Hi,
after updating to Ubuntu 22.10 (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), SPF checks (via spf-tools-perl) are failing with "failed to expand ACL string" (which leads to a temp reject):
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity
${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command
"/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
It fails on expanding the condition, which is part of the exim configuration from Ubuntu/Debian:
--cut exim configuration
  deny
    message = [SPF] $sender_host_address is not allowed to send mail from \
              ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
              Please see \
              http://www.openspf.org/Why?scope=${if def:sender_address_domain \
              {mfrom}{helo}};identity=${if def:sender_address_domain \
              {$sender_address}{$sender_helo_name}};ip=$sender_host_address
    log_message = SPF check failed.
    !acl = acl_local_deny_exceptions
    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                ${quote:$sender_host_address} --identity \
                ${if def:sender_address_domain \
                {--scope mfrom --identity ${quote:$sender_address}}\
                {--scope helo --identity ${quote:$sender_helo_name}}}}\
                {no}{${if eq {$runrc}{1}{yes}{no}}}}
--cut
I double checked parentheses and can't find any missing. Logged all variables used in the query, everything is defined and set properly (I could run spfquery.mail-spf-perl with the params provided without any issues). I am not able to find a syntax error (especially not the missing "}" mentioned in the error message). Use of tainted $sender_address and $sender_helo_name in run should not be an issue (according to
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html#vi382).
Is there something I miss/overlook? Any help appreciated.
Regards,
Thomas
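
Added example (not part of Thomas's post and not Exim code): a Python check that the condition string from the log line above is brace-balanced, and that the fragment named in the error equals the ${run} command cut at its first closing brace. The function names are made up for this example; the two strings are copied from the log line.

```python
# Both strings are copied from the log line in the post above.
CONDITION = (
    "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} "
    "--identity ${if def:sender_address_domain {--scope mfrom --identity "
    "${quote:$sender_address}}{--scope helo --identity "
    "${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}"
)
REPORTED = "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address"


def check_balance(s):
    """Return (balanced, offset of the problem or None); backslash escapes are skipped."""
    depth, i = 0, 0
    while i < len(s):
        if s[i] == "\\":
            i += 2
            continue
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth < 0:
                return False, i
        i += 1
    return (True, None) if depth == 0 else (False, len(s))


def run_command(s):
    """Return the first argument of ${run{...}}, matched by brace depth."""
    start = s.index("${run{") + len("${run{")
    depth = 1
    for i in range(start, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return s[start:i]
    raise ValueError("unterminated ${run{ argument")


def cut_at_first_close(cmd):
    """Return cmd up to, not including, its first closing brace."""
    return cmd.split("}", 1)[0]


if __name__ == "__main__":
    cmd = run_command(CONDITION)
    print("balanced:", check_balance(CONDITION))
    print("matches log fragment:", cut_at_first_close(cmd) == REPORTED)
```

The configured string passes the balance check, while the fragment quoted in the error does not: it stops just before the closing brace of the first ${quote:...} item.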