Re: [exim] Spurious permission denied error

Top Page
Delete this message
Reply to this message
Author: Russell King
Date:  
To: exim-users
Subject: Re: [exim] Spurious permission denied error
On Tue, Apr 28, 2020 at 11:45:31AM +0100, Jeremy Harris via Exim-users wrote:
> On 28/04/2020 11:32, Russell King via Exim-users wrote:
> > I notice you set a Reply-to: header on your messages, were you
> > expecting me to reply to that address, or to the list? I've
> > chosen the list.
>
> I blame Thunderbird. List is preferred, as far as I'm concerned.


I'll try to remember, but I can't guarantee. As I say, all the other
mailing lists I'm on are mandatory reply-to-all, so hitting 'g' in mutt
has been highly ingrained in me over the last 20 years when replying
to mailing list email (and in fact almost all email.)

> > When exim chooses to use one of the addresses that results in
> > the 'REJECT' rule being hit on the firewall, the machine running exim
> > gives a "Permission denied" errno. I can trigger this via:
> >
> > # telnet xxxx:xxxx:xxxx:xxxx:214:fdff:fe10:1be6 25
> > ...
> > telnet: Unable to connect to remote host: Permission denied
>
> Oh, now _that_ is fun. Exim is merely reporting what the
> OS tells it. If you strace that telnet, is it actually
> the "connect" syscall that returns EPERM? That's the implication
> of the error message.


"Permission denied" is actually EACCES. EPERM is "Operation not
permitted".

But yes, strace returns EACCES for connect().

> The Linux connect(2) mapage offers EPERM for a local firewall
> rule, but yours is remote... I wonder what a packet capture
> shows?


"ICMP6, destination unreachable, unreachable prohibited".

There is a table in the Linux kernel source code in net/ipv6/icmp.c,
tab_unreach[], which maps the ICMPv6 unreachability code to a local
errno:

        {       /* ADM_PROHIBITED */
                .err    = EACCES,
                .fatal  = 1,
        },


It can also map to EACCES for POLICY_FAIL and REJECT_ROUTE
unreachability codes. Its use dates back as far as the modern git
history of the Linux kernel (back to 2.6.12-rc2, so 15 years) at
least.

It seems the connect(2) man page needs to be fixed with respect to
this too (I'll see if that can happen.)

However, it seems this use of EACCES in this way is nonstandard
according to POSIX, and I don't want to start a debate here about
the use of errno codes - it's not up to me.

--
Russell King