Re: [exim] Tainted spoolfile?

Author: Andreas Metzler
Date:  
To: exim-users
Subject: Re: [exim] Tainted spoolfile?
On 2021-10-26 Dominik Vogt via Exim-users <exim-users@???> wrote:
> After upgrading from Devuan 3 (~= Debian 10) to Devuan-4
> (~=Debian-11), not changing the exim config file the new Exim
> version is 4.94.2.

> Running "sendmail -qf" emits error messages like this one:

> 2021-10-25 23:00:12.776 [7584] 1melHk-0000VC-R0 ==
> FOOBAR@localhost R=local_user T=mail_spool defer (-1) DT=0.004s:
> Tainted '/var/mail/FOOBAR' (file or directory name for mail_spool
> transport) not permitted
> It seems to complain about the file /var/mail/FOOBAR for
> _incoming_ mail. What is the cause of this and how can it be
> fixed?

[...]

Hello,

Assuming Devuan is using the Debian packages you should have seen this
warning from /usr/share/doc/exim4-base/NEWS.Debian.gz on upgrading. If
you have not, please install apt-listchanges, which is Priority:
standard for a good reason.

-------------------------
exim4 (4.94-18) experimental; urgency=medium

Please consider exim 4.93/4.94 a *major* exim upgrade. It introduces the
concept of tainted data read from untrusted sources, like e.g. message
sender or recipient. This tainted data (e.g. $local_part or $domain)
cannot be used among other things as a file or directory name or command
name.

This WILL BREAK configurations which are not updated accordingly.
[....]
-------------------------

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
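Added example, written for this archive page and not taken from the post or from the Exim project's shipped configuration. It shows the mail_spool transport the error message above names, first in the shape that triggers "Tainted ... not permitted" and then in the form Exim 4.94 accepts. The router and transport names (local_user, mail_spool) and the /var/mail path come from the thread; the use of the check_local_user router option and the $local_part_data variable it sets is standard Exim 4.94 behaviour, but the exact appendfile options listed are an assumption about what such a site config contains.

```exim
# Added example (not the poster's config): router/transport pair for local
# mailbox delivery under Exim 4.94's tainted-data rules.

begin routers

local_user:
  driver = accept
  # check_local_user verifies that the local part names a real account.
  # On success Exim sets $local_part_data, an untainted copy of the local
  # part derived from the password lookup rather than from the message.
  check_local_user
  transport = mail_spool

begin transports

# BEFORE: $local_part is taken straight from the envelope recipient, so it
# is tainted. Using it as a path makes 4.94 defer the delivery with:
#   Tainted '/var/mail/FOOBAR' (file or directory name for mail_spool
#   transport) not permitted
#
# mail_spool:
#   driver = appendfile
#   file = /var/mail/$local_part
#   delivery_date_add
#   envelope_to_add
#   return_path_add
#   group = mail
#   mode = 0660

# AFTER: $local_part_data was produced by the router's check_local_user
# lookup, so Exim treats it as trusted and allows it in a file name.
mail_spool:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
```

The point of the taint check is that a path built from the raw recipient is attacker-influenced input reaching the filesystem; the fix is not to switch the check off but to route the value through a lookup (here the passwd lookup performed by check_local_user) so that only values the system already knows about can become file names.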