Tristan Schmelcher | 17 Dec 00:24 2014

Verifying cert CN/SAN against hostname


When using TLS certificate verification on outgoing SMTP, is it
possible to enable verification of the remote server certificate's
Common Name or Subject Alternate Name against the server hostname
configured in the route_list ? It seems that even when
tls_verify_certificates is set there is no verification of the CN/SAN.

I am thinking there may be a way to achieve this verification with
$tls_out_peerdn but it's not clear to me how. Has anyone done this
before? My server requires authentication so I would like to do this
to prevent a MitM attack from stealing my auth credentials.


## List details at
## Exim details at
## Please use the Wiki with this list -

Bertrand Cherrier | 18 Dec 00:23 2014

Different auth validation for relay and local domains


I’m in need of help!

My goal is to validate sender domain with auth domain for relay enabled domains (usually only one account is
used for these users)
And also to validate sender address with auth address for local virtual domains

I thought I could do it this way :

        domains         = +relay_domains
        authenticated   = *
        condition       = ${if eq{$sender_address_domain}{${domain:$authenticated_id}}{no}{yes}}
        message         = domaine authentifié et domaine mail non identiques
        log_message     = DENY RELAY : $sender_address_domain is not equal to ${domain:$authenticated_id}

        domains         = +local_domains
        authenticated   = *
        condition       = ${if eq{$sender_address}{$authenticated_id}{no}{yes}}
        message         = adresse authentifiée et adresse mail non identiques
        log_message     = DENY : $sender_address is not equal to $authenticated_id

But if it passes the first (relay domain) it gets rejected by the second :(
Obviously it doesn’t care about the domains = directive and does exactly the same if I comment out authenticated

I must have missed something and/or I just don’t get how the domains directive works 
Can someone please explain it to me and point me in the right direction ? 


Juan Bernhard | 16 Dec 17:31 2014

How to be resilient to mysql server unreachable?

Hi list, I'm planning to implement a vacation message using a MySQL
server, and I would like that when the MySQL server is down, Exim
continues delivering messages and ignores the vacation (failing the
lookup). The MySQL server only has the vacation info; the rest is done
by local files and Unix users.
I didn't find a clear answer in the documentation (section 9.5) about
what happens when a lookup can't reach the SQL server (temporary errors?
does it use the retry configuration? will it drop messages or fail the lookup?)

This is what I added to the configure file:

        driver = accept

        condition = ${lookup mysql \
{SELECT mailbox FROM vacation \
WHERE mailbox='${quote_mysql:$local_part}'} {true}{false}}

        transport = vacation_transport


        driver = autoreply

        from = ${lookup mysql \
{SELECT remitente FROM vacation \
 WHERE mailbox='${quote_mysql:$local_part}'}}

Sławomir Dworaczek | 15 Dec 13:39 2014

Save attachment to directory

How to save attachment mail to directory when sender address user <at> domain and 
delivery to user <at> main_domain




AC | 15 Dec 22:39 2014

Re: Send by smarthost then failover direct (Jeremy Harris)

Jeremy Harris wrote:
> Option 1:
> Typically a smarthost setup uses a manualroute router.
> These take a list of hosts, which unless you specify randomness
> are tried in order.
> The list is expanded before use, so you could build
> it using the domain of the mail recipient.  You will
> have to do the MX lookups...
> Option 2:
> Fiddle with "condition = ${if first_delivery}" on
> the smarthost router and the inverse on the
> backup.  Have a shortish initial retry time
> (see both Retry Rules *and* the queue-runner
> repeat time).

I currently have in one of the machines using a smarthost:

  debug_print = "R: smarthost for $local_part@$domain"
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp_smarthost
  route_list = * DCsmarthost byname

AC | 15 Dec 00:17 2014

Send by smarthost then failover direct

I've searched many places but I can't seem to find a way to configure
exim to attempt to send mail first by a smarthost and then, if the
smarthost does not respond, send direct.

I see the reverse frequently using fallback_hosts to fail over from
direct to smarthost but I can't seem to find anything about going the
other way around.



Jonathan Gilpin | 12 Dec 22:27 2014

spam sent by non-existent users


I have found spam has been sent out through our server by authenticated users which don’t exist.

2014-12-08 22:37:08 1Xy6vT-0006KE-1y SA: Action: Not running SA because SAEximRunCond expanded to
false (Message-Id: 1Xy6vT-0006KE-1y). From <yelbigoldmines <at>> (host=NULL []) for tracy <at>
2014-12-08 22:37:08 1Xy6vT-0006KE-1y <= yelbigoldmines <at> H=( <>) [] P=esmtpa
A=fixed_login:info <at> <> S=2133
id=JNqmaVuylGLest4hVdxlRBJCQCkNgGpq2buEVdeOPkE3 <at>
2014-12-08 22:37:10 1Xy6vT-0006KE-1y => tracy <at> R=dnslookup T=remote_smtp
<> [] X=TLSv1:AES256-SHA:256 C="250 Email accepted
successfully (id=5486281510670000)"
2014-12-08 22:37:10 1Xy6vT-0006KE-1y Completed

2014-12-08 10:39:20 1Xxviq-000FQ9-Fz SA: Action: Not running SA because SAEximRunCond expanded to
false (Message-Id: 1Xxviq-000FQ9-Fz). From <mrsivonneemile <at>> (host=NULL []) for bantqueci <at>,
echezonaijoma74 <at>, marcelinpagoua <at>, toscaca <at>
2014-12-08 10:39:20 1Xxviq-000FQ9-Fz <= mrsivonneemile <at> H=(User) [] P=esmtpa
A=fixed_login:info <at> <> S=1688
2014-12-08 10:39:22 1Xxviq-000FQ9-Fz => marcelinpagoua <at> R=dnslookup T=remote_smtp

| 12 Dec 11:54 2014

Block spoofed unauthenticated spam mail


I'm running exim on a cPanel server and I need to block all 
unauthenticated mail (sent from mail() function of php) only when the 
sender is setting up a from address with an external domain (not the 
local main domain)

Is there a way to do this with exim rules? If yes, can you tell me the 
rules that I need to put into exim configuration?

Thanks a lot



Ted Cooper | 12 Dec 04:32 2014

Return the key from an lsearch instead of $value

I have a file which lists net ranges which I treat very differently as
they come into the mail server. The format is pretty much just keys and
comments - I don't care for the returned value, just that the lookup
succeeds, and hopefully what the key value was. I have comments in the
file to remind me why I decided to add the range to the list also.

From all that I have read in the docs, getting the hit key is not an option.

eg. file # Harvard University

The lookup is along the lines of:
condition = ${lookup {$sender_host_address} \
  iplsearch{LOOKUPFILES/listfile} \
  {yes}{no} }

I know $value will give me everything after the matched key, which in
this case is "# Harvard University", but is it possible to return the
matched key instead?

The only possible method I have hit upon is to use the format of <lookup
key>: <lookup key>: eg.

This gets me what I want, but I lose my comments on the same line. Or
perhaps using ${extract{<key>} ..} :	v= c="Harvard University"


Sławomir Dworaczek | 8 Dec 14:11 2014

Re: Deny send login name aliases

Sorry, not working.
Panic log says:
Failed to expand "
${if eq{$authenticated_id}\
                            {$sender_address}}" while checking a list: 
failed to open /etc/exim/ for linear search . No such file or 




Rob Gunther | 9 Dec 12:51 2014

Garbage Characters In Log

I have Exim logging message subjects in messages.

Most of the time there is no issue, but some messages are using who knows
what type of encoding and I end up with what looks like trash in the

T="SPAM: ���γɳΪӪŪЪ㪹�IJ�òŲֲ��ܲwphilbrick"


Anyone know of a way to figure out what these subjects are?
