I have confirmed it is my old android email client causing the error messages.

I had to change my tls_advertise_hosts to this (i know i coule leave the trailing ' : *' out):

tls_advertise_hosts =�� ${if eq {$interface_port}{587} {*}{}} : !/etc/exim/notlshosts : *

somehow it seems the list in the file I am using (over 20 hosts) was interpreting that my tmobile ip belonged in that list somehow...

my goal with that statement is all incoming mail on the submission port uses tls, but on port 25 the hosts in my list are excluded as they do not perform tls properly (empirical evidence!), but all others on port 25 are supported if they do TLS.

i am still clean and clear by mxtoolbox, whereas i was not supporting TLS, if available on the other host, yesterday.

i now need to look for a newer android email client and hopefully can disable tls 1 as well (my old client only supports tls 1, hopefully it is not an android os version thing) as well as have proper smtp funtionalty.

FWIW, here is the error message caused by my (old) android email client after which the message goes through encrypted (evidenced by TLSv1). ��note the client makes two connections, one of which never seems to get used and just times out (but that is not the connection that causes the error message). ��I added a hyphen at the beginning of each new line for readability.

-2018-03-12 18:51:13 SMTP connection from [172.56.16.103]:41697 I=[10.10.0.150]:587 (TCP/IP connection
count = 1)
-2018-03-12 18:51:13 SMTP connection from [172.56.16.103]:38267 I=[10.10.0.150]:587 (TCP/IP connection
count = 2)
-2018-03-12 18:51:13 no host name found for IP address 172.56.16.103
-2018-03-12 18:51:13 no host name found for IP address 172.56.16.103
-2018-03-12 18:51:14 plain_login_exim4u authenticator failed for ([IPv6:::2607:fb90:563:3ab3:aa06:5349]) [172.56.16.103]:38267 I=[10.10.0.150]:587: 535 Incorrect authentication data
-2018-03-12 18:51:14 1evZ5u-000CpS-LC SA: Debug: SAEximRunCond expand returned: '1'
-2018-03-12 18:51:14 1evZ5u-000CpS-LC SA: Debug: check succeeded, running spamc
-2018-03-12 18:51:15 1evZ5u-000CpS-LC SA: Action: scanned but message isn't spam: score=-0.9 required=0.0 (scanned in 1/1 secs | Message-Id: 000f4242.42f985cd1c974d71@sub.domain.com). From <user@sub.domain.com> (host=NULL [172.56.16.103]) for myemailaddress@gmail.com
-2018-03-12 18:51:15 1evZ5u-000CpS-LC <=��user@sub.domain.com��H=([IPv6:::2607:fb90:563:3ab3:aa06:5349])[172.56.16.103]:38267 I=[10.10.0.150]:587 P=esmtpsa X=TLSv1:RC4-MD5:128 CV=no A=fixed_login_exim4u:user@sub.domain.com��KS=1997��id=000f4242.42f985cd1c974d71@sub.domain.com��T="Testing smtp" from <user@sub.domain.com> for myemailaddress@gmail.com
-2018-03-12 18:51:15 cwd=/var/spool/exim 3 args: /usr/local/sbin/exim -Mc 1evZ5u-000CpS-LC
-2018-03-12 18:51:15 SMTP connection from ([IPv6:::2607:fb90:563:3ab3:aa06:5349]) [172.56.16.103]:38267��I=[10.10.0.150]:587 closed by QUIT
-2018-03-12 18:54:13 SMTP command timeout on connection from [172.56.16.103]:41697 I=[10.10.0.150]:587



------ Original Message ------
From: "Helmut Fritz" <helmut@fritz.us.com>
To: "Odhiambo Washington" <odhiambo@gmail.com>
Cc: "Exim4U General Discussion" <users@exim4u.org>
Sent: 3/12/2018 3:52:46 PM
Subject: Re: [Exim4U]

Here you go (attached - I believe I have sufficiently scrubbed it). ��I am currently working on determining if it this error message is only my cell phone client. ��I am now advertising startssl and auth properly it seems, and mxtoolbox reveals I am not an open relay (somebody please tell me if it is not reliable to test from mxtoolbox).

I will have more information within a few hours about cell phone client - I do have a relatively old phone and that could be the crux of my error messages.

Thx Odhiambo.


Helmut

------ Original Message ------
From: "Odhiambo Washington" <odhiambo@gmail.com>
To: "Helmut Fritz" <helmut@fritz.us.com>
Cc: "Exim4U General Discussion" <users@exim4u.org>
Sent: 3/12/2018 2:50:35 AM
Subject: Re: [Exim4U] DNSBL question

Hi Helmut,

Let's see the output of����'exim��-bP config' ??

On 10 March 2018 at 22:00, Helmut Fritz <helmut@fritz.us.com> wrote:
Odhiambo,
Thx.�� By messing with things I did not mean changing the config files, sorry.�� Testing with telnet, etc. ��telnet tests demonstrated I was not advertising auth or startssl properly when connected over these particular wireless/cell connections.�� I am NOT an open relay, never have been (went through that many, many years ago as a newbie).�� I just checked with mxtoolbox and I am good.

My concerns are the oddness with those particular cell/wireless connections and the error message from the server, even though the email goes through.

But I will check the original config files as you suggest - I have never changed anything with auth previously and all I did was change:

#auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}

to:

auth_advertise_hosts = *

and corrected my 'tls_advertise_hosts = ' ��statement.

i will replay again after I check orig vs. my config files.

------ Original Message ------
From: "Odhiambo Washington" <odhiambo@gmail.com>
To: "Helmut Fritz" <helmut@fritz.us.com>; "Exim4U General Discussion" <users@exim4u.org>
Sent: 3/10/2018 6:51:32 AM
Subject: Re: [Exim4U] DNSBL question

I suggest you start all over again and craft the config files.

Ideally, at the beginning, you only need to change TWO files:

1.��exim4u_local.conf.inc - a few obvious and important params at the top
2. exim.conf - you just want to change the line with relay_from_hosts

If you have changed more than that from the defaults, then you need to get the original distro files and run a diff against the original files and see what you changed.

AUTH in Exim is advertised from the settings in file [1] above. If AUTH fails then relay too should fail and as such you must be an "open relay" already, which is BAD!!

Start afresh.

We'll help.



On 10 March 2018 at 11:08, Helmut Fritz <helmut@fritz.us.com> wrote:
OK - I may need to ask a different question. ��let me give some more particulars and some additional information.

after messing with things a bunch, i figured out I was not advertising tls properly nor was i advertising auth properly (telneting in and not seeing auth and not seeing starttls). ��i got that rectified, i think. ��this seemed to manifest itself only on cell networks - even using a pc on a cell phone hot spot! - and at least one wifi network (datacenter) that I know of. ��if i connected that same pc to my home or work wifi it would work fine, the same applies to the actual cell phones as well, they worked fine on my home or work wifi. ��also all other connections work fine from other locations, just a client was in the same condition by working at home on his wifi from his cell but not when out and about on the cell network which prompted me to set up my own to reproduce the issue.

i still get an error on the server even though the email goes through:

2018-03-10 00:01:08 plain_login_exim4u authenticator failed for 162-238-133-48.lightspeed.sndgca.sbcglobal.net ([192.168.1.85]) [162.238.133.48]:44056 I=[10.10.0.150]:587: 535 Incorrect authentication data

any ideas here? ��maybe i need to set up more auth types?

below is what i had typed up to send following my initial email this evening:

I had a user on the T-mobile cell network get all outgoing smtp emails rejected.�� The message in the server is "relay not permitted".�� The reason I thought it might be aDNSBL is that the IP trying to connect with that smtp session is listed in the Zen DNSBL.�� However, it seems I have all DNSBL entries commected out in exim4u_local_conf.inc.�� I also dug around in the exim.conf and the message for a DNSBL reject is "Spammer rejected. DNSBL listed at $dnslist_domain at $dnslist_text. Ratelimit inc
remented.".

When I searched for the reject message "relay not permitted" I find it in this section:

# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.
# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.

�� deny�� �� message�� ���� ���� = relay not permitted

I see authenticated users is accepted above this in the acl's, so I am not sure why the message would get this far without being accepted.




------ Original Message ------
From: "Helmut Fritz" <helmut@fritz.us.com>
Sent: 3/9/2018 8:47:57 PM
Subject: [Exim4U] DNSBL question

I hope everyone is well, it has been a long while.

I am wondering if others use DNSBL and what they might do about random ip addresses that show up on the Zen DNSBL such as cell phone provider IP's that get used for people to send email from their cell phones?

I have run into it twice now, once with ATT and again with T-mobile.

Also, how to ensure that DNSBL lookups are turned off?�� And what provides the functionality?�� I think it is exim directly, and within the acl's? ��or does exim4U do it a bit differently?

Thx for any and all info/answers.

Helmut

_______________________________________________
users mailing list
users@exim4u.org
https://exim4u.org/mailman/listinfo/users




--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."