| 2022-12-03 22:16:10 |
Thomas F. |
bug |
|
|
added bug |
| 2022-12-04 07:12:30 |
Andreas Metzler |
bug |
|
|
added subscriber Andreas Metzler |
| 2022-12-06 07:08:40 |
Bryce Harrington |
tags |
|
server-todo |
|
| 2022-12-06 14:09:35 |
Thomas F. |
attachment added |
|
config.autogenerated https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1998678/+attachment/5634820/+files/config.autogenerated |
|
| 2022-12-06 14:13:05 |
Thomas F. |
attachment added |
|
update-exim4.conf.conf https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1998678/+attachment/5634821/+files/update-exim4.conf.conf |
|
| 2022-12-06 14:13:28 |
Thomas F. |
attachment added |
|
exim4.conf.template https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1998678/+attachment/5634822/+files/exim4.conf.template |
|
| 2022-12-07 23:12:10 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Kinetic |
|
| 2022-12-07 23:12:10 |
Sergio Durigan Junior |
bug task added |
|
exim4 (Ubuntu Kinetic) |
|
| 2022-12-07 23:12:10 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Lunar |
|
| 2022-12-07 23:12:10 |
Sergio Durigan Junior |
bug task added |
|
exim4 (Ubuntu Lunar) |
|
| 2022-12-07 23:12:14 |
Sergio Durigan Junior |
exim4 (Ubuntu Kinetic): status |
New |
Triaged |
|
| 2022-12-07 23:12:17 |
Sergio Durigan Junior |
exim4 (Ubuntu Lunar): status |
New |
Triaged |
|
| 2022-12-07 23:12:30 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Ubuntu Server |
| 2022-12-07 23:14:03 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Sergio Durigan Junior |
| 2023-01-04 16:23:41 |
Bryce Harrington |
exim4 (Ubuntu Kinetic): assignee |
|
Bryce Harrington (bryce) |
|
| 2023-01-04 16:23:43 |
Bryce Harrington |
exim4 (Ubuntu Lunar): assignee |
|
Bryce Harrington (bryce) |
|
| 2023-01-04 16:25:44 |
Bryce Harrington |
exim4 (Ubuntu Kinetic): importance |
Undecided |
High |
|
| 2023-01-04 16:25:46 |
Bryce Harrington |
exim4 (Ubuntu Lunar): importance |
Undecided |
High |
|
| 2023-01-30 23:57:36 |
Bryce Harrington |
description |
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
[Impact]
SPF checks fail, leading to a temp reject of emails. This is caused by an error in the argument parsing in exim4
The cause is an error in handling of argument parsing in exim4 that fails to recognize closing bracket '}' in some circumstances.
[Test Case]
TBD
[Where Problems Could Occur]
TBD
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
|
| 2023-02-10 07:35:20 |
Bryce Harrington |
description |
[Impact]
SPF checks fail, leading to a temp reject of emails. This is caused by an error in the argument parsing in exim4
The cause is an error in handling of argument parsing in exim4 that fails to recognize closing bracket '}' in some circumstances.
[Test Case]
TBD
[Where Problems Could Occur]
TBD
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
[Impact]
SPF checks fail, leading to a temp reject of emails. This is caused by an error in the argument parsing in exim4
The cause is an error in handling of argument parsing in exim4 that fails to recognize closing bracket '}' in some circumstances.
[Test Case]
On the host system, create a network for your local lxc containers:
host> lxc network create net-lp1998678
host> lxc network show net-lp1998678 | grep \.address
ipv4.address: 10.167.37.1/24
ipv6.address: fd42:723:9515:39f5::1/64
Then launch two containers:
host> lxc launch ubuntu:kinetic exim4-sru-lp1998678-kinetic-spf-1 --network net-lp1998678
host> lxc launch ubuntu:kinetic exim4-sru-lp1998678-kinetic-spf-2 --network net-lp1998678
--------------------------------------------------
Set up the first container as a sending client:
host> lxc exec exim4-sru-lp1998678-kinetic-spf-1 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-kinetic-spf-1.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-kinetic-spf-1.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Edit /etc/exim4/exim4.conf.template, remove the IP range of your local
LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list.
Restart exim4.service.
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
The second container is set up as a receiver, that checks SPF:
host> lxc exec exim4-lp1998678-kinetic-spf-2 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-kinetic-spf-2.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-kinetic-spf-2.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Modify /etc/exim4/exim4.conf.template to remove the IP range of your
local LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list,
and enable checking of SPF emails on receipt:
CHECK_RCPT_SPF = true
# apt-get install -y spf-tools-perl
Restart exim4.service
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
Now you should be able to send an email from the first to the second container.
On the first container:
# echo TEST | mail -s test ubuntu@exim4-sru-lp1998678-kinetic-spf-2.lxd
On the second container:
# cat /var/log/exim4/mainlog
In the erroneous case you should see an error such as:
2023-02-10 07:27:12 H=exim4-sru-lp1998678-kinetic-spf-1.lxd [10.167.37.41] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<root@exim4-sru-lp1998678-kinetic-spf-1.lxd> temporarily rejected RCPT <ubuntu@exim4-sru-lp1998678-kinetic-spf-2.lxd>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
[Where Problems Could Occur]
TBD
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
|
| 2023-02-17 22:52:14 |
Bryce Harrington |
description |
[Impact]
SPF checks fail, leading to a temp reject of emails. This is caused by an error in the argument parsing in exim4
The cause is an error in handling of argument parsing in exim4 that fails to recognize closing bracket '}' in some circumstances.
[Test Case]
On the host system, create a network for your local lxc containers:
host> lxc network create net-lp1998678
host> lxc network show net-lp1998678 | grep \.address
ipv4.address: 10.167.37.1/24
ipv6.address: fd42:723:9515:39f5::1/64
Then launch two containers:
host> lxc launch ubuntu:kinetic exim4-sru-lp1998678-kinetic-spf-1 --network net-lp1998678
host> lxc launch ubuntu:kinetic exim4-sru-lp1998678-kinetic-spf-2 --network net-lp1998678
--------------------------------------------------
Set up the first container as a sending client:
host> lxc exec exim4-sru-lp1998678-kinetic-spf-1 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-kinetic-spf-1.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-kinetic-spf-1.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Edit /etc/exim4/exim4.conf.template, remove the IP range of your local
LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list.
Restart exim4.service.
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
The second container is set up as a receiver, that checks SPF:
host> lxc exec exim4-lp1998678-kinetic-spf-2 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-kinetic-spf-2.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-kinetic-spf-2.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Modify /etc/exim4/exim4.conf.template to remove the IP range of your
local LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list,
and enable checking of SPF emails on receipt:
CHECK_RCPT_SPF = true
# apt-get install -y spf-tools-perl
Restart exim4.service
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
Now you should be able to send an email from the first to the second container.
On the first container:
# echo TEST | mail -s test ubuntu@exim4-sru-lp1998678-kinetic-spf-2.lxd
On the second container:
# cat /var/log/exim4/mainlog
In the erroneous case you should see an error such as:
2023-02-10 07:27:12 H=exim4-sru-lp1998678-kinetic-spf-1.lxd [10.167.37.41] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<root@exim4-sru-lp1998678-kinetic-spf-1.lxd> temporarily rejected RCPT <ubuntu@exim4-sru-lp1998678-kinetic-spf-2.lxd>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
[Where Problems Could Occur]
TBD
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
[Impact]
SPF checks fail, leading to a temp reject of emails. This is caused by an error in the argument parsing in exim4
The cause is an error in handling of argument parsing in exim4 that fails to recognize closing bracket '}' in some circumstances.
[Test Case]
On the host system, create a network for your local lxc containers:
host> lxc network create net-lp1998678
host> lxc network show net-lp1998678 | grep \.address
ipv4.address: 10.167.37.1/24
ipv6.address: fd42:723:9515:39f5::1/64
Then launch two containers:
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-1 --network net-lp1998678
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-2 --network net-lp1998678
--------------------------------------------------
Set up the first container as a sending client:
host> lxc exec exim4-sru-lp1998678-lunar-spf-1 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-1.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-1.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Edit /etc/exim4/exim4.conf.template, remove the IP range of your local
LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list.
Restart exim4.service.
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
The second container is set up as a receiver, that checks SPF:
host> lxc exec exim4-lp1998678-lunar-spf-2 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-2.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-2.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Modify /etc/exim4/exim4.conf.template to remove the IP range of your
local LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list,
and enable checking of SPF emails on receipt:
CHECK_RCPT_SPF = true
# apt-get install -y spf-tools-perl
Restart exim4.service
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
Now you should be able to send an email from the first to the second container.
On the first container:
# echo TEST | mail -s test ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd
On the second container:
# cat /var/log/exim4/mainlog
In the erroneous case you should see an error such as:
2023-02-10 07:27:12 H=exim4-sru-lp1998678-lunar-spf-1.lxd [10.167.37.41] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<root@exim4-sru-lp1998678-lunar-spf-1.lxd> temporarily rejected RCPT <ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
--------------------------------------------------
To test the fixed case, enable the PPA (or -proposed once it's available) in each of the containers after launching:
host> lxc exec exim4-lp1998678-...-[1,2] -- bash
# apt-get update && apt-get -y full-upgrade
# add-apt-repository -yus ppa:bryce/exim4-merge-v4.96-14
# apt-get install -y exim4
Then repeat the steps as above
[Where Problems Could Occur]
TBD
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
|
| 2023-04-19 05:23:20 |
Bryce Harrington |
description |
[Impact]
SPF checks fail, leading to a temp reject of emails. This is caused by an error in the argument parsing in exim4
The cause is an error in handling of argument parsing in exim4 that fails to recognize closing bracket '}' in some circumstances.
[Test Case]
On the host system, create a network for your local lxc containers:
host> lxc network create net-lp1998678
host> lxc network show net-lp1998678 | grep \.address
ipv4.address: 10.167.37.1/24
ipv6.address: fd42:723:9515:39f5::1/64
Then launch two containers:
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-1 --network net-lp1998678
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-2 --network net-lp1998678
--------------------------------------------------
Set up the first container as a sending client:
host> lxc exec exim4-sru-lp1998678-lunar-spf-1 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-1.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-1.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Edit /etc/exim4/exim4.conf.template, remove the IP range of your local
LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list.
Restart exim4.service.
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
The second container is set up as a receiver, that checks SPF:
host> lxc exec exim4-lp1998678-lunar-spf-2 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-2.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-2.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Modify /etc/exim4/exim4.conf.template to remove the IP range of your
local LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list,
and enable checking of SPF emails on receipt:
CHECK_RCPT_SPF = true
# apt-get install -y spf-tools-perl
Restart exim4.service
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
Now you should be able to send an email from the first to the second container.
On the first container:
# echo TEST | mail -s test ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd
On the second container:
# cat /var/log/exim4/mainlog
In the erroneous case you should see an error such as:
2023-02-10 07:27:12 H=exim4-sru-lp1998678-lunar-spf-1.lxd [10.167.37.41] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<root@exim4-sru-lp1998678-lunar-spf-1.lxd> temporarily rejected RCPT <ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
--------------------------------------------------
To test the fixed case, enable the PPA (or -proposed once it's available) in each of the containers after launching:
host> lxc exec exim4-lp1998678-...-[1,2] -- bash
# apt-get update && apt-get -y full-upgrade
# add-apt-repository -yus ppa:bryce/exim4-merge-v4.96-14
# apt-get install -y exim4
Then repeat the steps as above
[Where Problems Could Occur]
TBD
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
[Impact]
SPF checks fail, leading to a temp reject of emails. This is caused by an error in the argument parsing in exim4
The cause is an error in handling of argument parsing in exim4 that fails to recognize closing bracket '}' in some circumstances.
[Test Case]
On the host system, create a network for your local lxc containers:
host> lxc network create net-lp1998678
host> lxc network show net-lp1998678 | grep \.address
ipv4.address: 10.167.37.1/24
ipv6.address: fd42:723:9515:39f5::1/64
Then launch two containers:
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-1 --network net-lp1998678
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-2 --network net-lp1998678
--------------------------------------------------
Set up the first container as a sending client:
host> lxc exec exim4-sru-lp1998678-lunar-spf-1 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-1.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-1.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Edit /etc/exim4/exim4.conf.template, remove the IP range of your local
LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list.
Restart exim4.service.
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
The second container is set up as a receiver, that checks SPF:
host> lxc exec exim4-lp1998678-lunar-spf-2 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-2.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-2.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Modify /etc/exim4/exim4.conf.template to remove the IP range of your
local LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list,
and enable checking of SPF emails on receipt:
CHECK_RCPT_SPF = true
# apt-get install -y spf-tools-perl
Restart exim4.service
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
Now you should be able to send an email from the first to the second container.
On the first container:
# echo TEST | mail -s test ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd
On the second container:
# cat /var/log/exim4/mainlog
In the erroneous case you should see an error such as:
2023-02-10 07:27:12 H=exim4-sru-lp1998678-lunar-spf-1.lxd [10.167.37.41] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<root@exim4-sru-lp1998678-lunar-spf-1.lxd> temporarily rejected RCPT <ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
--------------------------------------------------
To test the fixed case, enable the PPA (or -proposed once it's available) in each of the containers after launching:
host> lxc exec exim4-lp1998678-...-[1,2] -- bash
# apt-get update && apt-get -y full-upgrade
# add-apt-repository -yus ppa:bryce/exim4-sru-lp1998678
# apt-get install -y exim4
Then repeat the steps as above
[Where Problems Could Occur]
TBD
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
|
| 2023-04-22 20:55:15 |
Hasse Hagen Johansen |
bug |
|
|
added subscriber Hasse Hagen Johansen |
| 2023-05-10 06:07:32 |
Bryce Harrington |
description |
[Impact]
SPF checks fail, leading to a temp reject of emails. This is caused by an error in the argument parsing in exim4
The cause is an error in handling of argument parsing in exim4 that fails to recognize closing bracket '}' in some circumstances.
[Test Case]
On the host system, create a network for your local lxc containers:
host> lxc network create net-lp1998678
host> lxc network show net-lp1998678 | grep \.address
ipv4.address: 10.167.37.1/24
ipv6.address: fd42:723:9515:39f5::1/64
Then launch two containers:
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-1 --network net-lp1998678
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-2 --network net-lp1998678
--------------------------------------------------
Set up the first container as a sending client:
host> lxc exec exim4-sru-lp1998678-lunar-spf-1 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-1.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-1.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Edit /etc/exim4/exim4.conf.template, remove the IP range of your local
LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list.
Restart exim4.service.
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
The second container is set up as a receiver, that checks SPF:
host> lxc exec exim4-lp1998678-lunar-spf-2 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-2.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-2.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Modify /etc/exim4/exim4.conf.template to remove the IP range of your
local LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list,
and enable checking of SPF emails on receipt:
CHECK_RCPT_SPF = true
# apt-get install -y spf-tools-perl
Restart exim4.service
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
Now you should be able to send an email from the first to the second container.
On the first container:
# echo TEST | mail -s test ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd
On the second container:
# cat /var/log/exim4/mainlog
In the erroneous case you should see an error such as:
2023-02-10 07:27:12 H=exim4-sru-lp1998678-lunar-spf-1.lxd [10.167.37.41] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<root@exim4-sru-lp1998678-lunar-spf-1.lxd> temporarily rejected RCPT <ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
--------------------------------------------------
To test the fixed case, enable the PPA (or -proposed once it's available) in each of the containers after launching:
host> lxc exec exim4-lp1998678-...-[1,2] -- bash
# apt-get update && apt-get -y full-upgrade
# add-apt-repository -yus ppa:bryce/exim4-sru-lp1998678
# apt-get install -y exim4
Then repeat the steps as above
[Where Problems Could Occur]
TBD
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
[Impact]
SPF checks fail, leading to a temp reject of emails. This is caused by an error in the argument parsing in exim4
The cause is an error in handling of argument parsing in exim4 that fails to recognize closing bracket '}' in some circumstances.
[Test Case]
On the host system, create a network for your local lxc containers:
host> lxc network create net-lp1998678
host> lxc network show net-lp1998678 | grep \.address
ipv4.address: 10.167.37.1/24
ipv6.address: fd42:723:9515:39f5::1/64
Then launch two containers:
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-1 --network net-lp1998678
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-2 --network net-lp1998678
--------------------------------------------------
Set up the first container as a sending client:
host> lxc exec exim4-sru-lp1998678-lunar-spf-1 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-1.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-1.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Edit /etc/exim4/exim4.conf.template, remove the IP range of your local
LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list.
Restart exim4.service.
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
The second container is set up as a receiver, that checks SPF:
host> lxc exec exim4-sru-lp1998678-lunar-spf-2 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-2.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-2.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Modify /etc/exim4/exim4.conf.template to remove the IP range of your
local LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list,
and enable checking of SPF emails on receipt:
CHECK_RCPT_SPF = true
# apt-get install -y spf-tools-perl
Restart exim4.service
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
Now you should be able to send an email from the first to the second container.
On the first container:
# echo TEST | mail -s test ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd
On the second container:
# cat /var/log/exim4/mainlog
In the erroneous case you should see an error such as:
2023-02-10 07:27:12 H=exim4-sru-lp1998678-lunar-spf-1.lxd [10.167.37.41] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<root@exim4-sru-lp1998678-lunar-spf-1.lxd> temporarily rejected RCPT <ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
--------------------------------------------------
To test the fixed case, enable the PPA (or -proposed once it's available) in each of the containers after launching:
host> lxc exec exim4-lp1998678-...-[1,2] -- bash
# add-apt-repository -yus ppa:bryce/exim4-sru-lp1998678
# apt-get upgrade -y
Then repeat the steps as above
[Where Problems Could Occur]
TBD
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
|
| 2023-06-08 21:37:12 |
Bryce Harrington |
nominated for series |
|
Ubuntu Mantic |
|
| 2023-06-08 21:37:12 |
Bryce Harrington |
bug task added |
|
exim4 (Ubuntu Mantic) |
|
| 2023-06-08 21:49:11 |
Bryce Harrington |
attachment added |
|
0001-d-p-fix-run-arg-parsing.patch-Fix-argument-parsing-f.patch https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1998678/+attachment/5678695/+files/0001-d-p-fix-run-arg-parsing.patch-Fix-argument-parsing-f.patch |
|
| 2023-06-09 00:17:53 |
Ubuntu Foundations Team Bug Bot |
tags |
server-todo |
patch server-todo |
|
| 2023-06-11 11:44:08 |
Andreas Metzler |
bug watch added |
|
http://bugs.exim.org/show_bug.cgi?id=3008 |
|
| 2023-06-16 03:34:00 |
Bryce Harrington |
description |
[Impact]
SPF checks fail, leading to a temp reject of emails. This is caused by an error in the argument parsing in exim4
The cause is an error in handling of argument parsing in exim4 that fails to recognize closing bracket '}' in some circumstances.
[Test Case]
On the host system, create a network for your local lxc containers:
host> lxc network create net-lp1998678
host> lxc network show net-lp1998678 | grep \.address
ipv4.address: 10.167.37.1/24
ipv6.address: fd42:723:9515:39f5::1/64
Then launch two containers:
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-1 --network net-lp1998678
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-2 --network net-lp1998678
--------------------------------------------------
Set up the first container as a sending client:
host> lxc exec exim4-sru-lp1998678-lunar-spf-1 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-1.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-1.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Edit /etc/exim4/exim4.conf.template, remove the IP range of your local
LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list.
Restart exim4.service.
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
The second container is set up as a receiver, that checks SPF:
host> lxc exec exim4-sru-lp1998678-lunar-spf-2 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-2.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-2.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Modify /etc/exim4/exim4.conf.template to remove the IP range of your
local LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list,
and enable checking of SPF emails on receipt:
CHECK_RCPT_SPF = true
# apt-get install -y spf-tools-perl
Restart exim4.service
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
Now you should be able to send an email from the first to the second container.
On the first container:
# echo TEST | mail -s test ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd
On the second container:
# cat /var/log/exim4/mainlog
In the erroneous case you should see an error such as:
2023-02-10 07:27:12 H=exim4-sru-lp1998678-lunar-spf-1.lxd [10.167.37.41] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<root@exim4-sru-lp1998678-lunar-spf-1.lxd> temporarily rejected RCPT <ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
--------------------------------------------------
To test the fixed case, enable the PPA (or -proposed once it's available) in each of the containers after launching:
host> lxc exec exim4-lp1998678-...-[1,2] -- bash
# add-apt-repository -yus ppa:bryce/exim4-sru-lp1998678
# apt-get upgrade -y
Then repeat the steps as above
[Where Problems Could Occur]
TBD
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
[Impact]
SPF checks fail, leading to a temp reject of emails. The logs show errors regarding failures to recognize closing bracket '}'.
This is caused by syntax errors attempting to read the exim4 config snippets that use quoted variables, such as for passing variables to subprocesses via ${run } constructs.
[Test Case]
On the host system, create a network for your local lxc containers:
host> lxc network create net-lp1998678
host> lxc network show net-lp1998678 | grep \.address
ipv4.address: 10.167.37.1/24
ipv6.address: fd42:723:9515:39f5::1/64
Then launch two containers:
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-1 --network net-lp1998678
host> lxc launch ubuntu-daily:lunar exim4-sru-lp1998678-lunar-spf-2 --network net-lp1998678
--------------------------------------------------
Set up the first container as a sending client:
host> lxc exec exim4-sru-lp1998678-lunar-spf-1 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-1.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-1.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Edit /etc/exim4/exim4.conf.template, remove the IP range of your local
LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list.
Restart exim4.service.
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
The second container is set up as a receiver, that checks SPF:
host> lxc exec exim4-sru-lp1998678-lunar-spf-2 -- bash
# apt-get update && apt-get -y full-upgrade
# apt-get install -y exim4
# dpkg-reconfigure exim4-config
? General type of mail configuration: internet site
? System mail name: exim4-sru-lp1998678-lunar-spf-2.lxd
? IP-addresses to listen on for incoming SMTP connections: <blank>
? Other destinations for which mail is accepted: exim4-sru-lp1998678-lunar-spf-2.lxd
? Domains to relay mail for: <blank>
? Machines to relay mail for: <blank>
? Keep number of DNS-queries minimal (Dial-on-Demand)? No
? Delivery method for local mail: mbox format in /var/mail/
? Split configuration into small files? No
? Root and postmaster mail recipient: <blank>
Modify /etc/exim4/exim4.conf.template to remove the IP range of your
local LXD network from the ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS list,
and enable checking of SPF emails on receipt:
CHECK_RCPT_SPF = true
Additionally, edit the SPF configuration snippet to remove the embedded $if statement (which is broken for unrelated reasons), IOW it should look like:
.ifdef CHECK_RCPT_SPF
deny
!acl = acl_local_deny_exceptions
condition = ${run{/usr/bin/spfquery.mail-spf-perl \
--ip ${quote:$sender_host_address} \
--scope mfrom \
--identity ${quote:$sender_address} \
}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
message = [SPF] $sender_host_address is not allowed to send mail from \
${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
log_message = SPF check failed.
Finally, install the SPF tools themselves:
# apt-get install -y spf-tools-perl
Restart exim4.service
# update-exim4.conf || echo "Error"
# service exim4 restart
# service exim4 status | grep Active
Active: active (running) since [...]
--------------------------------------------------
Now you should be able to send an email from the first to the second container.
On the first container:
# echo TEST | mail -s test ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd
On the second container:
# cat /var/log/exim4/mainlog
In the erroneous case you should see an error such as:
2023-02-10 07:27:12 H=exim4-sru-lp1998678-lunar-spf-1.lxd [10.167.37.41] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<root@exim4-sru-lp1998678-lunar-spf-1.lxd> temporarily rejected RCPT <ubuntu@exim4-sru-lp1998678-lunar-spf-2.lxd>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
--------------------------------------------------
To test the fixed case, enable the PPA (or -proposed once it's available) in each of the containers after launching:
host> lxc exec exim4-lp1998678-...-[1,2] -- bash
# add-apt-repository -yus ppa:bryce/exim4-sru-lp1998678
# apt-get upgrade -y
Then repeat the steps as above. This time you should see logged output such as:
2023-06-16 03:26:47 1qA06p-00062l-1N <= ubuntu@exim4-sru-lp1998678-mantic-spf-1.lxd H=exim4-sru-lp1998678-mantic-spf-1.lxd [10.167.37.174] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no K S=1067 id=E1qA06p-0004zR-0v@exim4-sru-lp1998678-mantic-spf-1.lxd
2023-06-16 03:26:47 1qA06p-00062l-1N => ubuntu <ubuntu@exim4-sru-lp1998678-mantic-spf-2.lxd> R=local_user T=mail_spool
2023-06-16 03:26:47 1qA06p-00062l-1N Completed
[Where Problems Could Occur]
Because the patch involves the parsing of the exim4 config file, things to look for would be issues related to the config file parsing. In particular, the change affects how config construct nesting behaves, which occurs with ${run, ${if, and other such config language features.
Of particular note, while this issue was discovered in association with SPF support, the fix really has nothing to do with SPF in particular, so it is unlikely that SPF-related behavioral changes would be due to this fix, unless they involve the exim4 config file in some fashion.
Finally, it should be added that the SPF configuration included in Ubuntu's exim4 delta does not work any longer, since probably 4.95 or so, and even with this fix it will still error but with a different error message. Unfortunately the Ubuntu-provided snippet relied on undocumented behavior in exim4's config parsing that is no longer supported.
[Original Report]
After upgrading from Jammy to Kinetic (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), exim SPF checks (prepared in exim4.conf.template, after defining CHECK_RCPT_SPF) fail with:
2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string
Expanding the condition in line 803ff of exim4.conf.template fails:
--cut exim4.conf.template
793 # Use spfquery to perform a pair of SPF checks.
794 #
795 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
796 # enable if that's an issue. Also note that if you enable this, you must
797 # install "spf-tools-perl" which provides the spfquery command.
798 # Missing spf-tools-perl will trigger the "Unexpected error in
799 # SPF check" warning.
800 .ifdef CHECK_RCPT_SPF
801 deny
802 !acl = acl_local_deny_exceptions
803 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
804 ${quote:$sender_host_address} --identity \
805 ${if def:sender_address_domain \
806 {--scope mfrom --identity ${quote:$sender_address}}\
807 {--scope helo --identity ${quote:$sender_helo_name}}}}\
808 {no}{${if eq {$runrc}{1}{yes}{no}}}}
809 message = [SPF] $sender_host_address is not allowed to send mail from \
810 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
811 log_message = SPF check failed.
812
813 defer
814 !acl = acl_local_deny_exceptions
815 condition = ${if eq {$runrc}{5}{yes}{no}}
816 message = Temporary DNS error while checking SPF record. Try again later.
817
818 warn
819 condition = ${if <={$runrc}{6}{yes}{no}}
820 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
821 {${if eq {$runrc}{2}{softfail}\
822 {${if eq {$runrc}{3}{neutral}\
823 {${if eq {$runrc}{4}{permerror}\
824 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
825 } client-ip=$sender_host_address; \
826 ${if def:sender_address_domain \
827 {envelope-from=${sender_address}; }{}}\
828 helo=$sender_helo_name
829
830 warn
831 condition = ${if >{$runrc}{6}{yes}{no}}
832 log_message = Unexpected error in SPF check.
833 .endif
--cut
Stripping down condition to
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
works, as soon as any thing with curly brackets is added, the expansion fails.
Issue is also discussed on exim-users Mailing list, see https://lists.exim.org/lurker/message/20221203.163916.01eb5f41.en.html
Ubuntu Version:
$ lsb_release -rd
Description: Ubuntu 22.10
Release: 22.10
Exim4 package versions:
$ apt-cache policy exim4
exim4:
Installed: 4.96-3ubuntu1.1
Candidate: 4.96-3ubuntu1.1
Version table:
*** 4.96-3ubuntu1.1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main amd64 Packages
500 http://security.ubuntu.com/ubuntu kinetic-security/main i386 Packages
100 /var/lib/dpkg/status
4.96-3ubuntu1 500
500 http://de.archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
500 http://de.archive.ubuntu.com/ubuntu kinetic/main i386 Packages
$ dpkg -l | grep exim
ii exim4 4.96-3ubuntu1.1 all metapackage to ease Exim MTA (v4) installation
ii exim4-base 4.96-3ubuntu1.1 amd64 support files for all Exim MTA (v4) packages
ii exim4-config 4.96-3ubuntu1.1 all configuration for the Exim MTA (v4)
ii exim4-daemon-heavy 4.96-3ubuntu1.1 amd64 Exim MTA (v4) daemon with extended features, including exiscan-acl
Expected behavior:
SPF checks after defining CHECK_RCPT_SPF
Actual behavior:
All external mail is temp rejected due to an error in ACL expansion |
|
| 2023-06-17 03:01:26 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~bryce/ubuntu/+source/exim4/+git/exim4/+merge/444946 |
|
| 2023-06-17 03:07:41 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~bryce/ubuntu/+source/exim4/+git/exim4/+merge/444947 |
|
| 2023-06-17 03:09:41 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~bryce/ubuntu/+source/exim4/+git/exim4/+merge/444948 |
|
| 2023-06-17 03:10:18 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~bryce/ubuntu/+source/exim4/+git/exim4/+merge/444949 |
|
| 2023-06-17 03:28:07 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~bryce/ubuntu/+source/exim4/+git/exim4/+merge/444950 |
|
| 2023-06-23 08:03:32 |
Bryce Harrington |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2023-06-25 03:46:06 |
Ubuntu Archive Robot |
bug |
|
|
added subscriber Bryce Harrington |
| 2023-06-28 07:55:25 |
Launchpad Janitor |
exim4 (Ubuntu Mantic): status |
Triaged |
Fix Released |
|
| 2023-06-30 20:27:59 |
Andreas Hasenack |
exim4 (Ubuntu Lunar): status |
Triaged |
Fix Committed |
|
| 2023-06-30 20:28:01 |
Andreas Hasenack |
bug |
|
|
added subscriber SRU Verification |
| 2023-06-30 20:28:06 |
Andreas Hasenack |
tags |
patch server-todo |
patch server-todo verification-needed verification-needed-lunar |
|
| 2023-06-30 20:28:42 |
Andreas Hasenack |
exim4 (Ubuntu Kinetic): status |
Triaged |
Fix Committed |
|
| 2023-06-30 20:28:49 |
Andreas Hasenack |
tags |
patch server-todo verification-needed verification-needed-lunar |
patch server-todo verification-needed verification-needed-kinetic verification-needed-lunar |
|
| 2023-07-05 22:36:13 |
Bryce Harrington |
tags |
patch server-todo verification-needed verification-needed-kinetic verification-needed-lunar |
patch server-todo verification-done-kinetic verification-done-lunar verification-needed |
|
| 2023-07-06 00:28:13 |
Bryce Harrington |
tags |
patch server-todo verification-done-kinetic verification-done-lunar verification-needed |
patch server-todo verification-done verification-done-kinetic verification-done-lunar |
|
| 2023-07-10 10:46:00 |
Launchpad Janitor |
exim4 (Ubuntu Lunar): status |
Fix Committed |
Fix Released |
|
| 2023-07-10 10:46:05 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2023-07-10 11:03:29 |
Launchpad Janitor |
exim4 (Ubuntu Kinetic): status |
Fix Committed |
Fix Released |
|
| 2023-08-05 03:30:56 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~bryce/ubuntu/+source/exim4/+git/exim4/+merge/448540 |
|
