Re: [exim] Tainted string changes 4.93
On 29/06/2020 04:57, Robert Blayzor via Exim-users wrote:
> The router hitting:
>
> local_aliases:
> driver = redirect
> allow_fail = true
> allow_defer = true
+ local_parts = ${lookup{$local_part}wildlsearch,ret=key{/opt/etc/exim/aliases}
> data = ${expand:${lookup{$local_part}wildlsearch{/opt/etc/exim/aliases}}}
> user = mailnull
> group = mail
> file_transport = address_file
> pipe_transport = address_pipe
>
>
> address_pipe:
> driver = pipe
> path = /usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin
> return_output
>
>
>
> where our alias file hits:
>
> ^sms\+ "| /bin//smssend -e -c ${sg{$local_part}{^sms.(.*)}{\$1}}"

replace with

^sms\+ "| /bin//smssend -e -c ${sg{$local_part_data}{^sms.(.*)}{\$1}}"

--
Cheers,
Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
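Review bot: the added `local_parts` line has unbalanced braces. `${lookup{$local_part}wildlsearch,ret=key{/opt/etc/exim/aliases}` opens `${lookup` and closes both inner `{...}` groups but never closes the outer one, so it needs a final `}` (compare the `data` line below it, where every `${` is closed). It would also help to say next to the alias-file change that `$local_part_data` is only set because of this new `local_parts` lookup, so the two edits have to be applied together.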
Re: [exim] Tainted string changes 4.93
I should have added the obvious. We are now on 4.94 on FreeBSD 12.

The router hitting:

local_aliases:
driver = redirect
allow_fail = true
allow_defer = true
data = ${expand:${lookup{$local_part}wildlsearch{/opt/etc/exim/aliases}}}
user = mailnull
group = mail
file_transport = address_file
pipe_transport = address_pipe

address_pipe:
driver = pipe
path = /usr/local/bin:/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin
return_output

--
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP: https://pgp.inoc.net/rblayzor/
[exim] Tainted string changes 4.93
Since we follow the FreeBSD ports tree a little too carefully we were bitten by the tainted string changes in 4.93.

We use a system aliases file that calls pipe transport ultimately and we see in error log now:

Tainted '/bin/smssend -e -c foo' (command for address_pipe transport) not permitted

where our alias file hits:

^sms\+ "| /bin//smssend -e -c ${sg{$local_part}{^sms.(.*)}{\$1}}"

Basically we look for any local part that is "sms#" and pipe just that part to our external...

Now with tainted strings we cannot do that. What's the easy fix?

--
inoc.net!rblayzor
XMPP: rblayzor.AT.inoc.net
PGP: https://pgp.inoc.net/rblayzor/
Re: [exim] tainted string in 4.93
Larry (and Dima of course), thanks a lot!
Now all looks good. Hallelujah!

Larry Rosenman via Exim-users wrote 2020-02-26 19:38:
> Please try the latest FreeBSD port of mail/exim. Dima Panov
> (flu...@freebsd.org) picked up all the patches in 4.93+fixes, and it
> fixed all MY taint issues.
>
> 4.93.0.4_3 is the version.

--
With best regards,
Max Kostikov
W: https://kostikov.co | DeltaChat: m...@eprove.net
Re: [exim] tainted string in 4.93
On 02/26/2020 5:10 am, Max Kostikov via Exim-users wrote:
> Some debug on this issue (FreeBSD 12.1)
>
> 12:58:46 22061 exim 4.93.0.4 daemon started: pid=22061, -q15m, listening for SMTP on [1.2.3.4]:{25,465,587} [2001:2:3:4::1]:{25,465,587} [127.0.0.1]:{25,465,587} [::1]:25
> ...
> ...
> 12:58:46 22061 set_process_info: 22061 daemon(4.93.0.4): -q15m, listening for SMTP on [1.2.3.4]:{25,465,587} [2001:2:3:4::1]:{25,465,587} [127.0.0.1]:{25,465,587} [::1]:25
> ...
> ...
> 12:58:46 22061 SPF_dns_exim_new
> spf_compile.c:523Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}=%{C}=%{R}
> spf_compile.c:1210 Debug: Compiling record v=spf1
> spf_compile.c:523Debug: Parsing macro starting at Please%_see%_http://www.open-spf.org/Why?id=%{S}=%{C}=%{R}
> 12:58:46 22061 daemon running with uid=26 gid=6 euid=26 egid=6
> 12:58:46 22061 SIGALRM received
> 12:58:46 22061 1 queue-runner process running
> 12:58:46 22061 Listening...
> 12:58:46 32950 Starting queue-runner: pid 32950
> 12:58:46 32950 exec /usr/local/sbin/exim -qG
> 2020-02-26 12:58:46 1j6uLP-0008su-Lw attempt to expand tainted string '$local_part@$domain'
> 2020-02-26 12:58:46 1j6uLP-0008su-Lw == f...@example.com R=spamassassin_router T=spamassassin_local defer (-1): Expansion of "$local_part@$domain" from command "/usr/local/bin/spamc -s 2097152 -u $local_part@$domain" in transport filter failed: attempt to expand tainted string '$local_part@$domain'
> 12:58:46 22061 child 32950 ended: status=0x0
> 12:58:46 22061 normal exit, 0

Please try the latest FreeBSD port of mail/exim. Dima Panov (flu...@freebsd.org) picked up all the patches in 4.93+fixes, and it fixed all MY taint issues.

4.93.0.4_3 is the version.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 214-642-9640 E-Mail: l...@lerctr.org
US Mail: 5708 Sabbia Dr, Round Rock, TX 78665-2106
Re: [exim] tainted string in 4.93
Some debug on this issue (FreeBSD 12.1)

12:58:46 22061 exim 4.93.0.4 daemon started: pid=22061, -q15m, listening for SMTP on [1.2.3.4]:{25,465,587} [2001:2:3:4::1]:{25,465,587} [127.0.0.1]:{25,465,587} [::1]:25
...
...
12:58:46 22061 set_process_info: 22061 daemon(4.93.0.4): -q15m, listening for SMTP on [1.2.3.4]:{25,465,587} [2001:2:3:4::1]:{25,465,587} [127.0.0.1]:{25,465,587} [::1]:25
...
...
12:58:46 22061 SPF_dns_exim_new
spf_compile.c:523Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}=%{C}=%{R}
spf_compile.c:1210 Debug: Compiling record v=spf1
spf_compile.c:523Debug: Parsing macro starting at Please%_see%_http://www.open-spf.org/Why?id=%{S}=%{C}=%{R}
12:58:46 22061 daemon running with uid=26 gid=6 euid=26 egid=6
12:58:46 22061 SIGALRM received
12:58:46 22061 1 queue-runner process running
12:58:46 22061 Listening...
12:58:46 32950 Starting queue-runner: pid 32950
12:58:46 32950 exec /usr/local/sbin/exim -qG
2020-02-26 12:58:46 1j6uLP-0008su-Lw attempt to expand tainted string '$local_part@$domain'
2020-02-26 12:58:46 1j6uLP-0008su-Lw == f...@example.com R=spamassassin_router T=spamassassin_local defer (-1): Expansion of "$local_part@$domain" from command "/usr/local/bin/spamc -s 2097152 -u $local_part@$domain" in transport filter failed: attempt to expand tainted string '$local_part@$domain'
12:58:46 22061 child 32950 ended: status=0x0
12:58:46 22061 normal exit, 0

Max Kostikov via Exim-users wrote 2020-02-25 22:44:
> With latest Exim (4.93.0.4) FreeBSD ports and fixes I still have
>
> 2020-02-24 19:48:02 1j6Hpq-000KXu-9y Taint mismatch, Ustrncpy: ip_unixsocket 518
>
> and no incoming mail.
> Apparently it is related to "pipe" command in filters.
>
> Jeremy Harris via Exim-users wrote 2020-02-25 12:31:
>> On 24/02/2020 23:05, Aristedes Maniatis via Exim-users wrote:
>>> After an upgrade to 4.93 from 4.92 (FreeBSD ports), I am getting
>>
>> Multiple people are reporting issues with FreeBSD.
>> Please contact the FreeBSD maintainer and check if
>> the +patches branch is being tracked.
>> --
>> Cheers,
>> Jeremy

--
With best regards,
Max Kostikov
W: https://kostikov.co | DeltaChat: m...@eprove.net
Re: [exim] tainted string in 4.93
With latest Exim (4.93.0.4) FreeBSD ports and fixes I still have

2020-02-24 19:48:02 1j6Hpq-000KXu-9y Taint mismatch, Ustrncpy: ip_unixsocket 518

and no incoming mail.
Apparently it is related to "pipe" command in filters.

Jeremy Harris via Exim-users wrote 2020-02-25 12:31:
> On 24/02/2020 23:05, Aristedes Maniatis via Exim-users wrote:
>> After an upgrade to 4.93 from 4.92 (FreeBSD ports), I am getting
>
> Multiple people are reporting issues with FreeBSD.
> Please contact the FreeBSD maintainer and check if
> the +patches branch is being tracked.
> --
> Cheers,
> Jeremy

--
With best regards,
Max Kostikov
W: https://kostikov.co | DeltaChat: m...@eprove.net
Re: [exim] tainted string in 4.93
On 24/02/2020 23:05, Aristedes Maniatis via Exim-users wrote:
> After an upgrade to 4.93 from 4.92 (FreeBSD ports), I am getting

Multiple people are reporting issues with FreeBSD.
Please contact the FreeBSD maintainer and check if the +patches branch is being tracked.

--
Cheers,
Jeremy
Re: [exim] tainted string in 4.93
Hi!

> After an upgrade to 4.93 from 4.92 (FreeBSD ports), I am getting
>
>
> 2020-02-24 18:13:08 1j67LU-0005vG-1C == a...@ish.com.au R=localuser
> T=local_delivery defer (0): Expansion of
> "${local_part}${local_part_suffix}@$domain" from command
> "/usr/local/libexec/dovecot/dovecot-lda -a
> ${local_part}${local_part_suffix}@$domain -d $local_part@$domain -f
> $sender_address" in local_delivery transport failed: attempt to expand
> tainted string '${local_part}${local_part_suffix}@$domain'
>
>
> I don't understand how to work around this problem because there is
> nothing in the manual I could find around how to mark a particular string
> as not tainted, or to filter it appropriately to be safe. Any pointers on
> what to do here?

There's another update for the FreeBSD port mail/exim, committed today:

https://lists.freebsd.org/pipermail/svn-ports-all/2020-February/243949.html

this updates to exim 4.93.0.4, which should cover those tainted error messages.

--
p...@opsec.eu  +49 171 3101372  Now what ?
[exim] tainted string in 4.93
After an upgrade to 4.93 from 4.92 (FreeBSD ports), I am getting

2020-02-24 18:13:08 1j67LU-0005vG-1C == a...@ish.com.au R=localuser T=local_delivery defer (0): Expansion of "${local_part}${local_part_suffix}@$domain" from command "/usr/local/libexec/dovecot/dovecot-lda -a ${local_part}${local_part_suffix}@$domain -d $local_part@$domain -f $sender_address" in local_delivery transport failed: attempt to expand tainted string '${local_part}${local_part_suffix}@$domain'

I don't understand how to work around this problem because there is nothing in the manual I could find around how to mark a particular string as not tainted, or to filter it appropriately to be safe. Any pointers on what to do here?

Cheers
Ari
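An added triage example, not written by anyone in this thread: it scans an Exim main log for the three taint error shapes quoted above and reports which router/transport and which expression each one involves, so an admin can see what needs rewriting after an upgrade. The sample log lines are constructed from the ones in the thread, and the function names `taint_findings` and `summarize` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample main-log lines, modelled on the three error shapes quoted in this thread.
SAMPLE_LOG = """\
2020-02-24 18:13:08 1j67LU-0005vG-1C == user@example.com R=localuser T=local_delivery defer (0): Expansion of "${local_part}${local_part_suffix}@$domain" from command "/usr/local/libexec/dovecot/dovecot-lda -a ${local_part}${local_part_suffix}@$domain" in local_delivery transport failed: attempt to expand tainted string '${local_part}${local_part_suffix}@$domain'
2020-02-26 12:58:46 1j6uLP-0008su-Lw attempt to expand tainted string '$local_part@$domain'
2020-02-26 12:58:46 1j6uLP-0008su-Lw == user@example.com R=spamassassin_router T=spamassassin_local defer (-1): Expansion of "$local_part@$domain" from command "/usr/local/bin/spamc -u $local_part@$domain" in transport filter failed: attempt to expand tainted string '$local_part@$domain'
2020-06-29 04:50:00 1jpABC-000123-4D Tainted '/bin/smssend -e -c foo' (command for address_pipe transport) not permitted
2020-02-24 19:48:02 1j6Hpq-000KXu-9y Taint mismatch, Ustrncpy: ip_unixsocket 518
2020-02-24 19:49:10 1j6Hqw-000KYz-Ab <= sender@example.net H=mx.example.net [192.0.2.1] P=esmtp S=1234
"""

LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<id>\w{6}-\w{6}-\w{2}) (?P<rest>.*)$")
PATTERNS = [
    ("expand", re.compile(r"attempt to expand tainted string '(?P<what>[^']*)'$")),
    ("not_permitted", re.compile(r"Tainted '(?P<what>[^']*)' \(command for (?P<transport>\S+) transport\) not permitted")),
    ("mismatch", re.compile(r"Taint mismatch, (?P<what>.*)$")),
]
ROUTER, TRANSPORT = re.compile(r"\bR=(\S+)"), re.compile(r"\bT=(\S+)")

def taint_findings(log_text):
    """Return one dict per taint-related log line; other log lines are ignored."""
    findings = []
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        for kind, rx in PATTERNS:
            hit = rx.search(m["rest"])
            if hit:
                r, t = ROUTER.search(m["rest"]), TRANSPORT.search(m["rest"])
                findings.append({"id": m["id"], "kind": kind, "what": hit["what"],
                                 "router": r[1] if r else None,
                                 "transport": hit.groupdict().get("transport") or (t[1] if t else None)})
                break
    return findings

def summarize(findings):
    """Count per (router, transport, expression); drop bare duplicates of a located event."""
    located = {(f["id"], f["what"]) for f in findings if f["transport"]}
    counts = Counter()
    for f in findings:
        if f["transport"] is None and (f["id"], f["what"]) in located:
            continue  # the same failure is also logged on the "==" delivery line
        counts[(f["router"], f["transport"], f["what"])] += 1
    return counts

if __name__ == "__main__":
    print(summarize(taint_findings(SAMPLE_LOG)))
```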