Re: [exim] Exim-users Digest, Vol 177, Issue 19

Author: Neil Youngman
Date:  
To: exim-users
Subject: Re: [exim] Exim-users Digest, Vol 177, Issue 19
On 26/02/2019 12:00, Jeremy Harris <jgh@???> wrote:
> On 25/02/2019 18:43, Neil Youngman via Exim-users wrote:
>> Is this expected behaviour from nwildlsearch?
>>
>> Example 1: It finds a match for neil.youngman@??? but a look
>> up of bad.example.com returns NXDOMAIN. The condition fails, in spite of
>> having a match.
> We can't tell where your nwildlsearch starts and ends, nor what else
> your acl was doing. Show the full source, and don't obfuscate
> the debug.



I've cut this down quite a lot to (hopefully) focus on the issue in
question.

Here's the config I'm testing:


$ cat /tmp/example.cfg

exim_path=/usr/local/exim/exim

# %s differentiates the logs, i.e. main, reject or panic
log_file_path=/wasp/logs/exim_%s.log : syslog
syslog_timestamp=false

chunking_advertise_hosts =

primary_hostname = mail-test.wirefast.net

acl_smtp_rcpt = acl_allowed_rcpts

host_lookup = *


begin acl

# Wirefast: ACL for IM and Newslink domains
acl_allowed_rcpts:

accept hosts = :

   accept  domains = wirefast.net
           hosts   = ${lookup{$sender_address}nwildlsearch{/tmp/test_emails.txt}}


   deny    message       = relay not permitted



begin routers

dnslookup:
driver = dnslookup
transport = remote_smtp
# ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
# if ipv6-enabled then instead use:
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
no_more


begin transports

remote_smtp:
driver = smtp

begin retry

*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h


begin rewrite


begin authenticators

# End of Exim configuration file



I test it initially with the Google mail servers as the first pattern to
match (the IP address given is for a Google mail server) and it finds
the match and accepts the condition.

$ echo 'neil.youngman@??? ^^mail-.*\.google\.com$:bad.example.com' > /tmp/test_emails.txt
$ /usr/local/exim/exim -C/tmp/example.cfg -bh 209.85.208.53

**** SMTP testing session as if from host 209.85.208.53
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 209.85.208.53
>>> IP address lookup yielded "mail-ed1-f53.google.com"
>>> checking addresses for mail-ed1-f53.google.com
>>> 209.85.208.53 OK
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

220 mail-test.wirefast.net ESMTP Exim 4.91_RC4 Tue, 26 Feb 2019 12:38:21 +0000
HELO test.wirefast.net
250 mail-test.wirefast.net Hello mail-ed1-f53.google.com [209.85.208.53]
MAIL FROM:<neil.youngman@???>
250 OK
RCPT TO:<test@???>
>>> using ACL "acl_allowed_rcpts"
>>> processing "accept"
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "acl_allowed_rcpts"
>>> processing "accept"
>>> check domains = wirefast.net
>>> wirefast.net in "wirefast.net"? yes (matched "wirefast.net")
>>> check hosts = ${lookup{$sender_address}nwildlsearch{/tmp/test_emails.txt}}
>>> neil.youngman@??? in "neil.youngman@???"? yes (matched "neil.youngman@???")
>>> host in "^^mail-.*\.google\.com$:bad.example.com"? yes (matched "^^mail-.*\.google\.com$")
>>> accept: condition test succeeded in ACL "acl_allowed_rcpts"
>>> end of ACL "acl_allowed_rcpts": ACCEPT

250 Accepted
quit
221 mail-test.wirefast.net closing connection




For the second test it has bad.example.com as the first possible match.
It still matched "neil.youngman@???", but that match seems to
be overridden by the NXDOMAIN from bad.example.com and this time it does
not accept the condition.


$ echo 'neil.youngman@??? bad.example.com:^^mail-.*\.google\.com$' > /tmp/test_emails.txt
$ /usr/local/exim/exim -C/tmp/example.cfg -bh 209.85.208.53

**** SMTP testing session as if from host 209.85.208.53
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 209.85.208.53
>>> IP address lookup yielded "mail-ed1-f53.google.com"
>>> checking addresses for mail-ed1-f53.google.com
>>> 209.85.208.53 OK
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

220 mail-test.wirefast.net ESMTP Exim 4.91_RC4 Tue, 26 Feb 2019 12:39:50 +0000
MAIL FROM:<neil.youngman@???>
250 OK
RCPT TO:<test@???>
>>> using ACL "acl_allowed_rcpts"
>>> processing "accept"
>>> check hosts = :
>>> host in ":"? no (end of list)
>>> accept: condition test failed in ACL "acl_allowed_rcpts"
>>> processing "accept"
>>> check domains = wirefast.net
>>> wirefast.net in "wirefast.net"? yes (matched "wirefast.net")
>>> check hosts = ${lookup{$sender_address}nwildlsearch{/tmp/test_emails.txt}}
>>> neil.youngman@??? in "neil.youngman@???"? yes (matched "neil.youngman@???")
>>> no IP address found for host bad.example.com (during SMTP connection from mail-ed1-f53.google.com [209.85.208.53])
LOG: no IP address found for host bad.example.com (during SMTP connection from mail-ed1-f53.google.com [209.85.208.53])
>>> host in "bad.example.com:^^mail-.*\.google\.com$"? no (failed to find IP address for bad.example.com)
>>> accept: condition test failed in ACL "acl_allowed_rcpts"
>>> processing "deny"
>>> message: relay not permitted
>>> deny: condition test succeeded in ACL "acl_allowed_rcpts"
>>> end of ACL "acl_allowed_rcpts": DENY

550 relay not permitted
LOG: H=mail-ed1-f53.google.com [209.85.208.53] F=<neil.youngman@???> rejected RCPT <test@???>: relay not permitted
quit
221 mail-test.wirefast.net closing connection


I hope that is sufficient to answer whether that is expected behaviour.
I couldn't see anything in the manual that suggested to me that the
second test should have a different result to the first.

Neil Youngman
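
The ordering effect seen in the two -bh sessions above, as an added example that is not part of the original message and is not Exim's code: a simplified Python model of left-to-right host-list matching in which a plain host name item that cannot be resolved ends the match by default. The stub resolver, its data and the function names are assumptions made for illustration; +ignore_unknown and +include_unknown are the special host-list items described in the Exim specification that change that default for the items following them.

```python
import re

class Unresolvable(Exception):
    """Stands in for an NXDOMAIN answer from the resolver."""

# Constructed resolver data: bad.example.com is deliberately absent.
FAKE_DNS = {"relay.example.net": {"192.0.2.10"}}

def resolve(name):
    if name not in FAKE_DNS:
        raise Unresolvable(name)
    return FAKE_DNS[name]

def host_in_list(host_name, host_ip, host_list):
    """Simplified left-to-right match of a colon-separated host list.
    Returns (matched, reason), with reasons worded like the -bh debug lines."""
    on_unknown = "fail"  # default: an unresolvable name means "not in list"
    for item in (i.strip() for i in host_list.split(":")):
        if item == "+ignore_unknown":
            on_unknown = "skip"
        elif item == "+include_unknown":
            on_unknown = "match"
        elif item.startswith("^"):
            # Regex items are tested against the reverse-resolved host name.
            if re.search(item, host_name):
                return True, f'matched "{item}"'
        else:
            # Plain host names need a forward lookup before comparison.
            try:
                if host_ip in resolve(item):
                    return True, f'matched "{item}"'
            except Unresolvable:
                if on_unknown != "skip":
                    return on_unknown == "match", f"failed to find IP address for {item}"
    return False, "end of list"

if __name__ == "__main__":
    name, ip = "mail-ed1-f53.google.com", "209.85.208.53"
    for lst in (r"^^mail-.*\.google\.com$:bad.example.com",
                r"bad.example.com:^^mail-.*\.google\.com$",
                r"+ignore_unknown:bad.example.com:^^mail-.*\.google\.com$"):
        print(lst, "->", host_in_list(name, ip, lst))
```

With +include_unknown in front, the unresolvable name makes the list match instead, which in a relay ACL like the one above would accept on a DNS failure.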