Re: [exim] hole in acl_smtp_mail

Top Page
Delete this message
Reply to this message
Author: Dean Brooks
Date:  
To: exim-users
Subject: Re: [exim] hole in acl_smtp_mail
On Mon, Aug 02, 2010 at 10:24:12PM +0200, Axel Rau wrote:
> I have this acl, to refuse local senders, not coming from local
> outgoing relays:
> ----------
>   deny        message         = "We don't like spoofed sender addresses"
>       log_message     = $sender_host_name [$sender_host_address] attempts to
> spoof local sender
>       sender_domains  = +local_domains
>       hosts           = !+own_outgoing_relay_hosts
>       delay           = 3m

>
> [snip]
>
> The definition of + local_domains is:
> -----------
> domainlist local_domains      = \
>          ${lookup pgsql {SELECT name FROM localdomain \
>          WHERE name ='${lc:$domain}' }}
> -----------

>
> No doubt: a bug.


The documentation for the sender_domains ACL condition states:

    This condition tests the domain of the sender of the message against the
    given domain list. Note: The domain of the sender address is in
    $sender_address_domain. It is not put in $domain during the testing of this
    condition. This is an exception to the general rule for testing domain
    lists. It is done this way so that, if this condition is used in an ACL for
    a RCPT command, the recipient's domain (which is in $domain) can be used to
    influence the sender checking.


In section 11.9, under the definition of the $domain variable, it states:

    With one important exception, whenever a domain list is being scanned,
    $domain contains the subject domain. Exception: When a domain list in a
    sender_domains condition in an ACL is being processed, the subject
    domain is in $sender_address_domain and not in $domain. It works this
    way so that, in a RCPT ACL, the sender domain list can be dependent on
    the recipient domain (which is what is in $domain at this time).


When using the sender_domains ACL condition, it doesn't look like you'll
be able to use +localhosts written the way that it is because of
the above described behavior.

You'll need to create a separate domain list that uses $sender_address_domain
instead of $domain.

At least it looks that way, I haven't tested any of this.

--
Dean Brooks
dean@???