Exim sender verify fail when using ldap dovecot auth

I have a cheeky little question; I have modified the dovecot configuration to use ldap for authentication - and it successfully authenticates and creates mailboxes, (exim as well since that uses dovecot for authentication) However when I try and send email I keep getting:

2020-10-01 10:42:10 H=localhost (webmail.yvbakker.eu) [127.0.0.1] sender verify fail for <[email protected]>: Unrouteable address
2020-10-01 10:42:10 H=localhost (webmail.yvbakker.eu) [127.0.0.1] F=<[email protected]> A=dovecot_login:[email protected] rejected RCPT <[email protected]>: Sender verify failed

And on smtp over telnet:

235 Authentication succeeded
MAIL FROM:[email protected]
250 OK
RCPT TO:[email protected]
550-Verification failed for <[email protected]>
550-Unrouteable address
550 Sender verify failed

“sender verify failed” - now, I don’t ask blindly and I have checked mailing lists, forums etc. but I just can’t find what I’m missing here. Any clues? Btw, this is a fresh install of the latest hestia, and the only changes are in the dovecot-ldap.conf.ext, auth-ldap.conf.ext and 10-auth.conf - everything else functions as expected.

Update: I know it is most likely caused by

# Deny unless the sender address can be verified.
#
# This is disabled by default so that DNSless systems don't break. If
# your system can do DNS lookups without delay or cost, you might want
# to enable this feature.
#
# This feature does not work in smarthost and satellite setups as
# with these setups all domains pass verification. See spec.txt section
# "Access control lists" subsection "Address verification" with the added
# information that a smarthost/satellite setup routes all non-local e-mail
# to the smarthost.
.ifdef CHECK_RCPT_VERIFY_SENDER
deny
message = Sender verification failed
!acl = acl_local_deny_exceptions
!verify = sender
.endif

In

/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt

on line 131
but sender verification does sound like something I want turned on and I just have no clue how changing an auth mechanism alone can break this.

Update 2:
I commented out the above acl rule but it still gave me the same error, I haven’t been able to identify where the ‘Sender verify failed’ comes from

Another addition:
I have confirmed that if I change the last line of

/etc/dovecot/conf.d/10-auth.conf

back to

!include auth-passwdfile.conf.ext

exim is fine with sending out email

but if I change it back to

!include auth-ldap.conf.ext

it gives me the same error all over again

I’m using the following configuration in auth-ldap.conf.ext (where yvbakker is the home of the test account the email domain is under, and this is exactly where Hestia stores it through the passwd file)

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
  driver = static
  args = uid=yvbakker gid=mail home=/home/yvbakker
}
1 Like

Okay so I narrowed it down further, some ACL in exim is using the passwd file to check if mail accounts exist before sending. It literally fails on the local mail account, since it wasn’t in the passwd file, since I’m using ldap for authentication. I just don’t know which ACL it is.
I would like to either disable or modify this ACL to check in ldap instead of the passwd file. Any clues?

I found the culprit! It was in /etc/exim4/exim4.conf.template all along.
Here there are multiple ACLs checking the passwd file for data still, I just need to replace those checks with LDAP lookups and I’m set.

I don’t expect anyone here to know how to do that, I’ll ask around. If you know though, a pointer in the right direction would be more than welcome!

I’ll close this topic now, but it might be useful for future reference in case anyone else wants to swap out authentication backends for email.

2 Likes