[exim] tainted data issues

Author: Heiko Schlittermann
Date:  
To: Exim-users
Subject: [exim] tainted data issues
Hello,

As many of you may have noticed, with the release of 4.94 we introduced
strict checks for the data Exim uses in expansions. This broke old
configurations that used "tainted" data.

Unfortunately the introduction of these taint checks wasn't communicated
very well, and as not all of you were able to test the release
candidates, we understand that this "breaking" change was unexpected to
a majority of our user base. (Or will be, in the case of Debian, which
currently ships 4.92 but already has 4.94 in its backports.)

The traffic on the mailing lists indicated that there are issues with
these taint checks. A good share of the issues was caused by broken
builds. But another share of the issues arose due to suddenly broken
configurations.

Even configurations as simple as:

  begin transports
    smtp:
      driver = smtp
      dkim_domain = $sender_address_domain
      dkim_selector = 2020-08-25
      dkim_private_key = /etc/exim/dkim/$dkim_selector.$dkim_domain.pem


broke, because the $sender_address_domain is considered to be tainted.

The currently proposed way to make this configuration safe is to
introduce an additional lookup to verify the $sender_address_domain,
as for example in:

  begin transports
    smtp:
      driver = smtp
      dkim_domain = ${lookup{$sender_address_domain}dsearch{/etc/exim/dkim}}
      dkim_selector = 2020-08-25
      dkim_private_key = /etc/exim/dkim/$dkim_selector.$dkim_domain.pem


We understand that this introduces an additional level of complexity for
the configuration. And we're looking for better ways to balance between
a secure and a simple configuration.

We're open to suggestions. And intentionally we do not provide
suggestions from our side here and now (this doesn't mean that we do not have
ideas ;)) My thoughts I'll present here later.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
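
An added illustration (not part of the original message and not Exim's code): a small Python model of why the dsearch result can be used in the key file name while $sender_address_domain cannot. The names `Tainted`, `dsearch`, `key_path` and `demo` are hypothetical, and the sketch assumes the directory holds an entry named after each signing domain.

```python
import os
import tempfile


class Tainted(str):
    """A string taken from the message or the SMTP peer (sender-influenced)."""


def dsearch(directory, key):
    """Model of a dsearch lookup: return the directory entry named `key`, or None.

    The value returned comes from os.listdir(), i.e. from the local
    filesystem, so it is a plain str and no longer carries the taint.
    """
    if "/" in key:                # a dsearch key may not contain a slash
        return None
    for entry in os.listdir(directory):
        if entry == key:
            return entry          # the administrator's file name, not the input
    return None


def key_path(directory, selector, domain):
    """Build the private-key path, refusing a tainted domain component."""
    if isinstance(domain, Tainted):
        raise ValueError("tainted data used in file name")
    return os.path.join(directory, f"{selector}.{domain}.pem")


def demo():
    """Return {sender domain: (direct use, file name via dsearch)}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: one directory entry per domain we sign for.
        open(os.path.join(d, "example.org"), "w").close()
        for raw in ("example.org", "../../etc/passwd", "unknown.example"):
            sender_domain = Tainted(raw)
            try:
                key_path(d, "2020-08-25", sender_domain)
                direct = "accepted"
            except ValueError:
                direct = "rejected"
            clean = dsearch(d, sender_domain)
            via = None if clean is None else os.path.basename(
                key_path(d, "2020-08-25", clean))
            results[raw] = (direct, via)
    return results


if __name__ == "__main__":
    print(demo())
```

A domain with no matching entry yields no key path at all, so in this model the lookup also acts as an allow-list of signing domains.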