Mailing List Archive

SRS example in spec
Good morning,

the SRS example in the spec features three routers:
8X-------------------------------------------------------------------
outbound:
[dnslookup router, choose srs-encoding transport when necessary]

inbound_srs:
[try to SRS-decode incoming bounce and redirect to new address on
success]

inbound_srs_failure:
driver = redirect
senders = :
domains = +my_domains
# detect inbound bounces which look SRS'd but are invalid
condition = ${if inbound_srs {$local_part} {}}
allow_fail
data = :fail: Invalid SRS recipient address

#... further routers here
8X-------------------------------------------------------------------

I do not get the third one:
Afaict comment and code do not match. The router fails all bounces where
inbound_srs{} fails, not only the ones that "look SRS'd".

Why is it necessary? The inbound_srs-router will have handled the
valid cases so whatever we get now can be handled by the regular
routers. - SRS0=notvalid@my.domain will be handled by the same logic as
any other invalid-localpart@my.domain.

I am sure I am missing something.

TIA, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: SRS example in spec
On 28/04/2024 06:05, Andreas Metzler via Exim-users wrote:
> The router fails all bounces where
> inbound_srs{} fails, not only the ones that "look SRS'd".

It assumes that you really are SRS'ing all outbounds, therefore
any bounce not SRS (in addition to those with bad SRS) is
de-facto not valid.

If the "all outbounds" does not hold in your configuration
then you would need more complexity for this element.
--
Cheers,
Jeremy


Re: SRS example in spec
On 2024-04-28 Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:
> On 28/04/2024 06:05, Andreas Metzler via Exim-users wrote:
>> The router fails all bounces where
>> inbound_srs{} fails, not only the ones that "look SRS'd".

> It assumes that you really are SRS'ing all outbounds, therefore
> any bounce not SRS (in addition to those with bad SRS) is
> de-facto not valid.

> If the "all outbounds" does not hold in your configuration
> then you would need more complexity for this element.

Hello,

There is progress. ;-)

inbound_srs_failure only handles addresses with valid SRS-syntax (That
is what I missed before.) that have not been grabbed by inbound_srs,
i.e. they have a wrong checksum or fail the timestamp < 10 day check.
These messages are rejected with a nice error message.

So afaiui the whole point of this router is to produce a nice error
instead of a generic "Unrouteable address". - Does this make sense?

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Re: SRS example in spec
On Sun, 28 Apr 2024, Andreas Metzler via Exim-users wrote:

> On 2024-04-28 Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:
>> On 28/04/2024 06:05, Andreas Metzler via Exim-users wrote:
>>> The router fails all bounces where
>>> inbound_srs{} fails, not only the ones that "look SRS'd".
>
>> It assumes that you really are SRS'ing all outbounds, therefore
>> any bounce not SRS (in addition to those with bad SRS) is
>> de-facto not valid.
>
>> If the "all outbounds" does not hold in your configuration
>> then you would need more complexity for this element.
>
> Hello,
>
> There is progress. ;-)
>
> inbound_srs_failure only handles addresses with valid SRS-syntax (That
> is what I missed before.) that have not been grabbed by inbound_srs,
> i.e. they have a wrong checksum or fail the timestamp < 10 day check.
> These messages are rejected with a nice error message.
>
> So afaiui the whole point of this router is to produce a nice error
> instead of a generic "Unrouteable address".

That was my guess too.

> - Does this make sense?

When SPF/SRS came out there was concern that SRS had a relay attack,
so showing SRS errors separately would have been desired.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
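
Added example, not part of any post in this thread and not Exim's own code: a Python model of the three-way split the thread arrives at, where a bounce recipient is either decoded (inbound_srs), rejected with the explicit message (inbound_srs_failure), or left for the later routers. The hash (truncated HMAC-SHA256), the timestamp encoding, the secret and the addresses are assumptions chosen for illustration.

```python
import hashlib
import hmac
import re

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
# Syntax-only test: the "looks SRS'd" part of the router comment.
SRS_RE = re.compile(r"^SRS0=([^=]+)=([A-Z2-7]{2})=([^=]+)=(.+)$", re.I)
MAX_AGE_DAYS = 10      # validity window mentioned in the thread
SECRET = "s3cret"      # constructed sample secret
TODAY = 19841          # constructed "current day" (days since epoch)


def stamp(day):
    """Two-character day stamp, days modulo 1024 (assumed encoding)."""
    d = day % 1024
    return B32[d >> 5] + B32[d & 31]


def mac(secret, ts, domain, local):
    """Keyed checksum over stamp, domain and local part (assumed hash)."""
    msg = f"{ts}={domain}={local}".lower().encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()[:8]


def encode(sender, secret, day):
    """Outbound side: rewrite sender into an SRS0 local part."""
    local, domain = sender.rsplit("@", 1)
    ts = stamp(day)
    return f"SRS0={mac(secret, ts, domain, local)}={ts}={domain}={local}"


def route_bounce(local_part, secret, today):
    """Return (router, result) for a bounce addressed to local_part."""
    m = SRS_RE.match(local_part)
    if not m:
        # No SRS syntax: neither SRS router matches in this model.
        return ("later_routers", None)
    tag, ts, domain, local = m.groups()
    ts = ts.upper()
    sent = B32.index(ts[0]) * 32 + B32.index(ts[1])
    age = (today - sent) % 1024          # stamp wraps every 1024 days
    good = hmac.compare_digest(tag.lower(), mac(secret, ts, domain, local))
    if good and age <= MAX_AGE_DAYS:
        return ("inbound_srs", f"{local}@{domain}")
    # SRS syntax, but wrong checksum or stale stamp: explicit rejection.
    return ("inbound_srs_failure", ":fail: Invalid SRS recipient address")
```

In this model a local part such as `SRS0=notvalid` lacks the full syntax and falls through to the later routers, while a well-formed address with an altered domain or an old stamp gets the explicit failure.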
