-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 On 2012-10-26 at 11:45 +0300, Marius Stan wrote: > On 26.10.2012 11:35, Phil Pennock wrote: > > During internal code review on Wednesday, I uncovered a remote code > > execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM > > handling. This can be triggered by anyone who can send you email from a > > domain for which they control the DNS, and gets them the Exim run-time > > user. > Hi Phil, > If an existing exim instalation doesn't verify received DKIMs is it > still vulnerable ?
Be careful: "verify DKIM on received mails" is *not* the same as "has defined a DKIM ACL". If Exim was built normally (without DISABLE_DKIM) then the DKIM logic is present. Then, even if you don't define a DKIM ACL, Exim does verification anyway for inbound mails, to set various needed variables. *IF* you have: warn control = dkim_disable_verify at the start of an ACL which has been plumbed into acl_smtp_connect or acl_smtp_rcpt, then you are safe. If you do not explicitly set the dkim_disable_verify control, then you are vulnerable. Regards, - -Phil -----BEGIN PGP SIGNATURE----- iEYEAREDAAYFAlCKUIEACgkQQDBDFTkDY39t0gCeIe6VJPGhalr6aF2TDlQgjxU6 F0wAoIXdbvC0ukjVKOYpU8NMBdkE3ySG =0wd6 -----END PGP SIGNATURE----- -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
