Omit Sender verify for certain mails?

[lizardo]

i have the same problem

When i use the whitelist, spamAssasin dont work.

How can i do to solve that??


i use Cpanel 11

 

[trevHCS]

Still trying to work it out. One working version noted in the comments of the MrBrando blog (link above) was using the old style transport system, but that doesn't seem to work for everyone (not tried it myself).

One slight sidenote to this I've discovered is a possible problem with those using Greylisting as the whole callback thing might not be compatible. Just a comment from the head techie of my ISP.

If we have to turn it off, the Spamhaus option seems to reject a vast amount itself.

Trev

 

[Danny_T]

Would be better to have a whitelist option inside WHM at exim configurator.
I read everywhere do this do that.. that person "it works", other person "it is not working".

Damn i need a whitelist

 

[dev_cw]

Yes that would be great. Very surprised to see this missing in 11.

 

[myusername]

This definately needs to be an option in the Exim config editor. There is too much margin for breakage on updates and human error.

Is there a bugzilla on this? If not, I will make one.

 

[cPanelDavidG]

This definately needs to be an option in the Exim config editor. There is too much margin for breakage on updates and human error.

Is there a bugzilla on this? If not, I will make one.

Here's a relevant bugzilla entry I dug up:

- Removed Outdated -

 

[myusername]

Thanks for doing the hard work for us Dave

I put a vote in on that one. If the rest of you want to see something like this in the Exim conf editor, voting on this bug might improve your chances of getting it done someday.

 

[JamieW]

For cPanel 11

Okay, I have cPanel 11 and here's what I did that appears to work:

via ssh:

touch /etc/exim_whitelist_senders

in whm first box:

addresslist whitelist_senders = wildlsearch;/etc/exim_whitelist_senders

after [% ACL_RBL_BLOCK %], replaced:

require verify = sender/callout=60s

with:

deny
    !verify = sender/callout=30s,defer_ok,maxwait=60s
    !senders = +whitelist_senders

And saved. I did NOT alter or add any of the other lines, as my +local_domains uses more complex code in my config than in the examples (e.g. "warn domains = ! ${primary_hostname} : +local_domains" ... etc.), and it already has the +relay_domains and other checks that follow as well.

Also, I did NOT switch it to old style transport.

Testing, it is still doing SA checks, and it is still doing sender verify checks, according to the exim logs. I added an email address to my new exim_whitelist_senders file and it allowed that email to come through sucessfully.

I hope this helps other cPanel 11 users!

Jamie

 

[leighj]

check/enable the sender verify checkbox

Thanks JamieW but it may sound stupid but with the above solution do you check/enable the sender verify check box on the Configuration page

 

[leighj]

Errors and no emails seem to flow

I'm also getting the following when I change the

require verify = sender/callout=60s

2007-09-03 11:22:30 H=XXXXXXXXX [XXXXXXXXX] F=<XXXXXXXXX> temporarily rejected RCPT <XXXXXXXXX>: expected "sender[=address]", "recipient", "helo", "header_syntax", "header_sender" or "reverse_host_lookup" at start of ACL condition "verify sender,defer_ok,maxwait=60s"

I've commented and removed it and cannot find it in the exim advanced configuration editor ANY other place.

Any ideas?

 

[JamieW]

Thanks JamieW but it may sound stupid but with the above solution do you check/enable the sender verify check box on the Configuration page

Yes, I leave the boxes checked in their default settings on that screen (which includes "Use callouts to verify the existence of email senders. Basiclly, exim will connect to the mail exchanger for a given address to make sure it exists before accepting mail from it." and "Verify the existence of email senders." both being checked).

And checking my exim logs, I haven't gotten the "ACL condition" error you mentioned so far. Though double check yours is typed right. I don't know if it gets changed when displayed as an error, but yours is showing "verify sender,defer_ok,maxwait=60s" in that error message, but the one I used in my config is "!verify = sender/callout=30s,defer_ok,maxwait=60s". And if that is how you have it and still not working, maybe your version needs it left as "!verify = sender/callout=60s".

Here is a quote of the entire ACL_RBL_BLOCK as in my WHM 11.2.0 advanced exim config (including my modifications), in case it might help:

[% ACL_RBL_BLOCK %]


  #require verify = sender/callout=60s 

  deny
      !verify = sender/callout=30s,defer_ok,maxwait=60s
      !senders = +whitelist_senders


  # The only problem with this setup is that if the message is for multiple users on the same server
  # and they are on different unix accounts, the settings for the first recipient which has spamassassin enabled will be used.
  # This shouldn't be a problem 99.9% of the time, however its a very small price to pay for a massive speed increase.
  
  warn  domains = ! ${primary_hostname} : +local_domains
    condition = ${if eq {${acl_m0}}{1}{0}{${perl{acl_checksa_deliver}{$domain}{${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}}}}}
    set acl_m0    = 1
    set acl_m1    = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}

  warn  domains = ${primary_hostname}
    condition = ${if eq {${acl_m0}}{1}{0}{${perl{acl_checkusersa}{$local_part}{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}}}}}
    set acl_m0    = 1
    set acl_m1    = $local_part

  accept  domains = +relay_domains

  deny    message = $sender_fullhost is currently not permitted to \
                        relay through this server. Perhaps you \
                        have not logged into the pop/imap server in the \
                        last 30 minutes or do not have SMTP Authentication turned on in your email client.


#!!# ACL that is used after the DATA command
check_message:
#  Enabling this will make the server non-rfc compliant
#  require verify = header_sender
 accept  hosts = 127.0.0.1 : +relay_hosts

  accept  hosts = *
          authenticated = *

  warn
    condition = ${if eq {${acl_m0}}{1}{1}{0}}
    spam =  ${acl_m1}/defer_ok
    log_message = "SpamAssassin as ${acl_m1} detected message as spam"
    add_header = X-Spam-Subject: [% ACL_SPAM_HEADER %] $h_subject
    add_header = X-Spam-Status: Yes, score=$spam_score
    add_header = X-Spam-Score: $spam_score_int
    add_header = X-Spam-Bar: $spam_bar
    add_header = X-Spam-Report: $spam_report
    add_header = X-Spam-Flag: YES
    set acl_m2 = 1

  warn
     condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
     add_header = X-Spam-Status: No, score=$spam_score
     add_header = X-Spam-Score: $spam_score_int
     add_header = X-Spam-Bar: $spam_bar
     add_header = X-Spam-Flag: NO
     log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam"

deny message = This message contains a virus or other harmful content ($malware_name)
    malware = *

A note, Mike here thinks I need to add "accept domains = +local_domains" to that, but I haven't found out what doing so would do yet. I've been talking with him about that on his forum about it. So just something to keep in mind maybe.

My logic though is that I want everything to do what it was before, except allow those on the whitelist through.

"require verify = sender/callout=60s" says only let through those that can verify the sender, period.

"deny !verify = sender/callout=30s,defer_ok,maxwait=60s !senders = +whitelist_senders" says (if I understand it right) deny those that can't verify the sender (with the suggested modification) and are not on the whitelist.

That seems to me to be all I should need, unless someone can tell me why anything else is needed. I'm definitely open to input and suggestions; that's why I was looking for answers here to begin.

I hope that helps.

--
Jamie

 

[leighj]

[SOLVED] Check both options

Ok I put the changes in and had BOTH items checked and everything worked. I believe I didn't have the call-out option checked.

The mail is working and all seems right with the world

Thanks JamieW

 

[trevHCS]

Can also confirm this has worked on a couple of our servers with JamieW's step by step post. Nice to see SA working and even being able to accept AOL e-mails.

Of course when Cpanel wants to update Exim again, things could get interesting.

Trev

 

[JamieW]

That's great! And quite welcome! I'm glad to see some others have it working as well.

And yeah, when it wants to update, that will be annoying. But at least with keeping the changes small and simple, it hopefully won't be hard to reset to default and re-add the changes. Just keep note of what you did.

 

[JIKOmetrix]

Hi Jamie,

I made the changes as you described in your post. They do work and SA is checking mail. However, I am not getting any mail that is marked as SPAM point over 5 below 10 delivered to inboxes with sibjects being re-written with *****SPAM*****.

Are you getting SPAMMY email delivered with subjects re-written?

Mike