[exim] tainted filename issue
How that last message got encrypted, I don't know. But this should be an unencrypted copy.

On 5/5/2021 4:04 AM, Heiko Schlittermann via Exim-users wrote:
> Dan Egli via Exim-users (Wed 05 May 2021 02:41:38 CEST):
>> I just upgraded to 4.94.2, and most everything is working fine. But I'm
>> getting an issue on DKIM signings with tainted filename. I looked over the
>> list and tried to apply the same fix I've seen used before, but I guess I'm
>> not understanding it. Here's my dkim_private_key statement:
>>
>>   dkim_private_key = ${if exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
>>     {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
>>
>> So how do I correct this? Thanks!
>
> You didn't run 4.94 before, did you?

No, I've not done 4.94 before. Up until recently I was running 4.93.

So, I realized that exim wasn't fork()ing like I thought it would, but actually calling the exim binary. That explains the complaint about -Mcd. But when I fixed THAT issue, I get a new one that I have no idea what's up with. I have a link from /usr/sbin/exim_new to /usr/sbin/exim (and have the old binary on exim_old), so it's calling the correct exim.

Can someone explain what's up?

[after receiving a message to se

  20094 End of tree
  20094 recipients_count=1
  20094 SPOOL_IN - No additional fields
  20094 body_linecount=159 message_linecount=18
  20094 running system filter
  20094 rda_interpret (file): '/etc/exim/filters/FILTER2008'
  20094 expanded: '/etc/exim/filters/FILTER2008'
  20094 search_tidyup called
  20094 daemon-accept-delivery forking for router-interpret
  20094 daemon-accept-delivery forked for router-interpret: 20095
  20095 postfork: router-interpret
  20095 LOG: MAIN PANIC DIE
  20095 unable to set gid=12 or uid=8 (euid=1002): system filter
  20095 search_tidyup called
  20095 Exim pid=20095 (router-interpret) terminating with rc=1
  20094 rda_interpret: subprocess yield=8 error=NULL
  20094 LOG: MAIN PANIC
  20094 internal problem in system filter: failure to transfer data from subprocess: status=0100 readerror='No such file or directory'
  20094 system filter returned 8
  20094 LOG: MAIN PANIC
  20094 Error in system filter: internal problem in system filter: failure to transfer data from subprocess: status=0100 readerror='No such file or directory'
  20094 search_tidyup called
  20094 Exim pid=20094 (daemon-accept-delivery) terminating with rc=0
  20091 SMTP<< QUIT
  20091 using ACL "acl_check_quit"
  20091 processing "warn" (/etc/exim/exim_new.conf 415)
  20091 check condition = $authentication_failed
  20091 = 0
  20091 warn: condition test failed in ACL "acl_check_quit"
  20091 processing "warn" (/etc/exim/exim_new.conf 420)
  20091 check condition = $authentication_failed
  20091 = 0
  20091 warn: condition test failed in ACL "acl_check_quit"
  20091 end of ACL "acl_check_quit": implicit DENY
  20091 SMTP>> 221 eglifamily.name closing connection
  20091 tls_write(0x55c69d3d8b10, 40)
  20091 SSL_write(0x55c69d50d0e0, 0x55c69d3d8b10, 40)
  20091 outbytes=40 error=0
  20091 tls_close(): shutting down TLS
  20091 SSL3 alert write:warning:close notify
  20091 LOG: smtp_connection MAIN
  20091 SMTP connection from mobile-166-170-45-144.mycingular.net ([172.20.10.13]) [166.170.45.144] I=[209.141.58.25]:587 closed by QUIT
  20091 search_tidyup called
  20091 SMTP>>(close on process exit)
  20091 Exim pid=20091 (daemon-accept) terminating with rc=0
  20031 child 20091 ended: status=0x0
  20031 normal exit, 0
  20031 0 SMTP accept processes now running
  20031 Listening...
  ^C20031 SIGTERM/SIGINT seen
  20031 daemon forking for daemon-del-pidfile
  20031 daemon forked for daemon-del-pidfile: 20162
  20162 postfork: daemon-del-pidfile
  20162 exec /usr/sbin/exim -C /etc/exim/exim_new.conf -d=0xf7795cfd -MCd daemon-del-pidfile -oPX
  exim: only uid=0 or uid=8 can use -oP and -oPX (uid=1002 euid=1002 | 1002)
  20031 search_tidyup called
  20031 Exim pid=20031 (daemon) terminating with rc=0

--
Dan Egli
From my Test Server

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
[exim] Outgoing mail: how to remove tags/keywords from the subject header?
Hello,

we have a spam/virus filtering system that adds a spam score and other info as keywords at the beginning of the subject header, to inform the end-user and help him write sort rules in his mail client.

Example: {spam: 43} {newsletter} {SPF: pass} {DKIM: No signature}, etc.

But when an end-user answers that mail we would like to *remove* all these tags (they are always between { } characters, so a regex search/replace must be possible, I hope).

The goal is that:
- the TO/CC/BCC addresses do not see these spam/info tags
- in case of repeated send/answer dialogues the subject line does not fill up with these tags!

I did search and did find how to do this for *incoming* subject header rewrite (typically sequences like:

  headers_add "New-Subject: {spam}: $h_subject:"
  headers_remove subject
  headers_add "Subject: $h_new-subject:"
  headers_remove new-subject

) but I could *not* find something to do this for *outgoing* mail (to local domain addresses as well as external domain addresses, all answers).

I saw... Outlook/Exchange does propose this functionality, exactly for the same purpose. But we want to use Exim, hey :-)

Does someone know a FAQ where it is explained how to do that, or have experience with this? Or an example of instructions and where to put this in the exim.conf?

Many thanks for your help!

Yves.
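The outgoing rewrite Yves asks about can be done on the delivery transport rather than in the incoming filter, because transports also accept headers_remove and headers_add. The following is an added example, not code from Yves or from the Exim project: the transport name remote_smtp and the choice to key the rewrite on $authenticated_id are assumptions, and the {tag} syntax is the one described in the post. It strips the tags only from messages that were submitted by an authenticated user, so inbound mail relayed through the same transport keeps its tags.

```exim
# Added example, not from the list post. Transport name and the use of
# $authenticated_id as the "this is an outgoing answer" signal are assumed;
# the {spam: 43} {newsletter} ... tag format is the one Yves describes.

begin transports

remote_smtp:
  driver = smtp
  # Header changes made in a transport apply to the delivered copy only;
  # the spool file is untouched and $h_subject: still expands to the
  # Subject: line as it was received, so it can be used to build the
  # replacement.
  headers_remove = Subject
  # Two substitutions: the inner one deletes every {...} tag together with
  # the whitespace in front of it, the outer one trims the whitespace a
  # leading tag leaves behind. \N...\N stops the expander from treating the
  # braces inside the regexps as expansion syntax. Unauthenticated (inbound)
  # messages get their original subject back unchanged.
  headers_add = Subject: ${if def:authenticated_id \
      {${sg{${sg{$h_subject:}{\N\s*\{[^{}]*\}\N}{}}{\N^\s+\N}{}}} \
      {$h_subject:}}
```

The same two options go on the local delivery transport for answers to local mailboxes. One caveat: $h_subject: is the raw header, so a subject that arrived RFC 2047 encoded (=?utf-8?...?=) would need ${rfc2047d:...} applied before the regexps see it, and the result re-encoded if it contains non-ASCII text.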
Re: [exim] tainted filename issue
Dan Egli via Exim-users (Wed 05 May 2021 22:45:34 CEST):
> and I THINK it's okay. Problem is that I'm encountering another issue that
> prevents me from saying all is well. I have my updated exim binary as
> exim_new and the updated config as exim_new.conf, but when I try to submit a
> message exim conks out saying I passed a bad or incomplete argument:

Try setting the binary name

  exim_path = …

in your new config.

--
Heiko
Re: [exim] tainted filename issue
On 05/05/2021 21:45, Dan Egli via Exim-users wrote:
> 2021-05-05 14:35:29.708 cwd=/etc/exim 5 args: exim_new -d -bd -C exim_new.conf
>
> [much deleted for brevity]
>
> 15754 Calling SSL_read(0x5573489f8110, 0x5573489f99a0, 4096)
> 15758 postfork: daemon-accept-delivery
> 15758 exec /usr/sbin/exim -C exim_new.conf -d=0xf7795cfd -MCd daemon-accept-delivery -Mc 1leOFn-000466-HW
> exim abandoned: unknown, malformed, or incomplete option -MCd
> 15754 SMTP<< QUIT
>
> So how do I figure out what the heck is going on here?

Exim re-execs itself during message processing. Your new binary is exec'ing your old binary, and assuming it can handle the command-line args it knows about.

You can't shuffle binary names like that; sorry.
--
Cheers,
  Jeremy
Re: [exim] tainted data issues
Heiko Schlittermann via Exim-users wrote on 05.05.2021 23:48:
> Victor Ustugov via Exim-users (Wed 05 May 2021 22:29:32 CEST):
>>>>> git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git
>>>
>>> Sorry my fault, far too many branches, merges, and tags during the
>>> recent days. Branch is exim-4.94.2+taintwarn, which includes the +fixes
>>> and the taintwarn feature.
>>
>> Thank you.
>>
>> As far as I can see, the exim-4.94.2+taintwarn branch includes the code
>> from the exim-4.94.2+fixes branch, doesn't it?
>
> Exactly. It does include all the stuff in exim-4.94.2+fixes. Please be
> aware, the taintwarn feature is only for mitigation. It will be ignored
> in one of the future versions.

I personally don't need an option allow_insecure_tainted_data. I'm just testing the building of exim 4.94.2 packages for FreeBSD, CentOS and Ubuntu with different combinations of patches (for the file parameter in the sqlite lookup, exim-4.94.2+fixes, taintwarn code from exim-4.94.2+taintwarn and from Debian patches).

--
Best wishes
Victor Ustugov                mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb           JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] tainted data issues
Victor Ustugov via Exim-users (Wed 05 May 2021 22:29:32 CEST):
>>>> git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git
>>
>> Sorry my fault, far too many branches, merges, and tags during the
>> recent days. Branch is exim-4.94.2+taintwarn, which includes the +fixes
>> and the taintwarn feature.
>
> Thank you.
>
> As far as I can see, the exim-4.94.2+taintwarn branch includes the code
> from the exim-4.94.2+fixes branch, doesn't it?

Exactly. It does include all the stuff in exim-4.94.2+fixes. Please be aware, the taintwarn feature is only for mitigation. It will be ignored in one of the future versions.

--
Heiko
Re: [exim] tainted data issues
Heiko Schlittermann via Exim-users wrote on 05.05.2021 21:36:
> Victor Ustugov via Exim-users (Wed 05 May 2021 20:01:56 CEST):
>> Heiko Schlittermann via Exim-users wrote on 05.05.2021 19:11:
>>
>>> In case you didn't notice. We've added a new but already deprecated main
>>> config option:
>>>
>>> allow_insecure_tainted_data = yes
>>>
>>> For this option you need to get exim-4.94.2+fixes. This option isn't
>>> part of 4.94.2!
>>
>> Did you mean
>>
>> git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git
>
> Sorry my fault, far too many branches, merges, and tags during the
> recent days. Branch is exim-4.94.2+taintwarn, which includes the +fixes
> and the taintwarn feature.

Thank you.

As far as I can see, the exim-4.94.2+taintwarn branch includes the code from the exim-4.94.2+fixes branch, doesn't it?

--
Best wishes
Victor Ustugov                mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb           JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] tainted data issues
Victor Ustugov via Exim-users (Wed 05 May 2021 20:01:56 CEST):
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 19:11:
>
>> In case you didn't notice. We've added a new but already deprecated main
>> config option:
>>
>> allow_insecure_tainted_data = yes
>>
>> For this option you need to get exim-4.94.2+fixes. This option isn't
>> part of 4.94.2!
>
> Did you mean
>
> git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git

Sorry my fault, far too many branches, merges, and tags during the recent days. Branch is exim-4.94.2+taintwarn, which includes the +fixes and the taintwarn feature.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Hello,

Thanks for the response. I added CFLAGS += -std=gnu99 and LDFLAGS=-lrt to the Makefile and it built successfully!

Regards

----- Original Message -----
From: "Victor Ustugov via Exim-users"
To: "Victor Ustugov via Exim-users"
Sent: Wednesday, May 5, 2021 6:50 PM
Subject: Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

Victor Ustugov via Exim-users wrote on 05.05.2021 17:14:
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 16:16:
>>>>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>>>>> 4.95 as soon as possible.
>>>>>
>>>>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>>>>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>>>>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>>>>
>>>> What did you do?
>>>
>>> I built exim 4.94.2 with patch
>>> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
>>>
>>> As I remember patch for exim 4.94 based on:
>>>
>>> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
>>
>> This one isn't related to the file= feature
>
> As far as I remember I could not build exim 4.94 with
> 4a7dca52352d0976f200b89a50825433b7551554 and
> b8514d1960e259d49ab2c84c89eba52ab993da3f without
> 44644c2e404a3ea0191db0b0458e86924fb240bb
>
>> These both I located too and "backported" to 4.94.2 (as did too,
>> probably):
>>> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
>>> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f
>>
>> See the attached patches.
>
> Thanks. I'll try to build exim with these patches today evening.

Heiko, I took a look at your patches. Except for the files related to documentation and tests, our patches are identical. So no need to rebuild exim and check the patches again. Thank you again.

>> @Odhiambo: as it seems you're building your own version of Exim, we
>> recommend you the patches from Victor or mine (attached). Currently we do
>> not plan to do the backport officially, because we'll start working
>> to release 4.95 as soon as possible.

--
Best wishes
Victor Ustugov                mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb           JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] tainted data issues
Quoting Heiko Schlittermann via Exim-users (exim-users@exim.org):
> In case you didn't notice. We've added a new but already deprecated main
> config option:
> allow_insecure_tainted_data = yes

Yes, thanks for your hard work, Heiko!! I saw that option being discussed / added. It sure will help people migrate their setups!

Best,
-Sndr.
--
| With her marriage she got a new name and a dress.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
Re: [exim] tainted data issues
Heiko Schlittermann via Exim-users wrote on 05.05.2021 19:11:
> In case you didn't notice. We've added a new but already deprecated main
> config option:
>
> allow_insecure_tainted_data = yes
>
> For this option you need to get exim-4.94.2+fixes. This option isn't
> part of 4.94.2!

Did you mean

  git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git

? I see neither allow_insecure_tainted_data nor ALLOW_INSECURE_TAINTED_DATA in the exim/ directory.

> This option allows you to turn the taint errors into warnings and is
> provided to help you in reworking your config into a more secure one.
> Future Exim release (not sure about "future" though) will ignore this
> option.
>
> Debian 11 includes this patch already. Exim 4.95 will kind of officially
> support this option too. But, as said above, it is deprecated already
> today.
>
> Best regards from Dresden/Germany
> Kind regards from Dresden
> Heiko Schlittermann

--
Best wishes
Victor Ustugov                mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb           JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Victor Ustugov via Exim-users wrote on 05.05.2021 17:14:
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 16:16:
>>>>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>>>>> 4.95 as soon as possible.
>>>>>
>>>>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>>>>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>>>>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>>>>
>>>> What did you do?
>>>
>>> I built exim 4.94.2 with patch
>>> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
>>>
>>> As I remember patch for exim 4.94 based on:
>>>
>>> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
>>
>> This one isn't related to the file= feature
>
> As far as I remember I could not build exim 4.94 with
> 4a7dca52352d0976f200b89a50825433b7551554 and
> b8514d1960e259d49ab2c84c89eba52ab993da3f without
> 44644c2e404a3ea0191db0b0458e86924fb240bb
>
>> These both I located too and "backported" to 4.94.2 (as did too,
>> probably):
>>> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
>>> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f
>>
>> See the attached patches.
>
> Thanks. I'll try to build exim with these patches today evening.

Heiko, I took a look at your patches. Except for the files related to documentation and tests, our patches are identical. So no need to rebuild exim and check the patches again. Thank you again.

>> @Odhiambo: as it seems you're building your own version of Exim, we
>> recommend you the patches from Victor or mine (attached). Currently we do
>> not plan to do the backport officially, because we'll start working
>> to release 4.95 as soon as possible.

--
Best wishes
Victor Ustugov                mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb           JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] Error compile exim 4.94.2
On Wed, May 05, 2021 at 06:04:11PM +0200, Sławomir Dworaczek via Exim-users wrote:
> exim.o: In function `exim_gettime':
> exim.c:(.text+0xfbe): undefined reference to `clock_gettime'
> exim.o: In function `main':
> exim.c:(.text+0x1894): undefined reference to `clock_gettime'
> collect2: ld returned 1 exit status
> make[1]: *** [exim] Error 1
>
> gcc version 4.5.2 (GCC)

What operating system and Glibc (or other C library) version? On a Fedora 31 system:

  NAME
    clock_getres, clock_gettime, clock_settime - clock and time functions

  SYNOPSIS
    #include <time.h>

    int clock_getres(clockid_t clk_id, struct timespec *res);
    int clock_gettime(clockid_t clk_id, struct timespec *tp);
    int clock_settime(clockid_t clk_id, const struct timespec *tp);

--->  Link with -lrt (only for glibc versions before 2.17).

    Feature Test Macro Requirements for glibc (see feature_test_macros(7)):

      clock_getres(), clock_gettime(), clock_settime():
        _POSIX_C_SOURCE >= 199309L

On a FreeBSD 12.2 system these functions are in the C library, and the manpage reports:

  STANDARDS
    The clock_gettime(), clock_settime(), and clock_getres() system calls
    conform to IEEE Std 1003.1b-1993 ("POSIX.1b").

--
  Viktor.
Re: [exim] Error compile exim 4.94.2
On 05/05/2021 17:04, Sławomir Dworaczek via Exim-users wrote:
> when compiling exim 4.94.2 an error is shown, please help in solving the problem
>
> exim.o: In function `exim_gettime':
> exim.c:(.text+0xfbe): undefined reference to `clock_gettime'

You don't say what platform you are compiling on, but here on Fedora 32 /usr/include/time.h has the declaration for clock_gettime().
--
Cheers,
  Jeremy
Re: [exim] Error compile exim 4.94.2
Thanks for the response; the platform is Slackware.

regards
slawek

----- Original Message -----
From: "Jeremy Harris via Exim-users"
To:
Sent: Wednesday, May 5, 2021 6:43 PM
Subject: Re: [exim] Error compile exim 4.94.2

On 05/05/2021 17:04, Sławomir Dworaczek via Exim-users wrote:
> when compiling exim 4.94.2 an error is shown, please help in solving the problem
>
> exim.o: In function `exim_gettime':
> exim.c:(.text+0xfbe): undefined reference to `clock_gettime'

You don't say what platform you are compiling on, but here on Fedora 32 /usr/include/time.h has the declaration for clock_gettime().
--
Cheers,
  Jeremy
Re: [exim] tainted data issues
Sander Smeenk via Exim-users (Wed 05 May 2021 17:10:39 CEST):
> Quoting Jeremy Harris via Exim-users (exim-users@exim.org):
>
>> It is far too easy for someone to write a matcher which just
>> untaints everything, disabling the security. Three people
>> would do that, and one would post it on serverfault. Then
>> it would be cargo-culted forever.
>
> You mean like this 'hack'?
> https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/
>
>
> TL;DR:
>
> Late to the party I see, but I was bitten by the new 'tainted
> data' feature yesterday and after reading this thread, I too would
> really like to see that ${untaint{}{}} idea implemented.

In case you didn't notice. We've added a new but already deprecated main config option:

  allow_insecure_tainted_data = yes

For this option you need to get exim-4.94.2+fixes. This option isn't part of 4.94.2!

This option allows you to turn the taint errors into warnings and is provided to help you in reworking your config into a more secure one. Future Exim release (not sure about "future" though) will ignore this option.

Debian 11 includes this patch already. Exim 4.95 will kind of officially support this option too. But, as said above, it is deprecated already today.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
Re: [exim] Exim 4.94.2 - security update released
Cyborg via Exim-users (Wed 05 May 2021 16:56:44 CEST):
> On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
>> The details about the vulnerabilities *will* be published in the near
>> future (on http://exim.org/static/doc/security/), but not today. This
>> should give you the chance to update your systems.
> Time has run up:
> https://www.qualys.com/2021/05/04/21nails/21nails.txt

It is linked on https://exim.org already since about yesterday.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
[exim] Error compile exim 4.94.2
Hello,

when compiling exim 4.94.2 an error is shown, please help in solving the problem:

  exim.o: In function `exim_gettime':
  exim.c:(.text+0xfbe): undefined reference to `clock_gettime'
  exim.o: In function `main':
  exim.c:(.text+0x1894): undefined reference to `clock_gettime'
  collect2: ld returned 1 exit status
  make[1]: *** [exim] Error 1

  gcc version 4.5.2 (GCC)

regards
slawek
Re: [exim] prefer IPv6 over v4?
On 5/5/21 11:04 AM, Jeremy Harris via Exim-users wrote:
> On 05/05/2021 00:56, Dan Egli via Exim-users wrote:
>> Hey everyone, quick question, more an idle thought. When exim looks up a
>> mail to be delivered via remote_smtp, it seems to always prefer to use IPv4
>> even when a v6 address is available. For example, in my log I see a message
>> delivered to a gmail address. But both Source and Destination IPs are ipv4
>> format, even though dig gmail-smtp-in.l.google.com shows a ipv6 address.
>> Is there some option somewhere that can be set that will tell exim to
>> deliver to IPv6 addresses unless no such address is available, and then
>> fall back to IPv4?
>
> My system were happily using ipv6 for gmail (until I disabled it).
> I think you'd need to use exim's debug facilities to see why you're not
> getting ipv6 used, assuming you've not deliberately enforced that in your
> config.

Maybe disable_ipv6=true in your config. Or daemon not listening on the v6 address?

regards,
Olaf
--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Dipl.-Geophys. Olaf Hopp

Zirkel 2
Building 20.21, Room 316
76131 Karlsruhe

Phone: +49 721 608-48009
E-Mail: olaf.h...@kit.edu
Web: www.scc.kit.edu

Registered office: Kaiserstraße 12, 76131 Karlsruhe

KIT - The Research University in the Helmholtz Association
Re: [exim] Exim 4.94.2 - security update released
On 04.05.21 at 15:40, Heiko Schlittermann via Exim-users wrote:
> The details about the vulnerabilities *will* be published in the near
> future (on http://exim.org/static/doc/security/), but not today. This
> should give you the chance to update your systems.

Time has run up:
https://www.qualys.com/2021/05/04/21nails/21nails.txt

best regards,
Marius
Re: [exim] tainted data issues
Quoting Jeremy Harris via Exim-users (exim-users@exim.org):
> It is far too easy for someone to write a matcher which just
> untaints everything, disabling the security. Three people
> would do that, and one would post it on serverfault. Then
> it would be cargo-culted forever.

You mean like this 'hack'?
https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/

TL;DR:

  echo '*' >/etc/exim/detaint

  DETAINTFILE = /etc/exim/detaint
  BADCHARS = \N[^A-Za-z0-9_.-]+\N
  SAFEDOMAIN = ${lookup{${sg{${domain:$h_from:}}{BADCHARS}{_}}}lsearch*,ret=key{DETAINTFILE}}

... Profit!

Late to the party I see, but I was bitten by the new 'tainted data' feature yesterday and after reading this thread, I too would really like to see that ${untaint{}{}} idea implemented. I'm all for 'out of the box safety', but making it quite hard to untaint data is not very user friendly imo.

I've yet to find more situations in my config that break. That's another peeve: there is no warning or error until you run into it.

My frustration mostly comes from the fact that my config was working for years, untouched, then suddenly it doesn't anymore and there is no clear guidance on how to fix this mess, as others in this thread reported too.

My situation was much like others reported, the dkim_key lookup, and can be fixed by doing that dsearch lookup thing. Providing a list of reported taint issues and accompanying fixes like that would be of great help to people that were rockin' Exim configs for years and forgot about all the ${{acc}olade{mess}} therein.

Meh.
-Sandr.
--
| Broken pencils are pointless.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
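Putting the pieces of this thread together as an added example (not code from any poster or from the Exim project): the dkim_private_key statement Dan Egli posted in the "tainted filename issue" thread, which 4.94.2 refuses because $sender_address_domain is tainted, beside the dsearch form Sander refers to above, and the transitional main-section switch Heiko describes. The directory layout /etc/exim/DKIM/<domain>/dkim.private.key.pem and the {0} fallback are taken from Dan's message; the transport name and the selector are assumptions.

```exim
# Added example, not from the list posts. The DKIM directory layout and the
# {0} fallback follow Dan Egli's dkim_private_key statement; the transport
# name "remote_smtp" and the selector "mail" are assumed.

# Main section: the transitional switch from the exim-4.94.2+taintwarn
# branch. It only downgrades taint errors to warnings so a config can be
# reworked; it is deprecated already and later releases will ignore it, so
# it belongs in a migration window, not in a finished config.
allow_insecure_tainted_data = yes

begin transports

remote_smtp:
  driver = smtp
  dkim_domain = ${lc:$sender_address_domain}
  dkim_selector = mail

  # Tainted form (Dan's): $sender_address_domain comes from the message
  # envelope, and 4.94+ refuses to open a file whose name was built from it.
  #   dkim_private_key = ${if exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
  #                      {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}

  # Untainted form: dsearch looks for an entry named like the domain inside
  # /etc/exim/DKIM and returns that entry's name as $value. Because $value
  # was read from the filesystem rather than from the message it is not
  # tainted, so it can be used to build the path. The lookup also replaces
  # the "exists" test: if there is no such directory it fails and the {0}
  # branch disables signing, exactly as Dan's original fallback did.
  dkim_private_key = ${lookup{${lc:$sender_address_domain}}dsearch{/etc/exim/DKIM}\
                       {/etc/exim/DKIM/$value/dkim.private.key.pem}{0}}
```

The dsearch lookup only matches names that exist as directory entries, so a sender domain that has no key directory cannot steer the path anywhere else; that is the property the taint check is there to enforce, and it is what the detaint "hack" quoted above gives up by matching everything.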
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann via Exim-users wrote on 05.05.2021 16:16:
> Victor Ustugov via Exim-users (Wed 05 May 2021 14:48:20 CEST):
>> Heiko Schlittermann via Exim-users wrote on 05.05.2021 14:57:
>>> Victor Ustugov via Exim-users (Wed 05 May 2021 13:21:55 CEST):
>>>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>>>> 4.95 as soon as possible.
>>>>
>>>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>>>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>>>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>>>
>>> What did you do?
>>
>> I built exim 4.94.2 with patch
>> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
>>
>> As I remember patch for exim 4.94 based on:
>>
>> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
>
> This one isn't related to the file= feature

As far as I remember I could not build exim 4.94 with 4a7dca52352d0976f200b89a50825433b7551554 and b8514d1960e259d49ab2c84c89eba52ab993da3f without 44644c2e404a3ea0191db0b0458e86924fb240bb

> These both I located too and "backported" to 4.94.2 (as did too,
> probably):
>> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
>> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f
>
> See the attached patches.

Thanks. I'll try to build exim with these patches today evening.

> @Odhiambo: as it seems you're building your own version of Exim, we
> recommend you the patches from Victor or mine (attached). Currently we do
> not plan to do the backport officially, because we'll start working
> to release 4.95 as soon as possible.

--
Best wishes
Victor Ustugov                mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb           JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Victor Ustugov via Exim-users (Wed 05 May 2021 14:48:20 CEST):
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 14:57:
>> Victor Ustugov via Exim-users (Wed 05 May 2021 13:21:55 CEST):
>>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>>> 4.95 as soon as possible.
>>>
>>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>>
>> What did you do?
>
> I built exim 4.94.2 with patch
> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
>
> As I remember patch for exim 4.94 based on:
>
> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb

This one isn't related to the file= feature

These both I located too and "backported" to 4.94.2 (as did too, probably):
> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f

See the attached patches.

@Odhiambo: as it seems you're building your own version of Exim, we recommend you the patches from Victor or mine (attached). Currently we do not plan to do the backport officially, because we'll start working to release 4.95 as soon as possible.

--
Heiko

From 7ecb8213b1c9a6d9db1886d54cce8a60c5b0b55a Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 6 Jun 2020 14:45:47 +0100 Subject: [PATCH 1/2] Refactor lookup argument shuffling (cherry picked from commit 4a7dca52352d0976f200b89a50825433b7551554) --- src/src/expand.c| 20 +++- src/src/functions.h | 1 + src/src/match.c | 17 + src/src/search.c| 36 4 files changed, 41 insertions(+), 33 deletions(-) diff --git a/src/src/expand.c b/src/src/expand.c index 05de94c49..ad9f54402 100644 --- a/src/src/expand.c +++ b/src/src/expand.c
@@ -4391,7 +4391,7 @@ if (is_tainted(string)) goto EXPAND_FAILED; } -while (*s != 0) +while (*s) { uschar *value; uschar name[256]; @@ -4777,7 +4777,7 @@ while (*s != 0) int save_expand_nmax = save_expand_strings(save_expand_nstring, save_expand_nlength); - if ((expand_forbid & RDO_LOOKUP) != 0) + if (expand_forbid & RDO_LOOKUP) { expand_string_message = US"lookup expansions are not permitted"; goto EXPAND_FAILED; @@ -4876,21 +4876,7 @@ while (*s != 0) file types, the query (i.e. "key") starts with a file name. */ if (!key) -{ - Uskip_whitespace(); -key = filename; - -if (mac_islookup(stype, lookup_querystyle)) - filename = NULL; -else - if (*filename == '/') - { - while (*key && !isspace(*key)) key++; - if (*key) *key++ = '\0'; - } - else - filename = NULL; -} + key = search_args(stype, name, filename, ); /* If skipping, don't do the next bit - just lookup_value == NULL, as if the entry was not found. Note that there is no search_close() function. diff --git a/src/src/functions.h b/src/src/functions.h index e22fd4f99..a4914b730 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -448,6 +448,7 @@ extern voidroute_init(void); extern gstring * route_show_supported(gstring *); extern voidroute_tidyup(void); +extern uschar *search_args(int, uschar *, uschar *, uschar **); extern uschar *search_find(void *, const uschar *, uschar *, int, const uschar *, int, int, int *, const uschar *); extern int search_findtype(const uschar *, int); diff --git a/src/src/match.c b/src/src/match.c index dfb4b5148..eb8315b46 100644 --- a/src/src/match.c +++ b/src/src/match.c 
@@ -286,22 +286,7 @@ if (!cb->use_partial) partial = -1; /* Set the parameters for the three different kinds of lookup. */ -keyquery = semicolon + 1; -Uskip_whitespace(); - -if (mac_islookup(search_type, lookup_absfilequery)) - { - filename = keyquery; - while (*keyquery && !isspace(*keyquery)) keyquery++; - filename = string_copyn(filename, keyquery - filename); - Uskip_whitespace(); - } - -else if (!mac_islookup(search_type, lookup_querystyle)) - { - filename = keyquery; - keyquery = s; - } +keyquery = search_args(search_type, s, semicolon+1, ); /* Now do the actual lookup; throw away the data returned unless it was asked for; partial matching is all handled inside search_find(). Note that there is diff --git a/src/src/search.c b/src/src/search.c index f8aaacb04..125dd1c48 100644 --- a/src/src/search.c +++ b/src/src/search.c @@ -217,6 +217,42 @@ return stype; } +/* Set the parameters for the three different kinds of lookup. +Arguments: + search_type the search-type code + search the search-type string + query argument for the search; filename or query + fnamep pointer to return
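Review bot: the `-while (*s != 0)` / `+while (*s)` hunk at `@@ -4391` in src/src/expand.c, and likewise the `-if ((expand_forbid & RDO_LOOKUP) != 0)` / `+if (expand_forbid & RDO_LOOKUP)` hunk at `@@ -4777`, are style-only and change no behaviour. For a patch being carried as a backport onto 4.94.2 next to a security fix, consider dropping them so the diff stays limited to the lookup-argument change and applies cleanly; this same thread already reports conflicts when cherry-picking the companion commit.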
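Review bot: in the `@@ -4876` hunk of src/src/expand.c the replacement call is rendered as `key = search_args(stype, name, filename, );`, with an empty fourth argument, while the new prototype in src/src/functions.h takes a fourth `uschar **`. As shown it would not compile; the argument was presumably `&filename` and the `&` was lost when the mail was rendered, so anyone applying the attached patch should check this hunk against upstream commit 4a7dca52 rather than this copy. The removed code is also worth preserving as a comment at the call site: it split the query into filename and key only when the first token started with `/`, set `filename = NULL` for query-style lookups and for non-absolute names, and did the split in place (`if (*key) *key++ = '\0';`). The one-line replacement gives no hint whether search_args keeps that in-place write, and a caller holding `filename` needs to know whether it now aliases memory the helper has modified.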
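Review bot: the src/src/match.c hunk has the same rendering problem, `keyquery = search_args(search_type, s, semicolon+1, );`, and should be verified against git before applying. More substantively, the removed match.c code copied the filename out of the query with `string_copyn(filename, keyquery - filename)` for `lookup_absfilequery` types and selected that path by lookup type, whereas the removed expand.c code split in place and selected by a leading `/`. Routing both call sites through one helper means one of the two behaviours has changed; the commit message ("Refactor lookup argument shuffling") does not say which, and for a change backported onto a security release the unified rule (copy versus in-place, type test versus leading-slash test) should be stated in the commit message or in the comment on search_args.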
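Review bot: the src/src/search.c hunk is cut off in this mail after the doc comment's argument list (`fnamep pointer to return`), so the body of search_args cannot be reviewed here, and the header says this is PATCH 1/2: PATCH 2/2, which would carry the b8514d19 `file=` option the thread is actually about, is not shown at all. Anyone applying these patches should take them from the list-archive attachment or from git, not from the rendered mail body. While at it, the doc comment should also state what the function returns (the key string) and whether `*fnamep` is set to NULL for query-style lookups, as the removed expand.c code did with `filename = NULL` for `lookup_querystyle` and for non-absolute names.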
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann via Exim-users wrote on 05.05.2021 14:57:
> Victor Ustugov via Exim-users (Mi 05 Mai 2021 13:21:55 CEST):
>>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
>>> 4.95 as soon as possible.
>>
>> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
>> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
>> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>
> What did you do?

I built exim 4.94.2 with patch
https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch

As I remember, the patch for exim 4.94 is based on:

https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f

Later I ported the patch to exim 4.94+fixes.

    # exim -be '${lookup sqlite,file=/var/spool/exim/db/access.db{SELECT sender FROM awl WHERE sender="${quote_sqlite:exim-users@exim.org}";}}'
    exim-users@exim.org

> I just cherry-picked the mentioned commit
> 4a7dca52352d0976f200b89a50825433b7551554
>
> But the error didn't disappear. I'll check in more detail now.
>
> --

Best wishes
Victor Ustugov                       mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb                  JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann (Mi 05 Mai 2021 14:04:10 CEST):
> > What did you do? I just cherry-picked the mentioned commit
> > 4a7dca52352d0976f200b89a50825433b7551554
> >
> > But the error didn't disappear. I'll check in more detail now.
>
> seems to be relevant too:
> b8514d1960e259d49ab2c84c89eba52ab993da3f

Yes, then it behaves as expected, but I get several conflicts for the docbook source.

Question now is, if we want to "officially" backport these fixes. I'll ask Jeremy.

Best regards from Dresden/Germany
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) -
{fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Victor Ustugov via Exim-users (Mi 05 Mai 2021 13:21:55 CEST):
> > I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> > 4.95 as soon as possible.
>
> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).

What did you do? I just cherry-picked the mentioned commit
4a7dca52352d0976f200b89a50825433b7551554

But the error didn't disappear. I'll check in more detail now.

-- Heiko
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann (Mi 05 Mai 2021 13:57:32 CEST):
> Victor Ustugov via Exim-users (Mi 05 Mai 2021 13:21:55 CEST):
> > > I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> > > 4.95 as soon as possible.
> >
> > Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> > It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> > and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
>
> What did you do? I just cherry-picked the mentioned commit
> 4a7dca52352d0976f200b89a50825433b7551554
>
> But the error didn't disappear. I'll check in more detail now.

seems to be relevant too:
b8514d1960e259d49ab2c84c89eba52ab993da3f

-- Heiko
Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)
Heiko Schlittermann via Exim-users wrote on 05.05.2021 01:39:
> Jeremy Harris via Exim-users (Mi 05 Mai 2021 00:11:59 CEST):
>> Having made me go and look... that is what I did, in b8514d1960
>> (which is since 4.94). A comma-sep option "file=/foo" after
>> the word "sqlite".
>
> Yes, that's what I found. But I can't see this in either 4.94 or
> 4.94+fixes.
>
> @Victor: Yes, the commit *can* be backported, but first I'd like to
> understand how this syntax worked for Odhiambo with 4.94.

It depends on how Odhiambo built exim.

> And I do not want to drop the support for queries to different SQLite
> databases, but again - I'd like to understand why Odhiambo sees this
> working with 4.94.
> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> 4.95 as soon as possible.

Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).

@Odhiambo: try this patch.
https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch

This is a minimalistic variant of Jeremy's code adapted for exim 4.94+fixes and exim 4.94.2.

--
Best wishes
Victor Ustugov                       mailto:vic...@corvax.kiev.ua
Skype ID: corvax_nb                  JID: vic...@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc
Re: [exim] tainted filname issue
Dan Egli via Exim-users (Mi 05 Mai 2021 02:41:38 CEST):
> I just upgraded to 4.94.2, and most everything is working fine. But I'm
> getting an issue on DKIM signings with tainted filename. I looked over the
> list and tried to apply the same fix I've seen used before, but I guess I'm
> not understanding it. Here's my dkim_private_key statement:
>
> dkim_private_key = ${if exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
>   {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
>
> So how do I correct this? Thanks!

You didn't run 4.94 before, did you?

The $sender_address_domain is considered tainted. Now (since >= 4.94) Exim refuses to use tainted data for filenames. The "exists" doesn't de-taint the data. You need to perform a kind of lookup first, to "clean"/"de-taint" the data.

    # determine the domain to be used for signing (use the rfc5322.From
    # or schlittermann.de as a fallback)
    dkim_domain = ${lookup{${domain:${address:$h_from:}}}dsearch{$config_dir/dkim}{$value}{schlittermann.de}}
    dkim_selector = ${lookup{$dkim_domain}lsearch{$config_dir/dkim/selector}}

    # use the found signing domain and its selector to get
    # the private key
    dkim_private_key = $config_dir/dkim/$dkim_domain/$dkim_selector.pem

-- Heiko
Re: [exim] tainted filname issue
On 05/05/2021 01:41, Dan Egli via Exim-users wrote:
> dkim_private_key = ${if exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
>   {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
>
> So how do I correct this?

You look up that domain in a trusted database, so as to obtain a trusted value. This has to be done in a manner that Exim recognises: obtaining untainted data that you can use in your expansion. The "exists" check is not sufficient for this. Replace it with a "dsearch" lookup, since (currently) your trusted database is the filesystem.

--
Cheers,
  Jeremy
Re: [exim] prefer IPv6 over v4?
On 05/05/2021 00:56, Dan Egli via Exim-users wrote:
> Hey everyone, quick question, more an idle thought. When exim looks up a
> mail to be delivered via remote_smtp, it seems to always prefer to use IPv4
> even when a v6 address is available. For example, in my log I see a message
> delivered to a gmail address. But both Source and Destination IPs are ipv4
> format, even though dig gmail-smtp-in.l.google.com shows an ipv6 address. Is
> there some option somewhere that can be set that will tell exim to deliver
> to IPv6 addresses unless no such address is available, and then fall back
> to IPv4?

My system was happily using ipv6 for gmail (until I disabled it).

I think you'd need to use exim's debug facilities to see why you're not getting ipv6 used, assuming you've not deliberately enforced that in your config.

--
Cheers,
  Jeremy
Re: [exim] tainted filname issue
On 05/05/2021 02:41, Dan Egli via Exim-users wrote:
> dkim_private_key = ${if exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
>   {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}

That's a classic already searchable on the list... use dsearch like that:

    dkim_private_key = ${lookup {${dkim_selector}.${dkim_domain}.pem} dsearch,ret=full {/etc/mail/domainkeys}}

Greetings, Wolfgang
--
Wolfgang Breyha | https://www.blafasel.at/
Vienna University Computer Center | Austria
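The three replies in this thread (Heiko's, Jeremy's and Wolfgang's) make the same point: an "exists" test only asks the filesystem a yes/no question about a path built from sender-controlled data, while a dsearch lookup hands back a name that came from the administrator's own directory listing, which is why Exim treats the result as untainted. The Python model below is added here as an illustration only; it is not Exim code and not code any poster wrote. Exim's real taint tracking lives in its C string expander; these functions model the observable behaviour of the two configuration patterns. The directory layout, the key-file contents, the domain strings and the "../other" traversal input are all constructed inside the script, in a temporary directory, and are assumptions for the demonstration.

```python
"""Model of exists{} vs. dsearch on sender-controlled data.

Added illustration only: this is not Exim code.  Exim's taint tracking is
implemented in C inside its string expander; the functions below model the
observable behaviour of the two configuration patterns from the thread.
"""
import os
import tempfile
from typing import Dict, Optional

KEY_FILE = "dkim.private.key.pem"


def exists_check(base: str, sender_domain: str) -> Optional[str]:
    """The original pattern:
    ${if exists{<base>/${lc:$sender_address_domain}/dkim.private.key.pem} ...}
    The sender-controlled string is spliced straight into the path, so
    whatever the remote side put in MAIL FROM reaches the filesystem."""
    path = f"{base}/{sender_domain.lower()}/{KEY_FILE}"
    return path if os.path.exists(path) else None


def dsearch(directory: str, key: str, ret_full: bool = False) -> Optional[str]:
    """Model of ${lookup{<key>}dsearch{<directory>}} (and dsearch,ret=full).
    Exim refuses keys containing '/' and otherwise checks directory/key;
    comparing against the directory listing has the same effect and makes
    the property explicit: only a name the administrator created can come
    back, and os.listdir() never yields '.' or '..'."""
    if "/" in key:
        return None
    for entry in os.listdir(directory):
        if entry == key:
            return os.path.join(directory, entry) if ret_full else entry
    return None


def key_path_via_dsearch(base: str, sender_domain: str) -> Optional[str]:
    """Heiko's recipe: look the domain up first, then build the filename
    from the value the lookup returned, never from the raw input."""
    trusted_domain = dsearch(base, sender_domain.lower())
    if trusted_domain is None:
        return None
    return f"{base}/{trusted_domain}/{KEY_FILE}"


def demo() -> Dict[str, Optional[str]]:
    """Build a constructed layout in a temp dir and run both checks on a
    legitimate domain and on a sender-chosen traversal string:
        <tmp>/DKIM/example.com/dkim.private.key.pem   the real signing key
        <tmp>/other/dkim.private.key.pem              a file outside the tree
    """
    with tempfile.TemporaryDirectory() as tmp:
        dkim = os.path.join(tmp, "DKIM")
        for d in (os.path.join(dkim, "example.com"), os.path.join(tmp, "other")):
            os.makedirs(d)
            with open(os.path.join(d, KEY_FILE), "w") as fh:
                fh.write("placeholder, not a real key\n")  # constructed content

        legit = "Example.COM"   # $sender_address_domain as received, mixed case
        hostile = "../other"    # a string the sender chose; assumed for the demo

        return {
            "exists_legit": exists_check(dkim, legit),
            "exists_hostile": exists_check(dkim, hostile),           # path found: traversal
            "dsearch_legit": key_path_via_dsearch(dkim, legit),
            "dsearch_hostile": key_path_via_dsearch(dkim, hostile),  # None
            "dsearch_full": dsearch(dkim, "example.com", ret_full=True),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The "exists_hostile" entry is the whole argument in one line: the exists pattern happily resolves <tmp>/DKIM/../other/dkim.private.key.pem and would hand that file to the DKIM signer, while the dsearch route returns nothing because "../other" is not an entry in the DKIM directory. The ret_full case mirrors Wolfgang's dsearch,ret=full form, where the lookup itself returns the full path so no string concatenation with the input is needed at all.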