Hi Jeremy,

thanks for picking this up.

On 03.12.22 19:05, Jeremy Harris via Exim-users wrote:

It fails on expanding the condition, which is part of the exim configuration 
from Ubuntu/Debian:

   deny

     condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                    ${quote:$sender_host_address} --identity \
                    ${if def:sender_address_domain \
                        {--scope mfrom  --identity ${quote:$sender_address}}\
                        {--scope helo --identity ${quote:$sender_helo_name}}}}\
                    {no}{${if eq {$runrc}{1}{yes}{no}}}}

The docs for ${run } say:

      If the option preexpand is not used, the command string is
      split into individual arguments by spaces and then each argument is expanded.

- so that expansion is questionable around the ${if }'s.  But that doesn't
explain the complaint about ${quote:$sender_host_address}.

That expansion worked for years in my setup.

You could play with "exim -d -be" (replacing variables with suitable values)
to trace the evaluation of the expansion.

Stripping it down (removing the if and all quotes) to the following condition works:

    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                     $sender_host_address --identity \
                     --scope mfrom  --identity sender_address}\
                     {no}{${if eq {$runrc}{1}{yes}{no}}}}

As soon as one ${quote: ...} is added, the missing "}" error appears:

    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                     ${quote:$sender_host_address} --identity \
                     --scope mfrom  --identity sender_address}\
                     {no}{${if eq {$runrc}{1}{yes}{no}}}}

Corresponding line in the log:
2022-12-03 21:41:55 H=SENDER_HOSTNAME (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity --scope mfrom --identity sender_address}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string

Or you could just slam in a "preexpand" option to see what happens.

Adding option preexpand leads to another error:
2022-12-03 20:41:46 Attempt to exec tainted path: '/usr/bin/spfquery.mail-spf-perl'
2022-12-03 20:41:46 H=SENDER_HOSTNAME (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>: failed to expand ACL string "${run,preexpand{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": couldn't create child process: Operation not permitted

Either way, the maintainers of that config probably need to know (if they've not
already made some modification which you've not picked up).

I checked the default config from the Ubuntu package (exim4-config, 4.96-3ubuntu1.1); it provides the condition as given earlier in the thread. I will file a bug in Ubuntu's bug tracker to let the maintainers know.

Regards,

Thomas

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
