2013-05-20
A serious potential danger with Exim host lists in ACLs
Suppose that you have an Exim installation and you want to support some sort of source host based blocking (selective or otherwise) of incoming connections. The obvious way is to create an ACL section that looks something like this:
deny
domains = +local_domains
hosts = ${if exists {UBLOCKDIR/hosts} {UBLOCKDIR/hosts}}
message = mail from host $sender_host_address not accepted by <$local_part@$domain>.
log_message = blocked by personal hosts blacklist.
(This one is a selective, per destination address host block list, hence
the fun and games with UBLOCKDIR.)
This looks great and generally works but you've just armed a ticking time bomb, one that can blow your incoming email up with permanent temporary deferrals. The first problem is that Exim has no way in a host list to say 'this domain and any of its subdomains', in the way that the TCP wrappers '.host.com' will match both 'host.com' and 'fred.host.com'. If you want to match this case, the obvious way is to write two entries:
*.host.com host.com
The first matches any subdomains of the domain; the second matches the domain itself. But you've just put the fuse in the bomb, because of just how plain host and domain names work in host lists. From the Exim specification with the emphasis being mine:
- If the pattern is a plain domain name [...] Exim calls the operating system function to find the associated IP address(es). [...]
If there is a temporary problem (such as a DNS timeout) with the host name lookup, a temporary error occurs. For example, if the list is being used in an ACL condition, the ACL gives a "defer" response, usually leading to a temporary SMTP error code.
So here's what happens. You list '*.spammer.com' and 'spammer.com' in your blocklist. Spammer.com turns off their DNS (or their DNS server turns it off because hey, they're a spammer) but doesn't de-register their domain, so DNS queries to their nominal authoritative DNS servers either don't get answers or get non-authoritative 'look elsewhere' results. Although this is a permanent condition, it's considered a temporary failure in DNS resolution. Exim now defers all SMTP connections that consult this host blocklist, regardless of where they are from. For ever, or at least until you notice.
Now that I've read the Exim documentation in detail, it spells out
that you can turn this behavior off with the special option
+ignore_defer. You probably want to do this. Certainly we do.
My feeling is that you want to do this for every host list anywhere except ones used for real, strong access control (which probably don't want to be using DNS names anyways). Consider, for example, a host list used for exceptions to greylisting; you probably don't want that ACL to defer the connection if you can't resolve a domain in it.
Sidebar: the other surprise in Exim host lists
Suppose that you have a host list like this:
*.spammer.com192.168.0.0/16
Surprise: any connection from a host in 192.168/16 that does not have valid reverse DNS will not match the list. The moment you list a hostname wildcard in a host list, any IP address without a hostname automatically fails to match that entry or anything later in the list (or file if the list is in a file). It will match IP address patterns that are earlier in the list, though, so you get to remember to list all IP address patterns first. This behavior is documented if you read the documentation carefully.
Per the fine documentation
this behavior can be turned off with +ignore_unknown. Now that I've
found this, I need to make some configuration changes.
This is generally less dangerous than the host list defer time bomb, but it depends on what you're using the host list for. If you have a locked down configuration where you're using the host list for strong access control, well, you have potential issues here.