Re: [exim] Re: sensitive data appearing in delay warning mes…

Author: Philip Hazel
Date:  
To: Alexander V Alekseev
CC: exim-users, Brian Candler
Subject: Re: [exim] Re: sensitive data appearing in delay warning messages [was: Please help!]
On Sat, 16 Apr 2005, Alexander V Alekseev wrote:

>    Thank you for the patch, but it works only if pass= doesn't contain
> a space. But really, the text of the search must not be shown in the
> bounce message (but should be in the log file). (I'll modify it for
> myself, but it's not good.)

This is a nice example of how modifications in one part of a program
have unexpected consequences in another part.

When I first created Exim, it did not have support for interfacing with
databases, and it seemed to make sense to include delivery error
messages in bounce and warning messages. There were no options that
contained sensitive data.

Later, new options and new forms of expansion were added, but of course
I never considered how failures in expansions could find their way into
delivery error messages and thus into bounce and warning messages.

Times have changed. Perhaps the best plan now would be *never* to give
any details in bounce and delay warning messages. What do people think?
Please post your opinion.

Meanwhile, you can cut them out by hacking in the area of lines 6094
(bounce) and 6608 (warning) in deliver.c.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book