Re: [exim] Tainted spoolfile?

Author: Dominik Vogt
Date:
To: exim-users
CC: Andreas Metzler
Subject: Re: [exim] Tainted spoolfile?
On Tue, Oct 26, 2021 at 08:29:45AM +0200, Andreas Metzler via Exim-users wrote:
> On 2021-10-26 Dominik Vogt via Exim-users <exim-users@???> wrote:
> > After upgrading from Devuan 3 (~= Debian 10) to Devuan-4
> > (~=Debian-11), not changing the exim config file the new Exim
> > version is 4.94.2.
>
> > Running "sendmail -qf" emits error messages like this one:
>
> > 2021-10-25 23:00:12.776 [7584] 1melHk-0000VC-R0 ==
> > FOOBAR@localhost R=local_user T=mail_spool defer (-1) DT=0.004s:
> > Tainted '/var/mail/FOOBAR' (file or directory name for mail_spool
> > transport) not permitted
>
> > It seems to complain about the file /var/mail/FOOBAR for
> > _incoming_ mail. What is the cause of this and how can it be
> > fixed?
> [...]


I didn't get this warning during upgrade. This is likely a Devuan
thing.

> Please consider exim 4.93/4.94 a *major* exim upgrade. It introduces the
> concept of tainted data read from untrusted sources, like e.g. message
> sender or recipient. This tainted data (e.g. $local_part or $domain)
> cannot be used among other things as a file or directory name or command
> name.


So, the solution is to merge the modifications to the old
exim4.conf.template into the ...dpkg-dist file and use the result.
That works. Thanks.

--

But I don't understand why Exim behaves differently for the two
local accounts:

(1)
Address: a@???
Local user: FOOBAR

(The local user name is in no way related to the domain part of
the mail address. They are identical by "accident".)

vs.

(2)
Address: b@???
Local user: FANTASYNAME

The emails to (1) trigger the "tainted" error, but the ones to (2)
are delivered without a problem. In both cases, the recipient
address is rewritten by fetchmail ("username@localhost"):

user '...' there is 'FOOBAR' here

vs.

user '...' there is 'FANTASYNAME' here

Ciao

Dominik ^_^ ^_^

--

Dominik Vogt
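
The taint rule quoted in this message, shown as an added configuration fragment that is not part of the original post and is not the Debian or Devuan shipped file: the same appendfile transport written with the tainted `$local_part` and with `$local_part_data`, the de-tainted value that `check_local_user` sets in Exim 4.94. The router and transport names follow the log line above; the domain list and the remaining option values are assumptions.

```exim
# Constructed fragment for illustration; merge by hand, do not use as a full config.

# Assumed domain list, only so the router below is complete.
domainlist local_domains = @ : localhost

begin routers

local_user:
  driver = accept
  domains = +local_domains
  # Checks the local part against the system accounts. On success Exim 4.94
  # places a de-tainted copy of the local part in $local_part_data.
  check_local_user
  transport = mail_spool

begin transports

# Before (pre-4.94 style). $local_part comes straight from the recipient
# address, so it is tainted and 4.94 defers delivery with
# "Tainted '/var/mail/...' (file or directory name for mail_spool transport)
# not permitted".
#
# mail_spool:
#   driver = appendfile
#   file = /var/mail/$local_part

# After. The file name is built from the value produced by the passwd
# lookup in the router, not from the address as received.
mail_spool:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  mode = 0660
  mode_fail_narrower = false
```

Running `exim -bt FOOBAR@localhost` after the change shows which router and transport the address is assigned to.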