Hello Phil,

On Mon, Oct 7, 2013 at 11:06 PM, Phil Pennock <[email protected]> wrote:
> On 2013-10-07 at 12:13 +0200, Peter Gervai wrote:
>> > ${if match_ip{$sender_host_address}{ ${lookup dnsdb{>:
>> > defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=$sender_address_domain}}}} }
>> > {no}{yes}}
>
> We had too many people creating security holes through misconfiguration
> so I introduced EXPAND_LISTMATCH_RHS and defaulted it off; this is in
> the second-last paragraph of the description of match_ip in The Exim
> Specification.
Ah, you're right. My bad.

> You fell afoul of the one place where Exim behaves inconsistently; it
> does so because the right-hand-side is a list.

What I was thinking is that maybe the error message could hint at this possibility, but I'm not sure it can be separated from the normal parameter error cases. Just mentioning, maybe.

> Thus if the dnsdb string were slightly different and looked up something
> which could return a TXT record or a hostname, then you would have an
> injection attack against the configuration using DNS as a vector.

Indeed, I agree with the move.

> Since you found a way which works, and which I hope is simpler to read,
> understand and debug, I think you're good?

Yes, thank you, I'm good.

It was originally about the nice fragments on the wiki: https://github.com/Exim/exim/wiki/Verification where the ADSL examples actually won't work under the new regime, since they're using the condition with match_ip and a lookup. The rewrite is tougher since the acl already contains a '!hosts' predicament, so I only attached a comment at the end and let the end user find a solution. Evil. :-)

(A hack would be to expand the string first into a variable, I guess, or to combine the existing hosts check with the new one, but it doesn't look to be simple.)

In my case I had no previous hosts check, so for me it was easy.

Thanks,
Peter

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
