> We have been briefly discussing that very issue last year and the consensus was basically going the environment
variableroute (which can also be implemented on older exim installs) - the above list is only the "default" set of
environmentvariables available and we can add more.
But using environment variable is just working around the problem by evading the security mechanism. Documentation
stillwarns about being careful [1]. And given that exim keeps extending tainting to more places, it's possible this
solutionwill break in the future.
I think I found a good, yet hacky, workaround: using a pgsql lookup to insert the values directly into the database.
Thisway, we avoid passing dangerous data through a shell, and we can escape them using ${quote_pgsql}. Using
event_action,I can execute this at the right time (after delivery).
My current solution is something like this:
command = /pglister_path/web/pglister/bin/python /pglister_path/bin/inject.py -d $local_part_data@$domain_data -m
$message_id-s ''
event_action = ${if eq {msg:delivery}{$event_name} {${lookup pgsql{update incoming_mail set
sender='${quote_pgsql:$sender_address}'where messageid='${quote_pgsql:$message_id}'; notify incoming}} {}}}
and removing the "notify incoming" in inject.py.
This still requires tweaking and adding the bounce case, but I think it's a good start and tests are working so far.
[1] : https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_pipe_transport.html point 4
--
Célestin Matte
