[exim] Exim 4.94.0.4 works where Exim 4.94 fails with tainted path 'not permitted'

[Mike Tubby via Exim-users]

All,

So you can tell its Lockdown 2.0 as I am catching up with email server 
sysadmin, updating spam scanning and antivirus ready for when the 
thought police visit next month.

I have been running Exim 4.93.0.4 successfully with virtual domains with 
a MySQL backend in first-normal form and its been working 'really 
well'(tm) and I've added some tweeks like getting spam delivered into 
junk folders - if the user wants it configured that way using a couple 
of routers and a couple of transports:


*Routers*

#
# Junk folder router - calls alternative junk delivery if spam status is yes
# and user has elected to use the junk folder.
#
junk_folder_router:
        driver = accept
        condition = ${if and {  {def:h_X-Spam-Status:} \
                                {eq {$h_X-Spam-Status:}{Yes}} \
                        }}
        condition = ${lookup mysql{SELECT 
CONCAT(users.username,'@',domains.domain) AS email FROM \
                users LEFT JOIN domains ON users.domain_id=domains.id 
WHERE \
                users.username='${quote_mysql:$local_part}' AND \
                domains.domain='${quote_mysql:$domain}' AND \
                users.active=1 AND \
                users.junk_folder=1 AND \
                domains.active=1}{yes}{no}}
        transport = local_junk_delivery
        user = mail
        group = mail


*Transports*

#
# Normal local delivery
#
normal_delivery_router:
        driver = accept
        condition = ${lookup mysql{SELECT 
CONCAT(users.username,'@',domains.domain) AS email FROM \
                users LEFT JOIN domains ON users.domain_id=domains.id 
WHERE \
                users.username='${quote_mysql:$local_part}' AND \
                domains.domain='${quote_mysql:$domain}' AND \
                users.active=1 AND \
                domains.active=1}{yes}{no}}
        transport = local_delivery
        user = mail
        group = mail



#
# This transport delivers to local users with virtual mailboxes in Maildir
# format into the primary Maildir/virtual INBOX
#
local_delivery:
        driver = appendfile
        maildir_format = true
        directory = /srv/mail/$domain/$local_part/Maildir
        create_directory = true
        directory_mode = 0770
        mode_fail_narrower = false
        message_prefix =
        message_suffix =
        delivery_date_add
        envelope_to_add
        return_path_add
        user = mail
        group = mail
        mode = 0660

#
# This transport delivers to local user's Junk folder and is used for
# routing suspected spam
#
local_junk_delivery:
        driver = appendfile
        maildir_format = true
        directory = /srv/mail/$domain/$local_part/Maildir/.Junk
        create_directory = true
        directory_mode = 0770
        mode_fail_narrower = false
        message_prefix =
        message_suffix =
        delivery_date_add
        envelope_to_add
        return_path_add
        user = mail
        group = mail
        mode = 0660


*Tainted file paths?*

However if I upgrade from Exim 4.93.0.4 to Exim 4.94 (exactly the same 
Makefile and options) and run out the mail queue waiting on the upstream 
relay I get a load of 'tainted' and 'not permitted' messages and failed 
deliveries:

2020-11-07 20:16:57 1kbUdY-0003XV-I1 == mike.tu...@thorcom.co.uk 
R=junk_folder_router T=local_junk_delivery defer (-1): Tainted 
'/srv/mail/thorcom.co.uk/mike.tubby/Maildir/.Junk' (file or directory 
name for local_junk_delivery transport) not permitted
2020-11-07 20:16:57 1kbUdY-0003XS-2P == mike.tu...@thorcom.co.uk 
R=junk_folder_router T=local_junk_delivery defer (-1): Tainted 
'/srv/mail/thorcom.co.uk/mike.tubby/Maildir/.Junk' (file or directory 
name for local_junk_delivery transport) not permitted
2020-11-07 20:16:57 1kbUda-0003Xm-Oa == mike.tu...@thorcom.co.uk 
R=junk_folder_router T=local_junk_delivery defer (-1): Tainted 
'/srv/mail/thorcom.co.uk/mike.tubby/Maildir/.Junk' (file or directory 
name for local_junk_delivery transport) not permitted
2020-11-07 20:16:57 1kbUdZ-0003Xi-Gx == mike.tu...@thorcom.co.uk 
R=junk_folder_router T=local_junk_delivery defer (-1): Tainted 
'/srv/mail/thorcom.co.uk/mike.tubby/Maildir/.Junk' (file or directory 
name for local_junk_delivery transport) not permitted
2020-11-07 20:16:57 1kbUdW-0003XN-Nv == mike.tu...@thorcom.co.uk 
R=junk_folder_router T=local_junk_delivery defer (-1): Tainted 
'/srv/mail/thorcom.co.uk/mike.tubby/Maildir/.Junk' (file or directory 
name for local_junk_delivery transport) not permitted

reverting back to Exim 4.94.0.4 resolves this.


What do I need to know to fix this one?



Mike

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/