[exim] tainted filename issue

2021-05-05 Thread Dan Egli via Exim-users
How that last message got encrypted, I don't know. But this should be an 
unencrypted copy.


On 5/5/2021 4:04 AM, Heiko Schlittermann via Exim-users wrote:

> Dan Egli via Exim-users  (Mi 05 Mai 2021 02:41:38 CEST):
>
>> I just upgraded to 4.94.2, and most everything is working fine. But I'm
>> getting an issue on DKIM signings with tainted filename. I looked over the
>> list and tried to apply the same fix I've seen used before, but I guess I'm
>> not understanding it. Here's my dkim_private_key statement:
>>
>>   dkim_private_key   = ${if
>> exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
>> {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
>>
>> So how do I correct this? Thanks!
>
> You didn't run 4.94 before, did you?

No, I've not done 4.94 before. Up until recently I was running 4.93. So,
I realized that exim wasn't fork()ing like I thought it would, but
actually calling the exim binary. That explains the complaint about
-MCd. But when I fixed THAT issue, I get a new one that I have no idea
what's up with. I have a link from /usr/sbin/exim_new to /usr/sbin/exim (and
have the old binary on exim_old), so it's calling the correct exim. Can
someone explain what's up?


[after receiving a message to se
20094  End of tree 
20094 recipients_count=1
20094  SPOOL_IN - No additional fields
20094 body_linecount=159 message_linecount=18
20094 running system filter
20094 rda_interpret (file): '/etc/exim/filters/FILTER2008'
20094 expanded: '/etc/exim/filters/FILTER2008'
20094 search_tidyup called
20094 daemon-accept-delivery forking for router-interpret
20094 daemon-accept-delivery forked for router-interpret: 20095
20095 postfork: router-interpret
20095 LOG: MAIN PANIC DIE
20095   unable to set gid=12 or uid=8 (euid=1002): system filter
20095 search_tidyup called
20095  Exim pid=20095 (router-interpret) terminating with rc=1

20094 rda_interpret: subprocess yield=8 error=NULL
20094 LOG: MAIN PANIC
20094   internal problem in system filter: failure to transfer data from subprocess: status=0100 readerror='No such file or directory'

20094 system filter returned 8
20094 LOG: MAIN PANIC
20094   Error in system filter: internal problem in system filter: failure to transfer data from subprocess: status=0100 readerror='No such file or directory'

20094 search_tidyup called
20094  Exim pid=20094 (daemon-accept-delivery) terminating with rc=0

20091 SMTP<< QUIT
20091 using ACL "acl_check_quit"
20091 processing "warn" (/etc/exim/exim_new.conf 415)
20091 check condition = $authentication_failed
20091 = 0
20091 warn: condition test failed in ACL "acl_check_quit"
20091 processing "warn" (/etc/exim/exim_new.conf 420)
20091 check condition = $authentication_failed
20091 = 0
20091 warn: condition test failed in ACL "acl_check_quit"
20091 end of ACL "acl_check_quit": implicit DENY
20091 SMTP>> 221 eglifamily.name closing connection
20091 tls_write(0x55c69d3d8b10, 40)
20091 SSL_write(0x55c69d50d0e0, 0x55c69d3d8b10, 40)
20091 outbytes=40 error=0
20091 tls_close(): shutting down TLS
20091 SSL3 alert write:warning:close notify
20091 LOG: smtp_connection MAIN
20091   SMTP connection from mobile-166-170-45-144.mycingular.net ([172.20.10.13]) [166.170.45.144] I=[209.141.58.25]:587 closed by QUIT

20091 search_tidyup called
20091 SMTP>>(close on process exit)
20091  Exim pid=20091 (daemon-accept) terminating with rc=0

20031 child 20091 ended: status=0x0
20031   normal exit, 0
20031 0 SMTP accept processes now running
20031 Listening...
^C20031 SIGTERM/SIGINT seen
20031 daemon forking for daemon-del-pidfile
20031 daemon forked for daemon-del-pidfile: 20162
20162 postfork: daemon-del-pidfile
20162 exec /usr/sbin/exim -C /etc/exim/exim_new.conf -d=0xf7795cfd -MCd daemon-del-pidfile -oPX
exim: only uid=0 or uid=8 can use -oP and -oPX (uid=1002 euid=1002 | 1002)
20031 search_tidyup called
20031  Exim pid=20031 (daemon) terminating with rc=0 




--
Dan Egli
From my Test Server

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


[exim] ...

2021-05-05 Thread Dan Egli via Exim-users




[exim] Outgoing mail : how to remove tags/keywords from the subject header ?

2021-05-05 Thread 32.yves.roux--- via Exim-users

Hello,

we have a spam/virus filtering system that adds a spam score and other info
as keywords at the beginning of the subject header, to inform the end user
and help them write sorting rules in their mail client.
Example: {spam: 43} {newsletter} {SPF: pass} {DKIM: No signature}, etc.

But when an end user answers such a mail we would like to *remove* all these
tags (they are always between { } characters, so a regex search/replace
must be possible, I hope).

The goal is that:
- the To/Cc/Bcc addresses do not see these spam/info tags
- in case of repeated send/answer dialogues the subject line does not
  fill up with these tags!


I did search and did find how to do this for *incoming* subject header
rewrites (typically sequences like):

  headers_add "New-Subject: {spam}: $h_subject:"
  headers_remove subject
  headers_add "Subject: $h_new-subject:"
  headers_remove new-subject

but I could *not* find something to do this for *outgoing* mail (whether
to local-domain or external-domain addresses, i.e. all answers).
I saw that Outlook/Exchange does offer this functionality, exactly for
the same purpose.

But we want to use Exim :-)

Does someone know a FAQ where it is explained how to do that,
or have experience with this,
or an example of instructions and where to put this in the exim.conf?

Many thanks for your help!
Yves.
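One way to do the rewrite on the outgoing side, added here as an example; it is not from the thread and not something the poster has tested. It assumes the tags always have the {...} shape described above and that remote_smtp is the transport delivering the replies; the transport name and the CLEAN_SUBJECT macro are this example's own assumptions.

```exim
# Added example, not from the thread. Assumes the tags always look like
# "{...}", as described above. The macro name and the transport name are
# this example's own; adjust them to your exim.conf.

# Take the Subject of the message being delivered, delete every "{...}"
# group together with the whitespace that follows it (sg = substitute
# globally), and re-encode the result in case it contains non-ASCII.
# \N...\N keeps Exim from trying to expand the regex itself.
CLEAN_SUBJECT = ${rfc2047:${sg{$h_subject:}{\N\{[^{}]*\}\s*\N}{}}}

# Exim processes headers_remove before headers_add, so this replaces the
# Subject on the delivered copy only; the message in the spool keeps its
# original Subject, which is what you want for local filtering and logs.
remote_smtp:
  driver = smtp
  headers_remove = Subject
  headers_add = Subject: CLEAN_SUBJECT

# The same two lines can be attached to any other transport (for instance
# the local appendfile transport) so that replies between local users are
# cleaned as well.
```

Because the header is rewritten at delivery time, every recipient of a reply, local or remote, sees a Subject without the tags, and a long send/answer dialogue never accumulates them; a Subject that contains no tags passes through unchanged.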



Re: [exim] tainted filename issue

2021-05-05 Thread Heiko Schlittermann via Exim-users
Dan Egli via Exim-users  (Mi 05 Mai 2021 22:45:34 CEST):
> and I THINK it's okay. Problem is that I'm encountering another issue that
> prevents me from saying all is well. I have my updated exim binary as
> exim_new and the updated config as exim_new.conf, but when I try to submit a
> message exim conks out saying I passed a bad or incomplete argument:

Try setting the binary name exim_path = … in your new config.
-- 
Heiko




Re: [exim] tainted filename issue

2021-05-05 Thread Jeremy Harris via Exim-users

On 05/05/2021 21:45, Dan Egli via Exim-users wrote:
> 2021-05-05 14:35:29.708 cwd=/etc/exim 5 args: exim_new -d -bd -C exim_new.conf
> [much deleted for brevity]
> 15754 Calling SSL_read(0x5573489f8110, 0x5573489f99a0, 4096)
> 15758 postfork: daemon-accept-delivery
> 15758 exec /usr/sbin/exim -C exim_new.conf -d=0xf7795cfd -MCd daemon-accept-delivery -Mc 1leOFn-000466-HW
> exim abandoned: unknown, malformed, or incomplete option -MCd
> 15754 SMTP<< QUIT
>
> So how do I figure out what the heck is going on here?


Exim re-execs itself during message processing.  Your new binary
is exec'ing your old binary, and assuming it can handle the commandline
args it knows about.

You can't shuffle binary names like that; sorry.
--
Cheers,
  Jeremy



Re: [exim] tainted data issues

2021-05-05 Thread Victor Ustugov via Exim-users
Heiko Schlittermann via Exim-users wrote on 05.05.2021 23:48:
> Victor Ustugov via Exim-users  (Mi 05 Mai 2021 22:29:32 
> CEST):
>>>> git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git
>>>
>>> Sorry my fault, far too many branches, merges, and tags during the
>>> recent days. Branch is exim-4.94.2+taintwarn, which includes the +fixes
>>> and the taintwarn feature.
>>
>> Thank you.
>>
>> As far as I can see, the exim-4.94.2+taintwarn branch includes the code
>> from the exim-4.94.2+fixes branch, doesn't it?
> 
> Exactly. It does include all the stuff in exim-4.94.2+fixes. Please be
> aware, the taintwarn feature is only for mitigation. It will be ignored
> in one of the future versions.

I personally don't need an option allow_insecure_tainted_data.

I'm just testing the building of exim 4.94.2 packages for FreeBSD,
CentOS and Ubuntu with different combinations of patches (for file
parameter in sqlite lookup, exim-4.94.2+fixes, taintwarn code from
exim-4.94.2+taintwarn and from Debian patches).


-- 
Best wishes
Victor Ustugov          mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb   JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc




Re: [exim] tainted data issues

2021-05-05 Thread Heiko Schlittermann via Exim-users
Victor Ustugov via Exim-users  (Mi 05 Mai 2021 22:29:32 
CEST):
> >> git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git
> > 
> > Sorry my fault, far too many branches, merges, and tags during the
> > recent days. Branch is exim-4.94.2+taintwarn, which includes the +fixes
> > and the taintwarn feature.
> 
> Thank you.
> 
> As far as I can see, the exim-4.94.2+taintwarn branch includes the code
> from the exim-4.94.2+fixes branch, doesn't it?

Exactly. It does include all the stuff in exim-4.94.2+fixes. Please be
aware, the taintwarn feature is only for mitigation. It will be ignored
in one of the future versions.
-- 
Heiko




Re: [exim] tainted data issues

2021-05-05 Thread Victor Ustugov via Exim-users
Heiko Schlittermann via Exim-users wrote on 05.05.2021 21:36:
> Victor Ustugov via Exim-users  (Mi 05 Mai 2021 20:01:56 
> CEST):
>> Heiko Schlittermann via Exim-users wrote on 05.05.2021 19:11:
>>
>>> In case you didn't notice. We've added a new but already deprecated main
>>> config option:
>>>
>>> allow_insecure_tainted_data = yes
>>>
>>> For this option you need to get exim-4.94.2+fixes. This option isn't 
>>> part of 4.94.2!
>>
>> Did you mean
>>
>> git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git
> 
> Sorry my fault, far too many branches, merges, and tags during the
> recent days. Branch is exim-4.94.2+taintwarn, which includes the +fixes
> and the taintwarn feature.

Thank you.

As far as I can see, the exim-4.94.2+taintwarn branch includes the code
from the exim-4.94.2+fixes branch, doesn't it?


-- 
Best wishes
Victor Ustugov          mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb   JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc




Re: [exim] tainted data issues

2021-05-05 Thread Heiko Schlittermann via Exim-users
Victor Ustugov via Exim-users  (Mi 05 Mai 2021 20:01:56 
CEST):
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 19:11:
> 
> > In case you didn't notice. We've added a new but already deprecated main
> > config option:
> > 
> > allow_insecure_tainted_data = yes
> > 
> > For this option you need to get exim-4.94.2+fixes. This option isn't 
> > part of 4.94.2!
> 
> Did you mean
> 
> git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git

Sorry my fault, far too many branches, merges, and tags during the
recent days. Branch is exim-4.94.2+taintwarn, which includes the +fixes
and the taintwarn feature.


Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Slawomir Dworaczek via Exim-users

Hello,
thanks for the response. I added CFLAGS += -std=gnu99 and LDFLAGS=-lrt to the Makefile
and it built successfully!


Regards

- Original Message - 
From: "Victor Ustugov via Exim-users" 

To: "Victor Ustugov via Exim-users" 
Sent: Wednesday, May 5, 2021 6:50 PM
Subject: Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - 
security update released)






Re: [exim] tainted data issues

2021-05-05 Thread Sander Smeenk via Exim-users
Quoting Heiko Schlittermann via Exim-users (exim-users@exim.org):

> In case you didn't notice. We've added a new but already deprecated main
> config option:
> allow_insecure_tainted_data = yes

Yes, thanks for your hard work, Heiko!!
I saw that option being discussed / added.
It sure will help people migrate their setups!

Best,
-Sndr.
-- 
| With her marriage she got a new name and a dress.  
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2



Re: [exim] tainted data issues

2021-05-05 Thread Victor Ustugov via Exim-users
Heiko Schlittermann via Exim-users wrote on 05.05.2021 19:11:

> In case you didn't notice. We've added a new but already deprecated main
> config option:
> 
> allow_insecure_tainted_data = yes
> 
> For this option you need to get exim-4.94.2+fixes. This option isn't 
> part of 4.94.2!

Did you mean

git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git

?


I see neither allow_insecure_tainted_data nor
ALLOW_INSECURE_TAINTED_DATA in the exim/ directory.




> This option allows you to turn the taint errors into warnings and is
> provided to help you in reworking your config into a more secure one.
> Future Exim release (not sure about "future" though) will ignore this
> option.
> 
> Debian 11 includes this patch already. Exim 4.95 will kind of officially
> support this option too. But, as said above, it is deprecated already
> today.
> 
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
> 
> 


-- 
Best wishes
Victor Ustugov          mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb   JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc




Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Victor Ustugov via Exim-users
Victor Ustugov via Exim-users wrote on 05.05.2021 17:14:
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 16:16:

>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>> 4.95 as soon as possible.
>
> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).

>>>> What did you do?
>>>
>>> I built exim 4.94.2 with patch
>>> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
>>>
>>> As I remember patch for exim 4.94 based on:
>>>
>>> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
>> This one isn't related to the file= feature
> 
> As far as I remember I could not build exim 4.94 with
> 4a7dca52352d0976f200b89a50825433b7551554 and
> b8514d1960e259d49ab2c84c89eba52ab993da3f without
> 44644c2e404a3ea0191db0b0458e86924fb240bb
> 
> 
>> These both I located too and "backported" to 4.94.2 (as did too,
>> probably):
>>> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
>>> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f
>>
>> See the attached patches.
> 
> Thanks. I'll try to build exim with these patches today evening.

Heiko, I took a look at your patches.
Except for the files related to documentation and tests, our patches are
identical. So there is no need to rebuild exim and check the patches again.

Thank you again.


>> @Odhiambo: as it seems you're building your own version of Exim, we
>> recommend you the patches from Victor or my (attached). Currently we do
>> not plan to do the backport officially, because we'll start working
>> to release 4.95 as soon as possible.
> 
> 


-- 
Best wishes
Victor Ustugov          mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb   JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc



Re: [exim] Error compile exim 4.94.2

2021-05-05 Thread Viktor Dukhovni via Exim-users
On Wed, May 05, 2021 at 06:04:11PM +0200, Sławomir Dworaczek via Exim-users 
wrote:


> exim.o: In function `exim_gettime':
> exim.c:(.text+0xfbe): undefined reference to `clock_gettime'
> exim.o: In function `main':
> exim.c:(.text+0x1894): undefined reference to `clock_gettime'
> collect2: ld returned 1 exit status
> make[1]: *** [exim] Error 1
> 
> gcc version 4.5.2 (GCC)

What operating system and Glibc (or other C library) version?

On a Fedora 31 system:

NAME
   clock_getres, clock_gettime, clock_settime - clock and time functions

SYNOPSIS
   #include <time.h>

   int clock_getres(clockid_t clk_id, struct timespec *res);

   int clock_gettime(clockid_t clk_id, struct timespec *tp);

   int clock_settime(clockid_t clk_id, const struct timespec *tp);

--->   Link with -lrt (only for glibc versions before 2.17).

   Feature Test Macro Requirements for glibc (see feature_test_macros(7)):  

   
   clock_getres(), clock_gettime(), clock_settime():
  _POSIX_C_SOURCE >= 199309L

On a FreeBSD 12.2 system these functions are in the C library, and the
manpage reports:

STANDARDS
 The clock_gettime(), clock_settime(), and clock_getres() system calls
 conform to IEEE Std 1003.1b-1993 (“POSIX.1b”).

-- 
Viktor.



Re: [exim] Error compile exim 4.94.2

2021-05-05 Thread Jeremy Harris via Exim-users

On 05/05/2021 17:04, Sławomir Dworaczek via Exim-users wrote:
> when compiling exim 4.94.2 an error is shown, please help in solving the problem
>
> exim.o: In function `exim_gettime':
> exim.c:(.text+0xfbe): undefined reference to `clock_gettime'


You don't say what platform you are compiling on, but here on
Fedora 32  /usr/include/time.h  has the declaration for
clock_gettime().
--
Cheers,
  Jeremy



Re: [exim] Error compile exim 4.94.2

2021-05-05 Thread Sławomir Dworaczek via Exim-users

Thanks for the response; the platform is Slackware.
Regards,
slawek

- Original Message - 
From: "Jeremy Harris via Exim-users" 

To: 
Sent: Wednesday, May 5, 2021 6:43 PM
Subject: Re: [exim] Error compile exim 4.94.2





Re: [exim] tainted data issues

2021-05-05 Thread Heiko Schlittermann via Exim-users
Sander Smeenk via Exim-users  (Mi 05 Mai 2021 17:10:39 
CEST):
> Quoting Jeremy Harris via Exim-users (exim-users@exim.org):
> 
> > It is far too easy for someone to write a matcher which just
> > untaints everything, disabling the security.  Three people
> > would do that, and one would post it on serverfault.  Then
> > it would be cargo-culted forever.
> 
> You mean like this 'hack'?
> https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/
> 
> 
> TL;DR:
> 
> Late to the party i see, but i was bitten by the new 'tainted
> data'-feature yesterday and after reading this thread, i too would
> really like to see that ${untaint{}{}} idea implemented. 

In case you didn't notice. We've added a new but already deprecated main
config option:

allow_insecure_tainted_data = yes

For this option you need to get exim-4.94.2+fixes. This option isn't 
part of 4.94.2!

This option allows you to turn the taint errors into warnings and is
provided to help you in reworking your config into a more secure one.
Future Exim release (not sure about "future" though) will ignore this
option.

Debian 11 includes this patch already. Exim 4.95 will kind of officially
support this option too. But, as said above, it is deprecated already
today.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Exim 4.94.2 - security update released

2021-05-05 Thread Heiko Schlittermann via Exim-users
Cyborg via Exim-users  (Mi 05 Mai 2021 16:56:44 CEST):
> Am 04.05.21 um 15:40 schrieb Heiko Schlittermann via Exim-users:
> > The details about the vulnerabilities *will* be published in the near
> > future (on http://exim.org/static/doc/security/), but not today. This
> > should give you the chance to update your systems.
> Time has run up:
> https://www.qualys.com/2021/05/04/21nails/21nails.txt

It is linked on https://exim.org already since about yesterday.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




[exim] Error compile exim 4.94.2

2021-05-05 Thread Sławomir Dworaczek via Exim-users

Hello,
when compiling exim 4.94.2 an error is shown; please help in solving the
problem.


exim.o: In function `exim_gettime':
exim.c:(.text+0xfbe): undefined reference to `clock_gettime'
exim.o: In function `main':
exim.c:(.text+0x1894): undefined reference to `clock_gettime'
collect2: ld returned 1 exit status
make[1]: *** [exim] Error 1

gcc version 4.5.2 (GCC)

regards slawek




Re: [exim] prefer IPv6 over v4?

2021-05-05 Thread Olaf Hopp (SCC) via Exim-users

On 5/5/21 11:04 AM, Jeremy Harris via Exim-users wrote:
> On 05/05/2021 00:56, Dan Egli via Exim-users wrote:
>> Hey everyone, quick question, more an idle thought. When exim looks up a mail
>> to be delivered via remote_smtp, it seems to always prefer to use IPv4 even
>> when a v6 address is available. For example, in my log I see a message
>> delivered to a gmail address. But both Source and Destination IPs are ipv4
>> format, even though dig  gmail-smtp-in.l.google.com shows an ipv6 address.
>> Is there some option somewhere that can be set that will tell exim to deliver
>> to IPv6 addresses unless no such address is available, and then fall back to
>> IPv4?
>
> My system was happily using ipv6 for gmail (until I disabled it).
>
> I think you'd need to use exim's debug facilities to see why you're
> not getting ipv6 used, assuming you've not deliberately enforced
> that in your config.


Maybe   disable_ipv6=true
in your config. Or daemon not listening on the v6 address ?

regards, Olaf

--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Dipl.-Geophys. Olaf Hopp

Zirkel 2
Gebäude 20.21, Raum 316
76131 Karlsruhe

Telefon: +49 721 608-48009
E-Mail: olaf.h...@kit.edu
Web: www.scc.kit.edu

Sitz der Körperschaft:
Kaiserstraße 12, 76131 Karlsruhe

KIT - Die Forschungsuniversität in der Helmholtz-Gemeinschaft





Re: [exim] Exim 4.94.2 - security update released

2021-05-05 Thread Cyborg via Exim-users

Am 04.05.21 um 15:40 schrieb Heiko Schlittermann via Exim-users:
> The details about the vulnerabilities *will* be published in the near
> future (on http://exim.org/static/doc/security/), but not today. This
> should give you the chance to update your systems.


Time has run up:

https://www.qualys.com/2021/05/04/21nails/21nails.txt

best regards,
Marius



Re: [exim] tainted data issues

2021-05-05 Thread Sander Smeenk via Exim-users
Quoting Jeremy Harris via Exim-users (exim-users@exim.org):

> It is far too easy for someone to write a matcher which just
> untaints everything, disabling the security.  Three people
> would do that, and one would post it on serverfault.  Then
> it would be cargo-culted forever.

You mean like this 'hack'?
https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/


TL;DR:
echo '*' >/etc/exim/detaint

DETAINTFILE = /etc/exim/detaint
BADCHARS = \N[^A-Za-z0-9_.-]+\N
SAFEDOMAIN = 
${lookup{${sg{${domain:$h_from:}}{BADCHARS}{_}}}lsearch*,ret=key{DETAINTFILE}}

... Profit!


Late to the party i see, but i was bitten by the new 'tainted
data'-feature yesterday and after reading this thread, i too would
really like to see that ${untaint{}{}} idea implemented. 

I'm all for 'out of the box safety', but making it quite hard to untaint
data is not very user friendly imo. I've yet to find more situations in
my config that break. That's another peeve: there is no warning or error
until you run into it.

My frustration mostly comes from the fact that my config was working for
years, untouched, then suddenly it doesn't anymore and there is no clear
guidance on how to fix this mess as others in this thread reported too.

My situation was much like others reported, the dkim_key lookup, and can
be fixed by doing that dsearch lookup thing.

Providing a list of reported taint issues and accompanying fixes like
that would be of great help to people that were rockin' Exim configs for
years and forgot about all the ${{acc}olade{mess}} therein.


Meh.
-Sandr.
-- 
| Broken pencils are pointless.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
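For the dkim_private_key case that Dan opened this thread with, and the "dsearch lookup thing" Sander refers to above, here is the dsearch form as an added example; it is not from the thread. It assumes the directory layout from Dan's config (/etc/exim/DKIM/<domain>/dkim.private.key.pem, one directory per signing domain), a selector named default, and a transport called remote_smtp; all three are this example's assumptions. The wildcard-file trick quoted above launders any string into an untainted value, which is exactly the kind of matcher Jeremy warned against; dsearch instead only ever returns a name that really exists on disk.

```exim
# Added example, not from the thread. Assumes the layout from Dan's config:
# DKIM_KEYDIR/<domain>/dkim.private.key.pem, one directory per domain.
DKIM_KEYDIR = /etc/exim/DKIM

# Before (the form that trips the 4.94 taint check): the domain comes from
# the envelope sender, i.e. from the remote client, so the whole expanded
# path is tainted and Exim refuses to open it.
#
#   dkim_private_key = ${if exists{DKIM_KEYDIR/${lc:$sender_address_domain}/dkim.private.key.pem}\
#                          {DKIM_KEYDIR/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}

# After: dsearch matches the (lower-cased) domain against the real directory
# listing. filter=dir only accepts entries that are directories, and ret=full
# returns "DKIM_KEYDIR/<entry>" instead of just the entry name. The result is
# untainted because it was read from disk rather than taken from the client,
# and it can only name a directory that already exists (dsearch also refuses
# keys containing "/", so "../" never reaches the file system). For a domain
# with no key directory the lookup fails, the {} branch leaves the option
# empty, and Exim sends that message unsigned instead of erroring.
remote_smtp:
  driver = smtp
  dkim_domain      = ${lc:$sender_address_domain}
  dkim_selector    = default
  dkim_private_key = ${lookup {${lc:$sender_address_domain}} dsearch,filter=dir,ret=full {DKIM_KEYDIR} {$value/dkim.private.key.pem} {}}
```

The property worth keeping in mind is that nothing attacker-controlled is ever concatenated into a path: the client-supplied domain is used only as a key to select one of the directories the administrator created, and the file name appended to the hit is a literal from the config.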



Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Victor Ustugov via Exim-users
Heiko Schlittermann via Exim-users wrote on 05.05.2021 16:16:
> Victor Ustugov via Exim-users  (Mi 05 Mai 2021 14:48:20 
> CEST):
>> Heiko Schlittermann via Exim-users wrote on 05.05.2021 14:57:
>>> Victor Ustugov via Exim-users  (Mi 05 Mai 2021 
>>> 13:21:55 CEST):
>>>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>>>> 4.95 as soon as possible.
>>>>
>>>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>>>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>>>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>>>
>>> What did you do?
>>
>> I built exim 4.94.2 with patch
>> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
>>
>> As I remember patch for exim 4.94 based on:
>>
>> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
> This one isn't related to the file= feature

As far as I remember I could not build exim 4.94 with
4a7dca52352d0976f200b89a50825433b7551554 and
b8514d1960e259d49ab2c84c89eba52ab993da3f without
44644c2e404a3ea0191db0b0458e86924fb240bb


> These both I located too and "backported" to 4.94.2 (as did too,
> probably):
>> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
>> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f
> 
> See the attached patches.

Thanks. I'll try to build exim with these patches today evening.


> @Odhiambo: as it seems you're building your own version of Exim, we
> recommend you the patches from Victor or mine (attached). Currently we do
> not plan to do the backport officially, because we'll start working
> to release 4.95 as soon as possible.


-- 
Best wishes
Victor Ustugov  mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb   JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc




Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Heiko Schlittermann via Exim-users
Victor Ustugov via Exim-users  (Mi 05 Mai 2021 14:48:20 
CEST):
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 14:57:
> > Victor Ustugov via Exim-users  (Mi 05 Mai 2021 
> > 13:21:55 CEST):
> >>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> >>> 4.95 as soon as possible.
> >>
> >> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> >> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> >> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
> > 
> > What did you do?
> 
> I built exim 4.94.2 with patch
> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
> 
> As I remember patch for exim 4.94 based on:
> 
> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
This one isn't related to the file= feature


These both I located too and "backported" to 4.94.2 (as did too,
probably):
> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f

See the attached patches.

@Odhiambo: as it seems you're building your own version of Exim, we
recommend you the patches from Victor or mine (attached). Currently we do
not plan to do the backport officially, because we'll start working
to release 4.95 as soon as possible.

-- 
Heiko
From 7ecb8213b1c9a6d9db1886d54cce8a60c5b0b55a Mon Sep 17 00:00:00 2001
From: Jeremy Harris 
Date: Sat, 6 Jun 2020 14:45:47 +0100
Subject: [PATCH 1/2] Refactor lookup argument shuffling

(cherry picked from commit 4a7dca52352d0976f200b89a50825433b7551554)
---
 src/src/expand.c| 20 +++-
 src/src/functions.h |  1 +
 src/src/match.c | 17 +
 src/src/search.c| 36 
 4 files changed, 41 insertions(+), 33 deletions(-)

diff --git a/src/src/expand.c b/src/src/expand.c
index 05de94c49..ad9f54402 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -4391,7 +4391,7 @@ if (is_tainted(string))
   goto EXPAND_FAILED;
   }
 
-while (*s != 0)
+while (*s)
   {
   uschar *value;
   uschar name[256];
@@ -4777,7 +4777,7 @@ while (*s != 0)
   int save_expand_nmax =
 save_expand_strings(save_expand_nstring, save_expand_nlength);
 
-  if ((expand_forbid & RDO_LOOKUP) != 0)
+  if (expand_forbid & RDO_LOOKUP)
 {
 expand_string_message = US"lookup expansions are not permitted";
 goto EXPAND_FAILED;
@@ -4876,21 +4876,7 @@ while (*s != 0)
   file types, the query (i.e. "key") starts with a file name. */
 
   if (!key)
-{
-	Uskip_whitespace();
-key = filename;
-
-if (mac_islookup(stype, lookup_querystyle))
-  filename = NULL;
-else
-  if (*filename == '/')
-	{
-	while (*key && !isspace(*key)) key++;
-	if (*key) *key++ = '\0';
-	}
-	  else
-	filename = NULL;
-}
+	key = search_args(stype, name, filename, );
 
   /* If skipping, don't do the next bit - just lookup_value == NULL, as if
   the entry was not found. Note that there is no search_close() function.
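Review bot: the replacement line `key = search_args(stype, name, filename, );` has an empty fourth argument where the functions.h hunk declares the parameter as `uschar **`, so the hunk as quoted cannot compile; if the `&filename` was lost when the mail was rendered, anyone backporting this to 4.94.2 should take the patch from git rather than from this copy. It is also worth confirming that the helper keeps the removed `Uskip_whitespace()` and the in-place `*key++ = '\0'` termination, because the rest of this expansion code relies on `filename` being cut at the first space.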
diff --git a/src/src/functions.h b/src/src/functions.h
index e22fd4f99..a4914b730 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -448,6 +448,7 @@ extern voidroute_init(void);
 extern gstring * route_show_supported(gstring *);
 extern voidroute_tidyup(void);
 
+extern uschar *search_args(int, uschar *, uschar *, uschar **);
 extern uschar *search_find(void *, const uschar *, uschar *, int,
 		 const uschar *, int, int, int *, const uschar *);
 extern int search_findtype(const uschar *, int);
diff --git a/src/src/match.c b/src/src/match.c
index dfb4b5148..eb8315b46 100644
--- a/src/src/match.c
+++ b/src/src/match.c
@@ -286,22 +286,7 @@ if (!cb->use_partial) partial = -1;
 
 /* Set the parameters for the three different kinds of lookup. */
 
-keyquery = semicolon + 1;
-Uskip_whitespace();
-
-if (mac_islookup(search_type, lookup_absfilequery))
-  {
-  filename = keyquery;
-  while (*keyquery && !isspace(*keyquery)) keyquery++;
-  filename = string_copyn(filename, keyquery - filename);
-  Uskip_whitespace();
-  }
-
-else if (!mac_islookup(search_type, lookup_querystyle))
-  {
-  filename = keyquery;
-  keyquery = s;
-  }
+keyquery = search_args(search_type, s, semicolon+1, );
 
 /* Now do the actual lookup; throw away the data returned unless it was asked
 for; partial matching is all handled inside search_find(). Note that there is
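Review bot: the same empty fourth argument appears in `keyquery = search_args(search_type, s, semicolon+1, );`. Beyond that, the removed code here copied the filename with `string_copyn()` for `lookup_absfilequery` types and never wrote into the caller's string, whereas the removed expand.c code terminated the key in place; one shared helper has to satisfy both callers, and since the search.c hunk defining it is truncated in this mail, that cannot be checked from the patch as quoted.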
diff --git a/src/src/search.c b/src/src/search.c
index f8aaacb04..125dd1c48 100644
--- a/src/src/search.c
+++ b/src/src/search.c
@@ -217,6 +217,42 @@ return stype;
 }
 
 
+/* Set the parameters for the three different kinds of lookup.
+Arguments:
+ search_type	the search-type code
+ search		the search-type string
+ query		argument for the search; filename or query
+ fnamep		pointer to return 
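Review bot: the hunk stops inside the comment header of the new function (`fnamep pointer to return`), so the body of `search_args()` and most of the +36 lines the diffstat promises for search.c are missing from this copy; the attachment should be re-sent whole before it is applied to 4.94.2. When it is, the header comment should also say whether the returned key and `*fnamep` point into the caller's string or into a copy, since the two callers above previously differed on exactly that.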

Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Victor Ustugov via Exim-users
Heiko Schlittermann via Exim-users wrote on 05.05.2021 14:57:
> Victor Ustugov via Exim-users  (Mi 05 Mai 2021 13:21:55 
> CEST):
>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>> 4.95 as soon as possible.
>>
>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
> 
> What did you do?

I built exim 4.94.2 with patch
https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch

As I remember patch for exim 4.94 based on:

https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f

Later I ported patch for exim 4.94+fixes.


# exim -be '${lookup sqlite,file=/var/spool/exim/db/access.db{SELECT
sender FROM awl WHERE sender="${quote_sqlite:exim-users@exim.org}";}}'
exim-users@exim.org


> I just cherry-picked the mentioned commit 
> 4a7dca52352d0976f200b89a50825433b7551554
> 
> But the error didn't disappear. I'll check in more detail now.
> 
> 


-- 
Best wishes
Victor Ustugov  mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb   JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc




Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Heiko Schlittermann via Exim-users
Heiko Schlittermann  (Mi 05 Mai 2021 14:04:10 CEST):
> > What did you do? I just cherry-picked the mentioned commit 
> > 4a7dca52352d0976f200b89a50825433b7551554
> > 
> > But the error didn't disappear. I'll check in more detail now.
> 
> seems to be relevant too:
> b8514d1960e259d49ab2c84c89eba52ab993da3f

Yes, then it behaves as expected, but I get several conflicts in the
docbook-source.

Question now is, if we want to "officially" backport these fixes. I'll
ask Jeremy.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Heiko Schlittermann via Exim-users
Victor Ustugov via Exim-users  (Mi 05 Mai 2021 13:21:55 
CEST):
> > I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> > 4.95 as soon as possible.
> 
> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).

What did you do? I just cherry-picked the mentioned commit 
4a7dca52352d0976f200b89a50825433b7551554

But the error didn't disappear. I'll check in more detail now.

-- 
Heiko




Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Heiko Schlittermann via Exim-users
Heiko Schlittermann  (Mi 05 Mai 2021 13:57:32 CEST):
> Victor Ustugov via Exim-users  (Mi 05 Mai 2021 13:21:55 
> CEST):
> > > I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> > > 4.95 as soon as possible.
> > 
> > Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> > It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> > and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
> 
> What did you do? I just cherry-picked the mentioned commit 
> 4a7dca52352d0976f200b89a50825433b7551554
> 
> But the error didn't disappear. I'll check in more detail now.

seems to be relevant too:
b8514d1960e259d49ab2c84c89eba52ab993da3f
-- 
Heiko




Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Victor Ustugov via Exim-users
Heiko Schlittermann via Exim-users wrote on 05.05.2021 01:39:
> Jeremy Harris via Exim-users  (Mi 05 Mai 2021 00:11:59 
> CEST):
>> Having made me go and look... that is what I did, in b8514d1960
>> (which is since 4.94).  A comma-sep option "file=/foo" after
>> the word "sqlite".
> 
> Yes, that's what I found. But I can't see this neither in 4.94, or
> 4.94+fixes.
> 
> @Victor: Yes, the commit *can* be backported, but first I'd like to
> understand how this syntax worked for Odhiambo with 4.94.

It depends on how Odhiambo built exim.


> And I do not want to drop the support for queries do different SQLite
> databases, but again - I'd like to understand why Odhiambo sees this
> working with 4.94.

> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> 4.95 as soon as possible.

Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).


@Odhiambo: try this patch.

https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch

This is minimalistic variant of Jeremy's code adapted for exim
4.94+fixes and exim 4.94.2


-- 
Best wishes
Victor Ustugov  mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb   JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc




Re: [exim] tainted filname issue

2021-05-05 Thread Heiko Schlittermann via Exim-users
Dan Egli via Exim-users  (Mi 05 Mai 2021 02:41:38 CEST):
> I just upgraded to 4.94.2, and most everything is working fine. But I'm
> getting an issue on DKIM signings with tainted filename. I looked over the
> list and tried to apply the same fix I've seen used before, but I guess I'm
> not understanding it. Here's my dkim_private_key statement:
> 
>   dkim_private_key   = ${if
> exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
> {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
> 
> So how do I correct this? Thanks!

You didn't run 4.94 before, did you?

The $sender_address_domain is considered tainted. Now (since >= 4.94)
Exim refused to use tainted data for filenames. The "exists" doesn't
de-taint the data. You need to perform a kind of lookup first, to
"clean"/"de-taint" the data.


# determine the domain to be used for signing (use the rfc5322.From
# or schlittermann.de as a fallback)
dkim_domain = ${lookup{${domain:${address:$h_from:}}}dsearch{$config_dir/dkim}{$value}{schlittermann.de}}
dkim_selector = ${lookup{$dkim_domain}lsearch{$config_dir/dkim/selector}}

# use the found signing domain and its selector to get
# the private key
dkim_private_key = $config_dir/dkim/$dkim_domain/$dkim_selector.pem

-- 
Heiko




Re: [exim] tainted filname issue

2021-05-05 Thread Jeremy Harris via Exim-users

On 05/05/2021 01:41, Dan Egli via Exim-users wrote:

>   dkim_private_key   = ${if
> exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
> {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
> 
> So how do I correct this?


You look up that domain in a trusted database, so as to obtain a trusted
value.  This has to be done in a manner that Exim recognises: obtaining
untainted data that you can use in your expansion.

The "exists" check is not sufficient for this.  Replace it with a "dsearch"
lookup, since (currently) your trusted database is the filesystem.
--
Cheers,
  Jeremy



Re: [exim] prefer IPv6 over v4?

2021-05-05 Thread Jeremy Harris via Exim-users

On 05/05/2021 00:56, Dan Egli via Exim-users wrote:

> Hey everyone, quick question, more an idle thought. When exim looks up a mail
> to be delivered via remote_smtp, it seems to always prefer to use IPv4 even
> when a v6 address is available. For example, in my log I see a message
> delivered to a gmail address. But both Source and Destination IPs are ipv4
> format, even though dig  gmail-smtp-in.l.google.com shows a ipv6 address.
> Is there some option somewhere that can be set that will tell exim to deliver
> to IPv6 addresses unless no such address is available, and then fall back to
> IPv4?


My system were happily using ipv6 for gmail (until I disabled it).

I think you'd need to use exim's debug facilities to see why you're
not getting ipv6 used, assuming you've not deliberately enforced
that in your config.
--
Cheers,
  Jeremy



Re: [exim] tainted filname issue

2021-05-05 Thread Wolfgang Breyha via Exim-users
On 05/05/2021 02:41, Dan Egli via Exim-users wrote:
>   dkim_private_key   = ${if
> exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
> {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}

That's a classic already searchable on the list... use dsearch like that:
dkim_private_key  = ${lookup {${dkim_selector}.${dkim_domain}.pem} dsearch,ret=full {/etc/mail/domainkeys}}

Greetings, Wolfgang
--
Wolfgang Breyha  | https://www.blafasel.at/
Vienna University Computer Center | Austria
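
Heiko's, Jeremy's and Wolfgang's replies to the tainted-filename question all make the same point: `${if exists{...}}` leaves `$sender_address_domain` tainted, while a `dsearch` lookup hands back the directory's own entry, which Exim treats as trusted. The following is an added Python model of that distinction, not code from the thread or from Exim itself; `Tainted`, `lc`, `dsearch`, `dkim_key_path` and the temporary key tree are constructed for the demonstration, and the slash check in `dsearch` reflects the real lookup's behaviour to my knowledge.

```python
import os
import tempfile


class Tainted(str):
    """Constructed stand-in for Exim's taint flag on message-derived data."""


def lc(value):
    """Like ${lc:...}: lower-cases the value but keeps it tainted."""
    return Tainted(value.lower()) if isinstance(value, Tainted) else value.lower()


def exists_style_path(basedir, domain):
    """Original expansion: the filename embeds the tainted domain and
    ${if exists{...}} does not de-taint it, so the filename is refused."""
    path = os.path.join(basedir, lc(domain), "dkim.private.key.pem")
    if isinstance(domain, Tainted):
        raise ValueError("tainted filename: " + path)  # what 4.94+ logs
    return path


def dsearch(directory, key, ret_full=False):
    """Model of dsearch: the key may be tainted, the result is the directory's
    own entry (trusted data) as a plain str; ret_full mirrors ,ret=full.
    Keys containing '/' are refused, as in the real lookup (to my knowledge)."""
    if "/" in key:
        return None
    for entry in os.listdir(directory):
        if entry == key:
            return str(os.path.join(directory, entry) if ret_full else entry)
    return None


def dkim_key_path(basedir, sender_domain):
    """Fixed form: de-taint the domain via dsearch, then build the filename
    from the lookup result; None when no key directory exists."""
    clean_domain = dsearch(basedir, lc(sender_domain))
    if clean_domain is None:
        return None
    return os.path.join(basedir, clean_domain, "dkim.private.key.pem")


def old_config_fails(basedir, sender_domain):
    """True when the exists{} form would be rejected for this domain."""
    try:
        exists_style_path(basedir, sender_domain)
    except ValueError:
        return True
    return False


def make_demo_tree():
    """Constructed key tree: <tmpdir>/example.org/dkim.private.key.pem."""
    base = tempfile.mkdtemp(prefix="dkim-demo-")
    os.makedirs(os.path.join(base, "example.org"))
    open(os.path.join(base, "example.org", "dkim.private.key.pem"), "w").close()
    return base
```

Running `dkim_key_path(make_demo_tree(), Tainted("Example.ORG"))` yields the key path as an untainted string, while a domain with no key directory, or one containing a path separator, yields None instead of a filename built from message data.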
