On 11/08/2019 09:55, Frank Elsner via Exim-users wrote:
> for alias processing the config contains
> the RCPT ACL
>
> | warn domains = +local_domains
> | set acl_m_rcpt = ${sg{${run{/usr/local/bin/lookup_alias $local_part@$domain}}}{\\n}{}}

1) You may have a security problem. Think carefully about what an
attacker could do with a crafted local_part.

2) You are overwriting acl_m_rcpt for every new recipient. The routing
only happens after the message is accepted.

In more general terms for this sort of problem, you could have tested
using "-bh" and "-d". This makes the processing flow visible.

It fits better in exim if you do the alias lookup in the routers. To
enforce SMTP-time actions on problems such as your ERROR_NO_CONNECTION,
use an ACL condition "verify = recipient"; that runs the routing to see
if the address is acceptable.

--
Cheers,
Jeremy
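
Added example, not part of the original message or of either poster's configuration: a sketch of the layout the reply recommends, with the alias lookup in a redirect router and the RCPT ACL calling "verify = recipient". The flat alias file /etc/aliases, the lsearch lookup standing in for the external lookup_alias program, the router names, and the local_delivery transport are assumptions.

```exim
# Fragment of an Exim configuration (assumed names and paths, see above).
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Run the routers at RCPT time. If no router accepts the address the
  # recipient is refused with 5xx; if a lookup defers (for example the
  # alias source is unreachable) the ACL defers and the client gets 4xx.
  deny    domains  = +local_domains
          !verify  = recipient
          message  = unknown recipient

  accept  domains  = +local_domains

  deny    message  = relay not permitted

begin routers

# The alias lookup lives here, so it runs both for verification at RCPT
# time and for real routing after the message is accepted. $local_part is
# used only as a lookup key; it is never placed on a command line.
aliases:
  driver  = redirect
  domains = +local_domains
  data    = ${lookup{$local_part}lsearch{/etc/aliases}}

# Addresses that are not aliases must still be accepted by some router,
# otherwise "verify = recipient" rejects them.
localuser:
  driver  = accept
  domains = +local_domains
  check_local_user
  transport = local_delivery

# To watch the ACL and routing flow without delivering anything, run a fake
# SMTP session as the reply suggests, e.g.: exim -d -bh 192.0.2.1
```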