Morning all.
How do I untaint $sender?
On my personal server I am trying to install sieve like services using
dovecot-pidgeonhole.
I have amended my localuser router and created a transport
dovecot_delivery - see below
The instructions were taken from https://wiki.dovecot.org/LDA/Exim
However, when I sent a test email I got the following log entries and
the email was rejected:
2023-05-10 21:28:56 1pwqQi-00057k-1N <= some.testuser@gmail.com
H=hub.ringways.co.uk (ringways.co.uk) [88.211.105.30] P=esmtps
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=5388 DKIM=gmail.com
id=CA+GsGL6gvYJAuKmR8nTNGTkKZ8GTLxNhLSwkWivE3SxWnjaJsQ@mail.gmail.com
T="JATE 2128"
2023-05-10 21:28:56 Warning: purging the environment.
Suggested action: use keep_environment.
2023-05-10 21:28:56 1pwqQi-00057k-1N ** some@testuser.com R=localuser
T=dovecot_delivery: Tainted arg 2 for dovecot_delivery transport
command: 'some.testuser@gmail.com'
2023-05-10 21:28:56 Warning: purging the environment.
Suggested action: use keep_environment.
2023-05-10 21:28:57 1pwqQi-00057s-3C <= <> R=1pwqQi-00057k-1N U=exim
P=local S=6669 T="Mail delivery failed: returning message to sender"
2023-05-10 21:28:57 Warning: purging the environment.
Suggested action: use keep_environment.
2023-05-10 21:28:57 1pwqQi-00057k-1N Completed
I know how to untaint $local_part and $domain using lookups, but I have
no idea how to untaint $sender.
localuser:
debug_print = "R: local_user $local_part @ $domain"
domains = +local_domains
driver = accept
condition = ${lookup pgsql{select lu_userID from local_user_details \
where lu_localpart = '${quote_pgsql:$local_part}' \
and domain='${quote_pgsql:$domain}'}}
check_local_user
# amended 2023-05-10
# transport = local_delivery
transport = dovecot_delivery
dovecot_delivery:
driver = pipe
# Use /usr/lib/dovecot/dovecot-lda if using Debian's package.
# You may or may not want to add -d $local_part@$domain depending on
if you need a userdb lookup done.
command = /usr/local/libexec/dovecot/dovecot-lda -f $sender_address
message_prefix =
message_suffix =
log_output
delivery_date_add
envelope_to_add
return_path_add
#group = mail
#mode = 0660
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
--
Kind regards
Gary Stainburn
*Group I.T. Manager - D.M.Keith Ford/Kia After-Sales*
*Switchboard* 0113 2634 222
*Address:* D.M.Keith Ford/Kia Aftersales | Hales Road | Leeds | LS12 4TG
/*Branches throughout Yorkshire and North Lincolnshire.*/
*Ford Leeds *0113 263 4222 | *Transit Centre Leeds* 0113 2634222 |
*Skoda Leeds* 0113 2771777 | *KiaLeeds* 0113426 8111 | *Kia Doncaster*
01302 384350 | *Skoda Bradford* 01274 741200 | *Skoda Wakefield* 01924
246900 | *Skoda Huddersfield*01484 435499 | *Skoda York* 01904 692921|
*SEAT York* 01904 692921 | *Cupra York* 01904 692921 | *Skoda Hull*
01482 802000 | *Skoda Grimsby* 01472 803 545 | *SEAT Grimsby* 01472 348
348 | *Honda Grimsby* 01472 358 625 | *SEAT MO* 01472 348 348 | *Trade
Car Outlet Ossett* 01924 255476 | *Ringways Hire & Leasing Ltd* 0344
4146789.
/This email message is confidential and may contain legally privileged
information. It may be monitored (whether you are the sender or
recipient) and recorded and retained by D.M.Keith Ltd, Ringways Garages
(Leeds) Ltd, Ringways Garages (Doncaster) Ltd, Ringways Hire & Leasing
Limited and or its other Group Companies. Under the “Lawful Business
Practices Interception of Communication Regulations 2000” email and
telephone monitoring and or recording software may be used, and email or
telephone call content may be reviewed at any time. If you are not the
intended recipient you should not read, copy, distribute, disclose or
otherwise use the information in this e-mail. Please also contact
D.M.Keith Ltd by emailing _privacy@dmkeith.com_ or fax us on 0113
2703641, immediately and delete the message from your system. Copyright
in this email belongs to D.M.Keith Ltd., ALL RIGHTS RESERVED. Whilst
every effort has been made to check for viruses, D.M.Keith Ltd and its
Group Companies does not warrant that it is free of viruses. E-mail may
be susceptible to data corruption, interception and unauthorised
amendment, and we do not accept liability for any such corruption,
interception or amendment or the consequences thereof. D.M. Keith Ltd is
registered under the Data Protection Act 1998 registration No. Z7389610,
Ringways Garages (Leeds) Ltd is registered under the Data Protection Act
1998 registration No. Z5414640 , Ringways Garages (Doncaster) Ltd is
registered under the Data Protection Act 1998 registration No. Z5414654.
D.M.Keith Limited and its other Group companies are an appointed
representative of ITC Compliance Limited which is authorised and
regulated by the Financial Conduct Authority (their registration number
is 313486). Permitted activities include advising on and arranging
general insurance contracts and acting as a credit broker not a lender.
We can introduce you to a limited number of finance providers. We do not
charge fees for our Consumer Credit services. We may receive a
payment(s) or other benefits from finance providers should you decide to
enter into an agreement with them, typically either a fixed fee or a
fixed percentage of the amount you borrow. The payment we receive may
vary between finance providers and product types. The payment received
does not impact the finance rate offered. All finance applications are
subject to status, terms and conditions apply, UK residents only, 18’s
or over, Guarantees may be required. D.M. Keith Ltd and its group
companies are as follows: - D M Keith Ltd, Company registration No.
00749256 Registered office, Thwaite Gate, Leeds, LS10 1DY. Ringways
Garages (Leeds) Ltd, Company registration No. 00543323 trading as D M
Keith Kia Leeds and D M Keith Ford Leeds Registered office, Whitehall
Road, Leeds, LS12 5NL. Ringways Garages (Doncaster) Ltd, Company
registration No. 00282527 trading as D M Keith Kia Doncaster. Registered
office, Whitehall Road, Leeds, LS12 5NL, Ringways (HIRE & LEASING) LTD,
company registration No. 00470274, Registered Office, Whitehall Road,
Leeds, LS12 5NL. All group companies VAT registration No. 169785889. All
goods and services are sold subject to our Conditions of Sale which can
be found along with our; Data Protection Policy, Security Policy,
Privacy & Cookie Policy, Anti-Slavery Human-Trafficking Statement, Job
Applicant Privacy Notice, Gender Pay Gap Statement, Treating Customers
Fairly Policy & FCA Status Disclosure. These can be found on the link
_https://www.dmkeith.com/website-privacy-and-legal-information_ E&O.E./
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
How do I untaint $sender?
On my personal server I am trying to install sieve like services using
dovecot-pidgeonhole.
I have amended my localuser router and created a transport
dovecot_delivery - see below
The instructions were taken from https://wiki.dovecot.org/LDA/Exim
However, when I sent a test email I got the following log entries and
the email was rejected:
2023-05-10 21:28:56 1pwqQi-00057k-1N <= some.testuser@gmail.com
H=hub.ringways.co.uk (ringways.co.uk) [88.211.105.30] P=esmtps
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=5388 DKIM=gmail.com
id=CA+GsGL6gvYJAuKmR8nTNGTkKZ8GTLxNhLSwkWivE3SxWnjaJsQ@mail.gmail.com
T="JATE 2128"
2023-05-10 21:28:56 Warning: purging the environment.
Suggested action: use keep_environment.
2023-05-10 21:28:56 1pwqQi-00057k-1N ** some@testuser.com R=localuser
T=dovecot_delivery: Tainted arg 2 for dovecot_delivery transport
command: 'some.testuser@gmail.com'
2023-05-10 21:28:56 Warning: purging the environment.
Suggested action: use keep_environment.
2023-05-10 21:28:57 1pwqQi-00057s-3C <= <> R=1pwqQi-00057k-1N U=exim
P=local S=6669 T="Mail delivery failed: returning message to sender"
2023-05-10 21:28:57 Warning: purging the environment.
Suggested action: use keep_environment.
2023-05-10 21:28:57 1pwqQi-00057k-1N Completed
I know how to untaint $local_part and $domain using lookups, but I have
no idea how to untaint $sender.
localuser:
debug_print = "R: local_user $local_part @ $domain"
domains = +local_domains
driver = accept
condition = ${lookup pgsql{select lu_userID from local_user_details \
where lu_localpart = '${quote_pgsql:$local_part}' \
and domain='${quote_pgsql:$domain}'}}
check_local_user
# amended 2023-05-10
# transport = local_delivery
transport = dovecot_delivery
dovecot_delivery:
driver = pipe
# Use /usr/lib/dovecot/dovecot-lda if using Debian's package.
# You may or may not want to add -d $local_part@$domain depending on
if you need a userdb lookup done.
command = /usr/local/libexec/dovecot/dovecot-lda -f $sender_address
message_prefix =
message_suffix =
log_output
delivery_date_add
envelope_to_add
return_path_add
#group = mail
#mode = 0660
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
--
Kind regards
Gary Stainburn
*Group I.T. Manager - D.M.Keith Ford/Kia After-Sales*
*Switchboard* 0113 2634 222
*Address:* D.M.Keith Ford/Kia Aftersales | Hales Road | Leeds | LS12 4TG
/*Branches throughout Yorkshire and North Lincolnshire.*/
*Ford Leeds *0113 263 4222 | *Transit Centre Leeds* 0113 2634222 |
*Skoda Leeds* 0113 2771777 | *KiaLeeds* 0113426 8111 | *Kia Doncaster*
01302 384350 | *Skoda Bradford* 01274 741200 | *Skoda Wakefield* 01924
246900 | *Skoda Huddersfield*01484 435499 | *Skoda York* 01904 692921|
*SEAT York* 01904 692921 | *Cupra York* 01904 692921 | *Skoda Hull*
01482 802000 | *Skoda Grimsby* 01472 803 545 | *SEAT Grimsby* 01472 348
348 | *Honda Grimsby* 01472 358 625 | *SEAT MO* 01472 348 348 | *Trade
Car Outlet Ossett* 01924 255476 | *Ringways Hire & Leasing Ltd* 0344
4146789.
/This email message is confidential and may contain legally privileged
information. It may be monitored (whether you are the sender or
recipient) and recorded and retained by D.M.Keith Ltd, Ringways Garages
(Leeds) Ltd, Ringways Garages (Doncaster) Ltd, Ringways Hire & Leasing
Limited and or its other Group Companies. Under the “Lawful Business
Practices Interception of Communication Regulations 2000” email and
telephone monitoring and or recording software may be used, and email or
telephone call content may be reviewed at any time. If you are not the
intended recipient you should not read, copy, distribute, disclose or
otherwise use the information in this e-mail. Please also contact
D.M.Keith Ltd by emailing _privacy@dmkeith.com_ or fax us on 0113
2703641, immediately and delete the message from your system. Copyright
in this email belongs to D.M.Keith Ltd., ALL RIGHTS RESERVED. Whilst
every effort has been made to check for viruses, D.M.Keith Ltd and its
Group Companies does not warrant that it is free of viruses. E-mail may
be susceptible to data corruption, interception and unauthorised
amendment, and we do not accept liability for any such corruption,
interception or amendment or the consequences thereof. D.M. Keith Ltd is
registered under the Data Protection Act 1998 registration No. Z7389610,
Ringways Garages (Leeds) Ltd is registered under the Data Protection Act
1998 registration No. Z5414640 , Ringways Garages (Doncaster) Ltd is
registered under the Data Protection Act 1998 registration No. Z5414654.
D.M.Keith Limited and its other Group companies are an appointed
representative of ITC Compliance Limited which is authorised and
regulated by the Financial Conduct Authority (their registration number
is 313486). Permitted activities include advising on and arranging
general insurance contracts and acting as a credit broker not a lender.
We can introduce you to a limited number of finance providers. We do not
charge fees for our Consumer Credit services. We may receive a
payment(s) or other benefits from finance providers should you decide to
enter into an agreement with them, typically either a fixed fee or a
fixed percentage of the amount you borrow. The payment we receive may
vary between finance providers and product types. The payment received
does not impact the finance rate offered. All finance applications are
subject to status, terms and conditions apply, UK residents only, 18’s
or over, Guarantees may be required. D.M. Keith Ltd and its group
companies are as follows: - D M Keith Ltd, Company registration No.
00749256 Registered office, Thwaite Gate, Leeds, LS10 1DY. Ringways
Garages (Leeds) Ltd, Company registration No. 00543323 trading as D M
Keith Kia Leeds and D M Keith Ford Leeds Registered office, Whitehall
Road, Leeds, LS12 5NL. Ringways Garages (Doncaster) Ltd, Company
registration No. 00282527 trading as D M Keith Kia Doncaster. Registered
office, Whitehall Road, Leeds, LS12 5NL, Ringways (HIRE & LEASING) LTD,
company registration No. 00470274, Registered Office, Whitehall Road,
Leeds, LS12 5NL. All group companies VAT registration No. 169785889. All
goods and services are sold subject to our Conditions of Sale which can
be found along with our; Data Protection Policy, Security Policy,
Privacy & Cookie Policy, Anti-Slavery Human-Trafficking Statement, Job
Applicant Privacy Notice, Gender Pay Gap Statement, Treating Customers
Fairly Policy & FCA Status Disclosure. These can be found on the link
_https://www.dmkeith.com/website-privacy-and-legal-information_ E&O.E./
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/