[exim] Re: sensitive data appearing in delay warning message…

Top Page
Delete this message
Reply to this message
Author: Brian Candler
Date:  
To: Alexander V Alekseev
CC: exim-users
Old-Topics: Re: [exim] Please help!
Subject: [exim] Re: sensitive data appearing in delay warning messages [was: Please help!]
On Fri, Apr 15, 2005 at 02:46:26PM +0400, Alexander V Alekseev wrote:
>         Some message is in queue. At the time of delivery 
> if we
> have router like this:
> ---------------------------------------------------------------------
> SOME_LDAP_LOOKUP = ${ lookup ldap { user="<username>" 
> pass=<pass> ldap:///<lookup text>}}

>
> some_aliases:
> driver = redirect
> allow_fail = false
> allow_defer = false
> allow_filter = false
> allow_freeze = false
> forbid_blackhole = true
> forbid_file = true
> hide data = SOME_LDAP_LOOKUP
> ---------------------------------------------------------------------
>
>         Exim generates bounce message to sender:
> ---------------------------------------------------------------------
> Delay reason: failed to expand "${ lookup ldap { 
> user="<username>" pass=<pass> ldap:///<lookup text>}} ": 
> lookup of "user="<username>" pass=<pass> ldap:///<lookup
> text>" gave DEFER: failed to bind the LDAP connection to 
> server <IP>:<Port> - LDAP error 81: Can't contact LDAP 
> server
> ---------------------------------------------------------------------
>         So, anyone can see username and password to LDAP 
> server.

>
>         Another example (transport):
> ---------------------------------------------------------------------
> some_mailboxes:
>         driver = appendfile
>         create_directory = true
>         create_file = anywhere
>         hide directory = LDAP_MBX_LOOKUP
>         maildir_format = true
>         quota = LDAP_QUOTA_LOOKUP
> ---------------------------------------------------------------------
> And Exim includes the same hidden data in bounce message 
> if quota lookup fails.


Hmm. Yes, that looks like a real problem.

Looking in src/deliver.c, I see the reason is included if:
- the address itself is not hidden; and
- the error is not just "retry time not reached"

However, this sort of information is useful for debugging generally, so I
guess you just want to suppress it if the expansion is for a configuration
item explicitly marked 'hide'.

That depends on the string expansion knowing that at that time, that it is
within the context of an item tagged as 'hide'.

If so, I guess it could report

Delay reason: failed to expand item in 'data': LDAP error 81: Can't contact LDAP server

or

Delay reason: failed to expand item in 'data'

or just not give a reason at all (forcing the sysadmin to check logs)

Regards,

Brian.