHITELISTED):
domain=$sender_address_domain status=$dkim_verify_status - DKIM failed
but message accepted
        add_header = :after_received:X-DKIM-Result:
Domain=$sender_address_domain Result=FAIL (but whitelisted)

    #
    # deny (strict) when message fails signature test *and* acl_m2 = 0
(not whitelisted)
    #
    deny    condition = ${if eq {$acl_m2}{0}}
        dkim_status = fail
        sender_domains = $sender_address_domain
        dkim_signers = $sender_address_domain
        message = Message from has invalid DKIM signature
        log_message = DKIM FAIL (DENY): domain=$sender_address_domain -
message rejected!

    #
    # accept anything else (should never get here)
    #
    accept    log_message = DKIM DEFAULT: domain=$sender_address_domain
- message accepted (at end of ACL)



but nothing really DNS based ... ?

There are many more of the spurious lookups elsewhere like in the
content checks but the only DNS-ful part really is the second half of
acl_check_rcpt which perform:

    * Sender verify
    * Sender policy frame work
    * Local or callout recipient verify


like this:


    #
    # perform sender verify
    #
    require    verify = sender

    #
    # Sender Policy Framework
    #
    warn    spf = !none
        log_message = RCPT: SPF Result2=$spf_result
($sender_address_domain / $sender_fullhost)

    warn    set acl_m9 = 0

    warn    sender_domains = +spf_whitelist_domains
        spf = pass
        set acl_m9 = 1

    deny    spf = fail
        sender_domains = +spf_strict_domains
        message = Blocked by SPF\n$spf_smtp_comment
        log_message = RCPT: SPF fail for: $sender_address_domain and
listed for strict checking

    #
    # get the scan profile and store in ACL macro zero, defer if we
    # can't look it up
    #
    defer    condition = ${if \
                  or {\
                     {!def:acl_m0} \
                     {eq { ${acl_m0} } \
                         { LOOKUP_SCAN_PROFILE } \
                    } \
                                  } {0}{1} \
        }
        message = try this address in the next batch
        log_message = RCPT: Defer due to SCAN_PROFILE condition

    #
    # check if domain is in use
    #
    deny    condition = ${if eq {LOOKUP_ACTIVE_FLAG}{0}{1}{0}}
        message = Domain ($domain) is not in use for email
        log_message = RCPT: Domain ($domain) is not active for email


    # Accept if the address is in a local domain, but only if the
recipient can
    # be verified. Otherwise deny. The "endpass" line is the border between
    # passing on to the next ACL statement (if tests above it fail) or
denying
    # access (if tests below it fail).

    accept  domains = +local_domains
            endpass
            verify = recipient

    #
    # accept if the address is in a domain for which we are relaying,
but again,
    # only if the recipient can be verified.
    #
    accept    domains = +relay_to_domains
        endpass
        verify = recipient/callout=10s,defer_ok
        set acl_m0 = LOOKUP_SCAN_PROFILE

    #
    # If control reaches this point, the domain is neither in
+local_domains
    # nor in +relay_to_domains.
    #


    #
    # accept if the message comes from one of the hosts for which we are an
    # outgoing relay. Recipient verification is omitted here, because
in many
    # cases the clients are dumb MUAs that don't cope well with SMTP error
    # responses. If you are actually relaying out from MTAs, you should
probably
    # add recipient verification here.
    #
    accept    hosts = +relay_from_hosts
        log_message = RCPT: accepted after sender verify and in
+relay_from_hosts

    #
    # accept if the message arrived over an authenticated connection, from
    # any host. Again, these messages are usually from MUAs, so recipient
    # verification is omitted.
    #
    accept    authenticated = *
        log_message = RCPT: accept for authenticated user:
$authenticated_id

    #
    # reaching the end of the ACL causes a "deny", but we might as well
give
    # an explicit message.
    #
    deny    message = Mail relay not permitted
        log_message = RCPT: Denied mail relay (at end of ACL)



Mike


>
> Creative use of the debug facility might shed light.
> See the ACL "control=debug" modifier.


Ok, might be worth a go ...