> > What's the suggested way to do that for virtual domains, that is many
> > mailboxes that all belong to the same local user, and which are not
> > obtained through a lookup, but through the filesystem itself?
>
> The result of a lookup is untainted, and will likely remain so
> (even if the key for the lookup is tainted, eg. $local_part).
> So whatever you're doing now should still work, so long as you
> don't name the DB for the lookup using tainted data.

Is there a way of un-tainting things from $local_part? We have a
long-standing little feature where we implement per-address settings
for things like blocklists using databases read from directories named
after the local addresses, more or less:

    UBDIR = CFDIR/${lc:$local_part}

    deny
      domains = +local_domains
      senders = ${if exists {UBDIR/senders} {UBDIR/senders}}
      message = mail from ...

We have not yet updated to a version of Exim that uses tainting and so
I don't know if this usage will be immediately affected, but it seems
that this is now being considered questionable in at least this form.
(We already check and sanitize $local_part, so this is safe in our
usage. People do not get to create valid local addresses with eg '/../'
in them, and if they did manage it somehow, explicit address content
checks would reject them earlier. Also, these per-user files must be
updated by root, so we consider their contents safe.)
- cks
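
An added example, not part of the original message or of the quoted reply: one way to apply the quoted point that a lookup result is untainted is to run $local_part through a dsearch lookup on the parent directory, so the name used in the path is the directory entry found on disk rather than the address text. CFDIR, UBDIR and the senders file are the names from the message above; that the per-address directories sit directly under CFDIR is an assumption.

```exim
# Added example (assumption: per-address directories live directly
# under CFDIR, which is a fixed, untainted path set by the admin).
#
# dsearch looks for a directory entry in CFDIR whose name equals the
# key. The key may be tainted; the value returned is the matching
# entry name and is untainted. A key containing "/" cannot match, so
# the lookup also acts as the path check.
#
# No failure string is given, so an address with no directory yields
# an empty string, UBDIR becomes "CFDIR/", the exists test is false
# and the senders list is empty, as with the original macro.
UBDIR = CFDIR/${lookup {${lc:$local_part}} dsearch {CFDIR} {$value}}

deny
  domains = +local_domains
  senders = ${if exists {UBDIR/senders} {UBDIR/senders}}
  message = mail from ...
```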