On 2019-05-08 at 00:39 +0100, Mike Tubby via Exim-users wrote:
> Which suggests I need something like:
>
> user_filter:
>   driver = forwardfile
>   data = ${lookup mysql{SELECT rule FROM users LEFT JOIN domains \
>     ON domains.id=users.domain_id LEFT JOIN filters \
>     ON users.id=filters.user_id WHERE \
>     domains.domain='${quote_mysql:$domain}' \
>     AND users.username='${quote_mysql:$local_part}' \
>     AND domains.active=1 \
>     AND users.active=1 \
>     AND filters.active=1}}
>   no_verify
>   no_expn
>   check_ancestor

This is a central mailhub where users no longer have accounts. Please
read the Exim Spec security section on "Running Local Commands":

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_considerations.html#SECTsecconslocalcmds

You're going to need to add a bunch of forbid_* options to that Router,
and keep an eye on release notes when upgrading, to watch for shiny new
forbid_* options.

See:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_redirect_router.html#SECID130

for the list of options, search for "forbid_" (and "allow_").

> Am I going to need to arrange for the database result set to start with '#
> Exim Filter' each time or is there a boolean to force this?

If it worked before, it'll work now; if I were choosing, I would leave
it to the users to choose an Exim filter, a Sieve filter, or just a
simple forward rule.

-Phil
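
Added example (not part of the original message, and not Exim project code): a small Python check that reports which forbid_* options a redirect router stanza leaves unset, so the list can be re-checked after each upgrade. The option names are the redirect router's forbid_* set from the spec chapter linked above; SAMPLE is a constructed stanza and the function names are hypothetical.

```python
import re

# forbid_* options of the Exim 4 redirect router; extend this set when
# release notes announce new ones.
FORBID_OPTIONS = {
    "forbid_blackhole", "forbid_exim_filter", "forbid_file",
    "forbid_filter_dlfunc", "forbid_filter_existstest",
    "forbid_filter_logwrite", "forbid_filter_lookup", "forbid_filter_perl",
    "forbid_filter_readfile", "forbid_filter_readsocket",
    "forbid_filter_reply", "forbid_filter_run", "forbid_include",
    "forbid_pipe", "forbid_sieve_filter", "forbid_smtp_code",
}

# Constructed sample stanza (not the poster's configuration).
SAMPLE = r"""
user_filter:
  driver = redirect
  data = ${lookup mysql{SELECT rule FROM filters \
         WHERE active=1}}
  allow_filter
  forbid_pipe
  forbid_include = true
  forbid_filter_run = false
  no_verify
"""

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\n[ \t]*", "", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def enabled_options(stanza):
    """Return the boolean options that a router stanza switches on."""
    on = set()
    for line in logical_lines(stanza):
        name, sep, value = (p.strip() for p in line.partition("="))
        if name.endswith(":") or name.startswith(("no_", "not_")):
            continue  # router name line, or a negated boolean
        if not sep or value.lower() in ("true", "yes"):
            on.add(name)
    return on

def missing_forbids(stanza, known=FORBID_OPTIONS):
    """List the known forbid_* options the stanza does not enable."""
    return sorted(set(known) - enabled_options(stanza))

if __name__ == "__main__":
    print("\n".join(missing_forbids(SAMPLE)))
```

Not every unset option is a defect: forbid_exim_filter or forbid_sieve_filter, for instance, would disable the filtering the router exists to provide, so treat the output as a list to review against local policy.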