Mailing List Archive

unable to use $home variable in accept router?!
Hi
I've spent several hours studying the Exim documentation (chapter 15,
16 etc.) and trying to understand why the following router doesn't
work reliably on different systems. As far as I understood, the $home
variable should always be set when check_local_user is being executed.
The result could then be used in a following pre-condition check.

Although the debug_print shows that the variable has been set,
the following condition statement fails.

I have the impression that this problem only happens if an accept
router is used, but a redirect router doesn't run into that problem?!

localuser_maildir:
  driver = accept
  check_local_user
  debug_print = DEBUG-HOME:$home:
  condition = ${if exists{$home/.imapmail/cur}}
  transport = local_delivery_maildir

Trace:

25242 --------> localuser_maildir router <--------
25242 local_part=tom domain=my-domain.dom
25242 checking for local user
25242 seeking password data for user "tom": cache not available
25242 getpwnam() succeeded uid=2001 gid=100
25242 DEBUG-HOME:/home/tom:
25242 checking "condition" "${if exists{$home/.imapmail/cur}}"...
25242 localuser_maildir router skipped: condition failure
25242 --------> unknown_user router <--------

Does anyone have an idea why the condition fails and what needs to
be done to get it running?

Thank you in advance for your help!

Regards
Juergen

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: unable to use $home variable in accept router?!
On Wed, 14 Oct 2020, Jürgen Edner via Exim-users wrote:

> Hi
> I've spent several hours studying the Exim documentation (chapter 15,
> 16 etc.) and trying to understand why the following router doesn't
> work reliably on different systems. As far as I understood, the $home
> variable should always be set when check_local_user is being executed.
> The result could then be used in a following pre-condition check.
>
> Although the debug_print shows that the variable has been set,
> the following condition statement fails.
>
> I have the impression that this problem only happens if an accept
> router is used, but a redirect router doesn't run into that problem?!
>
> localuser_maildir:
>   driver = accept
>   check_local_user
>   debug_print = DEBUG-HOME:$home:
>   condition = ${if exists{$home/.imapmail/cur}}
>   transport = local_delivery_maildir
>
> Trace:
>
> 25242 --------> localuser_maildir router <--------
> 25242 local_part=tom domain=my-domain.dom
> 25242 checking for local user
> 25242 seeking password data for user "tom": cache not available
> 25242 getpwnam() succeeded uid=2001 gid=100
> 25242 DEBUG-HOME:/home/tom:
> 25242 checking "condition" "${if exists{$home/.imapmail/cur}}"...
> 25242 localuser_maildir router skipped: condition failure
> 25242 --------> unknown_user router <--------
>
> Does anyone have an idea why the condition fails and what needs to
> be done to get it running?

Stupid questions first:

Does /home/tom/.imapmail/cur exist ?
Does the user/group under which exim is running have 'x' permissions on
/home/tom/ and /home/tom/.imapmail ?

i.e. can we see the result of
ls -ld /home/tom /home/tom/ /home/tom/.imapmail /home/tom/.imapmail/cur
please ?

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: unable to use $home variable in accept router?!
On 14/10/2020 19:25, Jürgen Edner via Exim-users wrote:
> localuser_maildir:
>   driver = accept
>   check_local_user
>   debug_print = DEBUG-HOME:$home:
>   condition = ${if exists{$home/.imapmail/cur}}
>   transport = local_delivery_maildir
>
> Trace:
>
> 25242 --------> localuser_maildir router <--------
> 25242 local_part=tom domain=my-domain.dom
> 25242 checking for local user
> 25242 seeking password data for user "tom": cache not available
> 25242 getpwnam() succeeded uid=2001 gid=100
> 25242 DEBUG-HOME:/home/tom:
> 25242 checking "condition" "${if exists{$home/.imapmail/cur}}"...
> 25242 localuser_maildir router skipped: condition failure
> 25242 --------> unknown_user router <--------
>
> Does anyone have an idea why the condition fails and what needs to
> be done to get it running?

Presumably you know there is actually a file or directory by that name?

Assuming yes: next step is a repeat of your debug run but with +expand
added, so we see the "if exists" being expanded. Maybe the default
actions for the missing yes/no result cases are not working right.


After that, I guess the next step would be an strace to show the actual
"stat" syscall being done, so we can tell if it correctly ran that
bit of the expansion (I don't see why not, but we're into that level
of distrust) and what the return value from the OS was.
--
Cheers,
Jeremy

Re: unable to use $home variable in accept router?!
Hi Andrew, hi Jeremy,

>> localuser_maildir:
>>   driver = accept
>>   check_local_user
>>   debug_print = DEBUG-HOME:$home:
>>   condition = ${if exists{$home/.imapmail/cur}}
>>   transport = local_delivery_maildir
>> ...
>> Does anyone have an idea why the condition fails and what needs to
>> be done to get it running?
> Presumably you know there is actually a file or directory by that name?
>
> Assuming yes: next step is a repeat of your debug run but with +expand
> added, so we see the "if exists" being expanded. Maybe the default
> actions for the missing yes/no result cases are not working right.

yes, the directory definitely exists, but I think your hints are
already leading me in the right direction. It seems that the
problem is definitely caused by insufficient access rights.

1. The access rights of the users home and all sub directories
are 0700, owned by the user, by default. The exim user, under
which the daemon is running, therefore cannot access the
directory.

# ls -ld /home/tom /home/tom/.imapmail /home/tom/.imapmail/cur
drwx------ 13 tom users 12288 Oct 10 01:47 /home/tom
drwx------ 12 tom users 4096 Oct 10 01:47 /home/tom/.imapmail
drwx------ 2 tom users 4096 Sep 23 19:18 /home/tom/.imapmail/cur

For testing purposes I changed the access rights to 0701 and the
condition doesn't run into an error anymore.

2. Nevertheless I questioned myself why the same check is working
as expected on another server but not on this one. I found out,
that if I send an email from a local user to another local user
WITHOUT sender authentication the condition check fails:

20475 --------> localuser_maildir router <--------
20475 local_part=tom domain=my-domain.dom
20475 checking for local user
20475 seeking password data for user "tom": cache not available
20475 getpwnam() succeeded uid=2001 gid=100
20475 checking "condition" "${if exists{$home/.imapmail/cur}}"...
20475 ╭considering: ${if exists{$home/.imapmail/cur}}
20475 ├considering: $home/.imapmail/cur}}
20475 ├──expanding: $home/.imapmail/cur
20475 ├─────result: /home/dumbo/.imapmail/cur
20475 ├──condition: exists{$home/.imapmail/cur}
20475 ├─────result: false
20475 ├──expanding: ${if exists{$home/.imapmail/cur}}
20475 ╰─────result:
20475 localuser_maildir router skipped: condition failure # <<<!!!
20475 --------> unknown_user router <--------

3. If I send an email from a local user to another local user
WITH sender authentication the condition check succeeds:

17647 --------> localuser_maildir router <--------
17647 local_part=tom domain=my-domain.dom
17647 checking for local user
17647 seeking password data for user "tom": cache not available
17647 getpwnam() succeeded uid=2001 gid=100
17647 checking "condition" "${if exists{$home/.imapmail/cur}}"...
17647 ╭considering: ${if exists{$home/.imapmail/cur}}
17647 ├considering: $home/.imapmail/cur}}
17647 ├──expanding: $home/.imapmail/cur
17647 ├─────result: /home/dumbo/.imapmail/cur
17647 ├──condition: exists{$home/.imapmail/cur}
17647 ├─────result: true
17647 ├──expanding: ${if exists{$home/.imapmail/cur}}
17647 ╰─────result: true
17647 calling localuser_maildir router # <<<!!!
17647 localuser_maildir router called for tom@privatnet.lan
17647 ...

My conclusion is that although the check_local_user function is called
and the local user is found (getpwnam() succeeded uid=2001 gid=100) and
the $home variable is set correctly, the access privileges are not
changed for the following exists command, which results in a condition
failure.

I've also tried to replace the "condition" by a "require_files"
statement, but this doesn't work either. So it seems that there is
no way to use this condition check in combination with an
unauthenticated delivery, unless I alter the directory access
rights.

Regards
Juergen
--
Re: unable to use $home variable in accept router?!
On Thu, 15 Oct 2020, Jürgen Edner via Exim-users wrote:

> My conclusion is that although the check_local_user function is called
> and the local user is found (getpwnam() succeeded uid=2001 gid=100) and the
> $home variable is set correctly, the access privileges are not
> changed for the following exists command, which results in a condition
> failure.
>
> I've also tried to replace the "condition" by a "require_files" statement,
> but this doesn't work either. So it seems that there is
> no way to use this condition check in combination with an unauthenticated
> delivery, unless I alter the directory access
> rights.

Routers and transports have the options "user" and "group" (chapters
15 and 24) which allow you to change the user/group that exim runs as
for these actions. For example, the procmail example in chapter 29.6
includes the lines
user = $local_part_data
group = mail


--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: unable to use $home variable in accept router?!
Hi Andrew,

>> I've also tried to replace the "condition" by a "require_files"
>> statement, but this doesn't work either. So it seems that there is
>> no way to use this condition check in combination with an
>> unauthenticated delivery, unless I alter the directory access
>> rights.
>
> Routers and transports have the options "user" and "group" (chapters 15
> and 24) which allow you to change the user/group that exim runs as
> for these actions. For example, the procmail example in chapter 29.6
> includes the lines
>   user = $local_part_data
>   group = mail

I've also tried that but without success. I think the strace confirms
that the condition check isn't run with the previously looked-up access
rights (uid=2001 gid=100). Whether this is the expected/correct behavior
can only be answered by Jeremy:

write(2, " 3255 getpwnam() succeeded uid=2001 gid=100\n", 44) = 44
getpid() = 3255
write(2, " 3255 checking \"condition\" \"${if exists{$home/.imapmail/cur}}\"...\n", 66) = 66
stat("/home/tom/.imapmail/cur", 0x7fff58dba500) = -1 EACCES (Permission denied)
getpid() = 3255
write(2, " 3255 localuser_maildir router skipped: condition failure\n", 58) = 58

Cheers,
Juergen
--
Re: unable to use $home variable in accept router?!
On 15/10/2020 15:04, Andrew C Aitchison via Exim-users wrote:
> Routers and transports have the options "user" and "group" (chapters 15
> and 24) which allow you to change the user/group that exim runs as
> for these actions.

Not quite. They set up the user/group which will be used for the final
delivery. Specifically, they do not affect the environment in which
the router runs.

Note that while routing is in progress we do not necessarily have
a "final" username.

As with other parts of exim operations: if you want to access a file,
it has to be accessible by the UID exim runs as. This usually has
a name such as "mail" or "exim".
--
Cheers,
Jeremy

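The two diagnostic questions in this thread (Andrew's "does the exim user have 'x' on /home/tom and /home/tom/.imapmail?" and Jeremy's closing point that the router's exists{} stat() runs as the exim UID, not as the local user) boil down to one Unix rule: stat() needs search permission on every directory component of the path, while the final entry only has to exist. The script below is an added example written for this page, not code from the thread or from Exim. It evaluates the mode bits of each parent directory against a given uid and gid set the way the kernel's DAC check does, so it can answer "would this identity get EACCES here?" without root or without actually switching UID. The directory tree, the "tom" and "exim" identities and the "home/tom/.imapmail/cur" layout are constructed for the demo; on a real host you would pass base "/", the real maildir path and the ids from pwd.getpwnam("exim") plus os.getgrouplist(). POSIX ACLs, SELinux/AppArmor and capabilities are not modelled.

```python
"""Added example, not part of the exim-users thread: explain EACCES on stat()
by evaluating classic Unix permission bits for an arbitrary uid/gid set."""
import os
import tempfile
from typing import Dict, Iterable, List


def applicable_bits(st: os.stat_result, uid: int, gids: Iterable[int]) -> int:
    """Classic DAC class selection: owner bits if uid owns the inode, else group
    bits if any of the caller's gids matches, else the 'other' bits (rwx triplet)."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 0o7
    if st.st_gid in set(gids):
        return (st.st_mode >> 3) & 0o7
    return st.st_mode & 0o7


def blocked_dirs(base: str, target: str, uid: int, gids: Iterable[int]) -> List[str]:
    """Directories strictly below `base` and above `target` on which uid/gids lack
    search ('x') permission. A stat(target) by that identity fails with EACCES at
    the first such directory; the last path component itself only has to exist.
    `base` is assumed to be traversable (use '/' on a real system)."""
    if uid == 0:
        return []  # root bypasses DAC search checks (CAP_DAC_READ_SEARCH)
    rel = os.path.relpath(target, base)
    parts = [] if rel == os.curdir else rel.split(os.sep)[:-1]
    blocked, cur = [], base
    for part in parts:
        cur = os.path.join(cur, part)
        if not applicable_bits(os.stat(cur), uid, gids) & 0o1:
            blocked.append(cur)
    return blocked


def exists_for(base: str, target: str, uid: int, gids: Iterable[int]) -> bool:
    """What Exim's ${if exists{target}} would yield if evaluated as uid/gids:
    true only when the entry exists AND every parent directory is searchable."""
    return os.path.exists(target) and not blocked_dirs(base, target, uid, gids)


def demo() -> Dict[str, object]:
    """Constructed sample tree mirroring the thread: home/tom/.imapmail/cur, all
    0700 and owned by the current user (playing 'tom'). The 'exim' identity is
    an assumed uid/gid that is neither the owner nor in the owning group."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "home", "tom")
        imap = os.path.join(home, ".imapmail")
        cur = os.path.join(imap, "cur")
        os.makedirs(cur)
        os.chmod(os.path.join(base, "home"), 0o755)   # /home is normally world-searchable
        for d in (home, imap, cur):
            os.chmod(d, 0o700)                        # distro default for new homes
        owner = os.stat(home)
        tom_uid, tom_gids = owner.st_uid, [owner.st_gid]
        exim_uid, exim_gids = owner.st_uid + 1, [owner.st_gid + 1]  # assumed ids
        out: Dict[str, object] = {
            "tom_sees_cur": exists_for(base, cur, tom_uid, tom_gids),
            "exim_sees_cur_at_0700": exists_for(base, cur, exim_uid, exim_gids),
            "exim_blocked_at_0700": [
                os.path.relpath(p, base) for p in blocked_dirs(base, cur, exim_uid, exim_gids)
            ],
        }
        # The change the poster tested: search bit for 'other' on the two parents.
        for d in (home, imap):
            os.chmod(d, 0o701)
        out["exim_sees_cur_at_0701"] = exists_for(base, cur, exim_uid, exim_gids)
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the demo, "tom" sees the maildir but the "exim" identity is blocked at both home/tom and home/tom/.imapmail until those two directories get the 'x' bit for others, which reproduces the EACCES in the strace above. Note what 0701 on a home directory means: every local account can now traverse into it and stat or open any file whose name it can guess, even though it cannot list the directory. If the only consumer is the MTA, granting search permission through a group (chgrp to the exim daemon's group and mode 0710 on just those two directories) is the narrower fix; that variant is not shown here, since the demo cannot chgrp without privileges.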