[debian-edu-commits] [Git][debian-edu/debian-edu-config][master] 2 commits: Adjust etc/exim4/exim-ldap-server-v4.conf
Wolfgang Schweer
gitlab at salsa.debian.org
Sat Jun 27 10:45:15 BST 2020
Wolfgang Schweer pushed to branch master at Debian Edu / debian-edu-config
Commits:
bcc602fd by Wolfgang Schweer at 2020-06-27T11:42:35+02:00
Adjust etc/exim4/exim-ldap-server-v4.conf
Fix after Exim 4.94 security improvements. Don't use tainted data from
sender information for delivery path construction, gather data from the
'check_local_user' directive (routers section) instead and use
$local_part_data (transports section) to construct the path.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
adf10d7b by Wolfgang Schweer at 2020-06-27T11:44:03+02:00
testsuite/doc: Grab suite value for both testing and stable release cases.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
3 changed files:
- debian/changelog
- etc/exim4/exim-ldap-server-v4.conf
- testsuite/doc
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,14 @@
+debian-edu-config (2.11.28) UNRELEASED; urgency=medium
+
+ * etc/exim4/exim-ldap-server-v4.conf:
+ - Fix after Exim 4.94 security improvements. Don't use tainted data from
+ sender information for delivery path construction, gather data from the
+ 'check_local_user' directive (routers section) instead and use
+ $local_part_data (tranports section) to construct the path.
+ * testsuite/doc: Grab suite value for both testing and stable release cases.
+
+ -- Wolfgang Schweer <wschweer at arcor.de> Sat, 27 Jun 2020 10:30:36 +0200
+
debian-edu-config (2.11.27) unstable; urgency=medium
[ Wolfgang Schweer ]
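Review bot: typo in the new 2.11.28 entry, "tranports section" should read "transports section". Worth correcting while the entry is still UNRELEASED.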
@@ -20,7 +31,7 @@ debian-edu-config (2.11.27) unstable; urgency=medium
debian-edu-config (2.11.26) unstable; urgency=medium
- [ Wolfgang Schweer ]
+ [ Wolfgang Schweer ].
* Improve LTSP client setup, provide a full iPXE menu for both the backbone
and the dedicated LTSP network, use ISC DHCP server instead of dnsmasq.
- ldap-bootstrap/gosa-server.ldif: Adjust LTSP related DHCP options and
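Review bot: the '+' line in the 2.11.26 entry appends a period to "[ Wolfgang Schweer ]", which looks accidental and rewrites a changelog entry already marked "unstable". Drop this hunk so the contributor header stays "[ Wolfgang Schweer ]" and the released history is unchanged.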
=====================================
etc/exim4/exim-ldap-server-v4.conf
=====================================
@@ -11,6 +11,11 @@
# Also improve security some more: enable TLS, re-enable identity check;
# only system mail to postmaster is enabled unconditionally; see #794602.
# -- Wolfgang Schweer <wschweer at arcor.de>, 2017-05-13.
+#
+# Adjusted to work after exim4 4.94 security improvements: don't use tainted
+# data (from sender information) for delivery path construction, gather data
+# from 'check_local_user' directive instead.
+# -- Wolfgang Schweer <wschweer at arcor.de>, 2020-06-27.
##
keep_environment = KRB5_KTNAME : PWD : ^LDAP
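Review bot: in the added header comment, "tainted data (from sender information)" is ambiguous, because the value the transport stops using is $local_part, the recipient local part of the incoming message. Naming the variables in the comment ($local_part replaced by $local_part_data, which check_local_user sets) would tell the next editor exactly which expansions must not return to the transport.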
@@ -309,6 +314,7 @@ root:
ldapuser:
driver = accept
+ check_local_user
condition = ${if eq {}{${lookup ldap {ldap://LDAPSERVER/LDAPBASE?uid?sub?(uid=${local_part})}}}{no}{yes}}
cannot_route_message = Recipent ${local_part} unknown.
retry_use_local_part
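Review bot: the 'condition' line right below the added check_local_user still expands ${local_part} unquoted inside the LDAP filter (uid=${local_part}). Since this commit is about keeping message-supplied data out of sensitive expansions, use ${quote_ldap:$local_part} in the filter so filter metacharacters in the address are escaped. Separately, check_local_user means the router now only accepts local parts that resolve through the system password lookup, so the comment should state that LDAP users must be visible that way on the mail server; "Recipent" in cannot_route_message could be corrected to "Recipient" in the same pass.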
@@ -326,13 +332,11 @@ ldapuser:
begin transports
ldap_delivery:
-# prefix renamed message_prefix
-# suffix renamed message_suffix
driver = appendfile
check_string = ""
create_directory
delivery_date_add
- directory = /var/mail/$local_part
+ directory = /var/mail/$local_part_data
directory_mode = 0700
envelope_to_add
group = mail
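Review bot: 'directory = /var/mail/$local_part_data' is only safe while every router that hands mail to ldap_delivery sets $local_part_data, and nothing in the transport says so. If a router without check_local_user (or a local_parts lookup) is later pointed at this transport, the variable expands empty and the path becomes /var/mail/ itself. Add a comment above 'directory' naming the ldapuser router's check_local_user as the source of the value.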
@@ -342,7 +346,6 @@ ldap_delivery:
mode = 0660
no_mode_fail_narrower
return_path_add
- user = $local_part
remote_smtp:
driver = smtp
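Review bot: with 'user = $local_part' removed, ldap_delivery no longer sets a delivery uid of its own and relies on the uid that check_local_user establishes in the ldapuser router, while 'group = mail' is still set in the transport. That coupling is undocumented in the file; a one-line comment where 'user' used to be would stop someone from re-adding a tainted 'user =' expansion or from reusing the transport from a router that sets no user.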
=====================================
testsuite/doc
=====================================
@@ -4,7 +4,13 @@
set -e
-suite=$(lsb_release -sc)
+# Grab suite value for both testing and stable release cases.
+if grep -q / /etc/debian_version ; then
+ suite=$(cat /etc/debian_version | cut -d/ -f1)
+else
+ suite=$(lsb_release -sc)
+fi
+
capsuite=$(echo $suite | sed 's/\([a-z]\)\([a-zA-Z0-9]*\)/\u\1\2/g')
docfile=/usr/share/doc/debian-edu-doc/en/debian-edu-$suite-manual.html
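Review bot: style point on the added 'suite=$(cat /etc/debian_version | cut -d/ -f1)': the cat is unnecessary, 'cut -d/ -f1 /etc/debian_version' does the same with one process. The value then flows unquoted into 'echo $suite' and into $docfile; quoting "$suite" on the capsuite line would keep an unexpected file content from being word-split or globbed.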
@@ -13,7 +19,7 @@ docurl=https://wiki.debian.org/DebianEdu/Documentation/$capsuite
if [ -r $docfile ] ; then
fixmes=$(grep -c FIXME: $docfile)
if [ 0 -eq "$fixmes" ]; then
- echo "success: $0: Release manual have zero FIXMEs."
+ echo "success: $0: Release manual has zero FIXMEs."
else
echo "error: $0: The manual for the $capsuite release has $fixmes FIXMEs. Please fix at $docurl."
fi
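Review bot: the success branch touched here cannot be reached as written, because the script runs under 'set -e' and 'fixmes=$(grep -c FIXME: $docfile)' exits with status 1 when the count is 0, which aborts the script before the echo. Suggest: fixmes=$(grep -c FIXME: "$docfile" || true), and quote "$docfile" in the '[ -r ... ]' test as well.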
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/compare/c95487b04d55204f7321e4c1ce809992867331df...adf10d7b168ae8f3d04d0dafc88c78fb4e46ec37