[volunteers] Renewal reminder mails from joker.com

Marc MERLIN marc_news at merlins.org
Mon Aug 1 22:23:16 PDT 2016


On Mon, Aug 01, 2016 at 06:08:25PM -0700, Rick Moen wrote:
> Marc, can you spot what ACL needs tweaking?  Thanks for any help.
 
sadly I can't even log in anymore, no idea what my password was.

But without looking, exim thinks svlug.org is not a local domain so it
refuses to relay for it.
You can probably add it to 
/etc/mail/domains/localdomains or somesuch

This likely broke because the hostname probably isn't svlug.svlug.org so
svlug.org isn't a default domain anymore
(totally guessing since I can't look)

Marc
 
> svlug.org was due to expire on Aug. 6th.  As mentioned, I was on the
> ball and renewed it.  Joker.com's renewal reminders were supposed to go to
> 'president at svlug.org', which resolves locally to this mailing list.  We
> didn't get them.
> 
> 
> NOTE:  Never rely on reminder e-mails.  As if that weren't obvious.
> 
> 
> On lists.svlug.org, in the chroot, in /var/log/exim4/rejectlog, one
> sees:
> 
> 2016-08-01 17:22:04 H=mailout1.joker.csl.de [194.245.148.146]:58759 I=[71.19.144.13]:25 F=<joker-bounce at joker.com> rejected RCPT <president at svlug.org>: authentication required
> 2016-08-01 17:22:04 H=mailout1.joker.csl.de [194.245.148.146]:58761 I=[71.19.144.13]:25 F=<joker-bounce at joker.com> rejected RCPT <president at svlug.org>: authentication required
> 
> Earlier, in rejectlog.6.gz, we see:
> 
> 2016-07-27 03:50:40 H=mailout1.joker.csl.de [194.245.148.146]:36968 I=[71.19.144.13]:25 F=<donotreplyerrp-president=svlug.org at bounce.joker.com> rejected RCPT <president at svlug.org>: authentication required
> 
> 
> mainlog has:
> 
> 
> 2016-08-01 17:22:04 H=mailout1.joker.csl.de [194.245.148.146]:58759 I=[71.19.144.13]:25 F=<joker-bounce at joker.com> rejected RCPT <president at svlug.org>: authentication required
> 2016-08-01 17:22:04 H=mailout1.joker.csl.de [194.245.148.146]:58761 I=[71.19.144.13]:25 F=<joker-bounce at joker.com> rejected RCPT <president at svlug.org>: authentication required
> 
> 
> Can be verified manually:
> 
> 
> [rick at linuxmafia] 
> ~ $ telnet lists.svlug.org 25
> Trying 71.19.144.13...
> Connected to lists.svlug.org.
> Escape character is '^]'.
> 220 mail.svlug.org ESMTP Exim 4.44 #1 Mon, 01 Aug 2016 17:43:51 -0700 - mm9
> HELO joker.com
> 250 mail.svlug.org Hello linuxmafia.com [198.144.195.186]
> MAIL FROM: <joker-bounce at joker.com>
> 250 OK
> RCPT TO: <president at svlug.org>
> 550 authentication required
> quit
> 221 mail.svlug.org closing connection
> Connection closed by foreign host.
> [rick at linuxmafia]
> ~ $ 
> 
> 
> The 'authentication required' SMTP 550 refusal is somewhat generic.  The
> receiving MTA is basically just saying it doesn't like the claimed
> sender and isn't really saying why.
> 
> 
> As a scattershot (because I haven't taken the time to dig deeper), I've
> tried adding the sending MTA's IP or hostname (as appropriate) to a
> bunch of the Exim ACL files in /etc/exim4/acls, but made no improvement.
> (I just backed out those additions, as they didn't help.)
> 
> 
> The check in question appears to be:
> 
> lists:/etc/exim4/acls# cd ..
> lists:/etc/exim4# grep -r 'authentication required' *
> conf.d/acl/29_check_rcpt_end:          message	= authentication required
> lists:/etc/exim4# 
> 
> 
> That rules file contains:
> 
>   # Accept if the address is in a local domain, but only if the recipient can
>   # be verified. Otherwise deny. The "endpass" line is the border between
>   # passing on to the next ACL statement (if tests above it fail) or denying
>   # access (if tests below it fail).
>   accept  domains       = +local_domains
>           endpass
>           message       = unknown user
>           verify        = recipient
> 
>   # Accept if the address is in a domain for which we are relaying, but again,
>   # only if the recipient can be verified (this saves your secondary
>   # MXes from accepting mail that they then can't send to your primary
>   # MX)
>   accept  domains       = +relay_to_domains
>           endpass
>           message       = unrouteable address
>           verify        = recipient/callout=30s/callout_defer_ok
> 
>   # If control reaches this point, the domain is neither in +local_domains
>   # nor in +relay_to_domains.
> 
>   # Accept if the message comes from one of the hosts for which we are an
>   # outgoing relay. Recipient verification is omitted here, because in many
>   # cases the clients are dumb MUAs that don't cope well with SMTP error
>   # responses. If you are actually relaying out from MTAs, you should probably
>   # add recipient verification here.
>   accept  hosts         = +localadds:+relay_from_hosts
>           verify        = recipient
> 
> 
>   accept  hosts         = +auth_relay_hosts
>           endpass
>           message       = authentication required
>           authenticated = *
> 
>   warn    message       = X-Broken-Reverse-DNS: no host name found for IP addres
> s $sender_host_address
>          !verify        = reverse_host_lookup
> 
> 
>   # Reaching the end of the ACL causes a "deny", but we might as well give
>   # an explicit message.
>   deny    message       = relay not permitted
>           delay         = TEERGRUBE
> 

-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/                         | PGP 1024R/763BE901



More information about the volunteers mailing list