Re: [exim] Weird domain matching

Top Page
Delete this message
Reply to this message
Author: Peter Thomassen
Date:  
To: exim-users
Subject: Re: [exim] Weird domain matching
On 03/28/2011 02:08 AM, Dave Evans wrote:
> On Mon, Mar 28, 2011 at 12:04:02AM -0400, Peter Thomassen wrote:
>> I was testing around with exim4 -d -bh, sending an e-mail from some
>> @physik.uni-wuerzburg.de address to myself. I coincidentally saw the
>> following debugging output:
>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>> Verifying<...>@physik.uni-wuerzburg.de
>>> address match: subject=<...>@physik.uni-wuerzburg.de pattern=*@+local_domains


>>> physik.uni-wuerzburg.de in "@:localhost:localhost.a4a.de:a4a.de:mail.a4a.de:mysql;SELECT DISTINCT full_domain FROM mail_alias WHERE full_domain='peter-thomassen.de'"? yes (matched "mysql;SELECT DISTINCT full_domain FROM mail_alias WHERE full_domain='peter-thomassen.de'")
>>> physik.uni-wuerzburg.de in "+local_domains"? yes (matched "+local_domains")
>>> <...>physik.uni-wuerzburg.de in "*@+local_domains"? yes (matched "*@+local_domains")


>
> $domain means different things in different contexts. Sometimes it's the
> sender's domain, sometimes it's that of the recipient. It all depends on your
> config, which of course we don't yet know. For example, you tell us how
> MAIN_LOCAL_DOMAINS is defined, but you don't tell us why you think that's
> relevant, e.g. where it's used.
>
> If you need a more concrete explanation, I think you'll need to show us rather
> more of your config.


Sure:
> MAIN_LOCAL_DOMAINS = @:localhost:localhost.a4a.de:a4a.de:mail.a4a.de:mysql;SELECT DISTINCT full_domain FROM mail_alias WHERE full_domain='${quote_mysql:$domain}'
> domainlist local_domains = MAIN_LOCAL_DOMAINS


As said, a testing session was done for sending mail from
<...>@physik.uni-wuerzburg.de to my address.

The problem occurs from the usual sender verify stanza in the RCPT ACL:
   deny
     message = Sender verification failed
     !acl = acl_local_deny_exceptions
     !verify = sender


The debug log output from my original post is exactly what comes after
this !verify = sender. The debug log says
> Verifying jdittmann@???
> address match: subject=<...>@physik.uni-wuerzburg.de pattern=*@+local_domains

as it makes sense to verify the sender.

However, the following lookup does not lookup the
physik.uni-wuerzburg.de domain, but peter-thomassen.de. So it comes that
the check whether or not the domain is in +local_domains yields "true",
because the domain peter-thomassen.de is a local domain. However,
physik.uni-wuerzburg.de is not. It seems wrong to me that the recipient
domain is checked here.

Note that it claims to check for physik.uni-wuerzburg.de but in fact
matches against peter-thomassen.de, in the same debug line.


This happens right before routing is done at the verification stage
(thus, before "Considering <...>@physik.uni-wuerzburg.de). So, is the
matching against *@+local_domains a check that is always performed
during sender verification, independently of the routing?

I wondered whether a broken router might cause this, but actually the
debug output is before the routing is done. Also, I could not find
suspicious routers. Additionally, when the verification routing is done
after the "Considering <...>@physik.uni-wuerzburg.de" line in the debug
log, physik.uni-wuerzburg.de is in fact matched against +local_domains,
and it does not match, as expected.


I hope you can somehow deduce what's going on. In case you need further
information, I'd be happy to provide it.

Best,
Peter