Omit Sender verify for certain mails?

gflamerich

Hi
This should sound strange, but we have a client who needs to receive emails from a couple of addresses that don't pass sender verification.
We already tried to talk to the other end to correct the problem, but they are huge companies and won't change their policy ..... so here we are......
We have sender verification activated (and want to keep it that way), so we want to know if it's possible to bypass sender verification for some addresses. I don't know which is better: a whole domain, IP address, or individual email address, but at this point, any option may help.
Thanks
 

nisse

You could do it like this in exim.conf:

addresslist whitelist_senders = wildlsearch;/etc/whitelist_senders

Then put the sender addresses in the file /etc/whitelist_senders, one per line, e.g.

[email protected]
*@domain2.tld

Then add the following line to your sender verify statement:

!senders = +whitelist_senders
 

gflamerich

Thank you for your reply,
Could you be so kind as to be a little more specific about where I should put the
!senders = +whitelist_senders

Here is our config

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :

# Always accept mail to postmaster & abuse for any local domain
accept domains = +local_domains
local_parts = postmaster:abuse

# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}

accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}


# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}

accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}

#if it gets here it isn't mailman

#sender verifications are required for all messages that are not sent to lists

require verify = sender/callout=5s,defer_ok
accept domains = +local_domains
endpass

#recipient verifications are required for all messages that are not sent to the local machine
#this was done at multiple users requests

message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
verify = recipient

accept domains = +relay_domains

warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
hosts = +relay_hosts
accept hosts = +relay_hosts

warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
condition = ${perl{checkrelayhost}{$sender_host_address}}
accept condition = ${perl{checkrelayhost}{$sender_host_address}}

accept hosts = +auth_relay_hosts
endpass
message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.
authenticated = *

deny message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.


#!!# ACL that is used after the DATA command
check_message:
require verify = header_sender
accept
 

nisse

It should go here:

Code:
#sender verifications are required for all messages that are not sent to lists

require verify   = sender/callout=5s,defer_ok
        !senders = +whitelist_senders

accept domains = +local_domains
endpass
 

gflamerich

Doesn't seem to be working properly....
Here is the log. We sent an email to test and had this in the mail log. Now, after accepting the sender as valid, it rejects the local address ...

H=(mail.inwhitelist.net) [##.###.###.###] F=<[email protected]> rejected RCPT <[email protected]>
 

nisse

Ah, sorry about that - it's because of the way the "require" verb works. Give me a few minutes and I'll come up with something.
 

nisse

Ok, change it to this:

Code:
deny
  !verify   = sender/callout=5s,defer_ok
  !senders  = +whitelist_senders
  
accept domains = +local_domains
endpass
Something I missed the first time round; you also need to change this at the bottom:

Code:
check_message:
deny
  !verify   = header_sender
  !senders  = +whitelist_senders
accept
Hope this works! :)
 

wkdwich

nisse said:
You could do it like this in exim.conf:

addresslist whitelist_senders = wildlsearch;/etc/whitelist_senders
I totally get the rest of this repair.. but is this line also being added to the exim conf file?? If so where??
 

AlexAT

nisse said:
Ok, change it to this:

Code:
deny
  !verify   = sender/callout=5s,defer_ok
  !senders  = +whitelist_senders
  
accept domains = +local_domains
endpass
Something I missed the first time round; you also need to change this at the bottom:

Code:
check_message:
deny
  !verify   = header_sender
  !senders  = +whitelist_senders
accept
Hope this works! :)
Does not work from my side.
1. I create whitelist_senders file in the /etc dir:
Code:
ls -l /etc/whitelist_senders 
-rw-r--r--    1 root     root           19 Aug 31 14:19 /etc/whitelist_senders
2. I put such instructions in the exim configuration via WHM.

Then my exim_mainlog contains the following:
Code:
2006-08-31 14:19:19 1GIkZr-0002CD-Tn unknown named address list "+whitelist_senders"
2006-08-31 14:19:22 1GIkZs-0002Cq-1D unknown named address list "+whitelist_senders"
2006-08-31 14:19:22 1GIkZq-0002Cm-L2 unknown named address list "+whitelist_senders"
2006-08-31 14:19:23 1GIkZu-0002Cp-ND unknown named address list "+whitelist_senders"
2006-08-31 14:19:24 1GIkZr-0002Co-Oi unknown named address list "+whitelist_senders"
2006-08-31 14:19:27 1GIkZx-0002Cz-Cp unknown named address list "+whitelist_senders"
...
Could you please advise where the problem is?
Thank you.
 

AlexAT

I already found an answer.
I forgot to create alias:
Code:
addresslist whitelist_senders = wildlsearch;/etc/whitelist_senders
Now all works like a charm.
Thank you !
 

GPH

Hi, I tried to implement this but got a syntax error on !senders = +whitelist_senders

Is there any info you require?


Thanks
 

GPH

Just tried again and still get the error...

error in ACL: unknown ACL verb in "!senders = +whitelist_senders"

And this is what I have in the config..

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :

drop hosts = /etc/exim_deny
message = Connection denied after dictionary attack
log_message = Connection denied from $sender_host_address after dictionary attack
!hosts = /etc/exim_deny_whitelist
!hosts = +relay_hosts
!authenticated = *

drop message = Appears to be a dictionary attack
log_message = Dictionary attack (after $rcpt_fail_count failures)
condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
!verify = recipient
!hosts = /etc/exim_deny_whitelist
!hosts = +relay_hosts
!authenticated = *

# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}

accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
{yes}{no}}


# Accept bounces to lists even if callbacks or other checks would fail
warn message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}

accept condition = \
${if and {{match{$local_part}{(.*)-bounces\+.*}} \
{exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
{yes}{no}}

#if it gets here it isn't mailman

#sender verifications are required for all messages that are not sent to lists

require verify = sender/callout
accept domains = +local_domains
endpass

#recipient verifications are required for all messages that are not sent to the local machine
#this was done at multiple users requests

message = "The recipient cannot be verified. $acl_verify_message"
verify = recipient

accept domains = +relay_domains : certapay.com

warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
hosts = +relay_hosts
accept hosts = +relay_hosts

warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
condition = ${perl{checkrelayhost}{$sender_host_address}}
accept condition = ${perl{checkrelayhost}{$sender_host_address}}

accept hosts = +auth_relay_hosts
endpass
message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.
authenticated = *

deny message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.


#!!# ACL that is used after the DATA command
check_message:
# Enabling this will make the server non-rfc compliant
# require verify = header_sender
accept

Thanks
 

furquan

Hi,

I am also getting the same error, and am not sure how to get this resolved:

2006-10-14 18:36:20 unknown named address list "+whitelist_senders"
2006-10-14 18:36:20 unknown named address list "+whitelist_senders"

Has anyone found a solution yet?


Thanks
 

furquan

AlexAT said:
I already found an answer.
I forgot to create alias:
Code:
addresslist whitelist_senders = wildlsearch;/etc/whitelist_senders
Now all works like a charm.
Thank you !

Pardon my ignorance, but how did you create that alias? Where do I need to enter that?

Thanks
 
Feb 22, 2003
16
0
151
In the first section of your exim configuration file where all the other lists are declared. It's the first editable section in WHM.

Terry
 

furquan

Terry :

Thanks for the response. Reconfirm again .....

Is it the very first blank box in the Advanced mode of "Exim Configuration Editor"?

Coz that is blank at the moment.

Thanks
 
Feb 22, 2003
16
0
151
Yes, the very first section.

This is a sample of what I have in my first section.

Code:
## sender address lists
addresslist sender_whitelist= lsearch*@;/etc/exim/sender_whitelist
addresslist sender_blacklist= lsearch*@;/etc/exim/sender_blacklist
I have customized my configuration to use different lists for various things in my ACLs. The first section is where the lists are put and other types of customisations. You'd need to look at the exim docs to see what else can be customised there. Other sections of exim.conf (the ACLs) refer to the first section when I reference a list. You reference a list as +listname - example if I wanted to use /etc/exim/sender_whitelist I'd refer to it in an ACL as +sender_whitelist. If you haven't used any lists or customised anything else, it's not uncommon to have a blank first section.

Terry
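
A pre-deployment check for the failure several posters hit above (unknown named address list "+whitelist_senders"), as an added example that is not part of the thread or of Exim/cPanel: it scans configuration text and reports every +name used in an ACL list condition that has no declaration of the matching list type in the main section. The function name, the condition-to-list-type table and the sample configurations are constructed for illustration, and backslash-continued lines are not joined.

```python
import re

# ACL list condition -> the type of named list its "+name" items refer to.
LIST_TYPE = {
    "senders": "addresslist", "recipients": "addresslist",
    "hosts": "hostlist", "local_parts": "localpartlist",
    "domains": "domainlist", "sender_domains": "domainlist",
}
DECL = re.compile(r"(addresslist|hostlist|domainlist|localpartlist)(?:_cache)?\s+(\w+)\s*=")
COND = re.compile(r"\b(" + "|".join(LIST_TYPE) + r")\s*=\s*(.*)$")

def undeclared_lists(config_text):
    """Return (line number, list type, name) for each +name with no declaration."""
    declared, problems, in_main = set(), [], True
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"begin\s", line):
            in_main = False  # named lists can only be declared before the first "begin"
        decl = DECL.match(line)
        if decl and in_main:
            declared.add((decl.group(1), decl.group(2)))
        cond = None if decl else COND.search(line)
        if not cond:
            continue
        wanted = LIST_TYPE[cond.group(1)]
        for item in cond.group(2).split(":"):
            name = item.strip().lstrip("!").strip()
            if name.startswith("+") and (wanted, name[1:]) not in declared:
                problems.append((lineno, wanted, name[1:]))
    return problems

# Constructed samples: the thread's ACL without, then with, the list declaration.
SAMPLE_BROKEN = """\
domainlist local_domains = lsearch;/etc/localdomains
begin acl
check_recipient:
  deny
    !verify  = sender/callout=5s,defer_ok
    !senders = +whitelist_senders
  accept domains = +local_domains
"""
SAMPLE_FIXED = "addresslist whitelist_senders = wildlsearch;/etc/whitelist_senders\n" + SAMPLE_BROKEN

if __name__ == "__main__":
    for lineno, kind, name in undeclared_lists(SAMPLE_BROKEN):
        print(f"line {lineno}: +{name} used, but no '{kind} {name} = ...' in the main section")
```

A list declared with the wrong keyword (for example hostlist instead of addresslist) is reported as well, because Exim keeps a separate namespace for each list type.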
 

furquan

Thanks a lot for your response Terry.

I had this issue for the whole last week...and I did not realise that the Alias was missing.

Thanks a lot.