On Fri, Apr 15, 2005 at 02:46:26PM +0400, Alexander V Alekseev wrote:
> Some message is in the queue. At the time of delivery,
> if we have a router like this:
> ---------------------------------------------------------------------
> SOME_LDAP_LOOKUP = ${ lookup ldap { user="<username>"
> pass=<pass> ldap:///<lookup text>}}
>
> some_aliases:
> driver = redirect
> allow_fail = false
> allow_defer = false
> allow_filter = false
> allow_freeze = false
> forbid_blackhole = true
> forbid_file = true
> hide data = SOME_LDAP_LOOKUP
> ---------------------------------------------------------------------
>
> Exim generates a bounce message to the sender:
> ---------------------------------------------------------------------
> Delay reason: failed to expand "${ lookup ldap {
> user="<username>" pass=<pass> ldap:///<lookup text>}} ":
> lookup of "user="<username>" pass=<pass> ldap:///<lookup
> text>" gave DEFER: failed to bind the LDAP connection to
> server <IP>:<Port> - LDAP error 81: Can't contact LDAP
> server
> ---------------------------------------------------------------------
> So, anyone can see the username and password for the LDAP
> server.
>
> Another example (transport):
> ---------------------------------------------------------------------
> some_mailboxes:
> driver = appendfile
> create_directory = true
> create_file = anywhere
> hide directory = LDAP_MBX_LOOKUP
> maildir_format = true
> quota = LDAP_QUOTA_LOOKUP
> ---------------------------------------------------------------------
> And Exim includes the same hidden data in the bounce message
> if the quota lookup fails.

Hmm. Yes, that looks like a real problem.

Looking in src/deliver.c, I see the reason is included if:
- the address itself is not hidden; and
- the error is not just "retry time not reached"

However, this sort of information is useful for debugging generally, so I
guess you just want to suppress it if the expansion is for a configuration
item explicitly marked 'hide'.

That depends on the string expansion knowing, at that time, that it is
within the context of an item tagged as 'hide'.

If so, I guess it could report

    Delay reason: failed to expand item in 'data': LDAP error 81: Can't contact LDAP server

or

    Delay reason: failed to expand item in 'data'

or just not give a reason at all (forcing the sysadmin to check logs)

Regards,

Brian.
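
The three reporting options suggested in the reply above, sketched as an added example (not Exim's code and not from either poster). The struct, enum and function names are hypothetical, and it assumes the caller keeps the backend error text separate from the unexpanded option value.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; not taken from Exim's source. */
enum reason_policy { WITH_ERROR, OPTION_ONLY, NO_REASON };

struct expand_failure {
    const char *option;  /* option being expanded, e.g. "data" */
    int hidden;          /* non-zero when the option is prefixed with 'hide' */
    const char *source;  /* unexpanded option value; may hold credentials */
    const char *detail;  /* backend error text only, e.g. from the LDAP library */
};

/* Writes the sender-visible reason into out (n must be > 0). Returns 1 if a
   reason was written, 0 if the policy withholds it and the admin must read
   the log instead. All strings are assumed non-NULL. */
int delay_reason(const struct expand_failure *f, enum reason_policy p,
                 char *out, size_t n)
{
    out[0] = '\0';
    if (!f->hidden) {
        /* Unhidden options keep the full text, which is useful for debugging. */
        snprintf(out, n, "failed to expand \"%s\": %s", f->source, f->detail);
        return 1;
    }
    if (p == NO_REASON)
        return 0;
    /* Pass the backend detail on only if it does not echo the option value
       or a credential keyword; otherwise report the option name alone. */
    if (p == WITH_ERROR && f->detail[0] != '\0'
        && strstr(f->detail, f->source) == NULL
        && strstr(f->detail, "pass=") == NULL)
        snprintf(out, n, "failed to expand item in '%s': %s", f->option, f->detail);
    else
        snprintf(out, n, "failed to expand item in '%s'", f->option);
    return 1;
}

int main(void)
{
    /* Constructed sample mirroring the router in the report. */
    struct expand_failure f = { "data", 1,
        "${lookup ldap {user=\"cn=mail\" pass=EXAMPLE ldap:///o=example}}",
        "LDAP error 81: Can't contact LDAP server" };
    char buf[256];
    if (delay_reason(&f, WITH_ERROR, buf, sizeof buf))
        printf("Delay reason: %s\n", buf);
    return 0;
}
```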