backscatter issue with exim config??

[nobaloney]

The real question is what does exim look for as the sender? Since they use the plural, senders, I'm just not sure and will try to find out today.

So far all I've found is here; if you search for mailer daemon you'll read:

MAILER-DAEMON is used by Exim as the sender address in bounce messages. It is also recommended that root be set up as an alias for an administrator, especially when deliveries are being run under the permissions of the recipient users, in order to avoid running any delivery as root.

I've always taken this to mean that when you check for senders in an acl you'll find Mailer-Daemon. Maybe I'm wrong.

Also note lines 836 through 849 and 851 through 863 in my exim.conf file found here.

I didn't write this code; it may have been written by John or Mark as original DirectAdmin code. It also presumes that you can identify mailer-daemon sent email by looking at the sender.

Also look at paragraph A.12.12, here.

I'm going to ask on the exim-users list. In the meantime, since the ACL does no harm, there's no reason to make any change.

Jeff

 

[nieuwhier]

Hi. I implemented the newest spamblocker3 on my servers a few weeks ago.
Reason was the increasing number of times that one of my ip's was listed on backscatterer.org.

I thought the problem was solved but this week more ip's came on that list. (with
This week however more ip's became listed so the problem is growing I guess.

I will try to find some answer myself too.

 

[nieuwhier]

PCreate:
/usr/local/directadmin/scripts/domain_create_post.sh

Shouldn't this be:

/usr/local/directadmin/scripts/custom/domain_create_post.sh

 

[nieuwhier]

echo "*: :fail:" >> $FILE.tmp

This should not be in this script I think, it removes all catch-all addresses?

 

[nobaloney]

I'm going to test a backscatter solution which may work for us. I've been delayed because I had our main office system fail, and I've been busy restoring it.

Jeff

 

[ClayRabbit]

Also note lines 836 through 849 and 851 through 863 in my exim.conf file found here.

I believe those sender checks inside routers is useless (and incorrect) since commonly server is generating bounces and auto-replies to regular email-addresses but not to "mailer-daemon@.*" and etc, since return-path (and $sender_adddress) for such messages is <> - empty.

Also look at paragraph A.12.12, here.

Example in A.12.2 is pretty correct.
Condition

!senders       = : postmaster@*

means sender is not empty (sic!) and not postmaster@.

 

[ClayRabbit]

Last few days I have worked on solution to cover issues I have stated before.
Here is the example
1) To prevent bounces about quota overusage, I have created folowing ACL ruleset:

  # User quota check
  warn  domains = +local_domains
        set acl_m_dontcare = ${if eq{$domain}{$primary_hostname} {$local_part} {${lookup{$domain}lsearch{/etc/virtual/domainowners}}}}
        condition = ${if !eq{$acl_c_rcptuser}{$acl_m_dontcare}}
        set acl_c_rcptuser = $acl_m_dontcare
        set acl_c_quotauser = ${if and{{def:acl_c_rcptuser}{exists{/home/$acl_c_rcptuser/}}} \
                                {${run{/usr/bin/quota "-f/home/$acl_c_rcptuser/" -q "$acl_c_rcptuser"}{}{1}}}{0}}

  defer domains = +local_domains
        condition = $acl_c_quotauser
        message = User quota exceeded
        log_reject_target = reject

  # Virtual mailbox quota check
  warn  domains = +local_domains
        condition = ${if !eq{$acl_c_rcpt}{$local_part@$domain}}
        set acl_m_dontcare = /home/$acl_c_rcptuser/imap/$domain/$local_part/Maildir/maildirsize
        set acl_c_rcpt = $local_part@$domain
        set acl_c_quotavirtual = ${if eq{$domain}{$primary_hostname} {no} \
                                {${if exists{$acl_m_dontcare} {${perl{check_maildirsize}{$acl_m_dontcare}}}{false}}}}

  deny  domains = +local_domains
        condition = $acl_c_quotavirtual
        condition = ${if >{${eval:$tod_epoch-$acl_c_quotavirtual}}{432000}}
        message =  Mailbox quota exceeded for a long time
        log_reject_target = reject

  defer domains = +local_domains
        condition = $acl_c_quotavirtual
        message = Mailbox quota exceeded
        log_reject_target = reject

Also

  quota_is_inclusive = false
  maildir_use_size_file

should be added to virtual_localdelivery: router inside exim.conf

check_maildirsize function inside exim.pl:

sub check_maildirsize
{
    my $quota;
    my $limit;
    my ($sizefile) = @_;
    if ($sizefile) {
        open (FILE, $sizefile) || return 0;
        $_=readline (FILE);
        ($limit) = (/^(\d+)S/);
        if ($limit){
            $quota=0;
            while (<FILE>) { ($_) = split(/\s/); $quota+=$_; }
            if ($quota >= $limit) {
                $quota = (stat(FILE))[9];
                close (FILE);
                return $quota;
            }
        }
        close (FILE);
    }

    return 0;
}

dovecot.conf modifications needed for maildirsize file handling:

--- dovecot.conf      2007-10-23 05:22:56.000000000 +0400
+++ dovecot.conf      2009-10-30 00:46:55.000000000 +0300
@@ -65,6 +65,8 @@

 protocol imap {

+  mail_plugins = quota imap_quota
+
   # Maximum IMAP command line length in bytes. Some clients generate very long
   # command lines with huge mailboxes, so you may need to raise this if you get
   # "Too long argument" or "IMAP command line too large" errors often.
@@ -107,6 +109,8 @@

 protocol pop3 {

+  mail_plugins = quota
+
   # Don't try to set mails non-recent or seen with POP3 sessions. This is
   # mostly intended to reduce disk I/O. With maildir it doesn't move files
   # from new/ to cur/, with mbox it doesn't write Status-header.
@@ -230,3 +234,6 @@
   #count = 1
 }

+plugin {
+  quota = maildir:ignore=Trash
+}

Quota file should be readable by exim uid/gid (or by world) for user quota check to work.

Oh. Almost forgotten... Virtual mailbox quota checking implemented above still wouldn't work for a while since exim creates "maildirsize" file with 600 permissions and it's not readable from exim.pl (http://bugs.exim.org/show_bug.cgi?id=727) On my machine I have patched my exim to fix that.

 

[ClayRabbit]

2. To prevent bounces from failed remote deliveries i have added

errors_to = ${if eq{$original_domain}{$domain} {fail}{}}

inside "lookuphost:" router and

return_path = ${sender_address}

inside "remote_smtp:" transport.

 

[nobaloney]

I have some code that should work but we had a failure of our main office system which required an update of our office systems (old libraries, software wouldn't work, etc) so I haven't had time to implement it. I'm going to look at your code (above) and mine, and bring out another release candidate ... BUT ...

I can't require changes that force a rebuild of exim, in anything I deliver, unless I can work together with John at JBMC (the publishers of DirectAdmin) so everything will just work.

Jeff

 

[nieuwhier]

Did you get any further on this ?

 

[nobaloney]

There's a new RC on my download site now (I put it there last evening); you can find it here.

The specific code is:

# RC 3.2.4  09-nov-2009
  # Mailer-Daemon messages must be for us
  deny senders = :
       message = We don't host the recipient domain
       hosts   = !+relay_hosts
       domains = !+local_domains
       !authenticated = *

It looks good to me, but it hasn't caught anything for me in about 24 hours on the active server on which I'm testing it.

Care to try it?

Jeff

 

[nieuwhier]

I put the code in serval servers. I will let you know the results.

4 of my servers were listed again at backscatterer.org. 3 DA and one windows plesk server.

These 4 servers have not sent much mail in that period and the windows servers is configured totaly different than the DA servers, I am beginning to doubt the quality of that backscatterer list.

Some say that you should use that list reversed; that IF you are listed everything is OK.

 

[nobaloney]

If you just inserted the code into your current file, please check the new file; some positions have changed.

Thanks.

Jeff

 

[nieuwhier]

I compared the new file with mine....

 

[nobaloney]

Great. I'm sure the file does no harm, but I have no convincing proof it does good, either.

Anyone else care to try it? If so, see the new thread for the new version.

Jeff

 

[nieuwhier]

I have it implemented on 8 servers with each a load of at least 100.000 mails each day and have not seen one entry in the logfiles yet (after 12 hours).

 

[nieuwhier]

It is not working.

what I see in my mail queue is undeliverable mails with this:

049 X-Failed-Recipients: [email protected]
029 Auto-Submitted: auto-replied
063F From: Mail Delivery System <[email protected]>

I guess this is the problem, this one cannot be sent be the ones that were sent are not in the queue of course.

The problem is that the recipient is [email protected]. This recipient does not exist on the server and there is no catch all active.

So it should have been refused in the recipient phase instead of accepted and then send back ?

 

[nobaloney]

Our latest code does check for it when mail is first received, and it checks for a blank sender.

And I've finally seen it. So I don't know why it's not working for you.

The only problem I've found (working on it tonight) is that valid mailer-daemon mail is being rejected if the server sends mail for a domain, but the mx record points elsewhere. I should be able to fix this and have a new RC up tomorrow.

Please do some investigating to see why you're not catching the email.

Jeff

 

[nieuwhier]

And I've finally seen it. So I don't know why it's not working for you.
Please do some investigating to see why you're not catching the email.
Jeff

I did a compare and the only thing I have different is this:
#accept local_parts = postmaster
# domains = +local_domains

# accept mail to abuse in any local domain, regardless of source
#accept local_parts = abuse
# domains = +local_domains

# accept mail to hostmaster in any local domain, regardless of source
#accept local_parts = hostmaster
# domains =+local_domains

I have created blackholes for current and new domains so I do not need those.

This still happens when I look into a queue:
036T To: [email protected]
058F From: Mailer Daemon <[email protected]>

The use address does not exist; no catch all, no forwarders, no vacation messages etc.

Weird.

 

[nobaloney]

I've thought about it; I've never said it worked; only that it did no harm.

But, moving on ...

Is [email protected] a real email address on your server?

If not, is customerdomain.com a real domain name on your server. My code does not block mailer-daemon for non-existent users, only for non-existent domains.

Perhaps I have to rewrite it, but I'm awaiting resolution of an issue I brought up in my SpamBlocker 3.2.4-RC now ready for testing thread; I'm not going to spend any more time on it until I know I can get the help I need to include it at all.

Help if you can .

Jeff