Hi Heiko,
Here is the router:

virtual_aliases:
  driver = redirect
  debug_print = "R: Check address using virtual_aliases for $local_part@$domain"
  allow_fail
  allow_defer
  hide data = CHECK_VIRTUAL_ALIASES
  user = vmail
  group = mail

local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
  #Dovecot auth check
  # check_local_user
  local_parts = ! root
  transport = dovecot_lmtp
  cannot_route_message = Unknown user

And this is the transport:

dovecot_lmtp:
  driver = lmtp
  socket = /var/run/dovecot/lmtp
  #return_path_add
  #maximum number of deliveries per batch, default 1
  batch_max = 200
This might also be helpful (this is with check_local_user commented out in the
router)
--------> local_user router <--------
local_part=nosuchuser domain=domainproblem.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
domainproblem.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
NoSuchUser in "! root"? yes (end of list)
R: local_user for nosuchuser at domainproblem.com
calling local_user router
local_user router called for NoSuchUser at domainproblem.com
domain = domainproblem.com
queued for dovecot_lmtp transport: local_part = nosuchuser
domain = domainproblem.com
errors_to=NULL
domain_data=NULL localpart_data=NULL
routed by local_user router
envelope to: NoSuchUser at domainproblem.com
transport: dovecot_lmtp
Cannot do callout: neither router nor transport provided a host list
----------- end verify ------------
deny: condition test failed in ACL "acl_check_rcpt"
processing "accept"
check domains = +relay_to_domains
domainproblem.com in "empty"? no (end of list)
domainproblem.com in "+relay_to_domains"? no (end of list)
accept: condition test failed in ACL "acl_check_rcpt"
processing "accept"
accept: condition test succeeded in ACL "acl_check_rcpt"
SMTP>> 250 Accepted
250 Accepted
This is when it's not commented out:
--------> local_user router <--------
local_part=m.markov domain=domainproblem.com
checking domains
cached yes match for +local_domains
cached lookup data = NULL
domainproblem.com in "+local_domains"? yes (matched "+local_domains" - cached)
checking local_parts
m.markov in "! root"? yes (end of list)
checking for local user
seeking password data for user "m.markov": using cached result
getpwnam() returned NULL (user not found)
local_user router skipped: m.markov is not a local user
I currently have check_local_user disabled because nobody will be able to
receive emails.
> On 17 Nov 2016, at 21:33, Heiko Schlittermann <hs at schlittermann.de> wrote:
>
> Hi,
>
> Marti Markov <marti1234 at gmail.com> (Mi 16 Nov 2016 04:28:28 CET):
>> After adding the configuration bit:
>>
>> deny
>> message = invalid recipient
>> domains = +local_domains
>> !verify = recipient/callout=no_cache
>>
>> from: http://wiki2.dovecot.org/LMTP/Exim running update-exim4.conf and service
>> exim4 restart
>>
>> the server is still accepting emails to recipients that do not exist in
>> dovecot.
>
> How is the router, targeting the messages to dovecot, configured? And
> how the transport, responsible for the delivery to dovecot?
>
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
> --
> SCHLITTERMANN.de ---------------------------- internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --------------- key ID: F69376CE -
> ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Heiko Schlittermann
2016-Nov-21 10:50 UTC
Exim still accepting emails to nonexistent users
Hi Marti,

(Please do not send CC to my private account)

Marti Markov <marti1234 at gmail.com> (Mo 21 Nov 2016 03:52:54 CET):
>
> Here is the router:
>
> virtual_aliases:
> …
> hide data = CHECK_VIRTUAL_ALIASES
> local_user:
> debug_print = "R: local_user for $local_part@$domain"
> driver = accept
> domains = +local_domains
> #Dovecot auth check
> # check_local_user
> local_parts = ! root
> transport = dovecot_lmtp
>
> And this is the transport:
>
> dovecot_lmtp:
> driver = lmtp
> socket = /var/run/dovecot/lmtp
> #return_path_add
> #maximum number of deliveries per batch, default 1
> batch_max = 200

Ok, the router cannot check the existence of the user. check_local_user
won't help you, as long as the $local_part is not a system user locally.

Basically you got 2 possibilities:

a) check in the routing stage by accessing the user database
   -> testable with: exim -bv user at exampl.com

b) check in the transport stage by using a callout
   -> testable with: swaks … --pipe 'exim -bhc i.i.i.i'

a) Routing stage

You need to interact with the user database dovecot uses. Either you
access the user database directory (flat file, LDAP, whatever) or you use
the ${readsocket…} feature of Exim to talk to dovecot.

b) Transport stage

You need to configure the dovecot LMTP to refuse messages to unknown
users. This you can test using swaks (it's capable of talking LMTP). Once
this LMTP works (refusing unknown users) you can use callouts for
verification during SMTP time. (exim -bv … will still tell you, that the
message is *routable*, but exim -bh and the pipe mode of swaks may help
you.)

Ha …

> transport: dovecot_lmtp
> Cannot do callout: neither router nor transport provided a host list

This can be 'fixed' if you use (not tested)

dovecot_lmtp:
  driver = smtp
  protocol = lmtp
  host = localhost
  port = 2525

and have the dovecot LMTP run on a local TCP port

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
Heiko Schlittermann
2016-Nov-21 11:16 UTC
Exim still accepting emails to nonexistent users
Hi,

Heiko Schlittermann <hs at schlittermann.de> (Mo 21 Nov 2016 11:50:13 CET):
> a) Routing stage
> You need to interact with the user database dovecot uses.
> Either you access the user database directory (flat file, LDAP,
> whatever) or you use the ${readsocket…} feature of Exim to talk to
> dovecot.

The readsocket trick doesn't seem to work anymore. Using

$ socat STDIO UNIX:/run/dovecot/auth-master
< VERSION 1 1
< SPID 16290
> VERSION 1 1
> USER 42 hs12 service=imap
< USER 1 hs12 uid=500 gid=500 home=/var/vmail/home/h/hs12

(the spaces are tabs). But using Exim

exim -be '${readsocket{/run/dovecot/auth-userdb}{VERSION\t1\t1\nUSER\t1\hs12\tservice=imap\n}}'

does not work. Exim closes the sending side right after the final \n
with shutdown(2). Dovecot seems to see this as if the connection should
be closed now and closes the connection, w/o any response.

As it's not unusual to shutdown(2) the sender if the message is sent,
I'd see this as a bug on the dovecot side. There is no reason to consider
the connection as dead, just because the sender closed its sending side
of the connection.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
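The readsocket problem described above is that Exim half-closes the socket before Dovecot has answered, so a client that keeps its sending side open until the reply is in avoids it; the same lookup is what option (a), the routing-stage check against Dovecot's user database, needs. The Python below is an added example, not code from the thread or from Exim/Dovecot: it builds the auth-userdb request as typed into socat, reads until the reply carrying the request id arrives, and parses it. The socket path /run/dovecot/auth-userdb is taken from the thread, the NOTFOUND/FAIL reply forms are assumed from Dovecot's auth protocol description, and the sample replies are constructed.

```python
import socket

# Constructed sample replies modelled on the socat session in the thread;
# fields are tab-separated and Dovecot echoes the request id in its reply.
SAMPLE_FOUND = (b"VERSION\t1\t1\nSPID\t16290\n"
                b"USER\t1\ths12\tuid=500\tgid=500\thome=/var/vmail/home/h/hs12\n")
SAMPLE_NOTFOUND = b"VERSION\t1\t1\nSPID\t16290\nNOTFOUND\t1\n"   # assumed reply form


def build_userdb_request(user, service="imap", req_id=1):
    """Handshake plus one USER lookup, as typed into socat in the thread."""
    if "\t" in user or "\n" in user:      # never let field separators leak in
        raise ValueError("user must not contain tab or newline")
    return f"VERSION\t1\t1\nUSER\t{req_id}\t{user}\tservice={service}\n".encode()


def find_reply(data, req_id=1):
    """Tab-split reply line that carries req_id, or None if it has not arrived."""
    for line in data.decode(errors="replace").split("\n"):
        fields = line.split("\t")
        if fields[0] in ("USER", "NOTFOUND", "FAIL") and fields[1:2] == [str(req_id)]:
            return fields
    return None


def parse_userdb_response(data, req_id=1):
    """Dict of userdb attributes for a known user, None for NOTFOUND; raises otherwise."""
    fields = find_reply(data, req_id)
    if fields is None:
        raise RuntimeError("no reply for id %d (peer closed the socket early?)" % req_id)
    if fields[0] == "NOTFOUND":
        return None
    if fields[0] == "FAIL":
        raise RuntimeError("userdb lookup failed: %r" % fields)
    attrs = {"user": fields[2]}
    for kv in fields[3:]:
        key, _, value = kv.partition("=")
        attrs[key] = value
    return attrs


def userdb_lookup(user, socket_path="/run/dovecot/auth-userdb", service="imap"):
    """Query the userdb socket; the sending side stays open until the reply is read."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(5)
        sock.connect(socket_path)
        sock.sendall(build_userdb_request(user, service))
        buf = b""
        while find_reply(buf) is None:
            chunk = sock.recv(4096)
            if not chunk:          # EOF without a reply surfaces as RuntimeError
                break
            buf += chunk
    return parse_userdb_response(buf)
```

Wired into a small helper called from an Exim router, a None result is the signal to fail the address so the RCPT is refused at SMTP time instead of after acceptance.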