
Mailing List Archive: exim: users

callout & defer_ok

 

 



P.A.Chambers at exeter

Oct 20, 2005, 1:54 AM

Post #1 of 7 (305 views)
callout & defer_ok

Exim 4.50:

Is there a way of doing the opposite of defer_ok? I could use a "defer_fail"
option so that I could treat defer as a hard failure. I would then want to
check to see if a defer occurred.

I am using callout for sender verification in my RCPT ACLs. At the moment I do
callout without defer_ok. If it fails I record the failure in acl_m2 and then
check my whitelist to see if it should go through. Subsequently (in a filter)
I check acl_m2 to inhibit vacation messages where the verification failed. (I
see no point in generating vacation messages when I know they will fail and
clog up my queue with frozen bounces.)

The ACL is along the lines of:
deny   ! verify = sender/callout=<timers>
       set acl_m2 = no
       condition = <no if sender is in my whitelist>
       ! dnslists = dsn.rfc-ignorant.org/$sender_address_domain

However, when the callout defers it does not get to check the whitelist to let
it through, it causes a temporary rejection to the RCPT and the sender just
keeps trying, with the same failure each time.

The only way I can see round this is to do callout twice, first with defer_ok
and then without. That is not good because the result is not cached when
defer_ok is present (as I understand it from the documentation).

What I would like is:
deny   verify = sender/callout=<timers>,defer_fail
       set acl_m2 = no
       condition = <no if sender in my whitelist>
       ! dnslists = dsn.rfc-ignorant.org/$sender_address_domain
       condition = <no if it deferred>

defer  condition = <yes if it deferred>

Any suggestions?

Phil.
---------------------------------------
Phil Chambers (postmaster [at] exeter)
University of Exeter




--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/


jgh at wizmail

Oct 20, 2005, 2:18 AM

Post #2 of 7 (294 views)
Re: callout & defer_ok [In reply to]

Phil Chambers wrote:
> Is there a way of doing the opposite of defer_ok? I could use a "defer_fail"
> option so that I could treat defer as a hard failure. I would then want to
> check to see if a defer occurred.

# Technique for explicitly seeing defers; credit andrew [at] supernews
sverify_callout:
  warn    set acl_c8 = defer
  accept  verify = sender/callout=60s,random
          set acl_c8 = accept
  warn    set acl_c8 = deny
  deny




P.A.Chambers at exeter

Oct 20, 2005, 2:34 AM

Post #3 of 7 (297 views)
Re: callout & defer_ok [In reply to]

On Thu, 20 Oct 2005 10:18:14 +0100 Jeremy Harris <jgh [at] wizmail> wrote:

> Phil Chambers wrote:
> > Is there a way of doing the opposite of defer_ok? I could use a "defer_fail"
> > option so that I could treat defer as a hard failure. I would then want to
> > check to see if a defer occurred.
>
> # Technique for explicitly seeing defers; credit andrew [at] supernews
> sverify_callout:
>   warn    set acl_c8 = defer
>   accept  verify = sender/callout=60s,random
>           set acl_c8 = accept
>   warn    set acl_c8 = deny
>   deny

I must have mis-understood something. As I see it from what happens on my
server, unless defer_ok is present, if a verify defers the ACL defers (be it
accept or deny). Given that, the above example would not work. Am I mistaken?

Phil.
---------------------------------------
Phil Chambers (postmaster [at] exeter)
University of Exeter




jgh at wizmail

Oct 20, 2005, 2:44 AM

Post #4 of 7 (293 views)
Re: callout & defer_ok [In reply to]

Phil Chambers wrote:
>>>Is there a way of doing the opposite of defer_ok? I could use a "defer_fail"
>>>option so that I could treat defer as a hard failure. I would then want to
>>>check to see if a defer occurred.
>>
>># Technique for explicitly seeing defers; credit andrew [at] supernews
>>sverify_callout:
>>   warn    set acl_c8 = defer
>>   accept  verify = sender/callout=60s,random
>>           set acl_c8 = accept
>>   warn    set acl_c8 = deny
>>   deny
>
>
> I must have mis-understood something. As I see it from what happens on my
> server, unless defer_ok is present, if a verify defers the ACL defers (be it
> accept or deny). Given that, the above example would not work. Am I mistaken?

No- but what you can do is to run the above as a subroutine:

acl_verify_sender:
  warn    acl = sverify_callout
  accept  condition = ${if eq {$acl_c8}{accept}}
  deny    condition = ${if eq {$acl_c8}{deny}}
  accept  acl = sverify_deferred


Cheers,
Jeremy
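
Added example, not part of the original thread: a small Python model of the ACL evaluation rules this technique relies on, run over the two ACLs quoted above. It shows why sverify_callout defers when called on its own but leaves "defer" in acl_c8 when wrapped in a warn. The callout outcome is a constructed input, and sverify_deferred, which the thread does not show, is assumed to simply accept.

```python
# Toy model of Exim ACL evaluation, reduced to the rules the thread relies on.
# Assumption: a deferred condition skips a "warn" statement (and is logged);
# under any other verb it makes the whole ACL return defer.
TRUTH = {"accept": "true", "deny": "false", "defer": "defer"}
CALLOUT = {"ok": "true", "fail": "false", "defer": "defer"}  # constructed inputs
CONDITIONS = {
    "verify": lambda arg, env: CALLOUT[env["callout"]],
    "acl": lambda arg, env: TRUTH[run_acl(arg, env)],
    "eq": lambda arg, env: "true" if env.get(arg[0]) == arg[1] else "false",
}
ACLS = {
    "sverify_callout": [
        ("warn", [("set", ("acl_c8", "defer"))]),
        ("accept", [("verify", "sender/callout"), ("set", ("acl_c8", "accept"))]),
        ("warn", [("set", ("acl_c8", "deny"))]),
        ("deny", []),
    ],
    "acl_verify_sender": [
        ("warn", [("acl", "sverify_callout")]),
        ("accept", [("eq", ("acl_c8", "accept"))]),
        ("deny", [("eq", ("acl_c8", "deny"))]),
        ("accept", [("acl", "sverify_deferred")]),
    ],
    # Not shown in the thread; assumed here to accept unconditionally.
    "sverify_deferred": [("accept", [])],
}

def run_acl(name, env):
    """Evaluate one named ACL; returns 'accept', 'deny' or 'defer'."""
    for verb, items in ACLS[name]:
        result = "true"
        for kind, arg in items:  # conditions and modifiers, in order
            if kind == "set":
                env[arg[0]] = arg[1]
                continue
            result = CONDITIONS[kind](arg, env)
            if result != "true":
                break
        if result == "defer":
            if verb != "warn":
                return "defer"
            env["log"].append('ACL "warn" statement skipped: condition test deferred')
        elif result == "true" and verb != "warn":
            return verb
    return "deny"  # implicit deny at the end of every ACL

def outcome(callout, acl="acl_verify_sender"):
    """Return (ACL result, final acl_c8, number of skipped-warn log lines)."""
    env = {"callout": callout, "log": []}
    return run_acl(acl, env), env.get("acl_c8"), len(env["log"])
```

Calling outcome("defer", "sverify_callout") shows the inner ACL deferring by itself, while outcome("defer") shows the wrapper turning that into a value the calling ACL can test.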



P.A.Chambers at exeter

Oct 21, 2005, 6:07 AM

Post #5 of 7 (291 views)
Re: callout & defer_ok [In reply to]

On Thu, 20 Oct 2005 10:44:51 +0100 Jeremy Harris <jgh [at] wizmail> wrote:

> Phil Chambers wrote:
> >>>Is there a way of doing the opposite of defer_ok? I could use a "defer_fail"
> >>>option so that I could treat defer as a hard failure. I would then want to
> >>>check to see if a defer occurred.
> >>
> >># Technique for explicitly seeing defers; credit andrew [at] supernews
> >>sverify_callout:
> >>   warn    set acl_c8 = defer
> >>   accept  verify = sender/callout=60s,random
> >>           set acl_c8 = accept
> >>   warn    set acl_c8 = deny
> >>   deny
> >
> >
> > I must have mis-understood something. As I see it from what happens on my
> > server, unless defer_ok is present, if a verify defers the ACL defers (be it
> > accept or deny). Given that, the above example would not work. Am I mistaken?
>
> No- but what you can do is to run the above as a subroutine:
>
> acl_verify_sender:
>   warn    acl = sverify_callout
>   accept  condition = ${if eq {$acl_c8}{accept}}
>   deny    condition = ${if eq {$acl_c8}{deny}}
>   accept  acl = sverify_deferred
>
>
> Cheers,
> Jeremy

Ah, very neat! I have now re-worked my ACLs to use your technique. It's just a
question of testing it before replacing my service configuration - easier said
than done.

Thanks for your help.

Phil.
---------------------------------------
Phil Chambers (postmaster [at] exeter)
University of Exeter




P.A.Chambers at exeter

Oct 25, 2005, 9:52 AM

Post #6 of 7 (283 views)
Re: callout & defer_ok [In reply to]

>
> No- but what you can do is to run the above as a subroutine:
>
> acl_verify_sender:
>   warn    acl = sverify_callout
>   accept  condition = ${if eq {$acl_c8}{accept}}
>   deny    condition = ${if eq {$acl_c8}{deny}}
>   accept  acl = sverify_deferred
>
>

Just a small quibble, now that I am using the above technique. Whenever the
callout results in a defer exim logs:

2005-10-25 17:36:33 H=xx.yy.com (zz.yy.com) [x.x.x.x] Warning: ACL "warn"
statement skipped: condition test deferred: Could not complete sender verify
callout

Given that I am specifically looking to handle this very situation and am
doing my own logwrite in the calling ACL, it is a shame to have this log entry
too. Is there a way of suppressing it? I can't see a suitable log_selector.

Phil.
---------------------------------------
Phil Chambers (postmaster [at] exeter)
University of Exeter




ph10 at cus

Oct 31, 2005, 3:50 AM

Post #7 of 7 (272 views)
Re: callout & defer_ok [In reply to]

On Tue, 25 Oct 2005, Phil Chambers wrote:

> 2005-10-25 17:36:33 H=xx.yy.com (zz.yy.com) [x.x.x.x] Warning: ACL "warn"
> statement skipped: condition test deferred: Could not complete sender verify
> callout
>
> Given that I am specifically looking to handle this very situation and am
> doing my own logwrite in the calling ACL, it is a shame to have this log entry
> too. Is there a way of suppressing it? I can't see a suitable log_selector.

Point noted.

--
Philip Hazel University of Cambridge Computing Service,
ph10 [at] cus Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book
