Exim doesn't reject at SMTP time invalid local recipients when sender is also local

dezignguy

Well-Known Member
Sep 26, 2004
533
0
166
In my testing, it seems that local users are allowed to send mail to invalid local recipients and Exim will accept it and bounce it later. It looks like this behavior probably changed in v54, and continues through v56.

However, this change really doesn't work for me since I have a local spam filter proxy sitting in front of Exim. Internet -> port 25 (filter) -> port 2525 (exim). So the new result is that all incoming mail with invalid recipients is now seen as local by Exim and ends up filling my mail queue with frozen bounces to external mail servers.

Previously, I used the Only-verify-recipient option (/etc/trustedmailhosts) to put my local IPs and hostnames into so all Exim spam checks/rate limiting/etc would be bypassed for my spam filter proxy, except for recipient verification. This is no longer how it works though!

I did a quick diff compare of an old exim.conf backup, and the current one, and didn't see any particularly obvious config changes that would affect that. But I would assume that the routing is now different to make this change for local users.

Can anyone shed any light on the newer config changes that affect this area? And if I can possibly override them so I can get the old behavior for rejecting invalid recipients for everyone back?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,260
463
Hello,

I'm unable to reproduce the issue when sending from an email account on the same cPanel server. I created two email accounts on the same cPanel server on different accounts. I set up the "Default Address" on one account to "Discard the email while your server processes it by SMTP time with an error message". Upon sending an email from the other account on the same server, it rejected the message right away with the "No such person at this address." message. Do you notice different behavior?

Thank you.
 

dezignguy

Yes, I do notice different behavior... as I said, I have a local spam filter proxy (ASSP) sitting in front of Exim, and proxying mail connections to Exim.

When I do what you did, the mail apparently goes through... and then I get a bounce message in my inbox shortly afterwards. It used to reject at SMTP time, but apparently the Exim config has changed since to allow local mail through the recipient checks. I wonder if that was done so that the mail wouldn't get stuck in the user's outbox? But I want an option or workaround so I can have the previous reject behavior for invalid local recipients.
 

cPanelMichael

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

dezignguy

Yes, even after an upgrade to v58, this issue is still causing me problems with backscatter, and I finally got around to getting a support ticket set up.
#7855523
 

dezignguy

Well, I now have a works-for-me solution for this issue.

We found that this probably started for me when CPANEL-1958 was fixed for cPanel version 11.52.

For anyone else that is experiencing a similar issue - which you will have if you have any type of local SMTP proxy that is sending connections to Exim, and you will know it is so as Exim won't reject any invalid recipients in the exim_rejectlog - I simply removed the condition which calls the identify_local_connection function that considers all my local IPs as local senders.

What I did was, in the Exim Advanced Config Manager, disable the entire default ACL that included the condition block that includes the identify_local_connection check. And then, to avoid losing all the rest of the ACL functions, I copied back in the other parts of the ACLs, but without that specific condition block, into the custom ACL block above the default ACL.

That seems to work for what I need, and invalid recipients are now being rejected at SMTP time as they should be, and as far as I can tell, no other mail handling is negatively affected.

I should review that condition block and see if I can add it back in, but rewritten so that it doesn't use the specific identify_local_connection function, but I'm not so used to the Exim syntax here and can't fully parse what exactly it's doing there. So it will have to wait until I get the time to read up on the docs and change it properly.
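
One way to confirm whether invalid recipients are refused at SMTP time on each hop of the setup described in this thread, as an added example that is not part of any post and not cPanel or Exim code. The function names, the 127.0.0.1 host and the example.com addresses are assumptions; ports 25 and 2525 are the ones given in the first post.

```python
import smtplib
import sys

def classify_rcpt(code):
    """Map an SMTP RCPT TO reply code to its meaning for backscatter risk."""
    if 200 <= code < 300:
        return "accepted"   # server took the recipient; a later failure becomes a bounce
    if 400 <= code < 500:
        return "deferred"   # temporary failure, the sender will retry
    if 500 <= code < 600:
        return "rejected"   # refused at SMTP time, no bounce is generated
    return "unknown"

def probe_rcpt(host, port, sender, recipient, timeout=10):
    """Issue MAIL FROM and RCPT TO, then RSET; no DATA is sent, so nothing is queued."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(sender)
        if code >= 400:
            raise RuntimeError(f"MAIL FROM refused: {code} {msg!r}")
        code, msg = smtp.rcpt(recipient)
        smtp.rset()
    return code, msg.decode(errors="replace")

def backscatter_paths(results):
    """results maps a path label to the RCPT code seen for a known-invalid
    recipient. Returns the labels where the recipient was not rejected."""
    return [label for label, code in results.items()
            if classify_rcpt(code) != "rejected"]

if __name__ == "__main__":
    # Usage: script.py <known-invalid-recipient@your-domain> [sender]
    recipient = sys.argv[1]
    sender = sys.argv[2] if len(sys.argv) > 2 else "probe@example.com"  # placeholder sender
    results = {}
    for label, port in (("filter:25", 25), ("exim:2525", 2525)):
        code, text = probe_rcpt("127.0.0.1", port, sender, recipient)
        results[label] = code
        print(f"{label}: {code} {text} -> {classify_rcpt(code)}")
    bad = backscatter_paths(results)
    sys.exit(1 if bad else 0)
```

Run it on the mail server itself with a recipient that is known not to exist; a non-zero exit status means at least one path accepted the address and would bounce later.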
 

cPanelMichael

I'm happy to see you were able to find a suitable solution. Thank you for updating this thread with the outcome.