Exim4 whitelist/blacklist

It seems exim4 whitelist does not work. Does it?
Here is the log:

    2019-09-05 16:07:44 H=(bad.remote.addr.net) [195.195.25.95] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no F=[email protected] rejected RCPT [email protected]: Sender verify failed

Then I added the email address and IP of the sender server to the whitelist /etc/exim4/white-blocks.conf
Unfortunately, this didn’t help.
I know that this e-mail address is incorrect, the mail domain is incorrect, but I really need to receive mail from it.
The admin on the other side is unavailable and it is impossible to reconfigure sending mail.
Yesterday, before migrating to hestiacp, the whitelist worked fine.
What am I doing wrong?
Thanks a lot!

Looks like the issue is basically the sender verification which is set in the exim4 configuration: https://github.com/hestiacp/hestiacp/blob/55551036006853c831798a49f7c666690a295785/install/deb/exim/exim4.conf.template#L142

The whitelist function itself is for spam detection and/or blacklists, the sender verify will be triggered always. You could now rewrite this function to also honor the IP whitelist for sender verification, a short Google search gave me a lot of results, here is an untested example: http://bohwaz.net/p/Exim-whitelist-senders-to-pass-the-sender-verify-callout

It looks but…
On the old server running ispmanager 5, the config also has this line.
require verify = sender
And everything worked fine there.
Well, thank you.

I did it!

Below this acl_check_rcpt: replace accept hosts = : with this code:

    accept  hosts = +relay_from_hosts
            !authenticated = *
            set acl_m6 = whitelisted

    accept  domains = +local_domains : +relay_to_domains
            condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/whitelist}{yes}{no}}
            set acl_m6 = whitelisted
            logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.

    accept  domains = +local_domains : +relay_to_domains
            hosts = net-lsearch;/etc/exim4/whitelist
            set acl_m6 = whitelisted
            logwrite = Accepted from $sender_address to $local_part@$domain by whitelist.

    deny    condition = ${lookup{$sender_address}wildlsearch{/etc/exim4/blacklist}{yes}{no}}
            set acl_m6 = blacklisted
            logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.

    deny    hosts = net-lsearch;/etc/exim4/blacklist
            set acl_m6 = blacklisted
            logwrite = Rejected from $sender_address to $local_part@$domain by blacklist.

Hello. I have tried this configuration with no results.

I have edited: /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt

and changed “accept hosts = :” with the code above.

Then restarted exim4.

Then created /etc/exim4/blacklist with two lines:
[email protected]
*@externalunrelateddomain.com

Then tried to send an email from [email protected] to an account on the server.

The email got in.

What’s wrong?

A couple of things suggest themselves. First of all, shouldn’t you be making edits in /etc/exim4/exim4.conf.template, rather than in conf.d/ ? At least that's where I make all my config changes.

Secondly, just a vague memory that if you add an address to an exim filter, and it's a regex search, you’d have to backslash the dots in the domain name. So your examples above might have to be

    name@externalunrelateddomain\.com
    .*@externalunrelateddomain\.com

Just a couple of things to try …

Thank you very much. I will try later tonight.

That was it. It worked like a charm!

Thank you very much!

Great. I see the forum editor removed the backslashes from my previous post, so that might have been a bit confusing. I’ve added them back in now. But it looks like it wasn’t the regexes, but the other reason anyway … glad it worked out.

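An added example, not part of any post in this thread: a simplified Python model of how Exim's documented (n)wildlsearch rules compare each key in a list file with the sender address, which is what decides whether an entry such as `*@domain` or a backslashed pattern matches. It models `nwildlsearch` (no string expansion of keys); with `wildlsearch`, as used in the ACL above, keys are string-expanded first, so regex backslashes additionally need protecting. The function names and the `.example` entries are constructed for illustration.

```python
import re

def wild_key_matches(key: str, subject: str) -> bool:
    """Simplified model of comparing one (n)wildlsearch key with the subject."""
    if key.startswith("*"):
        # Leading asterisk means "ends with"; the comparison is caseless.
        return subject.lower().endswith(key[1:].lower())
    if key.startswith("^"):
        # Leading circumflex marks a regular expression (caseless by default).
        return re.search(key, subject, re.IGNORECASE) is not None
    # Anything else is a literal, caseless string; dots and ".*" are NOT special.
    return key.lower() == subject.lower()

def first_match(file_text: str, subject: str):
    """Linear search: return the first matching key in the file, or None."""
    for line in file_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split()[0]  # key ends at the first whitespace
        if wild_key_matches(key, subject):
            return key
    return None

# Constructed sample list mixing address patterns and an IP in one file,
# the way the ACL in this thread reads one file for both lookups.
SAMPLE_LIST = r"""
# constructed entries; the .example domains are placeholders
boss@partner.example
*@blocked.example
.*@dots\.example
^.*@regex\.example$
192.0.2.25
"""

def report(senders):
    """Map each sender address to the key that matched it (or None)."""
    return {s: first_match(SAMPLE_LIST, s) for s in senders}

if __name__ == "__main__":
    for sender, key in report([
        "boss@partner.example",   # literal entry
        "Spam@Blocked.Example",   # "*" entry, caseless
        "user@dots.example",      # ".*@dots\.example" has no "^": literal, no match
        "user@regex.example",     # "^" entry is a real regex
    ]).items():
        print(f"{sender:24} -> {key}")
```

A pattern without a leading `^` is never treated as a regex, so `.*@dots\.example` only matches a sender that is literally that string.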

Can anyone explain this? I’d like to whitelist an MX that keeps getting refused to deliver mail to my hestia controlled exim server.

It’s truly amazing how bad exim’s documentation is. It’s just completely unclear how to even whitelist anything. Why did you pick exim? Please, change back to postfix if or whenever possible. Exim is really a disaster waiting to happen.