Heads-up: Exim 4.96 RC0 may break your Dovecot LDA delivery
Hi, all
The just-released RC0 for Exim 4.96 will break Dovecot LDA delivery as described on https://wiki.dovecot.org/LDA/Exim
Here is the relevant ChangeLog entry:
JH/25 Taint-check exec arguments for transport-initiated external processes. Previously, tainted values could be used. This affects "pipe", "lmtp" and "queryprogram" transport, transport-filter, and ETRN commands. The ${run} expansion is also affected: in "preexpand" mode no part of the command line may be tainted, in default mode the executable name may not be tainted.
As of now I don't have a personal working solution to get untainted data. I did try a small hack, but Exim was smart enough to see what I was doing.
-- Kirill Miazine km@krot.org
So my workaround was to create a simple wrapper and call it, instead of dovecot-lda:
$ cat /local/bin/dovecot-lda-wrapper
#!/bin/sh
# Exim's pipe transport exports the envelope data as environment variables,
# so the tainted $local_part/$domain never appear on Exim's command line.
exec /usr/local/libexec/dovecot/dovecot-lda \
    -d "${LOCAL_PART}@${DOMAIN}" \
    -a "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
    -r "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
    -f "${SENDER}"
Here's how it is called from Exim:
dovecot_pipe:
  driver = pipe
  command = /local/bin/dovecot-lda-wrapper
  # Previous form, rejected by 4.96 RC0 because the arguments are tainted:
  # command = /usr/local/libexec/dovecot/dovecot-lda \
  #   -d $local_part@$domain \
  #   -a $local_part$local_part_suffix@$domain \
  #   -r $local_part$local_part_suffix@$domain \
  #   -f $return_path
-- Kirill Miazine km@krot.org
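An added example, not the poster's script: a stricter variant of the wrapper above. Because the wrapper takes Exim's taint check out of the picture, it validates the variables the pipe transport exports (LOCAL_PART, LOCAL_PART_SUFFIX, DOMAIN, SENDER) before exec'ing dovecot-lda. The allowed character sets and the exit-on-rejection behaviour are assumptions to adjust to your own address policy.

```shell
#!/bin/sh
# Added example, not the original poster's wrapper: validates the environment
# Exim's pipe transport exports before exec'ing dovecot-lda, since this
# wrapper bypasses Exim's own taint check on the command arguments.

# Assumed allowed character set; tune to the addresses your site accepts.
# Succeeds only for a non-empty value of allowed characters not starting
# with '-' (a POSIX case with no matching pattern exits 0).
valid_part() {
    case "$1" in
        '' | -* ) return 1 ;;
        *[!A-Za-z0-9._+=-]* ) return 1 ;;
    esac
}

# SENDER is legitimately empty for bounces, so only its shape is checked.
valid_sender() {
    case "$1" in
        '' ) return 0 ;;
        -* | *[!A-Za-z0-9._%+=@-]* ) return 1 ;;
    esac
}

# Validates the environment and prints the argument vector dovecot-lda would
# receive, one element per line; fails without printing if anything is off.
lda_args() {
    valid_part "$LOCAL_PART" && valid_part "$DOMAIN" || return 1
    [ -z "$LOCAL_PART_SUFFIX" ] || valid_part "$LOCAL_PART_SUFFIX" || return 1
    valid_sender "$SENDER" || return 1
    printf '%s\n' \
        -d "${LOCAL_PART}@${DOMAIN}" \
        -a "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
        -r "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
        -f "${SENDER}"
}

# Exim always sets LOCAL_PART for a pipe delivery; when it is unset the file
# is only being sourced (e.g. for testing) and nothing is executed.
if [ -n "${LOCAL_PART+x}" ]; then
    # A non-zero exit status makes Exim treat the delivery as failed.
    lda_args >/dev/null || { echo "dovecot-lda-wrapper: rejected envelope data" >&2; exit 1; }
    exec /usr/local/libexec/dovecot/dovecot-lda \
        -d "${LOCAL_PART}@${DOMAIN}" \
        -a "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
        -r "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
        -f "${SENDER}"
fi
```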
You could also just switch to LMTP instead of LDA.
Aki
My main goal was to warn Dovecot people about potential issues when upgrading.
Using LMTP is, of course, an option, and should be considered, but there are still cases when using LDA is appropriate.
In my case I couldn't easily just switch to LMTP, as that would affect the way spam scanning and training is done. In fact, I do have LMTP set up too, but I have it commented out, as with LMTP in my setup I'm not getting spam training. My spam scanning and training is implemented using an Exim facility called transport_filter, which allows for very lightweight spam checking using bogofilter.
Some users might be calling Dovecot LDA from their .forward files.
-- Kirill Miazine km@krot.org