On 17/11/2022 15:12, Martin Clayton wrote:
> On 17/11/2022 13:49, Jeremy Harris via Exim-users wrote:
>> On 16/11/2022 14:06, Martin Clayton via Exim-users wrote:
>>> Removing the rhsbl services (i.e., $sender_address_domain) and all is
>>> well.
>>>
>> [...]
>> dbl.spamhaus.org!=127.0.1.255,127.255.255.252,127.255.255.254,127.255.255.255/$sender_address_domain
>>
>> because it uses $sender_address_domain (which is tainted), taints the
>> entire string
Ah, so it's unexpectedly expected behaviour ;)

So, sorry to be a tainted dummy, but I'm still left wondering how to
deal with this.

The dns query runs without issue, log messages, etc, all good. It's only
the $dnslist_domain based file lookup to define the action to take.

It sounds like dnslists using rhsbl services have to be tainted. (I'm
assuming that attempting to detaint $sender_address_domain isn't
sensible when it could legitimately be anything protocol-valid).

So, can $dnslist_domain be detainted? We know it lives in a pre-defined
list. The parent (dnslists) may be tainted but the child is reliable,
innocent and completely immune to anything in $sender_address_domain