Package: exim4-config
Version: 4.93-13ubuntu1.5
Severity: normal
Tags: patch
Dear Maintainer,

   * What led up to the situation?

I noticed that exim accepted an email with invalid header syntax, yet I had previously configured an exim macro to work with Debian's exim config to reject those emails.

   * What exactly did you do (or not do) that was effective (or ineffective)?

I was confused, because the header syntax check had become the default in a package upgrade, yet it still wasn't working. I eventually figured out the cause.

The issue is in the following commit, from https://salsa.debian.org/exim-team/exim4:

commit b561c99ba7edd94891bfc66257823f79178ece62 (tag: experimental/4.91--RC1-1)
Author: Andreas Metzler <ametz...@bebt.de>
Date:   Sat Mar 17 17:40:50 2018 +0100

    verify = header_syntax by default

    Upstream now enables verify = header_syntax check in default config,
    mirror this change in Debian, introduce
    NO_CHECK_DATA_VERIFY_HEADER_SYNTAX macro to override this.

diff --git a/debian/changelog b/debian/changelog index 7a8ebc40..0f7126ca 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,13 +3,15 @@ exim4 (4.91~RC1-1) experimental; urgency=medium * Point watchfile to test subdirectory. * New upstream version: + Drop debian/patches/75_*. - + Update example.conf.md5. Upstream now enables verify = header_syntax - check in default config. + + Update example.conf.md5. + Upstream now enables verify = header_syntax check in default config, + mirror this change in Debian, introduce + NO_CHECK_DATA_VERIFY_HEADER_SYNTAX macro to override this. * Build with newly available (well, for GnuTLS) DANE support. * Pull 75_01-Fix-heavy-pipeline-SMTP-command-input-corruption.-Bu.patch from upstream master, fixing https://bugs.exim.org/show_bug.cgi?id=2250. - -- Andreas Metzler <ametz...@debian.org> Sat, 17 Mar 2018 16:09:34 +0100 + -- Andreas Metzler <ametz...@debian.org> Sat, 17 Mar 2018 17:41:51 +0100 exim4 (4.90.1-3) unstable; urgency=medium 
diff --git a/debian/debconf/conf.d/acl/40_exim4-config_check_data b/debian/debconf/conf.d/acl/40_exim4-con fig_check_data index abfa1643..07a949db 100644 --- a/debian/debconf/conf.d/acl/40_exim4-config_check_data +++ b/debian/debconf/conf.d/acl/40_exim4-config_check_data 
@@ -17,14 +17,14 @@ acl_check_data: condition = ${if > {$max_received_linelength}{998}} .endif - # Deny unless the address list headers are syntactically correct. + # Deny if the headers contain badly-formed addresses. # - # If you enable this, you might reject legitimate mail. - .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX + .ifndef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX deny - message = Message headers fail syntax check !acl = acl_local_deny_exceptions !verify = header_syntax + message = header syntax + log_message = header syntax ($acl_verify_message) .endif
END COMMIT

The problem is that if you had a line in your exim config like:

CHECK_DATA_VERIFY_HEADER_SYNTAX = true

then after this change,

.ifndef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX

gets expanded to

.ifndef NO_true

which exim sees as "yes, defined" and the .ifndef becomes false, and so header syntax checking is removed from the config.

Thus, people like me who opted in to header syntax checking, suddenly got it turned off after an exim package upgrade. That was clearly not what was intended. The new macro name should not have included the old as a substring. Exim spec 6.5 warns about macro substrings.

The ideal solution is to support both the old and new macro names.
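Review bot: The debian/changelog entry announces the new NO_CHECK_DATA_VERIFY_HEADER_SYNTAX override but does not mention the existing CHECK_DATA_VERIFY_HEADER_SYNTAX opt-in macro, which the ACL hunk stops testing. Add a line here (and a NEWS entry) telling administrators who already define the old macro what happens to that setting on upgrade and whether they need to remove it.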
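Review bot: In 40_exim4-config_check_data, the new test ".ifndef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX" embeds the old macro name CHECK_DATA_VERIFY_HEADER_SYNTAX as a substring, so on a system that still defines the old macro the line is rewritten by macro substitution and no longer tests the name written here. Choose an override name that does not contain the old one, or keep honouring the old macro alongside it. Separately, the client-facing text shrinks from "Message headers fail syntax check" to "header syntax", which tells a rejected sender less; consider keeping the longer wording in message and leaving the detail to log_message.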
I think that can be done like so:

.ifndef CHECK_DATA_VERIFY_HEADER_SYNTAX
.ifdef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX
.else
header syntax check here
.endif
.endif

-- Package-specific info:
Exim version 4.93 #3 built 28-Apr-2021 13:19:17
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: bullseye/sid
Architecture: amd64 (x86_64)
Kernel: Linux 5.8.0-63-generic (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages exim4-config depends on:
ii  adduser                3.118ubuntu2
ii  debconf [debconf-2.0]  1.5.73

exim4-config recommends no packages.

exim4-config suggests no packages.

-- debconf information excluded

--
Ian Kelling | Senior Systems Administrator, Free Software Foundation
GPG Key: B125 F60B 7B28 7FF6 A2B7 DF8F 170A F0E2 9542 95DF
https://fsf.org | https://gnu.org
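A minimal model of the behaviour this report describes, added here as an illustration and not taken from Exim or the Debian packaging: macro names are replaced by plain text match before a conditional is read, and the conditional tests whether any replacement happened on that line. The function names and the reduced template are assumptions made for the example; the last function is a check an administrator could run over a config template to find conditionals shadowed by a shorter macro name.

```python
import re

# Constructed sample: the conditional and deny block from the commit's ACL hunk.
TEMPLATE = """\
.ifndef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX
deny
  !acl = acl_local_deny_exceptions
  !verify = header_syntax
.endif
"""

def expand(line, macros):
    """Replace macro names by plain text match; report whether any matched."""
    hit = False
    for name, value in macros.items():
        if name in line:
            line, hit = line.replace(name, value), True
    return line, hit

def render(template, macros):
    """Return the lines still active after conditional processing (model)."""
    out, stack = [], []  # one bool per open .ifdef/.ifndef
    for raw in template.splitlines():
        line, hit = expand(raw, macros)
        parts = line.split()
        word = parts[0] if parts else ""
        if word in (".ifdef", ".ifndef"):
            stack.append(hit if word == ".ifdef" else not hit)
        elif word == ".else":
            stack[-1] = not stack[-1]
        elif word == ".endif":
            stack.pop()
        elif all(stack):
            out.append(line)
    return out

def header_check_active(macros):
    return any("verify = header_syntax" in l for l in render(TEMPLATE, macros))

def shadowed_conditionals(template, macros):
    """Conditionals whose tested name is undefined but embeds a defined macro."""
    found = []
    for raw in template.splitlines():
        m = re.match(r"\s*\.ifn?def\s+(\S+)", raw)
        if m and m.group(1) not in macros:
            inner = [n for n in macros if n in m.group(1)]
            if inner:
                found.append((m.group(1), inner))
    return found

if __name__ == "__main__":
    old = {"CHECK_DATA_VERIFY_HEADER_SYNTAX": "true"}  # the reporter's opt-in
    print("no macros:", header_check_active({}))
    print("old opt-in macro:", header_check_active(old))
    print("shadowed:", shadowed_conditionals(TEMPLATE, old))
```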