CommandByEmail comments not working

Upgraded from 4.4.4 to 5.0.1 using the Ubuntu repos. Everything seems fine except the CommandbyMail extension. It works, unless I email the -comment queue which kicks in the --action comment modifier in the rt-mailgate command. Our paniclog (and exim4 log) have these:

|/usr/bin/rt-mailgate --queue "Inbox" --action comment --url http://localhost/ <inbox-comment@ourdomainname.com> R=request_tracker4 T=request_tracker4_pipe defer (0): Tainted '/usr/bin/rt-mailgate --queue "Inbox" --action comment --url http://localhost/' (command for request_tracker4_pipe transport) not permitted

If I just reply via email, there’s no issue. The line above has --action correspondence and stops after T=request_tracker4_pipe. Mail flows through fine.

Hoping for some ideas – we have the latest CommandbyMail.pm (which admittedly isn’t that new – 3.0.1-4).

Thank you

Are you using Exim version >= 4.94 by any chance? ISTR hitting the “tainted” “not permitted” issue when our CentOS boxes were updated to that version and it was also a Debian bug raised. If that is the case you’ll need to tweak your exim config a bit (how you do this depends very much on what your local exim config looks like).

GreenJimII – thanks, that’s definitely it. I was reading about the tainted changes but wasn’t fully understanding the potential. It is definitely not clear how I’d make the adjustment but I’m working on it. Thank you for the lead.

In a bid for more direction, more details on my situation. Exim 4.95. RT 5.0.1. Ubuntu install. MySQL DB. Exim queues are configured in:

/etc/exim4/transport/30_request-tracker4
request_tracker4_pipe:
   debug_print = "T: request_tracker4_pipe for $local_part@$domain"
   driver = pipe
   return_fail_output
   allow_commands = /usr/bin/rt-mailgate

And

/etc/exim4/router/310_request-tracker4
request_tracker4:
   debug_print = "R: request_tracker4 for \
      $local_part_data$local_part_suffix@$domain \
      (calling ${substr_1:${if eq{$local_part_suffix}{}\
      {-correspond}\
      {$local_part_suffix}}})"

   driver = redirect
   domains = +rt4_domains
   local_parts = mysql; QUEUENAME_QUERY
   local_part_suffix = -comment
   local_part_suffix_optional

   pipe_transport = request_tracker4_pipe

   data = "|/usr/bin/rt-mailgate \
      --queue \"${lookup mysql{QUEUENAME_QUERY}}\" \
      --action ${substr_1:${if eq{$local_part_suffix}{}\
      {-correspond}\
      {$local_part_suffix}}} \
      --url RT4_URL"

   user = www-data

AND

/etc/exim4/main/10_request-tracker4
QUEUENAME_QUERY   = \
   SELECT Name FROM Queues WHERE  \
   CorrespondAddress = '${quote_mysql:$local_part}@${quote_mysql:$domain}' \
   OR CommentAddress = '${quote_mysql:$local_part}-comment@${quote_mysql:$domain}' \
   AND Disabled = '0'

#hide mysql_servers = $DBHOST/$DBNAME/$DBUSER/$DBPASSWORD
hide mysql_servers = localhost/rtdb5/rtuser/password

domainlist rt4_domains = rt.ourdomain.com : rt.ourdomainalias.com

RT4_URL = http://localhost/

The SQL query above was my attempt at getting the inbox-comment@rt.domain.com to make it past rt-mailgate. I gather the “lookup” syntax is what I’m shooting for, I’m just not sure where to include it. Maybe within the SQL query?

CorrespondAddress = '${quote_mysql:{${lookup{$local_part}lsearch{/etc/exim4/detaint_list}}}}@${quote_mysql:$domain}' \

with a list of accepted email IDs in detaint_list file…

Thinking about it – it’s not the CommandbyEmail plugin that’s problematic – it’s just replying via email to inbox-comment@domain.com or any of the -comment addresses. There must be something basic wrong with my config. It’s definitely still exim taint-related, just not clear why since non-comment addresses seem to work fine.

Just a thought, and I might be well off the mark here, but should the -comment be inside the mysql quoting in the QUEUENAME_QUERY construction?

Not impossible but I think that would make it look for a variable called $local_part-comment which isn’t a thing. The $local_part would be the email ID (such as “inbox”) and I’m adding -comment to that so it finds it all in the query. I think my issue is I need to detaint the data in $local_part first using the lookup, then perhaps the query will work.

But I’m not sure. I’m not sure it’s even in the RT-focused configs that I need to detaint $local_part. It could be in another part of the transport or router, and then the query uses the contents of that data.

I think this is the key. I have a similar line in my exim config (I detainted a while ago, and have forgotten most of the details).

I think you’ll need to detaint local_part every time you use it.
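
One way to apply the detainting idea from this thread to the `--action` argument, as an added example that is not from any of the posters or from the RT or distribution packaging. It assumes `-comment` is the only suffix the router accepts (as in the posted `local_part_suffix = -comment`) and relies on Exim treating literal strings in the configuration file and lookup results as untainted.

```exim
# /etc/exim4/router/310_request-tracker4 (sketch based on the router posted above)
#
# Before: when the address carries the -comment suffix, the else-branch copies
# the tainted $local_part_suffix into the pipe command, which Exim >= 4.94
# refuses with "Tainted ... not permitted":
#   --action ${substr_1:${if eq{$local_part_suffix}{}{-correspond}{$local_part_suffix}}}
# With no suffix the literal {-correspond} is used instead, which is why plain
# replies are still delivered.
#
# After: $local_part_suffix is only compared (eqi = case-independent), never
# copied. Both possible results are literals from this file, so the expanded
# command string carries no tainted data.
request_tracker4:
   driver = redirect
   domains = +rt4_domains
   local_parts = mysql; QUEUENAME_QUERY
   local_part_suffix = -comment
   local_part_suffix_optional
   pipe_transport = request_tracker4_pipe
   # --queue is filled from the lookup result, not from $local_part directly.
   data = "|/usr/bin/rt-mailgate \
      --queue \"${lookup mysql{QUEUENAME_QUERY}}\" \
      --action ${if eqi{$local_part_suffix}{-comment}{comment}{correspond}} \
      --url RT4_URL"
   user = www-data
```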