Re: [exim-dev] generalized $acl_verify_message

Author: Tony Finch
Date:  
To: exim-dev
Subject: Re: [exim-dev] generalized $acl_verify_message
On Thu, 31 Mar 2005, Tony Finch wrote:

> This patch makes $acl_verify_message work usefully in more places.
> I'm not sure if it's the Right Thing, though.


I've done some more testing and concluded that I can't quite get the
behaviour I want, which is to handle callout failures more gracefully.

At the moment, after various exemption checks, we do

  require
    verify         = sender/callout=CALLTIME,defer_ok


I'm planning to change this to

  deny
  ! verify         = sender/callout=CALLTIME,defer_ok
  ! condition      = ${if eq{mail}{$sender_verify_failure} }


However this means that Exim no longer logs the callout failures for these
problem addresses, so my script for adding them to our exemption lists
becomes less useful (though I suppose I can rely on caching to take the
strain instead).

With my patch you can't add another clause after the "deny" I quoted above
such as the following, because $acl_verify_message becomes unset between
the clauses.

  warn
    log_message    = sender verify fail for <$sender_address>: $acl_verify_message
    condition      = ${if eq{mail}{$sender_verify_failure} }


You can, however, augment the "deny" clause like this:

LOG_RUBRIC = H=$sender_fullhost I=[$interface_address]:$interface_port
  deny
  ! verify         = sender/callout=CALLTIME,defer_ok
    logwrite       = LOG_RUBRIC sender verify fail for <$sender_address>: $acl_verify_message
  ! condition      = ${if eq{mail}{$sender_verify_failure} }


This works mostly OK, but it means that when the "deny" triggers you get
three (!) log lines corresponding to the rejection: one from the logwrite,
one corresponding to the sender verify failure, and one for the rejected
RCPT. (I'm not sure why Exim doesn't just log one line in this situation.)

From my point of view I'd be happy if the sender verification failure was
always logged (even if it doesn't cause the RCPT (etc) to be rejected);
this would also provide a post-hoc rationalization of Exim's double
logging when a rejection does occur.

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
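
Added example, not part of the original message or of Exim: a small parser for the lines written by the logwrite modifier shown above, counting verify failures per sender address so they can be reviewed for an exemption list. The timestamp prefix, the sample log lines and the reason text are constructed assumptions; only the `H=... I=[...]:port sender verify fail for <...>:` layout comes from the message.

```python
import re
from collections import Counter

# Format written by the logwrite modifier in the message:
#   H=$sender_fullhost I=[$interface_address]:$interface_port
#   sender verify fail for <$sender_address>: $acl_verify_message
# Assumption: each main-log line starts with a "YYYY-MM-DD HH:MM:SS " timestamp.
LOGWRITE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>.*?) "
    r"I=\[(?P<iface>[^\]]+)\]:(?P<port>\d+) "
    r"sender verify fail for <(?P<sender>[^>]*)>: (?P<reason>.*)$"
)

# Constructed sample log: hosts, addresses and reason text are made up.
# The "rejected RCPT" line stands in for the other lines logged per rejection.
SAMPLE_LOG = """\
2005-04-01 09:15:02 H=relay.example.net (mx1.example.net) [192.0.2.10] I=[203.0.113.25]:25 sender verify fail for <a@example.org>: response to "MAIL FROM:<>" from mx.example.org [198.51.100.7] was: 550 no bounces
2005-04-01 09:15:02 H=relay.example.net (mx1.example.net) [192.0.2.10] F=<a@example.org> rejected RCPT <user@example.com>: Sender verify failed
2005-04-01 09:20:41 H=out.example.net [192.0.2.11] I=[203.0.113.25]:25 sender verify fail for <b@example.net>: response to "RCPT TO:<b@example.net>" from mx.example.net [198.51.100.9] was: 550 unknown user
2005-04-01 10:02:13 H=relay.example.net (mx1.example.net) [192.0.2.10] I=[203.0.113.25]:587 sender verify fail for <a@example.org>: response to "MAIL FROM:<>" from mx.example.org [198.51.100.7] was: 550 no bounces
"""

def parse_line(line):
    """Return the fields of one logwrite line, or None for any other log line."""
    m = LOGWRITE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def failures_by_sender(lines):
    """Count logged sender verify failures per sender address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["sender"]:  # skip non-matching lines and empty senders
            counts[rec["sender"]] += 1
    return counts

def review_candidates(lines, min_hits=2):
    """Senders that failed at least min_hits times, most frequent first."""
    return [(s, n) for s, n in failures_by_sender(lines).most_common() if n >= min_hits]

if __name__ == "__main__":
    for sender, hits in review_candidates(SAMPLE_LOG.splitlines()):
        print(f"{hits:4d}  {sender}")
```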