On 12/06/2024 11:33, Thew, Alan via Exim-users wrote:
> listserv_pipe:
>   driver = pipe
>   command = /XXXXX/bin/lsv_amin -t $local_part
>
>   driver = accept
>   condition = ${if match{$local_part}{-dmarc-}{yes}{no}}
>   retry_use_local_part
>   transport = listserv_pipe
>   no_verify

Read up on taint in the docs.

The common place for a de-tainting operation is in a router, by extracting from trusted data (i.e. held locally on the system) using the tainted data as a search key. Usually this is done in a way that (for a local-part) populates a variable "$local_part_data".

The verification you are doing - a regex match - is technically insufficient because Exim cannot reason deeply about REs. It's also not good enough on a wider view, as it doesn't refuse content within the (possibly attacker-supplied) local-part which is potentially damaging. Think in terms of shell metacharacters, and Exim's own expansion syntax - and never forget the lessons of the log4j debacle.

--
Cheers,
  Jeremy
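
The de-tainting pattern described in the reply above, as an added example that is not part of the original thread or of anyone's actual configuration: the router looks the local part up in a locally held file, and the transport uses the looked-up value rather than the address as received. The router name, the lookup file path and the list names in it are assumptions made for illustration.

```exim
# ---- routers section ----
# Router name "listserv_dmarc" and the file path are hypothetical.
#
# /etc/exim/listserv-dmarc-lists is a root-owned file on the mail host,
# one permitted local part per line, written as "key: value" so that the
# lookup returns the trusted copy of the name (constructed sample):
#
#   staff-dmarc-request:  staff-dmarc-request
#   alumni-dmarc-request: alumni-dmarc-request
#
# The incoming (tainted) $local_part is used only as the search key.
# On a hit, $local_part_data is set to the value read from the file,
# which is untainted because it came from local data.
# On a miss, the local_parts precondition fails, the router is skipped,
# and nothing derived from the address reaches the pipe command.
listserv_dmarc:
  driver = accept
  local_parts = lsearch;/etc/exim/listserv-dmarc-lists
  retry_use_local_part
  transport = listserv_pipe
  no_verify

# ---- transports section ----
# $local_part_data replaces $local_part: the argument handed to the
# program can only ever be one of the strings listed in the file, so
# shell metacharacters or expansion syntax in the received address
# never appear on the command line.
listserv_pipe:
  driver = pipe
  command = /XXXXX/bin/lsv_amin -t $local_part_data
```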