[exim] Staying in the queue taints data ?

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
MJeremy Harris at ->
Delete this message
Reply to this message
Author: Olaf Hopp (SCC)
Date:  
To: 'Mailing List'
Subject: [exim] Staying in the queue taints data ?
Dear collegues,
I'm facing a weired 'tainted data' problem under Debian Bullseye with exim-4.94.2
Currently I am working around this using the option
"allow_insecure_tainted_data = yes"
but I want to understand it and resolve it.

Normally everything runs fine for thousands of mails per day, such as

2022-03-09 09:24:44 1nRrci-0001OB-TG <= <> H=host.example.com [x.x.x.x] P=esmtps X=TLS1.3:ECDHE_SECP256R1__ECDSA_SECP384R1_SHA384__AES_256_GCM:256 CV=no K S=6146 id=E1nRrch-005FKl-SX@??? from <> for bounce+does-not-exist==a==example.com.de==tainted@???
2022-03-09 09:24:45 1nRrci-0001OB-TG => | /usr/lib/sympa/bin/bouncequeue sympa@??? <bounce+does-not-exist==a==example.com==tainted@???> R=sympa_verp_bounces_virtual T=sympa_pipe_virtual
2022-03-09 09:24:45 1nRrci-0001OB-TG Completed

But e.g. there is load on the server and it goes into
queue-only mode because queue_only_load is exceeded then I have

2022-03-09 09:30:02 1nRrhq-0001WF-L1 <= <> H=host.example.com [x.x.x.x] P=esmtps X=TLS1.3:ECDHE_SECP256R1__ECDSA_SECP384R1_SHA384__AES_256_GCM:256 CV=no K S=6174 id=E1nRrfL-005FkK-56@??? from <> for bounce+does-not-exist==a==example.com==tainted@???
2022-03-09 09:34:24 1nRrhq-0001WF-L1 Warning: Tainted '/usr/lib/sympa/bin/bouncequeue sympa@???' (command for sympa_pipe_virtual transport) not permitted
2022-03-09 09:34:25 1nRrhq-0001WF-L1 => | /usr/lib/sympa/bin/bouncequeue sympa@??? <bounce+does-not-exist==a==example.com==tainted@???> R=sympa_verp_bounces_virtual T=sympa_pipe_virtual
2022-03-09 09:34:25 1nRrhq-0001WF-L1 Completed

See the timestamps, the first mail goes straight through without staying in the queue
and without "tainted data warning" and the second one stuck a few minutes in the queue
and thus became tainted. Both mails are more or less the same mails generated by swaks.

The router:
----------
sympa_verp_bounces_virtual:
driver = redirect
allow_defer
allow_fail
domains = +sympa_virtual
local_part_prefix = bounce+
data = "| SYMPA_BIN/bouncequeue sympa@$domain"
pipe_transport = sympa_pipe_virtual

The transport:
--------------
sympa_pipe_virtual:
driver=pipe
command="SYMPA_BIN/queue $local_part@$domain"
return_path_add
delivery_date_add
envelope_to_add
user = SYMPA_USER
group = SYMPA_GROUP


Any ideas ?
Regards, Olaf


--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Dipl.-Geophys. Olaf Hopp

Zirkel 2
Gebäude 20.21, Raum 316
76131 Karlsruhe

Telefon: +49 721 608-48009
E-Mail: Olaf.Hopp@???
Web: www.scc.kit.edu

Sitz der Körperschaft:
Kaiserstraße 12, 76131 Karlsruhe

KIT - Die Forschungsuniversität in der Helmholtz-Gemeinschaft
This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] stuck exim processesRe: [exim] stuck exim processes->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)