Did some more research. It looks like the advice to change domain to
domain_data is wrong here.
So I tried two more solutions.
The first was that I tried to do two independent dsearches to construct an
untainted path. My solution looked like:
...
AUTH_DOMAIN_DIR = ${lookup {domain:$authenticated_id} dsearch,ret=full {VIRT_ROOT}}
AUTH_ACCOUNT_DIR = ${lookup {$authenticated_id} dsearch,ret=full {AUTH_DOMAIN_DIR/conf/SendPermissions}}
condition = ${lookup {$sender_address} nwildlsearch {AUTH_ACCOUNT_DIR}{yes}{no}}
...
but that gave a configuration error, "missing or malformed ACL name", although
I changed nothing on the ACL name, nor anything on the indents.
So I tried to combine both dsearches in the condition line, which looks
horrible, but was at least accepted:
condition = ${lookup {$sender_address} nwildlsearch {${lookup {$authenticated_id} dsearch,ret=full {${lookup {domain:$authenticated_id} dsearch,ret=full {VIRT_ROOT}}/conf/SendPermissions}}}{yes}{no}}
This, however, leads to the live error message "failed to open
/conf/SendPermissions for directory search". So the path concatenation does
not work as I thought.
Hopefully my mails are getting through soon, as I am really running out of
ideas.
Aug 18, 2024, 18:52 by [email protected]:
> After upgrading to Debian bookworm I can no longer send messages, as my
> ACLs are broken.
>
> I receive the error message "Tainted filename for search" when doing a
> check whether a given sender address is allowed to be used by an
> authenticated sender.
>
> I have several virtual domains with users who also have aliases that they
> are allowed to use as sender addresses.
> The condition in the ACL looks like:
> >condition = ${lookup {$sender_address} nwildlsearch {VIRT_ROOT${domain:$authenticated_id}/conf/SendPermissions/$authenticated_id}{yes}{no}}
>
> Now I found that I am no longer allowed to use $domain in such constructs,
> so I replaced it with
> >condition = ${lookup {$sender_address} nwildlsearch {VIRT_ROOT${domain_data:$authenticated_id}/conf/SendPermissions/$authenticated_id}{yes}{no}}
>
> But that makes no difference.
>
> The lookup database is a hierarchical directory structure and looks like:
> /var/virtualmailaccounts/DOMAIN/conf/SendPermissions/LOGINACCOUNT@DOMAIN
> so the last directory looks like the mail address used for login
> authentication to Exim and contains a list of valid aliases.
>
> What can I do to get this working again?
>
> --
> Sent with Tuta; enjoy secure & ad-free emails:
> https://tuta.com
>
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
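The following is an added example, not configuration from either message in this thread. It shows the pattern behind the dsearch advice discussed above: each tainted component (the login's domain, the login id) is first turned into an untainted directory-entry name by a dsearch against a trusted directory, and file paths are built only from those untainted results, never from the raw $authenticated_id or $sender_address. It assumes the directory layout and VIRT_ROOT from the original message, that $authenticated_id is the full login address (user@domain), and an Exim recent enough to accept the ret= and filter= options of dsearch (the ret=full used in the thread already relies on this); the macro names, the ACL name and the messages are hypothetical. Note the `$` in `${domain:...}`: that is what makes it the domain operator, whereas a bare `{domain:...}` as a lookup key is just the literal text "domain:" followed by the login id. Checking the domain directory before the per-login file also means a missing domain directory produces a deny with a message rather than a failed lookup on "/conf/SendPermissions".

```exim
# Added example, not the poster's configuration (see the lead-in for assumptions).

# ---- main section (before the first "begin" line) ----
VIRT_ROOT     = /var/virtualmailaccounts
acl_smtp_mail = acl_check_mail

# Untainted path of the domain directory for the login, for example
# /var/virtualmailaccounts/example.org. dsearch only succeeds when an entry
# with exactly that name exists under VIRT_ROOT, so the result is trusted.
# Note the "$" in ${domain:...}: without it the key would be the literal
# text "domain:" followed by the login id.
AUTH_DOMAIN_DIR = ${lookup {${domain:$authenticated_id}} dsearch,ret=full,filter=dir {VIRT_ROOT}}

begin acl

acl_check_mail:
  # Step 1: the login's domain must have a directory under VIRT_ROOT.
  # Doing this first turns an unknown domain into a clean deny instead of
  # a failed directory search on "/conf/SendPermissions".
  deny
    authenticated = *
    set acl_m_domdir = AUTH_DOMAIN_DIR
    condition = ${if eq {$acl_m_domdir}{}}
    message   = No virtual domain directory for login $authenticated_id

  # Step 2: the login id must be a regular file in that domain's
  # SendPermissions directory. $acl_m_domdir is a dsearch result and so
  # untainted, which makes it acceptable as the directory argument.
  deny
    authenticated = *
    set acl_m_permfile = ${lookup {$authenticated_id} dsearch,ret=full,filter=file {$acl_m_domdir/conf/SendPermissions}}
    condition = ${if eq {$acl_m_permfile}{}}
    message   = No sender permissions file for login $authenticated_id

  # Step 3: the sender address must match one of the (wildcard) aliases
  # listed in that file. $acl_m_permfile is untainted, so it may be used
  # as the file for the nwildlsearch lookup.
  deny
    authenticated = *
    !condition = ${lookup {$sender_address} nwildlsearch {$acl_m_permfile}{yes}{no}}
    message    = Sender address $sender_address is not permitted for login $authenticated_id

  # Unauthenticated MAIL commands and permitted senders fall through here.
  accept
```

The three deny verbs are deliberately separate: each ACL variable is filled from a lookup whose inputs are already untainted, so no step ever hands tainted data to a filename. `exim -bV` (or `exim -C <file> -bV` for a copy of the configuration) reports syntax and macro errors before the configuration goes live; the runtime behaviour needs a real authenticated session, since $authenticated_id is only set there.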