Exim / relaying to .... Problem

Postfix, QMail, Sendmail, Dovecot, Cyrus, Courier, Anti-Spam
mikeiv
Posts: 32
Joined: 2003-10-05 12:53

Exim / relaying to .... Problem

Post by mikeiv » 2003-10-09 17:04

Bin gerade dabei unseren Mailserver zu conf. und hab ein Problem das mit nicht ganz klar ist. also das empfangen von mails über qpopper geht 1A. das senden von mails (in einen mail programm auf einen client) von einer lokalen email adresse zu einer anderen lokalen auf dem server geht auch. aber sobald ich versuche eine mail an eine andere adresse zu schicken die nicht auf dem server ist kommt das:

relaying to <xxx@xx.xx> prohibited by administrator

kann mir da jemand helfen? einen tip was ich falsch gemacht habe.

captaincrunch
Userprojekt
Userprojekt
Posts: 7225
Joined: 2002-10-09 14:30
Location: Dorsten

Re: Exim / relaying to .... Problem

Post by captaincrunch » 2003-10-09 17:06

Da du nichts sagst, welche exim-Version du nutzt, hier die Erklärung für die (alte) 3.3er-Version

http://www.exim.org/exim-html-3.30/doc/ ... ml#IDX1817
DebianHowTo
echo "[q]sa[ln0=aln256%Pln256/snlbx]sb729901041524823122snlbxq"|dc

dodolin
RSAC
Posts: 4009
Joined: 2003-01-21 01:59
Location: Sinsheim/Karlsruhe

Re: Exim / relaying to .... Problem

Post by dodolin » 2003-10-10 03:04

Ich nehme an, du möchtest SMTP AUTH einrichten... meinte zumindest meine Glaskugel. ;)

mikeiv
Posts: 32
Joined: 2003-10-05 12:53

Re: Exim / relaying to .... Problem

Post by mikeiv » 2003-10-11 03:25

exim 3.3 ist mal gut geraten

deine glaskugel sagt viel wares. weis die auch noch mehr? :D
Last edited by mikeiv on 2003-10-11 03:37, edited 1 time in total.

mikeiv
Posts: 32
Joined: 2003-10-05 12:53

Re: Exim / relaying to .... Problem

Post by mikeiv » 2003-10-11 03:25

hier mal was zum lesen:


######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################

# Specify the domain you want to be added to all unqualified addresses
# here. Unqualified addresses are accepted only from local callers by
# default. See the receiver_unqualified_{hosts,nets} options if you want
# to permit unqualified addresses from remote sources. If this option is
# not set, the primary_hostname value is used for qualification.

qualify_domain = h1227.serverkompetenz.net

# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

# qualify_recipient =

# Specify your local domains as a colon-separated list here. If this option
# is not set (i.e. not mentioned in the configuration file), the
# qualify_recipient value is used as the only local domain. If you do not want
# to do any local deliveries, uncomment the following line, but do not supply
# any data for it. This sets local_domains to an empty string, which is not
# the same as not mentioning it at all. An empty string specifies that there
# are no local domains; not setting it at all causes the default value (the
# setting of qualify_recipient) to be used.

local_domains = localhost:hxxx.serverkompetenz.net

# Allow mail addressed to our hostname, or to our IP address.

local_domains_include_host = true
local_domains_include_host_literals = true

# Domains we relay for; that is domains that aren't considered local but we
# accept mail for them.

#relay_domains = *.hxxx.serverkompetenz.net

# If this is uncommented, we accept and relay mail for all domains we are
# in the DNS as an MX for.

#relay_domains_include_local_mx = true

# No local deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so gets changed so that it runs under the
# uid of "nobody" instead. This is a paranoic safety catch. Note the default
# setting means you cannot deliver mail addressed to root as if it were a
# normal user. This isn't usually a problem, as most sites have an alias for
# root that redirects such mail to a human administrator.

never_users = root

# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

host_lookup = *

# The setting below would, if uncommented, cause Exim to check the syntax of
# all the headers that are supposed to contain email addresses (To:, From:,
# etc). This reduces the level of bounced bounces considerably.

# headers_check_syntax

# Exim contains support for the Realtime Blocking List (RBL), and the many
# similar services that are being maintained as part of the DNS. See
# http://www.mail-abuse.org/ for background. The line below, if uncommented,
# will reject mail from hosts in the RBL, and add warning headers to mail
# from hosts in a list of dynamic-IP dialups. Note that MAPS may charge
# for this service.

#rbl_domains = rbl.mail-abuse.org/reject : dialups.mail-abuse.org/warn

# http://www.rfc-ignorant.org is another interesting site with a number of
# services you can use with the rbl_domains option

# The setting below allows your host to be used as a mail relay only by
# localhost: it locks out the use of your host as a mail relay by any
# other host. See the section of the manual entitled "Control of relaying"
# for more info.

host_accept_relay = 127.0.0.1 : ::::1

# 127.0.0.1
# This setting allows anyone who has authenticated to use your host as a
# mail relay. To use this you will need to set up some authenticators at
# the end of the file

host_auth_accept_relay = *

# If you want Exim to support the "percent hack" for all your local domains,
# uncomment the following line. This is the feature by which mail addressed
# to x%y@z (where z is one of your local domains) is locally rerouted to
# x@y and sent on. Otherwise x%y is treated as an ordinary local part

# percent_hack_domains=*

# If this option is set, then any process that is running as one of the
# listed users may pass a message to Exim and specify the sender's
# address using the "-f" command line option, without Exim's adding a
# "Sender" header.

trusted_users = mail

# If this option is true, the SMTP command VRFY is supported on incoming
# SMTP connections; otherwise it is not.

smtp_verify = true

# Some operating systems use the "gecos" field in the system password file
# to hold other information in addition to users' real names. Exim looks up
# this field when it is creating "sender" and "from" headers. If these options
# are set, exim uses "gecos_pattern" to parse the gecos field, and then
# expands "gecos_name" as the user's name. $1 etc refer to sub-fields matched
# by the pattern.

gecos_pattern = ^([^,:]*)
gecos_name = $1

# This sets the maximum number of messages that will be accepted in one
# connection. The default is 10, which is probably enough for most purposes,
# but is too low on dialup SMTP systems, which often have many more mails
# queued for them when they connect.

smtp_accept_queue_per_connection = 100

# Send a mail to the postmaster when a message is frozen. There are many
# reasons this could happen; one is if exim cannot deliver a mail with no
# return address (normally a bounce) another that may be common on dialup
# systems is if a DNS lookup of a smarthost fails. Read the documentation
# for more details: you might like to look at the auto_thaw option

freeze_tell_mailmaster = true

# This string defines the contents of the `Received' message header that
# is added to each message, except for the timestamp, which is automatically
# added on at the end, preceded by a semicolon. The string is expanded each
# time it is used.

received_header_text = "Received:
${if def:sender_rcvhost {from ${sender_rcvhost}nt}
{${if def:sender_ident {from ${sender_ident} }}
${if def:sender_helo_name {(helo=${sender_helo_name})nt}}}}
by ${primary_hostname}
${if def:received_protocol {with ${received_protocol}}}
${if def:tls_cipher {nt(Cipher ${tls_cipher}) }}
${if def:tls_peerdn {(PeerDN ${tls_peerdn}) }}
(Exim ${version_number} #${compile_number} (Debian))nt
id ${message_id}
${if def:received_for {ntfor <$received_for>}}"

# When Exim is built with support for TLS encrypted connections, the
# availability of the STARTTLS command to set up an encrypted session is
# advertised only to those client hosts that match this option. See chapter
# 38 for details of Exim's support for TLS.

tls_advertise_hosts = *

# The value of this option is expanded, and must then be the absolute path to
# a file which contains the server's certificate.

tls_certificate = /etc/exim/exim.crt

# The value of this option is expanded, and must then be the absolute path to
# a file which contains the server's private key.

tls_privatekey = /etc/exim/exim.key

# Paramter file for Diffie-Hellman parameters - see dhparam(1ssl)

#tls_dhparam = /etc/exim/cert/exim.dhparam

# Require use of TLS for use of SMTP AUTH for which hosts?

#auth_over_tls_hosts = *

# With this option is set, the cipher which was used to transmit a message is
# logged using the tag `X='. This applies to both incoming and outgoing
# messages.

tls_log_cipher = true

# With this option is set, the Distinguished Name of the server's certificate
# is logged, using the tag `DN=', for all outgoing messages delivered over
# TLS. For incoming messages, the DN from the client's certificate is logged
# if a certificate was requested from the client (see tls_verify_certificates).

tls_log_peerdn = true

# This would make exim advertise the 8BIT-MIME option. According to
# RFC1652, this means it will take an 8bit message, and ensure it gets
# delivered correctly. exim won't do this: it is entirely 8bit clean
# but won't do any conversion if the next hop isn't. Therefore, if you
# set this option you are asking exim to lie and not be RFC
# compliant. But some people want it.

#accept_8bitmime = true

# This will cause it to accept mail only from the local interface

#local_interfaces = 127.0.0.1

# If this next line is uncommented, any user can see the mail queue
# by using the mailq command or exim -bp.

#queue_list_requires_admin = false

#
end


######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
# ORDER DOES NOT MATTER #
# Only one appropriate transport is called for each delivery. #
######################################################################

# This transport is used for local delivery to user mailboxes. On debian
# systems group mail is used so we can write to the /var/spool/mail
# directory. (The alternative, which most other unixes use, is to deliver
# as the user's own group, into a sticky-bitted directory)

local_delivery:
driver = appendfile
group = mail
mode = 0660
mode_fail_narrower = false
envelope_to_add = true
return_path_add = true
file = /var/spool/mail/${local_part}

# This transport is used for handling pipe addresses generated by
# alias or .forward files. If the pipe generates any standard output,
# it is returned to the sender of the message as a delivery error. Set
# return_fail_output instead if you want this to happen only when the
# pipe fails to complete normally.

address_pipe:
driver = pipe
path = /usr/bin:/bin:/usr/local/bin
return_output

# This transport is used for handling file addresses generated by alias
# or .forward files.

address_file:
driver = appendfile
envelope_to_add = true
return_path_add = true

# This transport is used for handling file addresses generated by alias
# or .forward files if the path ends in "/", which causes it to be treated
# as a directory name rather than a file name. Each message is then delivered
# to a unique file in the directory. If instead you want all such deliveries to
# be in the "maildir" format that is used by some other mail software,
# uncomment the final option below. If this is done, the directory specified
# in the .forward or alias file is the base maildir directory.
#
# Should you want to be able to specify either maildir or non-maildir
# directory-style deliveries, then you must set up yet another transport,
# called address_directory2. This is used if the path ends in "//" so should
# be the one used for maildir, as the double slash suggests another level
# of directory. In the absence of address_directory2, paths ending in //
# are passed to address_directory.

address_directory:
driver = appendfile
no_from_hack
prefix = ""
suffix = ""
# maildir_format

# This transport is used for handling autoreplies generated by the filtering
# option of the forwardfile director.

address_reply:
driver = autoreply

# This transport is used for procmail

procmail_pipe:
driver = pipe
command = "/usr/bin/procmail"
return_path_add
delivery_date_add
envelope_to_add
# check_string = "From "
# escape_string = ">From "
suffix = ""


# This transport is used for delivering messages over SMTP connections.

remote_smtp:
driver = smtp
# authenticate_hosts = smarthost.isp.com

# To use SMTP AUTH when sending to a particular host, such as your ISP's
# smarthost, uncomment and edit the above line, and also the example
# client-side authenticators at the bottom of the file

end


######################################################################
# DIRECTORS CONFIGURATION #
# Specifies how local addresses are handled #
######################################################################
# ORDER DOES MATTER #
# A local address is passed to each in turn until it is accepted. #
######################################################################

# This allows local delivery to be forced, avoiding alias files and
# forwarding.

real_local:
prefix = real-
driver = localuser
transport = local_delivery

# This director handles aliasing using a traditional /etc/aliases file.
# If any of your aliases expand to pipes or files, you will need to set
# up a user and a group for these deliveries to run under. You can do
# this by uncommenting the "user" option below (changing the user name
# as appropriate) and adding a "group" option if necessary.

system_aliases:
driver = aliasfile
file_transport = address_file
pipe_transport = address_pipe
file = /etc/aliases
search_type = lsearch
# user = list
# Uncomment the above line if you are running smartlist


# This director handles forwarding using traditional .forward files.
# It also allows mail filtering when a forward file starts with the
# string "# Exim filter": to disable filtering, uncomment the "filter"
# option. The check_ancestor option means that if the forward file
# generates an address that is an ancestor of the current one, the
# current one gets passed on instead. This covers the case where A is
# aliased to B and B has a .forward file pointing to A.

# For standard debian setup of one group per user, it is acceptable---normal
# even---for .forward to be group writable. If you have everyone in one
# group, you should comment out the "modemask" line. Without it, the exim
# default of 022 will apply, which is probably what you want.

userforward:
driver = forwardfile
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
no_verify
check_ancestor
check_local_user
file = .forward
modemask = 002
filter

# This director runs procmail for users who have a .procmailrc file

procmail:
driver = localuser
transport = procmail_pipe
require_files = ${local_part}:+${home}:+${home}/.procmailrc:+/usr/bin/procmail
no_verify

# This director matches local user mailboxes.

localuser:
driver = localuser
transport = local_delivery

end


######################################################################
# ROUTERS CONFIGURATION #
# Specifies how remote addresses are handled #
######################################################################
# ORDER DOES MATTER #
# A remote address is passed to each in turn until it is accepted. #
######################################################################

# Remote addresses are those with a domain that does not match any item
# in the "local_domains" setting above.

# This router routes to remote hosts over SMTP using a DNS lookup with
# default options.

lookuphost:
driver = lookuphost
transport = remote_smtp

# This router routes to remote hosts over SMTP by explicit IP address,
# given as a "domain literal" in the form [nnn.nnn.nnn.nnn]. The RFCs
# require this facility, which is why it is enabled by default in Exim.
# If you want to lock it out, set forbid_domain_literals in the main
# configuration section above.

literal:
driver = ipliteral
transport = remote_smtp

end


######################################################################
# RETRY CONFIGURATION #
######################################################################

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 2 hours and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 8 hours until 4 days have passed since the first
# failed delivery.

# Domain Error Retries
# ------ ----- -------

* * F,2h,15m; G,16h,2h,1.5; F,4d,8h

end


######################################################################
# REWRITE CONFIGURATION #
######################################################################


# There are no rewriting specifications in this default configuration file.


# This rewriting rule is particularly useful for dialup users who
# don't have their own domain, but could be useful for anyone.
# It looks up the real address of all local users in a file

*@hxxx.serverkompetenz.net ${lookup{$1}lsearch{/etc/email-addresses}
{$value}fail} frFs

end

######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################

# Look in the documentation (in package exim-doc or exim-doc-html for
# information on how to set up authenticated connections.

# The examples below are for server side authentication; they allow two
# styles of plain-text authentication against an /etc/exim/passwd file
# which should have user IDs in the first column and crypted passwords
# in the second.

plain:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $1
#
# login:
# driver = plaintext
# public_name = LOGIN
# server_prompts = "Username:: : Password::"
# server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}{1}{0}}"
# server_set_id = $1

# These examples below are the equivalent for client side authentication.
# They assume that you only use client side authentication to connect to
# one host (such as a smarthost at your ISP), or else use the same user
# name and password everywhere

plain:
driver = plaintext
public_name = PLAIN
client_send = "^username^password"

login:
driver = plaintext
public_name = LOGIN
client_send = ": username : password"

# cram_md5:
# driver = cram_md5
# public_name = CRAM-MD5
# client_name = username
# client_secret = password

# End of Exim configuration file

captaincrunch
Userprojekt
Userprojekt
Posts: 7225
Joined: 2002-10-09 14:30
Location: Dorsten

Re: Exim / relaying to .... Problem

Post by captaincrunch » 2003-10-11 08:59

Wenn's dir um SMTP-Auth geht, schau dir bitte erstmal folgendes an :
http://www.debianhowto.de/howtos/de/exi ... _auth.html
DebianHowTo
echo "[q]sa[ln0=aln256%Pln256/snlbx]sb729901041524823122snlbxq"|dc

dodolin
RSAC
Posts: 4009
Joined: 2003-01-21 01:59
Location: Sinsheim/Karlsruhe

Re: Exim / relaying to .... Problem

Post by dodolin » 2003-10-11 15:04

deine glaskugel sagt viel wares. weis die auch noch mehr?
Nö. Inzwischen ist die Fahnenstange erreicht. Wenn du mehr wissen willst, dann versuche dich mal in verständliche Fragen zu fassen... ;)
hier mal was zum lesen:
Was sollen wir mit dem ganzen Schrott?

mikeiv
Posts: 32
Joined: 2003-10-05 12:53

Re: Exim / relaying to .... Problem

Post by mikeiv » 2003-10-11 15:11

ich glaub echt ich bin zu blöd dafür. okay in der exim.conf sind fehler dürfe aber auch nur den zweiten admin sein der daran gearbeitet hat.

ich hab folgendes gemacht.

1. exim ohne tls (für den anfang mal)
2. smtp auth so:
plain:
driver = plaintext
public_name = PLAIN
server_condition = "
${if and {{!eq{$2}{}}{!eq{$3}{}}
{crypteq{$3}{${extract{1}{:}
{${lookup{$2}lsearch{/etc/exim/passwd}{$value}{*:*}}}}}}}{1}{0}}"
server_set_id = $2
3. passwd erstellt unverschlüsselt mit login:pw

wenn ich nun mit meinen mail client mails ohne ssl aber mit smtp auth (login/kennwort) verschicken will weiget er sich absolut dagegen.

dodolin
RSAC
Posts: 4009
Joined: 2003-01-21 01:59
Location: Sinsheim/Karlsruhe

Re: Exim / relaying to .... Problem

Post by dodolin » 2003-10-11 15:20

Wenn ich mit CC's Howto vergleiche, hast du vermutlich ein crypteq zuviel drin. Ansonsten wären genau Angaben zu Client, Einstellungen des Clients, Logfiles von Exim etc. pp. ganz hilfreich. Hint: Mal nen Blick auf den Link in meiner Signatur werfen...

mikeiv
Posts: 32
Joined: 2003-10-05 12:53

Re: Exim / relaying to .... Problem

Post by mikeiv » 2003-10-11 15:44

das crypteq is nicht drinn war mein copy and past fehler.

zum mail client du möchest gerne das hier sehen:
http://crap.insane-vision.com/mail

die logs sagen das:
535 Incorrect authentication data

was sagst uns das?

Mal nen Blick auf den Link in meiner Signatur werfen...
ja eh ich wer hier sicher schon als schwachsinig uns loser abgestempelt. denkt wir ihr wollt aber ich kenn das READ THE FUCKING MANUAL und was ist wenns nichts hilft?

captaincrunch
Userprojekt
Userprojekt
Posts: 7225
Joined: 2002-10-09 14:30
Location: Dorsten

Re: Exim / relaying to .... Problem

Post by captaincrunch » 2003-10-11 16:10

Welches Auth wird denn von deinem Mailprogramm verwendet ? Ich vermute sehr stark, dass es daran liegt, kenne mich mich dem Mailer unter MacOS nicht aus.
DebianHowTo
echo "[q]sa[ln0=aln256%Pln256/snlbx]sb729901041524823122snlbxq"|dc

majortermi
Userprojekt
Userprojekt
Posts: 930
Joined: 2002-06-17 16:09

Re: Exim / relaying to .... Problem

Post by majortermi » 2003-10-11 16:13

CaptainCrunch wrote:Welches Auth wird denn von deinem Mailprogramm verwendet ? Ich vermute sehr stark, dass es daran liegt, kenne mich mich dem Mailer unter MacOS nicht aus.
Also mein Apple Mail arbeitet problemlos mit Exim (PLAIN-Auth) zusammen.
Erst nachlesen, dann nachdenken, dann nachfragen... :)
Warum man sich an diese Reihenfolge halten sollte...

captaincrunch
Userprojekt
Userprojekt
Posts: 7225
Joined: 2002-10-09 14:30
Location: Dorsten

Re: Exim / relaying to .... Problem

Post by captaincrunch » 2003-10-11 16:15

Dann ist Punkt 3 (passwd erstellt unverschlüsselt mit login:pw) der Knackpunkt, da "crypteq" ein verschlüsseltes PW erwartet.
DebianHowTo
echo "[q]sa[ln0=aln256%Pln256/snlbx]sb729901041524823122snlbxq"|dc

mikeiv
Posts: 32
Joined: 2003-10-05 12:53

Re: Exim / relaying to .... Problem

Post by mikeiv » 2003-10-11 16:25

ähmm ich hab das schon geändert auf eq, das steht nur oben im post so.

captaincrunch
Userprojekt
Userprojekt
Posts: 7225
Joined: 2002-10-09 14:30
Location: Dorsten

Re: Exim / relaying to .... Problem

Post by captaincrunch » 2003-10-11 16:30

Warum probierst du es dann nicht einfach mal so, wie's im Howto beschrieben ist ? Ich wüsste keinen halbwegs sinnvollen Grund, warum du der einzige sein solltest, bei dem das nicht klappt.

Die Frage nach der im Client eingstellten Auth hast du übrigends immer noch nicht beantwortet.
DebianHowTo
echo "[q]sa[ln0=aln256%Pln256/snlbx]sb729901041524823122snlbxq"|dc

mikeiv
Posts: 32
Joined: 2003-10-05 12:53

Re: Exim / relaying to .... Problem

Post by mikeiv » 2003-10-11 16:35


captaincrunch
Userprojekt
Userprojekt
Posts: 7225
Joined: 2002-10-09 14:30
Location: Dorsten

Re: Exim / relaying to .... Problem

Post by captaincrunch » 2003-10-11 16:41

Sorry, aber wird das hier ein Frage- / Antwortspiel ? Ich dachte, du wolltest Hilfe, warum lässt du dir dann jedes kleinste bisschen Information aus der Nase ziehen ?

Was passiert, wenn du wie im Howto beschrieben vorgehst, und einfach mal sowohl PLAIN als auch LOGIN-Auth einrichtest ?
DebianHowTo
echo "[q]sa[ln0=aln256%Pln256/snlbx]sb729901041524823122snlbxq"|dc