Exim still accepting emails to nonexistent users
After adding the configuration bit:

  deny message = invalid recipient
       domains = +local_domains
       !verify = recipient/callout=no_cache

(from http://wiki2.dovecot.org/LMTP/Exim) and running update-exim4.conf and service exim4 restart,
the server is still accepting emails to recipients that do not exist in dovecot.
Any ideas?
Hi,
Marti Markov marti1234@gmail.com (Mi 16 Nov 2016 04:28:28 CET):
After adding the configuration bit:

  deny message = invalid recipient
       domains = +local_domains
       !verify = recipient/callout=no_cache

(from http://wiki2.dovecot.org/LMTP/Exim) and running update-exim4.conf and service exim4 restart,
the server is still accepting emails to recipients that do not exist in dovecot.
How is the router targeting the messages to dovecot configured? And how is the transport responsible for the delivery to dovecot configured?
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- SCHLITTERMANN.de ---------------------------- internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} - gnupg encrypted messages are welcome --------------- key ID: F69376CE - ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Hi Heiko,
Here is the router:
virtual_aliases:
driver = redirect
debug_print = "R: Check address using virtual_aliases for $local_part@$domain"
allow_fail
allow_defer
hide data = CHECK_VIRTUAL_ALIASES
user = vmail
group = mail
local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
  #Dovecot auth check
  # check_local_user
  local_parts = ! root
  transport = dovecot_lmtp
  cannot_route_message = Unknown user
And this is the transport:
dovecot_lmtp:
  driver = lmtp
  socket = /var/run/dovecot/lmtp
  #return_path_add
  #maximum number of deliveries per batch, default 1
  batch_max = 200
This might also be helpful (this is with check_local_user commented out in the router):

--------> local_user router <--------
local_part=nosuchuser domain=domainproblem.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
domainproblem.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
NoSuchUser in "! root"? yes (end of list)
R: local_user for nosuchuser@domainproblem.com
calling local_user router
local_user router called for NoSuchUser@domainproblem.com
  domain = domainproblem.com
queued for dovecot_lmtp transport: local_part = nosuchuser domain = domainproblem.com
  errors_to=NULL
  domain_data=NULL localpart_data=NULL
routed by local_user router
  envelope to: NoSuchUser@domainproblem.com
  transport: dovecot_lmtp
Cannot do callout: neither router nor transport provided a host list
----------- end verify ------------
deny: condition test failed in ACL "acl_check_rcpt"
processing "accept"
check domains = +relay_to_domains
domainproblem.com in "empty"? no (end of list)
domainproblem.com in "+relay_to_domains"? no (end of list)
accept: condition test failed in ACL "acl_check_rcpt"
processing "accept"
accept: condition test succeeded in ACL "acl_check_rcpt"
SMTP>> 250 Accepted
250 Accepted
This is when it's not commented out:

--------> local_user router <--------
local_part=m.markov domain=domainproblem.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
domainproblem.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
m.markov in "! root"? yes (end of list)
checking for local user
seeking password data for user "m.markov": using cached result
getpwnam() returned NULL (user not found)
local_user router skipped: m.markov is not a local user
I currently have check_local_user disabled because otherwise nobody would be able to receive emails.
On 17 Nov 2016, at 21:33, Heiko Schlittermann hs@schlittermann.de wrote:
Hi,
Marti Markov marti1234@gmail.com (Mi 16 Nov 2016 04:28:28 CET):
After adding the configuration bit:

  deny message = invalid recipient
       domains = +local_domains
       !verify = recipient/callout=no_cache

(from http://wiki2.dovecot.org/LMTP/Exim) and running update-exim4.conf and service exim4 restart,
the server is still accepting emails to recipients that do not exist in dovecot.
How is the router targeting the messages to dovecot configured? And how is the transport responsible for the delivery to dovecot configured?
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
Hi Marti,
(Please do not send CC to my private account)
Marti Markov marti1234@gmail.com (Mo 21 Nov 2016 03:52:54 CET):
Here is the router:
virtual_aliases:
…
hide data = CHECK_VIRTUAL_ALIASES
local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
  #Dovecot auth check
  # check_local_user
  local_parts = ! root
  transport = dovecot_lmtp
And this is the transport:
dovecot_lmtp:
  driver = lmtp
  socket = /var/run/dovecot/lmtp
  #return_path_add
  #maximum number of deliveries per batch, default 1
  batch_max = 200
Ok, the router cannot check the existence of the user. check_local_user won't help you, as long as the $local_part is not a system user locally.
Basically you got 2 possibilities:
a) check in the routing stage by accessing the user database
-> testable with: exim -bv user@exampl.com
b) check in the transport stage by using a callout
-> testable with: swaks … --pipe 'exim -bhc i.i.i.i'
a) Routing stage
You need to interact with the user database dovecot uses. Either you access the user database directly (flat file, LDAP, whatever) or you use the ${readsocket…} feature of Exim to talk to dovecot.
b) Transport stage
You need to configure the dovecot LMTP to refuse messages to unknown users. This you can test using swaks (it's capable of talking LMTP). Once this LMTP works (refusing unknown users) you can use callouts for verification during SMTP time. (exim -bv … will still tell you that the message is *routable*, but exim -bh and the pipe mode of swaks may help you.)
Ha ….
transport: dovecot_lmtp Cannot do callout: neither router nor transport provided a host list
This can be 'fixed' if you use (not tested)
dovecot_lmtp:
  driver = smtp
  protocol = lmtp
  # the smtp transport's host-list option is spelled "hosts"
  hosts = localhost
  port = 2525
and have the dovecot LMTP run on a local TCP port
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
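What option b) buys once Dovecot's LMTP refuses unknown users, shown as an added Python example that is not code from this thread, from Exim or from Dovecot: a stub LMTP server holding a constructed mailbox list answers RCPT TO with 250 or 550, and callout_verify() runs the LHLO / MAIL FROM:<> / RCPT TO / RSET / QUIT dialogue against it without ever sending DATA, which is the part of the exchange a verification callout uses. The host, port, mailbox names and reply texts are assumptions made for the example.

```python
"""Recipient verification over LMTP, the way an Exim callout performs it.

Added example, not code from the thread, from Exim or from Dovecot.  A stub
LMTP server holding a constructed mailbox list answers RCPT TO with 250 or
550, and callout_verify() runs LHLO / MAIL FROM / RCPT TO / RSET / QUIT
against it, never sending DATA.  Host, port, mailbox names and reply texts
are assumptions made for the example.
"""
from __future__ import annotations

import smtplib
import socketserver
import threading

# Constructed mailbox list standing in for Dovecot's userdb.
KNOWN_MAILBOXES = {"m.markov@domainproblem.com", "postmaster@domainproblem.com"}


class StubLMTPHandler(socketserver.StreamRequestHandler):
    """Just enough of LMTP (RFC 2033) to answer a verification callout."""

    def reply(self, line: str) -> None:
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self) -> None:
        self.reply("220 stub-lmtp ready")
        while True:
            raw = self.rfile.readline()
            if not raw:                      # client went away
                return
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb == "LHLO":
                self.reply("250-stub-lmtp")
                self.reply("250 ENHANCEDSTATUSCODES")
            elif verb == "MAIL":
                self.reply("250 2.1.0 OK")
            elif verb == "RCPT":
                # arg looks like "TO:<user@domain>"
                addr = arg.split(":", 1)[-1].strip().strip("<>").lower()
                if addr in KNOWN_MAILBOXES:
                    self.reply("250 2.1.5 OK")
                else:
                    # what an LMTP server that refuses unknown users answers
                    self.reply("550 5.1.1 User doesn't exist")
            elif verb == "RSET":
                self.reply("250 2.0.0 OK")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Command not implemented")


class StubLMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_stub_server() -> tuple[StubLMTPServer, int]:
    """Bind the stub on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    server = StubLMTPServer(("127.0.0.1", 0), StubLMTPHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def callout_verify(recipient: str, port: int, host: str = "127.0.0.1") -> tuple[bool, int, str]:
    """Ask the LMTP server whether it would accept `recipient`.

    Returns (accepted, reply_code, reply_text).  The null sender and the RSET
    before QUIT mirror what Exim's verify=recipient/callout does.
    """
    with smtplib.LMTP(host, port, local_hostname="exim.example.test") as conn:
        conn.ehlo()                      # smtplib.LMTP sends LHLO here
        conn.mail("")                    # MAIL FROM:<>
        code, text = conn.rcpt(recipient)
        conn.rset()
    return 200 <= code < 300, code, text.decode("ascii", "replace")


def run_demo() -> dict[str, tuple[bool, int]]:
    """Verify one known and one unknown recipient against the stub."""
    server, port = start_stub_server()
    try:
        results = {}
        for rcpt in ("m.markov@domainproblem.com", "nosuchuser@domainproblem.com"):
            ok, code, text = callout_verify(rcpt, port)
            print(f"{rcpt}: {code} {text} -> {'accept' if ok else 'deny'}")
            results[rcpt] = (ok, code)
        return results
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    run_demo()
```

Run it as a script to see the two verdicts; the 550 for the unknown mailbox is the reply a callout-based ACL turns into a rejection at RCPT time, which is what the "Cannot do callout: neither router nor transport provided a host list" debug line above says Exim could not obtain through the unix-socket lmtp transport.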
Hi,
Heiko Schlittermann hs@schlittermann.de (Mo 21 Nov 2016 11:50:13 CET):
a) Routing stage
You need to interact with the user database dovecot uses. Either you access the user database directly (flat file, LDAP, whatever) or you use the ${readsocket…} feature of Exim to talk to dovecot.
The readsocket trick doesn't seem to work anymore.
Using

$ socat STDIO UNIX:/run/dovecot/auth-master
< VERSION 1 1
< SPID 16290
VERSION 1 1
USER 42 hs12 service=imap
< USER 1 hs12 uid=500 gid=500 home=/var/vmail/home/h/hs12
(the spaces are tabs).
But using Exim
exim -be '${readsocket{/run/dovecot/auth-userdb}{VERSION\t1\t1\nUSER\t1\ths12\tservice=imap\n}}'
does not work. Exim closes the sending side right after the final \n with shutdown(2). Dovecot seems to see this as if the connection should be closed now and closes the connection, w/o any response.
As it's not unusual to shutdown(2) the sender if the message is sent, I'd see this as a bug on the dovecot side. There is no reason to consider the connection as dead, just because the sender closed its sending side of the connection.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
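The same userdb exchange done from a client that keeps its write side open until the answer has been read, as an added Python example that is not code from this thread, from Exim or from Dovecot. A stub server in a thread speaks the part of the auth protocol visible in the socat session above (VERSION and SPID greeting, the client's VERSION and USER lines, a USER or NOTFOUND reply); the user table, socket path, SPID and uid/gid/home values are constructed. The stub answers any complete request, so it does not reproduce the half-close reaction described above; the point is the protocol framing and a client that does not shut down its sending side before reading.

```python
"""Dovecot auth-userdb lookup that keeps its socket open until the answer is in.

Added example, not code from the thread, from Exim or from Dovecot.  A stub
server in a thread speaks the part of the auth protocol visible in the socat
session: it greets with VERSION and SPID, reads the client's VERSION and USER
lines, and answers USER (found) or NOTFOUND.  The user table, the socket
path, the SPID and the uid/gid/home values are constructed.
"""
from __future__ import annotations

import os
import socket
import tempfile
import threading

# Constructed userdb standing in for Dovecot's.
STUB_USERDB = {"hs12": {"uid": "500", "gid": "500", "home": "/var/vmail/home/h/hs12"}}


def _stub_serve(listener: socket.socket) -> None:
    """Accept connections and answer USER requests from STUB_USERDB."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:              # listener closed: stop serving
            return
        with conn, conn.makefile("rb") as rf:
            conn.sendall(b"VERSION\t1\t1\nSPID\t4242\n")   # greeting, as seen in the socat session
            for raw in rf:
                fields = raw.rstrip(b"\n").decode().split("\t")
                if fields[0] != "USER" or len(fields) < 3:
                    continue                               # client's VERSION line, or junk
                req_id, user = fields[1], fields[2]
                attrs = STUB_USERDB.get(user)
                if attrs is None:
                    conn.sendall(f"NOTFOUND\t{req_id}\n".encode())
                else:
                    kv = "\t".join(f"{k}={v}" for k, v in attrs.items())
                    conn.sendall(f"USER\t{req_id}\t{user}\t{kv}\n".encode())


def start_stub_userdb() -> tuple[socket.socket, str]:
    """Listen on a fresh AF_UNIX socket in a temp dir; returns (listener, path)."""
    path = os.path.join(tempfile.mkdtemp(), "auth-userdb")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(path)
    listener.listen(5)
    threading.Thread(target=_stub_serve, args=(listener,), daemon=True).start()
    return listener, path


def userdb_lookup(socket_path: str, user: str, service: str = "imap",
                  req_id: int = 1) -> dict[str, str] | None:
    """Look `user` up over the auth-userdb socket.

    Returns the attributes from a USER reply, None on NOTFOUND, and raises on
    FAIL or if the peer closes without answering.  The write side is left open
    until the reply has been read; no shutdown(SHUT_WR) after the request.
    """
    request = f"VERSION\t1\t1\nUSER\t{req_id}\t{user}\tservice={service}\n"
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        sock.sendall(request.encode())
        with sock.makefile("rb") as rf:
            for raw in rf:
                fields = raw.rstrip(b"\n").decode().split("\t")
                kind = fields[0]
                if kind in ("VERSION", "SPID") or len(fields) < 2:
                    continue                 # greeting lines
                if fields[1] != str(req_id):
                    continue                 # answer to some other request id
                if kind == "USER":
                    return dict(f.split("=", 1) for f in fields[3:] if "=" in f)
                if kind == "NOTFOUND":
                    return None
                if kind == "FAIL":
                    raise RuntimeError(f"userdb lookup failed: {raw!r}")
    raise RuntimeError("auth-userdb closed the connection without answering")


def run_demo() -> tuple[dict[str, str] | None, dict[str, str] | None]:
    """Look up one existing and one missing user against the stub."""
    listener, path = start_stub_userdb()
    try:
        found = userdb_lookup(path, "hs12")
        missing = userdb_lookup(path, "nosuchuser")
        print("hs12 ->", found)
        print("nosuchuser ->", missing)
        return found, missing
    finally:
        listener.close()
        os.unlink(path)


if __name__ == "__main__":
    run_demo()
```

Pointing userdb_lookup() at a real /run/dovecot/auth-userdb instead of the stub path is the only change needed to use it against Dovecot itself.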
Hi Heiko,
Sorry for using your private email address. :/
I managed to get this working using local_user changes by adding ldap user verification there:
local_user:
debug_print = "R: local_user LDAP lookup for $local_part@$domain"
driver = accept
domains = +local_domains
condition = CHECK_VIRTUAL_USER
transport = dovecot_lmtp
cannot_route_message = Unknown user
Where CHECK_VIRTUAL_USER is:
# Query that tests the existence of the user
CHECK_VIRTUAL_USER = \
  ${lookup ldap{user="cn=exim4,ou=dsa,dc=mydomain,dc=com" pass=PASS \
    ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)(mail=$local_part@$domain))}{$value}fail}
Thanks again for all the support. You pointed me in the right direction. :)
2016-11-21 11:16 GMT+00:00 Heiko Schlittermann hs@schlittermann.de:
Hi,
Heiko Schlittermann hs@schlittermann.de (Mo 21 Nov 2016 11:50:13 CET):
a) Routing stage
You need to interact with the user database dovecot uses. Either you access the user database directly (flat file, LDAP, whatever) or you use the ${readsocket…} feature of Exim to talk to dovecot.
The readsocket trick doesn't seem to work anymore.
Using

$ socat STDIO UNIX:/run/dovecot/auth-master
< VERSION 1 1
< SPID 16290
VERSION 1 1
USER 42 hs12 service=imap
< USER 1 hs12 uid=500 gid=500 home=/var/vmail/home/h/hs12
(the spaces are tabs).
But using Exim
exim -be '${readsocket{/run/dovecot/auth-userdb}{VERSION\t1\t1\nUSER\t1\ths12\tservice=imap\n}}'
does not work. Exim closes the sending side right after the final \n with shutdown(2). Dovecot seems to see this as if the connection should be closed now and closes the connection, w/o any response.
As it's not unusual to shutdown(2) the sender if the message is sent, I'd see this as a bug on the dovecot side. There is no reason to consider the connection as dead, just because the sender closed its sending side of the connection.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
Marti Markov
Pursuing a Bachelor Degree of Science in Computer Science at the University of Southampton
Cell phone: +359886621454
Twitter: https://twitter.com/martimarkov
Facebook: https://facebook.com/Marti.Markov
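The CHECK_VIRTUAL_USER macro above interpolates $local_part and $domain straight into an LDAP search filter, so a local part containing filter metacharacters changes the structure of the query rather than being matched as a value. The following added Python example, not code from this thread or from Exim, builds the same filter both ways, applies RFC 4515 escaping to the interpolated values, and counts the attribute assertions in each result so the difference is visible; in Exim itself the equivalent of ldap_filter_escape() is the ${quote_ldap:...} expansion operator. All inputs are constructed and no LDAP server is contacted.

```python
"""The CHECK_VIRTUAL_USER search filter, built with and without escaping.

Added example, not code from the thread or from Exim.  raw_filter() mirrors
the macro on the page; safe_filter() applies RFC 4515 escaping to the two
interpolated values, which is what Exim's ${quote_ldap:...} operator does.
count_assertions() makes the structural difference measurable.  Inputs are
constructed; nothing here talks to an LDAP server.
"""
import re

# RFC 4515 section 3: these characters must be written as \XX inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# One attribute assertion opener such as "(mail=" or "(objectClass=".
_ASSERTION = re.compile(r"\([A-Za-z][A-Za-z0-9.;-]*=")


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def raw_filter(local_part: str, domain: str) -> str:
    """The filter exactly as the macro on the page assembles it: no escaping."""
    return f"(&(objectClass=inetOrgPerson)(mail={local_part}@{domain}))"


def safe_filter(local_part: str, domain: str) -> str:
    """The same filter with both interpolated values escaped."""
    return ("(&(objectClass=inetOrgPerson)"
            f"(mail={ldap_filter_escape(local_part)}@{ldap_filter_escape(domain)}))")


def count_assertions(filter_str: str) -> int:
    """Number of attribute assertions in the filter; the intended query has two."""
    return len(_ASSERTION.findall(filter_str))


def compare(local_part: str, domain: str) -> tuple[int, int]:
    """Return (assertions in raw filter, assertions in escaped filter)."""
    raw, safe = raw_filter(local_part, domain), safe_filter(local_part, domain)
    print("raw :", raw, "->", count_assertions(raw), "assertions")
    print("safe:", safe, "->", count_assertions(safe), "assertions")
    return count_assertions(raw), count_assertions(safe)


if __name__ == "__main__":
    # An ordinary address: both forms are identical.
    compare("m.markov", "domainproblem.com")
    # A constructed local part carrying filter metacharacters: the raw form
    # gains a third assertion, the escaped form keeps the intended two.
    compare("*)(objectClass=*", "domainproblem.com")
```

The escaped filter still matches only mail values that literally contain the odd characters, which is the behaviour a recipient check should have: an unusual local part is simply not found, rather than rewriting the query.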
Hi Marti,
Marti Markov marti.markov@gmail.com (Mi 23 Nov 2016 09:21:07 CET):
Hi Heiko,
Sorry for using your private email address. :/
… the problem is the duplicate suppression on our mail system; normally it passes the 'unicasted' message and suppresses the 'broadcasted' messages (as the unicasted message comes first). The unicasted message doesn't carry all the list headers.
That's one reason, why duplicate suppression is a bad thing.
I managed to get this working using local_user changes by adding ldap user verification there: … ldap:///dc=mydomain,dc=com?mail?sub?(&(objectClass=inetOrgPerson)(mail=$local_part@$domain))}{$value}fail}
Thanks again for all the support. You pointed me in the right direction. :)
You're welcome.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann