Autor: Phil Pennock Data: A: Peter Gervai CC: exim-users Assumpte: Re: [exim] string expansion fail with missing } at end of string
On 2013-10-07 at 12:13 +0200, Peter Gervai wrote: > > ${if match_ip{$sender_host_address}{ ${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=$sender_address_domain}}}} } {no}{yes}}
We had too many people creating security holes through misconfiguration
so I introduced EXPAND_LISTMATCH_RHS and defaulted it off; this is in
the second-last paragraph of the description of match_ip in The Exim
Specification.
So Exim has split the contents of string2 on the colons present therein,
with unpleasant results.
> I fail to see why the first two fail expansion. I have replaced it
> with a hosts= check but wondering what's going on.
You fell afoul of the one place where Exim behaves inconsistently; it
does so because the right-hand-side is a list. Lists can contain
arbitrary other lookups. Notably, this can involve talking to databases
and so forth.
Thus if the dnsdb string were slightly different and looked up something
which could return a TXT record or a hostname, then you would have an
injection attack against the configuration using DNS as a vector.
You're actually safe, because you are only going to get out IPs by the
time match_ip is called, but I hope this clarifies why the lookups are
so dangerous that we disabled them by default.
You could rebuild Exim with EXPAND_LISTMATCH_RHS defined, but I suggest
that this would be optimising for "ability to write clever configs", not
"resilience against security-hole-introducing misconfiguration".
Since you found a way which works, and which I hope is simpler to read,
understand and debug, I think you're good?