Bug#440217: exim4-config: lowuid router is misplaced in order and breaks common setups

Wed Sep 5 17:47:53 UTC 2007

On 2007-09-04 Marc Haber <mh+debian-packages at zugschlus.de> wrote:
> On Tue, Sep 04, 2007 at 07:36:26PM +0200, Andreas Metzler wrote:
>> On 2007-09-03 Marc Haber <mh+debian-packages at zugschlus.de> wrote:
>>> On Mon, Sep 03, 2007 at 07:23:27PM +0200, Andreas Metzler wrote:
>> [...] 
>>>> After enabling the lowuid router with
>>>> FIRST_USER_ACCOUNT_UID = 1000
>>>> abuse is undeliverable from remote addresses:

>>> I won't call this a feature, but a "side effect". Solution: alias root
>>> to itself (or directly to ametzler) in /etc/exim4/lowuid-aliases.

>> *Imho* it is a severe bug since blacklisting abuse will put a server
>> on blacklists quickly. If lowuid was enabled by default this would be
>> rc.

> Yes. That's one of the reasons why the feature is not enabled by
> default.

> I have added the following to README.Debian:
>         Please note that enabling this feature will break delivery to
>         postmaster and abuse at your site, which might be
>         undesireable. Be prepared to alias these local parts to a real
>         account in /etc/aliases.

> What do you suggest doing additionally?

Hello,

I do not think this kind of issue can or should simply be "documented
away". The lowuid router is mainly interesting for internet hosts, and
exactly these hosts really should have working abuse and postmaster.
Imho having lowuid after /etc/aliases is a must. "echo news: ametzler
 >> /etc/aliases && newaliases" is something that should just work with
every MTA in debian. Enabling an optional feature should not break
that.

Afaiu the only reason why lowuid is that early is because
300_exim4-config_real_local would suddenly be open again.  There is
some discussion in #307768 about this, which basically boils down to
these eh four points:

#1 Having e.g. real-www-data automatically deliverable even www-data
  itself is aliased to /dev/null or :fail: should not happen.

#2 real-* is only used as a errors-to address in our default config.

#3 real-* is ancient an people might actually use it in the wild even
  for remote deliveries.

#4: problem #1 could done away by moving the router later (In which
case it would not really be a real-* router, since you could not go
around broken /etc/aliases or .forward anymore. Alternatively it could
be restricted to mail not originating from remote addresses.)

-----------

The thing with #3 is that it is a killer argument against any change,
even if it made things better for 999,999,999 out of 1000000000
systems. I do not think this should stop us from doing the right thing,
exim4 has broken existing setups more than once in the past.

Personally I am not happy that currently a spammer could send mail to
real-myemailaddress and bypass my spamfiltering. I do think having a
globally open and enabled by default real-local is not a good thing
in today's internet anymore. I would vote for 
condition = ${if def:$sender_host_address{false}{true}}
or
condition = ${if match_ip{$sender_host_address}{:@[]}}{yes}{no}

This would allow moving lowuid to correct position as next to last
router.

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'