Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: exim: users

mail relay - null or empty Envelope Sender problem...

  

 
exim users RSS feed   Index | Next | Previous | View Threaded


exim.talk at gmail

Aug 12, 2009, 3:27 PM

Post #1 of 13 (2375 views)
Permalink
mail relay - null or empty Envelope Sender problem...
Hi all,

I'm using Exim version 4.69 and am having an issue with relaying... it seems
that by simply supplying a null/empty Envelope Sender anyone can relay email
to anywhere they'd like.

#####################
...snip...
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM: <>
<<< 250 OK
>>> RCPT TO: <rlytest [at] h>
<<< 250 Accepted
...snip...
#####################

I've read through all the Exim list archives I can find, and a number of
other articles talking about null and empty Envelope Sender issues, but I
can't find what I need to solve this issue. It seems to me that this should
be basic but for some reason I can't figure it out or find anyone adressing
this particular problem.

I'm going to post a couple excerpts from the config file that might(?) be
relevant and useful in figuring out this situation...

excerpt from exim config:
################################
*...snip...*
acl_smtp_connect = check_connect
acl_smtp_helo = check_helo
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
acl_smtp_auth = check_auth
*...snip...*
begin acl
check_connect:
accept hosts = +whitelist
endpass
warn dnslists = hostkarma.junkemailfilter.com=127.0.0.1
set acl_c1 = white - dnswl - $sender_fullhost
log_message = GREYLIST CONNECT - WHITE Hostname $sender_host_name
$sender_host_address
warn dnslists = hostkarma.junkemailfilter.com=127.0.0.3
set acl_c1 = yellow - $sender_fullhost
log_message = GREYLIST CONNECT - YELLOW Hostname $sender_host_name
$sender_host_address
deny hosts = +hardblacklist
log_message = BLACKLIST CONNECT Hostname $sender_host_name
$sender_host_address
deny dnslists = hostkarma.junkemailfilter.com=127.0.0.2
log_message = GREYLIST CONNECT - BLACK Hostname $sender_host_name
$sender_host_address
deny log_message = SPAM RBL $dnslist_domain
!dnslists = hostkarma.junkemailfilter.com=127.0.0.1,127.0.0.3
dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain :
cbl.abuseat.org :\
web.dnsbl.sorbs.net : socks.dnsbl.sorbs.net :\
http.dnsbl.sorbs.net : blackholes.mail-abuse.org
warn log_message = DNS CHECK REVERSE $sender_host_address.
!verify = reverse_host_lookup
accept
check_helo:
accept hosts = +whitelist
endpass
deny message = Your server announces itself \
($sender_helo_name) with a plain \
IP address which is in breach of RFC2821. \
Please read http://www.faqs.org/rfcs/rfc2821.html \
and fix before attempting to resend.
condition = ${if isip {$sender_helo_name} {1}{0} }
log_message = HELO IP $sender_helo_name
warn condition = ${if !match{$sender_helo_name}{\\.}{yes}{no}}
log_message = HELO NO-FQDN $sender_helo_name
deny log_message = HELO MISMATCH Forged HELO for ($sender_helo_name)
set acl_m5 = ${lookup{$sender_helo_name} \
partial-lsearch{/usr/local/etc/exim/helo-check} \
{${if eq{$value}{}{$sender_helo_name}{$value}}}{}}
message = You are not really $sender_helo_name. Go Away.
condition = ${if !eq{$acl_m5}{} {1}}
condition = ${if !match{$sender_host_name}{${rxquote:$acl_m5}\N$\N}
{1}}
warn !verify = helo
log_message = HELO VERIFY for ($sender_helo_name)
($sender_host_name)
accept
check_recipient:
*...snip...*
################################

Please let me know any ideas you have... I can post more/specific parts of
the config file too of course.

Thanks in advance for your time!

Amrahd
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim.talk at gmail

Aug 12, 2009, 3:27 PM

Post #2 of 13 (2302 views)
Permalink
mail relay - null or empty Envelope Sender problem... [In reply to]
Hi all,

I'm using Exim version 4.69 and am having an issue with relaying... it seems
that by simply supplying a null/empty Envelope Sender anyone can relay email
to anywhere they'd like.

#####################
...snip...
>>> RSET
<<< 250 Reset OK
>>> MAIL FROM: <>
<<< 250 OK
>>> RCPT TO: <rlytest [at] h>
<<< 250 Accepted
...snip...
#####################

I've read through all the Exim list archives I can find, and a number of
other articles talking about null and empty Envelope Sender issues, but I
can't find what I need to solve this issue. It seems to me that this should
be basic but for some reason I can't figure it out or find anyone adressing
this particular problem.

I'm going to post a couple excerpts from the config file that might(?) be
relevant and useful in figuring out this situation...

excerpt from exim config:
################################
*...snip...*
acl_smtp_connect = check_connect
acl_smtp_helo = check_helo
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
acl_smtp_auth = check_auth
*...snip...*
begin acl
check_connect:
accept hosts = +whitelist
endpass
warn dnslists = hostkarma.junkemailfilter.com=127.0.0.1
set acl_c1 = white - dnswl - $sender_fullhost
log_message = GREYLIST CONNECT - WHITE Hostname $sender_host_name
$sender_host_address
warn dnslists = hostkarma.junkemailfilter.com=127.0.0.3
set acl_c1 = yellow - $sender_fullhost
log_message = GREYLIST CONNECT - YELLOW Hostname $sender_host_name
$sender_host_address
deny hosts = +hardblacklist
log_message = BLACKLIST CONNECT Hostname $sender_host_name
$sender_host_address
deny dnslists = hostkarma.junkemailfilter.com=127.0.0.2
log_message = GREYLIST CONNECT - BLACK Hostname $sender_host_name
$sender_host_address
deny log_message = SPAM RBL $dnslist_domain
!dnslists = hostkarma.junkemailfilter.com=127.0.0.1,127.0.0.3
dnslists = nomail.rhsbl.sorbs.net/$sender_address_domain :
cbl.abuseat.org :\
web.dnsbl.sorbs.net : socks.dnsbl.sorbs.net :\
http.dnsbl.sorbs.net : blackholes.mail-abuse.org
warn log_message = DNS CHECK REVERSE $sender_host_address.
!verify = reverse_host_lookup
accept
check_helo:
accept hosts = +whitelist
endpass
deny message = Your server announces itself \
($sender_helo_name) with a plain \
IP address which is in breach of RFC2821. \
Please read http://www.faqs.org/rfcs/rfc2821.html \
and fix before attempting to resend.
condition = ${if isip {$sender_helo_name} {1}{0} }
log_message = HELO IP $sender_helo_name
warn condition = ${if !match{$sender_helo_name}{\\.}{yes}{no}}
log_message = HELO NO-FQDN $sender_helo_name
deny log_message = HELO MISMATCH Forged HELO for ($sender_helo_name)
set acl_m5 = ${lookup{$sender_helo_name} \
partial-lsearch{/usr/local/etc/exim/helo-check} \
{${if eq{$value}{}{$sender_helo_name}{$value}}}{}}
message = You are not really $sender_helo_name. Go Away.
condition = ${if !eq{$acl_m5}{} {1}}
condition = ${if !match{$sender_host_name}{${rxquote:$acl_m5}\N$\N}
{1}}
warn !verify = helo
log_message = HELO VERIFY for ($sender_helo_name)
($sender_host_name)
accept
check_recipient:
*...snip...*
################################

Please let me know any ideas you have... I can post more/specific parts of
the config file too of course.

Thanks in advance for your time!

Amrahd
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


tlyons at ivenue

Aug 12, 2009, 5:47 PM

Post #3 of 13 (2307 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
On Wed, Aug 12, 2009 at 3:27 PM, Amrahd Droflow<exim.talk [at] gmail> wrote:
>
> acl_smtp_rcpt = check_recipient
> acl_smtp_auth = check_auth

Want to see the two acl's above.

> check_recipient:
> *...snip...*
>
> Please let me know any ideas you have... I can post more/specific parts of
> the config file too of course.

Show what comes after the snip, and also show the check_auth acl.

--
Regards... Todd

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim.talk at gmail

Aug 13, 2009, 11:15 AM

Post #4 of 13 (2287 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
On Wed, Aug 12, 2009 at 5:47 PM, Todd Lyons <tlyons [at] ivenue> wrote:

> On Wed, Aug 12, 2009 at 3:27 PM, Amrahd Droflow<exim.talk [at] gmail>
> wrote:
> >
> > acl_smtp_rcpt = check_recipient
> > acl_smtp_auth = check_auth
>
> Want to see the two acl's above.
>
> > check_recipient:
> > *...snip...*
> >
> > Please let me know any ideas you have... I can post more/specific parts
> of
> > the config file too of course.
>
> Show what comes after the snip, and also show the check_auth acl.
>
> --
> Regards... Todd
>

Hi Todd,

Thanks for looking at this... here are the sections you wanted to see:

######################################################
check_recipient:
accept hosts = +whitelist
endpass
accept authenticated = *
encrypted = *
accept condition = ${if eq{$interface_port}{587}{1}{0}}
endpass
message = SMTP AUTH required for port 587
authenticated = *
accept senders = /usr/local/etc/exim/relayers
endpass
deny log_message = SPAM RBL $dnslist_domain
message = Your IP address is listed as a Dynamic IP. You cannot send
to $domain
hosts = !+relay_from_hosts
domains = blank.edu:blank.com
dnslists = dul.dnsbl.sorbs.net
deny message = Invalid address
senders = \N^\.|\.@\N
deny sender_domains = example.com
log_message = FILTER RELAY Attempted Spam Relay
deny senders = lsearch;/usr/local/etc/exim/blacklist-senders
log_message = FILTER RELAY Attempted Spam Relay
accept sender_domains = webmail.blank.com
endpass
deny message = Restricted characters in address
log_message = FILTER CHARS Restricted characters in address
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ : ^.*[@%!/|] :
^\\.
accept local_parts = postmaster
domains = +local_domains : +relay_domains
require verify = sender
log_message = INVALID SENDER $sender_host_name
$sender_host_address
accept message = Invalid sender: $local_part@$domain :Blocked Bounce
Message
senders = :
log_message = FILTER BOUNCEBLOCK Blocked Bounce Message
endpass
verify =
recipient/callout=4m,maxwait=4m,connect=30s,use_sender
drop message = I don't take more than 20 RCPTs for $domain
domains = +local_domains : +relay_domains
log_message = FILTER RCPTLIMIT RCPT Limit Reached
condition = ${if > {$rcpt_count}{20}}
accept message = Invalid recipient: $local_part@$domain
domains = +relay_domains : +local_domains
log_message = INVRCPT DOMAIN Invalid Recipient Check - Domains
endpass
verify =
recipient/callout=4m,maxwait=4m,connect=30s/callout_defer_ok
deny message = $sender_host_address is not allowed to send mail from
$sender_address_domain
log_message = SPF BLOCK Sender $sender_host_address is not
allowed to send mail from $sender_address_domain
sender_domains = !+local_domains
spf = fail
deny message = AOL sender, but not from AOL-approved relay.
log_message = SPF BLOCK Sender $sender_host_address is not
allowed to send mail from $sender_address_domain
sender_domains = aol.com
spf = fail:neutral
accept message = Invalid recipient: $local_part@$domain
hosts = +relay_from_hosts
log_message = INVRCPT IP Invalid Recipient Check - IP
endpass
verify =
recipient/callout=4m,maxwait=4m,connect=30s,use_sender/callout_defer_ok
deny hosts = *
encrypted = *
!encrypted = DES-CBC3-SHA:IDEA-CBC-MD5:AES256-SHA
deny message = No dictionary attacks!
condition = ${if > {$rcpt_fail_count}{1} {yes}{no}}
!verify = recipient
delay = ${eval: ($rcpt_fail_count) * 60}s
log_message = SPAM DICT $rcpt_fail_count failed recipient
attempts
accept domains = +local_domains : +relay_domains
accept hosts = +relay_from_hosts
accept hosts = +auth_relay_hosts
endpass
verify = recipient/defer_ok/callout=10s/callout_defer_ok
message = authentication required
authenticated = *
encrypted = *
deny message = RELAYING NOT ALLOWED
log_message = RELAYING NOT ALLOWED


check_message:
accept condition = ${if eq {${hmac{md5}\
{blankmail}\
{$body_linecount}}}\
{$h_X-Scan-Signature:} {1}{0}}
require verify = header_syntax
require verify = header_sender
deny senders = :
message = Rejected: A valid sender is required for bounces
!verify = header_sender
deny message = This message contains a MIME error ($demime_reason)
log_message = MALWARE MIMEERR ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains an unwanted file extension
($found_extension)
log_message = MALWARE EXTENSION $found_extension
demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:\
hlp:hta:inf:ins:isp:jse?:lnk:mdb:mde:msc:msi:msp:mst:\
pcd:pif:reg:scr:sct:shs:url:vbs:vbe:wdf:wsh:wsc
deny message = X-VIRUS: This message contains malware ($malware_name)
log_message = MALWARE VIRUS $malware_name
condition = ${if >={$message_size}{200k}{1}{0}}
malware = *
deny message = This message matches a blacklisted regular expression
($regex_match_string)
log_message = MALWARE REGEX $regex_match_string
condition = ${if >={$message_size}{200k}{1}{0}}
regex = [Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa]
regex = [Vv][Ii][Aa][Gg][Rr][Aa]
regex = [Vv] *[Pp] - *[Rr] *[Xx]
regex = [Cc] *[Ii] *[Aa] *[Ll] *[Tt] *[Ii] *[Ss]
regex = [Cc][Ii][Aa][Ll][Tt][Ii][Ss]
accept log_message = Accepted: Message over 200k - $message_size
message = Accepted: Message over 200k - $message_size
condition = ${if >={$message_size}{200k}{1}{0}}
warn message = X-Spam-Flag: YES
log_message = X-Spam-Flag: YES
spam = nobody
condition = ${if >{$spam_score_int}{50}{1}{0}}
deny message = This is spam: Rejected
log_message = SPAM LIMIT $spam_score
spam = nobody
condition = ${if >{$spam_score_int}{100}{1}{0}}
warn message = X-Scan-Signature: ${hmac{md5}{blank} {$body_linecount}}
accept


check_auth:
accept hosts = +auth_relay_hosts
accept hosts = +local_domains
endpass
message = STARTTLS required before AUTH
encrypted = *
accept
begin authenticators
login:
driver = plaintext
*...snip...*
######################################################

Thanks again for taking a look at this...

Amrahd
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim.talk at gmail

Aug 13, 2009, 11:15 AM

Post #5 of 13 (2280 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
On Wed, Aug 12, 2009 at 5:47 PM, Todd Lyons <tlyons [at] ivenue> wrote:

> On Wed, Aug 12, 2009 at 3:27 PM, Amrahd Droflow<exim.talk [at] gmail>
> wrote:
> >
> > acl_smtp_rcpt = check_recipient
> > acl_smtp_auth = check_auth
>
> Want to see the two acl's above.
>
> > check_recipient:
> > *...snip...*
> >
> > Please let me know any ideas you have... I can post more/specific parts
> of
> > the config file too of course.
>
> Show what comes after the snip, and also show the check_auth acl.
>
> --
> Regards... Todd
>

Hi Todd,

Thanks for looking at this... here are the sections you wanted to see:

######################################################
check_recipient:
accept hosts = +whitelist
endpass
accept authenticated = *
encrypted = *
accept condition = ${if eq{$interface_port}{587}{1}{0}}
endpass
message = SMTP AUTH required for port 587
authenticated = *
accept senders = /usr/local/etc/exim/relayers
endpass
deny log_message = SPAM RBL $dnslist_domain
message = Your IP address is listed as a Dynamic IP. You cannot send
to $domain
hosts = !+relay_from_hosts
domains = blank.edu:blank.com
dnslists = dul.dnsbl.sorbs.net
deny message = Invalid address
senders = \N^\.|\.@\N
deny sender_domains = example.com
log_message = FILTER RELAY Attempted Spam Relay
deny senders = lsearch;/usr/local/etc/exim/blacklist-senders
log_message = FILTER RELAY Attempted Spam Relay
accept sender_domains = webmail.blank.com
endpass
deny message = Restricted characters in address
log_message = FILTER CHARS Restricted characters in address
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ : ^.*[@%!/|] :
^\\.
accept local_parts = postmaster
domains = +local_domains : +relay_domains
require verify = sender
log_message = INVALID SENDER $sender_host_name
$sender_host_address
accept message = Invalid sender: $local_part@$domain :Blocked Bounce
Message
senders = :
log_message = FILTER BOUNCEBLOCK Blocked Bounce Message
endpass
verify =
recipient/callout=4m,maxwait=4m,connect=30s,use_sender
drop message = I don't take more than 20 RCPTs for $domain
domains = +local_domains : +relay_domains
log_message = FILTER RCPTLIMIT RCPT Limit Reached
condition = ${if > {$rcpt_count}{20}}
accept message = Invalid recipient: $local_part@$domain
domains = +relay_domains : +local_domains
log_message = INVRCPT DOMAIN Invalid Recipient Check - Domains
endpass
verify =
recipient/callout=4m,maxwait=4m,connect=30s/callout_defer_ok
deny message = $sender_host_address is not allowed to send mail from
$sender_address_domain
log_message = SPF BLOCK Sender $sender_host_address is not
allowed to send mail from $sender_address_domain
sender_domains = !+local_domains
spf = fail
deny message = AOL sender, but not from AOL-approved relay.
log_message = SPF BLOCK Sender $sender_host_address is not
allowed to send mail from $sender_address_domain
sender_domains = aol.com
spf = fail:neutral
accept message = Invalid recipient: $local_part@$domain
hosts = +relay_from_hosts
log_message = INVRCPT IP Invalid Recipient Check - IP
endpass
verify =
recipient/callout=4m,maxwait=4m,connect=30s,use_sender/callout_defer_ok
deny hosts = *
encrypted = *
!encrypted = DES-CBC3-SHA:IDEA-CBC-MD5:AES256-SHA
deny message = No dictionary attacks!
condition = ${if > {$rcpt_fail_count}{1} {yes}{no}}
!verify = recipient
delay = ${eval: ($rcpt_fail_count) * 60}s
log_message = SPAM DICT $rcpt_fail_count failed recipient
attempts
accept domains = +local_domains : +relay_domains
accept hosts = +relay_from_hosts
accept hosts = +auth_relay_hosts
endpass
verify = recipient/defer_ok/callout=10s/callout_defer_ok
message = authentication required
authenticated = *
encrypted = *
deny message = RELAYING NOT ALLOWED
log_message = RELAYING NOT ALLOWED


check_message:
accept condition = ${if eq {${hmac{md5}\
{blankmail}\
{$body_linecount}}}\
{$h_X-Scan-Signature:} {1}{0}}
require verify = header_syntax
require verify = header_sender
deny senders = :
message = Rejected: A valid sender is required for bounces
!verify = header_sender
deny message = This message contains a MIME error ($demime_reason)
log_message = MALWARE MIMEERR ($demime_reason)
demime = *
condition = ${if >{$demime_errorlevel}{2}{1}{0}}
deny message = This message contains an unwanted file extension
($found_extension)
log_message = MALWARE EXTENSION $found_extension
demime = ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:\
hlp:hta:inf:ins:isp:jse?:lnk:mdb:mde:msc:msi:msp:mst:\
pcd:pif:reg:scr:sct:shs:url:vbs:vbe:wdf:wsh:wsc
deny message = X-VIRUS: This message contains malware ($malware_name)
log_message = MALWARE VIRUS $malware_name
condition = ${if >={$message_size}{200k}{1}{0}}
malware = *
deny message = This message matches a blacklisted regular expression
($regex_match_string)
log_message = MALWARE REGEX $regex_match_string
condition = ${if >={$message_size}{200k}{1}{0}}
regex = [Vv] *[Ii] *[Aa] *[Gg] *[Rr] *[Aa]
regex = [Vv][Ii][Aa][Gg][Rr][Aa]
regex = [Vv] *[Pp] - *[Rr] *[Xx]
regex = [Cc] *[Ii] *[Aa] *[Ll] *[Tt] *[Ii] *[Ss]
regex = [Cc][Ii][Aa][Ll][Tt][Ii][Ss]
accept log_message = Accepted: Message over 200k - $message_size
message = Accepted: Message over 200k - $message_size
condition = ${if >={$message_size}{200k}{1}{0}}
warn message = X-Spam-Flag: YES
log_message = X-Spam-Flag: YES
spam = nobody
condition = ${if >{$spam_score_int}{50}{1}{0}}
deny message = This is spam: Rejected
log_message = SPAM LIMIT $spam_score
spam = nobody
condition = ${if >{$spam_score_int}{100}{1}{0}}
warn message = X-Scan-Signature: ${hmac{md5}{blank} {$body_linecount}}
accept


check_auth:
accept hosts = +auth_relay_hosts
accept hosts = +local_domains
endpass
message = STARTTLS required before AUTH
encrypted = *
accept
begin authenticators
login:
driver = plaintext
*...snip...*
######################################################

Thanks again for taking a look at this...

Amrahd
--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


tlyons at ivenue

Aug 20, 2009, 7:34 AM

Post #6 of 13 (2181 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
On Thu, Aug 13, 2009 at 11:15 AM, Amrahd Droflow<exim.talk [at] gmail> wrote:
>
>
> On Wed, Aug 12, 2009 at 5:47 PM, Todd Lyons <tlyons [at] ivenue> wrote:
>>
>> On Wed, Aug 12, 2009 at 3:27 PM, Amrahd Droflow<exim.talk [at] gmail>
>> wrote:
>> >
>> > acl_smtp_rcpt = check_recipient
>> > acl_smtp_auth = check_auth
>>
>> Want to see the two acl's above.
>>
>> > check_recipient:
>> > *...snip...*
>> >
>> > Please let me know any ideas you have... I can post more/specific parts
>> > of
>> > the config file too of course.
>>
>> Show what comes after the snip, and also show the check_auth acl.
>>
>> --
>> Regards...      Todd
>
> Hi Todd,
>
> Thanks for looking at this... here are the sections you wanted to see:
>
> ######################################################
> check_recipient:
>   accept  hosts   = +whitelist
>   endpass
>   accept  authenticated = *
>           encrypted = *
>   accept  condition = ${if eq{$interface_port}{587}{1}{0}}
>           endpass
>           message = SMTP AUTH required for port 587
>           authenticated = *
>   accept        senders        = /usr/local/etc/exim/relayers

Can it take just a filename as the argument? Shouldn't it be
something like this:

accept senders = ${lookup{$host_name}lsearch\
{/some/file}{$value}{}}

I also don't really understand this one.

>   accept  message     = Invalid sender: $local_part@$domain :Blocked Bounce
> Message
>           senders     = :
>           log_message = FILTER BOUNCEBLOCK Blocked Bounce Message
>           endpass
>           verify      =
> recipient/callout=4m,maxwait=4m,connect=30s,use_sender

Why is it an accept? That whole endpass thing just never really made
a whole lot of sense to me. Every time I have a case where I need to
use it, I have to study the docs and figure it out step by step. It's
not a natural thought process, and for some reason the knowledge
doesn't stick around after I've implemented it. I'll just assume that
I'm getting old and just can't remember crap anymore...

> Thanks again for taking a look at this...

Hope you get it working soon.

--
Regards... Todd

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


jethro.binks at strath

Aug 20, 2009, 8:32 AM

Post #7 of 13 (2185 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
On Thu, 20 Aug 2009, Todd Lyons wrote:

> Why is it an accept? That whole endpass thing just never really made
> a whole lot of sense to me. Every time I have a case where I need to
> use it, I have to study the docs and figure it out step by step. It's
> not a natural thought process, and for some reason the knowledge
> doesn't stick around after I've implemented it. I'll just assume that
> I'm getting old and just can't remember crap anymore...

If it's any consolution, I made similar grumbles to PH a few years ago
about endpass, I always struggled to get my head around it, and like you,
had to keep re-reading the docs. He didn't disagree that it was
non-intuitive and awkward. :)

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


jethro.binks at strath

Aug 20, 2009, 8:40 AM

Post #8 of 13 (2181 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
On Thu, 20 Aug 2009, I wrote:

> If it's any consolution ...

A "consolution" is not something that Acme Jim And Bob Systems Integrators
might sell you, nor is it along the same lines of "consultant", where you
are both "conned" and "insulted" ...

It is, of course, merely a mis-typing of "consolation".

I'm glad my Friday is come early.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


iane at sussex

Aug 21, 2009, 1:20 AM

Post #9 of 13 (2162 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
--On 20 August 2009 16:32:40 +0100 Jethro R Binks
<jethro.binks [at] strath> wrote:

> On Thu, 20 Aug 2009, Todd Lyons wrote:
>
>> Why is it an accept? That whole endpass thing just never really made
>> a whole lot of sense to me. Every time I have a case where I need to
>> use it, I have to study the docs and figure it out step by step. It's
>> not a natural thought process, and for some reason the knowledge
>> doesn't stick around after I've implemented it. I'll just assume that
>> I'm getting old and just can't remember crap anymore...
>
> If it's any consolution, I made similar grumbles to PH a few years ago
> about endpass, I always struggled to get my head around it, and like you,
> had to keep re-reading the docs. He didn't disagree that it was
> non-intuitive and awkward. :)

so, according to the docs, endpass can only be used in an accept statement.

accept condition a
condition b
endpass
condition c
condition d

will either accept, deny or pass. It'll accept if all conditions are true.
It'll pass if a or b are false. It'll deny if a and b are true, but c or d
are false.


a and b !(a and b)
c or d true: accept pass
c or d false: deny pass

I think it's equivalent to nesting, like this:
accept condition a
condition b
deny
! condition c
! condition d

a and b !(a and b)
c or d true: accept pass
c or d false: deny pass


is that true? if so, it might be a neater, and more general solution, to
allow nesting of statements like this. Some additional syntax would be
required to distinguish a nested statement from a following statement.
Perhaps, like this:

accept condition a
condition b
but deny
! condition c
! condition d

This would be simpler on two counts. First, the nesting could be used in
any statement, not just "accept". Second, it would avoid the mental
contortions involved in remembering that the alternative verb changes after
endpass - with my syntax, the implicit alternative verb is the verb of the
outer statement.

Of course, this could be confused with the existing nesting mechanism,
which allows conditions like "acl = ...". When an acl nested like that
returns "deny", it's simply causes the current statement to pass. So, I
might be proposing an unholy mess here.

A simpler solution, requiring less coding but more social engineering
(education). Just remember that endpass means "but deny if". Perhaps a
synonymous keyword "butdenyif" could deprecate "endpass"?



> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK



--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


markdv.exim at asphyx

Aug 21, 2009, 9:56 AM

Post #10 of 13 (2165 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
Ian Eiloart wrote:
>
> --On 20 August 2009 16:32:40 +0100 Jethro R Binks
> <jethro.binks [at] strath> wrote:
>
>> On Thu, 20 Aug 2009, Todd Lyons wrote:
>>
>>> Why is it an accept? That whole endpass thing just never really made
>>> a whole lot of sense to me. Every time I have a case where I need to
>>> use it, I have to study the docs and figure it out step by step. It's
>>> not a natural thought process, and for some reason the knowledge
>>> doesn't stick around after I've implemented it. I'll just assume that
>>> I'm getting old and just can't remember crap anymore...
>> If it's any consolution, I made similar grumbles to PH a few years ago
>> about endpass, I always struggled to get my head around it, and like you,
>> had to keep re-reading the docs. He didn't disagree that it was
>> non-intuitive and awkward. :)
>
> so, according to the docs, endpass can only be used in an accept statement.
>
> accept condition a
> condition b
> endpass
> condition c
> condition d
>
> will either accept, deny or pass. It'll accept if all conditions are true.
> It'll pass if a or b are false. It'll deny if a and b are true, but c or d
> are false.
>
>
> a and b !(a and b)
> c or d true: accept pass
> c or d false: deny pass

No, that first one should be c _and_ d true. You said it yourself, "if
_all_ conditions are true".

> I think it's equivalent to nesting, like this:
> accept condition a
> condition b
> deny
> ! condition c
> ! condition d

So, no... More like:

accept condition a
condition b
require
condition c
condition d

> a and b !(a and b)
> c or d true: accept pass
> c or d false: deny pass
>
> is that true? if so, it might be a neater, and more general solution, to
> allow nesting of statements like this. Some additional syntax would be
> required to distinguish a nested statement from a following statement.

IMHO, I would not call it nesting so much as making-up-your-mind as to
what the statement should do.

> Perhaps, like this:
>
> accept condition a
> condition b
> but deny
> ! condition c
> ! condition d
>
> This would be simpler on two counts. First, the nesting could be used in
> any statement, not just "accept". Second, it would avoid the mental
> contortions involved in remembering that the alternative verb changes after
> endpass - with my syntax, the implicit alternative verb is the verb of the
> outer statement.

Could you give some examples of how how that would work using other
statements (and combinations) besides this alternative to what we
already have? I'm a little afraid that the you'll only create more/worse
"metal contortions" to go through.

>
> Of course, this could be confused with the existing nesting mechanism,
> which allows conditions like "acl = ...". When an acl nested like that
> returns "deny", it's simply causes the current statement to pass. So, I
> might be proposing an unholy mess here.

I think the "acl = .." mechanism already makes up for the otherwise
somewhat lacking flexibility of "flow-control" in ACLs. If anything,
perhaps I'd like the possibility to specify the acl in-line rather then
having to refer to a named one. Perhaps make a condition out of it,
allowing either a named or in-line acl. Like:

condition = ${acl:named_acl}

or in-line as:

condition = ${acl:
accept
condition...

deny
condition..

defer
etc...
}

Oh yeah, and lets make the parser smart enough to just ignore
line-breaks in places where it could just count braces to figure out
where the statement ends. I find having to tack "\" all over the place
somewhat negates the attempt to make stuff more readable by splitting it
over multiple lines. But I digress...

> A simpler solution, requiring less coding but more social engineering
> (education). Just remember that endpass means "but deny if". Perhaps a
> synonymous keyword "butdenyif" could deprecate "endpass"?

Think that would be better named "but deny _unless_ (also)"...

Having said all that, I think endpass really isn't all that hard to get
your head around. Granted, the word "endpass" is _anything_ _but_
intuitive, once you learn to think about what it actually does in some
other terms then it's not all that hard to remember.

accept
[pre-conditions]
endpass
[post-conditions]

What works for me is to just think of it as:

if( pre-conditions ) {
if( post-conditions ) {
return accept;
} else {
return deny;
}

In exim-ACL terms it is just a shorthand for the sequence:

accept
[pre-conditions]
[post-conditions]

deny
[pre-conditions]

And it should probably just be used as such. i.e. Never start out trying
to use endpass. Only use it as a shorthand when you find yourself having
written a sequence like that.

Oh, just one thing, I did not bother to check if the endpass and "long
version" are equivalent when you have conditions that can return "defer"
(like e.g. callout verification or dns lookups). YMMV.

Cheers,
Mark.

P.S. Or at least I think so... But my understanding of "endpass" has
been wrong plenty of times before too. :S



--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


iane at sussex

Aug 24, 2009, 4:02 AM

Post #11 of 13 (2113 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
--On 21 August 2009 18:56:13 +0200 MarkdV <markdv.exim [at] asphyx> wrote:

>
> Ian Eiloart wrote:
>>
>> --On 20 August 2009 16:32:40 +0100 Jethro R Binks
>> <jethro.binks [at] strath> wrote:
>>
>>> On Thu, 20 Aug 2009, Todd Lyons wrote:
>>>
>>>> Why is it an accept? That whole endpass thing just never really made
>>>> a whole lot of sense to me. Every time I have a case where I need to
>>>> use it, I have to study the docs and figure it out step by step. It's
>>>> not a natural thought process, and for some reason the knowledge
>>>> doesn't stick around after I've implemented it. I'll just assume that
>>>> I'm getting old and just can't remember crap anymore...
>>> If it's any consolution, I made similar grumbles to PH a few years ago
>>> about endpass, I always struggled to get my head around it, and like
>>> you, had to keep re-reading the docs. He didn't disagree that it was
>>> non-intuitive and awkward. :)
>>
>> so, according to the docs, endpass can only be used in an accept
>> statement.
>>
>> accept condition a
>> condition b
>> endpass
>> condition c
>> condition d
>>
>> will either accept, deny or pass. It'll accept if all conditions are
>> true. It'll pass if a or b are false. It'll deny if a and b are true,
>> but c or d are false.
>>
>>
>> a and b !(a and b)
>> c or d true: accept pass
>> c or d false: deny pass
>
> No, that first one should be c _and_ d true. You said it yourself, "if
> _all_ conditions are true".

quite right, it should be. Or. "! (c or d false)"

>
>> I think it's equivalent to nesting, like this:
>> accept condition a
>> condition b
>> deny
>> ! condition c
>> ! condition d
>
> So, no... More like:
>
> accept condition a
> condition b
> require
> condition c
> condition d

No, because "require c, d" passes when c or d are false. "deny !c, !d"
denies when c or d are false.

>> a and b !(a and b)
>> c or d true: accept pass
>> c or d false: deny pass

similarly here, that first line should start "! (c or d false)"

>> is that true? if so, it might be a neater, and more general solution, to
>> allow nesting of statements like this. Some additional syntax would be
>> required to distinguish a nested statement from a following statement.
>
> IMHO, I would not call it nesting so much as making-up-your-mind as to
> what the statement should do.

It should do what accept...endpass does. The problem is not the behaviour
of endpass, but the poor self-documentation that results from the lack of
clarity in meaning.

>> Perhaps, like this:
>>
>> accept condition a
>> condition b
>> but deny
>> ! condition c
>> ! condition d
>>
>> This would be simpler on two counts. First, the nesting could be used in
>> any statement, not just "accept". Second, it would avoid the mental
>> contortions involved in remembering that the alternative verb changes
>> after endpass - with my syntax, the implicit alternative verb is the
>> verb of the outer statement.
>
> Could you give some examples of how how that would work using other
> statements (and combinations) besides this alternative to what we already
> have? I'm a little afraid that the you'll only create more/worse "metal
> contortions" to go through.
>
>>
>> Of course, this could be confused with the existing nesting mechanism,
>> which allows conditions like "acl = ...". When an acl nested like that
>> returns "deny", it's simply causes the current statement to pass. So, I
>> might be proposing an unholy mess here.
>
> I think the "acl = .." mechanism already makes up for the otherwise
> somewhat lacking flexibility of "flow-control" in ACLs. If anything,
> perhaps I'd like the possibility to specify the acl in-line rather then
> having to refer to a named one. Perhaps make a condition out of it,
> allowing either a named or in-line acl. Like:

Well, you can't do what endpass does with "acl = ...", so you can't replace
endpass with anything there.

> condition = ${acl:named_acl}
>
> or in-line as:
>
> condition = ${acl:
> accept
> condition...
>
> deny
> condition..
>
> defer
> etc...
> }
>
> Oh yeah, and lets make the parser smart enough to just ignore line-breaks
> in places where it could just count braces to figure out where the
> statement ends. I find having to tack "\" all over the place somewhat
> negates the attempt to make stuff more readable by splitting it over
> multiple lines. But I digress...
>
>> A simpler solution, requiring less coding but more social engineering
>> (education). Just remember that endpass means "but deny if". Perhaps a
>> synonymous keyword "butdenyif" could deprecate "endpass"?
>
> Think that would be better named "but deny _unless_ (also)"...
>
> Having said all that, I think endpass really isn't all that hard to get
> your head around. Granted, the word "endpass" is _anything_ _but_
> intuitive, once you learn to think about what it actually does in some
> other terms then it's not all that hard to remember.
>
> accept
> [pre-conditions]
> endpass
> [post-conditions]
>
> What works for me is to just think of it as:
>
> if( pre-conditions ) {
> if( post-conditions ) {
> return accept;
> } else {
> return deny;
> }
>
> In exim-ACL terms it is just a shorthand for the sequence:
>
> accept
> [pre-conditions]
> [post-conditions]
>
> deny
> [pre-conditions]
>
> And it should probably just be used as such. i.e. Never start out trying
> to use endpass. Only use it as a shorthand when you find yourself having
> written a sequence like that.
>
> Oh, just one thing, I did not bother to check if the endpass and "long
> version" are equivalent when you have conditions that can return "defer"
> (like e.g. callout verification or dns lookups). YMMV.
>
> Cheers,
> Mark.
>
> P.S. Or at least I think so... But my understanding of "endpass" has been
> wrong plenty of times before too. :S

Which is exactly why some alternative is desirable!

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


markdv.exim at asphyx

Aug 25, 2009, 4:53 AM

Post #12 of 13 (2066 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
Ian Eiloart wrote:
>
> --On 21 August 2009 18:56:13 +0200 MarkdV <markdv.exim [at] asphyx> wrote:
>
>> Ian Eiloart wrote:
>>> --On 20 August 2009 16:32:40 +0100 Jethro R Binks
>>> <jethro.binks [at] strath> wrote:
>>>
>>>> On Thu, 20 Aug 2009, Todd Lyons wrote:
>>>>
>>>>> Why is it an accept? That whole endpass thing just never really made
>>>>> a whole lot of sense to me. Every time I have a case where I need to
>>>>> use it, I have to study the docs and figure it out step by step. It's
>>>>> not a natural thought process, and for some reason the knowledge
>>>>> doesn't stick around after I've implemented it. I'll just assume that
>>>>> I'm getting old and just can't remember crap anymore...
>>>> If it's any consolution, I made similar grumbles to PH a few years ago
>>>> about endpass, I always struggled to get my head around it, and like
>>>> you, had to keep re-reading the docs. He didn't disagree that it was
>>>> non-intuitive and awkward. :)
>>> so, according to the docs, endpass can only be used in an accept
>>> statement.
>>>
>>> accept condition a
>>> condition b
>>> endpass
>>> condition c
>>> condition d
>>>
>>> will either accept, deny or pass. It'll accept if all conditions are
>>> true. It'll pass if a or b are false. It'll deny if a and b are true,
>>> but c or d are false.
>>>
>>>
>>> a and b !(a and b)
>>> c or d true: accept pass
>>> c or d false: deny pass
>> No, that first one should be c _and_ d true. You said it yourself, "if
>> _all_ conditions are true".
>
> quite right, it should be. Or. "! (c or d false)"
>
>>> I think it's equivalent to nesting, like this:
>>> accept condition a
>>> condition b
>>> deny
>>> ! condition c
>>> ! condition d
>> So, no... More like:
>>
>> accept condition a
>> condition b
>> require
>> condition c
>> condition d
>
> No, because "require c, d" passes when c or d are false. "deny !c, !d"
> denies when c or d are false.

IMHO what endpass does now resembles "require", because like require it
requires all conditions to be true otherwise it will reject. That's why
I thought require instead of deny.

deny
! cond c
! cond d

Will only deny if both c and d are false. Where endpass as we know it
will cause a deny if either of the conditions are false. See what I mean?

"!c and !d" is not the same as "!(c and d)". The former is what your
deny does, the latter can't be done with deny but is what require does.

> It should do what accept...endpass does.

Hmm.. wait. Maybe I misunderstood you, are you talking about a different
kind of modifier(s) for accept only? Or allow those modifiers to also be
applied to other statements (deny/require/warn)? I thought you meant the
latter...

>The problem is not the behaviour
> of endpass, but the poor self-documentation that results from the lack of
> clarity in meaning.

Agreed there. ;)

Cheers,
Mark.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


iane at sussex

Aug 26, 2009, 2:19 AM

Post #13 of 13 (2037 views)
Permalink
Re: mail relay - null or empty Envelope Sender problem... [In reply to]
--On 25 August 2009 13:53:31 +0200 MarkdV <markdv.exim [at] asphyx> wrote:

>
> Ian Eiloart wrote:
>>
>> --On 21 August 2009 18:56:13 +0200 MarkdV <markdv.exim [at] asphyx> wrote:
>>
>>> Ian Eiloart wrote:
>>>> --On 20 August 2009 16:32:40 +0100 Jethro R Binks
>>>> <jethro.binks [at] strath> wrote:
>>>>
>>>>> On Thu, 20 Aug 2009, Todd Lyons wrote:
>>>>>
>>>>>> Why is it an accept? That whole endpass thing just never really made
>>>>>> a whole lot of sense to me. Every time I have a case where I need to
>>>>>> use it, I have to study the docs and figure it out step by step.
>>>>>> It's not a natural thought process, and for some reason the knowledge
>>>>>> doesn't stick around after I've implemented it. I'll just assume
>>>>>> that I'm getting old and just can't remember crap anymore...
>>>>> If it's any consolution, I made similar grumbles to PH a few years ago
>>>>> about endpass, I always struggled to get my head around it, and like
>>>>> you, had to keep re-reading the docs. He didn't disagree that it was
>>>>> non-intuitive and awkward. :)
>>>> so, according to the docs, endpass can only be used in an accept
>>>> statement.
>>>>
>>>> accept condition a
>>>> condition b
>>>> endpass
>>>> condition c
>>>> condition d
>>>>
>>>> will either accept, deny or pass. It'll accept if all conditions are
>>>> true. It'll pass if a or b are false. It'll deny if a and b are true,
>>>> but c or d are false.
>>>>
>>>>
>>>> a and b !(a and b)
>>>> c or d true: accept pass
>>>> c or d false: deny pass
>>> No, that first one should be c _and_ d true. You said it yourself, "if
>>> _all_ conditions are true".
>>
>> quite right, it should be. Or. "! (c or d false)"
> >
>>>> I think it's equivalent to nesting, like this:
>>>> accept condition a
>>>> condition b
>>>> deny
>>>> ! condition c
>>>> ! condition d
>>> So, no... More like:
>>>
>>> accept condition a
>>> condition b
>>> require
>>> condition c
>>> condition d
>>
>> No, because "require c, d" passes when c or d are false. "deny !c, !d"
>> denies when c or d are false.
>
> IMHO what endpass does now resembles "require", because like require it
> requires all conditions to be true otherwise it will reject. That's why I
> thought require instead of deny.
>
> deny
> ! cond c
> ! cond d
>
> Will only deny if both c and d are false. Where endpass as we know it
> will cause a deny if either of the conditions are false. See what I mean?
>
> "!c and !d" is not the same as "!(c and d)". The former is what your deny
> does, the latter can't be done with deny but is what require does.

Right, "!c and !d" == "!(c or d)", which is why I negated those two
conditions. But you're right about require. "require !a" == "deny a", so
"require (c and d)" == "deny (!c or !d)"

So, I think I prefer your suggestion since it uses less logical negation.

>> It should do what accept...endpass does.
>
> Hmm.. wait. Maybe I misunderstood you, are you talking about a different
> kind of modifier(s) for accept only? Or allow those modifiers to also be
> applied to other statements (deny/require/warn)? I thought you meant the
> latter...

I was discussing both ideas, I think. "endpass" is only valid with
"accept". So, a replacement is only required to work with "accept".
However, a more general solution might be desirable. I guess that with a
general solution, one could use require or deny depending on whether the
condition is naturally positive (list membership) or naturally negative
(list non-members).

>> The problem is not the behaviour
>> of endpass, but the poor self-documentation that results from the lack
>> of clarity in meaning.
>
> Agreed there. ;)
>
> Cheers,
> Mark.



--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

exim users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.