Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
Thanks to all the involved parties for clearing this up (and obviously for handling the whole thing in the first place)! cu Andreas -- `What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.' `I sew his ears on from time to time, sure' -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] strip incoming messages of A-R headers that claim to be from our own
On 16/03/2023 14:53, Jim Lamers via Exim-users wrote: headers_remove = Authentication-Results headers_add = "Authentication-Results: TEST" You might prefer to only do the (remove, add-stripped) sequence when there is an offending AR header present. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] strip incoming messages of A-R headers that claim to be from our own
On 16/03/2023 14:53, Jim Lamers via Exim-users wrote: was wondering if there are better ways to remove incoming A-R headers that claim to be from our own admd? Nope. I raised a wishlist item for it. -- Cheers, Jeremy -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
[exim] strip incoming messages of A-R headers that claim to be from our own
Hello list,
I am sorry for creating a new thread, but i had the settings for the
mailinglist misconfigured and was unable to react to the thread.
I am trying to implement ARC in our Exim setup. While reading
experimental-spec.txt[1] I noticed the following: "Note that it would
be wise to strip incoming messages of A-R headers that claim to be
from our own ." I have some difficulty with realizing
this. I tried a few things and the closest I got to something working
is:
TEST =
${filter{$lheader_Authentication-Results:}{!match{$item}{^our-admd-identifier;}}}
headers_remove = Authentication-Results
headers_add = "Authentication-Results: TEST"
Removing and re-adding the Authentication Result headers does work,
but using headers_add = "Authtentication-Results: TEST" results in all
remaining mail headers to be added at one spot in the email headers. I
was wondering if there are better ways to remove incoming A-R headers
that claim to be from our own admd?
[1]
https://github.com/Exim/exim/blob/b07d141af23f2ab160eba2b58a834baee513b3f8/doc/doc-txt/experimental-spec.txt#L515
--
Kind Regards,
Jim
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)
Hi Andrew,
Andrew C Aitchison via Exim-users (Mi 15 Mär 2023
21:00:11 CET):
> > > www.exim.org/static/doc/security/CVE-2021-38371.txt
I'll publish your announcement there. Thank you, Andrew, for
preparing it. *But*, as we do not see this as a practical security
issue, we'll place a notice there: "The Exim developers do not consider
this CVE as a security problem." (Suggestions on better wording are
welcome.)
Yesterday JGH and me had a short public IRC chat on this.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --- key ID: F69376CE -
signature.asc
Description: PGP signature
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
