Hello All, long time reader, first time poster. We have, I believe, a major problem with mail attempting to be relayed from within exim4. I have double checked and we are not acting as an open relay (we were a week or so ago). The open relay was closed and tested. Now I see activity in the exim4 logs indicating that mail is 'attempting' to be relayed to external addresses that are foreign (or not known) to us, especially ones such as .hinet.net (in China?). I am a novice, and so if anyone can point me in the right direction to resolving this issue I would be most appreciative. And it may assist others.

Here is a snippet from the most recent /var/log/exim4/rejectlog:

Code:
2011-04-27 14:53:07 H=(pc-3dd5088c1c2b) [211.44.183.97] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted
2011-04-27 14:53:07 H=(pc-3dd5088c1c2b) [211.44.183.97] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted
2011-04-27 14:54:16 H=(mail.olcs.com.au) [203.38.32.100] F=<> rejected RCPT <[email protected]>:
2011-04-27 15:03:20 H=(tommy-1a18f45e0) [125.166.92.100] F=<[email protected]> rejected RCPT <[email protected]>:
2011-04-27 15:04:12 H=(hai-8f8838d2ca3) [118.71.26.150] F=<[email protected]> rejected RCPT <[email protected]>:

And here is a snippet from my mainlog:

Code:
2011-04-27 14:53:07 H=(pc-3dd5088c1c2b) [211.44.183.97] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted
2011-04-27 14:53:07 H=(pc-3dd5088c1c2b) [211.44.183.97] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted
2011-04-27 14:54:16 H=(mail.olcs.com.au) [203.38.32.100] F=<> rejected RCPT <[email protected]>:
2011-04-27 15:03:20 H=(tommy-1a18f45e0) [125.166.92.100] F=<[email protected]> rejected RCPT <[email protected]>:
2011-04-27 15:04:12 H=(hai-8f8838d2ca3) [118.71.26.150] F=<[email protected]> rejected RCPT <[email protected]>:

gateway2:/var/log/exim4# tail mainlog
2011-04-27 15:10:52 H=218-167-74-40.dynamic.hinet.net (59.167.227.6) [218.167.74.40] F=<[email protected]> rejected RCPT <[email protected]>: relay not permitted
2011-04-27 15:10:52 unexpected disconnection while reading SMTP command from 218-167-74-40.dynamic.hinet.net (59.167.227.6) [218.167.74.40]
2011-04-27 15:10:54 no IP address found for host mm-165-150-57-86.static.mgts.by (during SMTP connection from [86.57.150.165])
2011-04-27 15:11:28 1QEx27-0000xC-Jc SA: Debug: SAEximRunCond expand returned: '0'
2011-04-27 15:11:28 1QEx27-0000xC-Jc SA: Action: Not running SA because SAEximRunCond expanded to false (Message-Id: 1QEx27-0000xC-Jc). From <[email protected]> (host=mail172.messagelabs.com [216.82.254.3]) for [email protected]
2011-04-27 15:11:28 1QEx27-0000xC-Jc => [email protected] <[email protected]> R=dnslookup_relay_to_domains T=remote_smtp H=banquo.onereason.com.au [10.10.1.6] X=TLS1.0:RSA_AES_256_CBC_SHA1:32 DN="C=US,ST=N/A,O=Zimbra Collaboration Suite,OU=Zimbra Collaboration Suite,CN=banquo.onereason.com.au"
2011-04-27 15:11:28 1QEx27-0000xC-Jc Completed
2011-04-27 15:12:09 no host name found for IP address 213.108.21.37
2011-04-27 15:12:55 no host name found for IP address 213.108.21.37

I need to understand whether we do have a problem or not, how it may have occurred, and how I might address and resolve the issue ASAP. I am willing to supply any additional logs/configs that may be of assistance. Again, I thank you for your time and effort in assisting me.

Kind Regards,
Edward.
mails in the queue

Hi

If your mail server has been an open relay for a time, it takes time before the "spammers" figure out that the open relay is closed. What is the output of exim -bp / exim -bpc (the exim mail queue)? Make sure that no old spam mails from when you were an open relay are in the queue.

Have you implemented block lists in your exim configuration? Otherwise just drop these lines in before "begin acl", in the 00_exim4-config_header file (if you are running split config):

Code:
CHECK_RCPT_IP_DNSBLS = bl.spamcop.net:xbl.spamhaus.org:dnsbl.sorbs.net
CHECK_RCPT_DOMAIN_DNSBLS = dnsbl.njabl.org : \
        blackholes.five-ten-sg.com : \
        cbl.abuseat.org : \
        smtp.dnsbl.sorbs.net : \
        spam.dnsbl.sorbs.net : \
        zombie.dnsbl.sorbs.net

I'm running Debian and exim4 on my anti-spam / virus gateways, for the last 5 years. It WORKS great.. I need to know a bit more about your IP / domain names to look deeper into your question.
Excellent

Thank you net help.dk, that is exactly what I need. Will implement today and see what happens.

Regards,
Edward
Back again..

Hi Again, hope that you are still around. Block lists now done (thank you) in my split config. I'm unable to determine if this has helped or not.

exim -bpc = 106
mailq (reflects the same, including many valid frozen entries)

Unable to publish all exim -bp output for obvious reasons. Here's a snippet:

Code:
60m  3.5K 1QH7uM-0000me-53 <>
          [email protected]
52m  3.9K 1QH827-0000oN-S6 <> *** frozen ***
          [email protected]
46m  3.6K 1QH87c-0000pd-1g <> *** frozen ***
          [email protected]
 5m  2.1K 1QH8le-0000zk-Bl <> *** frozen ***
          [email protected]

Here's some DNS info to shed some more light:

mail.onereason.com.au MX 10 218.214.48.17
mail2.onereason.com.au MX 20 69.55.237.222

Our publicly visible server (Deb Lenny) is called gateway (original, huh?), that's where mail comes in. It has exim4 running etc. We have a server, laertes, which is used to send legitimate bulk email from our paying clients' accounts (via a very complex software stack). The domain name used to send ALL client newsletters or bulk mail is beaconbee.com (it resolves to laertes, 69.55.231.168).

My update-exim4.conf.conf on gateway (publicly accessible) has:

Code:
dc_eximconfig_configtype='internet'
dc_other_hostnames='beaconbee.com:onereason.com.au:onlinenow.com.au:yoakeim.com:alorn.net:australianicons.com.au'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains='mail.onereason.com.au:beaconbee.com:*.beaconbee.com.au:*.blubeez.com.au:*.beaconbee.com:*.blubeez.com:*.onereason.com.au:*.onlinenow.com.au:*.yoakeim.com:*.alorn.net:newsletter.adshel.onereason.com.au:newsletters.childfund.onereason.com.au'

OK, comments on the above relay domains: we own all the domain names; the config was in place prior to my joining; I'm confused over the mixing of wildcard (*) and specific hostnames included together?

Does that provide you with a little more background? Maybe you can spot something obvious or incorrectly configured? Any and all assistance kindly appreciated.

Thank you,
E.
I'm still around

I just tested a bit against your mail server and see an issue.... Not as bad as an open relay, but still an issue.

Code:
telnet mail2.onereason.com.au 25
Trying 69.55.237.222...
Connected to mail2.onereason.com.au.
Escape character is '^]'.
220 mail2.onereason.com.au ESMTP Exim 4.52 Tue, 03 May 2011 04:39:02 -0700
ehlo d
250-mail2.onereason.com.au Hello 0x5da2295a.cpe.ge-0-2-0-1110.hrnqu2.customer.tele.dk [93.162.41.90]
250-SIZE 52428800
250-PIPELINING
250 HELP
mail from:[email protected]
250 OK
rcpt to:[email protected]
250 Accepted
data
354 Enter message, ending with "." on a line by itself
subject:this might bee an issue
test email, Im relaying over the mail server, using bounce emails to sendt mails test tgest test
.
250 OK id=1QHDxc-000GGF-Ke
quit
221 mail2.onereason.com.au closing connection
Connection closed by foreign host.

A few seconds later on my own mailserver:

Code:
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  [email protected]

------ This is a copy of the message, including all the headers. ------

Return-path: <[email protected]>
Received: from [69.55.237.222] (helo=mail2.onereason.com.au)
        by gateway2.onereason.com.au with esmtp (Exim 4.69)
        (envelope-from <[email protected]>)
        id 1QHDyc-0002Ul-2Q
        for [email protected]; Tue, 03 May 2011 21:41:14 +1000
Received: from 0x5da2295a.cpe.ge-0-2-0-1110.hrnqu2.customer.tele.dk ([93.162.41.90] helo=d)
        by mail2.onereason.com.au with esmtp (Exim 4.52 (FreeBSD))
        id 1QHDxc-000GGF-Ke
        for [email protected]; Tue, 03 May 2011 04:41:08 -0700
subject:this might bee an issue
Message-Id: <[email protected]>
From: [email protected]
Date: Tue, 03 May 2011 21:41:14 +1000
X-SA-Exim-Connect-IP: 69.55.237.222
X-SA-Exim-Mail-From: [email protected]
X-SA-Exim-Scanned: No (on gateway2.onereason.com.au); SAEximRunCond expanded to false

test email, Im relaying over the mail server, using bounce emails to sendt mails test tgest test

I'm using the server's bounce feature to send email, by sending a mail to an invalid email address at your mail domain. If the sender email address in my test was invalid, your mail server would try sending/bouncing to an invalid email address and end up frozen...

Please look at the message headers on the frozen emails and have a look at where the email is created, and whether it is where you expect it:

Code:
exim -Mvh <message-id>
ex. exim -Mvh 1QH7uM-0000me-53

Try looking in the log /var/log/exim4/mainlog to see why the message is not delivered. Ex.. issue: mail.ampol-tir.com not answering when telnetting on port 25 to the server.

More exim samples are found at this link: http://bradthemad.org/tech/notes/exim_cheatsheet.php always good to have at hand...

The bounce issue solution is to only accept email to valid internal users; this validation test can be created in many ways on your server, depending on the number of internal valid mail addresses.

Fyi. I'm still around but don't have much time these days, about to do a major installation in my life: don't hope it ends this bad. http://www.lessaid.net/fun/apt-get-wife.png
Exim bounce sending goes on..

Hello Friend, first off I do hope that your big installation goes well and without repository down time. Next, thank you again for your ongoing considerable assistance - I am so very appreciative (and learning heaps too).

So, as you are correct - we are still experiencing exim bounced mail sending, which now has apparently caused us to be blacklisted on 1 external IP with barracudacentral.org. We're addressing that.

So, it would seem most if not all of the mail in exim -bp (150 messages) is frozen - and obvious SPAM. What I need to do, and I cannot find out how to achieve, is as you said to ONLY allow incoming mail to existing and valid email addresses in our domains (onereason.com.au, onlinenow.com.au). I have looked into my exim config (split) again and we have the Virtual files in place for those domains that contain the valid lists of email addresses (i.e. edward: [email protected]) - banquo is our internal Zimbra ZCS mail server. So, I thought that with the virtual setup only known and valid email would be allowed IN and so not bounce around and back out.

Here's an example:

Code:
exim -Mvh 1QHrRN-00036T-Ou
1QHrRN-00036T-Ou-H
Debian-exim 101 103
<>
1304574573 0
-ident Debian-exim
-received_protocol local
-body_linecount 64
-max_received_linelength 94
-allow_unqualified_recipient
-allow_unqualified_sender
-frozen 1304574575
-localerror
XX
1
[email protected]

156P Received: from Debian-exim by gateway2.onereason.com.au with local (Exim 4.69) id 1QHrRN-00036T-Ou for [email protected]; Thu, 05 May 2011 15:49:33 +1000
060  X-Failed-Recipients: [email protected]
029  Auto-Submitted: auto-replied
069F From: Mail Delivery System <[email protected]>
022T To: [email protected]
059  Subject: Mail delivery failed: returning message to sender
058I Message-Id: <[email protected]>
038  Date: Thu, 05 May 2011 15:49:33 +1000
042  X-SA-Exim-Connect-IP: <locally generated>
022  X-SA-Exim-Mail-From:
086  X-SA-Exim-Scanned: No (on gateway2.onereason.com.au); SAEximRunCond expanded to false

These lines worry me:

Code:
-allow_unqualified_recipient
-allow_unqualified_sender

You have my word that we don't send spam to poor people like [email protected]. So, what I need to know how to do - and quickly - is to tell exim to ONLY allow known and valid email addresses into our network. Can you point me in the right direction here?? (I've searched Google for days now..)

And for completeness, and probably overkill, here is:

Code:
# /etc/exim4/update-exim4.conf.conf
dc_eximconfig_configtype='internet'
dc_other_hostnames='beaconbee.com:onereason.com.au:onlinenow.com.au:yoakeim.com:alorn.net:australianicons.com.au'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains='mail.onereason.com.au:beaconbee.com:*.beaconbee.com.au:*.blubeez.com.au:*.beaconbee.com:*.blubeez.com:*.onereason.com.au:*.onlinenow.com.au:*.yoakeim.com:*.alorn.net:newsletter.adshel.onereason.com.au:newsletters.childfund.onereason.com.au'
dc_minimaldns='false'
dc_relay_nets='218.214.48.17:10.10.1.0/24:69.55.237.222:69.55.231.26'
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'

Again, thank you - hope that you or someone can shed some light on this before I face the firing squad at work.

Regards,
Ed.
Sorry

Hi

I'm sorry that I vanished, the "installation went well", but work has called hard on me since then. Hope you fixed your problem..

Just to help others, what I have done on my mini home hosting system, only friends and family, is to daily create a txt file including all valid mail accounts on my system. In my 30_exim4-config_check_rcpt I have

Exim is also able to use LDAP and MySQL lookups to accomplish this as well, but it's overkill for my purpose.
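An added example of the "only accept email to valid internal users" check recommended two posts up, driven by the daily list of valid accounts this post describes; it is an ACL fragment written for this thread, not the poster's or Debian's own configuration. The path /etc/exim4/valid_recipients is an assumed name, while +local_domains and +relay_to_domains are the domain lists Debian's exim4 config builds from dc_other_hostnames and dc_relay_domains.

```exim
# Constructed example, not from the thread. In Debian's split config this
# belongs in conf.d/acl/30_exim4-config_check_rcpt, after the
# "accept hosts = +relay_from_hosts" stanza and before the final accept.
# Assumed: /etc/exim4/valid_recipients holds one complete address per line,
# regenerated daily from the real mailbox list (the txt file described above).

  # Weak form (what produced the frozen bounces): any local part for our
  # domains is accepted at RCPT time. The router only finds out later that
  # the mailbox does not exist, and Exim then mails a bounce to the envelope
  # sender, which a spammer can forge. That is the backscatter in the queue.
  #
  #   accept
  #     domains = +local_domains

  # Hardened form, local domains: refuse the RCPT command itself unless the
  # address is on the list. Nothing is queued, so no bounce is ever created.
  # lsearch uses the complete address as the key, so one line per mailbox.
  deny
    domains     = +local_domains
    !recipients = lsearch;/etc/exim4/valid_recipients
    message     = No such user here

  # Hardened form, relayed domains (mail forwarded to an internal server such
  # as the Zimbra box): ask that server during this SMTP session whether it
  # will take the recipient, and refuse the RCPT if it says no. 10s is the
  # callout timeout; defer_ok treats "internal server unreachable" as a pass,
  # so a short outage there does not make this host temp-reject all inbound mail.
  deny
    domains = +relay_to_domains
    !verify = recipient/callout=10s,defer_ok
    message = Unknown recipient at $domain

  # The DNS blocklists suggested earlier in the thread, as an explicit stanza
  # instead of the CHECK_RCPT_IP_DNSBLS macro. $dnslist_domain records which
  # list matched, so the reason is visible in rejectlog.
  deny
    dnslists = bl.spamcop.net : xbl.spamhaus.org : dnsbl.sorbs.net
    message  = $sender_host_address is listed at $dnslist_domain

  # Everything that survived the checks above, for our own or relayed domains.
  accept
    domains = +local_domains : +relay_to_domains

# Dry-run the ACL without sending mail (203.0.113.10 is a documentation IP):
#   exim -bh 203.0.113.10      then type EHLO / MAIL FROM / RCPT TO by hand
```

Test both a listed and an unlisted local part through exim -bh: the first should reach "250 Accepted", the second should be refused at RCPT with the deny message rather than being accepted and bounced later.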