Re: [exim] BATV and closed mailing lists

Author: Phil Pennock
Date:  
To: bd
CC: exim-users
Subject: Re: [exim] BATV and closed mailing lists
On 2012-08-22 at 12:01 +0200, bd@??? wrote:
>     http://www.exim.org/exim-html-current/doc/html/spec_html/ch49.html
>
> However one member's mail provider uses BATV, which changes his return-path to
> something like
>
>     Return-path: <prvs=123456=foo@???>
>
> while his email address is really:
>
>     foo@???
>
> With that the
>
>     senders = ${if exists {/usr/lists/$local_part}\
>                  {lsearch;/usr/lists/$local_part}{*}}
>
> fails, and he can not send mail to the list.
>
> How can I solve this?


I have this in an ACL:

#----------------------------8< cut here >8------------------------------
# For the sender address, handle:
#  BATV PRVS: prvs=<ignore>=email
#    ${sg{$sender_address_local_part}{\N^prvs=.+?=([^=]+)$\N}{\$1}}
#  Yahoo Groups: sentto-<ignore-with:->-rcptlocal=rcptdomain@senderdomain
#  nb: rcptdomain can contain hyphen, as can rcptlocal; can fix latter easily
#      and can fix former if restrict to [0-9-]+? but let's keep it generic
#      and accept whitelist-slip-through for varying $foo in $foo-$bar.
#    ${sg{$sender_address_local_part}{\N^sentto-.+?-([^=-]+=[^=]+)$\N}{\$1}}
#  Nanog: LISTNAME-bounces+USERID
#    ${sg{$sender_address_local_part}{\N^([^+]+-bounces)\+.+$\N}{\$1}}
#  Zsh / ezmlm: LISTNAME-return-NNNN-USER=DOMAIN
#    ${sg{$sender_address_local_part}{\N(.+)-return-\d+-([^=-]+=[^=]+)$\N}{\$1-\$2}}
#  Nested substitutions risk dropping too much, and get harder to read
  warn    set acl_m_core_sender = ${if or{\
                {match {$sender_address_local_part}{\N^prvs=.+?=([^=]+)$\N}}\
                {match {$sender_address_local_part}{\N^sentto-.+?-([^=-]+=[^=]+)$\N}}\
                {match {$sender_address_local_part}{\N^([^+]+-bounces)\+.+$\N}}\
                {match {$sender_address_local_part}{\N^(.+)-return-\d+-.+$\N}}\
                }{$1}{$sender_address_local_part}}@$sender_address_domain
# SRS: note that there is - and # encoding in SRS; we ignore it, for purposes of
# canonicalisation.  See http://www.openspf.org/SRS for one spec, but note that
# there are variances.
  warn    condition = ${if match{$sender_address_local_part}{\N^SRS[01]\N}}
          set acl_m_core_sender = ${if match {$sender_address_local_part}\
                {\N^(?i)SRS[01][=+](?:[^=]+=){2}([^=]+)=(.+)$\N}\
                {$2@$1}\
                {$sender_address_local_part@$sender_address_domain}}
#----------------------------8< cut here >8------------------------------


After this, anything where I might check $sender_address, I instead
check the $acl_m_core_sender variable.

For a "senders" check, you might rewrite that to something like this
(untested):

  condition = ${if and{\
                {exists {/usr/lists/$local_part}}\
                {bool{${lookup{$acl_m_core_sender}lsearch{/usr/lists/$local_part}{yes}{no}}}}\
                }}


It's tempting to try match_address for a simpler third line there, but
in Exim 4.77 I disabled string expansion of the right-hand-side by
default, because folks kept writing configs with security holes.

Note that these examples assume that your RCPT ACL still has the default
checks in it, to restrict the allowed patterns, so that
"../../etc/passwd" can't be used as a local part.

-Phil
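
The sender canonicalisation from the ACL above, modelled in Python as an added example (not part of the original message, and not Exim code) so the patterns can be exercised against sample return-paths before a config change. The function names, the `LISTS` table and all addresses are constructed for illustration; the membership check follows the `condition` rewrite (the list must exist and the canonical sender must be listed), and the local-part restriction mirrors the default RCPT ACL check the message refers to.

```python
import re

# Local-part patterns transcribed from the ACL in the message above.
# Group 1 of the first rule that matches becomes the canonical local part.
LOCAL_PART_RULES = [
    re.compile(r"^prvs=.+?=([^=]+)$"),           # BATV PRVS
    re.compile(r"^sentto-.+?-([^=-]+=[^=]+)$"),  # Yahoo Groups
    re.compile(r"^([^+]+-bounces)\+.+$"),        # LISTNAME-bounces+USERID
    re.compile(r"^(.+)-return-\d+-.+$"),         # ezmlm
]
SRS_GATE = re.compile(r"^SRS[01]")  # case-sensitive, as in the ACL condition
SRS_RULE = re.compile(r"^SRS[01][=+](?:[^=]+=){2}([^=]+)=(.+)$", re.IGNORECASE)
# Restriction the stock Exim RCPT ACL applies to local domains:
# no leading dot, and none of @ % ! / | anywhere in the local part.
UNSAFE_LOCAL_PART = re.compile(r"^[.]|[@%!/|]")
# Constructed sample data: list name -> member addresses (lower case).
LISTS = {"staff": {"foo@member.example"}}


def core_sender(local_part, domain):
    """Model of how the two 'warn' statements set acl_m_core_sender."""
    if SRS_GATE.match(local_part):
        m = SRS_RULE.match(local_part)
        return f"{m.group(2)}@{m.group(1)}" if m else f"{local_part}@{domain}"
    for rule in LOCAL_PART_RULES:
        m = rule.match(local_part)
        if m:
            return f"{m.group(1)}@{domain}"
    return f"{local_part}@{domain}"


def may_post(list_name, sender_local_part, sender_domain, lists=LISTS):
    """Closed-list check on the canonical sender.

    Keys are compared in lower case because lsearch is case-insensitive.
    """
    if UNSAFE_LOCAL_PART.search(list_name):
        return False  # the list name must never reach a file path
    members = lists.get(list_name)
    if members is None:
        return False  # no such list
    return core_sender(sender_local_part, sender_domain).lower() in members


if __name__ == "__main__":
    for lp, dom in [("prvs=123456=foo", "member.example"),
                    ("SRS0=a1b2=XY=member.example=foo", "forwarder.example")]:
        print(f"{lp}@{dom} -> {core_sender(lp, dom)}")
```
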