On Mon, 2011-02-07 at 12:33 -0500, Phil Pennock wrote:
> On 2011-02-07 at 12:08 +0000, John Horne wrote:
> > Hello,
> >
> > Using Exim 4.74, in the ACL checking the sender address I have the
> > following snippet:
> >
> > accept senders = :
> > deny set acl_m_spf_dns = ${lookup dnsdb {>\n; txt=
> > $sender_address_domain}}
> >
> > (The above 'deny' is all one line.) However in my log file I am getting
> > error messages about this. For example:
> >
> > 2011-02-07 11:37:15 H=(mail.aston.ro) [95.64.115.74]:35564
> > temporarily rejected MAIL <alert@???>: failed to
> > expand ACL string "${lookup dnsdb {>\n; txt=
> > $sender_address_domain}}": lookup of ">
> >
> > From the docs, the use of '>\n;' seems to be correct, so I am a little
> > unsure what the problem is. Anyone any ideas?
>
> Any chance of getting the non-truncated error message, perhaps by
> replicating at the { exim -be } command-prompt, or doing so with
> debugging turned on?
>
> Running exim -be:
> > ${lookup dnsdb {>\n; txt=95.64.115.74}}
>
exim -be
> ${lookup dnsdb {>\n; txt=hsbc-online.co.uk}}
Failed: lookup of ">
; txt=accountupgrade.com" gave DEFER:
>

I did run exim in 'debug mode' and could see that the whole message
would be: lookup of ">\n; txt=accountupgrade.com" gave DEFER:

> The only way I've managed to get close to an error message is by trying:
> > ${lookup dnsdb {>\\n; txt=95.64.115.74}}
> Failed: lookup of ">\n; txt=95.64.115.74" gave DEFER: unsupported DNS record type
>
> Is it possible that the snippet you provided has different quoting in
> the actual configuration than you cited above?
>
Nope, the quote is correct.

I've been taking a look at this on and off this afternoon. It seems that
in expand.c the lookup is expanded, and the '\n' is expanded to a
newline. To that extent exim works fine in that working TXT DNS lookups
are handled correctly. The problem is when something goes wrong, and
exim tries to display/log the problem. By that time the relevant
variable ('key' in expand.c) has been expanded, so all we see is the
text up to the newline (lookup of ">).

In order to get a more meaningful message I can only think that an
unexpanded key should be kept, and displayed when necessary (I tried
this but it always seemed to display the expanded key, so I made a
mistake somewhere. Possibly need to use the var 'filename' in expand.c).

The problem then, of course, is that we *do* want part of the key
expanded - in this instance the $sender_address_domain.

I suspect a bit of jiggling with both the expanded and unexpanded keys
could produce the correct value.

John.
--
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287 Fax: +44 (0)1752 587001
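
The truncated log line discussed in the message above, as an added example that is not part of the original post and is not Exim's code: instead of keeping an unexpanded key, it escapes the already-expanded key when the failure message is built, so the substituted domain is shown and the embedded newline cannot split the log entry. The names `escape_for_log` and `format_defer` and the sample key are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from expand.c): copy `key` into `out`, rendering
   control characters and backslashes as visible escapes so the text stays on
   one log line. Returns the number of bytes written, excluding the NUL. */
size_t escape_for_log(const char *key, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)key; *p; p++) {
        char buf[5];
        if (*p == '\n')      strcpy(buf, "\\n");
        else if (*p == '\r') strcpy(buf, "\\r");
        else if (*p == '\t') strcpy(buf, "\\t");
        else if (*p == '\\') strcpy(buf, "\\\\");   /* keeps a literal \n distinct */
        else if (*p < 0x20 || *p == 0x7f)
            snprintf(buf, sizeof buf, "\\x%02x", (unsigned)*p);
        else { buf[0] = (char)*p; buf[1] = '\0'; }
        size_t len = strlen(buf);
        if (n + len >= outlen) break;               /* never split an escape */
        memcpy(out + n, buf, len);
        n += len;
    }
    out[n] = '\0';
    return n;
}

/* Build the failure text from the expanded key, escaped for display only;
   the lookup itself would still receive the key with its real newline. */
int format_defer(const char *expanded_key, const char *reason,
                 char *msg, size_t msglen)
{
    char shown[256];
    escape_for_log(expanded_key, shown, sizeof shown);
    return snprintf(msg, msglen, "lookup of \"%s\" gave DEFER: %s", shown, reason);
}

int main(void)
{
    /* Constructed sample: the key after expansion, with a real newline and
       a placeholder domain already substituted. */
    const char *key = ">\n; txt=example.com";
    char msg[512];
    format_defer(key, "constructed reason", msg, sizeof msg);
    puts(msg);
    return 0;
}
```
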