verify = sender/callout change?

ShaneK

Today I updated my cPanel from Release 18033 to the current Release 18430. As often happens, I was notified that exim has changed and I need to remove my custom ACLs and reinstall them. (This is what prompted me to manually update instead of allowing auto updates.)

One of the very important acl conditions I have custom is the sender/callout option. I prefer to keep this option on and control the bypass with a whitelist. Here is what I had previous to the update: (notice I only commented out the default acl for this)

Code:
[% ACL_RBL_BLOCK %]

############################################
# Sender Verification
############################################ 

#sender verifications are required for all messages that are not sent to lists
deny message = WSS560 - From email address must be valid (able to receive email).
log_message =  WSS560 - From email address must be valid (able to receive email).
!verify = sender/callout=60s,defer_ok
!hosts = +rv_sender_callout_ip_whitelist
!senders = +rv_sender_callout_email_whitelist
accept domains = +local_domains
           
########################### The old way ####
# require verify = sender/callout=60s
############################################
While looking to reinstate this little gem I found the following in its place:

Code:
[% ACL_WHITELIST_BLOCK %]

[% ACL_RBL_BLOCK %]

[% ACL_TRUSTEDLIST_BLOCK %]

[% ACL_PRE_RECP_VERIFY_BLOCK %]

#recipient verifications are required for all messages that are not sent to the local machine
                        #this was done at multiple users requests
                        require verify = recipient
I would like to get my whitelist back in place, but I'm somewhat confused with the new terminology require verify = recipient. I dropped by exim.org and the cpanel change logs but I could find nothing about this.

Anyone know what I need to put in my ACL to achieve the same effect? I realize I could use the cPanel whitelist and whitelist against all the ACLs, but I prefer to whitelist the sender/callout independently.

Any guidance is greatly appreciated!
 

sparek-3

I don't think it would necessarily matter.

It looks like the new cPanel defaults into putting this after

Code:
#if it gets here it isn't mailman
One thing to note, in order to use callouts in the exim advanced configuration editor, you have to have the option checked for:

Sender Verification Callouts

In the Exim Configuration screen in the WHM.

If this is not checked, then the callouts will not be performed. The new Exim editor seems to do some type of internal audit after doing an advanced edit.
 

ShaneK

I'm not sure what you mean when you say it wouldn't matter. Are you saying with the way exim is set up now a verify/callout whitelist is now impossible?

Has anyone else come up with a solution for this? Example code that would replace the new terminology would be greatly appreciated. It is important I re-instate the whitelist that already exists to keep my clients' email flowing.

Could I simply do this?:

Code:
[% ACL_WHITELIST_BLOCK %]

[% ACL_RBL_BLOCK %]

[% ACL_TRUSTEDLIST_BLOCK %]

[% ACL_PRE_RECP_VERIFY_BLOCK %]

#recipient verifications are required for all messages that are not sent to the local machine
#this was done at multiple users requests
############################################
# Sender Verification
############################################ 

#sender verifications are required for all messages that are not sent to lists
deny message = WSS560 - From email address must be valid (able to receive email).
log_message =  WSS560 - From email address must be valid (able to receive email).
!verify = recipient=60s,defer_ok
!hosts = +rv_sender_callout_ip_whitelist
!senders = +rv_sender_callout_email_whitelist
accept domains = +local_domains
           
########################### The old way ####
# require verify = recipient
############################################
 

sparek-3

What I mean is that it doesn't really matter where you put the callout in the exim configuration.

I guess that's not exactly true, but in regards to the examples given, you could put it there.

cPanel is putting the sender callouts after the line:

Code:
#if it gets here it isn't mailman
So you could just modify this to look like:

Code:
#if it gets here it isn't mailman
verify   = sender/callout=60s,defer_ok
Or you could put the sender callout after:

Code:
[% ACL_PRE_RECP_VERIFY_BLOCK %]

#recipient verifications are required for all messages that are not sent to the local machine
                        #this was done at multiple users requests
                        require verify = recipient
Just modify this segment to say:

Code:
[% ACL_PRE_RECP_VERIFY_BLOCK %]

#recipient verifications are required for all messages that are not sent to the local machine
                        #this was done at multiple users requests
                        require verify = recipient 

verify   = sender/callout=60s,defer_ok
 

SageBrian

> What I mean is that it doesn't really matter where you put the callout in the exim configuration.
>
> Or you could put the sender callout after:
>
> Code:
> [% ACL_PRE_RECP_VERIFY_BLOCK %]
>
> #recipient verifications are required for all messages that are not sent to the local machine
>                         #this was done at multiple users requests
>                         require verify = recipient
>
> verify   = sender/callout=60s,defer_ok

I like this one. It first checks if the recipient exists. If the recipient doesn't exist, why bother with the other checks?
Then, verify the sender. If not verified, no need to run other tests.
Then spamhaus/spamcop.
And finally mailscanner (or just SA if you don't do MS)

Now, if someone could just put a definitive, working ACL, without, of course the fear of cPanel changing something yet again.

cPanel, I do appreciate the advances taken in ACL, etc. But perhaps there should be little 'cautions' listed in the changelog? Like 'Caution, this change may affect current settings'.
Not a complaint, since I am very grateful we actually have a changelog... just a suggestion.
 

rvskin

> One thing to note, in order to use callouts in the exim advanced configuration editor, you have to have the option checked for:
>
> Sender Verification Callouts
>
> In the Exim Configuration screen in the WHM.
>
> If this is not checked, then the callouts will not be performed. The new Exim editor seems to do some type of internal audit after doing an advanced edit.

The above suggestion is very important. Don't forget it. And then you can add the callout ACL. Below is mine. You should add it after the RBL, dictionary attack and recipient verification ACLs.


##
# Callout (create SMTP connection to test the sender address)
# Deny unless the sender address can be verified.
# Test only senders that are not listed in the callout whitelist or dsn.rfc-ignorant.org
##
deny message = From email address must be valid
# do not check address for lists or bounces
# or people in our company contact database
!senders = ^.*[email protected]*:\
^bounce-.*@.*:\
^.*[email protected]*:\
^owner-.*@.*:\
^[email protected]*:\
^[email protected]*:\
^[email protected]*:\
^[email protected]*
!domains = +rv_callout_receiver_domain_whitelist
!sender_domains = +rv_callout_sender_domain_whitelist
# Do not check for DSN-ignorant domains
# those that don't accept MAIL FROM:<>
!dnslists = dsn.rfc-ignorant.org/$sender_address_domain
hosts = ! +senderverifybypass_hosts
!verify = sender/callout=10s,defer_ok


And don't forget to add the domainlists below in the first box of the exim configuration editor.

domainlist rv_callout_sender_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_callout_sender_domain_whitelist
domainlist rv_callout_receiver_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_callout_receiver_domain_whitelist
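
An added example, not taken from any post in this thread: the whitelisted sender callout from the first post, with the whitelist conditions moved ahead of the callout. Exim evaluates the conditions of an ACL statement in order and stops at the first one that is false, so a whitelisted host or sender is passed without any callout being made. The list names are the ones used in the first post; the file paths are placeholders.

```exim
# Main configuration section (first box of the advanced editor).
# Placeholder paths: point these at your own whitelist files,
# one host/network or one address pattern per line.
hostlist    rv_sender_callout_ip_whitelist    = /path/to/sender_callout_ip_whitelist
addresslist rv_sender_callout_email_whitelist = /path/to/sender_callout_email_whitelist

# ACL section, placed after the "require verify = recipient" line.
# Order matters: the two whitelist tests come first, so the callout
# is only attempted for hosts and senders that are on neither list.
# defer_ok lets the message through when the callout cannot get a
# definite answer (timeout or temporary error) instead of deferring it.
deny  message     = WSS560 - From email address must be valid (able to receive email).
      log_message = WSS560 - From email address must be valid (able to receive email).
      !hosts      = +rv_sender_callout_ip_whitelist
      !senders    = +rv_sender_callout_email_whitelist
      !verify     = sender/callout=60s,defer_ok
```

To check the result, `exim -bhc <client-ip>` runs a simulated SMTP session against the ACLs and, unlike plain `-bh`, performs the callouts.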