URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Форум: vsluhforumID1
Нить номер: 86754
[ Назад ]

Исходное сообщение
"exim + SMTP protocol synchronization error"

Отправлено Aess , 30-Сен-09 13:22 
Есть у меня ВПН сеть 10.8.0.0/24. Есть сервачек на екзиме. Вот такое чудо пишет в лог.

2009-09-30 08:42:12 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[10.8.0.82] input="QUIT\r\n"
2009-09-30 08:57:04 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[10.8.0.46] input="QUIT\r\n"
2009-09-30 09:03:43 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[10.8.0.26] input="QUIT\r\n"
2009-09-30 09:04:16 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[10.8.0.90] input="QUIT\r\n"
2009-09-30 09:05:19 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[10.8.0.30] input="QUIT\r\n"
2009-09-30 09:13:17 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[10.8.0.94] input="QUIT\r\n"
2009-09-30 09:23:54 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[10.8.0.34] input="QUIT\r\n"
2009-09-30 09:45:00 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[10.8.0.34] input="QUIT\r\n"
2009-09-30 11:13:03 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[10.8.0.66] input="QUIT\r\n"
2009-09-30 11:55:15 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[10.8.0.46] input="QUIT\r\n"

При чем часть хостов нормально отправляет а часть нет! Отправка почты идет 1с-кой. Погуглил нашел

warn    hosts   = 10.8.0.0/24
          control = no_enforce_sync

вставил его в
######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################

begin acl

  acl_check_rcpt:
  accept  hosts = :

  warn    hosts   = 10.8.0.0/24
          control = no_enforce_sync

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


  accept  local_parts   = postmaster
          domains       = +local_domains


и так далее
#########################################################


ребутнул экзим и всеравно отлуп (((

Помогите, а?


Содержание

Сообщения в этом обсуждении
"exim + SMTP protocol synchronization error"
Отправлено ALex_hha , 30-Сен-09 17:35 
Что за MUA на проблемных клиентах?

Судя по "input sent without waiting for greeting" дело происходит явно до стадии rcpt. Думаю правило надо вставлять в acl_smtp_connect


"exim + SMTP protocol synchronization error"
Отправлено Aess , 02-Окт-09 11:41 
>Что за MUA на проблемных клиентах?

1c


>Судя по "input sent without waiting for greeting" дело происходит явно до
>стадии rcpt. Думаю правило надо вставлять в acl_smtp_connect

ЭЭЭЭммм даю весь конф тыкните пальцем куда.... плизззз.....


######################################################################
#                  Runtime configuration file for Exim               #
######################################################################


# This is a default configuration file which will operate correctly in
# uncomplicated installations. Please see the manual for a complete list
# of all the runtime configuration options that can be included in a
# configuration file. There are many more than are mentioned here. The
# manual is in the file doc/spec.txt in the Exim distribution as a plain
# ASCII file. Other formats (PostScript, Texinfo, HTML, PDF) are available
# from the Exim ftp sites. The manual is also online at the Exim web sites.


# This file is divided into several parts, all but the first of which are
# headed by a line starting with the word "begin". Only those parts that
# are required need to be present. Blank lines, and lines starting with #
# are ignored.


########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########
#                                                                          #
# Whenever you change Exim's configuration file, you *must* remember to    #
# HUP the Exim daemon, because it will not pick up the new configuration   #
# until you do. However, any other Exim processes that are started, for    #
# example, a process started by an MUA in order to send a message, will    #
# see the new configuration as soon as it is in place.                     #
#                                                                          #
# You do not need to HUP the daemon for changes in auxiliary files that    #
# are referenced from this file. They are read every time they are used.   #
#                                                                          #
# It is usually a good idea to test a new configuration for syntactic      #
# correctness before installing it (for example, by running the command    #
# "exim -C /config/file.new -bV").                                         #
#                                                                          #
########### IMPORTANT ########## IMPORTANT ########### IMPORTANT ###########

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################

# Specify your host's canonical name here. This should normally be the fully
# qualified "official" name of your host. If this option is not set, the
# uname() function is called to obtain the name. In many cases this does
# the right thing and you need not set anything explicitly.

primary_hostname = host.com


# The next three settings create two lists of domains and one list of hosts.
# These lists are referred to later in this configuration using the syntax
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:

# YOU HAVE TO EDIT THIS BLOCK TO SUIT YOUR NEED!!
domainlist local_domains = @ : localhost : host.com
domainlist relay_to_domains =
hostlist   relay_from_hosts = 127.0.0.1 : 192.168.10.0/24 : 10.8.0.0/24

# Most straightforward access control requirements can be obtained by
# appropriate settings of the above options. In more complicated situations, you
# may need to modify the Access Control List (ACL) which appears later in this
# file.

# The first setting specifies your local domains, for example:
#
#   domainlist local_domains = my.first.domain : my.second.domain
#
# You can use "@" to mean "the name of the local host", as in the default
# setting above. This is the name that is specified by primary_hostname,
# as specified above (or defaulted). If you do not want to do any local
# deliveries, remove the "@" from the setting above. If you want to accept mail
# addressed to your host's literal IP address, for example, mail addressed to
# "user@[192.168.23.44]", you can add "@[]" as an item in the local domains
# list. You also need to uncomment "allow_domain_literals" below. This is not
# recommended for today's Internet.

# The second setting specifies domains for which your host is an incoming relay.
# If you are not doing any relaying, you should leave the list empty. However,
# if your host is an MX backup or gateway of some kind for some domains, you
# must set relay_to_domains to match those domains. For example:
#
# domainlist relay_to_domains = *.myco.com : my.friend.org
#
# This will allow any host to relay through your host to those domains.
# See the section of the manual entitled "Control of relaying" for more
# information.

# The third setting specifies hosts that can use your host as an outgoing relay
# to any other host on the Internet. Such a setting commonly refers to a
# complete local network as well as the localhost. For example:
#
# hostlist relay_from_hosts = 127.0.0.1 : 192.168.0.0/16
#
# The "/16" is a bit mask (CIDR notation), not a number of hosts. Note that you
# have to include 127.0.0.1 if you want to allow processes on your host to send
# SMTP mail by using the loopback address. A number of MUAs use this method of
# sending mail.


# All three of these lists may contain many different kinds of item, including
# wildcarded names, regular expressions, and file lookups. See the reference
# manual for details. The lists above are used in the access control list for
# incoming messages. The name of this ACL is defined here:

acl_smtp_rcpt = acl_check_rcpt

# You should not change that setting until you understand how ACLs work.

# The following ACL entry is used if you want to do content scanning with the
# exiscan-acl patch. When you uncomment this line, you must also review the
# acl_check_content entry in the ACL section further below.

#acl_smtp_data = acl_check_content

# This configuration variable defines the virus scanner that is used with
# the 'malware' ACL condition of the exiscan acl-patch. If you do not use
# virus scanning, leave it commented. Please read doc/exiscan-acl-readme.txt
# for a list of supported scanners.

# av_scanner = sophie:/var/run/sophie
# av_scanner = cmdline:/usr/bin/antivir -v -z -allfiles -noboot -s -tmp %s:ALERT:\[(.+)\]
#av_scanner = clamd:/tmp/clamd

# The following setting is only needed if you use the 'spam' ACL condition
# of the exiscan-acl patch. It specifies on which host and port the SpamAssassin
# "spamd" daemon is listening. If you do not use this condition, or you use
# the default of "127.0.0.1 783", you can omit this option.

#spamd_address = 0.0.0.0 783

# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "caesar@rome.example" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an unqualified
# email address. Unqualified addresses are accepted only from local callers by
# default. See the recipient_unqualified_hosts option if you want to permit
# unqualified addresses from remote sources. If this option is not set, the
# primary_hostname value is used for qualification.

qualify_domain = host.com

# If you want unqualified recipient addresses to be qualified with a different
# domain to unqualified sender addresses, specify the recipient domain here.
# If this option is not set, the qualify_domain value is used.

qualify_recipient = host.com


# The following line must be uncommented if you want Exim to recognize
# addresses of the form "user@[10.11.12.13]" that is, with a "domain literal"
# (an IP address) instead of a named domain. The RFCs still require this form,
# but it makes little sense to permit mail to be sent to specific hosts by
# their IP address in the modern Internet. This ancient format has been used
# by those seeking to abuse hosts by using them for unwanted relaying. If you
# really do want to support domain literals, uncomment the following line, and
# see also the "domain_literal" router below.

# allow_domain_literals


# No deliveries will ever be run under the uids of these users (a colon-
# separated list). An attempt to do so causes a panic error to be logged, and
# the delivery to be deferred. This is a paranoic safety catch. Note that the
# default setting means you cannot deliver mail addressed to root as if it
# were a normal user. This isn't usually a problem, as most sites have an alias
# for root that redirects such mail to a human administrator.

never_users = root


# The setting below causes Exim to do a reverse DNS lookup on all incoming
# IP calls, in order to get the true host name. If you feel this is too
# expensive, you can specify the networks for which a lookup is done, or
# remove the setting entirely.

host_lookup = *


# The settings below, which are actually the same as the defaults in the
# code, cause Exim to make RFC 1413 (ident) callbacks for all incoming SMTP
# calls. You can limit the hosts to which these calls are made, and/or change
# the timeout that is used. If you set the timeout to zero, all RFC 1413 calls
# are disabled. RFC 1413 calls are cheap and can provide useful information
# for tracing problem messages, but some hosts and firewalls have problems
# with them. This can result in a timeout instead of an immediate refused
# connection, leading to delays on starting up an SMTP session.

rfc1413_hosts = *
rfc1413_query_timeout = 30s


# By default, Exim expects all envelope addresses to be fully qualified, that
# is, they must contain both a local part and a domain. If you want to accept
# unqualified addresses (just a local part) from certain hosts, you can specify
# these hosts by setting one or both of
#
# sender_unqualified_hosts =
# recipient_unqualified_hosts =
#
# to control sender and recipient addresses, respectively. When this is done,
# unqualified addresses are qualified using the settings of qualify_domain
# and/or qualify_recipient (see above).


# If you want Exim to support the "percent hack" for certain domains,
# uncomment the following line and provide a list of domains. The "percent
# hack" is the feature by which mail addressed to x%y@z (where z is one of
# the domains listed) is locally rerouted to x@y and sent on. If z is not one
# of the "percent hack" domains, x%y is treated as an ordinary local part. This
# hack is rarely needed nowadays; you should not enable it unless you are sure
# that you really need it.
#
# percent_hack_domains =
#
# As well as setting this option you will also need to remove the test
# for local parts containing % in the ACL definition below.


# When Exim can neither deliver a message nor return it to sender, it "freezes"
# the delivery error message (aka "bounce message"). There are also other
# circumstances in which messages get frozen. They will stay on the queue for
# ever unless one of the following options is set.

# This option unfreezes frozen bounce messages after two days, tries
# once more to deliver them, and ignores any delivery failures.

ignore_bounce_errors_after = 2d

# This option cancels (removes) frozen messages that are older than a week.

timeout_frozen_after = 7d

smtp_accept_queue_per_connection = 1000
smtp_accept_max_per_connection = 10000
extract_addresses_remove_arguments = false

#tls_certificate = /etc/exim/rsa.cert
#tls_privatekey = /etc/exim/rsa.key
#tls_dhparam = /etc/exim/dh.key
#tls_advertise_hosts=*

# Add verbose received-header:
received_header_text = Received: \
          ${if def:sender_fullhost {from ${sender_fullhost}\
          ${if def:sender_ident {(${sender_ident})}}}\
          {${if def:sender_ident {from ${sender_ident} }}}}\
          by ${primary_hostname}\
          ${if def:received_protocol {with ${received_protocol}}}\
          ${if def:tls_cipher {(tls_cipher ${tls_cipher})}}\
          ${if def:tls_peerdn {(tls_peerdn ${tls_peerdn})}}\
          (Exim ${version_number} #${compile_number} (Gentoo Linux 1.4))\
          id ${message_id}


######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################

begin acl

  acl_check_rcpt:
  accept  hosts = :

  warn    hosts   = 10.8.0.0/24
          control = no_enforce_sync  

  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  

  deny    message       = Restricted characters in address
          domains       = !+local_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  accept  local_parts   = postmaster
          domains       = +local_domains

  #equire verify        = sender


  accept  hosts         = +relay_from_hosts
          control       = submission
  
  deny    message       = "HELO/EHLO    SMTP RFC"
          condition     = ${if eq{$sender_helo_name}{}{yes}{no}}
        
  

  accept  authenticated = *
          control       = submission

  

#  deny    message       = "Host`s blacklists - $dnslist_domain"
#            dnslists      = relays.ordb.org : \
#                                  opm.blitzed.org : \
#                      proxies.blackholes.easynet.nl : \
#                      cbl.abuseat.org : \
#                      bl.spamcop.net : \
#                      bl.csma.biz : \
#                      dynablock.njabl.org : \
#                      relays.ordb.org
#  
  
  
  
  # require verify = csa

  ########################### Accept ##################################################

  accept  domains       = +local_domains
          endpass
          verify        = recipient

  

  accept  domains       = +relay_to_domains
          endpass
          verify        = recipient

  

  deny    message       = relay not permitted  


acl_check_data:


  
  #deny    malware   = *
    #      message   = This message contains a virus ($malware_name).


  #warn    spam      = nobody
    #      message   = X-Spam_score: $spam_score\n\
    #                  X-Spam_score_int: $spam_score_int\n\
    #                  X-Spam_bar: $spam_bar\n\
    #                  X-Spam_report: $spam_report

  # Accept the message.

  accept


######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
#     THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT!       #
# An address is passed to each router in turn until it is accepted.  #
######################################################################

begin routers


domain_literal:
   driver = ipliteral
   domains = ! +local_domains
   transport = remote_smtp


dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more


#system_aliases:
#  driver = redirect
#  allow_fail
#  allow_defer
#  data = ${lookup{$local_part}lsearch{/etc/aliases}}
#  user = root
#  file_transport = address_file
#  pipe_transport = address_pipe


userforward:
  driver = redirect
  check_local_user
  #local_part_suffix = +* : -*
  #local_part_suffix_optional
  file = $home/.forward
  allow_filter
  no_verify
  no_expn
  check_ancestor
  file_transport = address_file
  pipe_transport = address_pipe
  reply_transport = address_reply


localuser:
  driver = accept
  check_local_user
#  local_part_suffix = +* : -*
#  local_part_suffix_optional
  transport = local_delivery
  cannot_route_message = Unknown user

######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
#                       ORDER DOES NOT MATTER                        #
#     Only one appropriate transport is called for each delivery.    #
######################################################################

begin transports


remote_smtp:
driver = smtp

local_delivery:
driver = appendfile
delivery_date_add
directory = ${home}/.maildir
maildir_format
quota=50M
maildir_tag = ,S=$message_size
quota_size_regex = ,S=(\d+)
create_directory
envelope_to_add
return_path_add
address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

#address_reply:
#driver = autoreply


#local_delivery:
#  driver = lmtp
#  command = "/usr/lib/cyrus-imapd/deliver -l"
#  batch_max = 20
#  user = cyrus


######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################

begin retry

# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.

# Address or Domain    Error       Retries
# -----------------    -----       -------

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h

######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite

######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################

# There are no authenticator specifications in this default configuration file.

begin authenticators

######################################################################
#                   CONFIGURATION FOR local_scan()                   #
######################################################################

# If you have built Exim to include a local_scan() function that contains
# tables for private options, you can define those options here. Remember to
# uncomment the "begin" line. It is commented by default because it provokes
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
# set in the Local/Makefile.

# begin local_scan


# End of Exim configuration file


"exim + SMTP protocol synchronization error"
Отправлено ALex_hha , 02-Окт-09 13:58 
Нафига выкладывать километровый конфиг с коментами?!!!

В документации ж есть описание

control = enforce_sync, control = no_enforce_sync
The effect of these two controls lasts for the remainder of the SMTP connection. They can appear in any ACL except the one for the non-SMTP messages. The most straightforward place to put them is in the ACL defined by acl_smtp_connect, which is run at the start of an incoming SMTP connection, before the first synchronization check. The expected use is to turn off the synchronization checks for badly-behaved hosts that you nevertheless need to work with.

Примерно так

acl_smtp_connect = acl_check_smtp_connect

...
...
...

begin acl

acl_check_smtp_connect:
warn    
   hosts   = 10.8.0.0/24
   control = no_enforce_sync
   message = Protocol synchronization error


"exim + SMTP protocol synchronization error"
Отправлено Aess , 02-Окт-09 14:44 
Огромное спасибо! Попробую отпишусь!