Exim condition for checking mail from header

somerandomnick (New member, joined Dec 19, 2022, 1 message)
Hi,
Based on the topic https://forum.directadmin.com/threa...il-address-to-authenticated-linux-user.59554/ I've been trying to allow outgoing mail only if the From header is on the aliases list.

My current condition in /etc/exim.acl_check_message.pre.conf:
{eqi{${address:$header_From:}} {${lookup{${local_part:${address:$header_From:}}}lsearch{/etc/virtual/${domain_data:${address:$header_From:}}/aliases}}}}

gives the following error:
DATA: failed to expand ACL string "${if !or { {eqi{$authenticated_id} {${address:$header_From:}}} {eqi{${address:$header_From:}} {${lookup{${local_part:${address:$header_From:}}}lsearch{/etc/virtual/${domain_data:${address:$header_From:}}/aliases}}}} } }": NULL inside "or{...}" condition

(the condition from the pasted DA thread gave the same error on my server)

I am running Exim version 4.96. I'm not sure exactly how to debug it further. I thought that it might be connected with the tainted-data changes introduced in Exim 4.94, but I'm not sure how to bypass it.

P.S. I also checked a different condition, just for testing and debugging purposes:
{eqi{$domain} {${lookup{${domain}}lsearch{/etc/virtual/${domain_data}/aliases}}}} This prompts the following error: failed to open /etc/virtual//aliases for linear search: No such file or directory inside "or{...}" condition

Thanks for any hints!
 
Hello,

I recently tested the same thing, and I came to the conclusion that Exim fails to process variables in the lsearch{...} statement if it's used within an if{...} construction. I'm not even sure whether it's designed that way or whether it's a bug. I did not go so far as to investigate the root cause of it. You might try bringing this to the attention of the Exim developers.

Being short on time, I've created a simple script which runs from cron and lists all matches of auth users with aliases for all domains. Exim checks that simple list. That works fine.
 
lists all matches of auth users with aliases
Auth users, so this would not work with PHP scripts using PHP mail(), right? Seems logical.
But on the other hand, then I don't understand: if it's auth users only, then only users who authenticated can send mail, so what is the benefit of the check then?
 
The logic is inherited from cPanel or Plesk (I do not recall which one). An authenticated user is allowed to send emails in the following cases only:

1. The user is authorized and the auth login = the From address, or
2. The user is authorized, the From address is an alias, and the auth login is a recipient of emails for that alias.
 
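Below is an added worked example of the two-case rule just described, written against the situation in the opening post; it is not DirectAdmin's shipped configuration and not any poster's snippet. The point it demonstrates is the Exim 4.94+ taint rule that is actually biting here: values taken from the message ($h_From:, $authenticated_id and friends) may be used as a lookup key, but never inside a lookup filename, so `/etc/virtual/<From domain>/aliases` must be built from an untainted copy of the domain. A dsearch lookup returns the matching directory entry as untainted data, which is the standard way to launder it. (Two side notes on the original snippet: `${domain_data:...}` is not an expansion operator, the operator is `${domain:...}` and `$domain_data` is a variable that is only set after a `domains =` condition with a lookup has matched, which is why the P.S. path came out as `/etc/virtual//aliases`; and when a lookup is refused for a tainted filename, the refusal typically lands in the panic log rather than in the "... inside "or{...}" condition" expansion error, which is why that message shows "NULL".) Assumptions, marked in the comments: the DirectAdmin layout `/etc/virtual/<domain>/aliases` with lines of the form `alias: target1,target2` whose targets are full user@domain addresses, and SMTP AUTH setting `$authenticated_id` to the full user@domain login.

```exim
# Added example, not DirectAdmin's shipped config and not the original poster's snippet.
# Meant for a DATA-phase ACL include such as /etc/exim.acl_check_message.pre.conf.
# Assumptions: /etc/virtual/<domain>/aliases holds lines "alias: target1,target2" with
# targets as full user@domain addresses, and SMTP AUTH sets $authenticated_id to the
# full user@domain login. Adjust both if your installation differs.

  # Step 1: de-taint the From: domain. dsearch only succeeds if that name exists as a
  # directory under /etc/virtual, and its result is untainted, so it may appear in a path.
  # A tainted $h_From: is fine here because it is the KEY, not the filename.
  warn
    authenticated = *
    set acl_m_fromdom = ${lookup {${domain:${address:$h_From:}}} \
                                 dsearch,filter=dir {/etc/virtual}}

  # Step 2: look the From: local part up in that domain's aliases file. The path is now
  # untainted and the tainted key is allowed. The two guards prevent the
  # "failed to open ... for linear search" expansion error (which would defer the message)
  # when the domain is unknown (empty $acl_m_fromdom) or has no aliases file.
  warn
    authenticated = *
    condition     = ${if !eq{$acl_m_fromdom}{}}
    condition     = ${if exists{/etc/virtual/$acl_m_fromdom/aliases}}
    set acl_m_fromtargets = ${lookup {${local_part:${address:$h_From:}}} \
                                     lsearch {/etc/virtual/$acl_m_fromdom/aliases}}

  # Step 3: permit only (a) login == From: address, or (b) From: is an alias whose
  # targets include the login. Alias targets are comma separated, hence the "<," separator.
  deny
    authenticated = *
    !condition    = ${if or{ \
                      {eqi{$authenticated_id}{${address:$h_From:}}} \
                      {inlisti{$authenticated_id}{<, $acl_m_fromtargets}} \
                    }}
    message       = From: address ${address:$h_From:} is not permitted for authenticated user $authenticated_id
    log_message   = From/auth mismatch: from=${address:$h_From:} auth=$authenticated_id
```

Two caveats a practitioner will want. First, aliases whose target is a bare system username (for example `postmaster: username`) are not matched by the inlisti branch above; matching them safely needs a branch that also checks the login's domain, otherwise `bob` on one domain would satisfy an alias for `bob` on another. Second, the "generate a flat list from cron" workaround from the earlier reply sidesteps tainting for a different reason: its lookup file is a constant path, so only the (permitted) key is tainted, which is why it works without any de-tainting at all.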
Isn't restricting the sender/From address to the authenticated user's domain part "good enough", as one of the snippets in the thread referenced above does?
 
@Kristian,

I'm not sure who you are addressing your question to. If it's to me, then I don't put my own feelings into such requests. I don't use the solution myself, but I do accept the right of others to want and use it.

If you are hesitating about whether to use it, then you might take a look at it from the point of view of your business model. From that point of view, you would think only of how much good it would do for your customers.

Have a good day)
 
I think I would prefer to have the sender address/From: address match the authenticated user (or a valid alias for the user), because it would mean people on the same domain couldn't pretend to be someone else unless they also had the other person's credentials.

There's a documented way to restrict to the same domain at https://docs.directadmin.com/other-...-to-only-send-from-their-authenticated-domain (with a typo), but I would like more.

Any attempts I've made to expand on it to match the exact account or an alias seem to hit "tainted filename" issues like the OP, so I suspect some additional configuration is needed to do this successfully.
 