https://bugs.exim.org/show_bug.cgi?id=2267

            Bug ID: 2267
           Summary: Contradictory error/no error logged to paniclog for
                    ratelimit options in QUIT/NOTQUIT ACLs
           Product: Exim
           Version: 4.86
          Hardware: x86
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: ACLs
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected]

I have both acl_smtp_quit and acl_smtp_notquit ACLs defined. These check
whether authentication failed and, if it did, use ratelimit to update a count
with a view to throttling or blocking clients trying repeated AUTH attempts.

In each of the ACLs the ratelimit line reads:
    ratelimit = 5 / 1h / strict / BadAuth:$sender_host_address

This is accepted without error and the associated rate limiting worked for a
long time.

Realising I hadn't explicitly named a "per_XXX" option I explicitly added the
"per_mail" option that until now the ratelimit condition had been defaulting to
using:
    ratelimit = 5 / 1h / per_mail / strict / BadAuth:$sender_host_address

This now causes Exim to log an entry in paniclog whenever the ACL runs
complaining with either
    ACL for QUIT returned ERROR: error in arguments to "ratelimit" condition: "per_mail" must not have /leaky or /strict option in QUIT ACL
or
    ACL for not-QUIT returned ERROR: error in arguments to "ratelimit" condition: "per_mail" must not have /leaky or /strict option in NOTQUIT ACL
depending which ACL triggered.

This seems inconsistent and wrong because:

1) If I explicitly include the "per_mail" option in the ratelimit condition
Exim paniclogs an error saying I MUST NOT use either strict or leaky with
"per_mail" in that ACL.

2) If I omit all "per_XXX" options but still include "strict" or "leaky" then
the ratelimit defaults to use "per_mail" but DOES NOT paniclog an error.

Surely you can't have it both ways?! :-)
Either strict/leaky can be used with per_mail in these ACLs (in which case (1)
is wrong), or cannot be used (in which case (2) is wrong).

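An added example, not part of the original report and not Exim's own code: a small audit script that scans a configuration for ratelimit conditions in the QUIT/NOTQUIT ACLs and reports both forms described above, so an administrator can see which lines rely on the implicit per_mail default and which name it explicitly. The ACL names and the sample configuration are constructed, and the option parsing is a simplification that treats any "per_" field as the per-option.

```python
import re

UPDATE_MODES = {"leaky", "strict"}

def parse_ratelimit(line):
    """Return (per_option_or_None, update_modes, key) for a ratelimit line, else None."""
    m = re.search(r"\bratelimit\s*=\s*(.+)$", line)
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split("/")]
    rest = fields[2:]  # fields[0] is the limit, fields[1] the period
    per = next((f for f in rest if f.startswith("per_")), None)
    modes = {f for f in rest if f in UPDATE_MODES}
    key = "/".join(f for f in rest if f != per and f not in modes)
    return per, modes, key

def audit(config_text, acl_names):
    """Return (acl, line_no, finding) for strict/leaky ratelimit lines in the named ACLs."""
    findings, current = [], None
    for no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        label = re.match(r"^(\w+):\s*$", line)
        if label:
            current = label.group(1)  # start of a new ACL block
            continue
        parsed = parse_ratelimit(line)
        if parsed is None or current not in acl_names or not parsed[1]:
            continue
        per = parsed[0]
        if per is None:
            # Form (2) in the report: defaults to per_mail, no paniclog entry
            findings.append((current, no, "implicit-per_mail"))
        elif per == "per_mail":
            # Form (1) in the report: rejected with a paniclog entry
            findings.append((current, no, "explicit-per_mail"))
    return findings

# Constructed sample configuration; ACL names are hypothetical.
SAMPLE = """\
acl_check_quit:
  warn  condition = ${if eq{$authentication_failed}{1}}
        ratelimit = 5 / 1h / strict / BadAuth:$sender_host_address

acl_check_notquit:
  warn  condition = ${if eq{$authentication_failed}{1}}
        ratelimit = 5 / 1h / per_mail / strict / BadAuth:$sender_host_address

acl_check_rcpt:
  warn  ratelimit = 10 / 1h / per_rcpt / strict / $sender_host_address
"""
```

Call `audit(SAMPLE, {"acl_check_quit", "acl_check_notquit"})` with the ACL names that acl_smtp_quit and acl_smtp_notquit point to in your own configuration.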