Linux – How to test non-smtp ACLs in exim

Tags: access-control-list, exim, linux

Exim provides the option to test your ACLs via CLI using exim -bh. However, this method opens an SMTP connection and you can only test SMTP ACLs. I wish to debug and test the acl_not_smtp ACL – is there any similar way of doing this?

Alternatively, if anybody knows why this does not work in acl_not_smtp:

deny
      message = Outgoing email is blocked for this domain. Please contact support for assistance.
      senders = /etc/exim_blacklist_users

That would be extremely helpful. This does work in acl_smtp_rcpt.

Best Answer

Exim does not have a testing mode for local messages the way that the -bh mode simulates an SMTP connection. So you'll have to do it with a real message.

I would create a sample message with full headers and body, "sample.eml". Make it to an address that you control, a test mailbox or something. Make it from the address that you want it to reject. Pass the message to Exim using the simple command line:

# No real output
exim -bm -t < "sample.eml"
# Get verbose output, but still not much
exim -v -bm -t < "sample.eml"
# Here's where we figure things out: debug
exim -d+all -bm -t < "sample.eml"

That last one will produce a LOT of output, so maybe redirect it to a text file and view that file. Look to see how it's processing that non-smtp acl when it processes this message. You'll find the answer there. Or update the question with that debug output for that ACL and we'll refine our answer.

Another option would be to configure your app that is sending those messages to send using SMTP to 127.0.0.1 port 25, instead of passing a message to /usr/sbin/sendmail (which is the sendmail compatibility wrapper for exim). Then it would use the smtp rcpt acl.
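
The procedure from the answer above as a small script, added here as an example and not part of the original answer. The addresses and file names are placeholders. It also passes -f, because the senders condition tests the envelope sender, and for a local submission Exim takes that from the calling user rather than the From: header unless a trusted user sets it with -f.

```shell
#!/bin/sh
# Added example: drive a local (non-SMTP) submission through Exim with debugging on.
# Addresses and file names are placeholders (assumptions), not values from the page.

# Write a minimal message: headers, one blank line, body.
make_sample() {  # usage: make_sample FROM TO FILE
    {
        printf 'From: %s\n' "$1"
        printf 'To: %s\n' "$2"
        printf 'Subject: acl_not_smtp test\n'
        printf 'Date: %s\n' "$(date -R 2>/dev/null || date)"
        printf '\n'
        printf 'Test message for the non-SMTP ACL.\n'
    } > "$3"
}

# Submit the message locally and capture the debug trace (-d writes to stderr).
# -f sets the envelope sender, which is what "senders" is matched against.
# Assumption: run as root or another trusted/admin user, otherwise -f and -d are refused or ignored.
run_debug() {  # usage: run_debug FROM FILE LOG
    exim -d+all -f "$1" -bm -t < "$2" > "$3" 2>&1
}

# Keep only the lines that mention ACL processing or the senders check, with line numbers.
acl_lines() {  # usage: acl_lines LOG
    grep -n -i -E 'acl|senders' "$1"
}

# Only touches Exim when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    make_sample "blocked@example.com" "testbox@example.net" sample.eml
    run_debug "blocked@example.com" sample.eml exim-debug.log
    echo "exim exit status: $?"
    acl_lines exim-debug.log
fi
```

A non-zero exit status from the submission is the expected result when the deny statement matches.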