~bohwaz/blog/

Avec de vrais morceaux de 2.0 !

Exim: whitelist senders to pass the sender verify callout

Some mail servers don't comply with the RFC, and as a result you won't be able to receive mails from them, because your mail server is too well-configured. Exim is one of those good mail servers, and nichandle.ovh.net is one those ill-configured mail servers.

nichandle.ovh.net is used by OVH (french ISP) to send important e-mails to its clients, like your password for your new xDSL connection. But if you use exim, since some time you won't receive OVH mails anymore, because of this:

H=xx.mail-out.ovh.net [XX] sender verify defer for <xxxx-ovh@nichandle.ovh.net>: could not connect to robot.ovh.net [XX]: Connection refused
H=xx.mail-out.ovh.net [XX] F=<xxxx-ovh@nichandle.ovh.net> rejected RCPT <root@mailserver>: relay not permitted
H=xx.mail-out.ovh.net [XX] incomplete transaction (QUIT) from <xxxx-ovh@nichandle.ovh.net>

As you can see, Exim tries to check that xxxx-ovh@nichandle.ovh.net is a real email address by connecting to nichandle.ovh.net and doing this simple stuff :

EHLO mailserver
MAIL FROM: <>
RCPT TO: <xxxx-ovh@nichandle.ovh.net>

It won't really send a mail to the sender, it will just check on the senders mail server if the address exists. This is a simple but effective idea to fight against spam, and it's well known and implemented. You can read more on wikipedia on this subject: Callback verification.

For OVH, there's a problem: nichandle.ovh.net (who is in fact an alias for robot.ovh.net) is not a mail server. It's SMTP port 25 isn't even open. So that will be hard for Exim to connect and check if the senders address exists, because nichandle.ovh.net doesn't appear to be a mail server at all, so it rejects the mail.

I opened a ticket on OVH tracking interface but meanwhile I wanted to receive the OVH emails so I added a sender verify whitelist to Exim. For that you'll have to add to the beginning to your exim configuration:

addresslist whitelist_senders = wildlsearch;/etc/exim4/whitelist_senders

Then replace:

require verify = sender

(Note that it might also be require verify = sender/callout.) With this:

 deny !verify = sender
 senders = +whitelist_senders
 deny !verify = sender/defer_ok/callout=10s
 !senders = +whitelist_senders

Then you'll have to edit /etc/exim4/whitelist_senders and add whitelisted senders. It can be a single email address, or a wildcard:

*@nichandle.ovh.net
bohwaz@othermailserver.tld
abuse@*
Write a comment
(optional)
(optional)
(mandatory)
     _ _                          //\ _            
  __| (_)___ _ __   __ _ _ __ __ |/_\| |_ _ __ ___ 
 / _` | / __| '_ \ / _` | '__/ _` | || __| '__/ _ \
| (_| | \__ \ |_) | (_| | | | (_| | || |_| | |  __/
 \__,_|_|___/ .__/ \__,_|_|  \__,_|_| \__|_|  \___|
            |_|                                    
(mandatory)

URLs will create links automatically.
Allowed HTML tags: <blockquote> <cite> <pre> <code> <var> <strong> <em> <del> <ins> <kbd> <samp> <abbr>

Mike

There needs to be an ! infront of the 2nd line down on the first deny statment I think. Otherwise it would block the senders in the white list.
Thus:

deny !verify = sender
!senders = +whitelist_senders

deny !verify = sender/defer_ok/callout=10s
!senders = +whitelist_senders

Mike