Bug#289458: marked as done (callout verification and synchronization checks bite each other)

Debian Bug Tracking System owner@bugs.debian.org
Sun, 09 Jan 2005 04:03:09 -0800

Your message dated Sun, 9 Jan 2005 12:46:35 +0100
with message-id <20050109114635.GB3768@downhill.at.eu.org>
and subject line Bug#289458: callout verification and synchronization checks bite each other
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Date: Sun, 9 Jan 2005 11:00:43 +0100
From: Andreas Barth <aba@not.so.argh.org>
To: submit@bugs.debian.org
Subject: callout verification and synchronization checks bite each other
Message-ID: <20050109100043.GE19722@mails.so.argh.org>

Package: exim4
Severity: important
Version: 4.34-8/4.43-1


the following problem occurs to me when I want to send mail to costa
(arch.debian.org): The callout verification fails on costa, so delaying
/ rejecting my mail.

The callout on costa has in acl_check_rcpt:
        deny condition = ${extract{calloutsender}{${lookup{$domain}lsearch{DOMAINPOLICY}}}{$value}{no}}                                         
                message = Sender callout failed: Sender adress can't be verified trough SMTP check.
                ! verify = sender/callout=20s

        deny condition = ${extract{calloutrecipient}{${lookup{$domain}lsearch{DOMAINPOLICY}}}{$value}{no}}
                message = Recipient callout failed: Recipient adress can't be verified trough SMTP check.
                ! verify = recipient/callout=20s

and in acl_check_data:
        # callouts and header checks
        require !condition = $header_X-WhitelistedRCPT-nohdrfromcallback:
                verify = header_sender/callout=20s
                verify = header_syntax

On my system, errors like this are logged:
2005-01-09 09:27:12 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=costa.debian.org []

Costa is running exim4-daemon-heavy version 4.34-8, my MX is running
exim4-daemon-heavy version 4.43-1.

   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C

Date: Sun, 9 Jan 2005 12:46:35 +0100
From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: 289458-done@bugs.debian.org
Subject: Re: Bug#289458: callout verification and synchronization checks bite each other
Message-ID: <20050109114635.GB3768@downhill.at.eu.org>
References: <20050109100043.GE19722@mails.so.argh.org>
In-Reply-To: <20050109100043.GE19722@mails.so.argh.org>

On 2005-01-09 Andreas Barth <aba@not.so.argh.org> wrote:
> Package: exim4
> Severity: important
> Version: 4.34-8/4.43-1

> the following problem occurs to me when I want to send mail to costa
> (arch.debian.org): The callout verification fails on costa, so delaying
> / rejecting my mail.

> The callout on costa has in acl_check_rcpt:
>         deny condition = ${extract{calloutsender}{${lookup{$domain}lsearch{DOMAINPOLICY}}}{$value}{no}}                                         
>                 message = Sender callout failed: Sender adress can't be verified trough SMTP check.
>                 ! verify = sender/callout=20s

This has been diagnosed as a configuration error on costa. Costa uses a
callout timeout of 20s and drops identd/auth connections (forcing
them to time out). Now if an exim with

rfc1413_hosts = *
rfc1413_query_timeout = 30s

tries to deliver a mail to costa this happens:

1) costa receives a mail.
2) costa connects back to the sending machine trying to verify the
sender address.
3) sending-machine makes an auth connect to costa for 30s.
4) costa's callout timeout hits before the auth-connect timeout hits and
costa closes the callout connection.
5) costa gives temporary error on the initial connection.

The proper fix is for costa('s firewall) to not DROP auth (rfc1413)
with iptables, but to either let them pass (which will yield either an
immediate "connection denied" or a successful lookup, depending on
whether costa runs an identd) or REJECT instead of DROP them.

costa is going to be fixed, Wichert Akkerman is going to request to
change the configuration of the firewall.

A temporary hotfix for machines having problems to send mail to costa
is to exempt costa from rfc1413_hosts or to lower
rfc1413_query_timeout to a shorter value.
              cu andras
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
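
Added example, not part of the original thread and not code from Exim or Debian: a small check that reads an iptables-save dump, finds how TCP port 113 is treated, and predicts whether a sender callout will time out against a peer that performs rfc1413 queries before greeting. The rulesets are constructed samples, the function names are hypothetical, and the rule matching is simplified to explicit "--dport 113" rules in the INPUT chain.

```python
import re

# Constructed iptables-save excerpts (not costa's real ruleset).
DROP_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j DROP
COMMIT
"""
REJECT_RULES = DROP_RULES.replace(
    "--dport 113 -j DROP", "--dport 113 -j REJECT --reject-with tcp-reset")

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def exim_seconds(interval):
    """Convert an Exim time interval such as '20s' or '1m30s' to seconds."""
    parts = re.findall(r"(\d+)([smhdw])", interval)
    if not parts or "".join(n + u for n, u in parts) != interval:
        raise ValueError(f"not an Exim time interval: {interval!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)


def ident_verdict(ruleset, chain="INPUT"):
    """Target of the first explicit TCP/113 rule in `chain`, else the chain policy."""
    policy = "ACCEPT"
    for line in ruleset.splitlines():
        m = re.match(rf":{chain} (\w+)", line)
        if m:
            policy = m.group(1)
        if line.startswith(f"-A {chain} "):
            m = re.search(r"-p tcp\b.*--dport 113\b.*-j (\w+)", line)
            if m:
                return m.group(1)
    return policy


def callout_outcome(ruleset, callout_timeout, rfc1413_query_timeout):
    """Predict the callout result against a peer that sends ident queries on connect."""
    verdict = ident_verdict(ruleset)
    # DROP: the peer's ident query hangs for its full timeout before the SMTP
    # greeting is sent. REJECT or ACCEPT: the query is refused or answered at once.
    delay = exim_seconds(rfc1413_query_timeout) if verdict == "DROP" else 0
    if delay >= exim_seconds(callout_timeout):
        return verdict, "callout times out, temporary error"
    return verdict, "callout can proceed"


if __name__ == "__main__":
    for name, rules in (("DROP", DROP_RULES), ("REJECT", REJECT_RULES)):
        print(name, callout_outcome(rules, "20s", "30s"))
```

With the values from the thread (callout=20s, rfc1413_query_timeout = 30s) the DROP ruleset reproduces the temporary error, while REJECT or a query timeout below 20s lets the callout proceed.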