
EXPN and :fail:
In exim4 (4.34) I observe that when I set a custom error message using
:fail: in /etc/aliases (or using the fail command in an exim filter),
I see the custom message in the result of a VRFY command, and in the
result of a RCPT command (if the relevant ACL doesn't override the
message, or incorporates $acl_verify_message into its override) but I
don't see it in the result of an EXPN command, and it looks like there's
currently no way of configuring EXPN to show it. Is that by design?

For comparison, I observe that exim3 (3.35) shows the :fail: message for
all three commands, but shows a filter fail message only for EXPN, not
for VRFY or RCPT.

AMC
Re: EXPN and :fail:
[Reply-to set to the exim-users list, which is the better home for this
discussion, if there's any more to be had. The exim-dev list is
currently for discussion of the Exim development process itself.]

On Wed, 26 Jan 2005, Adam M. Costello wrote:

> In exim4 (4.34) I observe that when I set a custom error message using
> :fail: in /etc/aliases (or using the fail command in an exim filter),
> I see the custom message in the result of a VRFY command, and in the
> result of a RCPT command (if the relevant ACL doesn't override the
> message, or incorporates $acl_verify_message into its override) but I
> don't see it in the result of an EXPN command, and it looks like there's
> currently no way of configuring EXPN to show it. Is that by design?

Probably by accident. My natural instinct is to think that nobody
permits the use of EXPN any more, so it is not in my consciousness.

> For comparison, I observe that exim3 (3.35) shows the :fail: message for
> all three commands,

Thanks for pointing out this anomaly. I'll check them all out in the
current source code, and fix the problem, as it seems reasonable that
EXPN should show the error. Unless I find some buried comment in the
code which explains why a change was made. If so, I'll document it.

This may or may not happen before the 4.50 release, as I'm about to be
away.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Re: EXPN and :fail:
On Wed, 26 Jan 2005, Adam M. Costello wrote:

> For comparison, I observe that exim3 (3.35) shows the :fail: message for
> all three commands, but shows a filter fail message only for EXPN, not
> for VRFY or RCPT.

Just had time to take a quick look at the code. The change does seem to
be deliberate, though I cannot find any documentation of when or why it
happened. However, the change is there in Exim 4.00, so I think it must
date from the great 3->4 upheaval, where a lot of individual changes
didn't get noted.

For release 4.11, the additional restriction of requiring the caller to
be an admin user was added. The ChangeLog for this mentions only defer
rather than hard errors, but the change was made for both.

The reason for the restriction was to prevent "private" information
escaping. At the level this is output, all Exim knows is that
verification failed, and here is the error message. It no longer knows
that it was specifically :fail: that generated the message. The problem
is that the message might be something internal such as a failed
expansion, and that might contain, for example, LDAP password
information.

[I'm now offline for the best part of a week.]

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
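The point made in the post above, as a constructed model added here (not Exim's code): by the time the SMTP layer formats a reply it holds only "verification failed" plus a message, and cannot tell a :fail: text from an internal diagnostic such as a failed LDAP lookup expansion. The alias table, the `baz` entry, the bind string and the reply wording are all assumptions made for the example.

```python
"""Constructed model of the EXPN/VRFY behaviour discussed in the thread.

Routing hands back only (failed, message); the reply formatter cannot see
whether that text came from a :fail: alias or from an internal error, so
EXPN suppresses failure text wholesale while VRFY/RCPT reveal it.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed alias table. 'baz' stands in for an alias whose expansion
# fails and whose internal error text echoes the LDAP query and bind data.
ALIASES = {
    "foo": "user@domain",
    "bar": ":fail: reason for failure",
    "baz": "${lookup ldap{ldap://ldap.example/??sub?(uid=baz)}{$value}fail}",
}
LDAP_BIND = "user=cn=admin,dc=example pass=S3cretBindPw"  # constructed secret


@dataclass
class RouteResult:
    failed: bool
    message: str = ""
    addresses: List[str] = field(default_factory=list)


def route(local_part: str) -> RouteResult:
    """Expand one alias; a failure carries whatever text the failing layer produced."""
    target = ALIASES.get(local_part)
    if target is None:
        return RouteResult(True, "unknown user")
    if target.startswith(":fail:"):
        return RouteResult(True, target[len(":fail:"):].strip())
    if target.startswith("${lookup ldap"):
        # Simulated internal failure: the diagnostic includes the connection
        # details, credentials and all. Indistinguishable from :fail: here.
        return RouteResult(True, f"failed to expand {target}: bind {LDAP_BIND} refused")
    return RouteResult(False, addresses=[target])


def smtp_reply(command: str, local_part: str) -> str:
    """VRFY/RCPT echo the failure text; EXPN returns a generic 550 instead."""
    res = route(local_part)
    if not res.failed:
        return "250 " + ", ".join(res.addresses)
    if command.upper() in ("VRFY", "RCPT"):
        return "550 " + res.message
    if command.upper() == "EXPN":
        return "550 Expansion failed"  # constructed wording; origin of text unknown
    raise ValueError(f"unsupported command {command!r}")


def leaks_credential(reply: str) -> bool:
    """Check used below to show which reply path exposes the bind password."""
    return "pass=" in reply
```

Run the two commands against `baz` to see why a blanket rule is the safe default: only the EXPN path stays clean, because the formatter has no way to pass :fail: text through while holding back the diagnostic.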
Re: EXPN and :fail:
On Thu, 27 Jan 2005, Philip Hazel wrote:

> > In exim4 (4.34) I observe that when I set a custom error message using
> > :fail: in /etc/aliases (or using the fail command in an exim filter),
> > I see the custom message in the result of a VRFY command, and in the
> > result of a RCPT command (if the relevant ACL doesn't override the
> > message, or incorporates $acl_verify_message into its override) but I
> > don't see it in the result of an EXPN command, and it looks like there's
> > currently no way of configuring EXPN to show it. Is that by design?
>
> Probably by accident. My natural instinct is to think that nobody
> permits the use of EXPN any more, so it is not in my consciousness.

> Thanks for pointing out this anomaly. I'll check them all out in the
> current source code, and fix the problem, as it seems reasonable that
> EXPN should show the error. Unless I find some buried comment in the
> code which explains why a change was made. If so, I'll document it.

On looking at the code, it seems to be quite deliberate. The data from
:fail: is shown only when the address verification is NOT from EXPN. I
suspect that the reasoning is to reduce the amount of information
leakage when EXPN is permitted, but there is no comment in the code
giving any reasoning. I will document the restriction.

Regards,
Philip

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Re: EXPN and :fail:
Philip Hazel <ph10@cus.cam.ac.uk> wrote:

> The data from :fail: is shown only when the address verification is
> NOT from EXPN. I suspect that the reasoning is to reduce the amount
> of information leakage when EXPN is permitted, but there is no comment
> in the code giving any reasoning.

I realize that this whole issue isn't very important, but anyway...

I don't understand the reasoning. If my aliases file contains:

alias foo user@domain
alias bar :fail: reason for failure

and I've enabled EXPN, then "EXPN foo" will show "user@domain", but
"EXPN bar" won't show "reason for failure"? Why would anyone
want that behavior?

(But now I'll shut up about this until I care enough to write a patch.)

AMC
Re: EXPN and :fail:
Please note that if we go back to having deliberately obfuscated
addresses in basic headers I will change the sesame exim config to do
header checking (or more easily, just not approve this stuff when it
gets moderated by Mailman).

Nigel.
--
[ Nigel Metheringham Nigel.Metheringham@InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
Re: EXPN and :fail:
On Thu, 17 Feb 2005, Adam M. Costello wrote:

> I don't understand the reasoning.

I'm afraid I can no longer reproduce the reasoning (if there was any
:-). Let's not try to re-hash the history.

> and I've enabled EXPN, then "EXPN foo" will show "user@domain", but
> "EXPN bar" won't show "reason for failure"? Why would anyone
> want that behavior?

Probably not; but there are other causes of failure and maybe that was
what was in my mind. By the time it is showing the result of routing,
there is no indication where the message came from. :fail: isn't the
only possible source. But as I said, I can't actually remember.

> (But now I'll shut up about this until I care enough to write a patch.)

:-)

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book: http://www.uit.co.uk/exim-book