
verify = sender/callout change?

Discussion in 'E-mail Discussions' started by ShaneK, Dec 14, 2007.

  1. ShaneK

    Today I updated my cPanel from Release 18033 to the current Release 18430. As often happens, I was notified that Exim has changed and that I need to remove my custom ACLs and reinstall them. (This is what prompted me to manually update instead of allowing auto updates.)

    One of the very important custom ACL conditions I have is the sender/callout option. I prefer to keep this option on and control the bypass with a whitelist. Here is what I had previous to the update (notice I only commented out the default ACL for this):

    Code:
    [% ACL_RBL_BLOCK %]
    
    ############################################
    # Sender Verification
    ############################################ 
    
    #sender verifications are required for all messages that are not sent to lists
    deny message = WSS560 - From email address must be valid (able to receive email).
    log_message =  WSS560 - From email address must be valid (able to receive email).
    !verify = sender/callout=60s,defer_ok
    !hosts = +rv_sender_callout_ip_whitelist
    !senders = +rv_sender_callout_email_whitelist
    accept domains = +local_domains
               
    ########################### The old way ####
    # require verify = sender/callout=60s
    ############################################
    While looking to reinstate this little gem I found the following in its place:

    Code:
    [% ACL_WHITELIST_BLOCK %]
    
    [% ACL_RBL_BLOCK %]
    
    [% ACL_TRUSTEDLIST_BLOCK %]
    
    [% ACL_PRE_RECP_VERIFY_BLOCK %]
    
    #recipient verifications are required for all messages that are not sent to the local machine
                            #this was done at multiple users requests
                            require verify = recipient 
    I would like to get my whitelist back in place, but I'm somewhat confused by the new terminology, require verify = recipient. I dropped by exim.org and the cPanel change logs but I could find nothing about this.

    Anyone know what I need to put in my ACL to achieve the same effect? I realize I could use the cPanel whitelist and whitelist against all the ACLs, but I prefer to whitelist the sender/callout independently.

    Any guidance is greatly appreciated!
     
  2. JasonJPN

    Did you get this figured out? I would like to know how also.
     
  3. sneader

    Also interested in the answer.

    - Scott
     
  4. sparek-3

    I don't think it would necessarily matter.

    It looks like the new cPanel defaults into putting this after

    Code:
    #if it gets here it isn't mailman
    One thing to note, in order to use callouts in the exim advanced configuration editor, you have to have the option checked for:

    Sender Verification Callouts

    In the Exim Configuration screen in the WHM.

    If this is not checked, then the callouts will not be performed. The new Exim editor seems to do some type of internal audit after doing an advanced edit.
     
  5. ShaneK

    I'm not sure what you mean when you say it wouldn't matter. Are you saying that, with the way Exim is set up now, a verify/callout whitelist is impossible?

    Has anyone else come up with a solution for this? Example code that would replace the new terminology would be greatly appreciated. It is important I re-instate the whitelist that already exists to keep my clients email flowing.

    Could I simply do this?:

    Code:
    [% ACL_WHITELIST_BLOCK %]
    
    [% ACL_RBL_BLOCK %]
    
    [% ACL_TRUSTEDLIST_BLOCK %]
    
    [% ACL_PRE_RECP_VERIFY_BLOCK %]
    
    #recipient verifications are required for all messages that are not sent to the local machine
    #this was done at multiple users requests
    ############################################
    # Sender Verification
    ############################################ 
    
    #sender verifications are required for all messages that are not sent to lists
    deny message = WSS560 - From email address must be valid (able to receive email).
    log_message =  WSS560 - From email address must be valid (able to receive email).
    !verify = recipient=60s,defer_ok
    !hosts = +rv_sender_callout_ip_whitelist
    !senders = +rv_sender_callout_email_whitelist
    accept domains = +local_domains
               
    ########################### The old way ####
    # require verify = recipient
    ############################################ 
     
  6. sparek-3

    What I mean is that it doesn't really matter where you put the callout in the exim configuration.

    I guess that's not exactly true, but in regard to the examples given, you could put it there.

    cPanel is putting the sender callouts after the line:

    Code:
    #if it gets here it isn't mailman
    So you could just modify this to look like:

    Code:
    #if it gets here it isn't mailman
    verify   = sender/callout=60s,defer_ok
    Or you could put the sender callout after:

    Code:
    [% ACL_PRE_RECP_VERIFY_BLOCK %]
    
    #recipient verifications are required for all messages that are not sent to the local machine
                            #this was done at multiple users requests
                            require verify = recipient
    Just modify this segment to say:

    Code:
    [% ACL_PRE_RECP_VERIFY_BLOCK %]
    
    #recipient verifications are required for all messages that are not sent to the local machine
                            #this was done at multiple users requests
                            require verify = recipient 
    
    verify   = sender/callout=60s,defer_ok
     
  7. sparek-3

  8. SageBrian

    I like this one. It first checks if the recipient exists. If the recipient doesn't exist, why bother with the other checks?
    Then, verify the sender. If not verified, no need to run other tests.
    Then spamhaus/spamcop.
    And finally mailscanner (or just SA if you don't do MS)

    Now, if someone could just put a definitive, working ACL, without, of course the fear of cPanel changing something yet again.

    cPanel, I do appreciate the advances taken in ACL, etc. But perhaps there should be little 'cautions' listed in the changelog? Like 'Caution, this change may affect current settings'.
    Not a complaint, since I am very grateful we actually have a changelog... just a suggestion.
     
  9. rvskin

    The above suggestion is very important. Don't forget it. And then you can add a callout ACL. Below is mine. You should add it after the RBL, dictionary attack and recipient verification ACLs.


    Code:
    ##
    # Callout (create SMTP connection to test the sender address)
    # Deny unless the sender address can be verified.
    # Test only senders that are not listed in the callout whitelist or in dsn.rfc-ignorant.org
    ##
    deny message = From email address must be valid
    # do not check address for lists or bounces
    # or people in our company contact database
    !senders = ^.*-request@.*:\
               ^bounce-.*@.*:\
               ^.*-bounce@.*:\
               ^owner-.*@.*:\
               ^listmaster@.*:\
               ^root@.*:\
               ^anonymous@.*:\
               ^nobody@.*
    !domains = +rv_callout_receiver_domain_whitelist
    !sender_domains = +rv_callout_sender_domain_whitelist
    # Do not check for DSN-ignorant domains
    # those that don't accept MAIL FROM:<>
    !dnslists = dsn.rfc-ignorant.org/$sender_address_domain
    hosts = ! +senderverifybypass_hosts
    !verify = sender/callout=10s,defer_ok


    And don't forget to add the domainlists below in the first box of the Exim configuration editor.

    domainlist rv_callout_sender_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_callout_sender_domain_whitelist
    domainlist rv_callout_receiver_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_callout_receiver_domain_whitelist
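
Added example (not part of any post above and not cPanel's shipped template): the whitelisted sender callout from the first post, placed after the template's "require verify = recipient" as post 6 suggests. The list file paths are placeholders, and moving the two whitelist conditions ahead of !verify is a choice made here: Exim tests ACL conditions in order and abandons the statement at the first one that does not match, so a whitelisted host or sender never triggers the callout connection.

```exim
# --- Main section (first box of the Exim configuration editor) ---
# List names come from the first post; the file paths are placeholders
# (assumption). Each file holds one entry per line.
hostlist    rv_sender_callout_ip_whitelist    = /path/to/callout_ip_whitelist
addresslist rv_sender_callout_email_whitelist = /path/to/callout_email_whitelist

# --- RCPT ACL, directly after the template's "require verify = recipient" ---
# Deny only when all three conditions hold, tested top to bottom:
#   1. the connecting host is not in the IP whitelist
#   2. the envelope sender is not in the address whitelist
#   3. the sender callout fails
# A whitelisted host or sender fails condition 1 or 2, so the statement is
# abandoned before the callout in condition 3 is attempted.
deny message     = WSS560 - From email address must be valid (able to receive email).
     log_message = WSS560 - From email address must be valid (able to receive email).
     !hosts      = +rv_sender_callout_ip_whitelist
     !senders    = +rv_sender_callout_email_whitelist
     # 60s is the callout timeout; defer_ok treats a temporary callout
     # failure as success instead of deferring the message
     !verify     = sender/callout=60s,defer_ok
```

As post 4 notes, the Sender Verification Callouts option in the WHM Exim Configuration screen must be checked or the callout is not performed.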
     