Hi, Security changes to Exim have invalidated certain suggested configurations in the Dovecot wiki.
As I do not have a Dovecot installation to test, I am not going to write any updates there. It would be good if someone would test these suggestions and then make updates as needed. 1) The use of $local_part and $domain in commands run by the "pipe" transport will be disallowed in the upcoming Exim release. These are currently noted as optional, with the "-m" flag to dovecot-lda. They should be replaced with validated (untainted) versions, commonly $local_part_data and $domain_data, developed via one of the several de-taint methods documented for Exim. The same applies to $original_local_part and $original_domain. 2) The use of $sender_address will likewise be disallowed. This and the "-f" flag can be dropped from the dovecot-lda command line, and the specification of a null "message_prefix" option removed. The defaults for a pipe transport will then prefix the message with a suitable Mbox "From " header line, which dovecot-lda is documented to extract the sender from. Both of these suggestions are back-compatible to the current 4.95 release of Exim, and will be required with the 4.96 release. -- Cheers, Jeremy Refs: - https://wiki.dovecot.org/LDA/Exim - https://doc.dovecot.org/configuration_manual/protocols/lda/
