Recommended changes for delivery from Exim
Hi,
Security changes to Exim have invalidated certain suggested configurations in the Dovecot wiki.
As I do not have a Dovecot installation to test, I am not going to write any updates there. It would be good if someone would test these suggestions and then make updates as needed.
The use of $local_part and $domain in commands run by the "pipe" transport will be disallowed in the upcoming Exim release. These are currently noted as optional, with the "-m" flag to dovecot-lda. They should be replaced with validated (untainted) versions, commonly $local_part_data and $domain_data, developed via one of the several de-taint methods documented for Exim.
The same applies to $original_local_part and $original_domain.
The use of $sender_address will likewise be disallowed. This and the "-f" flag can be dropped from the dovecot-lda command line, and the specification of a null "message_prefix" option removed.
The defaults for a pipe transport will then prefix the message with a suitable Mbox "From " header line, which dovecot-lda is documented to extract the sender from.
Both of these suggestions are back-compatible to the current 4.95 release of Exim, and will be required with the 4.96 release.
Cheers, Jeremy
Refs:
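As an added example (not from Jeremy's message or the Dovecot wiki), here is what the de-tainted router and pipe transport he describes look like for a virtual-user setup; the lsearch files, the dovecot-lda path and the vmail/mail delivery user are assumptions:

```exim
# Router: the lsearch lookups are what validate (untaint) the address.
# On a match Exim stores the looked-up values in $domain_data and
# $local_part_data, which the transport can then interpolate safely.
# The two list files (one key per line) are assumed paths.
dovecot_user:
  driver = accept
  domains = lsearch;/etc/exim4/virtual_domains
  local_parts = lsearch;/etc/exim4/virtual_users
  transport = dovecot_delivery

# Transport: no tainted $local_part/$domain, no "-f $sender_address" and
# no "message_prefix =" override. The pipe transport's default
# message_prefix writes the mbox "From <sender> <date>" line, and
# dovecot-lda reads the envelope sender from that line.
dovecot_delivery:
  driver = pipe
  command = /usr/lib/dovecot/dovecot-lda -d $local_part_data@$domain_data
  # Binary path and delivery user/group are assumptions for this example.
  user = vmail
  group = mail
  log_output
  return_path_add
  delivery_date_add
  envelope_to_add
```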
Hi,
It's not working to do this.
I tried and it doesn't work.
I use a workaround from Kirill Miazine <km at krot.org>
$ cat /local/bin/dovecot-lda-wrapper
#!/bin/sh
# LOCAL_PART, LOCAL_PART_SUFFIX, DOMAIN and SENDER are environment
# variables that Exim's pipe transport sets for the command it runs.
exec /usr/local/libexec/dovecot/dovecot-lda \
    -d "${LOCAL_PART}@${DOMAIN}" \
    -a "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
    -r "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
    -f "${SENDER}"
Here's how it is called from Exim:
dovecot_pipe:
  driver = pipe
  command = /local/bin/dovecot-lda-wrapper
  # command = /usr/local/libexec/dovecot/dovecot-lda \
  #   -d $local_part@$domain \
  #   -a $local_part$local_part_suffix@$domain \
  #   -r $local_part$local_part_suffix@$domain \
  #   -f $return_path
Benoît
On 01/05/2022 at 12:06, jgh@exim.org wrote:
On Fri, Feb 2, 2024 at 6:24 PM Benoît PELISSIER via dovecot <dovecot@dovecot.org> wrote:
Hi,
It's not working to do this.
I tried and it doesn't work.
I use a workaround from Kirill Miazine <km at krot.org>
---
$ cat /local/bin/dovecot-lda-wrapper
#!/bin/sh
exec /usr/local/libexec/dovecot/dovecot-lda \
-d "${LOCAL_PART}@${DOMAIN}" \
-a "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
-r "${LOCAL_PART}${LOCAL_PART_SUFFIX}@${DOMAIN}" \
-f "${SENDER}"
Here's how it is called from Exim:
dovecot_pipe:
driver = pipe
command = /local/bin/dovecot-lda-wrapper
# command = /usr/local/libexec/dovecot/dovecot-lda \
# -d $local_part@$domain \
# -a $local_part$local_part_suffix@$domain \
# -r $local_part$local_part_suffix@$domain \
# -r $local_part$local_part_suffix@$domain \
# -f $return_path
---
Benoît
It's 2024! You've awakened a thread from 2022 without explanations :)
What is it that you're trying to achieve?
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254 7 3200 0004/+254 7 2274 3223 In an Internet failure case, the #1 suspect is a constant: DNS. "Oh, the cruft.", egrep -v '^$|^.*#' ¯\_(ツ)_/¯ :-) [How to ask smart questions: http://www.catb.org/~esr/faqs/smart-questions.html]
Yes, this is an old thread.
This part has not been modified in the Dovecot documentation: https://doc.dovecot.org/configuration_manual/howto/dovecot_lda_exim/
And under Debian 12, Exim 4.96 is the installable version.
So let me respond to the thread.
Benoît
On 02/02/2024 at 16:31, Odhiambo Washington wrote:
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-leave@dovecot.org
participants (3): Benoît PELISSIER, jgh@exim.org, Odhiambo Washington