Package: exim4-config
Version: 4.96-15+deb12u4
Severity: minor

Dear Maintainer,

I set up a system sending mail via UUCP. In doing so, I read through
section 2.10 of the README.Debian provided. The problem with the
example given is that Exim has a taint check and the example uses
$sender_address in a command, which is tainted. The result is that
exim refuses to run the command and so mail doesn't get sent.

There are three instances of $sender_address being used this way in
the README.Debian file.


As for what to write instead, I'm not so sure.

This is what I currently use:

root@sibirocobombus:~# cat /etc/exim4/conf.d/transport/40_exim4-config_uucp
### uucp
### based on /usr/share/doc/exim4-base/README.Debian.gz

rsmtp:
    debug_print = "T: rsmtp for $pipe_addresses"
    driver=pipe
    command = /usr/bin/uux - -r -a${lookup{$sender_address_local_part}lsearch,ret=key{/etc/passwd}} -gC $domain_data!rsmtp
    use_bsmtp
    return_fail_output
    user=uucp
    batch_max = 100

The lookup in the /etc/passwd file, combined with the ret=key option,
ensures that the key is now untainted. This works for me because the
alerts are sent via local delivery.

Cheers
Alex
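
Added example (not part of the original report, and not Exim or Debian code): a small Python check that scans transport configuration for tainted variables used directly in a pipe "command =" option, while accepting the lookup-key pattern described in the report. The TAINTED set is a partial, assumed list; BEFORE is a constructed sample and AFTER mirrors the transport shown above.

```python
import re

# Assumption: a partial list of expansion variables that Exim marks as
# tainted because their content comes from the message or the sender.
TAINTED = {"sender_address", "sender_address_local_part",
           "sender_address_domain", "local_part", "domain"}
VAR = re.compile(r"\$\{?([A-Za-z_]\w*)")
LOOKUP = "${lookup{"

def logical_lines(text):
    """Join backslash-continued lines into single option lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def lookup_key_spans(s):
    """Return (start, end) spans of the key in each ${lookup{key}...}."""
    spans, pos = [], s.find(LOOKUP)
    while pos != -1:
        start = pos + len(LOOKUP)
        depth, i = 1, start
        while i < len(s) and depth:          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(s[i], 0)
            i += 1
        spans.append((start, i))
        pos = s.find(LOOKUP, start)
    return spans

def tainted_in_commands(config):
    """List (line, variable) for tainted variables used bare in command =."""
    hits = []
    for line in logical_lines(config):
        if not re.match(r"command\s*=", line):
            continue
        keys = lookup_key_spans(line)
        for m in VAR.finditer(line):
            as_key = any(a <= m.start() < b for a, b in keys)
            if m.group(1) in TAINTED and not as_key:
                hits.append((line, m.group(1)))
    return hits

# Constructed sample: a tainted variable placed directly on the command line.
BEFORE = r"""command = /usr/bin/uux - -r -a$sender_address -gC \
    $domain_data!rsmtp"""
# The same option with the variable used only as a lookup key.
AFTER = r"command = /usr/bin/uux - -r -a${lookup{$sender_address_local_part}lsearch,ret=key{/etc/passwd}} -gC $domain_data!rsmtp"
```

tainted_in_commands(BEFORE) reports sender_address, and tainted_in_commands(AFTER) reports nothing.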
