SPF check fails in exim4 with "failed to expand ACL string"
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
exim4 (Ubuntu) | Status tracked in Mantic | | |
Kinetic | Fix Released | High | Bryce Harrington |
Lunar | Fix Released | High | Bryce Harrington |
Mantic | Fix Released | High | Bryce Harrington |
Bug Description
[Impact]
SPF checks fail, leading to a temp reject of emails. The logs show errors regarding failures to recognize closing bracket '}'.
This is caused by syntax errors attempting to read the exim4 config snippets that use quoted variables, such as for passing variables to subprocesses via ${run } constructs.
[Test Case]
On the host system, create a network for your local lxc containers:
host> lxc network create net-lp1998678
host> lxc network show net-lp1998678 | grep \.address
ipv4.address: 10.167.37.1/24
ipv6.address: fd42:723:
Then launch two containers:
host> lxc launch ubuntu-daily:lunar exim4-sru-
host> lxc launch ubuntu-daily:lunar exim4-sru-
-------
Set up the first container as a sending client:
host> lxc exec exim4-sru-
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Edit /etc/exim4/
LXD network from the ROUTER_
Restart exim4.service.
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
-------
The second container is set up as a receiver, that checks SPF:
host> lxc exec exim4-sru-
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Modify /etc/exim4/
local LXD network from the ROUTER_
and enable checking of SPF emails on receipt:
CHECK_RCPT_SPF = true
Additionally, edit the SPF configuration snippet to remove the embedded $if statement (which is broken for unrelated reasons), IOW it should look like:
.ifdef CHECK_RCPT_SPF
deny
!acl = acl_local_
condition = ${run{/
message = [SPF] $sender_
${if def:sender_
log_message = SPF check failed.
Finally, install the SPF tools themselves:
# apt-get install -y spf-tools-perl
Restart exim4.service
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
-------
Now you should be able to send an email from the first to the second container.
On the first container:
# echo TEST | mail -s test <email address hidden>
On the second container:
# cat /var/log/
In the erroneous case you should see an error such as:
2023-02-10 07:27:12 H=exim4-
-------
To test the fixed case, enable the PPA (or -proposed once it's available) in each of the containers after launching:
host> lxc exec exim4-lp1998678
# add-apt-repository -yus ppa:bryce/
# apt-get upgrade -y
Then repeat the steps as above. This time you should see logged output such as:
2023-06-16 03:26:47 1qA06p-00062l-1N <= <email address hidden> H=exim4-
2023-06-16 03:26:47 1qA06p-00062l-1N => ubuntu <email address hidden> R=local_user T=mail_spool
2023-06-16 03:26:47 1qA06p-00062l-1N Completed
[Where Problems Could Occur]
Because the patch involves the parsing of the exim4 config file, things to look for would be issues related to the config file parsing. In particular, the change affects how config construct nesting behaves, which occurs with ${run, ${if, and other such config language features.
Of particular note, while this issue was discovered in association with SPF support, the fix really has nothing to do with SPF in particular, so it is unlikely that SPF-related behavioral changes would be due to this fix, unless they involve the exim4 config file in some fashion.
Finally, it should be added that the SPF configuration included in Ubuntu's exim4 delta does not work any longer, since probably 4.95 or so, and even with this fix it will still error but with a different error message. Unfortunately the Ubuntu-provided snippet relied on undocumented behavior in exim4's config parsing that is no longer supported.
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.
failed to expand ACL string "${run{
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_
803 condition = ${run{/
804 ${quote:
805 ${if def:sender_
806 {--scope mfrom --identity ${quote:
807 {--scope helo --identity ${quote:
808 {no}{${if eq {$runrc}
809 message = [SPF] $sender_
810 ${if def:sender_
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_
815 condition = ${if eq {$runrc}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}
822 {${if eq {$runrc}
823 {${if eq {$runrc}
824 {${if eq {$runrc}
825 } client-
826 ${if def:sender_
827 {envelope-
828 helo=$sender_
829
830 warn
831 condition = ${if >{$runrc}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down the condition to
condition = ${run{/
works; as soon as anything with curly brackets is added, the expansion fails.
The issue is also discussed on the exim-users mailing list, see https:/
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://
500 http://
500 http://
500 http://
100 /var/lib/
4.96-3ubuntu1 500
500 http://
500 http://
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion
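The nested-brace problem described in the Test Case, "Where Problems Could Occur" and Original Report sections above, as an added example that is not part of this bug report and is not Exim's own string-expansion code: a small depth-aware scanner for a `${run{<cmd>}{<yes>}{<no>}}` item. It assumes only the grammar visible in the quoted template (`${` opens an item, arguments are brace groups, a backslash escapes the next character) and contrasts a whitespace-only split of the command, which tears a `${if ...}{...}{...}` containing spaces into fragments that are no longer brace-balanced, with a split that breaks arguments only at brace depth 0. The `SPF_CMD` string is a constructed reconstruction of the truncated spfquery condition, not a verbatim copy of the Ubuntu snippet, and nothing here reproduces Exim 4.96's actual argument-splitting rules.

```python
"""Added example, not part of this bug report or of Exim's source code.
Assumed grammar (from the template quoted in the report): '${' opens an
item, arguments are brace groups, a backslash escapes the next character.
SPF_CMD below is a CONSTRUCTED reconstruction of the truncated spfquery
condition, not a verbatim copy of the Ubuntu snippet."""

# Constructed sample: the command group of the SPF condition, then the item.
SPF_CMD = (
    "/usr/bin/spfquery --ip ${quote:$sender_host_address} "
    "--helo ${quote:$sender_helo_name} "
    "${if def:sender_address "
    "{--scope mfrom --identity ${quote:$sender_address}}"
    "{--scope helo --identity ${quote:$sender_helo_name}}}"
)
SPF_ITEM = "${run{" + SPF_CMD + "}{no}{${if eq {$runrc}{1}{yes}{no}}}}"

def match_brace(s, start):
    """Index of the '}' closing the '{' at s[start], tracking nesting depth.
    Raises ValueError for an unterminated group: the 'missing closing
    bracket' class of expansion failure."""
    if start >= len(s) or s[start] != "{":
        raise ValueError(f"expected '{{' at offset {start}")
    depth, i = 0, start
    while i < len(s):
        c = s[i]
        if c == "\\":          # escaped character: skip it entirely
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError(f"missing closing '}}' for '{{' at offset {start}")

def split_groups(s):
    """'{a}{b}{c}' -> ['a', 'b', 'c']; whitespace between groups (line
    continuations in a config file) is ignored."""
    groups, i = [], 0
    while i < len(s):
        if s[i].isspace():
            i += 1
            continue
        j = match_brace(s, i)
        groups.append(s[i + 1:j])
        i = j + 1
    return groups

def parse_run(item):
    """Return (command, yes_string, no_string) of a ${run{..}{..}{..}} item."""
    if not (item.startswith("${run") and item.endswith("}")):
        raise ValueError("not a ${run...} item")
    if match_brace(item, 1) != len(item) - 1:   # outer group must span the item
        raise ValueError("outer ${run ...} group does not end at the last '}'")
    groups = split_groups(item[len("${run"):-1])
    if len(groups) != 3:
        raise ValueError(f"expected 3 brace groups, got {len(groups)}")
    return tuple(groups)

def expansion_error(item):
    """Error message the scanner produces for a ${run} item, or None."""
    try:
        parse_run(item)
    except ValueError as e:
        return str(e)
    return None

def brace_aware_argv(cmd):
    """Split a command into argv on whitespace only at brace depth 0, so a
    ${if ...}{...}{...} containing spaces stays a single argument."""
    args, buf, depth, i = [], [], 0, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\":
            buf.append(cmd[i:i + 2])
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unexpected '}}' at offset {i}")
        if depth == 0 and c.isspace():
            if buf:
                args.append("".join(buf))
                buf = []
        else:
            buf.append(c)
        i += 1
    if depth != 0:
        raise ValueError("missing closing '}'")
    if buf:
        args.append("".join(buf))
    return args

def naive_argv(cmd):
    """The failure mode: split on every space regardless of braces."""
    return cmd.split()

def is_balanced(arg):
    """True if arg's braces pair up (a naive fragment usually does not)."""
    try:
        brace_aware_argv(arg)
        return True
    except ValueError:
        return False
```

Running `brace_aware_argv(parse_run(SPF_ITEM)[0])` yields six arguments, the last being the whole `${if def:sender_address ...}` item; `naive_argv` on the same command yields fourteen tokens, four of which (`${if`, `{--scope`, and the two fragments ending in `}}{--scope` and `}}}`) fail `is_balanced`, which is the shape of the "unrecognised closing bracket" failure the report describes. `expansion_error` returns the scanner's message for a config line instead of raising, which is convenient for checking a snippet before loading it.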
Related branches
- Reviews: Christian Ehrhardt (community): Needs Fixing; Canonical Server Core Reviewers: Pending requested; Canonical Server packageset reviewers: Pending requested; Canonical Server Reporter: Pending requested; git-ubuntu import: Pending requested
  Diff: 1674 lines (+1125/-20) (has conflicts), 6 files modified: debian/EDITME.exim4-heavy.diff (+0/-12), debian/changelog (+1039/-0), debian/control (+3/-2), debian/debconf/conf.d/acl/30_exim4-config_check_rcpt (+27/-6), debian/patches/fix_smtp_banner.patch (+55/-0), debian/patches/series (+1/-0)
- Reviews: git-ubuntu bot: Approve; Lena Voytek (community): Approve; Canonical Server: Pending requested; Canonical Server Reporter: Pending requested; Canonical Server Core Reviewers: Pending requested
  Diff: 68 lines (+46/-0), 3 files modified: debian/changelog (+9/-0), debian/patches/fix-run--arg-parsing.patch (+36/-0), debian/patches/series (+1/-0)
- Reviews: git-ubuntu bot: Approve; Lena Voytek (community): Approve; Canonical Server: Pending requested; Canonical Server Core Reviewers: Pending requested; Canonical Server Reporter: Pending requested
  Diff: 68 lines (+46/-0), 3 files modified: debian/changelog (+9/-0), debian/patches/fix-run--arg-parsing.patch (+36/-0), debian/patches/series (+1/-0)
- Reviews: git-ubuntu bot: Approve; Lena Voytek (community): Approve; Canonical Server Reporter: Pending requested; Canonical Server: Pending requested; Canonical Server Core Reviewers: Pending requested
  Diff: 91 lines (+53/-5), 4 files modified: debian/changelog (+11/-0), debian/debconf/conf.d/acl/30_exim4-config_check_rcpt (+4/-5), debian/patches/fix-run--arg-parsing.patch (+37/-0), debian/patches/series (+1/-0)
tags: added: server-todo
Changed in exim4 (Ubuntu Kinetic): assignee: nobody → Bryce Harrington (bryce)
Changed in exim4 (Ubuntu Lunar): assignee: nobody → Bryce Harrington (bryce)
Changed in exim4 (Ubuntu Kinetic): importance: Undecided → High
Changed in exim4 (Ubuntu Lunar): importance: Undecided → High
description: updated
description: updated
description: updated
description: updated
description: updated
tags: added: patch
description: updated
tags: added: verification-done; removed: verification-needed
Should be fixed by https://git.exim.org/exim.git/commit/44b6e099b76f403a55e77650821f8a69e9d2682e which requires backporting work due to https://git.exim.org/exim.git/commit/d8fbda7da9eb20f98b89f625e8a77eacc443757d
cu Andreas