On 20/07/2022 15:37, Kirill Miazine via Exim-users wrote:
> IIRC Mailman has some facility to generate aliases file, which Exim
> could be using. Mailman is able to generate those automatically, and
> that should make the taint checking happy, as there won't be any unsafe
> variables left.

Getting a file out of Mailman to verify recipient names against would be ideal.
You want also to use a static list of possible affixes, rather than a wildcard.

Handling initial signups for a list, where you don't have a known name
to verify, seems like it could be an issue.  Still, do a proper job
on all the possible other cases first, to reduce the attack surface,
*before* resorting to deliberately subverting Exim's attempts to
provide security.

These attempts are not perfect; there are ways of evading them.
But do not forget the log4j fracas.

Looking at
https://bazaar.launchpad.net/~mailman-coders/mailman/2.1/files/head:/Mailman/MTA
it seems you'd have to say that your MTA is Postfix.

:-(

--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
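
An added example, not part of the thread or of Exim or Mailman: a Python sketch of the check discussed above, where a recipient local part is accepted only if it resolves to a list name read from a Mailman-generated aliases file plus a suffix from a static list. The suffix set, the Postfix-style alias layout, the sample data and the function names are assumptions made for illustration.

```python
import re

# Static affix list instead of a wildcard (assumed set; match it to your install).
SUFFIXES = ("-admin", "-bounces", "-confirm", "-join", "-leave",
            "-owner", "-request", "-subscribe", "-unsubscribe")

# Constructed sample, in the Postfix-style layout assumed for the generated file.
SAMPLE_ALIASES = '''\
# STANZA START: exim-users
exim-users:          "|/usr/lib/mailman/mail/mailman post exim-users"
exim-users-owner:    "|/usr/lib/mailman/mail/mailman owner exim-users"
# STANZA END: exim-users
test-owner:          "|/usr/lib/mailman/mail/mailman post test-owner"
'''

# Only the "post" alias names the list itself; the key must equal the list name.
ALIAS_RE = re.compile(r'^([a-z0-9][a-z0-9._-]*):\s+"\|\S+ post (\S+)"\s*$')

def load_list_names(text):
    """Return {list name: list name} taken from the trusted aliases file."""
    names = {}
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m and m.group(1) == m.group(2):
            names[m.group(1)] = m.group(1)
    return names

def resolve(local_part, lists):
    """Map an untrusted local part to (list, suffix), or None to reject.

    Both returned strings come from trusted data (the file and SUFFIXES),
    never from the input, which is what a lookup result gives you in Exim.
    """
    lp = local_part.lower()
    if lp in lists:                      # exact list name wins over suffix parsing
        return lists[lp], ""
    for suffix in SUFFIXES:
        if lp.endswith(suffix):
            base = lists.get(lp[:-len(suffix)])
            if base is not None:
                return base, suffix
    return None

if __name__ == "__main__":
    known = load_list_names(SAMPLE_ALIASES)
    for rcpt in ("exim-users-owner", "test-owner", "../../etc/passwd-owner"):
        print(rcpt, "->", resolve(rcpt, known))
```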
