diff options
| -rw-r--r-- | doc/doc-txt/ChangeLog | 3 | ||||
| -rw-r--r-- | src/src/acl.c | 8 | ||||
| -rw-r--r-- | src/src/functions.h | 2 | ||||
| -rw-r--r-- | src/src/verify.c | 20 | ||||
| -rw-r--r-- | test/confs/0571 | 78 | ||||
| -rw-r--r-- | test/log/0571 | 4 | ||||
| -rw-r--r-- | test/rejectlog/0571 | 10 | ||||
| -rw-r--r-- | test/scripts/0000-Basic/0571 | 14 |
8 files changed, 129 insertions, 10 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 6976d4bfe..03a4cedf5 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -137,6 +137,9 @@ JH/31 Fix bug with hosts_connection_nolog and named-lists which were wrongly JH/32 Move Redis support from Experimental to mainline, enabled for a build by defining LOOKUP_REDIS. The libhiredis library is required. +JH/33 Bug 1748: Permit ACL dnslists= condition in non-smtp ACLs if explicit + keys are given for lookup. + Exim version 4.86 ----------------- diff --git a/src/src/acl.c b/src/src/acl.c index 17f55c2ac..1456cc724 100644 --- a/src/src/acl.c +++ b/src/src/acl.c @@ -475,8 +475,10 @@ static unsigned int cond_forbids[] = { ~(1<<ACL_WHERE_DATA), /* dmarc_status */ #endif - (1<<ACL_WHERE_NOTSMTP)| /* dnslists */ - (1<<ACL_WHERE_NOTSMTP_START), + /* Explicit key lookups can be made in non-smtp ACLs so pass + always and check in the verify processing itself. */ + + 0, /* dnslists */ (unsigned int) ~((1<<ACL_WHERE_RCPT) /* domains */ @@ -3567,7 +3569,7 @@ for (; cb != NULL; cb = cb->next) #endif case ACLC_DNSLISTS: - rc = verify_check_dnsbl(&arg); + rc = verify_check_dnsbl(where, &arg, log_msgptr); break; case ACLC_DOMAINS: diff --git a/src/src/functions.h b/src/src/functions.h index bd43934f0..3b700873a 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -480,7 +480,7 @@ extern void utf8_version_report(FILE *); extern int verify_address(address_item *, FILE *, int, int, int, int, uschar *, uschar *, BOOL *); -extern int verify_check_dnsbl(const uschar **); +extern int verify_check_dnsbl(int, const uschar **, uschar **); extern int verify_check_header_address(uschar **, uschar **, int, int, int, uschar *, uschar *, int, int *); extern int verify_check_headers(uschar **); diff --git a/src/src/verify.c b/src/src/verify.c index b73f45a24..ef95394d3 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -3876,7 +3876,9 @@ Note: an address for testing DUL is 192.203.178.4 Note: a domain for testing RFCI is example.tld.dsn.rfc-ignorant.org Arguments: + where the acl type listptr the domain/address/data list + log_msgptr log message on error Returns: OK successful lookup (i.e. the address is on the list), or lookup deferred after +include_unknown @@ -3886,7 +3888,7 @@ Returns: OK successful lookup (i.e. the address is on the list), or */ int -verify_check_dnsbl(const uschar **listptr) +verify_check_dnsbl(int where, const uschar ** listptr, uschar ** log_msgptr) { int sep = 0; int defer_return = FAIL; @@ -3933,21 +3935,19 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL /* See if there's explicit data to be looked up */ - key = Ustrchr(domain, '/'); - if (key != NULL) *key++ = 0; + if ((key = Ustrchr(domain, '/'))) *key++ = 0; /* See if there's a list of addresses supplied after the domain name. This is introduced by an = or a & character; if preceded by = we require all matches and if preceded by ! we invert the result. */ - iplist = Ustrchr(domain, '='); - if (iplist == NULL) + if (!(iplist = Ustrchr(domain, '='))) { bitmask = TRUE; iplist = Ustrchr(domain, '&'); } - if (iplist != NULL) /* Found either = or & */ + if (iplist) /* Found either = or & */ { if (iplist > domain && iplist[-1] == '!') /* Handle preceding ! */ { @@ -3966,6 +3966,7 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL } } + /* If there is a comma in the domain, it indicates that a second domain for looking up TXT records is provided, before the main domain. Otherwise we must set domain_txt == domain. */ @@ -4011,6 +4012,13 @@ while ((domain = string_nextinlist(&list, &sep, buffer, sizeof(buffer))) != NULL if (key == NULL) { + if (where == ACL_WHERE_NOTSMTP_START || where == ACL_WHERE_NOTSMTP) + { + *log_msgptr = string_sprintf + ("cannot test auto-keyed dnslists condition in %s ACL", + acl_wherenames[where]); + return ERROR; + } if (sender_host_address == NULL) return FAIL; /* can never match */ if (revadd[0] == 0) invert_address(revadd, sender_host_address); rc = one_check_dnsbl(domain, domain_txt, sender_host_address, revadd, diff --git a/test/confs/0571 b/test/confs/0571 new file mode 100644 index 000000000..64383cdd8 --- /dev/null +++ b/test/confs/0571 @@ -0,0 +1,78 @@ +# Exim test configuration 0571 + +LOG_SELECTOR= + +exim_path = EXIM_PATH +host_lookup_order = bydns +primary_hostname = myhost.test.ex +spool_directory = DIR/spool +log_file_path = DIR/spool/log/%slog +gecos_pattern = "" +gecos_name = CALLER_NAME +tls_advertise_hosts = + +# ----- Main settings ----- + +disable_ipv6 = true + +addresslist ok_senders = ok@ok.ok + +domainlist local_domains = test.ex : *.test.ex + +qualify_domain = test.ex +trusted_users = CALLER + +# Use first three components of from_domain to select ACL +acl_not_smtp = ${if def:sender_address \ + {acl_${sg{${tr{$sender_address_domain}{.}{_}}}{^(.*)_.*\$}{\$1}}} \ + {accept control=queue_only}} + +# ----- ACLs ----- + +begin acl + +acl_29_29_29: + deny dnslists = test.ex/$sender_address_domain + accept + +acl_29_29_0: + deny dnslists = test.ex + accept + +# ----- Transports ----- + +begin transports + +t1: + driver = appendfile + file = DIR/test-mail/$local_part + user = CALLER + +t2: + driver = appendfile + file = DIR/test-mail/okbatch + user = CALLER + batch_max = 100 + envelope_to_add + +# ----- Routers ----- + +begin routers + +r0: + driver = accept + local_parts = ^ok + transport = t2 + +r1: + driver = accept + local_parts = ^userx : ^cond- + transport = t1 + +r2: + driver = redirect + local_parts = fail + allow_fail + data = :fail: here is a fail message + +# End diff --git a/test/log/0571 b/test/log/0571 new file mode 100644 index 000000000..fc7dd5058 --- /dev/null +++ b/test/log/0571 @@ -0,0 +1,4 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 F=<ted@29.29.0.com> rejected by non-SMTP ACL: cannot test keyless dnslists condition in non-SMTP ACL +1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> R=10HmaX-0005vi-00 U=EXIMUSER P=local S=sss +1999-03-02 09:44:33 10HmaY-0005vi-00 no immediate delivery: queued by ACL +1999-03-02 09:44:33 10HmaZ-0005vi-00 <= bill@29.29.29.com U=CALLER P=local S=sss diff --git a/test/rejectlog/0571 b/test/rejectlog/0571 new file mode 100644 index 000000000..494bffed6 --- /dev/null +++ b/test/rejectlog/0571 @@ -0,0 +1,10 @@ +1999-03-02 09:44:33 10HmaX-0005vi-00 F=<ted@29.29.0.com> rejected by non-SMTP ACL: cannot test keyless dnslists condition in non-SMTP ACL +Envelope-from: <ted@29.29.0.com> +Envelope-to: <ok1@test.ex> +P Received: from CALLER by myhost.test.ex with local (Exim x.yz) + (envelope-from <ted@29.29.0.com>) + id 10HmaX-0005vi-00 + for ok1@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 +I Message-Id: <E10HmaX-0005vi-00@myhost.test.ex> +F From: ted@29.29.0.com + Date: Tue, 2 Mar 1999 09:44:33 +0000 diff --git a/test/scripts/0000-Basic/0571 b/test/scripts/0000-Basic/0571 new file mode 100644 index 000000000..3eab04cbf --- /dev/null +++ b/test/scripts/0000-Basic/0571 @@ -0,0 +1,14 @@ +# ACL - dnslists in non-smtp ACL +# +1 +exim -f ted@29.29.0.com -odq ok1@test.ex +should fail +. +**** +# +exim -f bill@29.29.29.com -odq ok1@test.ex +should pass +. +**** +# +no_msglog_check |