On 2026-06-15 Terry Roy via Pkg-exim4-maintainers <[email protected]> wrote: > Package: exim4-daemon-heavy > Version: 4.98.2-1+deb13u3 > Severity: important
> Dear Maintainer, > The security update to exim4 4.98.2-1+deb13u3 (trixie-security, installed > 2026-06-15) introduced a regression in virtual alias routing for sites using > a bare filename in the `domains` condition of Exim routers. > ** Symptoms > Virtual alias addresses are rejected with: > 550 5.1.1 Bad destination mailbox address > `exim4 -d -bt user@domain` shows the virtual_aliases router being skipped > with "domains mismatch" despite the domain being present in the domains file. > ** Configuration > The virtual_aliases router had: > domains = VIRTDIR/domains > where VIRTDIR expands to /etc/exim4/virtual. This configuration worked > correctly under all previous versions of exim4 in trixie. > ** Root cause > In 4.98.2-1+deb13u3, a bare filename in a domains list is no longer treated > as an implicit lsearch. The string is matched literally, so no domain ever > matches. The debug trace confirms this: > cfsg.net in domains? > list element: /etc/exim4/virtual/domains > cfsg.net in domains? no (end of list) > virtual_aliases router skipped: domains mismatch > Note that the domainlist declaration for local_domains in the same config > uses the explicit prefix and was unaffected: > domainlist local_domains = @ : localhost : > lsearch;/etc/exim4/virtual/domains > ** Workaround > Adding the explicit lsearch; prefix to the router domains condition restores > correct behavior: > domains = lsearch;VIRTDIR/domains [...] Hello Terry, using a literal filename and lsearch-ing it are not equivalent, see https://www.exim.org/exim-html-current/doc/html/spec_html/ch-domain_host_address_and_local_part_lists.html 2.2 and 2.3. Trivial example: ametzler@argenau:/tmp$ head /tmp/inputforlsearch /tmp/exim4.conf.test ==> /tmp/inputforlsearch <== ubuntu.com: debian.org: ==> /tmp/exim4.conf.test <== domainlist works_b = lsearch;/tmp/inputforlsearch domainlist fails_b = /tmp/inputforlsearch ametzler@argenau:/tmp$ /usr/sbin/exim4 -C /tmp/exim4.conf.test -be '${if match_domain{debian.org}{+works_b}{yes}{no}}' yes ametzler@argenau:/tmp$ /usr/sbin/exim4 -C /tmp/exim4.conf.test -be '${if match_domain{debian.org}{+fails_b}{yes}{no}}' no A file used as literal filename would use a different format: ametzler@argenau:/tmp$ head /tmp/inclusionasfilename /tmp/exim4.conf.test ==> /tmp/inclusionasfilename <== ubuntu.com debian.org ==> /tmp/exim4.conf.test <== domainlist works_a = /tmp/inclusionasfilename ametzler@argenau:/tmp$ /usr/sbin/exim4 -C /tmp/exim4.conf.test -be '${if match_domain{debian.org}{+works_a}{yes}{no}}' yes cu Andreas
