Heads-up: Exim 4.96 RC0 may break your Dovecot LDA delivery

Kirill Miazine km at krot.org
Mon Apr 25 12:36:22 UTC 2022


Hi, all

The just released RC0 for Exim 4.96 will break Dovecot LDA delivery as
described on https://wiki.dovecot.org/LDA/Exim

Here is the relevant ChangeLog entry:

JH/25 Taint-check exec arguments for transport-initiated external processes.
      Previously, tainted values could be used.  This affects "pipe", "lmtp" and
      "queryprogram" transport, transport-filter, and ETRN commands.
      The ${run} expansion is also affected: in "preexpand" mode no part of
      the command line may be tainted, in default mode the executable name
      may not be tainted.

As of now I don't have a personal working solution to get untainted data.
I did try a small hack, but Exim was smart enough to see what I was
doing.

-- 
    -- Kirill Miazine <km at krot.org>
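
The following is an added example, not part of the original post and not Exim or Dovecot code: a Python lint that scans an Exim configuration for tainted variables in the exec-related options named in the JH/25 entry, so affected transports can be found before upgrading. The list of tainted variables is a partial one and an assumption, the function names are hypothetical, and the sample transports and the dovecot-lda path are constructed.

```python
import re

# Assumption (partial list): Exim variables holding tainted, sender-controlled
# data. $local_part_data / $domain_data, set by router lookups, are untainted.
TAINTED = {"local_part", "domain", "original_local_part", "original_domain",
           "sender_address", "sender_address_local_part", "sender_address_domain"}
HEADER = re.compile(r"[rbl]?h(eader)?_")          # $h_subject:, $rheader_from:, ...
VAR = re.compile(r"\$\{?([A-Za-z][A-Za-z0-9_]*)")
EXEC_DRIVERS = {"pipe", "lmtp", "queryprogram"}   # drivers named in JH/25

def logical_lines(text):
    """Yield config lines, dropping comments and joining backslash continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            yield buf + line
            buf = ""

def find_tainted_exec_args(text):
    """Return sorted (block, option, variable) triples a taint check would flag."""
    blocks, name = {}, None
    for line in logical_lines(text):
        if m := re.match(r"([A-Za-z0-9_-]+):$", line):      # "name:" opens a block
            name = m.group(1)
        elif name and (m := re.match(r"(\w+)\s*=\s*(.*)$", line)):
            blocks.setdefault(name, {})[m.group(1)] = m.group(2)
    findings = set()
    for name, opts in blocks.items():
        for opt in ("command", "transport_filter"):
            if opt == "command" and opts.get("driver") not in EXEC_DRIVERS:
                continue
            for var in VAR.findall(opts.get(opt, "")):
                if var in TAINTED or HEADER.match(var):
                    findings.add((name, opt, var))
    return sorted(findings)

# Constructed sample config; the second transport assumes a router lookup set *_data.
SAMPLE = r"""begin transports
dovecot_delivery:
  driver = pipe
  command = /usr/libexec/dovecot/dovecot-lda -d $local_part@$domain \
            -f $sender_address
dovecot_detainted:
  driver = pipe
  command = /usr/libexec/dovecot/dovecot-lda -d $local_part_data@$domain_data
"""
```

Calling `find_tainted_exec_args(SAMPLE)` reports only `dovecot_delivery`; a clean result means none of the listed variables appear, not that Exim will accept the configuration.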

