verify = sender/callout change?

[ShaneK]

Today I update my cpanel from Release 18033 to the current Release 18430. As often happens I was notified exim has changed and I need to remove my custom acl's and reinstall them. (this is what prompted me to manually update instead of allowing auto updates)

One of the very important acl conditions I have custom is the sender/callout option. I prefer to keep this option on and control the bypass with a whitelist. Here is what I had previous to the update: (notice I only commented out the default acl for this)

Code:

[% ACL_RBL_BLOCK %]

############################################
# Sender Verification
############################################ 

#sender verifications are required for all messages that are not sent to lists
deny message = WSS560 - From email address must be valid (able to receive email).
log_message =  WSS560 - From email address must be valid (able to receive email).
!verify = sender/callout=60s,defer_ok
!hosts = +rv_sender_callout_ip_whitelist
!senders = +rv_sender_callout_email_whitelist
accept domains = +local_domains
           
########################### The old way ####
# require verify = sender/callout=60s
############################################

While looking to reinstate this little gem I found the following in it's place:

Code:

[% ACL_WHITELIST_BLOCK %]

[% ACL_RBL_BLOCK %]

[% ACL_TRUSTEDLIST_BLOCK %]

[% ACL_PRE_RECP_VERIFY_BLOCK %]

#recipient verifications are required for all messages that are not sent to the local machine
                        #this was done at multiple users requests
                        require verify = recipient

I would like to get my whitelist back in place, but I'm somewhat confused with the new terminology require verify = recipient. I dropped by exim.org and the cpanel change logs but I could find nothing about this.

Anyone know what I need to put in my ACL to acheive the same effect? I realize I could use the cpanel whitelist and whitelist against all the ACLs but I prefer to whitelist the sender/callout independantly.

Any guidance is greatly appreciated!

[JasonJPN]

Did you get this figured out? I would like to know how also.

[sneader]

Also interested in the answer.

- Scott

[sparek-3]

I don't think it would necessarily matter.

It looks like the new cPanel defaults into putting this after

Code:

#if it gets here it isn't mailman

One thing to note, in order to use callouts in the exim advanced configuration editor, you have to have the option checked for:

Sender Verification Callouts

In the Exim Configuration screen in the WHM.

If this is not checked, then the callouts will not be performed. The new Exim editor seems to do some type of internal audit after doing an advanced edit.

[ShaneK]

I'm not sure what you mean when you say it wouldn't matter. Are you saying with the way exim is setup now a verify/callout whitelist is now impossible?

Has anyone else come up with a solution for this? Example code that would replace the new terminology would be greatly appreciated. It is important I re-instate the whitelist that already exists to keep my clients email flowing.

Could I simply do this?:

Code:

[% ACL_WHITELIST_BLOCK %]

[% ACL_RBL_BLOCK %]

[% ACL_TRUSTEDLIST_BLOCK %]

[% ACL_PRE_RECP_VERIFY_BLOCK %]

#recipient verifications are required for all messages that are not sent to the local machine
#this was done at multiple users requests
############################################
# Sender Verification
############################################ 

#sender verifications are required for all messages that are not sent to lists
deny message = WSS560 - From email address must be valid (able to receive email).
log_message =  WSS560 - From email address must be valid (able to receive email).
!verify = recipient=60s,defer_ok
!hosts = +rv_sender_callout_ip_whitelist
!senders = +rv_sender_callout_email_whitelist
accept domains = +local_domains
           
########################### The old way ####
# require verify = recipient
############################################

[sparek-3]

What I mean is that it doesn't really matter where you put the callout in the exim configuration.

I guess thats not exactly true, but in regards to the examples given, you could put it there.

cPanel is putting the sender callouts after the line:

Code:

#if it gets here it isn't mailman

So you could just modify this to look like:

Code:

#if it gets here it isn't mailman
verify   = sender/callout=60s,defer_ok

Or you could put the sender callout after:

Code:

[% ACL_PRE_RECP_VERIFY_BLOCK %]

#recipient verifications are required for all messages that are not sent to the local machine
                        #this was done at multiple users requests
                        require verify = recipient

Just modify this segment to say:

Code:

[% ACL_PRE_RECP_VERIFY_BLOCK %]

#recipient verifications are required for all messages that are not sent to the local machine
                        #this was done at multiple users requests
                        require verify = recipient 

verify   = sender/callout=60s,defer_ok

[sparek-3]

As for whitelisting, it looks like this is being added directly into cPanel builds:

http://forums.cpanel.net/showthread.php?t=73997

[SageBrian]

What I mean is that it doesn't really matter where you put the callout in the exim configuration.


Or you could put the sender callout after:

Code:

[% ACL_PRE_RECP_VERIFY_BLOCK %]

#recipient verifications are required for all messages that are not sent to the local machine
                        #this was done at multiple users requests
                        require verify = recipient 

verify   = sender/callout=60s,defer_ok

I like this one. It first checks if the recipient exists. If the recipient doesn't exist, why bother with the other checks?
Then, verify the sender. If not verified, no need to check run other tests.
Then spamhaus/spamcop.
And finally mailscanner (or just SA if you don't do MS)

Now, if someone could just put a definitive, working ACL, without, of course the fear of cPanel changing something yet again.

cPanel, I do appreciate the advances taken in ACL, etc. But perhaps there should be little 'cautions' listed in the changelog? Like 'Caution, this change may effect current settings"
Not a complaint, since I'm am very grateful we actually have a changelog... just a suggestion.

[rvskin]

One thing to note, in order to use callouts in the exim advanced configuration editor, you have to have the option checked for:

Sender Verification Callouts

In the Exim Configuration screen in the WHM.

If this is not checked, then the callouts will not be performed. The new Exim editor seems to do some type of internal audit after doing an advanced edit.

Above suggestion is very important. Don't forget it. And then you can add callout ACL, Below is mine. You should add it after RBL, dicitionary attack and recipient veirfication ACL.


##
# Callout (create SMTP connection to test the sender address
# Deny unless the sender address can be verified.
# Testing only the sender that not listed in the callout whitelist and dsn.rfc-ignorant.org
##
deny message = From email address must be valid
# do not check address for lists or bounces
# or people in our company contact database
!senders = ^.*-request@.*:\
^bounce-.*@.*:\
^.*-bounce@.*:\
^owner-.*@.*:\
^listmaster@.*:\
^root@.*:\
^anonymous@.*:\
^nobody@.*
!domains = +rv_callout_receiver_domain_whitelist
!sender_domains = +rv_callout_sender_domain_whitelist
# Do not check for DSN-ignorant domains
# those that don't accept MAIL FROM:<>
!dnslists = dsn.rfc-ignorant.org/$sender_address_domain
hosts = ! +senderverifybypass_hosts
!verify = sender/callout=10s,defer_ok


And don't forget to add domainlist below on the first box of exim configuration editor.

domainlist rv_callout_sender_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_callout_sender_domain_whitelist
domainlist rv_callout_receiver_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_callout_receiver_domain_whitelist