Exim4 whitelist/blacklist

It seems exim4 whitelist does not work. Does it?
Here is the log:

2019-09-05 16:07:44 H=(bad.remote.addr.net) [195.195.25.95] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=[[email protected]](mailto:[email protected]) rejected RCPT [[email protected]](mailto:[email protected]): Sender verify failed

Then I added the email address and IP of the sender server to the whitelist /etc/exim4/white-blocks.conf
Unfortunately, this didn’t help.
I know that this e-mail address is incorrect, the mail domain is incorrect, but I really need to receive mail from it.
The admin on the other side is unavailable and it is impossible to reconfigure sending mail.
Yesterday, before migrating to hestiacp, the whitelist worked fine.
What am I doing wrong?
Thanks a lot!

Looks like the issue is basicly the sender verification which is set in exim4 configuration: https://github.com/hestiacp/hestiacp/blob/55551036006853c831798a49f7c666690a295785/install/deb/exim/exim4.conf.template#L142

The whitelist function itself is for spam detection or/and blacklists, the sender verify will be triggered always. You could now rewrite this function to also honor the ip whitelist for sender verification, a short google search gave me a lot of results, here a untested example: http://bohwaz.net/p/Exim-whitelist-senders-to-pass-the-sender-verify-callout

It looks but…
On the old server running ispmanager 5, the config also has this line.
require verify = sender
And everything worked fine there.
Well, thank you.

I did it!

Below this acl_check_rcpt: replace accept hosts = : with this code:

    accept  hosts = +relay_from_hosts
            !authenticated = *
            set acl_m6 = whitelisted

    accept  domains = +local_domains : +relay_to_domains
            condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/whitelist}{yes}{no}}
            set acl_m6 = whitelisted
            logwrite = Accepted from $sender_address to [email protected]$domain by whitelist.

    accept  domains = +local_domains : +relay_to_domains
            hosts = net-lsearch;/etc/exim4/whitelist
            set acl_m6 = whitelisted
            logwrite = Accepted from $sender_address to [email protected]$domain by whitelist.

    deny    condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/blacklist}{yes}{no}}
            set acl_m6 = blacklisted
            logwrite = Rejected from $sender_address to [email protected]$domain by blacklist.

    deny    hosts = net-lsearch;/etc/exim4/blacklist
            set acl_m6 = blacklisted
            logwrite = Rejected from $sender_address to [email protected]$domain by blacklist.
3 Likes

Hello. I have tried this configuration with no results.

I have edited: /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt

and changed “accept hosts = :” with the code above.

Then restarted exim4.

Then created /etc/exim4/blacklist with two lines:
[email protected]
*@externalunrelateddomain.com

Then tried to send an email from [email protected] to an account on the server.

The email got in.

What’s wrong?

A couple of things suggest themselves. First of all, shouldn’t you be making edits in /etc/exim4/exim4.conf.template, rather than in conf.d/ ? At least thats where I make all my config changes.

Secondly, just a vague memory that if you add an address to an exim filter, and its a regex search, you’d have to backslash the dots in the domain name. So your examples above might have to be

[email protected]\.com
.*@externalunrelateddomain\.com

Just a couple of things to try …

Thank you very much. I will try later tonight.

That was it. It worked like charm!

Thank you very much!

Great. I see the forum editor removed the backslashes from my previous post, so that might have been a bit confusing. I’ve added them back in now. But it looks like it wasn’t the regexs, but the other reason anyway … glad it worked out.

1 Like