Exim, 465, внешние пользователи

EXIM, sendmail, postfix, Dovecot и прочие. Решение проблем связанных с работой электронной почты

Модератор: xM

Правила форума
Убедительная просьба юзать теги [code] при оформлении листингов.
Сообщения не оформленные должным образом имеют все шансы быть незамеченными.
100matolog
ст. сержант
Сообщения: 309
Зарегистрирован: 2008-05-30 12:11:16
Откуда: kiev
Контактная информация:

Exim, 465, внешние пользователи

Непрочитанное сообщение 100matolog » 2011-06-13 21:47:24

Возможно сабж поднимался - но не нашел
Есть задача - разрешить командировочным сотрудникам слать почту через офисный сервер через 465.
Поставил exim + saslauth + dovecot

Код: Выделить всё

[root@gate /usr/local/etc]# cat  /usr/local/etc/exim/configure      
######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################


primary_hostname = mail.domen.com

domainlist local_domains = mail.domen.com
domainlist relay_to_domains =

hostlist    relay_from_hosts = localhost : 127.0.0.1 : 192.168.0.0/16

hostlist auth_relay_hosts = *

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

av_scanner = clamd:/var/run/clamav/clamd.sock

spamd_address = 127.0.0.1 783


daemon_smtp_ports = 25:465:587

exim_user = mailnull
exim_group = mail
never_users = root
smtp_accept_max = 500
smtp_accept_max_per_connection = 30
smtp_accept_max_per_host = 40
smtp_enforce_sync = true

message_size_limit = 100M


#acl_smtp_helo = acl_check_helo

qualify_domain = mail.tynnyi.com
qualify_recipient = mail.tynnyi.com
sender_unqualified_hosts = +relay_from_hosts
recipient_unqualified_hosts = +relay_from_hosts
helo_accept_junk_hosts = 192.168.0.0/16


#host_lookup = *

rfc1413_hosts = *
rfc1413_query_timeout = 5s

ignore_bounce_errors_after = 10m

timeout_frozen_after = 7d

log_selector = \
    +all_parents \
    +connection_reject \
    +incoming_interface \
    +lost_incoming_connection \
    +received_sender \
    +received_recipients \
    +smtp_confirmation \
    +smtp_syntax_error \
    +smtp_protocol_error \
    -queue_run

syslog_timestamp = no



######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################

begin acl



acl_check_rcpt:

  accept  hosts = : +relay_from_hosts

 control = dkim_disable_verify



  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]



  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


  #############################################################################

  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.

  accept  local_parts   = postmaster
          domains       = +local_domains

  # Deny unless the sender address can be verified.

  require verify        = sender


#  accept  hosts         = +relay_from_hosts
#
#          control       = submission
#          control       = dkim_disable_verify

  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted, and submission mode is set. And again, we do this
  # check before any black list tests.

  accept  authenticated = *
            control       = submission
          control       = dkim_disable_verify

 
 deny    message       = "HELO/EHLO require by SMTP RFC"
       condition     = ${if eq{$sender_helo_name}{}{yes}{no}}

deny    message       = "Your IP in HELO - access denied!"
          hosts         =  * : !+relay_from_hosts : !81-196.lissyara.su
        condition     = ${if eq{$sender_helo_name}\
        {$sender_host_address}{true}{false}}

deny    condition     = ${if eq{$sender_helo_name}\
    {$interface_address}{yes}{no}}
     hosts         = !127.0.0.1 : !localhost : *
    message       = "main IP in your HELO! Access denied!"

deny    message       = "your hostname is bad (adsl, poll, ppp & etc)."
          condition     = ${if match{$sender_host_name}{adsl|dialup|pool|peer|dhcp}{yes}{no}}



  require message = relay not permitted
          domains = +local_domains : +relay_to_domains

  require verify = recipient

  accept




acl_check_data:


warn  message         = X-Quarantine-Me-Malware: $malware_name
        log_message     = malware: $malware_name
        demime          = *
        malware         = */defer_ok

    warn    message       = X-Quarantine-Me-Spam: SA score $spam_score\n\
    X-SA-Report: $spam_report
    log_message   = Spam score $spam_score > 5
    spam          = spamd/defer_ok
    condition     = ${if >{$spam_score_int}{50}{1}{0}}


  # Accept the message.

  accept



######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################

begin routers

check_malware:
    driver                = redirect
    condition             = ${if def:h_X-Quarantine-Me-Malware: {1}{0}}
    headers_add           = X-Quarantined-Malware: $h_X-Quarantine-Me-Malware:
    headers_remove        = X-Quarantine-Me-Malware
    data                  = /var/quarantine/malware/malware.$tod_logfile
    file_transport        = address_file

check_spam:
    driver                = redirect
    condition             = ${if def:h_X-Quarantine-Me-Spam: {1}{0}}
    headers_add           = X-Quarantined-Spam: $h_X-Quarantine-Me-Spam:
    headers_remove        = X-Quarantine-Me-Spam
    data                  = /var/quarantine/spam/spam.$tod_logfile
    file_transport        = address_file
    no_more

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more



system_aliases:
  driver = redirect
  allow_fail
  allow_defer
  data = ${lookup{$local_part}lsearch{/etc/aliases}}
  user = mailnull
  group = mail
  file_transport = address_file
  pipe_transport = address_pipe




userforward:
  driver = redirect
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  file = $home/.forward
# allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply
  condition = ${if exists{$home/.forward} {yes} {no} }


# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".

# If you want this router to treat local parts with suffixes introduced by "-"
# or "+" characters as if the suffixes did not exist, uncomment the two local_
# part_suffix options. Then, for example, xxxx-foo@your.domain will be treated
# in the same way as xxxx@your.domain by this router.

localuser:
  driver = accept
  check_local_user
# local_part_suffix = +* : -*
# local_part_suffix_optional
  transport = local_delivery
  cannot_route_message = Unknown user



######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

# A transport is used only when referenced from a router that successfully
# handles an address.

begin transports


# This transport is used for delivering messages over SMTP connections.

remote_smtp:
  driver = smtp


local_delivery:
  driver = appendfile
  file = /var/mail/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  user = $local_part
  mode = 0660
  no_mode_fail_narrower



address_pipe:
  driver = pipe
  return_output


# This transport is used for handling deliveries directly to files that are
# generated by aliasing or forwarding.

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add


# This transport is used for handling autoreplies generated by the filtering
# option of the userforward router.

address_reply:
  driver = autoreply



######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################

begin retry


# Address or Domain    Error       Retries
# -----------------    -----       -------

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h



######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite



######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


begin authenticators

plain:
driver = plaintext
public_name = PLAIN
#server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
server_condition = ${if saslauthd{{$auth2}{$auth3}}{1}{0}}
server_set_id = $auth2 

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
#server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}

server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}}
server_set_id = $auth1



#PLAIN:
#  driver                     = plaintext
#  server_set_id              = $auth2
#  server_prompts             = :
#  server_condition           = Authentication is not yet configured
#  server_advertise_condition = ${if def:tls_cipher }

# LOGIN authentication has traditional prompts and responses. There is no
# authorization ID in this mechanism, so unlike PLAIN the username and
# password are $auth1 and $auth2. Apart from that you can use the same
# server_condition setting for both authenticators.

#LOGIN:
#  driver                     = plaintext
#  server_set_id              = $auth1
#  server_prompts             = <| Username: | Password:
#  server_condition           = Authentication is not yet configured
#  server_advertise_condition = ${if def:tls_cipher }


######################################################################
#                   CONFIGURATION FOR local_scan()                   #
######################################################################

# If you have built Exim to include a local_scan() function that contains
# tables for private options, you can define those options here. Remember to
# uncomment the "begin" line. It is commented by default because it provokes
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
# set in the Local/Makefile.

# begin local_scan


# End of Exim configuration file
С локалки на 465 порт уходит нормально письма без авторизации по смтп.

Извне при попытке соединится просит пароль - ввожу %user% : %password% - не канает. Ввожу %user@mail.domen.com% : %password% тоже не катит. В логе

Код: Выделить всё

2011-06-13 21:35:59 plain authenticator failed for ([127.0.0.1]) [212.26.222.22] I=[195.177.222.222]:465: 535 Incorrect authentication data (set_id=user)
2011-06-13 21:35:59 login authenticator failed for ([127.0.0.1]) [212.26.222.22] I=[195.177.222.222]:465: 535 Incorrect authentication data (set_id=user)
testsaslauthd -u user -p pass - тест проходит нормально без ошибок
Почем 465 порт - сотрудники частенько попадают в сети где 25 порт заблокирован.
Подскажите пожалуйста - как решить проблему?

Хостинговая компания Host-Food.ru
Хостинг HostFood.ru
 

Услуги хостинговой компании Host-Food.ru

Хостинг HostFood.ru

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2520 рублей (8 CPU, 8Gb RAM, 2x500Gb HDD, RAID 3ware 9750):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

Аватара пользователя
schizoid
подполковник
Сообщения: 3228
Зарегистрирован: 2007-03-03 17:32:31
Откуда: Украина, Чернигов
Контактная информация:

Re: Exim, 465, внешние пользователи

Непрочитанное сообщение schizoid » 2011-06-13 21:59:44

посмотри тут, у меня тоже была проблема похожая
http://forum.lissyara.su/viewtopic.php? ... 8F#p294924
ядерный взрыв...смертельно красиво...жаль, что не вечно...

100matolog
ст. сержант
Сообщения: 309
Зарегистрирован: 2008-05-30 12:11:16
Откуда: kiev
Контактная информация:

Re: Exim, 465, внешние пользователи

Непрочитанное сообщение 100matolog » 2011-06-13 22:08:49

schizoid писал(а):посмотри тут, у меня тоже была проблема похожая
http://forum.lissyara.su/viewtopic.php? ... 8F#p294924
гм.. у вас в мускле аккаунты хранятся. Я же беру системных юзеров.

100matolog
ст. сержант
Сообщения: 309
Зарегистрирован: 2008-05-30 12:11:16
Откуда: kiev
Контактная информация:

Re: Exim, 465, внешние пользователи

Непрочитанное сообщение 100matolog » 2011-06-13 22:09:22

Код: Выделить всё

Jun 13 21:58:50 gate saslauthd[1145]: in openpam_read_chain(): /etc/pam.d/(0): invalid facility '^Q^T^A' (ignored)
Jun 13 21:58:50 gate saslauthd[1145]: do_auth         : auth failure: [user=maxim] [service=] [realm=] [mech=pam] [reason=PAM start error]

100matolog
ст. сержант
Сообщения: 309
Зарегистрирован: 2008-05-30 12:11:16
Откуда: kiev
Контактная информация:

Re: Exim, 465, внешние пользователи

Непрочитанное сообщение 100matolog » 2011-06-13 22:14:06

с авторизацией решил
поправил блок авторизации на

Код: Выделить всё

begin authenticators

plain:
driver = plaintext
public_name = PLAIN
#server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
server_condition = ${if saslauthd{{$1}{$2}{smtp}}{1}{0}}
#server_set_id = $auth2

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
#server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
server_condition = ${if saslauthd{{$1}{$2}{smtp}}{1}{0}}
#server_set_id = $auth1
теперь вылезла другая проблема

Код: Выделить всё

2011-06-13 22:03:12 1QWCPo-00034i-BK <= user@mail.domen.com H=([127.0.0.1]) [212.26.222.22] I=[195.177.222.222]:465 P=esmtpa A=login S=729 id=4DF660E3.1050709@mail.domen.com from <user@mail.domen.com> for user@pma.net.ua
2011-06-13 22:03:12 1QWCPo-00034i-BK == user@pma.net.ua R=dnslookup defer (-1): host lookup did not complete

100matolog
ст. сержант
Сообщения: 309
Зарегистрирован: 2008-05-30 12:11:16
Откуда: kiev
Контактная информация:

Re: Exim, 465, внешние пользователи

Непрочитанное сообщение 100matolog » 2011-06-13 22:31:11

100matolog писал(а):с авторизацией решил
поправил блок авторизации на

Код: Выделить всё

begin authenticators

plain:
driver = plaintext
public_name = PLAIN
#server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
server_condition = ${if saslauthd{{$1}{$2}{smtp}}{1}{0}}
#server_set_id = $auth2

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
#server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
server_condition = ${if saslauthd{{$1}{$2}{smtp}}{1}{0}}
#server_set_id = $auth1
теперь вылезла другая проблема

Код: Выделить всё

2011-06-13 22:03:12 1QWCPo-00034i-BK <= user@mail.domen.com H=([127.0.0.1]) [212.26.222.22] I=[195.177.222.222]:465 P=esmtpa A=login S=729 id=4DF660E3.1050709@mail.domen.com from <user@mail.domen.com> for user@pma.net.ua
2011-06-13 22:03:12 1QWCPo-00034i-BK == user@pma.net.ua R=dnslookup defer (-1): host lookup did not complete
разобрался с последним. Забыл на фаере открыть 53 порт :oops:

так..теперь. авторизация проходит, письмо уходит но неприходит получателю

в логе вот такое

Код: Выделить всё

2011-06-13 22:20:06 plain authenticator failed for ([127.0.0.1]) [212.26.157.11] I=[195.177.73.203]:465: 535 Incorrect authentication data
2011-06-13 22:20:08 1QWCgA-0000T4-9t SA: Debug: SAEximRunCond expand returned: '0'
2011-06-13 22:20:08 1QWCgA-0000T4-9t SA: Action: Not running SA because SAEximRunCond expanded to false (Message-Id: 1QWCgA-0000T4-9t). From <maxim@mail.tynnyi.com> (host=NULL [212.26.222.222]) for 100matolog@gmail.com
2011-06-13 22:20:08 1QWCgA-0000T4-9t <= maxim@mail.tynnyi.com H=([127.0.0.1]) [212.26.222.2222] I=[195.177.222.222]:465 P=esmtpa A=login S=737 id=4DF664D9.6000908@mail.tynnyi.com from <maxim@mail.tynnyi.com> for 100matolog@gmail.com
2011-06-13 22:20:08 1QWCgA-0000T4-9t gmail-smtp-in.l.google.com [74.125.39.27] Permission denied
2011-06-13 22:20:08 1QWCgA-0000T4-9t alt1.gmail-smtp-in.l.google.com [72.14.213.27] Permission denied
2011-06-13 22:20:08 1QWCgA-0000T4-9t alt2.gmail-smtp-in.l.google.com [74.125.47.27] Permission denied
2011-06-13 22:20:08 1QWCgA-0000T4-9t alt3.gmail-smtp-in.l.google.com [74.125.93.27] Permission denied
2011-06-13 22:20:08 1QWCgA-0000T4-9t alt4.gmail-smtp-in.l.google.com [209.85.143.27] Permission denied
2011-06-13 22:20:08 1QWCgA-0000T4-9t == 100matolog@gmail.com R=dnslookup T=remote_smtp defer (13): Permission denied

Аватара пользователя
schizoid
подполковник
Сообщения: 3228
Зарегистрирован: 2007-03-03 17:32:31
Откуда: Украина, Чернигов
Контактная информация:

Re: Exim, 465, внешние пользователи

Непрочитанное сообщение schizoid » 2011-06-13 23:14:03

днс смотрите
ядерный взрыв...смертельно красиво...жаль, что не вечно...