On 20/07/2022 15:37, Kirill Miazine via Exim-users wrote:
> IIRC Mailman has some facility to generate aliases file, which Exim
> could be using. Mailman is able to generate those automatically, and
> that should make the taint checking happy, as there won't be any unsafe
> variables left.
Getting a file out of Mailman to verify recipient names against would be ideal.
You want also to use a static list of possible affixes, rather than a wildcard.
Handling initial signups for a list, where you don't have a known name
to verify, seems like it could be an issue. Still, do a proper job
on all the possible other cases first, to reduce the attack surface,
*before* resorting to deliberately subverting Exim's attempts to
provide security.
These attempts are not perfect; there are ways of evading them.
But do not forget the log4j fracas.
> Looking at https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/files/head:/Mailman/MTA
> it seems you'd have to say that your MTA is Postfix.
:-(
--
Cheers,
Jeremy
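Putting the two pieces of advice above (verify the list name against a Mailman-generated file, use a static affix list rather than a wildcard) into an Exim router and transport, as an added example that is not from this thread nor from Mailman's own MTA module. The domain, the path and format of the list-name file, MAILMAN_HOME and the list user/group are assumptions.

```exim
# Assumed: MAILMAN_HOME is defined as a macro in the main section, and
# /etc/exim4/mailman-lists (constructed, regenerated from Mailman's list
# data) holds one "name: name" line per list, e.g.
#   announce: announce
#   users: users

# --- in the routers section ---
mailman_router:
  driver = accept
  domains = lists.example.org
  # The lookup restricts delivery to known lists and, from Exim 4.94 on,
  # leaves an untainted copy of the matched name in $local_part_data.
  local_parts = lsearch;/etc/exim4/mailman-lists
  # Fixed set of Mailman 2.1 affixes instead of a wildcard such as "-*".
  local_part_suffix = -admin : -bounces : -confirm : -join : -leave : \
                      -owner : -request : -subscribe : -unsubscribe
  local_part_suffix_optional
  transport = mailman_transport

# --- in the transports section ---
mailman_transport:
  driver = pipe
  # Only the de-tainted list name and the matched affix (minus its
  # leading "-") reach the wrapper; the raw, tainted $local_part is
  # never expanded into the command line.
  command = MAILMAN_HOME/mail/mailman \
            ${if def:local_part_suffix \
                  {${substr_1:$local_part_suffix}} {post}} \
            $local_part_data
  current_directory = MAILMAN_HOME
  home_directory = MAILMAN_HOME
  user = list
  group = list
```

Initial signups still need a list entry to exist before mail for that list is accepted, so the file must be regenerated whenever a list is created.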