
exim failure


pe...@easthope.ca

Mar 22, 2023, 5:10:07 PM
Hi,

In case this message is duplicated, apology in advance.

After configuring exim for a new smarthost, message sending fails.
This might help to identify the problem.

root@dalton:/home/root# exim -bh 142.103.1m.1n

**** SMTP testing session as if from host 142.103.1m.1n
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 142.103.1m.1n
>>> IP address lookup yielded "dalton.invalid"
>>> checking addresses for dalton.invalid
>>> 142.103.1m.1n OK
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
>>> host in pipelining_connect_advertise_hosts? yes (matched "*")
220 dalton.invalid ESMTP Exim 4.94.2 Wed, 22 Mar 2023 13:02:25 -0700

LOG: SMTP syntax error in "" H=dalton.invalid [142.103.1m.1n] unrecognized command
500 unrecognized command
LOG: SMTP command timeout on connection from dalton.invalid
[142.103.1m.1n]
421 dalton.invalid: SMTP command timeout - closing connection
root@dalton:/home/root#

A test message produces this in /var/log/exim4/mainlog

2023-03-22 13:39:10 1pf5Ek-0000gQ-Dk <= pe...@easthope.ca H=localhost.localdomain (dalton) [127.0.0.1] P=smtp S=586
2023-03-22 13:39:10 1pf5Ek-0000gQ-Dk == pe...@easthope.ca R=smarthost T=remote_smtp_smarthost defer (-53): retry time not reached for any host for 'easthope.ca'

How can the origin of "SMTP syntax error" be found?
Is the correction known already?

Thx, ... P.

David Wright

Mar 22, 2023, 6:10:06 PM
On Wed 22 Mar 2023 at 13:52:00 (-0700), pe...@easthope.ca wrote:
>
> After configuring exim for a new smarthost, message sending fails.

What are the contents of /etc/exim4/update-exim4.conf.conf, the
configuration file?

> This might help to identify the problem.
>
> root@dalton:/home/root# exim -bh 142.103.1m.1n

I've not used this facility before, but it seems to work:

> **** SMTP testing session as if from host 142.103.1m.1n
> **** but without any ident (RFC 1413) callback.
> **** This is not for real!
>
> > > > host in hosts_connection_nolog? no (option unset)
> > > > host in host_lookup? yes (matched "*")
> > > > looking up host name for 142.103.1m.1n
> > > > IP address lookup yielded "dalton.invalid"
> > > > checking addresses for dalton.invalid
> > > > 142.103.1m.1n OK
> > > > host in host_reject_connection? no (option unset)
> > > > host in sender_unqualified_hosts? no (option unset)
> > > > host in recipient_unqualified_hosts? no (option unset)
> > > > host in helo_verify_hosts? no (option unset)
> > > > host in helo_try_verify_hosts? no (option unset)
> > > > host in helo_accept_junk_hosts? no (option unset)
> > > > host in pipelining_connect_advertise_hosts? yes (matched "*")
> 220 dalton.invalid ESMTP Exim 4.94.2 Wed, 22 Mar 2023 13:02:25 -0700
>
> LOG: SMTP syntax error in "" H=dalton.invalid [142.103.1m.1n]
↑↑
So there's a syntax error in the empty string, which would
be a reasonable reaction from exim.

> unrecognized command
> 500 unrecognized command
> LOG: SMTP command timeout on connection from dalton.invalid
> [142.103.1m.1n]
> 421 dalton.invalid: SMTP command timeout - closing connection
> root@dalton:/home/root#

I assumed you just stared at the screen until this timeout appeared.

From man exim:

-bh <IP address>
This option runs a fake SMTP session as if from the given IP
address, using the standard input and output. The IP address
may include a port number at the end, after a full stop.
For example:
exim4 -bh 10.9.8.7.1234

You've now got to type something. It will then talk back to you.
Try typing (ignore my indentation):

ehlo dalton.invalid ← that's not a typo
mail from: pe...@easthope.ca
rcpt to: pe...@easthope.ca
data
from: pe...@easthope.ca
to: pe...@easthope.ca
subject: hand written test 01
← that's a blank line
Hand written test 01
. ← that's nothing but a fullstop Return
quit

How far you get in this conversation depends what it says back.
You want to see several 250s, and a 354 after you type DATA.

> A test message produces this in /var/log/exim4/mainlog
>
> 2023-03-22 13:39:10 1pf5Ek-0000gQ-Dk <= pe...@easthope.ca
> H=localhost.localdomain (dalton) [127.0.0.1] P=smtp S=586

Yes, that does look somewhat lacking.

> 2023-03-22 13:39:10 1pf5Ek-0000gQ-Dk == pe...@easthope.ca R=smarthost
> T=remote_smtp_smarthost defer (-53): retry time not reached for any host for
> 'easthope.ca'

Cheers,
David.

pe...@easthope.ca

Mar 23, 2023, 2:50:07 PM
Header lines not handled by Web interface.
In-reply-to: <ZBt73O0y...@axis.corp>
References: <5674e986a67af53a...@easthope.ca>
<ZBt73O0y...@axis.corp>

From: David Wright <deb...@lionunicorn.co.uk>
Date: Wed, 22 Mar 2023 17:06:20 -0500
> What are the contents of /etc/exim4/update-exim4.conf.conf, the
> configuration file?

# /etc/exim4/update-exim4.conf.conf
#
# Most of the heading comments removed.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_readhost='dalton.invalid'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='hornby.islandhosting.com::465'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

> I assumed you just stared at the screen until this timeout appeared.

My thought was "broken configuration".

> You've now got to type something. It will then talk back to you.
> Try typing (ignore my indentation):
>
> ehlo dalton.invalid ← that's not a typo
> mail from: pe...@easthope.ca
> rcpt to: pe...@easthope.ca
> data
> from: pe...@easthope.ca
> to: pe...@easthope.ca
> subject: hand written test 01
> ← that's a blank line
> Hand written test 01
> . ← that's nothing but a fullstop Return
> quit

root@dalton:/home/root# exim -bh 142.103.107.137.465

**** SMTP testing session as if from host 142.103.107.137
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 142.103.107.137
>>> IP address lookup yielded "dalton.invalid"
>>> checking addresses for dalton.invalid
>>> 127.0.1.1
>>> 142.103.107.137 OK
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
>>> host in pipelining_connect_advertise_hosts? yes (matched "*")
220 dalton.invalid ESMTP Exim 4.94.2 Thu, 23 Mar 2023 10:45:12 -0700
ehlo dalton.invalid
>>> host in dsn_advertise_hosts? no (option unset)
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> host in auth_advertise_hosts? yes (matched "*")
>>> host in chunking_advertise_hosts? yes (matched "*")
>>> host in tls_advertise_hosts? yes (matched "*")
>>> host in smtputf8_advertise_hosts? no (end of list)
250-dalton.invalid Hello dalton.invalid [142.103.107.137]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
mail from: pe...@easthope.ca
>>> using ACL "acl_check_mail"
>>> processing "accept" (/var/lib/exim4/config.autogenerated 265)
>>> accept: condition test succeeded in ACL "acl_check_mail"
>>> end of ACL "acl_check_mail": ACCEPT
250 OK
rcpt to: pe...@easthope.ca
>>> using ACL "acl_check_rcpt"
>>> processing "accept" (/var/lib/exim4/config.autogenerated 277)
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "deny" (/var/lib/exim4/config.autogenerated 292)
>>> check domains = +local_domains
>>> easthope.ca in "@:localhost"? no (end of list)
>>> easthope.ca in "+local_domains"? no (end of list)
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> processing "deny" (/var/lib/exim4/config.autogenerated 301)
>>> check domains = !+local_domains
>>> easthope.ca in "!+local_domains"? yes (end of list)
>>> check local_parts = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
>>> peter in "^[./|] : ^.*[@%!`#&?] : ^.*/\.\./"? no (end of list)
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> processing "accept" (/var/lib/exim4/config.autogenerated 307)
>>> check local_parts = postmaster
>>> peter in "postmaster"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "deny" (/var/lib/exim4/config.autogenerated 322)
>>> check !acl = acl_local_deny_exceptions
>>> using ACL "acl_local_deny_exceptions"
>>> processing "accept" (/var/lib/exim4/config.autogenerated 238)
>>> check hosts = ${if
>>> exists{/etc/exim4/host_local_deny_exceptions}{/etc/exim4/host_local_deny_exceptions}{}}
>>> host in ""? no (end of list)
>>> accept: condition test failed in ACL "acl_local_deny_exceptions"
>>> processing "accept" (/var/lib/exim4/config.autogenerated 242)
>>> check senders = ${if
>>> exists{/etc/exim4/sender_local_deny_exceptions}{/etc/exim4/sender_local_deny_exceptions}{}}
>>> pe...@easthope.ca in ""? no (end of list)
>>> accept: condition test failed in ACL "acl_local_deny_exceptions"
>>> processing "accept" (/var/lib/exim4/config.autogenerated 246)
>>> check hosts = ${if
>>> exists{/etc/exim4/local_host_whitelist}{/etc/exim4/local_host_whitelist}{}}
>>> host in ""? no (end of list)
>>> accept: condition test failed in ACL "acl_local_deny_exceptions"
>>> processing "accept" (/var/lib/exim4/config.autogenerated 250)
>>> check senders = ${if
>>> exists{/etc/exim4/local_sender_whitelist}{/etc/exim4/local_sender_whitelist}{}}
>>> pe...@easthope.ca in ""? no (end of list)
>>> accept: condition test failed in ACL "acl_local_deny_exceptions"
>>> end of ACL "acl_local_deny_exceptions": implicit DENY
>>> check senders = ${if
>>> exists{/etc/exim4/local_sender_callout}{/etc/exim4/local_sender_callout}{}}
>>> pe...@easthope.ca in ""? no (end of list)
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> processing "deny" (/var/lib/exim4/config.autogenerated 333)
>>> check condition = ${if and
>>> {{>{$rcpt_count}{10}}{<{$recipients_count}{${eval:$rcpt_count/2}}} }}
>>> =
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> processing "accept" (/var/lib/exim4/config.autogenerated 338)
>>> check hosts = +relay_from_hosts
>>> host in ": 127.0.0.1 : ::::1"? no (end of list)
>>> host in "+relay_from_hosts"? no (end of list)
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "accept" (/var/lib/exim4/config.autogenerated 343)
>>> check authenticated = *
>>> accept: condition test failed in ACL "acl_check_rcpt"
>>> processing "require" (/var/lib/exim4/config.autogenerated 348)
>>> check condition = ${if def:sender_helo_name}
>>> = true
>>> message: nice hosts say HELO first
>>> require: condition test succeeded in ACL "acl_check_rcpt"
>>> processing "require" (/var/lib/exim4/config.autogenerated 352)
>>> message: relay not permitted
>>> check domains = +local_domains : +relay_to_domains
>>> easthope.ca in ""? no (end of list)
>>> easthope.ca in "+local_domains : +relay_to_domains"? no (end of list)
>>> require: condition test failed in ACL "acl_check_rcpt"
>>> end of ACL "acl_check_rcpt": not OK
550 relay not permitted
LOG: H=dalton.invalid [142.103.107.137] F=<pe...@easthope.ca> rejected
RCPT pe...@easthope.ca: relay not permitted

root@dalton:/home/root# head -n 3 /etc/hosts
# dalton:/etc/hosts
127.0.0.1 localhost.localdomain localhost
127.0.1.1 dalton.invalid dalton

Whereas above, exim says this.

>>> checking addresses for dalton.invalid
>>> 127.0.1.1
>>> 142.103.107.137 OK

Seems incorrect to mention 127.0.1.1 and not 127.0.0.1.

Eventually exim complains about relaying whereas the test is from
localhost.

Thx, ... P.

David Wright

Mar 25, 2023, 12:20:05 AM
On Thu 23 Mar 2023 at 11:27:17 (-0700), pe...@easthope.ca wrote:
>
> # /etc/exim4/update-exim4.conf.conf
> #
> # Most of the heading comments removed.
> #
> # This is a Debian specific file
>
> dc_eximconfig_configtype='smarthost'
> dc_other_hostnames=''
> dc_local_interfaces='127.0.0.1'
> dc_readhost='dalton.invalid'
> dc_relay_domains=''
> dc_minimaldns='false'
> dc_relay_nets=''
> dc_smarthost='hornby.islandhosting.com::465'
> CFILEMODE='644'
> dc_use_split_config='false'
> dc_hide_mailname='true'
> dc_mailname_in_oh='true'
> dc_localdelivery='mail_spool'

That looks fine, and shows that you're going to send through their
port 465, which will require TLS and authentication. So first you need
to encode your username and password with:

$ echo -e -n '\0username\0password' | base64

You'll need to cut and paste that string in a moment. Bear in mind
that you should not reveal or post that string as it's easily decoded.

Start your test session with something more like:

$ openssl s_client -starttls smtp -crlf -connect hornby.islandhosting.com:465
EHLO dalton.invalid
AUTH PLAIN encodedstring

where encodedstring is the output from running the echo…base64
command. Note that it's sent encrypted.

Unlike the test of exim that you conducted with:

> root@dalton:/home/root# exim -bh 142.103.107.137.465

this one will send a real email, which you should get back as
recipient. This will be testing your new smarthost, and if it
doesn't like you, you should get the error message straightaway,
rather than having to decode what exim would have written in its
log. There's an example at the bottom.

> **** SMTP testing session as if from host 142.103.107.137
> **** but without any ident (RFC 1413) callback.
> **** This is not for real!
>
> > > > host in hosts_connection_nolog? no (option unset)
> > > > host in host_lookup? yes (matched "*")
> > > > looking up host name for 142.103.107.137
> > > > IP address lookup yielded "dalton.invalid"
> > > > checking addresses for dalton.invalid
> > > > 127.0.1.1
> > > > 142.103.107.137 OK

[ … ]

> > > > end of ACL "acl_check_rcpt": not OK
> 550 relay not permitted
> LOG: H=dalton.invalid [142.103.107.137] F=<pe...@easthope.ca> rejected
> RCPT pe...@easthope.ca: relay not permitted

Fair enough—exim is configured to send to a "real" smarthost on
the Internet: almost no sites allow relaying nowadays (spam).
(My exims are set up very differently from yours.)

> root@dalton:/home/root# head -n 3 /etc/hosts

(BTW you shouldn't need to be root for exim or any of this.)

> # dalton:/etc/hosts
> 127.0.0.1 localhost.localdomain localhost
> 127.0.1.1 dalton.invalid dalton
>
> Whereas above, exim says this.
>
> > > > checking addresses for dalton.invalid
> > > > 127.0.1.1
> > > > 142.103.107.137 OK
>
> Seems incorrect to mention 127.0.1.1 and not 127.0.0.1.

You started exim with 142.103.107.137. AIUI exim looks that up and
gets dalton.invalid (presumably with a local DNS server?). It then
looks up dalton.invalid and gets 127.0.1.1 from /etc/hosts.

You'd need to start exim with 127.0.0.1 to use localhost.

> Eventually exim complains about relaying whereas the test is from
> localhost.

Here's the example session, suitably mangled:

$ openssl s_client -starttls smtp -crlf -connect hornby.islandhosting.com:465
CONNECTED(00000003)
[certificate stuff]
---
250 OK
ehlo dalton.invalid ←
250-blablahornby.islandhosting.com hello [158.69.159.172], pleased to meet you
250-HELP
250-AUTH LOGIN PLAIN
250-SIZE 28672000
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 OK
auth plain abcdefghijklmnopqrstuvwxyz== ←
235 2.7.0 ... authentication succeeded
mail from: pe...@easthope.ca
250 2.1.0 <pe...@easthope.ca> sender ok
rcpt to: pe...@easthope.ca
250 2.1.5 <pe...@easthope.ca> recipient ok
data ←
from: <pe...@easthope.ca> ←
to: <pe...@easthope.ca> ←
subject: hand written test 01 ←
(blank line) ←
354 enter mail, end with "." on a line by itself
Hand written test 01 ←
. ←
250 2.0.0 iHxl1z00J2LfVNE01HycHK mail accepted for delivery
quit ←
221 2.0.0 blablahornby.islandhosting.com closing connection
read:errno=0
$

You type the lines indicated. The responses will differ in detail.
I EHLO with the fqdn of my computer as well, but it's just ahost.corp;
and I authenticate with my ISP credentials; but I also have to
MAIL FROM: with the ISP account's email address (which I never use).
OTOH the From: header relates to my hosting service, 3000 miles away.

These are the sort of things that can vary with different smarthosts.
When travelling, I typically -connect to my hosting service's
submissions port, authenticate with their credentials, and MAIL FROM:
with nob...@my.domain. (I could do that at home too.)

In case ports 465 and 587 are blocked, my email hosting service also
provides port 25025 as a workaround submissions port. Again, these
services vary from company to company.

Cheers,
David.
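
The AUTH PLAIN string described above, as an added example that is not part of the thread. The initial response is base64(authzid NUL authcid NUL password) with an empty authzid, which is what '\0username\0password' spells out. Two changes from the echo one-liner: the password is read from stdin rather than passed as an argument, so it does not show up in ps output or in the shell history, and the NULs are written with printf's full \000 escape, because with echo -e a password whose first character is an octal digit is swallowed into the \0 escape (\07 becomes a bell character). The credentials "alice" and "s3cret" are made up. As said above, base64 is an encoding, not encryption: the output is the password in a different alphabet, so never post it.

```sh
#!/bin/sh
# Build and inspect the SASL PLAIN initial response used with
# "AUTH PLAIN <blob>". Added example for this thread, not from it;
# "alice" / "s3cret" in the usage comments are made-up credentials.
set -eu

# sasl_plain USERNAME
# Reads the password from stdin (one line) so it never appears in argv,
# and prints base64( NUL username NUL password ) without line wrapping.
# The leading NUL is an empty authorization identity: act as the
# authenticated user. \000 is spelled out in full so that a password
# starting with an octal digit cannot be absorbed into the escape.
sasl_plain() {
    user=$1
    IFS= read -r pass || :   # '|| :' so a missing final newline does not abort under set -e
    printf '\000%s\000%s' "$user" "$pass" | base64 | tr -d '\n'
}

# sasl_plain_decode BLOB
# Shows the three fields with '|' where the NULs are, to check a blob
# before pasting it into a session. Do this on the local machine only;
# the decoded output is the password.
sasl_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\000' '|'
}

# Usage:
#   printf '%s\n' "$SMTP_PASSWORD" | sasl_plain 'alice'   # prints AGFsaWNlAHMzY3JldA== for password s3cret
#   sasl_plain_decode AGFsaWNlAHMzY3JldA==                 # prints |alice|s3cret
```

Paste the output after "AUTH PLAIN " in the openssl s_client session. A 235 reply means the credentials were accepted; 535 means the server rejected them; 503 or 504 usually means AUTH was sent before EHLO or the server did not offer PLAIN in its EHLO response.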

pe...@easthope.ca

Mar 25, 2023, 11:10:07 PM
In-reply-to: <ZB52J1Ag...@axis.corp>
References: <9ef536feee6ec3ae...@easthope.ca>
<ZB52J1Ag...@axis.corp>

From: David Wright <deb...@lionunicorn.co.uk>
Date: Fri, 24 Mar 2023 23:18:47 -0500
> That looks fine, and shows that you're going to send through their
> port 465, which will require TLS and authentication. So first you need
> to encode your username and password with:
>
> $ echo -e -n '\0username\0password' | base64
> ...

I logged in at https://islandhosting.com/login , dug down a few layers
and lucked onto this.

"Mail Client Manual Settings
...
Secure SSL/TLS Settings (Recommended)
Username: pe...@easthope.ca
Password: Use the email account's password.
Incoming Server: mail.easthope.ca

IMAP Port: 993 POP3 Port: 995

Outgoing Server: mail.easthope.ca

SMTP Port: 465

IMAP, POP3, and SMTP require authentication."

No mention of STARTTLS or TLS on connect. Tried this
interactive run.

$ openssl s_client -starttls smtp -crlf -connect mail.easthope.ca:465
CONNECTED(00000003)
Didn't find STARTTLS in server response, trying anyway...
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 341 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
$

The server is using TLS on connect rather than STARTTLS?
TLS is seriously broken here?

================================================
Before trying the interactive process, checked a bunch of details
including instructions in https://wiki.debian.org/Exim. Generated
fresh /etc/exim4/exim.crt and /etc/exim4/exim.key.

Requested delivery of the last message in the queue.
$ exim -M 1pgCEl-00010a-4l

$ tail -n 1 /var/log/exim4/mainlog
2023-03-25 16:59:30 1pgCEl-00010a-4l == pe...@easthope.ca R=smarthost T=remote_smtp_smarthost defer (-37) H=easthope.ca [158.69.159.172]: TLS session: (certificate verification failed)

==============================================
Notes from reviewing additional details.

Noticed that dnsmasq was absent. =8~/ Installed it.

Also found this.

root@imager:/home/root# cat /etc/resolv.conf
domain hitronhub.home
search hitronhub.home
nameserver 192.168.0.1

https://wiki.debian.org/dnsmasq gave a hint to add
127.0.0.1 as first line. So now this.

root@imager:/home/root# cat /etc/resolv.conf
nameserver 127.0.0.1
domain hitronhub.home
search hitronhub.home
nameserver 192.168.0.1

I didn't submit "hitronhub.home".

https://en.wikipedia.org/wiki/Top-level_domain#Rejected_domains
suggests, to me, that hitronhub.home is a contrivance of the Hitron
manufacturer. Came to resolv.conf during system installation? From
DHCP? Allows the Hitron box to intercept name resolution requests?
Necessary? A source of confusion? Isn't "nameserver 192.168.0.1"
enough?

Checked a few lookups for interest.

$ nslookup easthope.ca
Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
Name: easthope.ca
Address: 158.69.159.172

$ nslookup mail.easthope.ca
Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
mail.easthope.ca canonical name = easthope.ca.
Name: easthope.ca
Address: 158.69.159.172

$ nslookup islandhosting.com
Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
Name: islandhosting.com
Address: 192.99.111.180
Name: islandhosting.com
Address: 2607:5300:60:925e::

$ nslookup hornby.islandhosting.com
Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
Name: hornby.islandhosting.com
Address: 158.69.159.172
Name: hornby.islandhosting.com
Address: 2607:5300:203:66b5::

$ whois 192.99.111.180 | grep island
$ whois 158.69.159.172 | grep island
$

Neither IP gets islandhosting.com?

Thx, ... P.

David Wright

Mar 26, 2023, 12:40:06 AM
On Sat 25 Mar 2023 at 19:47:35 (-0700), pe...@easthope.ca wrote:
> > That looks fine, and shows that you're going to send through their
> > port 465, which will require TLS and authentication. So first you need
> > to encode your username and password with:
> >
> > $ echo -e -n '\0username\0password' | base64
> > ...
>
> I logged in at https://islandhosting.com/login , dug down a few layers
> and lucked onto this.
>
> "Mail Client Manual Settings
> ...
> Secure SSL/TLS Settings (Recommended)
> Username: pe...@easthope.ca
> Password: Use the email account¶s password.
> Incoming Server: mail.easthope.ca
>
> IMAP Port: 993 POP3 Port: 995
>
> Outgoing Server: mail.easthope.ca
>
> SMTP Port: 465
>
> IMAP, POP3, and SMTP require authentication."

Yes, I got similar but unpersonalised information at:
https://islandhosting.com/knowledgebase/21/How-do-I-configure-my-email-client.html

> No mention of STARTTLS or TLS on connect.

No, just the bit above here: "Secure SSL/TLS Settings (Recommended)"

> Tried this
> interactive run.
>
> $ openssl s_client -starttls smtp -crlf -connect mail.easthope.ca:465

In the first instance, just try sending a test message using the
commands I gave, except starting off with:

$ openssl s_client -crlf -connect mail.easthope.ca:465

After the certificate stuff, you should then see lines like:

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5093 bytes and written 409 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: EFD2B3AEAA0931063329DA3A26017182365DAA6C5EDC7298FBBB291B8A02752E
Session-ID-ctx:
Master-Key:
+89062342EF919B2EA24ABCBB5C66D643553A888C430BC18E5B764431F31BAC4B949E72DE0910ACB367ADC6B0F9337133
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1679801072
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
220 hornby.islandhosting.com ESMTP server ready at Sat, 25 Mar 2023 21:33:16 -0700
→ EHLO dalton.invalid
250-hornby.islandhosting.com Hello ip12-345-678-90.ks.ks.cox.net [12.345.678.90]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-SMTPUTF8
250 HELP

And you carry on from there with:

AUTH PLAIN encodedstring

and so on.

Cheers,
David.
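
The hand-typed session laid out in this thread (EHLO, AUTH PLAIN, MAIL, RCPT, DATA, the message, ".", QUIT) and the reply codes each step should draw (250s, 235 after AUTH, 354 after DATA, 221 after QUIT), as an added example that is not from the thread. smtp_client_lines prints the client side of that exchange; smtp_check reads the server side, as captured from openssl s_client output, and names the first step whose reply code is wrong. The three transcripts are constructed to look like the replies shown in the thread: a clean submission, a rejected AUTH, and the "550 relay not permitted" from the exim -bh run. Host names are placeholders. One caveat for interactive use: when openssl s_client is run without -quiet or -ign_eof, a line beginning with a capital R is taken as a renegotiation request and one beginning with a capital Q closes the connection, neither being sent to the server, which is a good reason to type "rcpt to:" and "quit" in lower case as the sessions above do.

```sh
#!/bin/sh
# Scripted SMTP submission check. Added example, not from the thread.
# Sample transcripts are constructed; host names are placeholders.
set -eu

# Client side of the session, in the order used in the thread. Pipe into
#   openssl s_client -crlf -quiet -connect mail.example.invalid:465
# (the server must accept pipelined commands) or type the lines one at a
# time, waiting for each reply.
# smtp_client_lines HELO-NAME FROM TO AUTH-BLOB
smtp_client_lines() {
    printf 'EHLO %s\n' "$1"
    printf 'AUTH PLAIN %s\n' "$4"
    printf 'MAIL FROM:<%s>\n' "$2"
    printf 'RCPT TO:<%s>\n' "$3"
    printf 'DATA\n'
    printf 'From: <%s>\nTo: <%s>\nSubject: hand written test 01\n\nHand written test 01\n.\n' "$2" "$3"
    printf 'QUIT\n'
}

# Reply code each step must draw; anything else means stop and look.
SMTP_STEPS='EHLO 250
AUTH 235
MAIL 250
RCPT 250
DATA 354
END-OF-DATA 250
QUIT 221'

# smtp_check TRANSCRIPT
# TRANSCRIPT holds the server's replies, one per line (CRLF tolerated,
# "250-" continuation lines skipped, the 220 greeting skipped). Prints
# "OK", "FAIL <step>: <reply>" or "INCOMPLETE after <step>"; exit
# status is non-zero for the last two.
smtp_check() {
    printf '%s\n' "$1" | awk -v steps="$SMTP_STEPS" '
    BEGIN {
        n = split(steps, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], f, " "); step[i] = f[1]; want[i] = f[2] }
        cur = 0; failed = 0
    }
    { sub(/\r$/, "") }
    /^[0-9][0-9][0-9]-/ { next }              # multi-line reply, not its last line
    /^220[ -]/ && cur == 0 { next }           # greeting banner, no command sent yet
    /^[0-9][0-9][0-9]( |$)/ {
        cur++
        if (cur > n) next
        if (substr($0, 1, 3) != want[cur]) {
            printf "FAIL %s: %s\n", step[cur], $0; failed = 1; exit
        }
    }
    END {
        if (failed) exit 1
        if (cur < n) { printf "INCOMPLETE after %s\n", (cur ? step[cur] : "greeting"); exit 1 }
        print "OK"
    }'
}

# Constructed transcripts, shaped like the replies shown in the thread.
SMTP_SAMPLE_OK='220 hornby.example.invalid ESMTP server ready
250-hornby.example.invalid Hello [192.0.2.10]
250-AUTH PLAIN LOGIN
250 HELP
235 2.7.0 authentication succeeded
250 2.1.0 sender ok
250 2.1.5 recipient ok
354 enter mail, end with "." on a line by itself
250 2.0.0 mail accepted for delivery
221 2.0.0 closing connection'

SMTP_SAMPLE_BAD_AUTH='220 hornby.example.invalid ESMTP server ready
250-hornby.example.invalid Hello [192.0.2.10]
250 HELP
535 5.7.8 authentication failed'

SMTP_SAMPLE_RELAY='220 dalton.invalid ESMTP Exim
250-dalton.invalid Hello dalton.invalid [192.0.2.10]
250 HELP
235 2.7.0 authentication succeeded
250 OK
550 relay not permitted'
```

To use it on a live server, save the s_client output to a file and run smtp_check on its contents; the first line of the verdict tells you whether to look at credentials (AUTH), relaying or sender policy (MAIL, RCPT) or message content (END-OF-DATA).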

pe...@easthope.ca

Mar 26, 2023, 4:10:06 PM
In-reply-to: <ZB/Lbgn/3OE2...@axis.corp>
References: <ZB52J1Ag...@axis.corp>
<5319ac62b1294b22...@easthope.ca>
<ZB/Lbgn/3OE2...@axis.corp>

From: David Wright <deb...@lionunicorn.co.uk>
Date: Sat, 25 Mar 2023 23:34:54 -0500
> In the first instance, just try sending a test message using the
> commands I gave, except starting off with:
>
> $ openssl s_client -crlf -connect mail.easthope.ca:465
>
> After the certificate stuff, you should then see lines like:
> ...
> And you carry on from there with:
>
> AUTH PLAIN encodedstring

The test message was transmitted. Good!

(1) Section 1. in
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
says "email submission but with TLS immediately upon connect instead of
using STARTTLS" is officially blessed by the IETF, and recommended by
them in preference to STARTTLS.

From the tests, my conclusion is that Island Hosting requires
TLS-on-connect & STARTTLS won't work. Consistent with the IETF
recommendation.

Now all that's needed is to configure exim properly.

/usr/share/doc/exim4-base/README.Debian.gz should be a good starting
point for documentation but leaves several questions.

(2) 2.1.1. The Debconf questions
"Since you can usually read this file only after having answered the
questions ..." What file?

I infer as central concept of the paragraph, "Command 'dpkg-reconfigure
exim4-config' takes as input
/usr/share/doc/exim4-base/exim4.conf.template and responses from the
user and produces as output
/usr/share/doc/exim4-base/update-exim4.conf.conf."

(3) "Both exim4-daemon-heavy and exim4-daemon-light support TLS/SSL
using the GnuTLS library." Isn't openssl the default in Debian? What
is the purpose of this sentence about GnuTLS?

(4) "TLS on connect is not natively supported." OK but the test
confirmed that it can work. Documentation could tell how to
configure. Otherwise link to instructions at least.

(5)
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
states "There is also a -tls-on-connect command line option. This
overrides tls_on_connect_ports; it forces the TLS-only behaviour for
all ports." Connection from the local MUA to exim isn't encrypted.
The command line option will block that?

What ideas are there to configure TLS-on-connect for localhost to
smarthost and leave MUA to localhost unencrypted on port 25?

Thanks, ... P.

David Wright

Mar 26, 2023, 11:20:07 PM
On Sun 26 Mar 2023 at 12:47:45 (-0700), pe...@easthope.ca wrote:
>
> (4) "TLS on connect is not natively supported." OK but the test
> confirmed that it can work. Documentation could tell how to
> configure. Otherwise link to instructions at least.
>
> (5) https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html
> states "There is also a -tls-on-connect command line option. This
> overrides tls_on_connect_ports; it forces the TLS-only behaviour for
> all ports." Connection from the local MUA to exim isn't encrypted.
> The command line option will block that?
>
> What ideas are there to configure TLS-on-connect for localhost to
> smarthost and leave MUA to localhost unencrypted on port 25?

Just above that paragraph is the example for tls_on_connect_ports, ie

tls_on_connect_ports = 465

I assume this goes into the configuration rather than the command
line. I've never had to configure at this level without the benefit
of a MACRO_PARAMETER to set. For example, I turn off certificate
stuff on my LAN with:

$ cat /etc/exim4/exim4.conf.localmacros
# /etc/exim4/exim4.conf.localmacros

MAIN_TLS_ADVERTISE_HOSTS =
#
$

Lacking a macro, you could try editing either
/var/lib/exim4/config.autogenerated (rather like editing grub.cfg, in
that reconfiguring Grub will overwrite it), or
/etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost
which is more permanent (keep a backup of original).

You might try adding the setting after the first active line in
30_exim4-config_remote_smtp_smarthost, or test it by adding it
after line 857 in config.autogenerated (the same text). That
assumes that the exim in bullseye supports what's documented
for the latest version.

Cheers,
David.
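
An added configuration example for the question of TLS-on-connect towards the smarthost; it is not from the thread or from the Debian package. Two points decide where the setting goes. First, tls_on_connect_ports (and the -tls-on-connect command line option) are main, daemon-side settings: they say which of the ports exim itself listens on expect TLS before any SMTP, so they do nothing for outgoing deliveries and, if used, would affect the local MUA's port 25 connection. The outgoing side is configured per transport, with protocol = smtps on the smtp transport, and leaves the unencrypted 127.0.0.1:25 listener as it is. Second, with dc_use_split_config='false' as in this thread, update-exim4.conf generates /var/lib/exim4/config.autogenerated from /etc/exim4/exim4.conf.template, not from conf.d/, so the transport to edit is the remote_smtp_smarthost block in that template. The hosts_require_tls and hosts_require_auth lines make a failed TLS handshake or a failed login defer the message instead of sending in cleartext or unauthenticated. The verification lines are why the earlier "TLS session: (certificate verification failed)" log matters: exim checks the certificate against the host name it connects to (the H= field of that log line), so dc_smarthost should be a name the certificate carries; `openssl s_client -connect HOST:465 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` shows which names it carries. USERNAME and PASSWORD are placeholders.

```conf
# Added example, not from the thread. Client-side TLS and authentication
# settings for Debian's remote_smtp_smarthost transport. Merge the option
# lines into the existing definition in /etc/exim4/exim4.conf.template
# (unsplit config, as here) or in
# conf.d/transport/30_exim4-config_remote_smtp_smarthost (split config),
# then run update-exim4.conf and restart exim4.
remote_smtp_smarthost:
  driver = smtp
  # TLS immediately on connect (RFC 8314 "submissions", port 465) rather
  # than STARTTLS after EHLO. This is the transport (outgoing) setting;
  # tls_on_connect_ports only describes the daemon's own listening ports.
  protocol = smtps
  port = 465
  # Never fall back to cleartext, never hand over a message unauthenticated;
  # a failure here defers the message instead.
  hosts_require_tls = *
  hosts_require_auth = *
  # Verify the server certificate against the system CA bundle and require
  # that it carries the name being connected to (sent as SNI as well).
  tls_verify_certificates = system
  tls_verify_cert_hostnames = *
  tls_sni = $host

# /etc/exim4/passwd.client (root:Debian-exim, mode 0640): one line per
# smarthost, host-name pattern first. A wildcard covers a smarthost whose
# canonical or reverse name differs from the one in dc_smarthost.
*.islandhosting.com:USERNAME:PASSWORD
```

After regenerating the configuration, `exim -bP transport remote_smtp_smarthost` prints the options the running configuration actually has for that transport, and `exim -M <message-id>` forces a retry of a queued message so the result shows up in mainlog straight away.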