On 01/05/2022 09:55, Odhiambo Washington via Exim-users wrote:
dovecot_virtual_delivery: driver = pipe return_output command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain -f $sender_address message_prefix =
How do I need to de-taint the arg 2?
The same way as you de-taint local_part and domain for other uses, as has been discussed here many time and is documented. There are multiple ways and which one is best depends on your situation. Once you've done that, you'll run into arg 4 also being tainted; drop the "-f $sender_address" from the command line and remove the message_prefix = option setting. The default for message_prefix is an mbox "From " line, and Dovecot should take the sender from that. (I am assuming that "dovecot/deliver" is the same as the "dovecot/dovecot_lda" documented by the dovecot project). -- Cheers, Jeremy Refs: - http://exim.org/exim-html-current/doc/html/spec_html/ch-the_pipe_transport.html - https://doc.dovecot.org/configuration_manual/protocols/lda/ - https://www.rfc-editor.org/rfc/rfc4155.txt -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
