[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
https://bugs.exim.org/show_bug.cgi?id=1649

Jeremy Harris changed:

What       | Removed | Added
Status     | NEW     | RESOLVED
Resolution | ---     | FIXED

--- Comment #21 from Jeremy Harris ---
Since we now have a native implementation, not needing the dead library, closing as fixed.

Note that the old implementation will be removed, before the next release.

--
You are receiving this mail because: You are on the CC list for the bug.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #22 from Git Commit ---
Git commit: https://git.exim.org/exim.git/commitdiff/b07d141af23f2ab160eba2b58a834baee513b3f8

commit b07d141af23f2ab160eba2b58a834baee513b3f8
Author:     Jeremy Harris
AuthorDate: Sat Feb 5 15:38:04 2022 +
Commit:     Jeremy Harris
CommitDate: Sat Feb 5 15:38:04 2022 +

    retire old libsrs_alt -based srs support. bug 1649

 doc/doc-txt/experimental-spec.txt | 56 -
 src/OS/Makefile-Base              | 2 -
 src/src/EDITME                    | 12 +-
 src/src/config.h.defaults         | 1 -
 src/src/deliver.c                 | 13 ---
 src/src/exim.c                    | 3 -
 src/src/exim.h                    | 3 -
 src/src/expand.c                  | 11 +-
 src/src/globals.c                 | 20
 src/src/globals.h                 | 15 ---
 src/src/macro_predef.c            | 5 +-
 src/src/readconf.c                | 9 --
 src/src/routers/queryprogram.c    | 4 -
 src/src/routers/redirect.c        | 106 -
 src/src/routers/redirect.h        | 8 --
 src/src/srs.c                     | 236 --
 src/src/srs.h                     | 30 -
 src/src/structs.h                 | 3 -
 src/src/verify.c                  | 4 -
 19 files changed, 3 insertions(+), 538 deletions(-)
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
Git Commit changed:

What | Removed | Added
CC   |         | g...@exim.org

--- Comment #19 from Git Commit ---
Git commit: https://git.exim.org/exim.git/commitdiff/7ef88aa0c4c0608ee54ed2ff90b4b34c518d9bb5

commit 7ef88aa0c4c0608ee54ed2ff90b4b34c518d9bb5
Author:     Jeremy Harris
AuthorDate: Sun Oct 13 15:50:46 2019 +0100
Commit:     Jeremy Harris
CommitDate: Sun Oct 13 15:54:14 2019 +0100

    srs: native implementation. bug 1649

 doc/doc-txt/NewStuff              | 6 +
 doc/doc-txt/experimental-spec.txt | 75 -
 src/src/EDITME                    | 4 +
 src/src/config.h.defaults         | 1 +
 src/src/exim.c                    | 2 +-
 src/src/expand.c                  | 332 --
 src/src/globals.c                 | 3 +
 src/src/globals.h                 | 3 +
 src/src/macro_predef.c            | 5 +-
 test/confs/4620                   | 87 ++
 test/log/4620                     | 16 ++
 test/mail/4620.CALLER             | 56 +++
 test/scripts/4620-SRS/4620        | 16 ++
 test/scripts/4620-SRS/REQUIRES    | 2 +
 14 files changed, 559 insertions(+), 49 deletions(-)
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
Jeremy Harris changed:

What     | Removed | Added
See Also |         | https://bugs.exim.org/show_bug.cgi?id=1790
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
hart changed:

What | Removed | Added
CC   |         | hart3778av...@gmx.com

--- Comment #18 from hart ---
Thanks Heiko. How's the work going? Hope you made some progress.
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
Jeremy Harris changed:

What     | Removed | Added
See Also |         | https://bugs.exim.org/show_bug.cgi?id=2193
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #17 from Mike Brudenell ---
Something that can help here is to set your "Email whitelist" and "Inbound gateway" settings correctly within your Google Admin Console...

Here we have one set of servers ("inbound") that receive email from the outside world, and hence untrusted sources. A second set ("outbound") receive email from local or trusted clients.

We list the outbound servers in the "Email whitelist" within our Gsuite Admin Console, which makes their spam checking a little more lenient for messages arriving from these servers.

We list the inbound servers in the "Inbound gateway" within our Gsuite Admin Console, which lets Google do SPF etc checks against the IP address of the server connecting to ours, rather than against the IP address of our own inbound servers.

Rightly or wrongly we don't do SRS for messages passing through the inbound servers: only for ones going out through the outbound servers (ie, trusted sources) that need to use an RFC5321.MailFrom that isn't our own domain.

PS. Should we really be continuing to discuss this within a bug report thread? It just feels wrong somehow...
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #16 from Jim Barry ---
Thanks Felix, I'm painfully aware of that! Naturally I try my best to reject as much spam as possible, but I don't quite have the same resources as Google ;-)

I had hoped that as long as I used a SPF-compliant envelope address, GMail would accept the forwarded email, labelling it as spam if appropriate. However, this is evidently not the case.
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
Felix Schwarz changed:

What | Removed | Added
CC   |         | felix.schwarz@oss.schwarz.eu

--- Comment #15 from Felix Schwarz ---
(In reply to Jim Barry from comment #12)
> Also, it seems that SRS is basically a waste of time for my situation. My
> users forward their mail to accounts such as GMail that either accept the
> message or reject it at SMTP time.

Just fyi I think you need to ensure that only non-spam is forwarded to gmail. Otherwise your ip reputation will deteriorate significantly (gmail will hold your server responsible for all forwarded messages so it might consider you a "spammer"). If you can't help it use a separate forwarding ip.

For more details please read the mailop archives (Brandon Long is a gmail postmaster on that list so he can be considered an authoritative source).

Sorry for this off-topic comment.
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #14 from Jim Barry ---
Thanks Jeremy, but how do I get Exim to discard the messages instead of bouncing?
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #13 from Jeremy Harris ---
A specific retry rule, eg:

    gmail.com  data_421  G,4d,1h,1.5

http://exim.org/exim-html-current/doc/html/spec_html/ch-retry_configuration.html#SECID163
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #12 from Jim Barry ---
Really quite annoyed to discover that even after rewriting the envelope sender to pass SPF, GMail still rejects messages with header.from addresses that it doesn't like. Worse, it issues a temporary error code (421) causing my mail queue to fill up with forwarded messages that GMail won't accept, but won't permanently reject either. This is exactly what I was trying to avoid by implementing SRS.

Also, it seems that SRS is basically a waste of time for my situation. My users forward their mail to accounts such as GMail that either accept the message or reject it at SMTP time. There will never be NDR, so there is no need for SRS. A fixed return path (with an invalid local part) will do just fine.

Now, if I could figure out how to discard the messages that GMail rejects... anyone got any ideas?

Thanks
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #11 from Mike Brudenell ---
Hi, Jim!

You're quite right about "max_rcpt = 1", which Jeremy had in his original transport and I lost in my version. Mea culpa!

I think that happened because I was trying to extract code from my config and backporting it to Jeremy's example. My own config here does two tests -- one to see whether to SRS-rewrite, the other whether to DKIM-sign -- within my single remote_smtp router. The SRS test doesn't use $original_domain at all (I now explicitly use a different domain name for SRS-rewritten addresses), but the DKIM test does still use $original_domain so I've just been peering at it long and hard...

I *think* I'm safe using $original_domain in that test because it's only used when identifying incoming NDRs to messages we sent out with an SRS-rewritten sender. I *think* I'm right in believing that an NDR should normally only be going to a single recipient? (Sure a spammer could forge an NDR message from "<>" and going to multiple recipients, but my test will fail safe and not DKIM-sign in that case.)

Cheers,
Mike B-)
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
Jim Barry changed:

What | Removed | Added
CC   |         | j...@chez-jim.net

--- Comment #10 from Jim Barry ---
Many thanks to Jeremy and Mike for sharing their ideas.

Mike, $original_domain is not set when more than one address is being delivered in a single transport run, resulting in a malformed return path. Setting "max_rcpt = 1" does fix this, though of course it causes a separate copy to be sent to each recipient. Instead, I ended up specifying the rewritten sender domain directly (via a macro named SRS_DOMAIN).
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #9 from Jonathan Cooper ---
Thanks for the details Mike, that's now working perfectly for me.

Sorry for muffing my previous comment, clearly I shouldn't try communicating when half asleep!

Thanks again,
Jonathan
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #8 from Mike Brudenell ---
Hi, unnamed person(!) - I can't see a "Mark" in the chain of comments so I'm guessing you mean me (Mike)...

To avoid using the base32 and base32d you basically just need to omit them, and tweak pattern matches to check against the character set of the replacement method you use. For example instead of using base32 I use decimal, as Jeremy suggested in his original comment, so use a match pattern for "[0-9]+" instead.

I've extracted the relevant bits of my configuration file and include them below, to be used with the code I posted in the comment dated 2016-08-02 16:12:53 BST. I hope I've not introduced any syntactic or logic errors whilst doing so - my routers and transports are a bit more complicated as they also handle DKIM signing and might cause severe melting of the brain! 8-0

To make the router and transport slightly clearer and configurable I define some macros in the main part of the configuration file (and which use slightly different values to the previous examples posted):

    # The SRS Secret that's been generated for signing SRS-rewritten addresses
    SRS_SECRET = ...

    # The number of characters to extract from the computed hash and include
    # within the SRS-rewritten address.
    SRS_HASH_LENGTH = 6

    # The modulus at which the age (in days) wraps around.
    # 0xfff = 4095 days = ~11 years
    SRS_AGE_MODULUS = 0xfff

    # The maximum age (in days) of a valid SRS-rewritten address. Messages
    # arriving for addresses older than this will be rejected.
    SRS_MAX_AGE = 31

For the inbound_srs router the replacement "condition" line (simplified, to remove some of the redundant true/false's) would be:

    condition = ${if match {$local_part} {^(?i)SRS0=([^=]+)=([0-9]+)=([^=]*)=(.*)\$} \
                  {${if and { \
                      {<= {${eval:$tod_epoch/86400 - $2 & SRS_AGE_MODULUS}} {SRS_MAX_AGE} } \
                      {eq {$1} {${length {SRS_HASH_LENGTH} {${hmac {md5} {SRS_SECRET} {${lc:$4@$3}}}}}}} \
                    } \
                  }} \
                  {false}}

For the remote_forwarded_smtp transport the "return_path" line becomes:

    return_path = SRS0\
                  =${length {SRS_HASH_LENGTH} {${hmac{md5}{SRS_SECRET}{${lc:$return_path}}}}}\
                  =${eval:$tod_epoch / 86400 & SRS_AGE_MODULUS}\
                  =${domain:$return_path}\
                  =${local_part:$return_path}\
                  @$original_domain

Cheers,
Mike B-)
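The SRS0 scheme built up in this thread (truncated HMAC-MD5 over the lowercased return path, a wrapping day counter, strict field patterns), modelled in Python as an added example; it is not code from the thread or from Exim. The secret, the SRS_DOMAIN value, the function names and the bind_stamp option (which also feeds the timestamp into the MAC, something the posted configuration does not do) are assumptions.

```python
import hashlib
import hmac
import re

# Values mirroring the macros in the thread; the secret and domain are constructed.
SRS_SECRET = b"constructed-example-secret"
SRS_HASH_LENGTH = 6        # characters of the hex HMAC kept in the address
SRS_AGE_MODULUS = 0xFFF    # day counter wraps at 4095
SRS_MAX_AGE = 31           # days
SRS_DOMAIN = "forwarder.example"

# Hash and timestamp must be non-empty and the timestamp purely decimal, so
# user-supplied junk is rejected by the pattern before any arithmetic runs.
SRS0_RE = re.compile(r"^SRS0=([^=]+)=([0-9]+)=([^=]*)=(.*)$", re.IGNORECASE)


def _tag(address, stamp=None):
    """Truncated HMAC-MD5 over the lowercased address.

    The configuration in the thread MACs only the address, so the timestamp
    field is not authenticated. Passing stamp (an added hardening, not from
    the thread) puts it into the MAC input as well.
    """
    data = address.lower() if stamp is None else f"{stamp}={address.lower()}"
    digest = hmac.new(SRS_SECRET, data.encode(), hashlib.md5).hexdigest()
    return digest[:SRS_HASH_LENGTH]


def srs_rewrite(return_path, now, bind_stamp=False):
    """Build the SRS0 envelope sender used when forwarding."""
    local, at, domain = return_path.rpartition("@")
    if not at:
        raise ValueError("return path has no domain")
    stamp = str((now // 86400) & SRS_AGE_MODULUS)
    tag = _tag(return_path, stamp if bind_stamp else None)
    return f"SRS0={tag}={stamp}={domain}={local}@{SRS_DOMAIN}"


def srs_reverse(local_part, now, bind_stamp=False):
    """Return the original address for a valid SRS0 local part, else None."""
    m = SRS0_RE.match(local_part)
    if m is None:
        return None
    tag, stamp, domain, local = m.groups()
    # Masking the difference handles the counter wrapping between send and bounce.
    age = (now // 86400 - int(stamp)) & SRS_AGE_MODULUS
    if age > SRS_MAX_AGE:
        return None
    expected = _tag(f"{local}@{domain}", stamp if bind_stamp else None)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return f"{local}@{domain}"
```

Lowercasing inside `_tag` is what lets a bounce whose local part was case-folded by the remote host still verify, as comment #5 asks for.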
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
bugs.exim@jonc.me.uk changed:

What | Removed | Added
CC   |         | bugs.exim@jonc.me.uk

--- Comment #7 from bugs.exim@jonc.me.uk ---
Mark, could you expand on how to avoid using base32 for someone who's not an exim guru?

Many thanks!
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
Mike Brudenell changed:

What | Removed | Added
CC   |         | mike.bruden...@york.ac.uk

--- Comment #6 from Mike Brudenell ---
There's a problem with applying base32d to the $2 pattern match. The latter contains an extract of user-supplied data within $local_part; if this contains characters outside the base32 character set then base32d fails, causing the string expansion to fail, eventually leading to an entry being logged in paniclog.

This can be avoided by making sure the pattern matching expression that produces $2 only matches against the base32 character set, and also ensures it consists of at least one character. The hash string ($1) should also be at least one character, as in the pattern used within the sg substitution later:

    ^(?i)SRS0=([^=]+)=([A-Z2-7]+)=([^=]*)=(.*)\$

It's probably also a good idea to follow the inbound_srs router with one that matches the SRS0 address with most other conditions relaxed and have it issue a failure response if, for example, the hash fails to verify or the timestamp is too old.

Finally, I don't think that the "max_rcpt = 1" is needed on the transport as nothing within it depends on the recipient address, or uses variables that are only populated if all the recipients share the same domain. My testing so far supports this.

These changes, along with Jeremy's earlier response about needing to use "lc:" to lowercase the return-path, the above becomes...

    #routers

    outbound:
      driver =    dnslookup
      domains =   ! +my_domains
      transport = ${if eq {$local_part@$domain} \
                          {$original_local_part@$original_domain} \
                       {remote_smtp} {remote_forwarded_smtp}}

    inbound_srs:
      driver =    redirect
      senders =   :
      domains =   +my_domains
      condition = ${if match {$local_part} \
                             {^(?i)SRS0=([^=]+)=([A-Z2-7]+)=([^=]*)=(.*)\$} \
                    {${if and { {<= {${eval:$tod_epoch/86400 - ${base32d:$2} & 0x3ff}} \
                                    {10}} \
                                {eq {$1} \
                                    {${l_4:${hmac{md5}{SRS_SECRET}{${lc:$4@$3}}}}}}} \
                              } \
                          {true}{false} \
                    }} \
                    {false} \
                  }
      data =      ${sg {$local_part} \
                       {^(?i)SRS0=[^=]+=[^=]+=([^=]*)=(.*)\$} \
                       {\$2@\$1}}

    inbound_srs_failure:
      driver =    redirect
      senders =   :
      domains =   +my_domains
      condition = ${if match {$local_part} \
                             {^(?i)SRS0=([^=]+)=([^=]+)=([^=]*)=(.*)\$} \
                  }
      allow_fail
      data =      :fail: Invalid SRS recipient address

    # transport

    remote_forwarded_smtp:
      driver =      smtp
      return_path = SRS0\
                    =${l_4:${hmac{md5}{SRS_SECRET}{${lc:$return_path}}}}\
                    =${base32:${eval:$tod_epoch/86400&0x3ff}}\
                    =${domain:$return_path}\
                    =${local_part:$return_path}\
                    @$original_domain

The above uses ${base32:}, which only just appeared in 4.next, for the timestamp. You could perfectly well use the decimal number, making sure you update the pattern match that produces $2 to contain just decimal digits: [0-9]+
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #5 from Jeremy Harris ---
Addendum to #3: best to ${lc: ...} the last argument to hmac (two places); you cannot trust that the original return-path was all lowercase, and was not lowercased by the forwarding destination upon generating a bounce.
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
Heiko Schlittermann changed:

What     | Removed       | Added
Assignee | ni...@exim.org | h...@schlittermann.de
CC       |               | h...@schlittermann.de

--- Comment #4 from Heiko Schlittermann ---
I'll do the work. But please don't hold your breath :)

Currently I'm using SRS via the Debian srs package and ${run{/usr/bin/srs ...}}}.
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #3 from Jeremy Harris ---
If you're willing to use only SRS0 addresses:

    #routers

    outbound:
      driver =    dnslookup
      domains =   ! +my_domains
      transport = ${if eq {$local_part@$domain} \
                          {$original_local_part@$original_domain} \
                       {remote_smtp} {remote_forwarded_smtp}}

    inbound_srs:
      driver =    redirect
      senders =   :
      domains =   +my_domains
      condition = ${if match {$local_part} \
                             {^(?i)SRS0=([^=]*)=([^=]*)=([^=]*)=(.*)\$} \
                    {${if and { {<= {${eval:$tod_epoch/86400 - ${base32d:$2} & 0x3ff}} \
                                    {10}} \
                                {eq {$1} \
                                    {${l_4:${hmac{md5}{SRS_SECRET}{$4@$3}}}}} \
                              } \
                          {true}{false} \
                    }} \
                    {false} \
                  }
      data =      ${sg {$local_part} \
                       {^(?i)SRS0=[^=]+=[^=]+=([^=]*)=(.*)\$} \
                       {\$2@\$1}}

    # transport

    remote_forwarded_smtp:
      driver =      smtp
      max_rcpt =    1
      return_path = SRS0\
                    =${l_4:${hmac{md5}{SRS_SECRET}{$return_path}}}\
                    =${base32:${eval:$tod_epoch/86400&0x3ff}}\
                    =${domain:$return_path}\
                    =${local_part:$return_path}\
                    @$original_domain

The above uses ${base32:}, which only just appeared in 4.next, for the timestamp. You could perfectly well use the decimal number.
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #2 from Arkadiusz Miskiewicz ---
I'm a SRS user (on non Debian though) and it works nicely for forwarding used by users (without SRS forwards are obviously broken due to SPF widely used).

If internal SRS is too hard/not worthy to implement/maintain then better leave as is.
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
--- Comment #1 from Jeremy Harris ---
If the libraries are dead, possibly there just isn't enough call for SRS and we should drop any pretence at supporting it?

Otherwise any "rework" actually means "write it, maybe from scratch, and support it forever".
[exim-dev] [Bug 1649] rework SRS to avoid using dead libraries
Jeremy Harris changed:

What             | Removed   | Added
Target Milestone | Exim 4.86 | Indeterminate
CC               |           | jgh146...@wizmail.org