Probleme Exim

[mogruith]

Bonjour à tous,

J'ai un petit probleme avec un serveur Exim que je viens de mettre en place. Ce serveur doit réceptionner tous les mails provenant de l'extèrieur de ma société pour dans un premier temps les traiter (antivirus, sapm) puis les relayer vers le serveur de messagerie en interne. Il ne fait pas de pop, juste du smtp.

Her, il était encore en dchp et je pouvais donc m'y connecter en telnet, puis envoyer un mail à l'interieur de ma société. D'aileurs au passage, il ne relais que vers ma société. Et puis, une fois mes différents tests réalisés, je l'ai mis dans la DMZ. Et maintenant, je peux toujours m'y connecter mais dès que je souhaite envoyer un mail, il me sort l'erreur suivante : 550 Administrative prohibition.

Il n'a que changé d'IP. Pour information, j'ai récupéré mon fichier de configuration d'exim3 puis mis à jour en 4, dans un fichier unique, exim4.conf.

Quelq'un aurait il une idée car je bloque et je ne trouve pas de solution ?

Merci

[mogruith]

Voici ce que me donne les logs:

2005-02-22 11:03:33 exim 4.34 daemon started: pid=670, -q30m, listening for SMTP on port 25 (IPv4)
2005-02-22 11:03:33 Start queue run: pid=672
2005-02-22 11:03:33 End queue run: pid=672
2005-02-22 11:04:23 1D3Wtw-0000Ar-JJ H=smtp002 (smtp001) [10.2.4.20] U=root F=<mogruith@XXXX> rejected after DATA: there is no valid sender in any header line
2005-02-22 11:09:23 SMTP command timeout on connection from smtp002 (smtp001) [10.2.4.20] U=root


En fait, il y a deux serveurs SMTP branché derrière un alteon.

[Gandalf]

Bonjour à tous,
Et puis, une fois mes différents tests réalisés, je l'ai mis dans la DMZ. Et maintenant, je peux toujours m'y connecter mais dès que je souhaite envoyer un mail, il me sort l'erreur suivante : 550 Administrative prohibition.

Ca veut dire qu'avant il était dans un lan ? Si c'est le cas la DMZ sert à vérouiller une zone, ce qui expliquerait l'interdiction en SMTP ! Dis nous en plus sur ton architecture !

[mogruith]

En effet mon serveur (deux smtp en fait loadbalancés via un alteon) était dans un lan en DHCP.

A priori d'apres l'équipe réseau, les flux sont autorisés depuis l'extèrieur vers mes stmp. puis a nouveau autorisés vers le mx en intene.

J'ai donc plusieurs cas de figure :
- ils se sont plantés
- j'ai dans mon exim4.conf un truc qui bloque du genre , je ne relais pas vers mon mx, ou je ne relais pas vers le LAN. Sachant que bien sur, les réseaux sont différents.

Ma DMZ est en 10.2.4.0, mon lan en 10.3.245.0. Je rappelle que les mails externes viennent sur mes deux smtp. Apres traitement ceux ci seront renvoyés vers mon mx en interne. Le traitement consiste en unscan antispam et antivirus. De plus, avec le system_filter, j'interdis certaines pieces jointes (exe, pif, src etc ...)

Voci mon fichier de conf (désolé si je pollue) :


#!!# This file is output from the convert4r4 script, which tries
#!!# to convert Exim 3 configurations into Exim 4 configurations.
#!!# However, it is not perfect, especially with non-simple
#!!# configurations. You must check it before running it.


#!!# These options specify the Access Control Lists (ACLs) that
#!!# are used for incoming SMTP messages - after the RCPT and DATA
#!!# commands, respectively.

acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message

#!!# This setting defines a named domain list called
#!!# local_domains, created from the old options that
#!!# referred to local domains. It will be referenced
#!!# later on by the syntax "+local_domains".
#!!# Other domain and host lists may follow.

domainlist local_domains = @ : \
@[] : \
localhost : \
smtp001.XXXX.fr

domainlist relay_domains = XXXX.fr : \
XXXX.com
hostlist rbl_hosts = !10.0.0.0 : \ 0.0.0.0/0
hostlist relay_hosts = 127.0.0.1 : \
::::1
hostlist auth_relay_hosts = *

# This is the main exim configuration file.
# It was originally generated by `eximconfig', part of the exim package
# distributed with Debian, but it may edited by the mail system administrator.
# This file originally generated by eximconfig at Fri Feb 11 20:19:07 CET 2005
# See exim info section for details of the things that can be configured here.

# Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file.

# This file is divided into several parts, all but the last of which are
# terminated by a line containing the word "end". The parts must appear
# in the correct order, and all must be present (even if some of them are
# in fact empty). Blank lines, and lines starting with # are ignored.

######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################

#!!# message_filter renamed system_filter
system_filter = /etc/exim4/system_filter.exim
message_body_visible = 5000
#!!# message_filter_reply_transport renamed system_filter_reply_transport
system_filter_reply_transport = address_reply

av_scanner = clamd:/usr/local/sbin/clamd

# Specify the domain you want to be added to all unqualified addresses
# here. Unqualified addresses are accepted only from local callers by
# default. See the receiver_unqualified_{hosts,nets} options if you want
# to permit unqualified addresses from remote sources. If this option is
# not set, the primary_hostname value is used for qualification.

qualify_domain = smtp001.XXXX.fr

# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

# qualify_recipient =

# Specify your local domains as a colon-separated list here. If this option
# is not set (i.e. not mentioned in the configuration file), the
# qualify_recipient value is used as the only local domain. If you do not want
# to do any local deliveries, uncomment the following line, but do not supply
# any data for it. This sets local_domains to an empty string, which is not
# the same as not mentioning it at all. An empty string specifies that there
# are no local domains; not setting it at all causes the default value (the
# setting of qualify_recipient) to be used.


# Allow mail addressed to our hostname, or to our IP address.


# Domains we relay for; that is domains that aren't considered local but we
# accept mail for them.


# If this is uncommented, we accept and relay mail for all domains we are
# in the DNS as an MX for.

#relay_domains_include_local_mx = false

# No local deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so gets changed so that it runs under the
# uid of "nobody" instead. This is a paranoic safety catch. Note the default
# setting means you cannot deliver mail addressed to root as if it were a
# normal user. This isn't usually a problem, as most sites have an alias for
# root that redirects such mail to a human administrator.

never_users = root

# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

host_lookup = *

# The setting below would, if uncommented, cause Exim to check the syntax of
# all the headers that are supposed to contain email addresses (To:, From:,
# etc). This reduces the level of bounced bounces considerably.

# headers_check_syntax

# Exim contains support for the Realtime Blocking List (RBL), and the many
# similar services that are being maintained as part of the DNS. See
# http://www.mail-abuse.org/ for background. The line below, if uncommented,
# will reject mail from hosts in the RBL, and add warning headers to mail
# from hosts in a list of dynamic-IP dialups. Note that MAPS may charge
# for this service.


# http://www.rfc-ignorant.org is another interesting site with a number of
# services you can use with the rbl_domains option

# The setting below allows your host to be used as a mail relay only by
# localhost: it locks out the use of your host as a mail relay by any
# other host. See the section of the manual entitled "Control of relaying"
# for more info.


# This setting allows anyone who has authenticated to use your host as a
# mail relay. To use this you will need to set up some authenticators at
# the end of the file


# If you want Exim to support the "percent hack" for all your local domains,
# uncomment the following line. This is the feature by which mail addressed
# to x%y@z (where z is one of your local domains) is locally rerouted to
# x@y and sent on. Otherwise x%y is treated as an ordinary local part

# percent_hack_domains=*

# If this option is set, then any process that is running as one of the
# listed users may pass a message to Exim and specify the sender's
# address using the "-f" command line option, without Exim's adding a
# "Sender" header.

trusted_users = mail

# If this option is true, the SMTP command VRFY is supported on incoming
# SMTP connections; otherwise it is not.


# Some operating systems use the "gecos" field in the system password file
# to hold other information in addition to users' real names. Exim looks up
# this field when it is creating "sender" and "from" headers. If these options
# are set, exim uses "gecos_pattern" to parse the gecos field, and then
# expands "gecos_name" as the user's name. $1 etc refer to sub-fields matched
# by the pattern.

gecos_pattern = ^([^,:]*)
gecos_name = $1

# This sets the maximum number of messages that will be accepted in one
# connection and immediately delivered. If one connection sends more
# messages than this, any further ones are accepted and queued but not
# delivered. The default is 10, which is probably enough for most purposes,
# but is too low on dialup SMTP systems, which often have many more mails
# queued for them when they connect.

smtp_accept_queue_per_connection = 100

# Send a mail to the postmaster when a message is frozen. There are many
# reasons this could happen; one is if exim cannot deliver a mail with no
# return address (normally a bounce) another that may be common on dialup
# systems is if a DNS lookup of a smarthost fails. Read the documentation
# for more details: you might like to look at the auto_thaw option

#!!# freeze_tell_mailmaster replaced by freeze_tell
freeze_tell = postmaster

# This string defines the contents of the \`Received' message header that
# is added to each message, except for the timestamp, which is automatically
# added on at the end, preceded by a semicolon. The string is expanded each
# time it is used.

received_header_text = "Received: \
${if def:sender_rcvhost {from ${sender_rcvhost}\n\t}\
{${if def:sender_ident {from ${sender_ident} }}\
${if def:sender_helo_name {(helo=${sender_helo_name})\n\t}}}}\
by ${primary_hostname} \
${if def:received_protocol {with ${received_protocol}}} \
(Exim ${version_number} #${compile_number} (Debian))\n\t\
id ${message_id}\
${if def:received_for {\n\tfor <$received_for>}}"

# Attempt to verify recipient address before receiving mail, so that mails
# to invalid addresses are rejected rather than accepted and then bounced.
# Apparently some spammers are abusing servers that accept and then bounce
# to send bounces containing their spam to people.


# This would make exim advertise the 8BIT-MIME option. According to
# RFC1652, this means it will take an 8bit message, and ensure it gets
# delivered correctly. exim won't do this: it is entirely 8bit clean
# but won't do any conversion if the next hop isn't. Therefore, if you
# set this option you are asking exim to lie and not be RFC
# compliant. But some people want it.

#accept_8bitmime = true

# This will cause it to accept mail only from the local interface

#local_interfaces = 127.0.0.1

# If this next line is uncommented, any user can see the mail queue
# by using the mailq command or exim -bp.

#queue_list_requires_admin = false

#

#!!#######################################################!!#
#!!# This new section of the configuration contains ACLs #!!#
#!!# (Access Control Lists) derived from the Exim 3 #!!#
#!!# policy control options. #!!#
#!!#######################################################!!#

#!!# These ACLs are crudely constructed from Exim 3 options.
#!!# They are almost certainly not optimal. You should study
#!!# them and rewrite as necessary.

begin acl

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :
deny hosts = +rbl_hosts
message = host is listed in $dnslist_domain
dnslists = rbl.mail-abuse.org
warn hosts = +rbl_hosts
message = X-Warning: $sender_host_address is listed at $dnslist_domain
dnslists = dialups.mail-abuse.org
accept domains = +local_domains
accept domains = +relay_domains
accept hosts = +relay_hosts
accept hosts = +auth_relay_hosts
endpass
message = authentication required
authenticated = *
deny message = relay not permitted

# OLD SECTION
#!!# ACL that is used after the DATA command
#check_message:
# accept
#########


#!!# ACL that is used after the DATA command
check_message:
require verify = header_sender

##### clamav ACL, reject virus infected mails with proper error

deny message = This message contains malformed MIME ($demime_reason).
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}

deny message = This message contains a virus or other harmful content \
($malware_name)
demime = *
malware = *

deny message = Potentially executable content. If you meant to send this file \
then please package it up as a zip file and resend it.
demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:s
cr:sct:shs:url:vbs:vbe:wsf:wsh:wsc

# Add X-Scanned Header

warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

##### end clamav ACL
accept

######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################

# Look in the documentation (in package exim-doc or exim-doc-html for
# information on how to set up authenticated connections.

# The examples below are for server side authentication; they allow two
# styles of plain-text authentication against an /etc/exim/passwd file
# which should have user IDs in the first column and crypted passwords
# in the second.

# plain:
# driver = plaintext
# public_name = PLAIN
# server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/etc/exim/passwd}{$value}{*:*}}}}
}{1}{0}}"
# server_set_id = $1
#
# login:
# driver = plaintext
# public_name = LOGIN
# server_prompts = "Username:: : Password::"
# server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/etc/exim/passwd}{$value}{*:*}}}}
}{1}{0}}"
# server_set_id = $1

# These examples below are the equivalent for client side authentication.
# They assume that you only use client side authentication to connect to
# one host (such as a smarthost at your ISP), or else use the same user
# name and password everywhere

# plain:
# driver = plaintext
# public_name = PLAIN
# client_send = "^username^password"
#
# login:
# driver = plaintext
# public_name = LOGIN
# client_send = ": username : password"
#
# cram_md5:
# driver = cram_md5
# public_name = CRAM-MD5
# client_name = username
# client_secret = password



######################################################################
# REWRITE CONFIGURATION #
######################################################################


# There are no rewriting specifications in this default configuration file.


# This rewriting rule is particularly useful for dialup users who
# don't have their own domain, but could be useful for anyone.
# It looks up the real address of all local users in a file


begin rewrite

*@smtp001.XXXX.fr ${lookup{$1}lsearch{/etc/email-addresses}\
{$value}fail} frFs


#!!#######################################################!!#
#!!# Here follow routers created from the old routers, #!!#
#!!# for handling non-local domains. #!!#
#!!#######################################################!!#

begin routers

######################################################################
# ROUTERS CONFIGURATION #
# Specifies how remote addresses are handled #
######################################################################
# ORDER DOES MATTER #
# A remote address is passed to each in turn until it is accepted. #
######################################################################

# Remote addresses are those with a domain that does not match any item
# in the "local_domains" setting above.

# Send all mail to a smarthost

smarthost:
driver = manualroute
domains = ! +local_domains
route_list = * mail-001.XXXX.fr bydns
transport = remote_smtp
no_more

# Spam Assassin
spamcheck_router:
no_verify
check_local_user
# When to scan a message :
# - it isn't already flagged as spam
# - it isn't already scanned
condition = \
"${if and { {!def:h_X-Spam-Flag:} \
{!eq {$received_protocol}{spam-scanned}} \
}\
{1}{0}\
}"
driver = accept
transport = spamcheck

#!!#######################################################!!#
#!!# Here follow routers created from the old directors, #!!#
#!!# for handling local domains. #!!#
#!!#######################################################!!#

######################################################################
# DIRECTORS CONFIGURATION #
# Specifies how local addresses are handled #
######################################################################
# ORDER DOES MATTER #
# A local address is passed to each in turn until it is accepted. #
######################################################################

# This allows local delivery to be forced, avoiding alias files and
# forwarding.

real_local:
#!!# prefix renamed local_part_prefix
driver = accept
check_local_user
local_part_prefix = real-
transport = local_delivery

# This director handles aliasing using a traditional /etc/aliases file.
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary.

system_aliases:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
retry_use_local_part
# user = list
# Uncomment the above line if you are running smartlist


# This director handles forwarding using traditional .forward files.
# It also allows mail filtering when a forward file starts with the
# string "# Exim filter": to disable filtering, uncomment the "filter"
# option. The check_ancestor option means that if the forward file
# generates an address that is an ancestor of the current one, the
# current one gets passed on instead. This covers the case where A is
# aliased to B and B has a .forward file pointing to A.

# For standard debian setup of one group per user, it is acceptable---normal
# even---for .forward to be group writable. If you have everyone in one
# group, you should comment out the "modemask" line. Without it, the exim
# default of 022 will apply, which is probably what you want.

userforward:
#!!# filter renamed allow_filter
# driver = redirect
# allow_filter
# check_ancestor
# check_local_user
# file = $home/.forward
# file_transport = address_file
# modemask = 002
# pipe_transport = address_pipe
# reply_transport = address_reply
# no_verify

# This director runs procmail for users who have a .procmailrc file

#procmail:
driver = accept
check_local_user
require_files = ${local_part}:+${home}:+${home}/.procmailrc:+/usr/bin/procmail
transport = procmail_pipe
no_verify

# This director matches local user mailboxes.

#localuser:
#driver = accept
#check_local_user
#transport = local_delivery



######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################

# This transport is used for local delivery to user mailboxes. On debian
# systems group mail is used so we can write to the /var/spool/mail
# directory. (The alternative, which most other unixes use, is to deliver
# as the user's own group, into a sticky-bitted directory)

begin transports

local_delivery:
driver = appendfile
envelope_to_add
file = /var/spool/mail/${local_part}
group = mail
mode = 0660
no_mode_fail_narrower
return_path_add

# This transport is used for handling pipe addresses generated by
# alias or .forward files. If the pipe generates any standard output,
# it is returned to the sender of the message as a delivery error. Set
# return_fail_output instead if you want this to happen only when the
# pipe fails to complete normally.

address_pipe:
driver = pipe
path = /usr/bin:/bin:/usr/local/bin
return_output

# This transport is used for handling file addresses generated by alias
# or .forward files.

address_file:
driver = appendfile
envelope_to_add
return_path_add

# This transport is used for handling file addresses generated by alias
# or .forward files if the path ends in "/", which causes it to be treated
# as a directory name rather than a file name. Each message is then delivered
# to a unique file in the directory. If instead you want all such deliveries to
# be in the "maildir" format that is used by some other mail software,
# uncomment the final option below. If this is done, the directory specified
# in the .forward or alias file is the base maildir directory.
#
# Should you want to be able to specify either maildir or non-maildir
# directory-style deliveries, then you must set up yet another transport,
# called address_directory2. This is used if the path ends in "//" so should
# be the one used for maildir, as the double slash suggests another level
# of directory. In the absence of address_directory2, paths ending in //
# are passed to address_directory.

address_directory:
#!!# prefix renamed message_prefix
#!!# suffix renamed message_suffix
#!!# no_from_hack replaced by check_string
driver = appendfile
check_string =
message_prefix = ""
message_suffix = ""
# maildir_format

# This transport is used for handling autoreplies generated by the filtering
# option of the forwardfile director.

address_reply:
driver = autoreply

# This transport is used for procmail

procmail_pipe:
#!!# suffix renamed message_suffix
driver = pipe
command = "/usr/bin/procmail"
delivery_date_add
envelope_to_add
message_suffix = ""
return_path_add
# check_string = "From "
# escape_string = ">From "


# This transport is used for delivering messages over SMTP connections.

remote_smtp:
driver = smtp
# authenticate_hosts = smarthost.isp.com

# To use SMTP AUTH when sending to a particular host, such as your ISP's
# smarthost, uncomment and edit the above line, and also the example
# client-side authenticators at the bottom of the file

# Spam Assassin
spamcheck:
driver = pipe
command = /usr/exim/bin/exim -oMr spam-scanned -bS
use_bsmtp = true
transport_filter = /usr/bin/spamc
home_directory = "/tmp"
current_directory = "/tmp"
# must use a privileged user to set $received_protocol on the way
# back in!
user = mail
group = mail
log_output = true
return_fail_output = true
return_path_add = false
message_prefix =
message_suffix =

######################################################################
# RETRY CONFIGURATION #
######################################################################


# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 2 hours and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 8 hours until 4 days have passed since the first
# failed delivery.

# Domain Error Retries
# ------ ----- -------


begin retry

* * F,2h,15m; G,16h,2h,1.5; F,4d,8h


# End of Exim 4 configuration



Voila

[Gandalf]

Je ne peux pas te répondre sur ton fichier de conf qui fait des kms car je en connais pas assez Exim ( a vue de nez la conf ressemble à d'autres produits rien ne m'a l'air anormal ), mais je pencherai pour le pb d'architecture ( puisque tout fonctionnait dans le lan c'est ça hein ? ).
Au niveau de l'adresse IP du serveur tu dois avoir un truc en 10.2.4.x ( 255.255.255.0 je déduis le masque tu ne le donnes pas ! ) avec comme passerelle par défaut l'IP de la patte DMZ du firewall ! Ensuite les flux SMTP doivent être autorisé du wan vers la DMZ et de la DMZ vers le LAN ; vérifies tout ça sur le firewall, et regardes dans les logs de ce dernier, si c'est lui qui bloque entre la DMZ et le LAN il doit avoir des traces !

[mogruith]

Bon, j'ai fouillé les logs : aucune trace.
J'ai remis une des machines dans le lan DHCP et là, O pas miracle : j'ai à nouveau mon erreur 550 Admministrative Prohibition.


Donc il y a un truc dans mon fichier de configuration.

Koc'h !


Là je comprends plus rien ...

[Gandalf]

Ouch c'est strange ton truc !
Je laisse la place à des spécialistes Exim s'il yen a ! Peut-être qu'un admin ou un modo Ixus pourrait déplacer ce post dans la bonne section pour que plus de personnes le voient ?

Merci @+

[mogruith]

Je te remercie en tout cas pour ton aide.
J'ai déjà avancé en vérifiant les logs du firewall et cela élimine donc déjà certaines choses.