Hi Jeremy,
thanks for picking this up.
On 03.12.22 19:05, Jeremy Harris via Exim-users wrote:
>> It fails on expanding the condition, which is part of the exim configuration from Ubuntu/Debian:
>>
>> deny
>>
>> condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
>> ${quote:$sender_host_address} --identity \
>> ${if def:sender_address_domain \
>> {--scope mfrom --identity ${quote:$sender_address}}\
>> {--scope helo --identity ${quote:$sender_helo_name}}}}\
>> {no}{${if eq {$runrc}{1}{yes}{no}}}}
>
> The docs for ${run } say:
>
> If the option preexpand is not used, the command string is
> split into individual arguments by spaces and then each argument is expanded.
>
> - so that expansion is questionable around the ${if }'s. But that doesn't explain
> the complaint about ${quote:$sender_host_address}.
That expansion worked for years in my setup.
> You could play with "exim -d -be" (replacing variables with suitable values,
> to trace the evaluation of the expansion.
Stripping it down (removing the if and all quotes) to the following condition works:
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
As soon as one ${quote: ...} is added, the missing "}" error appears:
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
${quote:$sender_host_address} --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
Corresponding line in the log:
2022-12-03 21:41:55 H=SENDER_HOSTNAME (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity --scope mfrom --identity sender_address}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
> Or you could just slam in a "preexpand" option to see what happens.
Adding the option preexpand leads to another error:
2022-12-03 20:41:46 Attempt to exec tainted path: '/usr/bin/spfquery.mail-spf-perl'
2022-12-03 20:41:46 H=SENDER_HOSTNAME (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>: failed to expand ACL string "${run,preexpand{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": couldn't create child process: Operation not permitted
> Either way, the maintainers of that config probably need to know (if they've not
> already made some modification which you've not picked up).
I checked the default config from the Ubuntu package (exim4-config, 4.96-3ubuntu1.1); it provides the condition as given earlier in the thread. I will file a bug in Ubuntu's bug tracker to let the maintainers know.
Regards,
Thomas
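Added example, not Exim's code and not part of the thread: a small Python model of the order of operations the quoted documentation describes for ${run}, applied to the exim4-config command above. Without preexpand it splits on spaces and then expands each piece, so the ${if def:...{...}{...}} item, which spans several space-separated pieces, is torn into fragments with unbalanced braces and per-argument expansion fails; with preexpand the whole string is expanded first and the same command yields a usable argv. A second, constructed command with an unquoted $sender_helo_name shows why the split order matters for a value the remote client controls. The expander understands only $name, ${quote:...} and ${if def:...}; the ${quote:} rule and the splitter's treatment of double quotes are my approximations of the documented behaviour; the sample variable values are constructed; and neither the "tainted path" failure seen with preexpand nor the reported failure on ${quote:$sender_host_address} (that fragment is balanced on its own) is reproduced by this model.

```python
"""Model of the two argument-handling orders of Exim's ${run}.

Added example: not Exim's code.  Only $name, ${quote:...} and
${if def:name{a}{b}} are understood, and exim_quote / split_args are
approximations of the documented behaviour, not Exim's parser.
"""
import re

# Constructed sample values.  The HELO name deliberately contains a space,
# because $sender_helo_name is whatever the remote client sent.
SAMPLE_VARS = {
    "sender_host_address": "192.0.2.10",
    "sender_address": "alice@example.net",
    "sender_address_domain": "example.net",
    "sender_helo_name": "mail host",
}

# Command part of the ${run} from the exim4-config ACL quoted in the thread,
# with the backslash-continued lines joined.
DEBIAN_SPF_COMMAND = (
    "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} "
    "--identity ${if def:sender_address_domain "
    "{--scope mfrom --identity ${quote:$sender_address}}"
    "{--scope helo --identity ${quote:$sender_helo_name}}}"
)

# Constructed contrast case: the HELO identity passed without ${quote:}.
UNQUOTED_HELO_COMMAND = (
    "/usr/bin/spfquery.mail-spf-perl --scope helo --identity $sender_helo_name"
)

VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
IF_DEF_RE = re.compile(r"if def:([A-Za-z_][A-Za-z0-9_]*)\s*")


def exim_quote(value):
    """Approximation of ${quote:}: unchanged if non-empty and made only of
    letters, digits, '_', '.', '-'; otherwise double-quoted with escapes."""
    if value and re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return value
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
               .replace("\n", "\\n").replace("\r", "\\r"))
    return '"' + escaped + '"'


def _matching_brace(text, start):
    """Index just past the '}' closing the '{' at text[start]."""
    depth = 0
    for j in range(start, len(text)):
        if text[j] == "{":
            depth += 1
        elif text[j] == "}":
            depth -= 1
            if depth == 0:
                return j + 1
    raise ValueError("missing } at end of string: %r" % text)


def expand(text, variables):
    """Expand one string; an unclosed ${...} item raises ValueError, which
    stands in for Exim's 'failed to expand' outcome."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("${", i):
            end = _matching_brace(text, i + 1)
            body = text[i + 2:end - 1]
            m = IF_DEF_RE.match(body)
            if body.startswith("quote:"):
                out.append(exim_quote(expand(body[len("quote:"):], variables)))
            elif m:
                rest = body[m.end():]                 # "{yes}{no}"
                a_end = _matching_brace(rest, 0)
                yes_part, remainder = rest[1:a_end - 1], rest[a_end:]
                no_part = ""
                if remainder.startswith("{"):
                    no_part = remainder[1:_matching_brace(remainder, 0) - 1]
                chosen = yes_part if variables.get(m.group(1)) else no_part
                out.append(expand(chosen, variables))
            else:
                raise ValueError("unsupported expansion item: ${%s}" % body)
            i = end
        elif text[i] == "$" and VAR_RE.match(text, i):
            m = VAR_RE.match(text, i)
            out.append(variables.get(m.group(1), ""))
            i = m.end()
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def split_args(command):
    """Split on spaces; a double-quoted span stays one argument (assumed)."""
    args, cur, in_quotes, has_token = [], [], False, False
    for ch in command:
        if ch == '"':
            in_quotes, has_token = not in_quotes, True
        elif ch == " " and not in_quotes:
            if has_token:
                args.append("".join(cur))
                cur, has_token = [], False
        else:
            cur.append(ch)
            has_token = True
    if has_token:
        args.append("".join(cur))
    return args


def run_argv(command, variables, preexpand=False):
    """argv under the two documented orders: expand-then-split (preexpand)
    or split-then-expand-each (the default)."""
    if preexpand:
        return split_args(expand(command, variables))
    return [expand(arg, variables) for arg in split_args(command)]


def try_run_argv(command, variables, preexpand=False):
    """(argv, None) on success, (None, error message) on expansion failure."""
    try:
        return run_argv(command, variables, preexpand), None
    except ValueError as exc:
        return None, str(exc)


def unbalanced_fragments(command):
    """Indices of space-separated fragments whose braces do not balance on
    their own, i.e. pieces that cannot be expanded one at a time."""
    bad = []
    for idx, frag in enumerate(command.split(" ")):
        depth = lowest = 0
        for ch in frag:
            depth += {"{": 1, "}": -1}.get(ch, 0)
            lowest = min(lowest, depth)
        if depth != 0 or lowest < 0:
            bad.append(idx)
    return bad


if __name__ == "__main__":
    print("unbalanced fragments:", unbalanced_fragments(DEBIAN_SPF_COMMAND))
    for pre in (False, True):
        print("preexpand=%s:" % pre, try_run_argv(DEBIAN_SPF_COMMAND, SAMPLE_VARS, pre))
    for pre in (False, True):
        print("unquoted helo, preexpand=%s:" % pre,
              try_run_argv(UNQUOTED_HELO_COMMAND, SAMPLE_VARS, pre))
```

Running it shows fragments 4, 6, 9 and 12 of the Debian command (the `${if`, `{--scope` and the two pieces ending in `}}` / `}}}`) cannot be expanded on their own, so the default order fails at `${if` with a "missing }" while preexpand produces an argv. For the unquoted HELO case the default order keeps "mail host" as one argv entry, whereas preexpand splits it into two, which is the kind of argument injection that ${quote:} is there to prevent. In this model the quote characters that ${quote:} produces survive literally into argv when expansion happens after the split, a consequence of the ordering worth checking against `exim -be` or `exim -d` on a real install.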