Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
Thanks to all the involved parties for clearing this up (and obviously for handling the whole thing in the first place)!

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] strip incoming messages of A-R headers that claim to be from our own
On 16/03/2023 14:53, Jim Lamers via Exim-users wrote:
> headers_remove = Authentication-Results
> headers_add = "Authentication-Results: TEST"

You might prefer to only do the (remove, add-stripped) sequence when there is an offending AR header present.
--
Cheers,
  Jeremy
Re: [exim] strip incoming messages of A-R headers that claim to be from our own
On 16/03/2023 14:53, Jim Lamers via Exim-users wrote:
> was wondering if there are better ways to remove incoming A-R headers that claim to be from our own admd?

Nope. I raised a wishlist item for it.
--
Cheers,
  Jeremy
[exim] strip incoming messages of A-R headers that claim to be from our own
Hello list,

I am sorry for creating a new thread, but I had the settings for the mailing list misconfigured and was unable to react to the thread.

I am trying to implement ARC in our Exim setup. While reading experimental-spec.txt[1] I noticed the following:

"Note that it would be wise to strip incoming messages of A-R headers that claim to be from our own ."

I have some difficulty with realizing this. I tried a few things and the closest I got to something working is:

    TEST = ${filter{$lheader_Authentication-Results:}{!match{$item}{^our-admd-identifier;}}}

    headers_remove = Authentication-Results
    headers_add = "Authentication-Results: TEST"

Removing and re-adding the Authentication Result headers does work, but using headers_add = "Authentication-Results: TEST" results in all remaining mail headers being added at one spot in the email headers.

I was wondering if there are better ways to remove incoming A-R headers that claim to be from our own admd?

[1] https://github.com/Exim/exim/blob/b07d141af23f2ab160eba2b58a834baee513b3f8/doc/doc-txt/experimental-spec.txt#L515

--
Kind Regards,
Jim
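Added example, not part of the posts above and not Exim code: the check discussed in this thread, written in Python to show the parsing involved. It goes beyond the `^our-admd-identifier;` match by also recognising an authserv-id preceded by a comment, followed by a version token, quoted, or in different case; it leaves the other headers where they were and returns a count so a rewrite is only needed when an offending A-R header is present. The function names, the sample headers and the identifier mail.example.org are assumptions made for the example, as is the case-insensitive comparison.

```python
import re

def authserv_id(value):
    """Return the authserv-id that opens an Authentication-Results value."""
    i = depth = 0
    while i < len(value):  # skip leading CFWS: whitespace and nested comments
        c = value[i]
        if c == "\\" and depth:
            i += 1  # quoted-pair inside a comment: skip the escaped char too
        elif c == "(":
            depth += 1
        elif c == ")" and depth:
            depth -= 1
        elif depth == 0 and not c.isspace():
            break
        i += 1
    rest = value[i:]
    if rest.startswith('"'):  # authserv-id given as a quoted-string
        m = re.match(r'"((?:[^"\\]|\\.)*)"', rest)
        return re.sub(r"\\(.)", r"\1", m.group(1)) if m else ""
    m = re.match(r"[^\s;()]+", rest)  # token ends at space, ';' or comment
    return m.group(0) if m else ""

def strip_own_ar(header_block, own_admd):
    """Drop A-R fields claiming own_admd; return (new_block, removed_count)."""
    # Split at newlines not followed by space/tab so folded lines stay together.
    fields = re.split(r"\r?\n(?![ \t])", header_block.strip("\r\n"))
    kept, removed = [], 0
    for field in fields:
        name, _, value = field.partition(":")
        if (name.strip().lower() == "authentication-results"
                and authserv_id(value).lower() == own_admd.lower()):
            removed += 1
            continue
        kept.append(field)  # everything else keeps its original position
    return "\n".join(kept) + "\n", removed

# Constructed sample header block (not taken from a real message).
SAMPLE = (
    "Received: from mx.example.net by mail.example.org; Thu, 16 Mar 2023\n"
    "Authentication-Results: mail.example.org; spf=pass smtp.mailfrom=example.com\n"
    "Authentication-Results: (forged) MAIL.EXAMPLE.ORG 1;\n"
    "\tdkim=pass header.d=example.com\n"
    "Authentication-Results: mx.example.net; dkim=pass header.d=example.com\n"
    "Authentication-Results: mail.example.org.other.example; spf=pass\n"
    "Subject: test\n"
)
```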
Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
Hi Andrew,

Andrew C Aitchison via Exim-users (Wed 15 Mar 2023 21:00:11 CET):
> > > www.exim.org/static/doc/security/CVE-2021-38371.txt

I'll publish your announcement there. Thank you, Andrew, for preparing it.

*But*, as we do not see this as a practical security issue, we'll place a notice there: "The Exim developers do not consider this CVE as a security problem." (Suggestions on better wording are welcome.)

Yesterday JGH and I had a short public IRC chat on this.

Best regards from Dresden/Germany
Greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -