
Unable to read domainkey file
Hi list!

Since yesterday I cannot read the domainkey file when sending e-mails.
In the log I see:

2021-03-20 08:41:28 1lNWEh-0004NA-PE Tainted filename
'/etc/exim/domainKeys/lucabert.de/2021.priv'

2021-03-20 08:41:28 1lNWEh-0004NA-PE unable to open file for reading:
/etc/exim/domainKeys/lucabert.de/2021.priv


Of course the whole path is readable for the user "exim".
Yesterday I updated the system to Debian 10 and recompiled Exim to the
latest Version 4.94.

Does someone have any idea what the problem could be?

Thanks
Luca Bertoncello
(lucabert@lucabert.de)

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Unable to read domainkey file
On Sat, 20 Mar 2021, Luca Bertoncello via Exim-users wrote:

> Hi list!
>
> Since yesterday I cannot read the domainkey file when sending e-mails.
> In the log I see:
>
> 2021-03-20 08:41:28 1lNWEh-0004NA-PE Tainted filename
> '/etc/exim/domainKeys/lucabert.de/2021.priv'
>
> 2021-03-20 08:41:28 1lNWEh-0004NA-PE unable to open file for reading:
> /etc/exim/domainKeys/lucabert.de/2021.priv
>
> Of course the whole path is readable for the user "exim".
> Yesterday I updated the system to Debian 10 and recompiled Exim to the
> latest Version 4.94.
>
> Does someone have any idea what the problem could be?

The message says "Tainted filename": recent versions of exim refuse to
open files with names derived from the incoming message unless they have
been "sanitised", e.g. by a database lookup. To be certain we would have
to see how the filename is created in your config file, but you *may* be
able to fix this by changing $domain to $domain_data.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: Unable to read domainkey file
On 20.03.2021 at 09:43, Andrew C Aitchison via Exim-users wrote:

Hi Andrew!

> The message says "Tainted filename": recent versions of exim refuse to
> open files with names derived from the incoming message unless they have
> been "sanitised", e.g. by a database lookup. To be certain we would have
> to see how the filename is created in your config file, but you *may* be
> able to fix this by changing $domain to $domain_data.

This is my transport:

remote_smtp_DK:
driver = smtp
helo_data = $smtp_active_hostname
dkim_canon = relaxed
dkim_domain = $sender_address_domain
dkim_selector = ${substr{0}{4}{$tod_zulu}}
dkim_private_key = /etc/exim/domainKeys/$dkim_domain/$dkim_selector.priv
interface = ${lookup{$sender_address_domain}lsearch{/etc/exim/mailouts}{$value}{<; DEFAULT_IPv4 ; DEFAULT_IPv6}}
tls_try_verify_hosts = !*

I'm not sure what you mean by "changing $domain to $domain_data"...
Could you explain it?

Thanks
Luca Bertoncello
(lucabert@lucabert.de)

Re: Unable to read domainkey file
On 2021-03-20 Luca Bertoncello via Exim-users <exim-users@exim.org> wrote:
> On 20.03.2021 at 09:43, Andrew C Aitchison via Exim-users wrote:
> > The message says "Tainted filename"
> > recent versions of exim refuse to open files with names derived from the
> > incoming message unless they have been "sanitised" eg by a database
> > lookup.
[...]
> dkim_domain = $sender_address_domain
> dkim_selector = ${substr{0}{4}{$tod_zulu}}
> dkim_private_key = /etc/exim/domainKeys/$dkim_domain/$dkim_selector.priv
[...]
> Could you explain it?

Hello,

Like Andrew said: "exim refuse to open files with names derived from the
incoming message". $sender_address_domain is derived directly from the
incoming message. You need to use the result of a lookup
(${lookup{$sender_address_domain}...}, perhaps with ret=key) instead.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Re: Unable to read domainkey file
On 20.03.2021 at 09:43, Andrew C Aitchison via Exim-users wrote:

Hi again

> The message says "Tainted filename": recent versions of exim refuse to
> open files with names derived from the incoming message unless they have
> been "sanitised", e.g. by a database lookup. To be certain we would have
> to see how the filename is created in your config file, but you *may* be
> able to fix this by changing $domain to $domain_data.

I got it!

I had to recompile Exim with:

LOOKUP_DSEARCH=yes

Then I changed my transport like this:

remote_smtp_DK:
driver = smtp
helo_data = $smtp_active_hostname
dkim_canon = relaxed
dkim_domain = ${lookup {$sender_address_domain} dsearch {/etc/exim/domainKeys/}}
dkim_selector = ${substr{0}{4}{$tod_zulu}}
dkim_private_key = /etc/exim/domainKeys/$dkim_domain/$dkim_selector.priv
interface = ${lookup{$sender_address_domain}lsearch{/etc/exim/mailouts}{$value}{<; DEFAULT_IPv4 ; DEFAULT_IPv6}}
tls_try_verify_hosts = !*

Now it works. No errors/warnings in the exim log and E-Mails signed with
DKIM.

Hope this helps someone else...

Regards
Luca Bertoncello
(lucabert@lucabert.de)

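The thread's fix rests on one idea: a string taken from the incoming message (here $sender_address_domain) must not be spliced into a filesystem path, but the name returned by a dsearch lookup is safe because it comes from the directory listing, not from the message. The following Python model is an added illustration, not code from the thread or from Exim. It builds a throwaway key tree (KEY_ROOT, a temporary directory standing in for /etc/exim/domainKeys) and the function names naive_key_path, dsearch and dkim_key_path are hypothetical; only the dsearch semantics (match the key against an actual directory entry and return that entry) follow what Exim does.

```python
import os
import tempfile
from typing import Optional

# Constructed key tree standing in for /etc/exim/domainKeys/<domain>/<selector>.priv.
# KEY_ROOT is an assumption for this example; the real transport uses a fixed path.
KEY_ROOT = tempfile.mkdtemp(prefix="domainKeys-")
for _domain in ("lucabert.de", "example.org"):
    os.makedirs(os.path.join(KEY_ROOT, _domain))
    with open(os.path.join(KEY_ROOT, _domain, "2021.priv"), "w") as fh:
        fh.write("constructed placeholder, not a real key\n")


def naive_key_path(sender_domain: str, selector: str, root: str = KEY_ROOT) -> str:
    """The pattern Exim 4.94 rejects as 'Tainted filename': the sender domain,
    taken straight from the message, is joined into a path without any check."""
    return os.path.normpath(os.path.join(root, sender_domain, selector + ".priv"))


def escapes_root(path: str, root: str) -> bool:
    """True if a resolved path lies outside the key directory."""
    root = os.path.normpath(root)
    return not (path == root or path.startswith(root + os.sep))


def dsearch(key: str, directory: str) -> Optional[str]:
    """Model of Exim's dsearch lookup: succeed only when `key` is the name of an
    entry that exists in `directory`, and return that name as read back from the
    listing. Because the result originates from the filesystem rather than from
    the message, Exim treats it as untainted."""
    if not key or os.sep in key or key in (".", ".."):
        return None  # a single directory entry can never contain a separator
    for entry in os.listdir(directory):
        if entry == key:
            return entry
    return None


def dkim_key_path(sender_domain: str, selector: str, root: str = KEY_ROOT) -> Optional[str]:
    """Hardened equivalent of the fixed transport: dkim_domain is the dsearch
    result; dkim_selector is clock-derived ($tod_zulu) and therefore not tainted."""
    domain = dsearch(sender_domain, root)
    if domain is None:
        return None  # unknown or malformed domain: no key, so no signature
    path = os.path.join(root, domain, selector + ".priv")
    if not os.path.isfile(path):
        return None  # no key file for this selector (e.g. not yet rolled over)
    return path


if __name__ == "__main__":
    for dom in ("lucabert.de", "nonexistent.invalid", os.path.join("..", "..", "etc")):
        naive = naive_key_path(dom, "2021")
        print(f"{dom!r:24} naive   -> {naive} (outside root: {escapes_root(naive, KEY_ROOT)})")
        print(f"{'':24} dsearch -> {dkim_key_path(dom, '2021')}")
```

Running it shows the two behaviours side by side: for a domain that has a key directory both functions agree, while for anything else the naive join happily produces a path (possibly outside the key tree) and the dsearch-based version returns None, which is the outcome the fixed transport relies on. Note that Exim's own check is stricter still: it refuses the tainted filename even when the resulting path would have been harmless, which is why the original transport failed for a perfectly valid domain.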