Mailing List Archive

Callout cache causing rejects
Hello,

What is the meaning of "callout=unknown" in the callout db? What could
produce that cached output?

> $ sudo exim_dumpdb /var/spool/exim4 callout |grep -v @ |grep lists
> 07-May-2018 10:14:47 lists.example.fr callout=unknown
> postmaster=unknown random=unknown

I had to reduce "callout_domain_negative_expire" to 0s, because
otherwise, messages sent to our listserver are sometimes rejected by our
MTA Exim, and cached for 3h ("result of an earlier callout reused").

I struggle to find out why Exim thinks that, sometimes, messages to this
domain should be rejected.

Thanks for any hint.
--
Mathieu

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Callout cache causing rejects
On 07/05/18 16:44, Mathieu via Exim-users wrote:
> What is the meaning of "callout=unknown" in the callout db? What could
> produce that cached output?

"test hasn't been done".
--
Cheers,
Jeremy


Re: Callout cache causing rejects
On 09/05/2018 at 13:39, Jeremy Harris via Exim-users wrote:
>> What is the meaning of "callout=unknown" in the callout db? What could
>> produce that cached output?
>
> "test hasn't been done".

Why wouldn't the test be done, but still saved in the callout db? Is it a temp
status while the test is actually done?
AFAIK, I only have "accept" and "reject" entries in this db.

I hoped this could somehow help me understand why this domain was
rejected and then cached.


--
Mathieu

Re: Callout cache causing rejects
On 09/05/18 13:04, Mathieu via Exim-users wrote:
> On 09/05/2018 at 13:39, Jeremy Harris via Exim-users wrote:
>>> What is the meaning of "callout=unknown" in the callout db? What could
>>> produce that cached output?
>>
>> "test hasn't been done".
>
> Why wouldn't the test be done, but still saved in the callout db?

The one verify potentially does a whole set of tests, of which
records are made.

Perhaps you could find the time in your logs when the verify was
done? It might have recorded some insights.
--
Cheers,
Jeremy


Re: Callout cache causing rejects
On 09/05/2018 at 15:03, Jeremy Harris via Exim-users wrote:
> Perhaps you could find the time in your logs when the verify was
> done? It might have recorded some insights.

It brings this reject:

> 2018-05-07 10:14:47 H=([127.0.0.1]) [10.1.2.3]
> X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no
> F=<anonymous@example.com> A=plain_ldap:anonymous rejected RCPT
> <list@lists.example.com>: lists.example.com [192.0.2.1] : response
> to "MAIL FROM:<> SIZE=20266877" was: 552 Message size exceeds
> maximum permitted

Which is the exact same time as the callout db entry:

> 07-May-2018 10:14:47 lists.example.fr callout=unknown
> postmaster=unknown random=unknown

But shouldn't it have been cached only for this specific address
(list@lists.example.com), and not for the whole domain
(lists.example.com)? Because during 3h after this reject, all mails sent
to lists.example.com addresses have been rejected by Exim's verify, with
the message "result of an earlier callout reused".

Which is why I reduced "callout_domain_negative_expire" to 0s, but it's
obviously not the solution.

Thanks for your hints.
--
Mathieu

Re: Callout cache causing rejects
On 09/05/18 14:53, Mathieu via Exim-users wrote:
> On 09/05/2018 at 15:03, Jeremy Harris via Exim-users wrote:
>> Perhaps you could find the time in your logs when the verify was
>> done? It might have recorded some insights.
>
> It brings this reject:
>
>> 2018-05-07 10:14:47 H=([127.0.0.1]) [10.1.2.3]
>> X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no
>> F=<anonymous@example.com> A=plain_ldap:anonymous rejected RCPT
>> <list@lists.example.com>: lists.example.com [192.0.2.1] : response
>> to "MAIL FROM:<> SIZE=20266877" was: 552 Message size exceeds
>> maximum permitted

The MAIL FROM was rejected; we didn't get as far as the
RCPT TO, so the rejection would apply to any recipient.

I'm depending on your not having obfuscated that log (please
don't or I'll be much less use to you), and assume that
the null from indicates a sender verify (you didn't say).
You also didn't say what Exim version. The coding changed
in that area for 4.90 - commit 14de8063d8 for bug 2151 -
perhaps you are not running any that recent?
--
Cheers,
Jeremy
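
An added example (not part of the thread, and not Exim code) of the correlation done in the messages above: it pairs each domain-level record from `exim_dumpdb ... callout` with the mainlog reject logged at the same second, and reports the SMTP stage that failed. The sample lines are constructed from the formats quoted in the thread; the function names and scope labels are assumptions.

```python
import re
from datetime import datetime

# Constructed sample data modelled on the lines quoted in this thread.
DUMP = """\
07-May-2018 10:14:47 lists.example.com callout=unknown postmaster=unknown random=unknown
07-May-2018 09:02:11 alice@example.org callout=accept
"""
LOG = """\
2018-05-07 10:14:47 H=([127.0.0.1]) [10.1.2.3] X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no F=<anonymous@example.com> A=plain_ldap:anonymous rejected RCPT <list@lists.example.com>: lists.example.com [192.0.2.1] : response to "MAIL FROM:<> SIZE=20266877" was: 552 Message size exceeds maximum permitted
2018-05-07 11:30:02 H=([127.0.0.1]) [10.1.2.3] F=<anonymous@example.com> rejected RCPT <nobody@other.example>: mx.other.example [192.0.2.9] : response to "RCPT TO:<nobody@other.example>" was: 550 No such user
"""

DUMP_RE = re.compile(r"^(\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d) (\S+) (.*)$")
LOG_RE = re.compile(
    r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*rejected RCPT <[^>]*@([^>]+)>: '
    r'.*response to "([^"]*)" was: (\d{3}) (.*)$')
# Which recipients a failure at each SMTP stage affects (assumed labels).
SCOPE = {"MAIL FROM": "any recipient in the domain", "RCPT TO": "that recipient only"}

def domain_records(dump):
    """Yield (time, domain) for cache records keyed by a domain (no '@')."""
    for line in dump.splitlines():
        m = DUMP_RE.match(line)
        if m and "@" not in m.group(2):
            # %b expects English month abbreviations (C locale).
            yield datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S"), m.group(2).lower()

def callout_rejects(log):
    """Yield (time, recipient domain, SMTP stage, code, text) per callout reject."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            stage = m.group(3).split(":", 1)[0].upper()
            yield (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                   m.group(2).lower(), stage, int(m.group(4)), m.group(5))

def explain(dump, log):
    """Pair each domain record with the reject logged at the same second."""
    rejects = list(callout_rejects(log))
    return [(dom, stage, code, SCOPE.get(stage, "unclassified"))
            for ts, dom in domain_records(dump)
            for rts, rdom, stage, code, _ in rejects
            if rts == ts and rdom == dom]

if __name__ == "__main__":
    for row in explain(DUMP, LOG):
        print(row)
```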

Re: Callout cache causing rejects
On 09/05/2018 at 16:23, Jeremy Harris via Exim-users wrote:
> The MAIL FROM was rejected; we didn't get as far as the
> RCPT TO, so the rejection would apply to any recipient.
>
> I'm depending on your not having obfuscated that log (please
> don't or I'll be much less use to you),

Yes, I'm only replacing with anonymized similar values.

> and assume that
> the null from indicates a sender verify (you didn't say).

That's right, sorry!

So if I understand correctly, my problem here is that Exim sends the
SIZE, which the remote server rejects, and makes Exim cache the
blacklisting of this domain, rejecting all other valid messages until
cache expiration.

Is it possible to disable sending SIZE during verify?

> You also didn't say what Exim version. The coding changed
> in that area for 4.90 - commit 14de8063d8 for bug 2151 -
> perhaps you are not running any that recent?

No, we are still on 4.89.

But indeed, bug 2151 looks exactly like my bug!
https://bugs.exim.org/show_bug.cgi?id=2151

So, is the only way to fix it to upgrade to 4.90? (4.91 is available
in Debian Backports)

Maybe the doc could mention that SIZE in the SMTP commands sent:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html#SECTcallver

Thanks
--
Mathieu

Re: Callout cache causing rejects
On 09/05/18 17:09, Mathieu via Exim-users wrote:
> So, is the only way to fix it to upgrade to 4.90? (4.91 is available
> in Debian Backports)

Not the only, but probably the simplest for you.
--
Jeremy

