Help
Hi,
I installed the spam/virtus protection on all my servers, but now I'm getting emails from my customers about several emails not being delivered, upon investigation, I was able to see the following:
2006-11-24 10:44:42 SMTP command timeout on connection from (lnxsvr.rush.com.pe) [200.60.77.168]:2955 I=[69.65.106.226]:25 U=root
2006-11-24 11:39:07 H=(lnxsvr.rush.com.pe) [200.60.77.168]:3272 I=[69.65.106.226]:25 sender verify defer for <czapata@rush.com.pe>: Could not complete sender verify callout
2006-11-24 11:39:07 H=(lnxsvr.rush.com.pe) [200.60.77.168]:3272 I=[69.65.106.226]:25 F=<czapata@rush.com.pe> temporarily rejected RCPT <lpacheco@quickferr.com>: Could not complete
sender verify callout
2006-11-24 11:44:08 SMTP command timeout on connection from (lnxsvr.rush.com.pe) [200.60.77.168]:3272 I=[69.65.106.226]:25
2006-11-24 12:38:45 H=(lnxsvr.rush.com.pe) [200.60.77.168]:3664 I=[69.65.106.226]:25 U=root sender verify defer for <czapata@rush.com.pe>: Could not complete sender verify callout
2006-11-24 12:38:45 H=(lnxsvr.rush.com.pe) [200.60.77.168]:3664 I=[69.65.106.226]:25 U=root F=<czapata@rush.com.pe> temporarily rejected RCPT <lpacheco@quickferr.com>: Could not c
omplete sender verify callout
2006-11-24 12:43:45 SMTP command timeout on connection from (lnxsvr.rush.com.pe) [200.60.77.168]:3664 I=[69.65.106.226]:25 U=root
2006-11-24 13:52:59 H=(lnxsvr.rush.com.pe) [200.60.77.168]:4006 I=[69.65.106.226]:25 U=root sender verify defer for <czapata@rush.com.pe>: Could not complete sender verify callout
2006-11-24 13:52:59 H=(lnxsvr.rush.com.pe) [200.60.77.168]:4006 I=[69.65.106.226]:25 U=root F=<czapata@rush.com.pe> temporarily rejected RCPT <lpacheco@quickferr.com>: Could not c
omplete sender verify callout
2006-11-24 13:57:59 SMTP command timeout on connection from (lnxsvr.rush.com.pe) [200.60.77.168]:4006 I=[69.65.106.226]:25 U=root
2006-11-24 14:48:38 H=(lnxsvr.rush.com.pe) [200.60.77.168]:4402 I=[69.65.106.226]:25 U=root sender verify defer for <czapata@rush.com.pe>: Could not complete sender verify callout
2006-11-24 14:48:38 H=(lnxsvr.rush.com.pe) [200.60.77.168]:4402 I=[69.65.106.226]:25 U=root F=<czapata@rush.com.pe> temporarily rejected RCPT <lpacheco@quickferr.com>: Could not c
omplete sender verify callout
2006-11-24 14:53:38 SMTP command timeout on connection from (lnxsvr.rush.com.pe) [200.60.77.168]:4402 I=[69.65.106.226]:25 U=root
2006-11-24 15:39:29 H=(lnxsvr.rush.com.pe) [200.60.77.168]:4680 I=[69.65.106.226]:25 U=root sender verify defer for <czapata@rush.com.pe>: Could not complete sender verify callout
2006-11-24 15:39:29 H=(lnxsvr.rush.com.pe) [200.60.77.168]:4680 I=[69.65.106.226]:25 U=root F=<czapata@rush.com.pe> temporarily rejected RCPT <lpacheco@quickferr.com>: Could not c
omplete sender verify callout
2006-11-24 15:44:29 SMTP command timeout on connection from (lnxsvr.rush.com.pe) [200.60.77.168]:4680 I=[69.65.106.226]:25 U=root
2006-11-24 16:38:55 H=(lnxsvr.rush.com.pe) [200.60.77.168]:1040 I=[69.65.106.226]:25 U=root sender verify defer for <czapata@rush.com.pe>: Could not complete sender verify callout
2006-11-24 16:38:55 H=(lnxsvr.rush.com.pe) [200.60.77.168]:1040 I=[69.65.106.226]:25 U=root F=<czapata@rush.com.pe> temporarily rejected RCPT <lpacheco@quickferr.com>: Could not c
omplete sender verify callout
2006-11-24 16:43:55 SMTP command timeout on connection from (lnxsvr.rush.com.pe) [200.60.77.168]:1040 I=[69.65.106.226]:25 U=root
2006-11-24 17:38:31 H=(lnxsvr.rush.com.pe) [200.60.77.168]:1342 I=[69.65.106.226]:25 U=root sender verify defer for <czapata@rush.com.pe>: Could not complete sender verify callout
2006-11-24 17:38:31 H=(lnxsvr.rush.com.pe) [200.60.77.168]:1342 I=[69.65.106.226]:25 U=root F=<czapata@rush.com.pe> temporarily rejected RCPT <lpacheco@quickferr.com>: Could not c
omplete sender verify callout
What can I do to stop this?
Thanks!!
Sender Verify Callout Driving me crazy!!!
#2
pairote 
- Administrator
-
- Group: Admin
- Posts: 4,345
- Joined: 13-June 03
Posted 25 November 2006 - 03:07 PM
Operating sender verify callout is not easy. Either DNS or non-rfc of reciever server can cause this. You can disable sender verify callout in WHM/EXIM configuration. Uncheck the checkbox for sender verify callout.
#7
jameshsi
- Newbie
-
- Group: Members
- Posts: 3
- Joined: 25-February 04
Posted 28 November 2006 - 07:25 PM
QUOTE(pairote @ Nov 25 2006, 11:20 PM) <{POST_SNAPBACK}>
Use callouts to verify the existence of email senders.
Hi!
I don't quite understand, you mean we should not take these 2 option off, we should just take off the call out option, right ?
But after I check out the call out in WHM, I still see this in my Advanced Editor:
QUOTE
#if it gets here it isn't mailman
#sender verifications are required for all messages that are not sent to lists
require verify = sender/callout
accept domains = +local_domains
endpass
#sender verifications are required for all messages that are not sent to lists
require verify = sender/callout
accept domains = +local_domains
endpass
Is that means I still using callout ?
#9
pairote
- Administrator
-
- Group: Admin
- Posts: 4,345
- Joined: 13-June 03
Posted 28 November 2006 - 11:47 PM
QUOTE
Verify the existance of email senders
This option will verify if the MX record of the sender is valid.
QUOTE
Use callouts to verify the existance of email senders.
This option will SMTP back to the sender server and asking sender server if the sender is a valid email address. It is a good idea but some servers doesn't response even if the sender is valid. In that case, email will be rejected.
QUOTE
But after I check out the call out in WHM, I still see this in my Advanced Editor:
QUOTE
#if it gets here it isn't mailman
#sender verifications are required for all messages that are not sent to lists
require verify = sender/callout
accept domains = +local_domains
endpass
Is that means I still using callout ?
QUOTE
#if it gets here it isn't mailman
#sender verifications are required for all messages that are not sent to lists
require verify = sender/callout
accept domains = +local_domains
endpass
Is that means I still using callout ?
Not sure. It seems cPanel strip it later even it appear in EXIM GUI if the checkbox for callout is not checked. You may verify it by run
grep callout /etc/exim.conf
If no result, you don't run it.
#12
dev_cw
- Newbie
-
- Group: Members
- Posts: 9
- Joined: 05-November 06
Posted 26 January 2007 - 04:18 AM
I have been having the same problem. Is there a way to have a whitelist for this test as well. I don't really want to disable the verify function but I DO want to whitelist a few addresses/servers that are not getting through. Is this possible?
#13
dev_cw
- Newbie
-
- Group: Members
- Posts: 9
- Joined: 05-November 06
Posted 26 January 2007 - 07:40 AM
QUOTE
The main reason that the sender verify can fail is because the remote mail server does not conform to standard RFCs. They issue a RCPT TO command to our server but do not wait long enough for a response. RFC 2821 #4.5.3.2 states that the mail server should wait up to 5 minutes for a response. As part of our email harvesting protection system we sometimes perform a delay on incoming connections.
Could this be a solution? Where can we configure exim to wait a few minutes for a response? By watching the logs it looks like it is immediate.
#14
pairote
- Administrator
-
- Group: Admin
- Posts: 4,345
- Joined: 13-June 03
Posted 26 January 2007 - 11:34 AM
Replace your simple verify callout to something like this on your EXIM editor.
And add 3 new whitelist files at the first box of WHM/EXIM advanced editor. Don't forget to create these files in /usr/local/cpanel/base/eximacl/.
Last updated on March 12, 2007.
CODE
deny message = From email address must be valid
# do not check address for lists or bounces
# or people in our company contact database
!senders = ^.*-request@.*:\
^bounce-.*@.*:\
^.*-bounce@.*:\
^owner-.*@.*:\
^listmaster@.*:\
^root@.*:\
^anonymous@.*:\
^nobody@.*
!domains = +rv_callout_receiver_domain_whitelist
!sender_domains = +rv_callout_sender_domain_whitelist
# do not check for DSN-ignorant domains
# those that don't accept MAIL FROM:<>
!dnslists = dsn.rfc-ignorant.org/$sender_address_domain
!verify = sender/callout=10s,defer_ok
##
# Check that there is a MX record for those that do not
# meet the deny statement requirements - ie bounces
# No cost as previous lookup is cached if executed
##
deny !sender_domains = +rv_sender_verify_domain_whitelist
!verify = sender
# do not check address for lists or bounces
# or people in our company contact database
!senders = ^.*-request@.*:\
^bounce-.*@.*:\
^.*-bounce@.*:\
^owner-.*@.*:\
^listmaster@.*:\
^root@.*:\
^anonymous@.*:\
^nobody@.*
!domains = +rv_callout_receiver_domain_whitelist
!sender_domains = +rv_callout_sender_domain_whitelist
# do not check for DSN-ignorant domains
# those that don't accept MAIL FROM:<>
!dnslists = dsn.rfc-ignorant.org/$sender_address_domain
!verify = sender/callout=10s,defer_ok
##
# Check that there is a MX record for those that do not
# meet the deny statement requirements - ie bounces
# No cost as previous lookup is cached if executed
##
deny !sender_domains = +rv_sender_verify_domain_whitelist
!verify = sender
And add 3 new whitelist files at the first box of WHM/EXIM advanced editor. Don't forget to create these files in /usr/local/cpanel/base/eximacl/.
CODE
domainlist rv_callout_sender_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_callout_sender_domain_whitelist
domainlist rv_callout_receiver_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_callout_receiver_domain_whitelist
domainlist rv_sender_verify_domain_whitelist= lsearch;/usr/local/cpanel/base/eximacl/rv_sender_verify_domain_whitelist
domainlist rv_callout_receiver_domain_whitelist = lsearch;/usr/local/cpanel/base/eximacl/rv_callout_receiver_domain_whitelist
domainlist rv_sender_verify_domain_whitelist= lsearch;/usr/local/cpanel/base/eximacl/rv_sender_verify_domain_whitelist
Last updated on March 12, 2007.
#16
dazza
- Newbie
-
- Group: Members
- Posts: 6
- Joined: 03-March 07
Posted 03 March 2007 - 08:28 AM
QUOTE(dev_cw @ Jan 26 2007, 04:10 PM) <{POST_SNAPBACK}>
Thanks pairote, that is a cool setup. Plugged it right in and worked fine. I have not seen any messages beeing blocked yet but I have my eyes open.
so dev_cw,
I've recently been through "Sender Failure" hell myself and came across this post. It's been a month since your post, how's it looking? any issues?
Looks like a good solution, I just need to becareful not to block the wrong emails.
And would I replace the * with domains to whitelist or just leave as is? not sure how to decipher this.
Thanks,
daz
#17
dev_cw
- Newbie
-
- Group: Members
- Posts: 9
- Joined: 05-November 06
Posted 04 March 2007 - 06:18 AM
dazza,
I have been happy so far, no complaints from clients. I am still blocking hundreds (or thousands) of messages that do not pass sender verification and all my messages seem to be getting trough. It must be working since no one has called to complain about missed messages.
I would still like to have a main whitelist to bypass sender verification.
I have been happy so far, no complaints from clients. I am still blocking hundreds (or thousands) of messages that do not pass sender verification and all my messages seem to be getting trough. It must be working since no one has called to complain about missed messages.
I would still like to have a main whitelist to bypass sender verification.
#18
dazza
- Newbie
-
- Group: Members
- Posts: 6
- Joined: 03-March 07
Posted 04 March 2007 - 10:44 AM
cool, I'll give it a try.
I haven't tried this either, still all a bit new to me, but this may work as well. whitelist link
Thanks for the reply.
I haven't tried this either, still all a bit new to me, but this may work as well. whitelist link
Thanks for the reply.
#19
dazza
- Newbie
-
- Group: Members
- Posts: 6
- Joined: 03-March 07
Posted 05 March 2007 - 08:39 AM
I'm still getting the following through dnsstuff.com email check whether or not I have "use callouts to verify" checked or not:
Could not connect: Got an unknown RCPT TO response: 550-Verification failed for <TestedFrom-71.198.77.160@DNSreport.com>
550-Previous (cached) callout verification failure
550 From email address must be valid
I've replaced "require verify = sender/callout" in my exim file with pairote's code above. Email seems to be getting through, I'm just concerned about the 550 messages.
Could not connect: Got an unknown RCPT TO response: 550-Verification failed for <TestedFrom-71.198.77.160@DNSreport.com>
550-Previous (cached) callout verification failure
550 From email address must be valid
I've replaced "require verify = sender/callout" in my exim file with pairote's code above. Email seems to be getting through, I'm just concerned about the 550 messages.
#20
dazza
- Newbie
-
- Group: Members
- Posts: 6
- Joined: 03-March 07
Posted 05 March 2007 - 11:02 AM
Seems to be working now. Below is what I have done. Could you tell me if you think this looks ok? Much appreciated.
In WHM:
Verify the existence of email senders. <-- is checked
Use callouts to verify the existence of email senders. <--- is checked.
Modified exim file:
Removed: /callout from ---> require verify = sender/callout
Replaced: deny message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.
With: deny message = From email address must be valid
# do not check address for lists or bounces
# or people in our company contact database
!senders = ^.*-request@.*:\
^bounce-.*@.*:\
^.*-bounce@.*:\
^owner-.*@.*:\
^listmaster@.*:\
^root@.*:\
^anonymous@.*:\
^nobody@.*
# do not check for DSN-ignorant domains
# iow those that don't accept MAIL FROM:<>
!dnslists = dsn.rfc-ignorant.org/$sender_address_domain
!verify = sender/callout=10s,defer_ok
root@xxx [~]# grep callout /etc/exim.conf
!verify = sender/callout=10s,defer_ok
In WHM:
Verify the existence of email senders. <-- is checked
Use callouts to verify the existence of email senders. <--- is checked.
Modified exim file:
Removed: /callout from ---> require verify = sender/callout
Replaced: deny message = $sender_fullhost is currently not permitted to \
relay through this server. Perhaps you \
have not logged into the pop/imap server in the \
last 30 minutes or do not have SMTP Authentication turned on in your email client.
With: deny message = From email address must be valid
# do not check address for lists or bounces
# or people in our company contact database
!senders = ^.*-request@.*:\
^bounce-.*@.*:\
^.*-bounce@.*:\
^owner-.*@.*:\
^listmaster@.*:\
^root@.*:\
^anonymous@.*:\
^nobody@.*
# do not check for DSN-ignorant domains
# iow those that don't accept MAIL FROM:<>
!dnslists = dsn.rfc-ignorant.org/$sender_address_domain
!verify = sender/callout=10s,defer_ok
root@xxx [~]# grep callout /etc/exim.conf
!verify = sender/callout=10s,defer_ok
