So, there is a setup of exim4 + dovecot + mysql + roundcube + SA. Works very well, I must say, through that same webmail: mail comes in and goes out, spam gets cut. I install Thunderbird, configure it, and it says "Invalid login/password". In the logs:
2013-05-09 13:37:04 [14148] SMTP connection from [IP_client]:45162 I=[IP_server]:587 (TCP/IP connection count = 1)
2013-05-09 13:37:04 [14189] no IP address found for host customer-IP_client.provider.ua (during SMTP connection from [IP_client]:45162 I=[IP_server]:587)
2013-05-09 13:37:04 [14189] SMTP connection from (we-guess.mozilla.org) [IP_client]:45162 I=[IP_server]:587 closed by QUIT
2013-05-09 13:37:04 [14189] no MAIL in SMTP connection from (we-guess.mozilla.org) [IP_client]:45162 I=[IP_server]:587 D=0s C=EHLO,QUIT
/etc/exim4/exim4.conf:
# Exim MTA config
primary_hostname = site.ua
hide mysql_servers = localhost/DB/user/password
daemon_smtp_ports = 25:465:587
disable_ipv6
# quote_mysql keeps a quote character in the looked-up domain out of the SQL
domainlist local_domains = ${lookup mysql{SELECT domain FROM domain WHERE \
domain='${quote_mysql:$domain}' AND active='1'}}
domainlist relay_to_domains = ${lookup mysql{SELECT domain FROM domain WHERE \
domain='${quote_mysql:$domain}' AND active='1'}}
hostlist relay_from_hosts = localhost : 127.0.0.0/8
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_connect = acl_check_connect
av_scanner = clamd:/var/run/clamav/clamd.ctl
local_scan_path = /usr/lib/exim4/local_scan/sa-exim.so
spamd_address = 127.0.0.1 783
qualify_domain = site.ua
qualify_recipient = site.ua
exim_user = Debian-exim
exim_group = mail
never_users = root
host_lookup = *
rfc1413_query_timeout = 0s
recipient_unqualified_hosts = +relay_from_hosts
ignore_bounce_errors_after = 45m
timeout_frozen_after = 10d
freeze_tell = mail@site.ua
helo_accept_junk_hosts = 127.0.0.0/8
auto_thaw = 1h
smtp_banner = "MTA EXIM"
smtp_accept_max = 50
smtp_accept_max_per_connection = 100
smtp_accept_max_per_host = 20
smtp_connect_backlog = 50
split_spool_directory = true
remote_max_parallel = 50
return_size_limit = 70k
message_size_limit = 50M
helo_allow_chars = _
smtp_enforce_sync = true
log_selector = \
+all \
-arguments \
-lost_incoming_connection \
-queue_run
# advertise AUTH only on an encrypted connection: a client that never
# issues STARTTLS sees no AUTH at all and so has no way to log in
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
tls_advertise_hosts = *
tls_certificate = /etc/ssl/mail/exim.crt
tls_privatekey = /etc/ssl/mail/exim.key
tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
tls_on_connect_ports=465
###############
begin acl
# Recipient checks
acl_check_rcpt:
accept authenticated = *
deny message = "Incorrect symbols in address"
domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
accept local_parts = postmaster
domains = +local_domains
require verify = sender
deny message = HELO/EHLO required by SMTP RFC
condition = ${if eq{$sender_helo_name}{}{yes}{no}}
delay = 30s
deny message = We don't allow domain literals. Too much spam...
domains = !+local_domains
condition = ${if isip{$sender_helo_name}{yes}{no}}
delay = 30s
deny message = Message was delivered by ratware - own
condition = ${if match_domain{$sender_helo_name}\
{$primary_hostname:+local_domains:+relay_to_domains}\
{true}{false}}
log_message = remote host used our name in EHLO/HELO.
delay = 30s
deny message = Go Away! You are spammer.
condition = ${if match{$sender_host_name} \
{bezeqint\\.net|net\\.il|dialup|dynamic|dsl|pool|peer|dhcp} \
{yes}{no}}
deny message = Hmmm... I think, this is bad host!
condition = ${if match{$sender_host_name}{\N((?>\w+[\.|\-]){6,})\N}{yes}{no}}
hosts = !+relay_from_hosts : *
!senders = :
deny message = Very long mailname. It's bad, sorry, maybe you are a spammer.
condition = ${if >{${strlen:$sender_address}}{32}{yes}{no}}
hosts = !+relay_from_hosts : *
!senders = :
accept domains = +local_domains
endpass
verify = recipient
accept domains = +relay_to_domains
endpass
verify = recipient
accept hosts = +relay_from_hosts
deny message = relay not permitted
accept
###########
# Enabled for testing - without this option there was an error
acl_check_connect:
accept hosts = IP_client
control = no_enforce_sync
accept
###########
acl_check_data:
# $spam_score_int is the SpamAssassin score multiplied by ten, so 5..16 here is 0.5..1.6 points
warn message = It's maybe spam. Add to ".Junk" directory.
condition = ${if and {{>{$spam_score_int}{5}}{<={$spam_score_int}{16}}}{yes}{no}}
hosts = !+relay_from_hosts
spam = nobody
warn spam = nobody:true
hosts = !+relay_from_hosts
message = X-Spam-Level: $spam_bar
warn spam = nobody:true
hosts = !+relay_from_hosts
condition = ${if >{$spam_score_int}{25}{1}{0}}
message = X-Spam-Status: $spam_report
deny message = Message scored $spam_score spam points
spam = nobody:true
condition = ${if >{$spam_score_int}{16}{yes}{no}}
deny message = This is spam - denied
condition = ${if match{$message_body} \
{105[-_]*51[-_]*86|778[-_]*98[-_]*94}\
{yes}{no}}
deny message = contains $found_extension file (blacklisted).
demime = com:vbs:bat:pif:scr
deny message = This message contains a MIME error ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny malware = *
demime = *
logwrite = VIRUS from host $sender_host_name [$sender_host_address]. \
# Mail from $sender_address to $local_part@$domain.
deny message = This message contains NUL characters
log_message = NUL characters!
condition = ${if >{$body_zerocount}{0}{1}{0}}
deny message = Incorrect headers syntax
!hosts = +relay_from_hosts
!verify = header_syntax
accept
#############
begin routers
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
user = Debian-exim
group = mail
file_transport = address_file
pipe_transport = address_pipe
mysql_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup mysql{SELECT goto FROM alias WHERE address ='${quote_mysql:$local_part@$domain}' AND active='1'}}
user = Debian-exim
group = mail
file_transport = address_file
pipe_transport = address_pipe
# local mailboxes only: every non-local domain was already taken by dnslookup (no_more),
# and the transport writes into /var/mail/$domain/$local_part/.Junk
spam_to_user:
driver = accept
condition = ${if and {{>{$spam_score_int}{5}}{<{$spam_score_int}{16}}}{yes}{no}}
domains = +local_domains
transport = user_spam_delivery
vacation_autoreply:
driver = accept
domains = ${lookup mysql{SELECT domain FROM vacation WHERE \
domain='${quote_mysql:$domain}' AND \
email='${quote_mysql:$local_part@$domain}' AND \
active='1'}{$value}}
transport = vacation_autoreply
senders = " ! ^.*-request@.*:\
! ^owner-.*@.*:\
! ^postmaster@.*:\
! ^listmaster@.*:\
! ^mailer-daemon@.*:\
! ^root@.*:\
! ^noreply@.*"
no_expn
no_verify
unseen
mysql_localuser:
driver = accept
condition = ${lookup mysql{SELECT username from mailbox WHERE username='${quote_mysql:$local_part@$domain}' AND active='1'}}
transport = dovecot_delivery
localuser:
driver = accept
check_local_user
transport = dovecot_delivery
cannot_route_message = Unknown user
#############
begin transports
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_KEY_FILE = /etc/exim4/dkim/DKIM_DOMAIN.key
DKIM_PRIVATE_KEY = ${if exists{DKIM_KEY_FILE}{DKIM_KEY_FILE}{0}}
DKIM_SELECTOR = mail
remote_smtp:
driver = smtp
dkim_domain = DKIM_DOMAIN
dkim_selector = DKIM_SELECTOR
dkim_private_key = DKIM_PRIVATE_KEY
hosts_avoid_esmtp = ${lookup mysql{INSERT IGNORE INTO `sended_list` \
(`user_from`, `user_to`, `added_timestamp`, \
`last_mail_timestamp`, `mail_count`) VALUES \
(LCASE('${quote_mysql:$sender_address}'), \
LCASE('${quote_mysql:$local_part@$domain}'), \
UNIX_TIMESTAMP(), UNIX_TIMESTAMP(), '1') ON DUPLICATE \
KEY UPDATE `last_mail_timestamp` = UNIX_TIMESTAMP(), \
`mail_count` = `mail_count` + 1}}
dovecot_delivery:
driver = pipe
command = /usr/lib/dovecot/dovecot-lda -e -d $local_part@$domain -f $sender_address -a $original_local_part@$original_domain
message_prefix =
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
return_fail_output
log_output
umask = 077
group = 8
user = 106
temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
user_spam_delivery:
driver = appendfile
maildir_format
create_directory
directory = /var/mail/$domain/$local_part/.Junk
delivery_date_add
directory_mode = 770
envelope_to_add
mode = 0660
# quoted local parts may contain quote characters, so both values go through quote_mysql
quota = ${lookup mysql{SELECT quota FROM mailbox WHERE local_part='${quote_mysql:$local_part}' AND domain='${quote_mysql:$domain}'}{${value}B}}
return_path_add
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_directory:
driver = appendfile
directory_mode = 770
group = mail
maildir_format
mode = 0660
null_transport:
driver = appendfile
file = /dev/null
vacation_autoreply:
driver = autoreply
# headers = "Content-Type: text/plain; charset=utf-8\nContent-Transfer-Encoding: 7bit"
# headers = "Content-Type: text/plain; charset=utf-8\nContent-Transfer-Encoding: base64"
# user = Debian-exim
# group = mail
to = ${sender_address}
from = "${local_part}@${domain}"
log = /var/log/exim4/vacation.log
subject = Re: =?UTF-8?B?KNCw0LLRgtC+LdC+0YLQstC10YIpINCvINCyINC+0YLQv9GD0YE=?= \
=?UTF-8?B?0LrQtSBcIChhdXRvcmVwbHkpIEkgYW0gb24gdmFjYXRpb24=?=
text = "\
Здравствуйте, $h_from\n\n\
Это - автоматический ответ на Ваше письмо $original_local_part@$original_domain \n\
Владелец почтового ящика ${local_part}@${domain} в отпуске\n\n\n\
English version below\n\n\
Dear, $h_from\n\n\
This is an automatic reply to Your message for $original_local_part@$original_domain \n\
A mailbox owner ${local_part}@${domain} on vacation"
#subject = ${lookup mysql {SELECT subject FROM vacation \
# WHERE domain='${quote_mysql:$domain}' AND \
# email='${quote_mysql:$local_part@$domain}'}{$value}}
#subject = "=?UTF-8?B?${lookup mysql {SELECT subject FROM vacation \
# WHERE domain='${quote_mysql:$domain}' AND \
# email='${quote_mysql:$local_part@$domain}'}{$value}}?="
#text = ${lookup mysql {SELECT body FROM vacation \
# WHERE domain='${quote_mysql:$domain}' AND \
# email='${quote_mysql:$local_part@$domain}'}{$value}}
############
address_reply:
driver = autoreply
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
############
begin authenticators
auth_cram_md5:
driver = dovecot
public_name = CRAM-MD5
server_socket = /var/run/dovecot/auth-client
server_set_id = $1
I've been sitting on this for several days... I realise the answer is somewhere on the surface, but I'm being dense.
Authentication is CRAM-MD5 only, and it goes through dovecot (done for the sieve filters in roundcube).
P.S. An unauthenticated relay is not an option: the LAN is large, there is malware on it, and there have been attempts to send spam.
P.P.S. If anyone can also tell me how to cure "A TLS fatal alert has been received.: CA is unknown" when trying to use port 465, I'd be grateful.
The certificates are there, and so are the permissions on them:
ls -la /etc/ssl/mail/
total 24
drwxr-xr-x 2 root root 224 May 9 12:55 .
drwxr-xr-x 5 root root 152 Apr 11 15:48 ..
-rw-r--r-- 1 root root 757 May 9 12:55 dovecot.crt
-r--r----- 1 dovecot mail 912 May 9 12:55 dovecot.key
-rw-r--r-- 1 root root 757 May 9 12:55 exim.crt
-r--r----- 1 Debian-exim mail 916 May 9 12:55 exim.key
-rw-r--r-- 1 root root 753 May 9 12:55 site.ua.crt
-r--r----- 1 root root 916 May 9 12:55 site.ua.key
Solved. The problem was in dovecot: SSLv3 in ssl_cipher_list (10-ssl.conf) was superfluous.
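Reading the `C=EHLO,QUIT` line from the log above together with what port 587 actually advertises, as an added example that is not part of the original post and not code from Exim: `parse_session()` pulls the command sequence out of Exim's "no MAIL in SMTP connection" line and `classify_session()` says how far the client got before giving up; `analyse_caps()` works on EHLO capability dictionaries in the shape `smtplib` produces (lowercase keyword keys) and flags the cases that matter here, AUTH hidden until TLS, AUTH offered in clear, CRAM-MD5 as the only mechanism, or a certificate the client refuses; `probe()` runs that same check live against a host, port and CA file you supply (all assumptions) and is only called from `__main__`. The sample log line and the capability dictionaries are constructed.

```python
"""Diagnose a failed SMTP submission from Exim's "no MAIL" log line and from an EHLO probe.

Added example for this thread; it is not code from the original post or from Exim.
The sample log line and the capability dictionaries are constructed, and probe()
talks to a host/port you choose (an assumption), so it is only run from __main__.
"""
import re
import smtplib
import ssl
from typing import Dict, List, Optional

# Constructed line in the shape Exim logs when a session ends without MAIL FROM.
# C= lists the commands the client actually sent, in order.
SAMPLE_LINE = ("2013-05-09 13:37:04 [14189] no MAIL in SMTP connection from "
               "(we-guess.mozilla.org) [192.0.2.10]:45162 I=[198.51.100.5]:587 D=0s C=EHLO,QUIT")

LINE_RE = re.compile(
    r"^\S+ \S+ \[(?P<pid>\d+)\] no MAIL in SMTP connection from "
    r"(?:\((?P<helo>[^)]*)\) )?\[(?P<client>[^\]]+)\]:\d+ I=\[[^\]]+\]:(?P<lport>\d+) "
    r"D=\S+ C=(?P<cmds>[A-Z,]+)$")

EXPLANATIONS = {
    # from the server log
    "no-tls-no-auth": "client sent EHLO and QUIT only: it never issued STARTTLS, and a server that "
                      "advertises AUTH only inside TLS gave it no login method to try",
    "tls-then-quit": "client started TLS but never authenticated: the handshake or the certificate "
                     "was rejected, or AUTH was not advertised after STARTTLS",
    "auth-attempted": "credentials reached the authenticator: look at the auth backend, not at TLS",
    # from the EHLO probe
    "no-starttls": "STARTTLS not advertised on this port (tls_advertise_hosts / certificate options)",
    "cleartext-auth": "AUTH is offered before TLS, so a client can be made to send credentials in clear",
    "auth-hidden-until-tls": "AUTH appears only after STARTTLS; a client set to 'no encryption' sees none",
    "no-auth-after-tls": "AUTH still missing after STARTTLS: authenticator not advertised",
    "cram-md5-only": "only CRAM-MD5 offered: the backend must hold a plaintext-equivalent secret per user",
    "tls-rejected-by-client": "the client refused the server certificate; Exim logs that as a fatal TLS alert",
}

def parse_session(line: str) -> Optional[Dict]:
    """Pull pid, HELO name, client address, local port and command list out of one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"pid": int(m["pid"]), "helo": m["helo"], "client": m["client"],
            "port": int(m["lport"]), "commands": m["cmds"].split(",")}

def classify_session(session: Dict) -> str:
    """Explain from the C= sequence how far the client got before giving up."""
    cmds = session["commands"]
    if "AUTH" in cmds:
        return "auth-attempted"
    if "STARTTLS" in cmds:
        return "tls-then-quit"
    return "no-tls-no-auth"

def analyse_caps(before: Dict[str, str], after: Optional[Dict[str, str]] = None,
                 tls_error: Optional[str] = None) -> List[str]:
    """Findings from EHLO capabilities (smtplib.esmtp_features shape: lowercase keys)."""
    findings = []
    if "starttls" not in before:
        findings.append("no-starttls")
    if "auth" in before:
        findings.append("cleartext-auth")
    elif "starttls" in before:
        findings.append("auth-hidden-until-tls")
    if tls_error:
        findings.append("tls-rejected-by-client")
    elif after is not None:
        if "auth" not in after:
            findings.append("no-auth-after-tls")
        elif set(after["auth"].upper().split()) == {"CRAM-MD5"}:
            findings.append("cram-md5-only")
    return findings

def probe(host: str, port: int = 587, cafile: Optional[str] = None, timeout: float = 10.0) -> List[str]:
    """Live check on a STARTTLS port: EHLO, STARTTLS with chain verification, EHLO again."""
    ctx = ssl.create_default_context(cafile=cafile)   # verify the chain the way a real MUA does
    s = smtplib.SMTP(host, port, timeout=timeout)
    try:
        s.ehlo()
        before = dict(s.esmtp_features)
        after, tls_error = None, None
        if s.has_extn("starttls"):
            try:
                s.starttls(context=ctx)
                s.ehlo()                                  # capabilities are re-announced inside TLS
                after = dict(s.esmtp_features)
            except ssl.SSLError as e:                     # includes SSLCertVerificationError
                tls_error = str(e)
    finally:
        s.close()
    return analyse_caps(before, after, tls_error)

if __name__ == "__main__":
    import sys
    sess = parse_session(SAMPLE_LINE)
    print("log:", EXPLANATIONS[classify_session(sess)])
    if len(sys.argv) > 1:                                 # python3 diag.py mail.example.org [cafile]
        for code in probe(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None):
            print("probe:", EXPLANATIONS[code])
```

Run without arguments it only classifies the constructed log line; give it the host (and the CA file that signed the Exim certificate) to probe the real port 587. A verification failure inside `probe()` is the client-side view of what the server logs as a fatal TLS alert, so it is worth checking with the same CA file the MUA trusts. Port 465 is implicit TLS, so for that port open the connection with `smtplib.SMTP_SSL(host, 465, context=ctx)` instead of `SMTP` plus `starttls()`.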