Re: [exim-dev] [exim-announce] Exim 4.96-RC0 released

Pàgina inicial
Delete this message
Reply to this message
Autor: Kirill Miazine
Data:  
A: Kirill Miazine via Exim-dev
Assumpte: Re: [exim-dev] [exim-announce] Exim 4.96-RC0 released
So my workaround was to create a simple wrapper and call it, instead of
dovecot-lda:

$ cat /local/bin/dovecot-lda-wrapper
#!/bin/sh
exec /usr/local/libexec/dovecot/dovecot-lda \
-d "${LOCAL_PART}@${DOMAIN}" \
-a "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
-r "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
-f "${SENDER}"

Here's how it is called from Exim:

dovecot_pipe:
    driver = pipe
    command = /local/bin/dovecot-lda-wrapper


• Kirill Miazine via Exim-dev [2022-04-25 14:47]:
> Beware that the just released RC0 for Exim 4.96 may break your Dovecot
> LDA delivery. It did break mine, which is similar to what is described
> on https://wiki.dovecot.org/LDA/Exim
>
> Here is the relevant ChangeLog entry:
>
> JH/25 Taint-check exec arguments for transport-initiated external processes.
>       Previously, tainted values could be used.  This affects "pipe", "lmtp" and
>       "queryprogram" transport, transport-filter, and ETRN commands.
>       The ${run} expansion is also affected: in "preexpand" mode no part of
>       the command line may be tainted, in default mode the executable name
>       may not be tainted.

>
> As of now I don't have a personal working solution to get untained data.
> I did try a small hack, but Exim was smart enough to see what I was
> doing, so I'm rolling back until I better unstand the tainting
> facilities and how to untaint the data.
>
> The concept is great, though.
>
> • Jeremy Harris via Exim-announce [2022-04-23 20:23]:
> > Hi all,
> >
> > Enough changes have accumulated since 4.95 for it to be worth
> > spinning another release. The first Release Candidate is available
> >
> > - as tarball:        https://ftp.exim.org/pub/exim/exim4/test
> > - directly from Git: https://git.exim.org
> >                      tag exim-4.96-RC0

> >
> > The signatures on the release tarballs (and this mail) should be
> > mine, key ID 0xBCE58C8CE41F32DF.
> >
> > Please test and give feedback on the RC so that we can shake out
> > issues before 4.96 goes official.
> >
> > The sourcebase is still open for feature additions at this point
> > in the release process.
> >
> >
> > New stuff we've added since 4.95:
> >
> >  - A new ACL condition: seen. Records/tests a timestamp against a key.
> >  - A variant of the "mask" expansion operator to give normalised IPv6.
> >  - UTC output option for exim_dumpdb, exim_fixdb.
> >  - An event for failing TLS connects to the daemon.
> >  - The ACL "debug" control gains options "stop", "pretrigger" and "trigger".
> >  - Query-style lookups are now checked for quoting, if the query string is
> >     built using untrusted data ("tainted").  For now lack of quoting is merely
> >     logged; a future release will upgrade this to an error.
> >  - The expansion conditions match_<list-type> and inlist now set $value for
> >     the expansion of the "true" result of the ${if}.  With a static list, this
> >     can be used for de-tainting.

> >
> > Notable removals since 4.95:
> >
> >   - the "allow_insecure_tainted_data" main config option and the
> >     "taint" log_selector.  These were previously deprecated.

> >
> > As usual, you should read the ChangeLog file for other changes.
> > --
> > Cheers,
> > Jeremy

-- 
    -- Kirill Miazine <km@???>