Bug#854995: config comment says docs contain info about a security issue but they don't

[Ian Kelling]

Package: exim4
Version: 4.88-5
Severity: minor

Debian (not upstream) has this comment in 40_exim4-config_check_data in
reference to an example config which enables spamassassin.

# Please note that this is only suiteable as an example. There are
# multiple issues with this configuration method. For example, if you go
# this way, you'll give your spamassassin daemon write access to the
# entire exim spool which might be a security issue in case of a
# spamassassin exploit.
#
# See the exim docs and the exim wiki for more suitable examples.

This clearly implies that exim docs or the exim wiki have something
about dealing with the example security issue. They don't. Exim docs
suggest doing the same thing as this example with regard to spamassissin
access to the exim spool, except for excluding mail which is too big and
would cause performance problems or failures if sent to spamassassin.

This leads people like me spending a fair bit of time reading all the
exim documentation that mentions spamassassin with the false expectation
of finding something which is not there.

I also did not turn up any discussion of this issue with a few web
searches.

If I missed something, clarify the comment.

If not, reword and move the "for example ..." sentence outside the
context of "the solution is the docs", and directly state how someone
could deal with this issue. The only obvious thing to me is that you can
exclude classes of mail from going to spamassassin, so you might
classify and exclude security sensitive mail. For example, mail from
debian-security-announce-request at lists.debian.org which could inform the
user in the case of a security exploit in spamassassin.