Re: Making pglister work with exim 4.96+

From: Célestin Matte <celestin(dot)matte(at)cmatte(dot)me>
To: Stefan Kaltenbrunner <stefan(at)kaltenbrunner(dot)cc>, Magnus Hagander <magnus(at)hagander(dot)net>
Cc: PostgreSQL WWW <pgsql-www(at)lists(dot)postgresql(dot)org>
Subject: Re: Making pglister work with exim 4.96+
Date: 2024-06-17 20:59:43
Message-ID: 6a8d00f5-9e79-4f5f-abeb-746fee0901a9@cmatte.me
Lists: pgsql-www

> We have been briefly discussing that very issue last year and the consensus was basically going the environment variable route (which can also be implemented on older exim installs) - the above list is only the "default" set of environment variables available and we can add more.

But using an environment variable is just working around the problem by evading the security mechanism. Documentation still warns about being careful [1]. And given that exim keeps extending tainting to more places, it's possible this solution will break in the future.

I think I found a good, yet hacky, workaround: using a pgsql lookup to insert the values directly into the database. This way, we avoid passing dangerous data through a shell, and we can escape them using ${quote_pgsql}. Using event_action, I can execute this at the right time (after delivery).
My current solution is something like this:
command = /pglister_path/web/pglister/bin/python /pglister_path/bin/inject.py -d $local_part_data@$domain_data -m $message_id -s ''
event_action = ${if eq {msg:delivery}{$event_name} {${lookup pgsql{update incoming_mail set sender='${quote_pgsql:$sender_address}' where messageid='${quote_pgsql:$message_id}'; notify incoming}} {}}}
and removing the "notify incoming" in inject.py.

This still requires tweaking and adding the bounce case, but I think it's a good start and tests are working so far.

[1] : https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_pipe_transport.html point 4
--
Célestin Matte
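
Added example, not part of the original message and not pglister or exim code: a Python model of the update statement above, showing why the sender address must reach the database as data (the job ${quote_pgsql} does in the lookup) rather than as statement text. Assumptions: sqlite3 stands in for PostgreSQL, parameter binding stands in for the quoting step, and the message ids and sender address are constructed sample values.

```python
import sqlite3

# Constructed sample values (not from the thread).
MESSAGE_ID = "1sJ0aB-0001-AA"
OTHER_ID = "1sJ0cD-0002-BB"
# An envelope sender is chosen by the remote party; this one carries a quote
# and a SQL comment marker.
UNTRUSTED_SENDER = "a@example.org' --"


def make_db():
    """In-memory stand-in for the incoming_mail table named in the post."""
    db = sqlite3.connect(":memory:")
    db.execute("create table incoming_mail (messageid text primary key, sender text)")
    db.executemany("insert into incoming_mail values (?, '')",
                   [(MESSAGE_ID,), (OTHER_ID,)])
    return db


def update_interpolated(db, sender, message_id):
    """Values pasted into the SQL text, i.e. the expansion without quoting."""
    sql = (f"update incoming_mail set sender='{sender}' "
           f"where messageid='{message_id}'")
    return db.execute(sql).rowcount


def update_bound(db, sender, message_id):
    """Values sent as data; they can never be parsed as SQL."""
    cur = db.execute("update incoming_mail set sender=? where messageid=?",
                     (sender, message_id))
    return cur.rowcount


def senders(db):
    """Return {messageid: sender} for every row, to inspect the outcome."""
    return dict(db.execute("select messageid, sender from incoming_mail"))


if __name__ == "__main__":
    for update in (update_interpolated, update_bound):
        db = make_db()
        rows = update(db, UNTRUSTED_SENDER, MESSAGE_ID)
        print(update.__name__, "rows changed:", rows, senders(db))
```

In the interpolated form the quote in the sender ends the string literal and the comment marker drops the where clause, so every row is rewritten; in the bound form only the matching message is updated and the address is stored verbatim.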
