Re: [exim] tainted data issues

Author: Mark Elkins
Date:  
To: exim-users
Subject: Re: [exim] tainted data issues
On 2020/11/10 08:44, Kai Bojens via Exim-users wrote:
> Am 09.11.20 um 23:27 schrieb Heiko Schlittermann via Exim-users:
>
>
>> We're open for suggestions. And intentionally we do not provide
>> suggestions from our side here and now (this doesn't mean that we do
>> not have
>> ideas ;)) My thoughts I'll present here later.
>
> The only problem I have with tainting is the lack of documentation.
> Why is there no single page with just "Hey, external data is now
> considered tainted. This is how you handle this new stuff:"?
>
> Right now the information about tainting is spread all over the
> documentation so that admins who upgrade have to go through all of this.


...and because of this, I have kept to older versions of EXIM - because
my configs rely on the fact that all my users are in a MySQL Database.

Some more general "this is how you do it" examples would be greatly
appreciated.
Thank you Heiko for raising this discussion.

I personally run some 1000 domains with perhaps 4000 e-mail users. Not
big but not insignificant. I understand that when an email arrives, the
recipient may not exist - but then the first thing I think I do is see
if the address exists - and has not been suspended - etc. Surely this
would cover 'tainted' data checks? Same for mail submission senders,
they only 'get in' if their username (full email address) and password
is a valid combination - so what is left to check?

As an aside, I also discovered my MySQL database was running on very old
software - so there are other issues at hand too - just to confuse my
particular issues. The old MySQL has just been sorted - so 'tainted'
data is next.

Running an email service used to be reasonably easy... now people do
dumb things like double SPF records or double sign DKIM (with one always
broken).

So a suggestion, if it's the incoming email that has tainted data - then
an immediate lookup (give various examples) that then sets some globally
usable variables for everything else - could be an ideal way forward.

--

Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
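The pattern Mark asks for (one lookup at RCPT time whose result is then reused everywhere else) sketched as an added illustrative Exim configuration. This is not code from the post or from the Exim project; it is written from the documented rules that tainted data (anything from the remote peer, such as $local_part and $domain) may be used in a query only after quoting, and that the value returned by a lookup is untainted. The table and column names (mailbox, email, suspended, home), the mysql_servers credentials and the domain list are assumptions made for the example. Sections must appear in Exim's usual order (main, acl, routers, transports).

```exim
# Added illustrative Exim configuration, not from the original post or the
# Exim project. Table/column names, credentials and domains are assumptions.

# --- main section ---
domainlist local_domains = example.com : example.net   # assumed domains
mysql_servers = localhost/mail/eximro/secret           # placeholder host/db/user/pw
acl_smtp_rcpt = acl_check_rcpt

# --- ACL section ---
begin acl

acl_check_rcpt:
  # One lookup per recipient. $local_part and $domain are tainted, so they
  # are passed through quote_mysql; the lookup result itself is untainted
  # and is kept in an acl_m variable, which is stored with the message and
  # remains readable in routers and transports at delivery time.
  warn    domains   = +local_domains
          set acl_m_mailbox = ${lookup mysql{SELECT email FROM mailbox \
                                WHERE email='${quote_mysql:$local_part@$domain}' \
                                AND suspended=0}{$value}{}}

  # Unknown or suspended addresses are rejected here, before any router
  # ever has to touch the tainted recipient.
  deny    domains   = +local_domains
          condition = ${if eq{$acl_m_mailbox}{}}
          message   = Unknown or suspended recipient

  accept

# --- routers section ---
begin routers

local_user:
  driver    = accept
  domains   = +local_domains
  condition = ${if def:acl_m_mailbox}
  transport = local_delivery

# --- transports section ---
begin transports

# The mailbox directory is built from a second lookup keyed on the
# already-untainted acl_m_mailbox value, so the path is untainted. Building
# it directly from $local_part would be refused by a tainting-aware Exim.
local_delivery:
  driver    = appendfile
  directory = /var/mail/${lookup mysql{SELECT home FROM mailbox \
                WHERE email='${quote_mysql:$acl_m_mailbox}'}{$value}fail}
  maildir_format
```

The same idea carries over to authenticated submission: an authenticator's server_condition can do a quoted MySQL lookup on $auth2/$auth3, and the untainted result (or a server_set_id) is what later ACLs and routers should consult rather than the raw submitted credentials.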