On 2020-07-18 The Doctor via freebsd-ports <freebsd-po...@freebsd.org> wrote:
> Trying Exim 4.94 and I am getting
>
> 2020-07-17 19:28:04.818 [8344] 1jwbdQ-00023D-Cx == doc...@nk.ca R=localuser T=local_delivery defer (-1) DT=0.001s: Tainted '/var/mail/doctor' (file or directory name for local_delivery transport) not permitted
> ...
> 2020-07-17 19:30:09.228 [9608] 1jwbdQ-00023D-Cx == doc...@nk.ca R=localuser T=local_delivery defer (-1) DT=0.001s: Tainted '/var/mail/doctor' (file or directory name for local_delivery transport) not permitted
>
> Why is this happening?

You are not alone :-)

4.94 introduced more rigorous checking of expanded strings. Any strings that could potentially be supplied by a remote user, e.g. $local_part, have been classed as tainted. This means that they are not to be trusted to be used directly for things like file name expansion or database lookups. The log entries you are seeing are informing you that your lookups need a bit of sanitizing.

Generally you can use the tainted data but you need to clean it before you use it, e.g. quote it or use it to derive another variable. It's a bit more onerous but this is the price we have to pay for enhanced security in exim.

Personally, I understand why the devs did this; it is a useful and worthwhile upgrade to exim. Where I think they went wrong is that they didn't really handle the release of it quite well in the announcement and even pre-announcement. Something along the lines of "We're going to add strict de-tainting to exim 4.94 which will break a lot of configurations so please be ready to re-factor your configurations during the upgrade" would have been useful. If it was made plain, A LOT of users (me included) missed it, so it could be argued that it wasn't made plain enough....

The RTFM reply you got was not useful either. There should be a section in the manual purely about de-tainting, its reasoning, possible side effects and mitigations.
As it currently is, anybody wanting information on what's going on has to trawl through the manual and make inferences from what they find. In short, the devs haven't covered themselves with glory with this upgrade - IMHO.

Regards,

D

+----------------------------------------------------------------------------+
| Dave Restall, Computer Anorak, Geek, Cyclist, Radio Amateur G4FCU, Bodger  |
| Mob +44 (0) 7973 831245  Skype: dave.restall  Radio: G4FCU                 |
| email : d...@restall.net - Anti-SocialMediaist - Web : Not Ready Yet :-(   |
+- QOTD ---------------------------------------------------------------------+
| Reappraisal, n.:                                                           |
|     An abrupt change of mind after being found out.                        |
+----------------------------------------------------------------------------+
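An added configuration example, not from the thread or from the Exim project, showing the change the reply describes: the file name built from tainted $local_part that produces the logged defer, beside a form that derives the name from a value Exim produced itself. The router and transport names (localuser, local_delivery) and the /var/mail path are taken from the log lines above; that check_local_user sets an untainted $local_part_data is Exim 4.94 behaviour assumed here, and the MySQL condition is a hypothetical illustration of quoting.

```exim
# Router: the remote-supplied $local_part is only accepted if it names a real
# local user. In 4.94 check_local_user also sets $local_part_data from the
# passwd entry, which is untainted (assumed behaviour, see lead-in).
localuser:
  driver = accept
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown user

# BEFORE (pre-4.94 style): $local_part comes straight from the envelope
# recipient, so 4.94 refuses to use it as a file name and the delivery
# defers with "Tainted '/var/mail/doctor' (file or directory name for
# local_delivery transport) not permitted".
#local_delivery:
#  driver = appendfile
#  file = /var/mail/$local_part

# AFTER: build the path from the value derived by the router, not from the
# remote input. The mailbox name is the same; only its provenance changes.
local_delivery:
  driver = appendfile
  file = /var/mail/$local_part_data
  delivery_date_add
  envelope_to_add
  return_path_add

# Database lookups follow the same rule the reply gives: quote the tainted
# value with the lookup's own quoting operator rather than splicing it raw.
# (Hypothetical MySQL router condition, not part of the thread.)
#   condition = ${lookup mysql{SELECT 1 FROM users \
#                 WHERE login = '${quote_mysql:$local_part}'}{yes}{no}}
```

After the change, the "Tainted ... not permitted" defer lines stop appearing in the main log for localuser deliveries; any remaining ones point at another option that still expands a tainted variable.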