Moritz Wilhelmy wrote:
Hello,

Just for the record:

On Mon, May 02, 2011 at 03:49:55PM +0000, W B Hacker wrote:
Before you go any further, PLEASE upgrade to the current Exim release!
There were serious security issues in pre 4.7X versions.

I assume he is using exim 4.69 on oldstable/lenny (I remember lenny had 4.69
and I know squeeze has 4.72. wheezy currently has 4.75). I assume the debian
guys "fixed" these bugs by patching them out downstream, because the debian way
to do it is not to bump versions until the next stable release.

Perhaps.

BUT ... if not, and/or some barrier is perceived to rolling in the latest for some obscure reason, (modified source in my case), what I do for the last remaining unpatched 4.69 on one of my boxes, is:

- remove the setuid root bit on the binary. Not needed if all users are virtual - and shell holders can easily be made to be so, or just not *allowed* mail (by their login UID).

- mount /var and wherever the mailstore is as:

                 nosetuid, noexec,

- adjust 'log_selector =' to include:

                -rejected_header

- if one or more of the above is not possible, consider, for rejections within acl_smtp_data, ONLY, temporarily switching to using a 'defer' (forever) instead of a 'deny'. CAVEAT: Very much 'Not optimal', but might save an older rev from grief, as it is the quickest fix to apply.

I still recommend the upgrade to 4.7X in any case.

It isn't JUST for the improved security. Full DKIM support, to name one, only came in with (IIRC) 4.71.


Even so..

Any system that uses that generated split-config toolset
(Debian-only AFAIK) comes complete with extensive docs.

Debian and everything based (i.e. Ubuntu etc.) on it. And the documentation is
located in /usr/share/doc/exim4-base/

More historical information, and more specific current help, are
available on the Debian specific mailing list (also pointed to in
your on-box docs).

MOST, though not all, on THIS list use the standard monolithic Exim
~/configure file, which may be less 'automated', but otherwise
simpler.

I agree. I was glad when I noticed the "original" exim configuration file was
quite simple in contrast to the macro hell on debian.


It CAN be, but as experience and (alleged) cleverness | deviousness accumulate, that goes away. I have had them grow to over 3,000 lines of text, even with terse comments. And that with a good deal of the 'cleverness' offloaded to PostgreSQL.

The quasi-automated split config has had a good deal of kraft - conveyed experience - built into it, and 'should' work quite well for the inexperienced doing simpler basic installs.

I disagree more with the method than the effort or goal.

IMNSHO, better a collection of known-compatible modules to concatenate in proper sequence into one 'ordinary' file - ELSE be left OUT altogether, than the split files and so many .ifdefs...

IF ONLY .. because the resulting output would be the same sort of monolithic ~/configure most often referenced HERE, and altered in the same manner. Editor of choice for fine-tuning, start the concatenation chooser from scratch otherwise..

Familiar structure [1] to more hands and eyes = easier to support 'quickly'.

AFAIK, that is also an option on Debian.

It is, but you have to supply your own. As far as I know, debian does not ship
the default config in any of these /usr/share/doc/exim4-* directories. So you
will probably need to download it from [1]. For more information please see
update-exim4.conf(8)[2].

Best regards,

Moritz

[1] http://git.exim.org/exim.git/blob/HEAD:/src/src/configure.default
[2] http://pwet.fr/man/linux/administration_systeme/update_exim4_conf


I thought I had seen posts to the effect that both WERE shipped?

But don't rely on an aged 4-flavor *BSD to grok aleph-null flavor Penguin variants...

;-)

Bill

[1] 'Familiar' as in a ~/configure file originally built for 4.4X and carried over for years with many changes - even to the underlying OS - but only a very few of those changes required to cover version shifts such as settings and variable nomenclature/usage, or new/retired features.


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
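
An added example, not part of the original messages and not Exim or Debian code: a small Python audit of the first three mitigations listed in the thread (setuid bit on the binary, mount options on the mail store, `log_selector`). It assumes a Linux host, where the mount option is spelled `nosuid` and the mount table has the /proc/mounts layout; the function names and sample inputs are constructed for illustration.

```python
import stat

def is_setuid(mode):
    """True if an st_mode value (as returned by os.stat) has the setuid bit."""
    return bool(mode & stat.S_ISUID)

def mount_options(mounts_text, path):
    """Options of the longest mount point covering path (/proc/mounts layout)."""
    best, opts = "", set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mp = fields[1]
        covers = path == mp or path.startswith(mp.rstrip("/") + "/")
        if covers and len(mp) > len(best):
            best, opts = mp, set(fields[3].split(","))
    return opts

def log_selector(config_text):
    """Tokens of the log_selector setting, joining backslash continuations."""
    joined = config_text.replace("\\\n", " ")
    tokens = []
    for line in joined.splitlines():
        line = line.strip()  # commented-out lines start with '#' and are skipped
        if line.startswith("log_selector") and "=" in line:
            tokens = line.split("=", 1)[1].split()
    return tokens

def audit(mode, mounts_text, store, config_text):
    """Return findings for the three settings; an empty list means all are set."""
    findings = []
    if is_setuid(mode):
        findings.append("exim binary is setuid")
    missing = {"nosuid", "noexec"} - mount_options(mounts_text, store)
    if missing:
        findings.append("%s lacks %s" % (store, ",".join(sorted(missing))))
    if "-rejected_header" not in log_selector(config_text):
        findings.append("log_selector does not include -rejected_header")
    return findings

# Constructed sample inputs (not taken from any real host).
MOUNTS = "/dev/sda1 / ext3 rw 0 0\n/dev/sda2 /var ext3 rw,nosuid 0 0\n"
CONFIG = "log_selector = +smtp_protocol_error \\\n    -rejected_header\n"

if __name__ == "__main__":
    for finding in audit(0o104755, MOUNTS, "/var/mail", CONFIG):
        print("FINDING:", finding)
```

On a live system the inputs would come from `os.stat()` on the installed binary, `/proc/mounts`, and the configuration file actually in use.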
