Hi,

after updating to Ubuntu 22.10 (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), SPF checks (via spf-tools-perl) are failing with "failed to expand ACL string" (which leads to a temp reject):

2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string

It fails on expanding the condition, which is part of the exim configuration from Ubuntu/Debian:

--cut exim configuration
  deny
    message = [SPF] $sender_host_address is not allowed to send mail from \
              ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.  \
              Please see \
              http://www.openspf.org/Why?scope=${if def:sender_address_domain \
              {mfrom}{helo}};identity=${if def:sender_address_domain \
              {$sender_address}{$sender_helo_name}};ip=$sender_host_address
    log_message = SPF check failed.
    !acl = acl_local_deny_exceptions
    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                   ${quote:$sender_host_address} --identity \
                   ${if def:sender_address_domain \
                       {--scope mfrom  --identity ${quote:$sender_address}}\
                       {--scope helo --identity ${quote:$sender_helo_name}}}}\
                   {no}{${if eq {$runrc}{1}{yes}{no}}}}
--cut

I double checked parentheses and can't find any missing. Logged all variables used in the query, everything is defined and set properly (I could run spfquery.mail-spf-perl with the params provided without any issues). I am not able to find a syntax error (especially not the missing "}" mentioned in the error message). Use of tainted $sender_address and $sender_helo_name in run should not be an issue (according to https://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html#vi382).

Is there something I miss/overlook? Any help appreciated.

Regards,
Thomas



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
