exim & dkim "tainted filename"
Hi,
I have discovered one of my hosts is not able to DKIM-sign outgoing messages.
The /var/log/exim.paniclog is full of messages like this
2023-05-17 13:09:36 1pz7Xg-00083V-31 Tainted filename '/var/cpanel/domain_keys/private/[redacted].com.au'
2023-05-17 13:09:36 1pz7Xg-00083V-31 unable to open file for reading: /var/cpanel/domain_keys/private/[redacted].com.au
2023-05-17 13:13:11 1pz7bC-0008JM-02 Tainted filename '/var/cpanel/domain_keys/private/[redacted].com.au'
2023-05-17 13:13:11 1pz7bC-0008JM-02 unable to open file for reading: /var/cpanel/domain_keys/private/[redacted].com.au
exim version
# whmapi1 installed_versions packages=1|grep exim:
cpanel-exim: 4.96-8.cp108~el7
I know 4.94 introduced a bug like this but I'm not running that version.
dkim config in the exim.conf has these entries
smarthost_dkim:
  driver = manualroute
  domains = !"+local_domains +smart_hosts"
  condition = "${if eq{${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}{$value}}}{}{false}{true}}"
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : [redacted]
  headers_add = "${perl{mailtrapheaders}}"
  require_files = "+/var/cpanel/domain_keys/private/${sender_address_domain}"
  transport = remote_smtp_smart_dkim
  route_list = !+local_domains "${lookup{$sender_address_domain}partial-lsearch{/etc/staticroutes}}"

remote_smtp_smart_dkim:
  driver = smtp
  hosts_require_tls = *
  interface = ${if exists {/etc/mailips}{${lookup{$sender_address_domain}lsearch*{/etc/mailips}{$value}{}}}{}}
  helo_data = ${if exists {/etc/mailhelo}{${lookup{$sender_address_domain}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}{$primary_hostname}}
  dkim_domain = $sender_address_domain
  dkim_selector = default
  dkim_private_key = "/var/cpanel/domain_keys/private/${dkim_domain}"
  dkim_canon = relaxed
Can someone point me in the right direction here?
Ah, so it's my 'smarthost based on sender domain' mod.
Fixed. For future googlers: exim needs to look up the DKIM keys, it won't accept a value from the email, so change these:
require_files = "+/var/cpanel/domain_keys/private/${lookup{$sender_address_domain}dsearch{/var/cpanel/domain_keys/private/}}"
dkim_private_key = "/var/cpanel/domain_keys/private/${lookup{$dkim_domain}dsearch{/var/cpanel/domain_keys/private/}}"
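Why the dsearch form in the fix above is accepted, shown as an added Python model that is not part of the original thread and is not Exim or cPanel code: a dsearch lookup returns the name of a directory entry that matches the key, so the filename comes from the filesystem rather than from the message, and Exim treats that result as untainted. The helper names, sample domains and temporary directory layout are constructed for illustration.

```python
import os
import tempfile


def naive_key_path(key_dir, sender_domain):
    """Pre-fix pattern: the sender-supplied domain is pasted straight into the path."""
    return os.path.normpath(os.path.join(key_dir, sender_domain))


def dsearch(key_dir, key):
    """Model of a dsearch-style lookup: return the directory entry named `key`, else None."""
    # A key containing a path separator is never a single directory entry.
    if not key or "/" in key or key in (".", ".."):
        return None
    for entry in os.listdir(key_dir):
        if entry == key:
            return entry  # the value returned originates from the directory listing
    return None


def safe_key_path(key_dir, sender_domain):
    """Post-fix pattern: only a name found inside key_dir can end up in the path."""
    entry = dsearch(key_dir, sender_domain)
    return None if entry is None else os.path.join(key_dir, entry)


def demo():
    """Compare both patterns for constructed sender domains; paths are relative to a temp root."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        key_dir = os.path.join(root, "private")
        os.mkdir(key_dir)
        open(os.path.join(key_dir, "example.com"), "w").close()  # constructed key file
        open(os.path.join(root, "other.pem"), "w").close()       # file outside key_dir
        for domain in ("example.com", "../other.pem", "unknown.example"):
            naive = os.path.relpath(naive_key_path(key_dir, domain), root)
            safe = safe_key_path(key_dir, domain)
            results[domain] = (naive, safe and os.path.relpath(safe, root))
    return results


if __name__ == "__main__":
    for domain, (naive, safe) in demo().items():
        print(f"{domain!r}: naive={naive!r} dsearch={safe!r}")
```
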
Thanks for sharing the fix!
When trying this fix on v110 cPanel - exim 4.96 #2 built 18-Jan-2023 12:40:24, we are seeing:
Error message from syntax check:
2023-09-28 09:02:24 cwd=/root 4 args: /usr/sbin/exim -bV -C /etc/exim.conf.buildtest.work.b533fc1b
2023-09-28 09:02:24 Exim configuration error in line 2655 of /etc/exim.conf.buildtest.work.b533fc1b: option "require_files" unknown
In the end, we had to adopt MailChannels' fix of using dkim_domain = ${perl{get_dkim_domain}} to fool exim into thinking the dkim_domain variable isn't tainted.