On Wed, 8 Jan 2020, Tobias Klausmann via Exim-users wrote:
Hi!
On Wed, 08 Jan 2020, Andrew C Aitchison via Exim-users wrote:
I see from your latest message that
/home/$local_part/... is tainted.
Would using $home - and check_local_user to set it - do what you need?
Indeed that seems to work. I changed the earlier config thus:
$ diff -Naur exim-old.conf exim.conf
--- exim-old.conf 2020-01-08 10:02:17.450333630 +0100
+++ exim.conf 2020-01-08 10:01:33.290288221 +0100
@@ -103,18 +103,20 @@
extension_user_verify:
driver = accept
local_part_suffix = -*
- require_files = /home/$local_part/.mail-extensions
+ require_files = $home/.mail-extensions
verify_only
- condition =
${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
+ check_local_user
+ condition =
${lookup{$local_part_suffix}lsearch{$home/.mail-extensions}{yes}{no}}
extension_user_delivery_f:
driver = redirect
+ check_local_user
local_part_suffix = -*
- require_files =
/home/$local_part/.mail-extensions:/home/$local_part/.forward
- condition =
${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
+ require_files = $home/.mail-extensions:$home/.forward
+ condition =
${lookup{$local_part_suffix}lsearch{$home/.mail-extensions}{yes}{no}}
user=$local_part
check_ancestor
- file = /home/$local_part/.forward
+ file = $home/.forward
allow_filter
allow_fail
verify=false
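Review bot: in extension_user_delivery_f the unchanged line user=$local_part still names the delivery user from the address-derived local part, even though the hunk adds check_local_user to the same router. With check_local_user set, the router's user and group default to the passwd entry that also supplies $home, so the user= line can be dropped and nothing in the router depends on $local_part any more. Also consider placing check_local_user at the same position in both routers (it follows verify_only in extension_user_verify but precedes local_part_suffix here) so the stanzas are easy to compare.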
@@ -125,8 +127,9 @@
extension_user_delivery:
driver = accept
local_part_suffix = -*
- require_files = /home/$local_part/.mail-extensions
- condition =
${lookup{$local_part_suffix}lsearch{/home/$local_part/.mail-extensions}{yes}{no}}
+ check_local_user
+ require_files = $home/.mail-extensions
+ condition =
${lookup{$local_part_suffix}lsearch{$home/.mail-extensions}{yes}{no}}
user=$local_part
verify=false
transport = local_delivery
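Review bot: transport = local_delivery at the end of extension_user_delivery is outside this patch, so any path in that transport is left as it was. If the transport builds its file or directory from /home/$local_part, it should move to $home in the same change so that router and transport agree on one directory. The unchanged user=$local_part line in this router is also redundant once check_local_user is added.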
If you have check_local_user you shouldn't need user=$local_part as well.
And this seems to work. I'll test it for a bit and report back.
Is the use of $local_part in the transports seen as safe, or
should I change those to use $home as well?
On principle I would say change them too.
If $home and /home/$local_part are different directories which do you want?
The one from the password file/database or the one derived from the
potential hacker's input ?
If /home fills up and you put a new user on a different
disk/partition/volume $home will still work, but /home/$local_part
would need attention ...
--
Andrew C. Aitchison Kendal, UK