On 10/26/20 12:22 PM, Jeremy Harris via Exim-users wrote:
On 26/10/2020 09:53, Gregory Edigarov via Exim-users wrote:
Having this in config, exim-4.94

local_copy_incoming:
   driver = appendfile
   directory = /var/vmail/backup/$domain/$local_part/incoming

Most of this info is in the documentation.

You need to deliberately check that those variable
values, which have been supplied by a potential
attacker, are actually valid on your system.  This has to
be done in a way that Exim knows a validated version
of the data that you can use in that "directory" option.

If the local_part is a real user on the system then
the "check_local_user" option on the router selecting
this transport is the simplest way for this component.
A success for that check fills in $local_part_data
with an untainted version of $local_part.

For virtual users (not existing in the password file),
and for domains, you have to do deliberate lookups
in other local sources of data.  You might, for example,
have a Postgres DB with your list of locally-serviced
domains.  Commonly your router will be checking for these
domains using a "domains" condition.  If this condition
uses a lookup then it will populate $domain_data
with an untainted result from the lookup.  Likewise, the
"local_parts" option can populate $local_part_data from
a lookup result.

Well, in my use case, this local_copy_incoming transport
is chained to virtual_delivery transport, via the

virtual_delivery:
  driver = appendfile
  envelope_to_add
  return_path_add
  mode = 0600
  maildir_format = true
  create_directory = true
  directory = ${extract{smtp}{$address_data}}
  user = mail
#${extract{uid}{$address_data}}
  group = mail
#${extract{gid}{$address_data}}
  quota = ${extract{quota}{$address_data}{${value}M}}
  quota_is_inclusive = false
  #quota_size_regex = ,S=(\d+):
  quota_warn_threshold = 75%
  maildir_use_size_file = false
  quota_warn_message = "To: $local_part@$domain\n\
                        Subject: Mailbox quota warning\n\n\
                        This message was automatically generated by the mail delivery software.\n\n\
                        You are now using over 75% of your allocated mail storage quota.\n\n\
                        If your mailbox fills completely, further incoming messages will be automatically\n\
                        returned to their senders.\n\n\
                        Please take note of this and remove unwanted mail from your mailbox.\n"
  shadow_transport = local_copy_incoming



which resolves from this router:

virtual_domains:
  driver = redirect
  domains = +local_domains
  address_data = ${lookup mysql{\
        select smtp, users.sa_tag*10 AS sa_tag, users.on_spamassassin AND domains.spamassassin AS on_spamassassin, \
        users.uid AS uid, users.gid AS gid, quota \
        from users,domains \
        where localpart = '${quote_mysql:$local_part}' \
                and domain = '${quote_mysql:$domain}' \
                and domains.enabled = '1' \
                and users.enabled = '1' \
                and users.domain_id = domains.domain_id}{$value}fail}
  allow_fail
  data = ${extract{smtp}{$address_data}}
  headers_add = ${if and { \
                    {match{$domain}{$original_domain}} \
                    {match{$local_part}{$original_local_part}} \
                    {>={$spam_score_int}{${extract{sa_tag}{$address_data}}}} \
                    {eq{1}{${extract{on_spamassassin}{$address_data}}}} \
                    } {X-Spam-Flag: YES\nX-Spam-Score: $acl_m_spam_score\nX-Spam-Report: $acl_m_spam_report}{} }
  local_part_suffix = +*
  local_part_suffix_optional
  retry_use_local_part
  file_transport = virtual_delivery
  reply_transport = address_reply
  pipe_transport = address_pipe

This router and virtual_delivery transport work just OK.

So the question is how to correctly connect shadow transport to this processing in case of 4.94?


Thank you

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
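
The advice quoted in the thread (let a lookup in the router's "domains" and "local_parts" options fill $domain_data and $local_part_data, then build the path from those) could look like the sketch below. It is an added example, not configuration posted by anyone in the thread, and it shows only the options that change. Assumptions: the table and column names are reused from the posted address_data query, the `domain` column is taken to live in the `domains` table, and the direct lookup stands in for the `+local_domains` named list.

```exim
# Added example, not from the thread. Everything not shown here stays as in
# the posted router and transports.

virtual_domains:
  driver = redirect
  # Query-style lookup in "domains": when it matches, $domain_data holds the
  # value returned by the database rather than the string from the envelope.
  # (Assumes the "domain" column is in the "domains" table.)
  domains = mysql;select domain from domains \
            where domain = '${quote_mysql:$domain}' \
            and domains.enabled = '1'
  # Same approach for the local part: a match fills $local_part_data.
  local_parts = mysql;select localpart from users,domains \
            where localpart = '${quote_mysql:$local_part}' \
            and domain = '${quote_mysql:$domain}' \
            and users.enabled = '1' \
            and users.domain_id = domains.domain_id
  # ... address_data, data, headers_add, file_transport etc. as posted ...

virtual_delivery:
  driver = appendfile
  # ... other options as posted ...
  shadow_transport = local_copy_incoming

local_copy_incoming:
  driver = appendfile
  # The path is built only from the looked-up values, never from
  # $domain or $local_part directly.
  directory = /var/vmail/backup/$domain_data/$local_part_data/incoming
```

Because the path components come from the database rows, a recipient address that matches no enabled user and domain never reaches the transport, and the directory name uses the spelling stored in the database.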
