Re: [exim] Tainted filename for search
On 06/06/2020 19:29, Jeremy Harris via Exim-users wrote:
> On 05/06/2020 20:02, Laura Williamson via Exim-users wrote:
>> dkim_selector = ${lookup sqlite {/usr/exim/dkimcertificates select
>> selector from dkimcerts where domain='$sender_address_domain'}{$value}}
>
> As I told Max, one of:
>
> - use the sqlite_dbfile main option
> - use separate tables within one sqlite db rather than multiple db files
> - ensure your sqlite lookup strings do not contain tainted data
>   (look in the Concept Index for de-tainting methods)
> - move to a different db type
> - wait for the next release
>

To which I'll now add:

- If you are building from git, or from source that you can patch,
  pick up
  https://git.exim.org/exim.git/commit/b8514d1960e259d49ab2c84c89eba52ab993da3f

--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

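The first option in the list above (the sqlite_dbfile main option), applied to the two lookups from the original post in this thread. This is an added example, not part of any message in the thread and not the Exim project's own configuration. The transport name remote_smtp and the use of ${quote_sqlite:...} are assumptions added here; the database path, table and column names are the ones from the original post.

```exim
# Constructed example, not taken from the thread.

# --- Before: works in 4.93, logs "Tainted filename for search" in 4.94 ---
# The database path is parsed out of the expanded lookup string. That
# string also contains $sender_address_domain, which comes from the
# envelope sender and is therefore tainted, so the path extracted from
# it is treated as tainted too.
#
#   dkim_selector = ${lookup sqlite {/usr/exim/dkimcertificates select
#       selector from dkimcerts where domain='$sender_address_domain'}{$value}}

# --- After: main configuration section ---
# The file name now comes from a fixed option that never passes through
# an expansion containing message-supplied data.
sqlite_dbfile = /usr/exim/dkimcertificates

# --- After: transports section ---
begin transports

# Transport name is an assumption; use the name of your own smtp transport.
remote_smtp:
  driver = smtp
  # Only the query remains in the lookup string. The domain is still
  # attacker-influenced, so it is passed through quote_sqlite before it
  # is placed inside the SQL string literal (added here, not in the
  # original post).
  dkim_selector = ${lookup sqlite {select selector from dkimcerts \
      where domain='${quote_sqlite:$sender_address_domain}'}{$value}}
  dkim_private_key = ${lookup sqlite {select cert from dkimcerts \
      where domain='${quote_sqlite:$sender_address_domain}'}{$value}}
```

sqlite_dbfile names a single file, so a setup with several SQLite databases needs one of the other options in the list.
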
Re: [exim] Tainted filename for search
On 05/06/2020 20:02, Laura Williamson via Exim-users wrote:
> dkim_selector = ${lookup sqlite {/usr/exim/dkimcertificates select
> selector from dkimcerts where domain='$sender_address_domain'}{$value}}

As I told Max, one of:

- use the sqlite_dbfile main option
- use separate tables within one sqlite db rather than multiple db files
- ensure your sqlite lookup strings do not contain tainted data
  (look in the Concept Index for de-tainting methods)
- move to a different db type
- wait for the next release

--
Cheers,
  Jeremy

[exim] Tainted filename for search
Hi folks

I have an issue that only appears when using 4.94.

I use this to lookup dkim information for signing outgoing emails

  dkim_selector = ${lookup sqlite {/usr/exim/dkimcertificates select selector from dkimcerts where domain='$sender_address_domain'}{$value}}
  dkim_private_key = ${lookup sqlite {/usr/exim/dkimcertificates select cert from dkimcerts where domain='$sender_address_domain'}{$value}}

I get this message in my log

  Tainted filename for search: '/usr/exim/dkimcertificates'

Does anybody have any idea how to fix this? Works in 4.93.

Rgds

Re: [exim] SQLite Tainted filename for search error
I've got the same issue and the recommended change doesn't solve my issues unfortunately. Rollback to 4.93 solves the problem.

On 06/06/2020 at 00:39, Jeremy Harris via Exim-users wrote:
> On 06/06/2020 00:24, Max Kostikov via Exim-users wrote:
>> 2020-06-06 01:02:28 Tainted filename for search: '/var/db/exim/users.sqlite3'
>> 2020-06-06 01:02:28 failed to expand "${lookup sqlite{/var/db/exim/users.sqlite3 SELECT domain FROM domain WHERE
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECTsqlite
>
> "The preferred way of specifying the file is by using the sqlite_dbfile option"

Re: [exim] SQLite Tainted filename for search error
Jeremy Harris via Exim-users wrote on 2020-06-06 13:54:
> On 06/06/2020 10:57, Max Kostikov via Exim-users wrote:
>> And what if more than one SQLite database used with Exim?
>
> One of:
> ...
> - wait for the next release

It suits me best.
Please do not forget about it.

--
With best regards,
Max Kostikov

W: https://kostikov.co | DeltaChat: m...@eprove.net

Re: [exim] SQLite Tainted filename for search error
On 06/06/2020 10:57, Max Kostikov via Exim-users wrote:
> And what if more than one SQLite database used with Exim?

One of:

- Use separate tables within one sqlite db rather than multiple db files
- ensure your sqlite lookup strings do not contain tainted data
  (look in the Concept Index for de-tainting methods)
- move to a different db type
- wait for the next release

--
Cheers,
  Jeremy

Re: [exim] Tainted filename on DKIM signing in 4.94
Ok, I found a solution (thanks, Jeremy!) in the previous thread.
So now this configuration works fine

  begin transports

  SENDER_DOMAIN = ${if def:h_from:{${lc:${domain:${address:$h_from:}}}}{$qualify_domain}}
  KEYNAME = key${eval10:${substr{4}{2}{$tod_logfile}}%2}
  DKIM_PATH = /usr/local/etc/exim/dkim
  DKIM_FILE = SENDER_DOMAIN.KEYNAME
  DKIM_DEFAULT = $qualify_domain.KEYNAME

  remote_smtp:
    driver = smtp
    dkim_domain = SENDER_DOMAIN
    dkim_selector = KEYNAME
    dkim_private_key = ${lookup {DKIM_FILE} dsearch,ret=full {DKIM_PATH}}
    arc_sign = $primary_hostname : KEYNAME : DKIM_PATH/DKIM_DEFAULT : timestamps
  ...

Max Kostikov via Exim-users wrote on 2020-06-06 12:25:
> I found one more issue after upgrade to latest Exim 4.94.
> Now this is related to outgoing messages DKIM signing.
>
> Jun 6 12:17:04 beta exim[11180]: 1jhVss-000ORe-45 Tainted filename '/usr/local/etc/exim/dkim/kostikov.co.key0'
> Jun 6 12:17:04 beta exim[11180]: 1jhVss-000ORe-45 unable to open file for reading: /usr/local/etc/exim/dkim/kostikov.co.key0
>
> In Exim configuration it is defined using global variables at the start of
> transports section
>
> begin transports
>
> SENDER_DOMAIN = ${if def:h_from:{${lc:${domain:${address:$h_from:}}}}{$qualify_domain}}
> KEYNAME = key${eval10:${substr{4}{2}{$tod_logfile}}%2}
> DKIM_FILE = /usr/local/etc/exim/dkim/SENDER_DOMAIN.KEYNAME
> DKIM_DEFAULT = /usr/local/etc/exim/dkim/$qualify_domain.KEYNAME
>
> remote_smtp:
>   driver = smtp
>   dkim_domain = SENDER_DOMAIN
>   dkim_selector = KEYNAME
>   dkim_private_key = ${if exists{DKIM_FILE}{DKIM_FILE}{}}
>   arc_sign = $primary_hostname : KEYNAME : DKIM_DEFAULT : timestamps
> ...
>
> How can I fix this?
>
> --
> With best regards,
> Max Kostikov
>
> W: https://kostikov.co | DeltaChat: m...@eprove.net

--
With best regards,
Max Kostikov

W: https://kostikov.co | DeltaChat: m...@eprove.net

[exim] Tainted filename on DKIM signing in 4.94
I found one more issue after upgrade to latest Exim 4.94.
Now this is related to outgoing messages DKIM signing.

  Jun 6 12:17:04 beta exim[11180]: 1jhVss-000ORe-45 Tainted filename '/usr/local/etc/exim/dkim/kostikov.co.key0'
  Jun 6 12:17:04 beta exim[11180]: 1jhVss-000ORe-45 unable to open file for reading: /usr/local/etc/exim/dkim/kostikov.co.key0

In Exim configuration it is defined using global variables at the start of
transports section

  begin transports

  SENDER_DOMAIN = ${if def:h_from:{${lc:${domain:${address:$h_from:}}}}{$qualify_domain}}
  KEYNAME = key${eval10:${substr{4}{2}{$tod_logfile}}%2}
  DKIM_FILE = /usr/local/etc/exim/dkim/SENDER_DOMAIN.KEYNAME
  DKIM_DEFAULT = /usr/local/etc/exim/dkim/$qualify_domain.KEYNAME

  remote_smtp:
    driver = smtp
    dkim_domain = SENDER_DOMAIN
    dkim_selector = KEYNAME
    dkim_private_key = ${if exists{DKIM_FILE}{DKIM_FILE}{}}
    arc_sign = $primary_hostname : KEYNAME : DKIM_DEFAULT : timestamps
  ...

How can I fix this?

--
With best regards,
Max Kostikov

W: https://kostikov.co | DeltaChat: m...@eprove.net

Re: [exim] SQLite Tainted filename for search error
Thanks!
And what if more than one SQLite database used with Exim?
E.g. I use one DB for users and domains and separate DB for antispam data.

Jeremy Harris via Exim-users wrote on 2020-06-06 01:39:
> On 06/06/2020 00:24, Max Kostikov via Exim-users wrote:
>> 2020-06-06 01:02:28 Tainted filename for search: '/var/db/exim/users.sqlite3'
>> 2020-06-06 01:02:28 failed to expand "${lookup sqlite{/var/db/exim/users.sqlite3 SELECT domain FROM domain WHERE
>
> http://exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html#SECTsqlite
>
> "The preferred way of specifying the file is by using the sqlite_dbfile option"

--
With best regards,
Max Kostikov

W: https://kostikov.co | DeltaChat: m...@eprove.net