As covered in chapter 44, section 18.6 and 18.7, 'dnslists = ...'
things in ACL conditions can have additional matching conditions. If you
are using Spamhaus, you absolutely want to use these, because under some
conditions Spamhaus will return error codes in 127.255.255.0/24 instead
of regular lookup results, so if you don't exclude these you will wind
up thinking that all incoming email is Spamhaus-listed.

Currently, the documentation says this about negated bitwise-and
conditions:

        Negation can also be used with a bitwise-and restriction. The
        dnslists condition with only be trus if a result is returned by
        the lookup which, anded with the restriction, is all zeroes. For
        example:

(The 'trus' is authentic to the current website but this typo isn't
the issue.)

It then gives the example of:
        deny dnslists = zen.spamhaus.org!&0.255.255.0

This example is great and it works, but either I don't understand
what the documentation is saying or the documentation is incorrect
about how negated bitwise-and matches behave. I'm not sure which
it is, so I haven't filed a bug report and instead I'm asking here.

As I read it, the documentation appears to be saying that a '!&'
bitwise-and works as:
        (ip & bitmask) == 0

(i.e., that a negated bitwise-and match cannot have *any* of the bits set
in the bitmask, which is a useful matching condition.)

If this was the case, 'dbl.spamhaus.org!&0.255.255.0' wouldn't do
what we want. The DBL returns results in 127.0.1.*; bitwise-anded
with 0.255.255.0, we'd get 0.0.1.0 and we'd decide that this wasn't a
successful lookup. However, experimentally DBL lookups do work with this
condition (and do correctly exclude Spamhaus error code returns).

What the actual code does is invert the results of a non-negated
bitwise-and. The non-negated bitwise-and condition is:
        (ip & bitmask) == bitmask

With '!&', if this bitwise-and condition succeeds, the lookup fails.
So if Spamhaus returns 127.255.255.*, we bitwise-and it with 0.255.255.0,
get 0.255.255.0 back, the bitwise-and condition succeeds, and then we
negate that to make the DNSBL lookup fail.
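A small model of the two readings, added here as an example (it is not Exim's code and not part of the original post). The sample DNSBL answers are constructed: 127.0.1.2 stands in for a DBL listing result (127.0.1.*), 127.0.0.2 for a zen.spamhaus.org listing, and 127.255.255.254 for a value in the 127.255.255.0/24 error range the post mentions. It shows that only the "invert the '&' condition" reading makes the DBL result match while still rejecting the error-range answer:

```python
import ipaddress


def _to_int(addr: str) -> int:
    """Convert a dotted-quad string to its 32-bit integer value."""
    return int(ipaddress.IPv4Address(addr))


def documented_negated_and(result: str, mask: str) -> bool:
    """Documented reading of '!&': true only when (result & mask) == 0."""
    return (_to_int(result) & _to_int(mask)) == 0


def positive_and(result: str, mask: str) -> bool:
    """Non-negated '&' condition as described above: (result & mask) == mask."""
    m = _to_int(mask)
    return (_to_int(result) & m) == m


def actual_negated_and(result: str, mask: str) -> bool:
    """Observed behaviour of '!&': simply the inverse of the '&' condition."""
    return not positive_and(result, mask)


# Constructed sample DNSBL answers (hypothetical values chosen to fall in the
# ranges discussed in the post; not real lookup results).
SAMPLE_RESULTS = {
    "dbl-listed": "127.0.1.2",            # DBL returns 127.0.1.*
    "zen-listed": "127.0.0.2",            # a zen.spamhaus.org listing
    "spamhaus-error": "127.255.255.254",  # in the 127.255.255.0/24 error range
}


def evaluate(mask: str = "0.255.255.0") -> dict:
    """Evaluate 'dnslists = <list>!&<mask>' under both readings for each sample.

    A True value means the dnslists condition would be considered true, so
    a 'deny dnslists = ...' ACL line would reject the message.
    """
    return {
        name: {
            "documented": documented_negated_and(ip, mask),
            "actual": actual_negated_and(ip, mask),
        }
        for name, ip in SAMPLE_RESULTS.items()
    }


if __name__ == "__main__":
    for name, outcome in evaluate().items():
        print(f"{name:15s} documented={outcome['documented']!s:5s} "
              f"actual={outcome['actual']}")
```

Under the documented reading the DBL answer would never match (127.0.1.2 & 0.255.255.0 is 0.0.1.0, not zero), which contradicts the observed behaviour; under the inverted-'&' reading both listing results match and only the error-range answer is excluded.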

        - cks
