Mailing List Archive

failed to expand ACL string after upgrade
Hi,

after updating to Ubuntu 22.10 (upgrading exim from 4.95-4ubuntu2.2 to 4.96-3ubuntu1.1), SPF checks (via spf-tools-perl) are failing with "failed to expand ACL string" (which leads to a temp reject):

2022-12-03 15:40:48 H=SENDER_HOST (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT <RCPT_ADDRESS>:
failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom --identity
${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command
"/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at end of string

It fails on expanding the condition, which is part of the exim configuration from Ubuntu/Debian:

--cut exim configuration
deny
message = [SPF] $sender_host_address is not allowed to send mail from \
${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
Please see \
http://www.openspf.org/Why?scope=${if def:sender_address_domain \
{mfrom}{helo}};identity=${if def:sender_address_domain \
{$sender_address}{$sender_helo_name}};ip=$sender_host_address
log_message = SPF check failed.
!acl = acl_local_deny_exceptions
condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
${quote:$sender_host_address} --identity \
${if def:sender_address_domain \
{--scope mfrom --identity ${quote:$sender_address}}\
{--scope helo --identity ${quote:$sender_helo_name}}}}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}
--cut

I double checked parentheses and can't find any missing. Logged all variables used in the query; everything is defined and set properly (I could run spfquery.mail-spf-perl with the params provided without any issues). I am not able to find a syntax error (especially not the missing "}" mentioned in the error message). Use of tainted $sender_address and $sender_helo_name in run should not be an issue (according to https://www.exim.org/exim-html-current/doc/html/spec_html/ch-string_expansions.html#vi382).

Is there something I'm missing/overlooking? Any help appreciated.

Regards,
Thomas



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: failed to expand ACL string after upgrade
On 03/12/2022 16:39, exim-users--- via Exim-users wrote:
> It fails on expanding the condition, which is part of the exim configuration from Ubuntu/Debian:

>   deny

>     condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
>                    ${quote:$sender_host_address} --identity \
>                    ${if def:sender_address_domain \
>                        {--scope mfrom  --identity ${quote:$sender_address}}\
>                        {--scope helo --identity ${quote:$sender_helo_name}}}}\
>                    {no}{${if eq {$runrc}{1}{yes}{no}}}}

The docs for ${run } say:

If the option preexpand is not used, the command string is
split into individual arguments by spaces and then each argument is expanded.

- so that expansion is questionable around the ${if }'s. But that doesn't explain
the complaint about ${quote:$sender_host_address}.

You could play with "exim -d -be" (replacing variables with suitable values)
to trace the evaluation of the expansion. Or you could just slam in a
"preexpand" option to see what happens.

Either way, the maintainers of that config probably need to know (if they've not
already made some modification which you've not picked up).
--
Cheers,
Jeremy


Re: failed to expand ACL string after upgrade
On 2022-12-03 exim-users--- via Exim-users <exim-users@exim.org> wrote:
> Hi,

> after updating to Ubuntu 22.10 (upgrading exim from 4.95-4ubuntu2.2 to
> 4.96-3ubuntu1.1), SPF checks (via spf-tools-perl) are failing with "failed
> to expand ACL string" (which leads to a temp reject):
[...]

Hello,

I could not quickly find the problem, however exim4-daemon-heavy 4.95
and later should be linked against libspf2 and the default configuration
would use
spf = fail
instead of "condition = ${run{/usr/bin/spfquery.mail ..."

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Re: failed to expand ACL string after upgrade
On 3 December 2022 18:05:05 UTC, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:

>- so that expansion is questionable around the ${if }'s. But that doesn't explain
>the complaint about ${quote:$sender_host_address}.

It fails (v4.96) with the same error even with an expansion as simple as:

${run{/bin/echo ${quote:aaa}}}

The debug shows argv[1] without the closing "}", thus there is a problem
with parsing which IMO consumes the closing } too early. I would guess that
the parsing considers the first "}" occurrence as closing the particular ${run} part.

With preexpand it works as expected, but it is not the default mode and,
by the docs, space-separated parts would be expanded separately in default
mode.

regards


--
Slavko
https://www.slavino.sk/

Re: failed to expand ACL string after upgrade
Hi Jeremy,

thanks for picking this up.

On 03.12.22 19:05, Jeremy Harris via Exim-users wrote:

>> It fails on expanding the condition, which is part of the exim configuration from Ubuntu/Debian:
>>
>>    deny
>>
>>      condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
>>                     ${quote:$sender_host_address} --identity \
>>                     ${if def:sender_address_domain \
>>                         {--scope mfrom  --identity ${quote:$sender_address}}\
>>                         {--scope helo --identity ${quote:$sender_helo_name}}}}\
>>                     {no}{${if eq {$runrc}{1}{yes}{no}}}}
>
> The docs for ${run } say:
>
>      If the option preexpand is not used, the command string is
>      split into individual arguments by spaces and then each argument is expanded.
>
> - so that expansion is questionable around the ${if }'s.  But that doesn't explain
> the complaint about ${quote:$sender_host_address}.

That expansion worked for years in my setup.

> You could play with "exim -d -be" (replacing variables with suitable values,
> to trace the evaluation of the expansion.

Stripping it down (removing the if and all quotes) to the following condition works:

condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
$sender_host_address --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}

As soon as one ${quote: ...} is added, the missing "}" error appears:

condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
${quote:$sender_host_address} --identity \
--scope mfrom --identity sender_address}\
{no}{${if eq {$runrc}{1}{yes}{no}}}}

Corresponding line in the log:
2022-12-03 21:41:55 H=SENDER_HOSTNAME (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT
<RCPT_ADDRESS>: failed to expand ACL string "${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity --scope mfrom --identity sender_address}{no}{${if eq
{$runrc}{1}{yes}{no}}}}": Expansion of "${quote:$sender_host_address" from command "/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address" in ${run} expansion failed: missing } at
end of string

> Or you could just slam in a "preexpand" option to see what happens.

Adding the preexpand option leads to another error:
2022-12-03 20:41:46 Attempt to exec tainted path: '/usr/bin/spfquery.mail-spf-perl'
2022-12-03 20:41:46 H=SENDER_HOSTNAME (SENDER_HELO) [SENDER_IP] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no F=<SENDER_ADDRESS> temporarily rejected RCPT
<RCPT_ADDRESS>: failed to expand ACL string "${run,preexpand{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address} --identity ${if def:sender_address_domain {--scope mfrom
--identity ${quote:$sender_address}}{--scope helo --identity ${quote:$sender_helo_name}}}}{no}{${if eq {$runrc}{1}{yes}{no}}}}": couldn't create child process: Operation not permitted

> Either way, the maintainers of that config probably need to know (if they've not
> already made some modification which you've not picked up).

Checked the default config from the Ubuntu package (exim4-config, 4.96-3ubuntu1.1); it provides the condition as given earlier in the thread. I will file a bug in Ubuntu's bug tracker to let the maintainers know.

Regards,

Thomas

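The two observations above (Slavko's guess that the parser takes the first "}" as the end of the ${run} command, and Thomas's reduction showing that a single ${quote:...} is enough to trigger the "missing }" error) can be modelled in a few lines. The following is an added illustration written for this archive, not Exim's source code; the function names, the one-line WITH_IF string and the exact wording of the error are constructed here. It contrasts a naive "first closing brace" scan with a depth-counting scan for the end of the command argument, then applies the space-splitting that the ${run} docs describe for the non-preexpand mode.

```python
# Constructed model of how the end of the command argument in a
# ${run{command}{yes}{no}} expansion is located. Not Exim's code; names
# and error text are made up for this illustration.

CMD_PREFIX = "${run{"


def naive_command_end(expansion, start):
    """The behaviour the thread suspects: the first '}' after the command
    starts is taken as the brace that closes the ${run} command argument."""
    end = expansion.find("}", start)
    if end < 0:
        raise ValueError("missing } at end of string")
    return end


def balanced_command_end(expansion, start):
    """Brace-aware scan: track nesting depth so inner items such as
    ${quote:...} or ${if ...} stay inside the command argument."""
    depth = 1
    for i in range(start, len(expansion)):
        ch = expansion[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("missing } at end of string")


def command_of(expansion, balanced=True):
    """Return the command string between the braces of ${run{...}...}."""
    if not expansion.startswith(CMD_PREFIX):
        raise ValueError("not a ${run} expansion")
    start = len(CMD_PREFIX)
    finder = balanced_command_end if balanced else naive_command_end
    return expansion[start:finder(expansion, start)]


def split_arguments(command):
    """Model of the default (no preexpand) mode from the docs: the command
    string is split on spaces and each piece is expanded on its own. A piece
    whose braces do not balance cannot be expanded, which is the
    'missing }' complaint seen in the log."""
    args = command.split(" ")
    for arg in args:
        if arg.count("{") != arg.count("}"):
            raise ValueError(
                'Expansion of "%s" from command "%s" failed: missing } at end of string'
                % (arg, command))
    return args


def arguments_of(expansion, balanced=True):
    return split_arguments(command_of(expansion, balanced))


def expansion_error(expansion, balanced=True):
    """Return the error message the model would produce, or None on success."""
    try:
        arguments_of(expansion, balanced)
    except ValueError as err:
        return str(err)
    return None


# Slavko's minimal reproduction from the thread.
SIMPLE = "${run{/bin/echo ${quote:aaa}}}"

# A shortened form of the Debian/Ubuntu SPF condition joined onto one line,
# as it appears in the log (constructed here; the real one carries more flags).
WITH_IF = ("${run{/usr/bin/spfquery.mail-spf-perl --ip ${quote:$sender_host_address}"
           " ${if def:sender_address_domain {--scope mfrom}{--scope helo}}}"
           "{no}{${if eq {$runrc}{1}{yes}{no}}}}")


if __name__ == "__main__":
    # First-brace scan truncates the command to '/bin/echo ${quote:aaa'
    print(command_of(SIMPLE, balanced=False))
    print(expansion_error(SIMPLE, balanced=False))
    # Depth-counting scan keeps ${quote:aaa} whole
    print(arguments_of(SIMPLE))
    # Even with correct brace matching, splitting on spaces breaks the ${if ...}
    # with spaces inside it, which is the doc caveat Jeremy pointed at
    print(expansion_error(WITH_IF))
```

The model reproduces both effects seen in the thread: with the naive scan, SIMPLE and WITH_IF are cut off right after the first inner "}" and the truncated ${quote:... piece fails to expand, while with the depth-counting scan SIMPLE splits cleanly but WITH_IF still fails, because the ${if ...} argument contains spaces and is torn apart by the per-argument split the docs describe for the non-preexpand mode.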
Re: failed to expand ACL string after upgrade
Hi Andreas,

thanks for picking this up.

On 03.12.22 19:10, Andreas Metzler via Exim-users wrote:
>> after updating to Ubuntu 22.10 (upgrading exim from 4.95-4ubuntu2.2 to
>> 4.96-3ubuntu1.1), SPF checks (via spf-tools-perl) are failing with "failed
>> to expand ACL string" (which leads to a temp reject):

> I could not quickly find the problem, however exim4-daemon-heavy 4.95
> and later should be linked against libspf2 and the default configuration
> would use
> spf = fail
> instead of "condition = ${run{/usr/bin/spfquery.mail ..."

It seems like the Ubuntu maintainers decided not to link against libspf2 (unfortunately):

# ldd $(which exim4)
linux-vdso.so.1 (0x00007ffc59d45000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fb1dd929000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fb1dd840000)
libnsl.so.2 => /lib/x86_64-linux-gnu/libnsl.so.2 (0x00007fb1dd826000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fb1dd815000)
libdb-5.3.so => /lib/x86_64-linux-gnu/libdb-5.3.so (0x00007fb1dd666000)
libldap-2.5.so.0 => /lib/x86_64-linux-gnu/libldap-2.5.so.0 (0x00007fb1dd606000)
liblber-2.5.so.0 => /lib/x86_64-linux-gnu/liblber-2.5.so.0 (0x00007fb1dd5f6000)
libmysqlclient.so.21 => /lib/x86_64-linux-gnu/libmysqlclient.so.21 (0x00007fb1dce00000)
libpq.so.5 => /lib/x86_64-linux-gnu/libpq.so.5 (0x00007fb1dd5a5000)
libsqlite3.so.0 => /lib/x86_64-linux-gnu/libsqlite3.so.0 (0x00007fb1dccb0000)
libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fb1dd58a000)
libperl.so.5.34 => /lib/x86_64-linux-gnu/libperl.so.5.34 (0x00007fb1dc800000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fb1dc400000)
libgnutls.so.30 => /lib/x86_64-linux-gnu/libgnutls.so.30 (0x00007fb1dc60a000)
libgnutls-dane.so.0 => /lib/x86_64-linux-gnu/libgnutls-dane.so.0 (0x00007fb1dd581000)
libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007fb1dd4e6000)
libidn.so.12 => /lib/x86_64-linux-gnu/libidn.so.12 (0x00007fb1dd4b1000)
libidn2.so.0 => /lib/x86_64-linux-gnu/libidn2.so.0 (0x00007fb1dd48e000)
/lib64/ld-linux-x86-64.so.2 (0x00007fb1ddb50000)
libtirpc.so.3 => /lib/x86_64-linux-gnu/libtirpc.so.3 (0x00007fb1dcc83000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fb1dcc55000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007fb1dcba6000)
libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x00007fb1dc35b000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007fb1dbe00000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fb1dcb93000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fb1dba00000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fb1dc33b000)
libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x00007fb1dc2e7000)
libp11-kit.so.0 => /lib/x86_64-linux-gnu/libp11-kit.so.0 (0x00007fb1dbcc3000)
libunistring.so.2 => /lib/x86_64-linux-gnu/libunistring.so.2 (0x00007fb1db856000)
libtasn1.so.6 => /lib/x86_64-linux-gnu/libtasn1.so.6 (0x00007fb1dc2cf000)
libnettle.so.8 => /lib/x86_64-linux-gnu/libnettle.so.8 (0x00007fb1dc27f000)
libhogweed.so.6 => /lib/x86_64-linux-gnu/libhogweed.so.6 (0x00007fb1dbc7b000)
libgmp.so.10 => /lib/x86_64-linux-gnu/libgmp.so.10 (0x00007fb1db7d3000)
libunbound.so.8 => /lib/x86_64-linux-gnu/libunbound.so.8 (0x00007fb1db6dd000)
libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fb1dc276000)
libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x00007fb1db614000)
libk5crypto.so.3 => /lib/x86_64-linux-gnu/libk5crypto.so.3 (0x00007fb1dbc4f000)
libcom_err.so.2 => /lib/x86_64-linux-gnu/libcom_err.so.2 (0x00007fb1dc270000)
libkrb5support.so.0 => /lib/x86_64-linux-gnu/libkrb5support.so.0 (0x00007fb1dc263000)
libffi.so.8 => /lib/x86_64-linux-gnu/libffi.so.8 (0x00007fb1dc256000)
libevent-2.1.so.7 => /lib/x86_64-linux-gnu/libevent-2.1.so.7 (0x00007fb1db5c2000)
libkeyutils.so.1 => /lib/x86_64-linux-gnu/libkeyutils.so.1 (0x00007fb1dbc48000)

According to the changelog, this is because libspf2 is in the universe section:
--cut
exim4 (4.96-3ubuntu1) kinetic; urgency=medium

* Merge with Debian unstable. (LP: #1971274) Remaining changes:
- Show Ubuntu distribution in SMTP banner
+ d/p/fix_smtp_banner.patch: Show Ubuntu distribution
in SMTP banner.
+ Build-Depends on lsb-release to detect Distribution.
- Disable external SPF support to avoid Build-Depends on libspf2-dev
(only available in universe). SPF can still be implemented via
spf-tools-perl, as documented in exim4.conf.template. (LP #1952738)
This reverts Vcs-Git commit 494f1fe, first released in 4.95~RC0-1.
Changes:
+ d/control: drop Build-Depends on libspf2-dev.
+ d/d/c/a/30_exim4-config_check_rcpt: restore SPF logic based
on spfquery.mail-spf-perl from spf-tools-perl.
+ d/EDITME.exim4-heavy.diff: disable support for libspf2.
--cut

Not the first time I had an issue due to something being in universe and dropped...

Regards,
Thomas

Re: failed to expand ACL string after upgrade
On 03/12/2022 20:59, exim-users--- via Exim-users wrote:
> Stripping down (removing the if and all quote) to following condition works:
>
>     condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
>                      $sender_host_address --identity \
>                      --scope mfrom  --identity sender_address}\
>                      {no}{${if eq {$runrc}{1}{yes}{no}}}}
>
> As soon as one ${quote: ...} is added, the missing "}" error appears:

Thanks for checking. Yup, this is a real bug; fix in progress.
--
Cheers,
Jeremy


Re: failed to expand ACL string after upgrade
Hi Jeremy,

On 04.12.22 00:11, Jeremy Harris via Exim-users wrote:
>> Stripping down (removing the if and all quote) to following condition works:
>>
>>      condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
>>                       $sender_host_address --identity \
>>                       --scope mfrom  --identity sender_address}\
>>                       {no}{${if eq {$runrc}{1}{yes}{no}}}}
>>
>> As soon as one ${quote: ...} is added, the missing "}" error appears:

> Thanks for checking.  Yup, this is a real bug; fix in progress.

Least I can do, thanks a lot for working on it.

I'll update the Ubuntu bug when you have a bug reference or something similar.

Regards,
Thomas

Re: failed to expand ACL string after upgrade
On 03/12/2022 23:45, exim-users--- via Exim-users wrote:
> I'll update the Ubuntu bug, when you have a bug reference or something similar.

Commit 44b6e099b76f in the exim project git.
--
Cheers,
Jeremy


Re: failed to expand ACL string after upgrade
Hi Jeremy,

On 04.12.22 01:10, Jeremy Harris via Exim-users wrote:
> On 03/12/2022 23:45, exim-users--- via Exim-users wrote:
>> I'll update the Ubuntu bug, when you have a bug reference or something similar.

> Commit 44b6e099b76f in the exim project git.

Updated the bug. Thanks a lot for the quick fix. Looking forward to the next release.

I really appreciate your (and the other devs' and distro maintainers') work! All I like
about open source: quick feedback (by you, Andreas and Slavko) on the problem here
on the list, quick confirmation and a fix in some hours. That is outstanding.

Thanks,
Thomas
