diff --git a/src/libexim-encrypt-dlfunc.c b/src/libexim-encrypt-dlfunc.c
index 042e72f..c4913c4 100644
--- a/src/libexim-encrypt-dlfunc.c
+++ b/src/libexim-encrypt-dlfunc.c
@@ -9,6 +9,16 @@
 /* Exim4 dlfunc API header */
 #include
+#if LOCAL_SCAN_ABI_VERSION_MAJOR < 3
+#define LOCAL_SCAN
+#define store_get_untainted(size) store_get(size)
+#define store_get_tainted(size) store_get(size)
+#else
+#define DLFUNC_IMPL
+#define store_get_untainted(size) store_get(size, FALSE)
+#define store_get_tainted(size) store_get(size, TRUE)
+#endif
+
 /*
 * Encrypt message using crypto_secretbox_easy().
 *
@@ -48,7 +58,7 @@ int sodium_crypto_secretbox_encrypt_password(uschar **yield, int argc, uschar *a
 // prepare buffer for ciphertext
 unsigned int cipherlen = messagelen + crypto_secretbox_MACBYTES;
- unsigned char *ciphertext = (unsigned char *) store_get(cipherlen);
+ unsigned char *ciphertext = (unsigned char *) store_get_untainted(cipherlen);
 sodium_memzero(ciphertext, cipherlen);
 // encrypt message
@@ -61,14 +71,14 @@ int sodium_crypto_secretbox_encrypt_password(uschar **yield, int argc, uschar *a
 // combine nonce and ciphertext
 size_t combined_message_len = crypto_secretbox_NONCEBYTES + cipherlen;
- unsigned char *combined_message = store_get(combined_message_len);
+ unsigned char *combined_message = store_get_untainted(combined_message_len);
 memcpy(combined_message, nonce, crypto_secretbox_NONCEBYTES);
 memcpy(&combined_message[crypto_secretbox_NONCEBYTES], ciphertext, cipherlen);
 // base64-encode the ciphertext
 unsigned int outputsize = sodium_base64_ENCODED_LEN(combined_message_len, sodium_base64_VARIANT_ORIGINAL);
- unsigned char *outstring = (unsigned char *) store_get(outputsize);
+ unsigned char *outstring = (unsigned char *) store_get_untainted(outputsize);
 //sodium_memzero(outstring, outputsize);
 sodium_bin2base64((char *const) outstring, outputsize, combined_message, combined_message_len,
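Review bot: `store_get_tainted()` is defined in the `@@ -9,6 +9,16 @@` hunk but nothing in this patch uses it: every converted allocation, including the decrypted `cleartext` buffers in `@@ -132,7 +142,7 @@` and `@@ -283,7 +293,7 @@`, is requested as untainted. If those buffers hold data derived from message content and are what `*yield` ends up pointing to (not visible in these hunks), the result re-enters Exim's string expansion as trusted and the taint check no longer covers it; sealed-box plaintext in particular can be produced by anyone who holds the public key. I would allocate the output buffers as tainted, e.g. `unsigned char *cleartext = (unsigned char *) store_get_tainted(cleartextlen + 1);`, and reserve untainted storage for data that does not originate from the message. Separately, `LOCAL_SCAN` and `DLFUNC_IMPL` are defined after the `#include` above them, so if they are meant to select declarations inside that header they arrive too late.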
@@ -115,7 +125,7 @@ int sodium_crypto_secretbox_decrypt_password(uschar **yield, int argc, uschar *a
 // base64-decode the ciphertext
 size_t combined_message_buf_len = ciphertextb64_len / 4 * 3;
 size_t combined_message_len;
- unsigned char *combined_message = (unsigned char *) store_get(combined_message_buf_len);
+ unsigned char *combined_message = (unsigned char *) store_get_untainted(combined_message_buf_len);
 sodium_memzero(combined_message, combined_message_buf_len);
 int b64err = sodium_base642bin(combined_message, combined_message_buf_len, (const char *) ciphertextb64, ciphertextb64_len,
@@ -132,7 +142,7 @@ int sodium_crypto_secretbox_decrypt_password(uschar **yield, int argc, uschar *a
 // prepare buffer for cleartext
 unsigned int cleartextlen = combined_message_len - crypto_secretbox_NONCEBYTES - crypto_secretbox_MACBYTES;
- unsigned char *cleartext = (unsigned char *) store_get(cleartextlen + 1);
+ unsigned char *cleartext = (unsigned char *) store_get_untainted(cleartextlen + 1);
 sodium_memzero(cleartext, cleartextlen + 1);
 // decrypt message
@@ -173,7 +183,7 @@ int sodium_crypto_box_seal(uschar **yield, int argc, uschar *argv[]) {
 size_t pkb64_len = strlen((const char *) pkb64);
 // reserve space for conversion
 unsigned int pk_buffer_len = crypto_box_PUBLICKEYBYTES; // pkb64_len / 4 * 3 + 1;
- unsigned char *pk = (unsigned char *) store_get(pk_buffer_len);
+ unsigned char *pk = (unsigned char *) store_get_untainted(pk_buffer_len);
 sodium_memzero(pk, pk_buffer_len);
 // convert encoded key to raw form
 int b64err = sodium_base642bin(pk, pk_buffer_len,
@@ -190,7 +200,7 @@ int sodium_crypto_box_seal(uschar **yield, int argc, uschar *argv[]) {
 // prepare buffer for ciphertext
 unsigned int cipherlen = messagelen + crypto_box_SEALBYTES;
- unsigned char *ciphertext = store_get(cipherlen);
+ unsigned char *ciphertext = store_get_untainted(cipherlen);
 sodium_memzero(ciphertext, cipherlen);
 // encrypt message
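Review bot: In the `@@ -132,7 +142,7 @@` hunk the size passed to the new `store_get_untainted(cleartextlen + 1)` comes from an unsigned subtraction that wraps when the decoded input is shorter than nonce plus MAC, and no lower-bound check is visible here (one may sit in the lines between this hunk and the previous one). A wrapped `cleartextlen` turns into a very large allocation request, or a zero-byte one when the `+ 1` wraps again, before the `sodium_memzero` that follows. A guard ahead of the subtraction, `if (combined_message_len < crypto_secretbox_NONCEBYTES + crypto_secretbox_MACBYTES)` followed by the function's existing error return, closes it. The same pattern applies to `ciphertextlen - crypto_box_SEALBYTES` in `@@ -283,7 +293,7 @@`. Both enclosing functions start and end outside their hunks.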
@@ -202,7 +212,7 @@ int sodium_crypto_box_seal(uschar **yield, int argc, uschar *argv[]) {
 // base64-encode the ciphertext
 unsigned int outputsize = sodium_base64_ENCODED_LEN(cipherlen, sodium_base64_VARIANT_ORIGINAL);
- unsigned char *outstring = store_get(outputsize);
+ unsigned char *outstring = store_get_untainted(outputsize);
 sodium_bin2base64((char *const) outstring, outputsize, ciphertext, cipherlen, sodium_base64_VARIANT_ORIGINAL);
@@ -236,7 +246,7 @@ int sodium_crypto_box_seal_open(uschar **yield, int argc, uschar *argv[]) {
 size_t skb64_len = strlen((const char *) skb64);
 // reserve space for conversion
 unsigned int sk_buffer_len = crypto_box_SECRETKEYBYTES;// skb64_len / 4 * 3;
- unsigned char *sk = (unsigned char *) store_get(sk_buffer_len);
+ unsigned char *sk = (unsigned char *) store_get_untainted(sk_buffer_len);
 sodium_memzero(sk, sk_buffer_len);
 // convert encoded key to raw form
 int b64err = sodium_base642bin(sk, sk_buffer_len,
@@ -252,7 +262,7 @@ int sodium_crypto_box_seal_open(uschar **yield, int argc, uschar *argv[]) {
 size_t pkb64_len = strlen((const char *) pkb64);
 // reserve space for conversion
 unsigned int pk_buffer_len = crypto_box_PUBLICKEYBYTES; // pkb64_len / 4 * 3;
- unsigned char *pk = (unsigned char *) store_get(pk_buffer_len);
+ unsigned char *pk = (unsigned char *) store_get_untainted(pk_buffer_len);
 sodium_memzero(pk, pk_buffer_len);
 // convert encoded key to raw form
 b64err = sodium_base642bin(pk, pk_buffer_len,
@@ -269,7 +279,7 @@ int sodium_crypto_box_seal_open(uschar **yield, int argc, uschar *argv[]) {
 // base64-decode the ciphertext
 unsigned int ciphertextbuflen = ciphertextb64_len / 4 * 3;
- unsigned char *ciphertext = (unsigned char *) store_get(ciphertextbuflen);
+ unsigned char *ciphertext = (unsigned char *) store_get_untainted(ciphertextbuflen);
 size_t ciphertextlen;
 sodium_memzero(ciphertext, ciphertextbuflen);
 b64err = sodium_base642bin(ciphertext, ciphertextbuflen,
@@ -283,7 +293,7 @@ int sodium_crypto_box_seal_open(uschar **yield, int argc, uschar *argv[]) {
 // prepare buffer for cleartext
 unsigned int cleartextlen = ciphertextlen - crypto_box_SEALBYTES;
- unsigned char *cleartext = (unsigned char *) store_get(cleartextlen + 1);
+ unsigned char *cleartext = (unsigned char *) store_get_untainted(cleartextlen + 1);
 sodium_memzero(cleartext, cleartextlen + 1);
 // decrypt message