[exim-dev] [Bug 2267] New: Contradictory error/no error logg…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2267] New: Contradictory error/no error logged to paniclog for ratelimit options in QUIT/NOTQUIT ACLs
https://bugs.exim.org/show_bug.cgi?id=2267

            Bug ID: 2267
           Summary: Contradictory error/no error logged to paniclog for
                    ratelimit options in QUIT/NOTQUIT ACLs
           Product: Exim
           Version: 4.86
          Hardware: x86
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: ACLs
          Assignee: jgh146exb@???
          Reporter: mike.brudenell@???
                CC: exim-dev@???


I have both acl_smtp_quit and acl_smtp_notquit ACLs defined. These check
whether authentication failed and, if it did, use ratelimit to update a count
with a view to throttling or blocking clients trying repeated AUTH attempts.

In each of the ACLs the ratelimit line reads:
    ratelimit = 5 / 1h / strict / BadAuth:$sender_host_address


This is accepted without error and the associated rate limiting worked for a
long time.

Realising I hadn't explicitly named a "per_XXX" option I explicitly added the
"per_mail" option that until now the ratelimit condition had been defaulting to
using:
    ratelimit = 5 / 1h / per_mail / strict / BadAuth:$sender_host_address


This now causes Exim to log an entry in paniclog whenever the ACL runs
complaining with either
    ACL for QUIT returned ERROR: error in arguments to "ratelimit" condition: "per_mail" must not have /leaky or /strict option in QUIT ACL
or
    ACL for not-QUIT returned ERROR: error in arguments to "ratelimit" condition: "per_mail" must not have /leaky or /strict option in NOTQUIT ACL
depending which ACL triggered.


This seems inconsistent and wrong because:

1) If I explicitly include the "per_mail" option in the ratelimit condition
Exim paniclogs an error saying I MUST NOT use either strict or leaky with
"per_mail" in that ACL.

2) If I omit all "per_XXX" options but still include "strict" or "leaky" then
the ratelimit defaults to use "per_mail" but DOES NOT paniclog an error.

Surely you can't have it both ways?! :-)
Either strict/leaky can be used with per_mail in these ACLs (in which case (1)
is wrong), or cannot be used (in which case (2) is wrong).

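A way to audit a configuration for the two forms described in the report above, as an added example that is not part of the original message or of Exim itself. The ACL block names, the `$authentication_failed` condition and the sample configuration are assumptions constructed for illustration, and the `/` split assumes the ratelimit key itself contains no slash.

```python
import re

PER_OPTS = {"per_conn", "per_mail", "per_byte", "per_cmd", "per_rcpt", "per_addr"}

def classify(value):
    """Classify one ratelimit value laid out as 'limit / period / options... / key'."""
    opts = [p.strip() for p in value.split("/")][2:]  # naive split (assumption: no '/' in key)
    if not any(o in ("strict", "leaky") for o in opts):
        return "ok"
    per = [o for o in opts if o in PER_OPTS]
    if not per:
        return "implicit per_mail"   # no per_* named: accepted silently, per the report
    if per[0] == "per_mail":
        return "explicit per_mail"   # the form that is paniclogged, per the report
    return "ok"

def audit(config):
    """Return (main option, ACL name, verdict) for ratelimit lines in QUIT/NOTQUIT ACLs."""
    # Map each ACL block name to the main option (acl_smtp_quit/notquit) that selects it.
    bound = {name: opt for opt, name in
             re.findall(r"^\s*(acl_smtp_(?:not)?quit)\s*=\s*(\S+)", config, re.M)}
    findings, current = [], None
    for line in config.splitlines():
        label = re.match(r"^(\w+):\s*$", line)   # start of a named ACL block
        if label:
            current = label.group(1)
            continue
        m = re.match(r"^\s*ratelimit\s*=\s*(.+)$", line)
        if m and current in bound:
            verdict = classify(m.group(1))
            if verdict != "ok":
                findings.append((bound[current], current, verdict))
    return findings

# Constructed sample configuration; ACL names and the condition line are hypothetical.
SAMPLE = """\
acl_smtp_quit = acl_check_quit
acl_smtp_notquit = acl_check_notquit

begin acl

acl_check_quit:
  warn condition = ${if eq{$authentication_failed}{1}}
       ratelimit = 5 / 1h / strict / BadAuth:$sender_host_address

acl_check_notquit:
  warn condition = ${if eq{$authentication_failed}{1}}
       ratelimit = 5 / 1h / per_mail / strict / BadAuth:$sender_host_address
"""
```

Calling `audit(SAMPLE)` lists both ACLs: the first relies on the silent default, the second is the explicit form that the report says produces the paniclog entry.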