Tristan Schmelcher | 17 Dec 00:24 2014
Picon

Verifying cert CN/SAN against hostname

Hello,

When using TLS certificate verification on outgoing SMTP, is it
possible to enable verification of the remote server certificate's
Common Name or Subject Alternate Name against the server hostname
configured in the route_list ? It seems that even when
tls_verify_certificates is set there is no verification of the CN/SAN.

I am thinking there may be a way to achieve this verification with
$tls_out_peerdn but it's not clear to me how. Has anyone done this
before? My server requires authentication so I would like to do this
to prevent a MitM attack from stealing my auth credentials.

--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Bertrand Cherrier | 18 Dec 00:23 2014

Different auth validation fore relay and local domains

Greetings,

I’m in need for help !

My goal is to validate sender domain with auth domain for relay enabled domains (usually only one account is
used for theses users)
And also to validate sender address with auth address for local virtual domains 

I thought I could do it this way :

  deny
        domains         = +relay_domains
        authenticated   = *
        condition       = ${if eq{$sender_address_domain}{${domain:$authenticated_id}}{no}{yes}}
        message         = domaine authentifié et domaine mail non identiques
        log_message     = DENY RELAY : $sender_address_domain is not equal to {domain:$authenticated_id}

  deny
        domains         = +local_domains
        authenticated   = *
        condition       = ${if eq{$sender_address}{$authenticated_id}{no}{yes}}
        message         = adresse authentifiée et adresse mail non identiques
        log_message     = DENY : $sender_address is not equal to $authenticated_id

But if it passes the first (relay domain) it gets rejected by the second :(
Obviously it doesn’t care about the domains = directive and does exactly the same if I comment out authenticated

I must have missed something and/or I just don’t get how the domains directive works 
Can someone please explain it to me and point me in the right direction ? 

(Continue reading)

Juan Bernhard | 16 Dec 17:31 2014
Picon

How to be resilient to mysql server unreachable?


Hi list, im planning to implement a vacation message using a mysql
server, and i would like that when the mysql server were down, the exim
continues delivering messages and ignoring the vacation (failing the
lookup). The mysql server only has the vacation info, the rest are done
by local files and unix users.
I didnt find a clear answer in the documentation (section 9.5) about
what happens when a lookup can't reach the sql server (temporary errors?
its use the retry configuration? will drop messages or fail the look up?)

This is what I added to the configure file:

vacation_router:
        driver = accept
        check_local_user

        condition = ${lookup mysql \
{SELECT mailbox FROM vacation\
WHERE mailbox='${quote_mysql:$local_part}'} {true }{false}}

        transport = vacation_transport
        unseen

vacation_transport:

        driver = autoreply

        from = ${lookup mysql \
{SELECT remitente FROM vacation\
 WHERE mailbox='${quote_mysql:$local_part}'}}
(Continue reading)

Sławomir Dworaczek | 15 Dec 13:39 2014

Save attachment to director

Helo
How to save attachemt mail to directory when sender address user <at> domain and 
delivery to user <at> main_domain

Thanks
Slawek

--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

AC | 15 Dec 22:39 2014
Picon

Re: Send by smarthost then failover direct (Jeremy Harris)

Jeremy Harris wrote:
> Option 1:
> 
> Typically a smarthost setup uses a manualroute router.
> These take a list of hosts, which unless you specify randomness
> are tried in order.
> 
> The list is expanded before use, so you could build
> it using the domain of the mail recipient.  You will
> have to do the MX lookups...
> 
> http://exim.org/exim-html-current/doc/html/spec_html/ch-the_manualroute_router.html
> 
> 
> Option 2:
> 
> Fiddle with "condition = ${if first_delivery}" on
> the smarthost router and the inverse on the
> backup.  Have a shortish initial retry time
> (see both Retry Rules *and* the queue-runner
> repeat time).

I currently have in one of the machines using a smarthost:

smarthost:
  debug_print = "R: smarthost for $local_part <at> $domain"
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp_smarthost
  route_list = * DCsmarthost byname
(Continue reading)

AC | 15 Dec 00:17 2014
Picon

Send by smarthost then failover direct

I've searched many places but I can't seem to find a way to configure
exim to attempt to send mail first by a smarthost and then, if the
smarthost does not respond, send direct.

I see the reverse frequently using fallback_hosts to fail over from
direct to smarthost but I can't seem to find anything about going the
other way around.

--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Jonathan Gilpin | 12 Dec 22:27 2014
Picon

spam sent by non-existent users


Hi,

I have found spam has been sent out through our server by authenticated users which don’t exist..

e.g
2014-12-08 22:37:08 1Xy6vT-0006KE-1y SA: Action: Not running SA because SAEximRunCond expanded to
false (Message-Id: 1Xy6vT-0006KE-1y). From <yelbigoldmines <at> gmail.com
<mailto:yelbigoldmines <at> gmail.com>> (host=NULL [195.154.199.164]) for tracy <at> intersport.com.hk <mailto:tracy <at> intersport.com.hk>
2014-12-08 22:37:08 1Xy6vT-0006KE-1y <= yelbigoldmines <at> gmail.com
<mailto:yelbigoldmines <at> gmail.com> H=(web.de <http://web.de/>) [195.154.199.164] P=esmtpa
A=fixed_login:info <at> e-comlaw.com <http://e-comlaw.com/> S=2133
id=JNqmaVuylGLest4hVdxlRBJCQCkNgGpq2buEVdeOPkE3 <at> gmail.com <mailto:id=JNqmaVuylGLest4hVdxlRBJCQCkNgGpq2buEVdeOPkE3 <at> gmail.com>
2014-12-08 22:37:10 1Xy6vT-0006KE-1y => tracy <at> intersport.com.hk
<mailto:tracy <at> intersport.com.hk> R=dnslookup T=remote_smtp H=mta1b.swcm.zscloud.net
<http://mta1b.swcm.zscloud.net/> [195.65.152.39] X=TLSv1:AES256-SHA:256 C="250 Email accepted
successfully (id=5486281510670000)"
2014-12-08 22:37:10 1Xy6vT-0006KE-1y Completed

2014-12-08 10:39:20 1Xxviq-000FQ9-Fz SA: Action: Not running SA because SAEximRunCond expanded to
false (Message-Id: 1Xxviq-000FQ9-Fz). From <mrsivonneemile <at> gmail.com
<mailto:mrsivonneemile <at> gmail.com>> (host=NULL [62.210.205.210]) for bantqueci <at> financier.com
<mailto:bantqueci <at> financier.com>, echezonaijoma74 <at> hotmail.com
<mailto:echezonaijoma74 <at> hotmail.com>, marcelinpagoua <at> yahoo.com
<mailto:marcelinpagoua <at> yahoo.com>, toscaca <at> yahoo.com <mailto:toscaca <at> yahoo.com>
2014-12-08 10:39:20 1Xxviq-000FQ9-Fz <= mrsivonneemile <at> gmail.com
<mailto:mrsivonneemile <at> gmail.com> H=(User) [62.210.205.210] P=esmtpa
A=fixed_login:info <at> e-comlaw.com <http://e-comlaw.com/> S=1688
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz => marcelinpagoua <at> yahoo.com
<mailto:marcelinpagoua <at> yahoo.com> R=dnslookup T=remote_smtp H=mta7.am0.yahoodns.net
(Continue reading)

davide.galax@gmail.com | 12 Dec 11:54 2014
Picon

Block spoofed unauthenticated spam mail

Hello,

I'm running exim on a cPanel server and I need to block all 
unauthenticated mail (sent from mail() function of php) only when the 
sender is setting up a from address with an external domain (not the 
local main domain)

There is a way to do this with exim rules? If yes, can you tell me the 
rules that I need to put into exim configuration?

Thanks a lot

--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Ted Cooper | 12 Dec 04:32 2014
Picon

Return the key from an lsearch instead of $value

I have a file which lists net ranges which I treat very differently as
they come into the mail server. The format is pretty much just keys and
comments - I don't care for the returned value, just that the lookup
succeeds, and hopefully what the key value was. I have comments in the
file to remind me why I decided to add the range to the list also.

From all that I have read in the docs, getting the hit key is not an option.

eg. file
128.103.0.0/16 # Harvard University

The lookup is along the lines of:
condition = ${lookup {$sender_host_address} \
  iplsearch{LOOKUPFILES/listfile} \
  {yes}{no} }

I know $value will give me everything after the matched key, which in
this case is "# Harvard University", but is it possible to return the
matched key instead?

The only possible method I have hit upon is to use the format of <lookup
key>: <lookup key>: eg.

128.103.0.0/16:	128.103.0.0/16

This gets me what I want, but I lose my comments on the same line. Or
perhaps using ${extract{<key>} ..} :

128.103.0.0/16:	v=128.103.0.0/16 c="Harvard University"

(Continue reading)

Sławomir Dworaczek | 8 Dec 14:11 2014

Re: Deny send login name aliases

Heloo
Sory, not working.
Panic log say:
Failed to expand "
${if eq{$authenticated_id}\
                              {${lookup{$sender_address}lsearch{/etc/exim/$domain}}}\
                            {$sender_address}}" while checking a list: 
failed to open /etc/exim/gmail.com for linear search . No such file or 
direstory

Thanks 

--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Rob Gunther | 9 Dec 12:51 2014
Picon

Garbage Characters In Log

I have Exim logging message subjects in messages.

Most of the time there is no issue, but some messages are using who know
what type of encoding and I end up with what looks like trash in the
subjects.

T="SPAM: ���γɳΪӪŪЪ㪹�IJ�òŲֲ��ܲwphilbrick"

T="\033$B!Z4|4V8BDj!*%]%$%s%H\033(B10\033$BG\\\033(B\033$B!y![?)$NJu8K!Z6e=#![$N?):`$r87A*!*!V\033(B\033$BGnB?IgMV!W4F=$!*!VC"

Anyone know of a way to figure out what these subjects are?
--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Gmane