Dan Egli via Exim-users <exim-users@???> (Wed 05 May 2021 02:41:38 CEST):
> I just upgraded to 4.94.2, and most everything is working fine. But I'm
> getting an issue on DKIM signings with tainted filename. I looked over the
> list and tried to apply the same fix I've seen used before, but I guess I'm
> not understanding it. Here's my dkim_private_key statement:
>
> dkim_private_key = ${if
> exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
> {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
>
> So how do I correct this? Thanks!

You didn't run 4.94 before, did you?
The $sender_address_domain is considered tainted. Now (since >= 4.94)
Exim refuses to use tainted data for filenames. The "exists" doesn't
de-taint the data. You need to perform a kind of lookup first, to
"clean"/"de-taint" the data.

# determine the domain to be used for signing (use the rfc5322.From
# or schlittermann.de as a fallback)
dkim_domain = ${lookup{${domain:${address:$h_from:}}}dsearch{$config_dir/dkim}{$value}{schlittermann.de}}
dkim_selector = ${lookup{$dkim_domain}lsearch{$config_dir/dkim/selector}}
# use the found signing domain and its selector to get
# the private key
dkim_private_key = $config_dir/dkim/$dkim_domain/$dkim_selector.pem

--
Heiko
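
Added example, not part of the message above and not Exim code: a simplified Python model of why an existence test leaves the filename built from the input, while a dsearch-style lookup yields a name taken from the directory listing. The function names, the temporary directory tree and the sample domains are constructed for illustration.

```python
import os
import tempfile

KEY_FILE = "dkim.private.key.pem"

def dsearch(key, directory):
    """Simplified model of a dsearch-style lookup (not Exim's implementation).

    Returns the matching directory entry name, or None. The returned string
    comes from the directory listing, never from the caller-supplied key.
    """
    if not key or "/" in key or key in (".", ".."):
        return None
    for entry in os.listdir(directory):
        if entry == key:
            return entry  # value originates from the local filesystem
    return None

def key_path_exists_style(domain, base):
    """Pattern from the question: test the path, then reuse the same input."""
    path = os.path.join(base, domain.lower(), KEY_FILE)
    return path if os.path.exists(path) else None

def key_path_lookup_style(domain, base):
    """Pattern from the reply: build the path from the lookup result only."""
    name = dsearch(domain.lower(), base)
    return os.path.join(base, name, KEY_FILE) if name else None

def demo():
    """Run both patterns on a constructed temporary tree; paths relative to it."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "DKIM")
        for d in (os.path.join(base, "example.org"), os.path.join(root, "other")):
            os.makedirs(d)
            open(os.path.join(d, KEY_FILE), "w").close()
        results = {}
        for domain in ("Example.ORG", "unknown.example", "../other"):
            by_exists = key_path_exists_style(domain, base)
            by_lookup = key_path_lookup_style(domain, base)
            results[domain] = tuple(
                p and os.path.relpath(p, root) for p in (by_exists, by_lookup))
        return results

if __name__ == "__main__":
    for domain, (by_exists, by_lookup) in demo().items():
        print(f"{domain!r}: exists-style={by_exists!r} lookup-style={by_lookup!r}")
```

For the input that is not a plain directory name, the exists-style function returns a path outside the DKIM directory, while the lookup-style function returns nothing, so no key file is selected.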