Mailing List Archive

Untainting data and Vacation configuration
Good Day!

I am running Exim 4.97.  Trying to configure a vacation/out-of-office
autoreply.  I have read a bunch of articles and examples from before and
after "tainting" was implemented. Alas, I am still confused as I build
the configuration.

Presently, I am having issues getting my router untainted.  Very simply,
I have a router, "vacationUser", listed below.

vacation-domains is a text file containing domain names, 1 per line.
users is a text file in UNIX password format.

I am trying to build the router so I understand what is happening at
each step.  I have not even gotten to the transport yet.  :-O

Thank You in Advance for any assistance!!!

glenn

===


QUESTIONs:
Why does the "local_parts" line not populate $local_part_data?
Why does this router just dump out?
Would a password lookup type be better for local_parts?  If yes, what is
the proper format?

===

vacationUser:
  driver = redirect
  domains                     = ${lookup{${lc:${domain}}}lsearch,ret=key{/usr/local/etc/exim/vacation-domains}}
  local_parts                 = ${lookup{${lc:${local_part}@${domain}}}lsearch,ret=key{/usr/local/etc/dovecot/users}}
  file                        = /var/vmail/$domain_data/$local_part_data@$domain_data/.vacation.msg
  debug_print                 = ROUTER - $router_name for $local_part@$domain - Local_part_data is $local_part_data - Domain_data is $domain_data


exim -bt -d user@domain.com yields:

--------> vacationUser router <--------
local_part=user domain=domain.com
checking domains
 search_open: lsearch "/usr/local/etc/exim/vacation-domains"
   cached open
 search_find: file="/usr/local/etc/exim/vacation-domains"
   key="domain.com" partial=-1 affix=NULL starflags=0 opts="ret=key"
 LRU list:
   7/usr/local/etc/exim/vacation-domains
   7/usr/local/etc/exim/vusers.domain.com
   7/usr/local/etc/dovecot/users
   End
 internal_search_find: file="/usr/local/etc/exim/vacation-domains"
   type=lsearch key="domain.com" opts=NULL
 cached data used for lookup of domain.com
   in /usr/local/etc/exim/vacation-domains
 lookup yielded:
domain.com in "domain.com"?
 list element: domain.com
 domain.com in "domain.com"? yes (matched "domain.com")
checking local_parts
 search_open: lsearch "/usr/local/etc/dovecot/users"
   cached open
 search_find: file="/usr/local/etc/dovecot/users"
   key="user@domain.com" partial=-1 affix=NULL starflags=0 opts="ret=key"
 LRU list:
   7/usr/local/etc/dovecot/users
   7/usr/local/etc/exim/vacation-domains
   7/usr/local/etc/exim/vusers.domain.com
   End
 internal_search_find: file="/usr/local/etc/dovecot/users"
   type=lsearch key="user@domain.com" opts=NULL
 cached data used for lookup of user@domain.com
   in /usr/local/etc/dovecot/users
 lookup yielded: ENCRYPTED-PASSWORD::::::
user in "user@domain.com"?
 list element: user@domain.com
user in "user@domain.com"? no (end of list)
vacationUser router skipped: local_parts mismatch


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Untainting data and Vacation configuration
On 21/03/2024 07:23, Glenn Gregorec via Exim-users wrote:
> vacationUser:
>   driver = redirect
>   domains                     = ${lookup{${lc:${domain}}}lsearch,ret=key{/usr/local/etc/exim/vacation-domains}}
>   local_parts                 = ${lookup{${lc:${local_part}@${domain}}}lsearch,ret=key{/usr/local/etc/dovecot/users}}
>   file                        = /var/vmail/$domain_data/$local_part_data@$domain_data/.vacation.msg
>   debug_print                 = ROUTER - $router_name for $local_part@$domain - Local_part_data is $local_part_data - Domain_data is $domain_data

Here's your lookup for the "local_parts" option:
>  internal_search_find: file="/usr/local/etc/dovecot/users"
>    type=lsearch key="user@domain.com" opts=NULL
>  cached data used for lookup of user@domain.com
>    in /usr/local/etc/dovecot/users
>  lookup yielded: ENCRYPTED-PASSWORD::::::

The result was "ENCRYPTED-PASSWORD::::::".
a) this does not look anything like the key used for lookup
b) the "opts=NULL" is of concern, suggesting that the actual lookup
is not the one you show as being the configuration

> user in "user@domain.com"?
>  list element: user@domain.com
> user in "user@domain.com"? no (end of list)
> vacationUser router skipped: local_parts mismatch

You have obfuscated that, so we cannot decode in detail and be certain.
Thanks for making helping you harder.
It is extremely likely that the local_part of the envelope recipient for the
-bt test does not match the list you are giving to the "local_parts" option
of that router.

--
Cheers,
Jeremy


Re: Untainting data and Vacation configuration
Thank You for sharing your insight Jeremy! :-)

My intention was not to make assisting my issue harder.  I was actually
trying to make it easier.  I hope this helps.

I have tried several other lookups in the hopes of learning where I am
making a mistake.  These did not work...

=== NOT WORKING ===
#    local_parts                 = ${lookup{${lc:${local_part}}}lsearch,{/usr/local/etc/dovecot/users}}
#    local_parts                 = ${lookup{${lc:${local_part}@${domain}}}lsearch,ret=key{/usr/local/etc/dovecot/users}}
    local_parts                 = ${lookup{${lc:$local_part@$domain}}lsearch,ret=key{/usr/local/etc/dovecot/users}}
#    local_parts                 = passwd;${lookup{${lc:${local_part}@${domain}}}} : lsearch;/usr/local/etc/dovecot/users
#    local_parts                 = passwd;$local_part@$domain_data : lsearch;/usr/local/etc/dovecot/users

===

Here is the data from exim -bt -d emailUser@emailDomain.com

===
--------> vacationUser router <--------
local_part=emailUser domain=emailDomain.com
checking domains
 search_open: lsearch "/usr/local/etc/exim/vacation-domains"
   cached open
 search_find: file="/usr/local/etc/exim/vacation-domains"
   key="emailDomain.com" partial=-1 affix=NULL starflags=0 opts="ret=key"
 LRU list:
   7/usr/local/etc/exim/vacation-domains
   7/usr/local/etc/exim/vusers.emailDomain.com
   7/usr/local/etc/dovecot/users
   End
 internal_search_find: file="/usr/local/etc/exim/vacation-domains"
   type=lsearch key="emailDomain.com" opts=NULL
 cached data used for lookup of emailDomain.com
   in /usr/local/etc/exim/vacation-domains
 lookup yielded:
emailDomain.com in "emailDomain.com"?
 list element: emailDomain.com
 emailDomain.com in "emailDomain.com"? yes (matched "emailDomain.com")
checking local_parts
 search_open: lsearch "/usr/local/etc/dovecot/users"
   cached open
 search_find: file="/usr/local/etc/dovecot/users"
   key="emailUser@emailDomain.com" partial=-1 affix=NULL starflags=0 opts="ret=key"
 LRU list:
   7/usr/local/etc/dovecot/users
   7/usr/local/etc/exim/vacation-domains
   7/usr/local/etc/exim/vusers.emailDomain.com
   End
 internal_search_find: file="/usr/local/etc/dovecot/users"
   type=lsearch key="emailUser@emailDomain.com" opts=NULL
 cached data used for lookup of emailUser@emailDomain.com
   in /usr/local/etc/dovecot/users
 lookup yielded: {BLF-CRYPT}$2a$05$xqWtKL1l.e3B98ISN0xbyOSROOIcMgAn6hIBZ7J9tHp/Wu28jvJfy::::::
emailUser in "emailUser@emailDomain.com"?
 list element: emailUser@emailDomain.com
emailUser in "emailUser@emailDomain.com"? no (end of list)
vacationUser router skipped: local_parts mismatch


Re: Untainting data and Vacation configuration
On 21/03/2024 17:59, Glenn Gregorec via Exim-users wrote:
>  lookup yielded: {BLF-CRYPT}$2a$05$xqWtKL1l.e3B98ISN0xbyOSROOIcMgAn6hIBZ7J9tHp/Wu28jvJfy::::::

So the "local_users" option setting is telling Exim to try to match the
local_part of the recipient to a local-part list which looks like
"{BLF-CRYPT}$2a$05$xqWtKL1l.e3B98ISN0xbyOSROOIcMgAn6hIBZ7J9tHp/Wu28jvJfy::::::"

It doesn't match that list, so this router does not fire.

I think you should go back to the Exim documentation on
"general options for routers", "lists" and "lookups".
--
Cheers,
Jeremy


Re: Untainting data and Vacation configuration
Thank You Jeremy!  :-)

I went back and read up some on lookups (Chapter 9 - File and database
lookups) in particular.

May I get some insight as to why this lookup does not work properly:

local_parts                 = ${lookup{${lc:$local_part@$domain}}lsearch,ret=key{/usr/local/etc/dovecot/users}}

Is not the option, ret=key, supposed to return the actual lookup key?

Although the lookup yielded "{BLF-CRYPT}$2a$05$xqWtKL1l.e3B98ISN0xbyOSROOIcMgAn6hIBZ7J9tHp/Wu28jvJfy::::::", the next line shows another lookup?

emailUser in "emailUser@emailDomain.com"?
 list element: emailUser@emailDomain.com
emailUser in "emailUser@emailDomain.com"? no (end of list)

Is this not trying to lookup the string "emailUser" in the string
"emailUser@emailDomain.com"?  Should this not return true?

===
Removing ret=key from the lookup yields:

emailUser in "{BLF-CRYPT}$2a$05$xqWtKL1l.e3B98ISN0xbyOSROOIcMgAn6hIBZ7J9tHp/Wu28jvJfy::::::"?
 list element: {BLF-CRYPT}$2a$05$xqWtKL1l.e3B98ISN0xbyOSROOIcMgAn6hIBZ7J9tHp/Wu28jvJfy:::
emailUser in "{BLF-CRYPT}$2a$05$xqWtKL1l.e3B98ISN0xbyOSROOIcMgAn6hIBZ7J9tHp/Wu28jvJfy::::::"? no (end of list)


===
I am just trying to get a value into $local_part_data which is
untainted.  Is there a better way to handle this?

Again, Thank You for Your Assistance!!!

glenn


Re: Untainting data and Vacation configuration
On Fri, Mar 22, 2024 at 11:51:05AM -0700, Glenn Gregorec via Exim-users wrote:

> emailUser in "emailUser@emailDomain.com"?
> list element: emailUser@emailDomain.com
> emailUser in "emailUser@emailDomain.com"? no (end of list)

> Is this not trying to lookup the string "emailUser" in the string
> "emailUser@emailDomain.com"? Should this not return true?

This part is easy: the answer is no. "List" in exim is a technical term,
they are more structured than mere strings.

emailUser in "emailUser : emailDomain.com"

would return true.

--
Ian
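As an added illustration of the list rules Ian refers to (this is not Exim's own code and was not posted in the thread), here is a small Python model of how Exim splits a list before matching: items are separated by a colon, a doubled "::" stands for a literal colon, whitespace around items is ignored, and a list starting with "<" plus one character uses that character as the separator. Case-insensitive comparison of plain items is assumed as the default for local-part lists, and empty items are simply dropped, which is a simplification.

```python
# Model of Exim's list splitting, written for this thread; not Exim source.
# The hash value below is the one shown in the debug output of this thread.
DOVECOT_HASH = "{BLF-CRYPT}$2a$05$xqWtKL1l.e3B98ISN0xbyOSROOIcMgAn6hIBZ7J9tHp/Wu28jvJfy"
LOOKUP_RESULT = DOVECOT_HASH + "::::::"   # what the lsearch of the users file returned


def split_exim_list(text: str) -> list[str]:
    """Split an Exim list into its items.

    Rules modelled: ':' separates items, '::' is a literal colon, a leading
    '<x' makes 'x' the separator, and surrounding whitespace is trimmed.
    Empty items are dropped (assumption made here to keep the model short).
    """
    sep = ":"
    if len(text) >= 2 and text[0] == "<" and not text[1].isspace():
        sep, text = text[1], text[2:]
    items, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == sep:
            if i + 1 < len(text) and text[i + 1] == sep:
                current.append(sep)          # doubled separator -> literal character
                i += 2
                continue
            items.append("".join(current))   # end of an item
            current = []
        else:
            current.append(ch)
        i += 1
    items.append("".join(current))
    return [item.strip() for item in items if item.strip()]


def in_exim_list(subject: str, text: str) -> bool:
    """True when subject equals one item of the list (plain items, case-insensitive)."""
    return any(subject.lower() == item.lower() for item in split_exim_list(text))


if __name__ == "__main__":
    # The three situations seen in the thread's debug output.
    print(in_exim_list("user", "user@domain.com"))                 # False: one item, "user@domain.com"
    print(in_exim_list("emailUser", "emailUser : emailDomain.com"))  # True: two items
    print(split_exim_list(LOOKUP_RESULT))                          # six colons collapse to ":::"
```

The last call reproduces the "list element: ...Wu28jvJfy:::" line from the debug output: the six trailing colons of the lookup result are three doubled separators, so the whole password entry is a single list item that can never equal a local part.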

Re: Untainting data and Vacation configuration
Thank You Ian!

I have updated my lookup to this:

local_parts                 = ${lookup{${local_part}@${domain}}lsearch,{/usr/local/etc/dovecot/users}{$local_part}{no}}

This returns:

 internal_search_find: file="/usr/local/etc/dovecot/users"
   type=lsearch key="emailUser@emailDomain.com" opts=NULL
 file lookup required for emailUser@emailDomain.com
   in /usr/local/etc/dovecot/users
 creating new cache entry
 lookup yielded: {BLF-CRYPT}$2a$05$xqWtKL1l.e3B98ISN0xbxOSROOIcMgAn6hIBZ7J9tHp/Wu28jvJfy::::::
emailUser in "emailUser"?
 list element: emailUser
 emailUser in "emailUser"? yes (matched "emailUser")
ROUTER - vacationUser for emailUser@emailDomain - Local_part_data is emailUser - Domain_data is emailDomain
calling vacationUser router
rda_interpret (file): '/var/vmail/$domain_data/$local_part_data@$domain_data/.vacation.msg'
expanded: '/var/vmail/emailDomain/emailUser@emailDomain.com/.vacation.msg' (tainted)
vacationUser router: defer for emailUser@emailDomain.com
  message: Tainted name '/var/vmail/emailDomain.com/emailUser@emailDomain.com/.vacation.msg' for file read not permitted

This gets the lookup to work.  However, my $domain_data and
$local_part_data are still tainted?  Everything I have read says they
should only have untainted data.  What am I doing wrong?  :-/

Thank You!

glenn


