Hello Phil,
On Mon, Oct 7, 2013 at 11:06 PM, Phil Pennock <exim-users@???> wrote:
> On 2013-10-07 at 12:13 +0200, Peter Gervai wrote:
>> > ${if match_ip{$sender_host_address}{ ${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=$sender_address_domain}}}} } {no}{yes}}
>
> We had too many people creating security holes through misconfiguration
> so I introduced EXPAND_LISTMATCH_RHS and defaulted it off; this is in
> the second-last paragraph of the description of match_ip in The Exim
> Specification.
Ah, you're right. My bad.
> You fell afoul of the one place where Exim behaves inconsistently; it
> does so because the right-hand-side is a list.
What I was thinking is maybe the error message could hint this
possibility, but I'm not sure it can be separated from the normal
parameter error cases. Just mentioning, maybe.
> Thus if the dnsdb string were slightly different and looked up something
> which could return a TXT record or a hostname, then you would have an
> injection attack against the configuration using DNS as a vector.
Indeed, I agree with the move.
> Since you found a way which works, and which I hope is simpler to read,
> understand and debug, I think you're good?
Yes thank you, I'm good. It was originally about the nice fragments on the wiki:
https://github.com/Exim/exim/wiki/Verification
where the ADSL examples actually won't work under the new regime since
they're using the condition with match_ip and a lookup. The rewrite is
tougher since the acl already contains a '!hosts' predicament so I
only attached a comment at the end and let the end user find a
solution. Evil. :-)
(A hack would be to expand the string first into a variable I guess,
or to combine teh existing hosts check with the new one, but it
doesn't look to be simple.)
In my case I had no previous hosts check so for me it was easy.
Thanks,
Peter
