[exim] Exim 4.94.0.4 works where Exim 4.94 fails with tainte…

Author: Mike Tubby
Date:  
To: exim-users
Subject: [exim] Exim 4.94.0.4 works where Exim 4.94 fails with tainted path 'not permitted'
All,

So you can tell it's Lockdown 2.0 as I am catching up with email server
sysadmin, updating spam scanning and antivirus ready for when the
thought police visit next month.

I have been running Exim 4.93.0.4 successfully with virtual domains with
a MySQL backend in first-normal form and it's been working 'really
well'(tm) and I've added some tweaks like getting spam delivered into
junk folders - if the user wants it configured that way using a couple
of routers and a couple of transports:


*Routers*

#
# Junk folder router - calls alternative junk delivery if spam status is yes
# and user has elected to use the junk folder.
#
junk_folder_router:
        driver = accept
        condition = ${if and {  {def:h_X-Spam-Status:} \
                                {eq {$h_X-Spam-Status:}{Yes}} \
                        }}
        condition = ${lookup mysql{SELECT CONCAT(users.username,'@',domains.domain) AS email FROM \
                users LEFT JOIN domains ON users.domain_id=domains.id WHERE \
                users.username='${quote_mysql:$local_part}' AND \
                domains.domain='${quote_mysql:$domain}' AND \
                users.active=1 AND \
                users.junk_folder=1 AND \
                domains.active=1}{yes}{no}}
        transport = local_junk_delivery
        user = mail
        group = mail


*Transports*

#
# Normal local delivery
#
normal_delivery_router:
        driver = accept
        condition = ${lookup mysql{SELECT CONCAT(users.username,'@',domains.domain) AS email FROM \
                users LEFT JOIN domains ON users.domain_id=domains.id WHERE \
                users.username='${quote_mysql:$local_part}' AND \
                domains.domain='${quote_mysql:$domain}' AND \
                users.active=1 AND \
                domains.active=1}{yes}{no}}
        transport = local_delivery
        user = mail
        group = mail



#
# This transport delivers to local users with virtual mailboxes in Maildir
# format into the primary Maildir/virtual INBOX
#
local_delivery:
        driver = appendfile
        maildir_format = true
        directory = /srv/mail/$domain/$local_part/Maildir
        create_directory = true
        directory_mode = 0770
        mode_fail_narrower = false
        message_prefix =
        message_suffix =
        delivery_date_add
        envelope_to_add
        return_path_add
        user = mail
        group = mail
        mode = 0660

#
# This transport delivers to local user's Junk folder and is used for
# routing suspected spam
#
local_junk_delivery:
        driver = appendfile
        maildir_format = true
        directory = /srv/mail/$domain/$local_part/Maildir/.Junk
        create_directory = true
        directory_mode = 0770
        mode_fail_narrower = false
        message_prefix =
        message_suffix =
        delivery_date_add
        envelope_to_add
        return_path_add
        user = mail
        group = mail
        mode = 0660


*Tainted file paths?*

However if I upgrade from Exim 4.93.0.4 to Exim 4.94 (exactly the same
Makefile and options) and run out the mail queue waiting on the upstream
relay I get a load of 'tainted' and 'not permitted' messages and failed
deliveries:

2020-11-07 20:16:57 1kbUdY-0003XV-I1 == mike.tubby@???
R=junk_folder_router T=local_junk_delivery defer (-1): Tainted
'/srv/mail/thorcom.co.uk/mike.tubby/Maildir/.Junk' (file or directory
name for local_junk_delivery transport) not permitted
2020-11-07 20:16:57 1kbUdY-0003XS-2P == mike.tubby@???
R=junk_folder_router T=local_junk_delivery defer (-1): Tainted
'/srv/mail/thorcom.co.uk/mike.tubby/Maildir/.Junk' (file or directory
name for local_junk_delivery transport) not permitted
2020-11-07 20:16:57 1kbUda-0003Xm-Oa == mike.tubby@???
R=junk_folder_router T=local_junk_delivery defer (-1): Tainted
'/srv/mail/thorcom.co.uk/mike.tubby/Maildir/.Junk' (file or directory
name for local_junk_delivery transport) not permitted
2020-11-07 20:16:57 1kbUdZ-0003Xi-Gx == mike.tubby@???
R=junk_folder_router T=local_junk_delivery defer (-1): Tainted
'/srv/mail/thorcom.co.uk/mike.tubby/Maildir/.Junk' (file or directory
name for local_junk_delivery transport) not permitted
2020-11-07 20:16:57 1kbUdW-0003XN-Nv == mike.tubby@???
R=junk_folder_router T=local_junk_delivery defer (-1): Tainted
'/srv/mail/thorcom.co.uk/mike.tubby/Maildir/.Junk' (file or directory
name for local_junk_delivery transport) not permitted

Reverting back to Exim 4.94.0.4 resolves this.


What do I need to know to fix this one?



Mike
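
Added example (not part of the original message and not Exim project code): a small pre-upgrade check that scans an Exim configuration for path options built from `$local_part` or `$domain`, which Exim 4.94 treats as tainted and refuses to use as file or directory names. The short variable list, the `detainted_delivery` block and the function names are assumptions made for illustration; `$domain_data` and `$local_part_data` are only set when the router matched the address through a lookup.

```python
import re

# Variables carrying message-supplied (tainted) data in Exim 4.94 and later.
# Assumption: deliberately short list; extend it for your own configuration.
TAINTED = re.compile(r"\$\{?(local_part|domain)\b")
PATH_OPTIONS = {"directory", "file"}  # options that are used as filesystem paths

# Constructed sample: the first two blocks mirror the transports quoted above,
# the third is a hypothetical variant built from lookup results instead.
SAMPLE = """\
local_delivery:
        driver = appendfile
        directory = /srv/mail/$domain/$local_part/Maildir
local_junk_delivery:
        driver = appendfile
        directory = /srv/mail/$domain/$local_part/Maildir/.Junk
detainted_delivery:
        driver = appendfile
        directory = /srv/mail/$domain_data/$local_part_data/Maildir
"""

def logical_lines(text):
    """Yield config lines with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield buf + raw
        buf = ""

def find_tainted_paths(config):
    """Return (driver_name, option, tainted_variables) for each risky path option."""
    findings, block = [], None
    for line in logical_lines(config):
        head = re.match(r"^(\w+):\s*$", line)
        if head:
            block = head.group(1)
            continue
        opt = re.match(r"^\s+(\w+)\s*=\s*(.*)$", line)
        if block and opt and opt.group(1) in PATH_OPTIONS:
            names = sorted({"$" + m for m in TAINTED.findall(opt.group(2))})
            if names:
                findings.append((block, opt.group(1), names))
    return findings

if __name__ == "__main__":
    for name, option, names in find_tainted_paths(SAMPLE):
        print(f"{name}: {option} uses {', '.join(names)}")
```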