Question about a few options

Richard G

Richard G

Verified User
Joined
Jul 6, 2008
Messages
12,773
Location
Maastricht
I was thinking about entirely going over from the original 2.x exim.conf to spamblocker 4.
So I was looking for things which were present in my 2.x version and not in spamblocker 4 and I was surprised that it were only a few lines.

1.)no_local_from_check
I don't remember why I put that in there every time. I guess because some scripts were causing troubles if this line was not present.

2.) trusted_groups = apache
I'm missing that line in SB 4. I'm using mod_ruid2 and I remember having to put this line in the configuration for webmail to work correctly.
Is that still necessary or can this safely be left out like it is in SB 4?

3.) smtp_max_unknown_commands = 10
I read this on a forum about mail security and that it was a good idea to implement this.
Why is this not in SB 4? Wouldn't it be a good idea to put it in? And if not, why not?
 
Richard G said:
1.)no_local_from_check
I don't remember why I put that in there every time. I guess because some scripts were causing troubles if this line was not present.
Click to expand...
Google has no helpful information on no_local_from so I'm not even sure what it does. Is it a misspelling? I did find this in the exim documentation (Chapter 14 - Main Configuration).
local_from_check Use: main Type: boolean Default: true
When a message is submitted locally (that is, not over a TCP/IP connection) by an untrusted user, Exim removes any existing Sender: header line, and checks that the From: header line matches the login of the calling user and the domain specified by qualify_domain.
Click to expand...

2.) trusted_groups = apache
I'm missing that line in SB 4. I'm using mod_ruid2 and I remember having to put this line in the configuration for webmail to work correctly.
Is that still necessary or can this safely be left out like it is in SB 4?
Only if you need it. From the same documentation:
[quot]etrusted_groups Use: main Type: string list† Default: unset
This option is expanded just once, at the start of Exim’s processing. If this option is set, any process that is running in one of the listed groups, or which has one of them as a supplementary group, is trusted. The groups can be specified numerically or by name. See section 5.2 for details of what trusted callers are permitted to do. If neither trusted_groups nor trusted_users is set, only root and the Exim user are trusted.
Click to expand...
But my gut feeling is that it isn't needed, because most of us aren't sending email as user apache or as a user in the apache group. I know I'm not because I use mod_ruid2.
3.) smtp_max_unknown_commands = 10
I read this on a forum about mail security and that it was a good idea to implement this.
Why is this not in SB 4? Wouldn't it be a good idea to put it in? And if not, why not?
Click to expand...
It's not in there because I never put it in. Maybe it should be. Up to you.

Any comments on whether or not it should be a part of exim.conf?

Jeff
 
Hello Jeff.
Did you make a typo when searching Google about the no_local_from_check? It's there, even in the Exim documentation:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html
And this why sometime's it's done:
http://www.electrictoolbox.com/prevent-sender-header-exim/
Easy to find with Google and Directadmin even has a help file on it:
http://help.directadmin.com/item.php?id=257
Maybe I put it in there to make it possible for root to send out mails.

2.) The trusted_groups = apache
I've searched and found in a thread of mine on another forum that it was indeed for mod_ruid2 so scripts sending mail out as [email protected] instead of [email protected] would not be refused because @server.domain.com is not an existing domain.

So I think those are solved.

3.) Just found by accident that it does not need to be present in Exim 4.
smtp_max_unknown_commands Use: main Type: integer Default: 3
Click to expand...
The default value is 3. The line is only necessary to give in a lower or higher value, which normally should not be needed.
So this issue is solved too.

In this case you can also remove the smtp_accept_max_nonmail = 10 from SB4 because since Exim for this is also the default value:
smtp_accept_max_nonmail Use: main Type: integer Default: 10
Click to expand...

According to the docs:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html
 
Hi Richard,

this was the thread i was supposed to had reply with the "send suggestions to john" reply :)

But apparently are not adds needed.

I do use mod_ruid2 and exim SB and there is no edits need, neither for truster_groups.

Regarding the no_local_from_check well, that would actually be useful, maybe you should talk to John about this.

More specific, is to add no_local_from_check in #EDIT#6: right after the already present "untrusted_set_sender = *"

Regards
 
Yes i had but just for my services (nagios), never actually bored about that and always sayd my customers to use smtp for outgoing mails :)

Regards
 
With shared hosting, we'd be very hesitant to trust everyone by default.
By adding that, unless I'm mistaken, it allows the sending script to set whatever they want, making tracking much more tricky.
The newer exim.conf files (from 4.2.3+) allows for script-based counting/blocking, so as long as the script sends as the User, it might be possible to loosen the knot slightly.. but more testing is still needed on these versions before we could consider that, to ensure that the other scanning/blocking mechanisms are working. (If you do want to try it, use 4.3.0, but it's still alpha. 4.2.3 was just a step towards 4.3.0, but is in the same boat)

FYI, the setting has been documented here for a while:
http://help.directadmin.com/item.php?id=257

John
 
I know that documentation, I quoted it on my reply to Jeff too.

Problem is however, that it's best that scripts do not send out mail with the hostname of the server like @server.domain.com but because then it would be rejected by Exim because it's @server.domain.com is not a valid domain. Next to that one want's to send out mail as @domain.com and not as @server.domain.com.
On some scripts, if users don't fill in what they need to fill in, mail is send as @server.domain.com instead of @theirdomain.com which is undesirable behaviour.
Since php has the mail.add_x_header active by default since 5.3, it should be fairly easy to find the script which is causing trouble when something goes wrong.
 
I've added that option for test but it fail cause already in use in SB 4.3

Code: 
>/etc/init.d/exim restart
Shutting down exim: /etc/init.d/exim: line 40: kill: (3433) - No such process

Starting exim: 2014-12-01 11:17:05 Exim configuration error in line 95 of /etc/exim.conf:
  "local_from_check" option set for the second time

I've checked the config and actually there is something similary that i suppose do the same thing

#EDIT#8:
local_from_check = false

So, maybe is already default in SB 4.3 that option, am i right?

Regards
 
You might be correct.
I'm not sure what's the difference between local_from_check and no_local_from_check.

I tried to use the 4.3 exim.conf and set eximconf=yes and eximconf_release=4.3 but I did not get the 4.3 exim.conf spamblocker thing.
Was I doing something wrong?
 
Oh LoL, no I did ./build exim because I thought it would be placed there automatically like with php.ini when the conf setting is set to yes.

However, afterwards I did a ./build all d and it wasn't placed either, but I'm not sure, when doing that the conf setting might have been to "no" again.
I will try that later. The exim part is runnig correctly for now.
Still very very confused about the other problem (webmail).
 
Thanks for solving my problems, and adding some nice features! :)

Back to spambocker 4.3. A while ago somewhere on several forums about usefull extended exim logging Put these lines under log_selector which I don't see:
+address_rewrite \
+all_parents \
+connection_reject \

I don't know exactly what +all_parents does, but connection_rejects and address_rewrite would be usefull wouldn't they?
 
I'm getting back at this issue because I found some nice info on:
2.) trusted_groups = apache
Click to expand...

I just checked and some email got the wrong return path, in spite of the fact that phpBB does set a correct return path.
However, phpBB (and many other scripts, also SMF forums) do not use sendmail's -f flag, and this is what's going to happen:

Processes running as root or the Exim user are always trusted. Other trusted users are defined by the trusted_users or trusted_groups options. In the absence of -f, or if the caller is not trusted, the sender of a local message is set to the caller’s login name at the default qualify domain.
Click to expand...
So if the correct return-path is set, but the -f flag is not used, the return-path is set to the users system account. Which we don't want.
We want the correct return-path.

I don't know of any other possibility to achieve this, please let me know if you do.
But I don't want to get all users via cron's in a list with trusted users and I don't want to use the -f flag in php.ini because in that case you get those "in behalve of" messages in Outlook.

In older exim.conf's I see also this:
Code: 
trusted_users = mail:majordomo:apache:diradmin
Which is missing in the newer spamblocker.conf also. This is not needed anymore?
 
4.3.X moved it to /etc/exim.variables.conf. (#EDIT#22)
To change it, add it to exim.variables.conf.custom, and see this guide:
http://help.directadmin.com/item.php?id=576

The CB code will merge the exim.variables.conf.custom and exim.variables.conf.default, into the exim.variables.conf. (exim doesn't allow variables to be set twice, hence the need for this)

John
 
You must log in or register to reply here.
Back
Top