Bug#244724: [exim] [Debian issue #244724] exim 4 uses double reverse lookup for indexing into client password file

Eli <eli-list@experthost.com>, 244724@bugs.debian.org
Sat, 26 Feb 2005 23:38:38 -0500


Marc wrote: 
> On Sat, 26 Feb 2005 14:03:16 -0500, "Eli" <eli-list@experthost.com>
> wrote:
> >Marc wrote: 
> >> Our outbound SMTP smarthost transport has
> >> |hosts_try_auth = ${if exists
> >> |{CONFDIR/passwd.client}{smarthost.fqdn.example}
> >
> >Ok...  What router did this come through?  I bet it came through a 
> >"dnslookup" router, correct?
> 
> Most probably a manualroute one. We're talking smarthosts 
> here. I suspect that the bug reporter is using something along
> smarthost:
>   debug_print = "R: smarthost for $local_part@$domain"
>   driver = manualroute
>   domains = ! +local_domains
>   transport = remote_smtp_smarthost
>   route_list = * smarthost.fqdn.example byname
>   host_find_failed = defer
>   same_domain_copy_routing = yes
>   no_more

Answer is quite simple unfortunately - I didn't notice this at first since
I've had a headache the past few days, and an obnoxious cat pissing me off
all day to add to the headache.

"hosts_try_auth" expects a *HOST* list.  Unfortunately for lack of better
choices, a "host" list is in fact a list of IPs.  You cannot specify a
hostname in a hostlist.  You're specifying a hostname in the hosts_try_auth
variable when it wants an IP.  I will explain why it wants an IP now...

The file "passwd.client" is being used to store the name of the smarthost
(as a hostname), and the user/pass used for authentication.

Your problem is that Exim does a DNS lookup to retrieve the IP of the
smarthost server you specify in route_list.  This means when you specify
"smarthost.fqdn.example", it looks that up (no way to stop this unless you
specify an IP) to get an IP (or in this case a list of IPs) to deliver to.
Exim now knows it's going to deliver the email to one of:

> authmailonline.kundenserver.de. 808 IN  A       212.227.15.164
> authmailonline.kundenserver.de. 808 IN  A       212.227.15.180
> authmailonline.kundenserver.de. 808 IN  A       212.227.15.132
> authmailonline.kundenserver.de. 808 IN  A       212.227.15.148

It then passes control to the transport, which sets up delivery and checks
hosts_try_auth.  The problem is that Exim cares not about the hostname of the
server at this point, it wants an IP to deliver to.  Your config does an
"exists" test on the "passwd.client" file, sees it and expands the ${if...}
test to "smarthost.fqdn.example" which is illegal in a hostlist, so Exim
ignores it.  You then fail in SMTP auth since there's no confirmation of an
IP and thus the problem.

To fix, quite simple.  You specify an entry per *IP* of your mail server in
the "passwd.client" file each with the same SMTP auth credentials, and it
should work just fine (depending how your lookup is done for the SMTP auth
user/pass).

If you want a better fix, you need to redo your whole "smarthosts"
implementation, as it is not implemented correctly apparently - if you want
it to work the way the user is trying.

Eli.
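
The per-IP workaround suggested in the message above, sketched as an added example that is not part of the original e-mail or of the Debian exim4 packaging: it rewrites a hostname-keyed "passwd.client" into one entry per IPv4 address with the same credentials. The `host:login:password` line layout, the placeholder credentials and the function names are assumptions; the DNS answers are the four A records quoted in the message, embedded so the script runs offline.

```python
import ipaddress

# Constructed sample: a hostname-keyed entry like the one the thread describes.
# The "host:login:password" layout is assumed; credentials are placeholders.
SAMPLE_PASSWD_CLIENT = """\
# constructed sample
authmailonline.kundenserver.de:EXAMPLE_LOGIN:EXAMPLE_PASSWORD
"""

# The A records quoted in the message, standing in for a live DNS query.
SAMPLE_DNS = {
    "authmailonline.kundenserver.de": [
        "212.227.15.164", "212.227.15.180", "212.227.15.132", "212.227.15.148",
    ],
}

def sample_resolver(host):
    """Hypothetical offline resolver backed by SAMPLE_DNS."""
    return SAMPLE_DNS.get(host, [])

def expand_per_ip(passwd_text, resolve):
    """Return passwd.client text with one entry per IPv4 address of each host."""
    out, seen = [], set()
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)                      # keep comments and blank lines
            continue
        host, sep, creds = line.partition(":")   # password may itself contain ':'
        if not sep or not creds:
            raise ValueError(f"malformed entry for key {host!r}")
        try:
            ipaddress.ip_address(host)
            addrs = [host]                       # entry is already keyed by IP
        except ValueError:
            addrs = resolve(host)
            if not addrs:
                raise LookupError(f"no addresses for {host}")
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if ip.version != 4 or str(ip) in seen:
                continue                         # IPv4 only; skip duplicates
            seen.add(str(ip))
            out.append(f"{ip}:{creds}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(expand_per_ip(SAMPLE_PASSWD_CLIENT, sample_resolver), end="")
```

The smarthost's A records can change, so the generated file has to be refreshed whenever they do, and it should keep the restrictive permissions of the original since it still holds the credentials.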