Bug#992421: dnslookup_relay_to_domains probably needs ignore_target_hosts

Marc Haber mh+debian-packages at zugschlus.de
Wed Aug 18 12:43:01 BST 2021


Package: exim4-config
Version: 4.94.2-2~zg100+3
Severity: normal

Hi,

I am not sure whether this is an actual bug. I have observed this
behavior on an exim that is backup MX for domain.example. The MX records
are like:
domain.example mail is handled by 0 mx.domain.example.
domain.example mail is handled by 10 myexim.otherdomain.example.

Both hosts have both IPv4 and IPv6 addresses in DNS; the local resolver
on myexim.otherdomain.example resolves its own host name to 127.0.1.1 by
virtue of the normal Debian /etc/hosts file.

[36/5023]mh at q:~ $ sudo exim -bt lists at domain.example
R: domain_literal for lists at domain.example
R: dnslookup_relay_to_domains for lists at domain.example
lists at domain.example
  router = dnslookup_relay_to_domains, transport = remote_smtp
  host mx.domain.example [IPv6 address] MX=0
  host mx.domain.example [IPv4 address]                         MX=0
  host myexim.otherdomain.example      [127.0.1.1]                             MX=10
[37/5024]mh at q:~ $

If mx.domain.example refuses mail, the local exim happily delivers to itself, causing a loop:
2021-08-18 08:06:15 1mGEiM-00089y-Vx <= linux-staging+bounces-5545-lists=domain.example at lists.linux.dev H=localhost (myexim.otherdomin.example) [127.0.0.1] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=no K S=14699 id=<snip>
2021-08-18 08:06:15 1mGEiK-00089g-NR => lists at domain.example R=dnslookup_relay_to_domains T=remote_smtp H=myexim.otherdomain.example [127.0.1.1] X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256 CV=yes DN=<snip> K C="250- 7595 byte chunk, total 14687\\n250 OK id=1mGEiM-00089y-Vx"
2021-08-18 08:06:15 1mGEiK-00089g-NR Completed

I have noticed that the dnslookup router in the upstream configure.default has an
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 option set, while our
dnslookup_relay_to_domains router doesn't. I guess this was an omission made by
myself back in 2003 when I added the dedicated handling of dnslookup for
general e-mail and for domains that we have listed in
dnslookup_relay_to_domains.

I would like to suggest changing the dnslookup_relay_to_domains router to something like that:
.ifndef ROUTER_DNSLOOKUP_RELAY_TO_DOMAINS_IGNORE_TARGET_HOSTS
ROUTER_DNSLOOKUP_RELAY_TO_DOMAINS_IGNORE_TARGET_HOSTS = <; 0.0.0.0 ; 127.0.0.0/8 ; ::/128 ; ::1/128
.endif

dnslookup_relay_to_domains:
  debug_print = "R: dnslookup_relay_to_domains for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains : +relay_to_domains
  transport = remote_smtp
  same_domain_copy_routing = yes
  ignore_target_hosts = ROUTER_DNSLOOKUP_RELAY_TO_DOMAINS_IGNORE_TARGET_HOSTS
  no_more

Or is exim supposed to never relay to itself automatically? If that is the
case, more debugging is needed to find out why this happens here. Advice
appreciated.

Greetings
Marc

-- Package-specific info:
Exim version 4.94.2 #2 built 04-May-2021 19:57:22
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC Event I18N OCSP PIPE_CONNECT PRDR PROXY SOCKS TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file search path is /etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
Configuration file is /var/lib/exim4/config.autogenerated

-- System Information:
Debian Release: 10.10
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.13.10-zgsrv20080 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4-config depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.71

Versions of packages exim4-config recommends:
ii  ca-certificates  20200601~deb10u2

exim4-config suggests no packages.

-- Configuration Files:
/etc/exim4/conf.d/acl/20_exim4-config_local_deny_exceptions changed [not included]
/etc/exim4/conf.d/router/600_exim4-config_userforward changed [not included]
/etc/exim4/conf.d/router/700_exim4-config_procmail changed [not included]
/etc/exim4/conf.d/router/800_exim4-config_maildrop changed [not included]
/etc/exim4/conf.d/router/900_exim4-config_local_user changed [not included]
/etc/exim4/passwd.client [Errno 13] Permission denied: '/etc/exim4/passwd.client'

-- debconf information excluded
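
An added example, not part of the original report or of the exim4-config package: a Python check that parses `exim -bt` output of the shape shown above and reports which target hosts the proposed ignore list would discard. The sample output is constructed (documentation addresses stand in for the redacted ones), and the plain CIDR match approximates the option's effect rather than reproducing Exim's own host-list matching.

```python
import ipaddress
import re

# List value proposed in the report for the router's ignore_target_hosts option.
PROPOSED_IGNORE = "<; 0.0.0.0 ; 127.0.0.0/8 ; ::/128 ; ::1/128"
# Matches the "host NAME [ADDRESS] MX=N" lines printed by `exim -bt`.
HOST_LINE = re.compile(r"^\s*host\s+(\S+)\s+\[([^\]]+)\]\s*(?:MX=(\d+))?")

def parse_ignore_list(value):
    """Parse an Exim-style list; a leading '<X' switches the separator from ':' to X."""
    value = value.strip()
    sep = ":"
    if value.startswith("<") and len(value) > 1:
        sep, value = value[1], value[2:]
    # Without '<;' the IPv6 items would be split at their colons.
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in value.split(sep) if item.strip()]

def audit_routing(bt_output, ignore_value=PROPOSED_IGNORE):
    """Return (kept, dropped) lists of (host, address, mx) tuples."""
    nets = parse_ignore_list(ignore_value)
    kept, dropped = [], []
    for line in bt_output.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # redacted placeholder such as "[IPv6 address]"
        entry = (m.group(1), str(addr), int(m.group(3)) if m.group(3) else None)
        hit = any(addr.version == n.version and addr in n for n in nets)
        (dropped if hit else kept).append(entry)
    return kept, dropped

# Constructed sample in the format of the `exim -bt` output in the report.
SAMPLE_BT = """\
lists@domain.example
  router = dnslookup_relay_to_domains, transport = remote_smtp
  host mx.domain.example [2001:db8::25] MX=0
  host mx.domain.example [192.0.2.25]                         MX=0
  host myexim.otherdomain.example      [127.0.1.1]                             MX=10
"""

if __name__ == "__main__":
    kept, dropped = audit_routing(SAMPLE_BT)
    for host, addr, mx in dropped:
        print(f"would be ignored: {host} [{addr}] MX={mx}")
    for host, addr, mx in kept:
        print(f"remains a target: {host} [{addr}] MX={mx}")
```
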


