Bug#1003399: After distribution upgrade many mails are "tainted" and not delivered

Sun Jan 9 15:25:21 GMT 2022

Package: exim4-daemon-heavy
Version: 4.94.2-7
Severity: important

Hello Maintainer,

after upgrading the server from Debian 9 to 11 there is a problem with (actual) no solution.
Here is an example from the paniclog:

2022-01-06 14:13:56 1n4NwM-00ASE5-Py == system at example.com R=mysql_user T=local_mysql_delivery defer (-1): Tainted '/srv/ma
il/example.com/system/' (file or directory name for local_mysql_delivery transport) not permitted
2022-01-06 14:13:56 1n3cy0-008N8T-By == karsten at example-com R=mysql_user T=local_mysql_delivery defer (-1): Tainted '/srv/m
ail/example.com/karsten/' (file or directory name for local_mysql_delivery transport) not permitted

The mainlog is full of messages like this for every local delivery:
2022-01-09 14:53:39 1n5pDL-000Z0k-OR == system at example.com R=mysql_user T=local_mysql_delivery defer (-1): Tainted '/srv/ma
il/example.com/system/' (file or directory name for local_mysql_delivery transport) not permitted

The research of this error message leads to a big discussion without an solution here:

https://www.mail-archive.com/exim-users@exim.org/msg54866.html (another example)

This seems to be introduced in exim V 4.94:
https://www.mail-archive.com/exim-users@exim.org/msg54868.html

The documentation is not understandable:
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_appendfile_transport.html#SECTfildiropt

Even other hints did not work, like this:
https://www.gentoo.org/support/news-items/2021-05-04-exim-transports-disallow-tainted.html

What must be done to get the mails de-tainted?
When there is no simple understandable solution an server version < 4.94 must be used.

The config for this part is this:

local_mysql_delivery:
   driver = appendfile
   directory = /srv/mail/${domain}/${local_part}/
   maildir_format
   delivery_date_add
   envelope_to_add
   return_path_add
   user = Debian-exim
   group = mail
   mode = 0660

Thank you for any hint to solve the problem.

Best regards
karsten

-- Package-specific info:
Exim version 4.94.2 #2 built 13-Jul-2021 16:04:57
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DANE DKIM DNSSEC 
Event I18>
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql 
nis nis>
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa tls
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Malware: f-protd f-prot6d drweb fsecure sophie clamd avast sock cmdline
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8

-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-10-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled