Re: [exim] failed to expand ACL string after upgrade

Author: exim-users
Date:  
To: exim-users
Subject: Re: [exim] failed to expand ACL string after upgrade
Hi Jeremy,

thanks for picking this up.

On 03.12.22 19:05, Jeremy Harris via Exim-users wrote:

>> It fails on expanding the condition, which is part of the exim configuration from Ubuntu/Debian:
>>
>>    deny
>>
>>      condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
>>                     ${quote:$sender_host_address} --identity \
>>                     ${if def:sender_address_domain \
>>                         {--scope mfrom  --identity ${quote:$sender_address}}\
>>                         {--scope helo --identity ${quote:$sender_helo_name}}}}\
>>                     {no}{${if eq {$runrc}{1}{yes}{no}}}}
>
> The docs for ${run } say:
>
>      If the option preexpand is not used, the command string is
>      split into individual arguments by spaces and then each argument is expanded.
>
> - so that expansion is questionable around the ${if }'s.  But that doesn't explain
> the complaint about ${quote:$sender_host_address}.


That expansion worked for years in my setup.

> You could play with "exim -d -be" (replacing variables with suitable values)
> to trace the evaluation of the expansion.


Stripping down (removing the if and all quotes) to the following condition works:

     condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                      $sender_host_address --identity \
                      --scope mfrom  --identity sender_address}\
                      {no}{${if eq {$runrc}{1}{yes}{no}}}}


As soon as one ${quote: ...} is added, the missing "}" error appears:

     condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                      ${quote:$sender_host_address} --identity \
                      --scope mfrom  --identity sender_address}\
                      {no}{${if eq {$runrc}{1}{yes}{no}}}}


Corresponding line in the log:
2022-12-03 21:41:55 H=SENDER_HOSTNAME (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT
<RCPT_ADDRESS>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity --scope mfrom --identity sender_address}{no}{${if eq
{$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at
end of string

> Or you could just slam in a "preexpand" option to see what happens.


Adding the preexpand option leads to another error:
2022-12-03 20:41:46 Attempt to exec tainted path: '/usr/bin/spfquery.mail-spf-perl'
2022-12-03 20:41:46 H=SENDER_HOSTNAME (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT
<RCPT_ADDRESS>: failed to expand ACL string "${run,preexpand{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom
--identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": couldn't create child process: Operation not permitted

> Either way, the maintainers of that config probably need to know (if they've not
> already made some modification which you've not picked up).


Checked the default config from the Ubuntu package (exim4-config, 4.96-3ubuntu1.1); it provides the condition as given earlier in the thread. I will file a bug in Ubuntu's bug
tracker to let the maintainers know.

Regards,

Thomas