sympa-community / sympa-community.github.io

Incubating the new Sympa documentation site
https://www.sympa.community

Exim 4 configuration changes following taint checking in 4.96 #102

Closed alan-hicks closed 9 months ago

alan-hicks commented 1 year ago

As of Exim 4.96 it is no longer possible to rely on $local_part and $domain in received email as they are considered tainted. Both the local_part and domain must be checked before they can be used and after a successful match are available de-tainted in $local_part_data and $domain_data.

The Transport change is from:

command = /usr/lib/sympa/bin/queue ${local_part}\@$domain

to

command = /usr/lib/sympa/bin/queue "${local_part_data}@$domain_data"

My configuration uses Postgres lookups instead of aliases, YMMV.

Sympa aliases

ALIAS_LIST_DOMAINS = SELECT robot_list \
    FROM list_table \
    WHERE robot_list='${quote_pgsql:$domain}';
ALIAS_LIST_COMMAND_LOCAL_PARTS = \
    SELECT 'sympa' \
    FROM list_table \
    WHERE robot_list='${quote_pgsql:$domain}';
ALIAS_LIST_LOCAL_PARTS = \
    SELECT name_list \
    FROM list_table \
    WHERE robot_list='${quote_pgsql:$domain}' \
    AND name_list='${quote_pgsql:$local_part}';
ALIAS_LIST_BOUNCE_LOCAL_PARTS = \
    SELECT '${quote_pgsql:$local_part}' AS local_parts \
    FROM list_table \
    WHERE robot_list='${quote_pgsql:$domain}' \
    AND '${quote_pgsql:$local_part}' LIKE 'bounce+%';
ALIAS_LIST_DOMAIN = SELECT count(*) \
    FROM list_table \
    WHERE robot_list='${quote_pgsql:$domain}';
ALIAS_SYMPA_LIST = SELECT count(*) \
    FROM list_table \
    WHERE robot_list='${quote_pgsql:$domain}' \
    AND name_list='${quote_pgsql:$local_part}';

Routers

sympa_list_command:
  driver = accept
  domains = ${lookup pgsql{ALIAS_LIST_DOMAINS}}
  local_parts = ${lookup pgsql{ALIAS_LIST_COMMAND_LOCAL_PARTS}}
  retry_use_local_part
  transport = sympa_queue_transport

sympa_list:
  driver = accept
  domains = ${lookup pgsql{ALIAS_LIST_DOMAINS}}
  local_parts = ${lookup pgsql{ALIAS_LIST_LOCAL_PARTS}}
  transport = sympa_queue_transport

listrequest:
  driver = accept
  local_part_suffix = -request
  domains = ${lookup pgsql{ALIAS_LIST_DOMAINS}}
  local_parts = ${lookup pgsql{ALIAS_LIST_LOCAL_PARTS}}
  retry_use_local_part
  transport = sympa_queue_transport

listeditor:
  driver = accept
  local_part_suffix = -editor
  domains = ${lookup pgsql{ALIAS_LIST_DOMAINS}}
  local_parts = ${lookup pgsql{ALIAS_LIST_LOCAL_PARTS}}
  retry_use_local_part
  transport = sympa_queue_transport

listsubscribe:
  driver = accept
  local_part_suffix = -subscribe
  domains = ${lookup pgsql{ALIAS_LIST_DOMAINS}}
  local_parts = ${lookup pgsql{ALIAS_LIST_LOCAL_PARTS}}
  retry_use_local_part
  transport = sympa_queue_transport

listunsubscribe:
  driver = accept
  local_part_suffix = -unsubscribe
  domains = ${lookup pgsql{ALIAS_LIST_DOMAINS}}
  local_parts = ${lookup pgsql{ALIAS_LIST_LOCAL_PARTS}}
  retry_use_local_part
  transport = sympa_queue_transport

listowner:
  driver = accept
  local_part_suffix = -owner
  domains = ${lookup pgsql{ALIAS_LIST_DOMAINS}}
  local_parts = ${lookup pgsql{ALIAS_LIST_LOCAL_PARTS}}
  retry_use_local_part
  transport = sympa_queue_transport

listbounce:
  driver = accept
  local_part_prefix = bounce+
  domains = ${lookup pgsql{ALIAS_LIST_DOMAINS}}
  local_parts = ${lookup pgsql{ALIAS_LIST_BOUNCE_LOCAL_PARTS}}
  retry_use_local_part
  transport = sympa_bounce_queue_transport

Transports

sympa_queue_transport:
  driver = pipe
  rcpt_include_affixes = true
  command = SYMPA_QUEUE "${local_part_data}@$domain_data"
  user = sympa
  group = sympa
  return_fail_output
  return_path_add

sympa_bounce_queue_transport:
  driver = pipe
  command = SYMPA_BOUNCE "${local_part_data}@$domain_data"
  user = sympa
  group = sympa
  return_fail_output
  return_path_add

https://www.sympa.community/manual/install/configure-mail-server-exim4.html
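The same de-tainting pattern applied to a deployment that keeps Sympa's generated alias file instead of Postgres, as an added example that is not part of the issue or the Sympa manual. The file paths /etc/mail/sympa/aliases and /etc/mail/sympa/domains, and the lsearch lookups against them, are assumptions; the bounce+ prefix addresses are not covered by this router.

```exim
# Assumed paths; adjust to the local Sympa install.
SYMPA_ALIASES = /etc/mail/sympa/aliases
SYMPA_DOMAINS = /etc/mail/sympa/domains
SYMPA_QUEUE   = /usr/lib/sympa/bin/queue

begin routers

sympa_aliases:
  driver = accept
  # Each precondition is a lookup on tainted input. A successful match
  # stores the de-tainted copy in $domain_data / $local_part_data;
  # $domain and $local_part themselves stay tainted and are never passed
  # to the pipe command below.
  domains = lsearch;SYMPA_DOMAINS
  # lsearch matches a line that starts with the key followed by a colon,
  # so Sympa's own "listname: |..." alias lines serve as the allow-list.
  local_parts = lsearch;SYMPA_ALIASES
  transport = sympa_queue_transport

begin transports

sympa_queue_transport:
  driver = pipe
  # Double quotes keep the address as a single argument to the queue
  # program even if the local part contains whitespace.
  command = SYMPA_QUEUE "${local_part_data}@$domain_data"
  user = sympa
  group = sympa
  return_fail_output
  return_path_add
```

Referring to $local_part or $domain in the transport command would fail with a taint error under 4.96, which is a useful check that every address reaching the pipe has passed both lookups.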