Autor: Peter Wullinger Datum: To: exim-users Betreff: [exim] spf lookup requires untained values / detaint a header
Dear all,
I am a little bit stuck on a tainting issue.
Background: We will be moving our MX to an external provider.
This also means that all incoming mails will go through their servers
and we no longer
have direct access to the address of the original remote host.
Currently, the provider will perform SPF envelope checks (and report the
result to us), but
it will not perform DMARC-like SPF check against the header from.
To make it possible to still perform SPF checks on the header from,
the provider will deliver the original remote IP in a custom header, e.g.:
X-Original-Remote-Addr: 192.168.123.45
This header is basically trusted. If the mail comes in from the hosts of
the provider,
the header will have been set only by the provider's mail servers.
LOG: XXXXXX-XXXXX-XX Tainted filename for search: '192.168.123.45'
This seems reasonable. I can see that by forging the header, it is
possible to have the mail
servers perform arbitrary DNS lookups (via a carefully crafted
SPF-Record and suitable macro expansions),
even if the error message is slightly misleading.
Is there a way to make this work besides a custom lookup, e.g. a
local daemon that just echos back the address once validating it is a
properly
formatted IP address?