CommandByEmail comments not working

Upgraded from 4.4.4 to 5.0.1 using the Ubuntu repos. Everything seems fine except the CommandbyMail extension. It works, unless I email the -comment queue which kicks in the --action comment modifier in the rt-mailgate command. Our paniclog (and exim4 log) have these:

|/usr/bin/rt-mailgate --queue "Inbox" --action comment --url http://localhost/ <> R=request_tracker4 T=request_tracker4_pipe defer (0): Tainted '/usr/bin/rt-mailgate --queue "Inbox" --action comment --url http://localhost/' (command for request_tracker4_pipe transport) not permitted

If I just reply via email, there’s no issue. The line above has --action correspondence and stops after T=request_tracker4_pipe. Mail flows through fine.

Hoping for some ideas – we have the latest (which admittedly isn’t that new – 3.0.1-4.

Thank you

Are you using Exim version >= 4.94 by any chance? ISTR hitting the “tainted” “not permitted” issue when our CentOS boxes were updated to that version and it was also a Debian bug raised. If that is the case you’ll need to tweak your exim config a bit (how you do this depends very much on what your local exim config looks like).

GreenJimII – thanks, that’s definitely it. I was reading about the tainted changes but wasn’t fully understanding the potential. It is definitely not clear how I’d make the adjustment but I’m working on it. Thank you for the lead.

In a bid for more direction, more details on my situation. Exim 4.95. RT 5.0.1. Ubuntu install. MySQL DB. Exim queues are configured in:

   debug_print = "T: request_tracker4_pipe for $local_part@$domain"
   driver = pipe
   allow_commands = /usr/bin/rt-mailgate


   debug_print = "R: request_tracker4 for \
      $local_part_data$local_part_suffix@$domain \
      (calling ${substr_1:${if eq{$local_part_suffix}{}\

   driver = redirect
   domains = +rt4_domains
   local_parts = mysql; QUEUENAME_QUERY
   local_part_suffix = -comment

   pipe_transport = request_tracker4_pipe

   data = "|/usr/bin/rt-mailgate \
      --queue \"${lookup mysql{QUEUENAME_QUERY}}\" \
      --action ${substr_1:${if eq{$local_part_suffix}{}\
      {$local_part_suffix}}} \
      --url RT4_URL"

   user = www-data


   SELECT Name FROM Queues WHERE  \
   CorrespondAddress = '${quote_mysql:$local_part}@${quote_mysql:$domain}' \
   OR CommentAddress = '${quote_mysql:$local_part}-comment@${quote_mysql:$domain}' \
   AND Disabled = '0'

#hide mysql_servers = $DBHOST/$DBNAME/$DBUSER/$DBPASSWORD
hide mysql_servers = localhost/rtdb5/rtuser/password

domainlist rt4_domains = :

RT4_URL = http://localhost/

The SQL query above was my attempt at getting the to make it past rt-mailgate. I gather the “lookup” syntax is what I’m shooting for, I’m just not sure where to include it. Maybe within the SQL query?

CorrespondAddress = '${quote_mysql:{${lookup{$local_part}lsearch{/etc/exim4/detaint_list}}}}@${quote_mysql:$domain}' \

with a list of accepted email IDs in detaint_list file…

Thinking about it – it’s not the CommandbyEmail plugin that’s problematic – it’s just replying via email to or any of the -comment addresses. There must be something basic wrong with my config. It’s definitely still exim taint-related, just not clear why since non-comment addresses seem to work fine.

Just a thought, and I might be well off the mark here, but should the -comment be inside the mysql quoting in the QUEUENAME_QUERY construction?

Not impossible but I think that would make it look for a variable called $local_part-comment which isn’t a thing. The $local_part would be the email ID (such as “inbox”) and I’m adding -comment to that so it finds it all in the query. I think my issue is I need to detaint the data in $local_part first using the lookup, then perhaps the query will work.

But I’m not sure. I’m not sure it’s even in the RT-focused configs that I need to detaint $local_part. It could be in another part of the transport or router, and then the query uses the contents of that data.

I think this is the key. I have a similar line in my exim config (I detainted a while ago, and have forgotten most of the details).

I think you’ll need to detaint local_part every time you use it.