Mailing List Archive

Forward from external immediately without queue
Hello,

I noticed in my log files that I have situations where some mail is
received from externally which is supposed to be forwarded to externally
(with the 'redirect' driver, or 'remote_smtp' transport?). Now if my
spam filter didn't detect the message but it was rejected by the forward
recipient, Exim will generate a bounce message and try to send it to an
arbitrary sender which is mostly fake. This is causing backscatter,
which may cause issues with my mail server reputation in general. (I
know that the RFC requires that behaviour, but that RFC is broken and
not practical, for well-known reasons.) The same probably happens when
the remote mailbox is full.

I tried to understand what the 'errors_to' directive does but it's hard
to follow those descriptions. So I'm not sure whether it's useful in my
case.

So I had another idea. If queuing and bouncing is the problem, can I get
rid of that? If a message comes in from an unauthenticated sender, that
must be another mail server. Those have got time, there's nobody waiting
in front of a screen for the message to be submitted. So could Exim just
try to deliver the message immediately in this case? If that fails, it
could directly reject the message in the waiting original connection. No
need for bounces.

If the remote error is permanent, so should be Exim's. Same for
temporary errors. Passing back the remote error message is probably a
privacy concern as it might disclose the forward address or provider.

This must only apply to forwards for unauthenticated senders.
Authenticated senders are my users, they provided a password and I know
I can send them bounces safely. And they're waiting for completion of
the submission.

What would a configuration of this look like? Or where in the
documentation can I find more information about that?

-Yves

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Forward from external immediately without queue
Hi.

On Wed, Dec 23, 2020 at 08:25:26PM +0100, Yves Goergen via Exim-users wrote:
> So I had another idea. If queuing and bouncing is the problem, can I get rid
> of that? If a message comes in from an unauthenticated sender, that must be
> another mail server. Those have got time, there's nobody waiting in front of
> a screen for the message to be submitted. So could Exim just try to deliver
> the message immediately in this case? If that fails, it could directly
> reject the message in the waiting original connection. No need for bounces.

Use "control = cutthrough_delivery/<options>" in RCPT ACL.

> What would a configuration of this look like? Or where in the documentation
> can I find more information about that?

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html
--
Eugene Berdnikov

Re: Forward from external immediately without queue
This sounds a lot like the cutthrough concept - see spec.txt chapter 44.22.

I have only heard of this being used when forwarding the message to
nearby friendly mail servers, and I see that you cannot use DKIM and
cutthrough.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: Forward from external immediately without queue
On 23/12/2020 19:25, Yves Goergen via Exim-users wrote:
> So I had another idea. If queuing and bouncing is the problem, can I get rid of that?

Slight terminology diversion... "store-and-forward" is a better description
of the cause of your problem. Exim generally tries to deliver forwarded
messages as soon as it can; they do live in the queue for that very short
period until the onward delivery completes - but barring errors we don't
generally regard it as queueing.

> If a message comes in from an unauthenticated sender, that must be another mail server. Those have got time, there's nobody waiting in front of a screen for the message to be submitted. So could Exim just try to deliver the message immediately in this case? If that fails, it could directly reject the message in the waiting original connection. No need for bounces.

What you're interested in is "cutthrough routing". It's in the docs.

> If the remote error is permanent, so should be Exim's. Same for temporary errors.

Yes

> Passing back the remote error message is probably a privacy concern as it might disclose the forward address or provider.

This could be a problem for you.

> This must only apply to forwards for unauthenticated senders. Authenticated senders are my users, they provided a password and I know I can send them bounces safely. And they're waiting for completion of the submission.

It'll work for either. But some MUAs don't like getting SMTP-level
rejects, so I tend to agree with you, assuming that your set
of authenticating senders is the same as the set of MUAs that
you're providing submission service for.

> What would a configuration of this look like? Or where in the documentation can I find more information about that?

Write ACL code that identifies suitable messages then requests cutthrough
routing for them.
--
Cheers,
Jeremy
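
What the replies above describe, as an added example that is not from the thread or from the Exim project's own configuration: a RCPT ACL fragment that requests cutthrough delivery only for unauthenticated senders. The ACL name `acl_check_rcpt`, the `relay_from_hosts` hostlist and the placement are assumptions taken from the stock configuration layout.

```exim
# Fragment for the RCPT ACL (acl_check_rcpt in the stock configuration;
# assumption about the local setup). Place it after the relay and recipient
# checks and before the final "accept", so that only recipients that are
# going to be accepted reach it.
#
# Conditions, in order:
#   !authenticated = *            the client did not authenticate (not a
#                                 submission from one of your own users)
#   !hosts = +relay_from_hosts    and it is not a host allowed to relay
#
# control = cutthrough_delivery   attempt the onward SMTP delivery while the
#                                 inbound connection is still open, so a
#                                 rejection by the forward target becomes a
#                                 rejection of the inbound message instead
#                                 of a bounce
#   /defer=pass                   hand a temporary failure from the target
#                                 back to the sending server and do not
#                                 queue (the default, defer=spool, queues
#                                 the message as usual)

  warn
    !authenticated = *
    !hosts         = +relay_from_hosts
    control        = cutthrough_delivery/defer=pass
```

Per the Exim specification, the control is quietly ignored for any recipient but the first, and cutthrough is not supported when outgoing DKIM signing or a transport filter is in use. Successful cutthrough deliveries appear in the main log tagged `>>` instead of `=>`, which is the quickest way to confirm the fragment is taking effect.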

Re: Forward from external immediately without queue
Simple solution is to configure the server to not send any DSNs for forwards
at all.

Since DSNs do have a blank sender, a trick is to have a router which detects
a blank sender, and if receiver of the bounce isn't someone on the same
domain, then blackholes it. (use :blackhole: as redirect data)

Re: Forward from external immediately without queue
Do I have a DSN at all? Exim is doing the second delivery (forward)
itself and fails itself, it is not sent a bounce back that it needs to
forward.

Also, what is "the same domain"?

-Yves

Re: Forward from external immediately without queue
DSN (Delivery Status Notification) is another name for the bounces. Basically, if the remote delivery fails, DON'T send a bounce back to the sender.

Same domain = the domain the server is authoritative for.

Basically, IF sender == "" and receiver != "*@yourdomain.com" then redirect to :blackhole:
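
The rule in the line above written as an Exim router, as an added example that is not part of the original message or the project's configuration. The router name is hypothetical, and `+local_domains` is assumed to be the domainlist from the stock configuration.

```exim
# Router fragment. Routers run in file order, so this has to come before the
# router that handles remote domains (dnslookup in the stock configuration).

drop_bounces_to_remote:
  driver    = redirect
  # A list holding only the empty item matches the null sender "<>",
  # which is the envelope sender of bounce messages.
  senders   = :
  # Only when the bounce would leave this server.
  domains   = ! +local_domains
  # Deliveries only: keep this router out of address verification so it
  # cannot change the outcome of "verify = sender" or "verify = recipient".
  no_verify
  # Discard silently.
  data      = :blackhole:
```

This matches every null-sender message addressed to a non-local domain, so a genuine bounce that arrives for a local alias and is then redirected to an external address is discarded as well. `exim -f '<>' -bt someone@remote.example` (constructed address) shows which router picks up such an address.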

Re: Forward from external immediately without queue
On 23.12.20 20:25, Yves Goergen via Exim-users wrote:
> some mail is
> received from externally which is supposed to be forwarded to externally
> Now if my
> spam filter didn't detect the message but it was rejected by the forward
> recipient, Exim will generate a bounce message and try to send it to an
> arbitrary sender which is mostly fake. This is causing backscatter,

what do you think about changing envelope's from to original recipient
in case of forwarding?

same hint I already gave here in september. ;-) do forwarding in
dovecot's sieve and set sieve_redirect_envelope_from to orig_recipient.

gre3tings, Klaus