Не уходит почта от мобильного клиента

[ank0l0g]

День добрый!

Есть мобильный клиент.
У которого соответственно нет и не будет PTR записи.
При отправки им почты в логи сыплется следующее:
2016-03-14 13:18:42 H=([10.202.191.223]) [217.x.x.217] F=<ceo@xx.ru> rejected RCPT <Kuzn@yy.su>: relay not permitted
2016-03-14 13:19:22 H=([10.202.191.223]) [217.x.x.217] F=<ceo@xx.ru> rejected RCPT <Kuzn@yy.su>: relay not permitted

Пробовал добавлять:
добавляем acl

acl_smtp_connect = acl_check_connect
...
...
acl_check_connect:
accept hosts = localhost : 127.0.0.1 : 217.x.x.217
control = no_enforce_sync
accept

С указанием его IP.
Но проблема в том, что IP меняется. Конечно можно добавлять новые IP, но не уследишь за каждым изменением.
Помогите побороть.

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[ank0l0g]

Вот мой конфиг. Может дело в чем то другом.

Код: Выделить всё

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name. In many cases this does
# the right thing and you need not set anything explicitly.

# primary_hostname =

#domainlist local_domains = @
#domainlist relay_to_domains =
#hostlist   relay_from_hosts = localhost : 127.0.0.1

domainlist local_domains = ${lookup mysql{SELECT `domain` \
                            FROM `domain` WHERE \
                            `domain`='${domain}' AND \
                            `active`='1'}}
domainlist relay_to_domains = ${lookup mysql{SELECT `domain` \
                            FROM `domain` WHERE \
                            `domain`='${domain}' AND \
                            `active`='1'}}
hostlist   relay_from_hosts = localhost:127.0.0.0/8:10.0.0.0/8:@[]
#:178.155.43.214:217.118.81.217

hide mysql_servers = localhost::(/tmp/mysql.sock)/exim/exim/eximsql

acl_smtp_connect = acl_check_connect
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data


av_scanner = clamd:/var/run/clamav/clamd.sock

spamd_address = 127.0.0.1 783

# Allow any client to use TLS.

# tls_advertise_hosts = *
#tls_certificate = /usr/local/etc/dovecot/ssl/dovecot.crt
#cur_new
#tls_certificate = /usr/local/etc/dovecot/ssl/pizzacup.crt
#tls_privatekey = /usr/local/etc/dovecot/ssl/mail.key
#cur_end
#tls_certificate = /usr/local/etc/exim/ssl/eximssl.key
#tls_privatekey = /usr/local/etc/exim/ssl/eximssl.req
#tls_certificate = /usr/local/etc/exim/ssl/eximssl.req
#tls_privatekey = /usr/local/etc/exim/ssl/eximssl.key

#daemon_smtp_ports = 25 : 465 : 587
#tls_on_connect_ports = 465

# qualify_domain =

# qualify_recipient =

# allow_domain_literals
allow_domain_literals = true

exim_user = mailnull
exim_group = mail
never_users = root

host_lookup = *

#rfc1413_hosts = *
#rfc1413_query_timeout = 5s

# Enable an efficiency feature.  We advertise the feature; clients
# may request to use it.  For multi-recipient mails we then can
# reject or accept per-user after the message is received.
#
prdr_enable = true

log_selector = +smtp_protocol_error +smtp_syntax_error \
        +tls_certificate_verified

# percent_hack_domains =
#

ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d

# split_spool_directory = true


######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################

begin acl

acl_check_connect:
  accept hosts = localhost:127.0.0.1:178.155.43.214:10.0.0.0/8:nicmail.ru:217.118.81.217
  control = no_enforce_sync
  accept
#warn
#   hosts   = localhost : 127.0.0.1 : 178.155.43.214 : 10.3.0.0/24
#   control = no_enforce_sync
#   message = Protocol synchronization error


# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.

acl_check_rcpt:

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.

  accept  hosts = :
          control = dkim_disable_verify

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept  local_parts   = postmaster
          domains       = +local_domains

  require verify        = sender

#  deny message         = Lokup Failed
#      !hosts          = +relay_from_hosts : +white_hosts
#      !verify          = reverse_host_lookup
#warn   !verify = reverse_host_lookup
# Запрещщаем тех, кто не обменивается приветственными
# сообщениями (HELO/EHLO)
#  deny    message       = "HELO/EHLO require by SMTP RFC"
#          condition     = ${if eq{$sender_helo_name}{}{yes}{no}}

  accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify

  accept  authenticated = *
          control       = submission/sender_retain
          control       = dkim_disable_verify

# Рубаем нах, тех, кто подставляет свой IP в HELO
#  deny    message       = "Your IP in HELO - access denied!"
#          hosts         =  * : !+relay_from_hosts
#          condition     = ${if eq{$sender_helo_name}\
#                          {$sender_host_address}{true}{false}}
# Рубаем тех, кто в HELO пихает мой IP (2500 мудаков за месяц!)
#  deny    condition     = ${if eq{$sender_helo_name}\
#        {$interface_address}{yes}{no}}
#          hosts         = !127.0.0.1 : !localhost : *
#          message       = "main IP in your HELO! Access denied!"

# Рубаем тех, кто в HELO пихает только цифры
# (не бывает хостов ТОЛЬКО из цифр)
#  deny    condition     = ${if match{$sender_helo_name}\
#          {\N^\d+$\N}{yes}{no}}
#          hosts         = !127.0.0.1 : !localhost : *
#          message       = "can not be only number in HELO!"

# Рубаем хосты типа *adsl*; *dialup*; *pool*;....
# Нормальные люди с таких не пишут. Если будут
# проблемы - уберёте проблемный пункт (у меня клиенты
# имеют запись типа asdl-1233.zone.su - я ADSL убрал...)
#  deny    message       = "your hostname is bad (adsl, poll, ppp & etc)."
#          condition     = ${if match{$sender_host_name} \
#                           {adsl|dialup|pool|peer|dhcp} \
#                           {yes}{no}}

# Проверка получателя в локальных доменах.
# Если не проходит, то проверяется следующий ACL,
# и если непрошёл и там - deny
  accept  domains       = +local_domains
          endpass
          message       = "In my mailserver not stored this user"
          verify        = recipient

# Проверяем получателя в релейных доменах
# Опять-таки если не проходит -> следующий ACL,
# и если непрошёл и там - deny
  accept  domains       = +relay_to_domains
          endpass
          message       = "main server not know how relay to this address"
          verify        = recipient

# Рубаем тех, кто в блэк-листах. Серваки перебираются
# сверху вниз, если не хост не найден на первом, то
# запрашивается второй, и т.д. Если не найден ни в одном
# из списка - то почта пропускается.
#  deny    message       = you in blacklist: $dnslist_domain \n $dnslist_text
#          dnslists      = opm.blitzed.org : \
#                          cbl.abuseat.org : \
#                          bl.csma.biz : \
#                          dynablock.njabl.org

# Разрешаем почту от доменов в списке relay_from_hosts
  accept  hosts         = +relay_from_hosts

  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  accept
# Если неподошло ни одно правило - чувак явно ищет
# открытый релей. Пшёл прочь. :)
#  deny    message       = "Homo hominus lupus est"


acl_check_data:

  # Deny if the message contains a virus. Before enabling this check, you
  # must install a virus scanner and set the av_scanner option above.
  #
  # deny    malware    = *
  #         message    = This message contains a virus ($malware_name).

  # Add headers to a message if it is judged to be spam. Before enabling this,
  # you must install SpamAssassin. You may also need to set the spamd_address
  # option above.
  #
  # warn    spam       = nobody
  #         add_header = X-Spam_score: $spam_score\n\
  #                      X-Spam_score_int: $spam_score_int\n\
  #                      X-Spam_bar: $spam_bar\n\
  #                      X-Spam_report: $spam_report

  # Accept the message.

  accept

######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################

begin routers

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# if ipv6-enabled then instead use:
# ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
  no_more

system_aliases:
  driver = redirect
  allow_fail
  allow_defer
#  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  data = ${lookup mysql{SELECT `goto` FROM `alias` WHERE \
                  `address`='${quote_mysql:$local_part@$domain}' OR \
                  `address`='${quote_mysql:@$domain}'}}
  user = mailnull
  group = mail
  file_transport = address_file
  pipe_transport = address_pipe


userforward:
  driver = redirect
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  file = $home/.forward
# allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  condition = ${if exists{$home/.forward} {yes} {no} }

localuser:
  driver = accept
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  transport = local_delivery
  cannot_route_message = Unknown user

dovecot_user:
  driver = accept
  condition = ${lookup mysql{SELECT `goto` FROM \
  `alias` WHERE \
  `address`='${quote_mysql:$local_part@$domain}' OR \
  `address`='${quote_mysql:@$domain}'}{yes}{no}}
  transport = dovecot_delivery

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a router that successfully
# handles an address.

begin transports

remote_smtp:
  driver = smtp

local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  user = $local_part
  mode = 0660
  no_mode_fail_narrower

dovecot_delivery:
  driver = pipe
  command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user = mailnull

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################
begin retry

# Address or Domain    Error       Retries
# -----------------    -----       -------

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

begin authenticators

#PLAIN:
#  driver                     = plaintext
#  server_set_id              = $auth2
#  server_prompts             = :
#  server_condition           = Authentication is not yet configured
#  server_advertise_condition = ${if def:tls_in_cipher }

# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.

#LOGIN:
#  driver                     = plaintext
#  server_set_id              = $auth1
#  server_prompts             = <| Username: | Password:
#  server_condition           = Authentication is not yet configured
#  server_advertise_condition = ${if def:tls_in_cipher }

auth_login:
    driver = dovecot
    public_name = LOGIN
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1

auth_plain:
    driver = dovecot
    public_name = PLAIN
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1


auth_cram_md5:
    driver = dovecot
    public_name = CRAM-MD5
    server_socket = /var/run/dovecot/auth-client
    server_set_id = $auth1

######################################################################
#                   CONFIGURATION FOR local_scan()                   #
######################################################################

# begin local_scan


# End of Exim configuration file

Закоментарил различные проверки, не помогает.

2016-03-14 17:51:49 H=([10.202.191.223]) [217.118.81.217] F=<ceo@xx.ru> rejected RCPT <kassir@zz.su>: relay not permitted
И почему-то внесенный IP в разрешенные все равно почта не уходит.

[Alex Keda]

Авторизуйтесь при отправке-то....

[ank0l0g]

А разве у меня нет авторизации.
Это не то.
auth_login:
driver = dovecot
public_name = LOGIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1

auth_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1


auth_cram_md5:
driver = dovecot
public_name = CRAM-MD5
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1

[xM]

А разве у меня нет авторизации.

На клиенте проверьте включённую SMTP авторизацию.