Re: [exim] ACL log_reject_target bug?

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Tony Finch
Fecha:  
A: Russell Wilton
Cc: exim-users
Asunto: Re: [exim] ACL log_reject_target bug?
On Mon, 2 Jun 2008, Russell Wilton wrote:
>
> OK, here is the section of my acl_smtp_rcpt ACL where the problem occurs:


Thanks.

> # Reject if sender is listed with Spamhaus DNSBL
>
>   deny  message = $sender_host_address is listed at $dnslist_domain; See $dnslist_text
>         log_message = BLOCKED - Spamhaus: $sender_host_address -> $dnslist_value
>         log_reject_target = reject
>         dnslists = zen.spamhaus.dnsbl
>         delay = 30s

>
> # Reject if sender HELOed with an invalid name: it must have one or more
> # non-dot characters, a dot and another one or more non-dots.
>
>   deny  message = Invalid hostname detected in HELO: $sender_helo_name
>         log_message = BLOCKED - Invalid hostname
>         condition = ${if match{$sender_helo_name}{\N^[^.].*\.[^.]+$\N} {0} {1}}
>         delay = 30s

>
> # Reject if sender HELOed as our uleth.ca domain name
>
>   deny  message = Forged hostname detected in HELO: $sender_helo_name
>         log_message = BLOCKED - Forged hostname
>         condition = ${if eq{$sender_helo_name}{uleth.ca} {1} {0}}
>         delay = 30s

>
> If the sender is listed with Spamhaus the rejection is logged only in
> the reject log file, as specified by the log_reject_target modifier.
>
> If the sender is not listed with Spamhaus but does HELO with an invalid
> name, it is also logged only in the reject log even though there is no
> log_reject_target in that stanza.


That makes sense.

> If both of those fall through, but the sender HELOs with my domain name,
> it is logged in both the main and reject logs as expected.


But I don't understand how that can happen.

> So, it seems that the value of log_reject_target does not get reset to
> the default at the start of the second deny stanza. Am I supposed to
> set it back to the default with a log_reject_target modifier in that
> stanza? I haven't tried that.


The way it works is that the log_reject_target is reset to the default at
the start of each whole ACL. The setting gets changed only when a
log_reject_target ACL modifier is executed. This means that if you put the
modifier at the start of an ACL clause then it will always take effect -
which is why yours is unexpectedly altering your "invalid hostname"
blocks. I don't know why it isn't altering your "forged hostname" blocks.

ACL message and log_message modifiers are the only ones that are best put
out-of-order at the start of an acl clause, because executing them just
involves making note of the string to use if the clause has an effect, and
it's easier to avoid confusion with different ACL verb shortcutting
behaviour if you always put message modifiers first.

Hope this (partial) explanation helps.

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}