Exim Sysadmins Beware, Debian Bookworm Is a Major Update
A warning for all sysadmins using Exim on Debian Bullseye: don't switch to Debian Bookworm just yet.
The changelog will tell you that, for Exim 4.96-15 in Debian Bookworm:
The allow_insecure_tainted_data main config option and the "taint"
log_selector were removed
However, if you run Debian Bullseye, you never get the warning. That warning might have come with Exim in unstable/bullseye-backports:
Please consider exim 4.93/4.94 a *major* exim upgrade. It introduces the
concept of tainted data read from untrusted sources, like e.g. message
sender or recipient. This tainted data (e.g. $local_part or $domain)
cannot be used among other things as a file or directory name or command
name.
This WILL BREAK configurations which are not updated accordingly.
That version at least came with a quick fix:
.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
allow_insecure_tainted_data = yes
.endif
That quick fix is not available in Bookworm.
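A pre-upgrade check for the breakages described above, as an added example that is not part of the original post or of any Exim or Debian tooling: a heuristic Python scan of an Exim configuration for the option and log selector removed in Bookworm, and for $local_part or $domain used in file, directory or command names. The list of options, the lookup pattern and the sample configuration are assumptions made for this illustration; the sample's last transport uses $local_part_data and $domain_data, which Exim sets from a successful lookup and treats as untainted.

```python
import re

# Both names come from the Bookworm changelog entry quoted above.
REMOVED_OPTION = re.compile(r"^\s*allow_insecure_tainted_data\s*=")
TAINT_SELECTOR = re.compile(r"^\s*log_selector\s*=.*[+-]taint\b")
# Matches $local_part / $domain but not $local_part_data / $domain_data.
TAINTED_VAR = re.compile(r"\$\{?(?:local_part|domain)\b")
# Assumption: options whose value is a file, directory or command name.
PATH_OPTION = re.compile(r"^\s*(file|directory|command|require_files)\s*=\s*(.*)$")
# Assumption: file-based lookups are written as ...search{/absolute/path}.
FILE_LOOKUP = re.compile(r"search\*?\s*\{(/[^}]*)\}")

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
allow_insecure_tainted_data = yes
.endif
log_selector = +tls_peerdn +taint
virtual_aliases:
  driver = redirect
  data = ${lookup{$local_part}lsearch{/etc/exim4/virtual/$domain}}
maildir_old:
  driver = appendfile
  directory = /var/mail/$domain/$local_part
maildir_new:
  driver = appendfile
  directory = /var/mail/$domain_data/$local_part_data
"""

def audit(config_text):
    """Return (line_number, finding) pairs for one Exim configuration text."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        if REMOVED_OPTION.search(line):
            findings.append((number, "allow_insecure_tainted_data is removed in Bookworm"))
        if TAINT_SELECTOR.search(line):
            findings.append((number, "log_selector 'taint' is removed in Bookworm"))
        option = PATH_OPTION.match(line)
        if option and TAINTED_VAR.search(option.group(2)):
            findings.append((number, f"tainted variable in '{option.group(1)}' option"))
        if any(TAINTED_VAR.search(path) for path in FILE_LOOKUP.findall(line)):
            findings.append((number, "tainted variable in lookup file name"))
    return findings

if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print(f"line {number}: {finding}")
```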