Jasper Wallace | 18 May 2013 06:25

exim 4.80 and dovecot auth with dovecot 2.1.7 and alpine


Hi,

I had a working dovecot auth setup with exim 4.72 and then upgraded to 
4.80 (debian squeeze to wheezy upgrade), auth attempts with alpine now 
fail with exim saying:

2013-05-18 04:10:00 +0100 dovecot_plain authenticator failed for boole.london.hackspace.org.uk (limpit.dhcp.lan.london.hackspace.org.uk) [82.69.229.6]:51109: 501 Authentication cancelled
2013-05-18 04:10:00 +0100 SMTP syntax error in "[base64 encoded username + password]" H=boole.london.hackspace.org.uk (limpit.dhcp.lan.london.hackspace.org.uk) [82.69.229.6]:51109 unrecognized command

and dovecot saying:

May 18 04:10:00 monstrosity dovecot: auth: Warning: auth client 0 
disconnected with 1 pending requests: EOF

stracing the dovecot auth process (this is a 2nd connection, I might not 
have caught the whole conversation), fd 16 is the conversation with exim:

accept(9, {sa_family=AF_FILE, NULL}, [2]) = 16
fcntl(16, F_GETFL)                      = 0x2 (flags O_RDWR)
fcntl(16, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
write(5, "\347\24\0\0=\5\0\0\347\3\0\0", 12) = 12
read(4, "Mu\244f\30\231\215\365\232\367\22\261~\214\266,", 16) = 16
fstat(16, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
lseek(16, 0, SEEK_CUR)                  = -1 ESPIPE (Illegal seek)
getsockname(16, {sa_family=AF_FILE, path="/var/run/dovecot/auth-clie\227\177"}, [31]) = 0

Marc Perkel | 18 May 2013 06:38

setting spamd_address variable

I'd like to be able to do this:

spamd_address = 184.105.182.5${eval:${substr{-2}{1}{$tod_zulu}}%3} 783

But it doesn't work. I want to do load balancing between 3 spamd servers.

Thanks in advance

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

David Grant | 18 May 2013 00:58

Re: Exim appears to stop handling mail via the localuser router after a while

On 5/17/13 11:49 AM, Cyborg wrote:
> 
> That indicates usually, that something like a cache or a quota gets
> cleared and slowly filling back until up.
> 
> My last suggestion is: strace, my most loved debug tool ;)
> 
> just filter it to "open" and "stat" only mode, that will show fails very
> quickly.

Interesting... I narrowed down the problem message:

2013-05-17 14:15:10 [1495] 1UdRza-0000Nv-7W unable to set gid=1005 or uid=1005 (euid=101): userforward router (recipient is user@eff.org)
2013-05-17 14:15:10 [1493] 1UdRza-0000Nv-7W internal problem in userforward router (recipient is user@eff.org): failure to transfer data from subprocess: status=0100 readerror='Success'

Which makes my problem look precisely like this old thread:

http://www.gossamer-threads.com/lists/exim/users/6620

However, I have both no_verify and the exim binary sticky bit set.

Any suggestions on further troubleshooting much appreciated.

Thanks,
Starchy


David Grant | 17 May 2013 19:33

Re: Exim appears to stop handling mail via the localuser router after a while

On 5/17/13 4:16 AM, Cyborg wrote:
> 
> This is all you need to do (simplest setup):
> 
> spamd_address = 127.0.0.1 783
> ....
> acl_check_data:
> ...
> 
>   # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
>   # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
>   # score exceeds the SA system threshold.
> 
> warn    condition  = ${if eq{$authenticated_id}{} {1}{0}}
>               spam       = nobody/defer_ok
>               add_header = X-Spam-Flag: YES
> 
> warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
>                                       X-Spam-Report: $spam_report
> 
> deny    condition = ${if >{$spam_score_int}{${.....yourscore here.....}} {1}}
>             message = Your message scored $spam_score SpamAssassin points. Report follows:\n\
>                                  $spam_report
> 
> 
> It performs way better than your setup in high traffic environments,

soumya tr | 17 May 2013 17:42

Discard mails via exim filter

Hi,

Is there any way I can discard mails via exim filter?

Context: I am trying to discard mails on the basis of spam keywords.
Something like as shown below:

-------------------
if $header_subject: contains "Viagra"
then
  <discard mail with message Mail rejected due to spam keywords>
fi
---------------------

I tried with 'fail text' and 'logwrite'.

* With fail text: a bounce back mail is as well sent, which is not required
in my setup
* With 'logwrite': The permission of exim mainlog file is to be changed
[/var/log/exim_mainlog] to 0644 [now it's 0640].

Please let me know how I can discard the message [with just a message be
written to log and no bounce back].

In exim configuration we can use " discard message = xyz ". Is there any
similar way which we can use in exim filter file as well?

-- 
Regards,
Soumya

David Grant | 17 May 2013 02:36

Exim appears to stop handling mail via the localuser router after a while

Hello,

Our exim config passes mail to spamassassin with a spamcheck_router router:

spamcheck_router:
   no_verify
   check_local_user
   # When to scan a message :
   #   -   it isn't already flagged as spam
   #   -   it isn't already scanned
   condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}{spam-scanned}}} {1}{0}}"
   driver = accept
   transport = spamcheck

The spamcheck transport feeds the scanned email back to exim as protocol
spam-scanned:

spamcheck:
   debug_print = "T: spamassassin_pipe for $local_part@$domain"
   driver = pipe
   command = /usr/sbin/exim4 -oMr spam-scanned -bS
   use_bsmtp
   transport_filter = /usr/bin/spamc -u $local_part
   home_directory = "/tmp"
   current_directory = "/tmp"
   user = Debian-exim
   group = Debian-exim
   log_output = true
   return_fail_output

Marc Perkel | 17 May 2013 06:38

Sending information from Exim to SpamAssassin

Since Exim doesn't include messages headers that were added by ACLs when 
passing messages to SpamAssassin I was wondering if there were any 
tricks that anyone has to send information between Exim and SA?


Lena | 14 May 2013 18:08

Re: detection of "<>" in case of spam.

> From: Cyborg <cyborg2 <at> benderirc.de>

> how can i detect the usage of "<>" as sender of an email 
> in the smtp commands ?
> 
> this spam wasn't a bounce mail, just normal spam. Any way of deciding on 
> acl levels if it's a true bounce or just a spam ?

For slightly different spam:

acl_check_data:
  discard message = discarded because recognized as Ukrainian spam (type 2)
        senders = :
        condition = ${if eq{$received_protocol}{smtp}}
        condition = ${if !match{${local_part:$header_From:}}{(?i)daemon}}
        condition = ${if match{$message_headers_raw}\
                {\N\AReceived:(?:.+\n\t)+.+\n\
                Received: from unknown \(HELO localhost\) \
                \(([a-z._-]+@[a-z.-]+)@([\d.]+)\)\n\
                \tby \S+ with ESMTPA;.+\n\
                X-Originating-IP: \2\n\
                From: \1\n\
                To: \S+\n\
                Subject: [\x80-\xff ]+\n\
                Date:\N}}
# The second Received is fake.

> 
> 
> Spoolfileheader:

adam | 13 May 2013 23:30

how do I tls advertise to all hosts but not 1.2.3.4?

1) how do I tls_advertise to all hosts but not 1.2.3.4?
2) how do I tls advertise hosts only during outgoing exim deliveries and
not incoming smtp sessions?

QC | 13 May 2013 20:51

SOLVED: Re: All of a sudden mailing stops working, with msg "failed to expand helo_data..."

My DNS is configured properly.

I've solved the issue for now, by doing an end run around it. I've removed
exim4 and installed Postfix.

I'd still like to know what caused the issue. I first suspected a break-in,
and can't rule it out, but have confirmed cdorked is not running on the
server, and I wasn't really in the "at risk" group anyway (no cpanel).
Still the only logical answer is a backdoor attack, since "I" didn't change
anything to make it break. No updates, no modifications of files in or
close to the date range. The system had been running with a 100% (or nearly
so) uptime for 15 months (last time a HW upgrade was done) and the last
change occurred over a month ago.

DNS issues would have happened right away, or immediately after an
update/change.

Strange it was working, then 10 hours later it was not.

Thanks for responding,
Jack

On Mon, May 13, 2013 at 7:24 AM, Jeremy Harris <jgh <at> wizmail.org> wrote:

> On 11/05/2013 06:39, QC wrote:
>
>> 2013-05-08 10:38:35 Received from myid@myhost.com H=localhost (www.myhost.com) [127.0.0.1] P=esmtp S=2462 id=ecf6982263527ad20c5258c9ac102afa.squirrel@www.myhost.com
>> 2013-05-08 10:41:40 failed to expand helo_data: lookup of

Cyborg | 13 May 2013 18:16

detection of "<>" in case of spam.


Hi all,

small question, how can i detect the usage of "<>" as sender of an email 
in the smtp commands ?

this spam wasn't a bounce mail, just normal spam. Any way of deciding on 
acl levels if it's a true bounce or just a spam ?

Spoolfileheader:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1Ubv3c-0005Vw-QO-H
exim 93 93
<>
1368460380 0
-helo_name 213.227.201.41
-host_address 213.227.201.41.29058
-host_name 213-227-201-41.static.vega-ua.net
-interface_address XXXXXXXXXXXXXXXXXXXXXXXXXXX
-received_protocol smtp
-aclm _fromaddress 26
----RECIPIENT----
-aclm _greylistreasons 51
Message lacks Message-Id: header. Consult RFC2822.

-body_linecount 27
-max_received_linelength 82
-frozen 1368460381
XX
1