Re: [exim] How to customize the autoreply email subject?

2023-02-28 Thread Cyborg via Exim-users

On 28.02.23 at 00:27, Tony via Exim-users wrote:
 Now, the auto reply email subject starts with "*Autoreply*:", I want 
to change it. How?


Sounds like a custom rule:

grep -r -i "Autoreply" /etc/exim/*

Best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] failed expand ACL

2023-01-19 Thread Cyborg via Exim-users

On 19.01.23 at 13:47, Sławomir Dworaczek via Exim-users wrote:

hello
where is the error in the ACL?

continue = ${run{SHELL -c "echo $sender_host_address 
>>/var/spool/exim/blacklists/blocked_IPs;\N{\N echo Subject: $sender_host_address 
blocked; echo; echo for bruteforce auth cracking attempt.;\N}\N | EXIMBINARY 
WARNTO"}}{yes}{no}}

Your count of { does not match the count of }.

Tip: keep it simple

Create a bash script that you call with the host address as argument. It 
helps a lot against this kind of error.



Best regards,
Cyborg




Re: [exim] Remote Spamassassin with TLS

2023-01-12 Thread Cyborg via Exim-users

On 12.01.23 at 16:23, Patrik Peng via Exim-users wrote:

Hi all

Is it somehow possible to use TLS encrypted connections when using a 
remote Spamassassin instance while scanning at ACL time with 
`spamd_address`?


According to their man pages, spamc and spamd support TLS but I 
couldn't find any hints in Exim's docs.



If you do not find a solution, there is always the option to use 
"stunnel", a TLS-encrypting socket wrapper.

Just configure exim for your local endpoint and all is fine.

best regards,
Cyborg



Re: [exim] A study of failing tls certs, with valid certificate files

2023-01-09 Thread Cyborg via Exim-users

On 09.01.23 at 19:12, Jeremy Harris via Exim-users wrote:


If so, you should pick up commits ef57b25bfa76, a1ec98dd9637
"Symlink following for TLS creds files"
These are post-4.96 so have not hit a release yet.


I will see if the maintainer can help fedora users here.

I switched to restart exim after a renew, so solved for me.

Best regards,
Marius




[exim] A study of failing tls certs, with valid certificate files

2023-01-09 Thread Cyborg via Exim-users

Hi all,

please take this text as it is: a study of a failure you could avoid, no 
finger-pointing, no flaming, only suggestions on what to look for/change in 
your toolchains.


In early December 2022 the server in question switched its OS release 
and was restarted (exim included). In this upgrade, the following 
switch was made:


FROM:

2022-11-28T20:46:24+0100 SUBDEBUG Upgraded: exim-4.96-5.fc35.x86_64
2022-11-28T20:46:32+0100 SUBDEBUG Upgraded: *openssl-1:*1.1.1q-1.fc35.x86_64

TO:

2022-11-28T20:41:00+0100 SUBDEBUG Upgrade: *openssl-1:3*.0.5-2.fc36.x86_64
2022-11-28T20:42:54+0100 SUBDEBUG Upgrade: exim-4.96-5.fc36.x86_64

later was an update to 4.96-6

2022-12-01T08:01:27+0100 SUBDEBUG Upgrade: exim-4.96-6.fc36.x86_64
2022-12-01T08:01:45+0100 SUBDEBUG Upgraded: exim-4.96-5.fc36.x86_64

Certs are renewed by a periodic 5-day cron job (to not hurt LE too much) 
which restarts Apache, but not exim.


At that time the Let's Encrypt certificate for exim and all other 
services had these dates:


    Not Before: Oct 10 21:07:39 2022 GMT
    Not After : Jan  8 21:07:38 2023 GMT

At 0:08 on the 11th of December 2022 it was auto-renewed and switched to 
these dates:


    Not Before: Dec 10 22:08:37 2022 GMT
    Not After : Mar 10 22:08:36 2023 GMT

-rw-r- 1 root exim 1834 11 Dec 00:08 cert-1670713689.csr
-rw-r- 1 root exim 2366 11 Dec 00:08 cert-1670713689.pem

Yesterday evening at around 22:25 CET (GMT+1) openssl (via exim) 
started to spit out these messages on incoming connections:


2023-01-08 22:25:18 TLS error on connection from 
vmi395689.contaboserver.net [5.189.157.109] (SSL_accept): 
error:0A000415:SSL routines::sslv3 alert certificate expired


This was caused by the EOT of the cert loaded at the last update 
(2022-12-01) and exim not being restarted since.


This happened for the first time since Let's Encrypt was formed (we 
have used it since then), so for years by now.


ATM this exim is in use:

Name    : exim
Version : 4.96
Release : 6.fc36
Architecture: x86_64
Install Date: Thu 01 Dec 2022 08:01:27 CET
Build Date  : Tue 22 Nov 2022 15:25:30 CET

Name    : openssl
Version : 3.0.5
Release : 2.fc36
Architecture: x86_64
Install Date: Mon 28 Nov 2022 20:41:00 CET
Build Date  : Tue 01 Nov 2022 17:26:57 CET

The original cert setup looks like this:

lrwxrwxrwx 1 root root 59 17 Sep 2018  /etc/pki/tls/certs/exim.pem -> 
/etc/httpd/letsencrypt/certs/server.de/fullchain.pem
0 lrwxrwxrwx 1 root root 24 11 Dec 00:08 fullchain.pem -> 
fullchain-1670713689.pem

8 -rw-r- 1 root exim 6117 11 Dec 00:08 fullchain-1670713689.pem

/etc/pki/tls/certs/exim.pem is the default location for Fedora's exim 
package.


O== Are there more systems?

Yes, there are; this is just the one where we detected it first. So it's not 
a glitch.


O== Conclusion:

As I can't remember any downstream patches to Exim inside Fedora's 
build, something changed in how exim or openssl3 is handling the 
underlying certificate switch detection. As Exim had only a tiny minor 
switch, OpenSSL3 is my personal candidate for this.


O== Suggestions:

In this combination exim needs to be restarted when the server cert has been 
renewed, as the auto-detection is not working reliably any more.


It may be a good idea to check for a new solution inside exim, like 
auto-reloading the cert in use every 24 hours the server is running, if 
openssl3 is causing this "detection" bug.



best regards,
Marius


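The post above describes a daemon that kept serving an expired leaf certificate after the PEM files on disk had been renewed. The following is an added check, not code from the post or from Exim: it performs a minimal SMTP STARTTLS exchange, takes the certificate the server actually presents, and compares its SHA-256 fingerprint with the first certificate in the file the daemon is configured to load. A mismatch is the "restart exim after renewal" condition Marius arrived at. Host name, port and file path are illustrative assumptions; SAMPLE_CHAIN_PEM is a constructed placeholder to exercise the PEM parsing offline, not real DER.

```python
"""
Stale-TLS-credential check for a long-running MTA (added example, not Exim code).
Compares the certificate served after STARTTLS with the first certificate in a PEM
file (the leaf, for a Let's Encrypt fullchain.pem). Verification is disabled on
purpose: we want to see what is served even when it is expired.
"""
import base64
import hashlib
import re
import socket
import ssl

CERT_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def first_cert_der(pem_text: str) -> bytes:
    """DER bytes of the first CERTIFICATE block in a PEM file."""
    m = CERT_BLOCK_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM text")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as lowercase hex (same digest as openssl x509 -fingerprint -sha256)."""
    return hashlib.sha256(der).hexdigest()


def _read_reply(fh) -> tuple[int, str]:
    """Read one possibly multi-line SMTP reply; return (code, full text)."""
    lines = []
    while True:
        raw = fh.readline()
        if not raw:
            raise RuntimeError("connection closed while waiting for SMTP reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250-..." continues, "250 ..." ends
            return int(line[:3]), "\n".join(lines)


def served_cert_der(host: str, port: int = 25, timeout: float = 10.0) -> bytes:
    """Return the leaf certificate an SMTP server presents after STARTTLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fh = sock.makefile("rb")
        code, _ = _read_reply(fh)                       # 220 banner
        if code != 220:
            raise RuntimeError(f"unexpected banner code {code}")
        sock.sendall(b"EHLO cert-check.invalid\r\n")
        code, ehlo = _read_reply(fh)
        if code != 250 or "STARTTLS" not in ehlo.upper():
            raise RuntimeError("server did not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = _read_reply(fh)
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with {code}")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            tls.sendall(b"QUIT\r\n")
    return der


def needs_restart(disk_der: bytes, served_der: bytes) -> bool:
    """True when the daemon serves something other than the current on-disk leaf."""
    return fingerprint(disk_der) != fingerprint(served_der)


def _fake_pem(payload: bytes) -> str:
    # Constructed placeholder used only to exercise the PEM parsing offline.
    b64 = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


SAMPLE_CHAIN_PEM = _fake_pem(b"constructed-leaf") + _fake_pem(b"constructed-issuer")


if __name__ == "__main__":
    import sys
    # Assumed invocation: python3 cert_sync_check.py mail.example.org /etc/pki/tls/certs/exim.pem
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path, encoding="ascii") as f:
        on_disk = first_cert_der(f.read())
    served = served_cert_der(host)
    print("on disk:", fingerprint(on_disk))
    print("served :", fingerprint(served))
    stale = needs_restart(on_disk, served)
    print("RESTART NEEDED" if stale else "daemon and disk agree")
    sys.exit(1 if stale else 0)
```

Run it from the renewal hook (after the Apache restart in the 5-day cron job described above) and let a non-zero exit trigger the exim restart; a periodic run also catches the case where the hook itself was skipped.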


Re: [exim] Ideas for blocking addresses with quotation marks in them?

2022-12-27 Thread Cyborg via Exim-users

On 27.12.22 at 01:58, Jarland Donnell via Exim-users wrote:

Hey friends,

I've been getting some weird spam/virus email that seems to be causing 
an unexpected result with exim. I'll show you what I'm seeing, and I'm 
wondering if anyone has any ideas on how I can ACL out email addresses 
that actually have quotation marks in their envelope sender address.


2022-12-26 18:20:59 1p9s5q-0007aL-2S <= 
""@server12.sistemthfl[breakforfilters]ineamarket.com 
H=server12.sistemthflineamarket.com [91.234[breakforfilters].198.105] 
P=esmtps X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=no S=9286


Add ' " ' here :

  deny    message   = Restricted characters in address
     domains   = +local_domains
         local_parts   = ^[.] : ^.*[\$@%!/|] : ^.*x24 : ^.*0.44

It, if added, would deny any messages containing the " symbol. You may 
need to check, if an attempt with "x22" needs additional handling in 
this rule as for the $ char seen above.


Best regards,
Marius




Re: [exim] if you use openssl v3+ with exim

2022-12-10 Thread Cyborg via Exim-users

On 09.12.22 at 21:10, Andrew C Aitchison via Exim-users wrote:

On Fri, 9 Dec 2022, Cyborg via Exim-users wrote:


The issue is reproducible with openssl s_client directly:

openssl s_client -connect 82.218.176.66:25 -starttls smtp


I am not going to report the testssl results I got for that host:port
here, but they are very worrying.

Marius, do you have a contact for that server ?


No, for about none of them. I had 2 others detected which, if posted here, 
could create, in one case, a shitstorm about a big German food seller's IT 
capabilities ;) AFAIHBT one already handles that case.


Best regards,
Marius




Re: [exim] if you use openssl v3+ with exim

2022-12-09 Thread Cyborg via Exim-users

On 09.12.22 at 18:22, Viktor Dukhovni via Exim-users wrote:


Are there any destination domains or MX hostnames you're willing and
able to share which exhibit this issue?  If this is reproducible also
with e.g. Postfix and other MTAs, then there's nothing here for Exim
to do.  The remote server does not have an interoperable STARTTLS
implementation: something is broken on the Internet...



Guys, it was just an FYI without the FYI mark. I will add it next time :)

There is nothing exim can do or should do. It's 100% caused by outdated 
legacy servers ignoring the 2009 CVE.


The issue is reproducible with openssl s_client directly:

openssl s_client -connect 82.218.176.66:25 -starttls smtp

For that host you need to downgrade to "-tls1", as that candidate is 
extremely old :D


All you should have in mind: if you switch to openssl3, this will happen 
with a small minority of foreign mail servers. You are not the cause of 
this.


Best regards,
Marius




Re: [exim] if you use openssl v3+ with exim

2022-12-09 Thread Cyborg via Exim-users

On 09.12.22 at 13:21, Jeremy Harris via Exim-users wrote:

On 09/12/2022 10:43, Jeremy Harris via Exim-users wrote:


The message looks like a courtesy note only, saying "I'm no longer prepared to 
TLS-renegotiate this sort of connection"; something that TLS endpoints have always 
been permitted to do for any class of TLS connection, and not implying a fault. 



Having looking around the code, it does look like the "TLS session" bit
implies Exim's smtp transport, with a conn fail.  I'll investigate 
further.


It'd help to get a debug trace for such a connection, so I can see detail
on the TLS operations for re-creation of the condition.


It's not an exim error message; it comes upstream from openssl into the logs.

If a TLS connect is done to an outdated server using the old 
renegotiation method, openssl 3 ends the connection with that error message.

The root cause for this is a change in the default config compiled 
into the openssl executable. For OpenSSL 3 in 2021 they pulled in a patch 
to enable the check routine for this old renegotiation bug from 2009. 
In OpenSSL 1 it stayed turned off. Upgrading an OS from openssl 1 to 3 
will auto-enable this check and bring this error to the logs.

So, if you use openssl 3 and see this error message:

2022-12-09 10:23:22 1p3ZbF-003Bdo-2L ==   R=dnslookup 
T=remote_smtp defer (-37) H=mailin2.Z.z.z [a.b.c.d]: TLS session: 
(SSL_connect): error:0A000152:SSL routines::unsafe legacy renegotiation 
disabled


you need to contact the receiver and inform them that they are using 
outdated mail server software with age-old, MITM-enabling security holes.


best regards,
Marius







[exim] if you use openssl v3+ with exim

2022-12-09 Thread Cyborg via Exim-users


Hi all,

since Fedora switched to openssl 3 (3.0.5 atm) we encounter these messages:

TLS session: (SSL_connect): error:0A000152:SSL routines::unsafe legacy 
renegotiation disabled


This is connected to a 2009 CVE against common SSL libs (nss, openssl, 
etc.) using an insecure form of handshake.


All faulty external mail servers have in common that they are not 
up to date, as they at least do not offer TLS 1.3 encryption.

One was even TLS 1.0 only..

The question "if OpenSSL 3 is buggy or not" is under investigation atm. 
There is a workaround for the issue, but it involves introducing MITM 
attack vectors and we don't want this, do we? :) (if you need to know, 
throw me a mail).


best regards,
Marius




Re: [exim] Recall a message

2022-11-30 Thread Cyborg via Exim-users

Hi,

On 30.11.22 at 11:02, DIARRA Douba Samuel via Exim-users wrote:

Hello

I would like to enable the "recall message in exim" feature.

Now, when I try to recall, deleting the old message sent, and replacing it
with the new message, I notice that the new message is sent but the old
message always stays with the recipient while I want it to be permanently
deleted with the recipient.


What you describe is a "Cancel" mail, which is afaik only 
used/implemented by Exchange.


Best regards,
Marius



Re: [exim] Storing messages in Maildir format with symmetric encryption

2022-11-24 Thread Cyborg via Exim-users

On 24.11.22 at 09:23, Andrew C Aitchison via Exim-users wrote:



Perhaps use some sort of GPG wrapper as a transport_filter,
and do decryption client-side?


Ah.
If we use OpenPGP format then the recipient can use any
PGP-aware client to read the message.



Tried it. It's complex and it ended with all sorts of charset issues 
within the PGP mails.

But, yes, it's the only imaginable way to make it secure for all 
local/remote attack scenarios after it got encrypted.

Everything else, like the dovecot mailcrypt plugin, has loopholes:

- no protection against physical theft, unless a password for the keys is 
used and the database for the password was not stolen too
- no protection against rogue admins
- no protection against system breaches
- no protection against stolen/brute-forced credentials --> IMAP login

- only working scenario:
  attacker with non-root privileges on the system side, with read access 
to mailbox files.
  Access should only be valid for exim and dovecot themselves anyway, so 
encryption is obsolete if access rights are restricted correctly.


Of course, these are only my opinions on the topic.

best regards,
Marius




[exim] run{} string builder buggy?

2022-11-14 Thread Cyborg via Exim-users

Exim: 4.96 Fedora build

Hi,

I have had this ACL condition in use for years and it worked, but now 
it seems to fail:


  deny
    ...
    set acl_m9  = ${run{/usr/share/doc/perl-Mail-SPF/bin/spfquery $acl_m9}}
    condition   = ${if eq{$runrc}{1}{true}{false}}

for debugging I added

  warn log_message = "SPF TEST für --scope mfrom --id $sender_address --ip $sender_host_address
  warn set acl_m9  = --scope mfrom --id $sender_address --ip $sender_host_address
       set acl_m9  = ${run{/usr/share/doc/perl-Mail-SPF/bin/spfquery $acl_m9}}
       log_message = returncode {$runrc}

which gives us:

 Warning: "SPF TEST f\303\274r --scope mfrom --id X --ip Y
 Warning: returncode {255}

When I run the resulting command in bash as exim I get:

# echo $?
1

which is the expected code for an SPF fail, but in exim it is 255 because 
of this:


 /usr/share/doc/perl-Mail-SPF/bin/spfquery "--scope mfrom --id X --ip Y"

instead of :

 /usr/share/doc/perl-Mail-SPF/bin/spfquery --scope mfrom --id X --ip Y

changing the config from:

  warn set acl_m9  = --scope mfrom --id $sender_address --ip $sender_host_address
       set acl_m9  = ${run{/usr/share/doc/perl-Mail-SPF/bin/spfquery $acl_m9}}


to

  warn set acl_m9  = ${run{/usr/share/doc/perl-Mail-SPF/bin/spfquery --scope mfrom --id '$sender_address' --ip '$sender_host_address'}}


Solved it.

The thought here is: why was $acl_m9 escaped as it was inserted into 
itself, while e.g. $sender_address was not when it was used in a string?

best regards,
Marius


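Marius's observation above (a variable holding several space-separated words reaching spfquery as one argument) is what you get when a command template is split into words before any variable is expanded. The following added Python sketch, which is not Exim code and does not claim to reproduce Exim's implementation, contrasts that model with the "expand the whole string, then split" model that produces the argv he expected, and shows why the latter is the dangerous one: a value under remote control (an envelope sender) can smuggle extra arguments into the command. The variable syntax, the sample sender and the extra option name are constructed for the illustration. Check the ${run} section of the Exim spec for the behaviour of your own version.

```python
"""
Two argv-construction models for a command template with $variables
(added illustration, not Exim's code).
  split_then_expand: word boundaries are fixed before values are substituted, so a
                     value with spaces stays inside ONE argv element.
  expand_then_split: values are substituted first, so spaces inside a value become
                     new argv elements (and an empty value silently removes one).
"""
import re

VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def substitute(text: str, env: dict[str, str]) -> str:
    """Replace $name / ${name} with env[name]; unknown names expand to ''."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), ""), text)


def split_then_expand(template: str, env: dict[str, str]) -> list[str]:
    """Split on whitespace first, then expand each word on its own."""
    return [substitute(word, env) for word in template.split()]


def expand_then_split(template: str, env: dict[str, str]) -> list[str]:
    """Expand the whole template, then split the result on whitespace."""
    return substitute(template, env).split()


SPFQUERY = "/usr/share/doc/perl-Mail-SPF/bin/spfquery"


def marius_case() -> tuple[list[str], list[str]]:
    """Shape from the post: the complete option string lives in one variable.
    Returns (split_then_expand argv, expand_then_split argv)."""
    template = f"{SPFQUERY} $acl_m9"
    env = {"acl_m9": "--scope mfrom --id a@example.org --ip 192.0.2.10"}  # constructed values
    return split_then_expand(template, env), expand_then_split(template, env)


def injection_case() -> tuple[list[str], list[str]]:
    """Each value in its own variable, with a hostile envelope sender (constructed)
    that carries a space and an extra option. Returns (safe argv, unsafe argv)."""
    template = f"{SPFQUERY} --scope mfrom --id $sender_address --ip $sender_host_address"
    env = {
        "sender_address": "x@example.org --injected",
        "sender_host_address": "192.0.2.10",
    }
    return split_then_expand(template, env), expand_then_split(template, env)


if __name__ == "__main__":
    for label, (fixed_words, expanded_first) in (
        ("post", marius_case()),
        ("hostile sender", injection_case()),
    ):
        print(f"[{label}] split-then-expand -> {fixed_words}")
        print(f"[{label}] expand-then-split -> {expanded_first}")
```

In the "hostile sender" case the split-first model hands spfquery the literal string `x@example.org --injected` as a single `--id` value, which the program can reject; the expand-first model hands it `--injected` as a real option. That is the trade-off behind putting each value in its own template word, as in the fixed configuration above.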


Re: [exim] Broken pipe > MYSQL: no data found

2022-10-25 Thread Cyborg via Exim-users

On 25.10.22 at 10:50, Jeremy Harris via Exim-users wrote:

That "broken pipe" is from the "malware" ACL condition code sending
Yep, no question that it happens mid-transit of the mail to the 
external clamd.



You might prefer to only virus-scan smaller messages, by
checking $message_size.



That would be very good for attackers, don't you agree? For spam it's 
OK, but virus protection? It's a no-go.


But your suggestion, as usual, helped me to find a safe workaround for 
the issue. Sometimes all it takes is to explain the problem to someone 
else ;) THX Jeremy.



I suspect that "MYSQL: no data found" error comes from a different part


It comes from the mysql module:

# strings /usr/lib64/exim/4.96-3.fc35/lookups/mysql.so| grep MYSQL
close MYSQL connection: %s
MYSQL connection failed: %s
MYSQL: query failed: %s
*MYSQL: no data found*
MYSQL new connection: host=%s port=%d socket=%s database=%s user=%s
MYSQL using cached connection for %s
MYSQL: query was not one that returns data
MYSQL: lookup result failed: %s
MYSQL: lookup result error when checking for more results: %s
MYSQL: got unexpected more results

Best regards,
marius


[exim] Broken pipe > MYSQL: no data found

2022-10-25 Thread Cyborg via Exim-users

Hi,

Exim Version: 4.96-3

I'm curious: why does the mysql module report "no data found" when there is 
a failure on the clamd pipe?


2022-10-25 07:36:45 1onCcF-002IAu-0b malware acl condition: clamd  : 
unable to send file body to socket (83.x.x.x): Broken pipe
2022-10-25 07:36:45 1onCcF-002IAu-0b H=X [x.x.x.x] 
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no F= temporarily 
rejected after DATA: MYSQL: no data found


The pipe failure is caused IMHO by some big uncompressed TIFF files 
(22MB+) in the specific email. The targeted clamd server does not even 
note down that it had an incoming message which failed, so the 
resulting email must be "very" big if the connection breaks 
mid-transit.


What I would like to know about is the fact that the mysql module also loses 
its connection to the database, which is the normal cause of "MYSQL: no 
data found". As one can see, this leads to the uncontrolled exit of exim 
and the temporary rejection of that mail.


IMHO it would be better to not drop the DB connection and continue with 
normal processing. It would be cool if the failure of the service in use 
were available to the ACLs, so they can decide whether the message gets 
through or gets finally rejected (safety first). Both ways finalize the 
delivery of the email in one way or the other, which is good.


ATM the mail in question hangs in between and will never be successfully 
delivered. Only god and some M$ admins know how long it will stay in 
the mail queue before the sender gets a final failure notice (if he ever 
gets one).


@Jeremy: Can I work around this DB connection problem in 4.96?

Best regards,
Marius




Re: [exim] TLS session is required, but an attempt to start TLS failed

2022-10-18 Thread Cyborg via Exim-users

On 18.10.22 at 14:58, Patrick Porteous via Exim-users wrote:
I've recently started receiving the following message in my log files 
when sending to one host:


2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.196]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:45 H=example.com [###.###.###.198]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.197]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:46 H=example.com [###.###.###.194]: a TLS session is 
required, but an attempt to start TLS failed
2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp 
defer (-38) H=example.com [###.###.###.194]: a TLS session is 
required, but an attempt to start TLS failed


The error is causing email addressed to this host to hang in my queue 
and then fail to be delivered after the timeout period. My 
exim.config is set up with the following options enabled:


That's exactly what should happen: if you enforce TLS and the other side 
can't offer it, it fails.


You used:

hosts_require_tls = 
tls_tempfail_tryclear = false

in your transport. Ergo, it fails if it's not possible. And I bet 10:1 that 
whatever is used in:


tls_require_ciphers = ...

is not being offered in the external mail server's TLS offer, e.g. because 
it's a misconfigured Exchange server.


To not block your queue, you can do this:

begin retry
# Address or Domain    Error         Retries
# -----------------    -----         -------

*                      refused
*                      quota
*                      tls_required
*                      *             F,2h,15m; G,16h,1h,1.5; F,4d,6h

which instantly sends a delivery message to the sender if TLS fails.

best regards,
Marius


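Three distinct TLS failure shapes show up in the threads on this page: the "certificate expired" alert on SSL_accept from the failing-certs study, the "unsafe legacy renegotiation disabled" error on SSL_connect from the openssl v3 thread, and the "a TLS session is required, but an attempt to start TLS failed" deferral from the thread just above. They look alike in a log but call for different first actions (restart the local daemon, contact the remote operator, revisit local policy). The following added triage pass, which is not code from the posts or from Exim, classifies main-log lines into these three classes, attaches the action, and collapses retries per remote host. SAMPLE_LOG holds the lines quoted in the posts, with host names and masked IPs exactly as posted.

```python
"""
Triage of Exim main-log TLS failures (added example, not from the posts or Exim).
Each RULE is (kind, pattern, first action for the operator).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

RULES = (
    ("stale_server_cert",
     re.compile(r"\(SSL_accept\):.*certificate expired"),
     "local: daemon serves an expired cert; compare with on-disk cert, restart exim after renewal"),
    ("remote_legacy_renegotiation",
     re.compile(r"unsafe legacy renegotiation disabled"),
     "remote: peer lacks RFC 5746 secure renegotiation; notify its postmaster, keep OpenSSL defaults"),
    ("tls_policy_unmet",
     re.compile(r"a TLS session is required, but an attempt to start TLS failed"),
     "local policy: peer cannot meet hosts_require_tls/tls_require_ciphers; decide per host"),
)

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# Server-side lines say "from <host> [<ip>]", client-side lines say "H=<host> [<ip>]".
PEER_RE = re.compile(r"(?:H=|from )(\S+) \[([^\]]+)\]")


@dataclass(frozen=True)
class Finding:
    when: str
    host: str
    ip: str
    kind: str
    action: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a TLS failure line, None for anything else."""
    for kind, pattern, action in RULES:
        if pattern.search(line):
            ts = TIMESTAMP_RE.match(line)
            peer = PEER_RE.search(line)
            return Finding(
                when=ts.group(1) if ts else "",
                host=peer.group(1) if peer else "?",
                ip=peer.group(2) if peer else "?",
                kind=kind,
                action=action,
            )
    return None


def triage(lines) -> list[Finding]:
    """Classify every line, dropping the ones that are not TLS failures."""
    return [f for f in (classify(line) for line in lines) if f is not None]


def summarize(findings) -> Counter:
    """Count failures per (kind, host) so repeated retries collapse into one row."""
    return Counter((f.kind, f.host) for f in findings)


# Lines quoted in the posts on this page (recipient elided / IPs masked as posted).
SAMPLE_LOG = [
    "2023-01-08 22:25:18 TLS error on connection from vmi395689.contaboserver.net [5.189.157.109] (SSL_accept): error:0A000415:SSL routines::sslv3 alert certificate expired",
    "2022-12-09 10:23:22 1p3ZbF-003Bdo-2L == R=dnslookup T=remote_smtp defer (-37) H=mailin2.Z.z.z [a.b.c.d]: TLS session: (SSL_connect): error:0A000152:SSL routines::unsafe legacy renegotiation disabled",
    "2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is required, but an attempt to start TLS failed",
    "2022-10-18 07:12:46 someu...@example.com R=dnslookup T=remote_smtp defer (-38) H=example.com [###.###.###.194]: a TLS session is required, but an attempt to start TLS failed",
    # unrelated failure from the clamd thread; must not be classified as TLS
    "2022-10-25 07:36:45 1onCcF-002IAu-0b malware acl condition: clamd : unable to send file body to socket (83.x.x.x): Broken pipe",
]


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for (kind, host), n in summarize(findings).most_common():
        action = next(f.action for f in findings if f.kind == kind)
        print(f"{n:3d}  {kind:28s} {host:30s} {action}")
```

Feed it `tail -n 10000 /var/log/exim/main.log` instead of SAMPLE_LOG for a daily report; the point of the per-host summary is that one misconfigured peer retrying every 15 minutes does not drown the single line that says your own daemon is serving an expired certificate.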


Re: [exim] GnuTTS woes

2022-09-30 Thread Cyborg via Exim-users

On 29.09.22 at 12:19, Evgeniy Berdnikov via Exim-users wrote:



corps and gov entities, which states, that 2048 bit RSA keys, for any
purpose,*should*  not be used anymore in 2022.

  
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf?__blob=publicationFile=10

  Comment to table 3.1:

  | For a period of use beyond 2022, it is recommended to use RSA/DLIES
  | keys of 3000 bits length to achieve a consistent level of security in
  | all recommended asymmetric encryption schemes. The key length of 2000
  | bits will remain compliant with this Technical Guideline for DLIES
  | keys until the end of 2022, and also transitionally for RSA keys until
  | the end of 2023.

  So, BSI statement is significantly different from what you wrote.



"recommended" is a suggestion to do something, not an enforcement. So 
"should" is the correct form.


To shorten this up: 'You "should" use bigger keys for usage beyond 
2022, but you don't need to.' (to stay compliant with the TR)


My POV here: "why wait?". Encryption doesn't slow down today's CPUs 
any more as it did 15 years ago; same for a smartphone SoC.

best regards,
Marius




Re: [exim] GnuTTS woes

2022-09-29 Thread Cyborg via Exim-users

On 28.09.22 at 17:51, Viktor Dukhovni via Exim-users wrote:

On Wed, Sep 28, 2022 at 05:08:37PM +0200, Cyborg via Exim-users wrote:


But your key is a bit short. I suggest to upgrade it to at least 4096 bits.

I strongly disagree.  There's no need to be a crypto
exhibitionist/maximalist.  The vast majority of issuing CA RSA keys are
2048-bits.  The use of 4096-bit keys is pointless waste of CPU,



There is a BSI (the German cybersecurity agency) guideline for German 
corps and gov entities, which states that 2048 bit RSA keys, for any 
purpose, should not be used any more in 2022.

Although, it's an elliptic-curve key, so it's long enough. I did not 
consider this in my answer, my fault.


Can you state why you think that this 2048 bit key is only used for 
authentication, rather than for TLS encryption? I think it is used, as 
it's presented on port 25.


best regards,
Marius






Re: [exim] GnuTTS woes

2022-09-28 Thread Cyborg via Exim-users

On 28.09.22 at 16:28, Viktor Dukhovni via Exim-users wrote:


Ditto on port 465 and with IPv4:

 $ posttls-finger -c -lmay -Lsummary -w -o inet_protocols=ipv4 -p TLSv1.2 
"[eximtest.duckdns.org]:465"
 posttls-finger: Untrusted TLS connection established
 to eximtest.duckdns.org[172.105.179.7]:465:
 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)



Same with openssl:

TLS 1.3

openssl s_client --connect eximtest.duckdns.org:25 -starttls smtp
CONNECTED(0003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit

TLS 1.2:

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported


But your key is a bit short. I suggest upgrading it to at least 4096 bits.

best regards,
Marius




Re: [exim] problem Tainted permission to file autoreply once

2022-09-27 Thread Cyborg via Exim-users

Hi,

On 27.09.22 at 11:54, Sławomir Dworaczek via Exim-users wrote:

hello
Yeah! Maybe not elegant, but it works!
once = /var/spool/db/autoreply_${lookup mysql{select localpart from users,domains where domain='${quote_mysql:$domain}' and localpart='${quote_mysql:$local_part}' and users.domain_id=domains.domain_id}}_${lookup mysql{select domain from users,domains where domain='${quote_mysql:$domain}' and localpart='${quote_mysql:$local_part}' and users.domain_id=domains.domain_id}}.db


creates file autoreply_username_domain.com.db



From various points of view, this suggestion is the worst one you can 
have.



a) you have a shitload of files lying around if more than a handful of 
users is involved


b) it's unclear what happens if the file needed has not been created.

c) but worst of all: it's producing a filename for a file-based DB file 
from a MySQL database select, which could do all of this in a query and 
an insert


skip responder if true:

...
condition = check if respondertext exists at all for $header_to:
condition = ${lookup mysql{select '1' from responsedb where rcpt='${quote_mysql:$header_to:}' and sender='${quote_mysql:$local_part}@${quote_mysql:$domain}' and now() < (lasttime + 7*86400)}}
< this part depends on how you implemented it. It could be e.g. filling 
a variable to reuse its content in the responder router >

...

continue with

warn condition = check if respondertext exists at all for $header_to:
     condition = ${lookup mysql{insert into responsedb set rcpt='${quote_mysql:$header_to:}', sender='${quote_mysql:$local_part}@${quote_mysql:$domain}', lasttime=now(); select '1';}}
     log_message = "adding  to responder database"

This does not involve any further files and just needs the database you 
already have in use, which is way faster.






Re: [exim] SSL_renegotiate:wrong ssl version

2022-09-12 Thread Cyborg via Exim-users

On 10.09.22 at 17:06, Viktor Dukhovni via Exim-users wrote:


speaking of "case", one simple way to work around these is to issue all
SMTP commands in lower case.



Your workaround "worked". Thx..

Best regards,
Marius



[exim] SSL_renegotiate:wrong ssl version

2022-09-10 Thread Cyborg via Exim-users



Hi,

I discovered a renegotiation problem between openssl s_client and 
exim (same openssl).


This is what Exim 4.96 Release 2 on Fedora 35 logged:


2022-09-10 13:47:18 unexpected disconnection while reading SMTP command 
from (d111.x-mailer.de) [83.246.32.110] D=13s
2022-09-10 13:48:14 unexpected disconnection while reading SMTP command 
from (d111.x-mailer.de) [83.246.32.110] D=16s
2022-09-10 13:51:25 unexpected disconnection while reading SMTP command 
from (d111.x-mailer.de) [83.246.32.110] D=12s



And this happened on the client side:

# openssl s_client -connect me.target.de:25 -starttls smtp
CONNECTED(0003)

...lots of SSL info...

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2858 bytes and written 438 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
250 HELP
HELO smtp.example.com
250 smtp.target.de Hello smtp.example.com [83.246.32.110]
MAIL FROM:
250 OK
RCPT TO:
RENEGOTIATING
140149325708800:error:1420410A:SSL routines:SSL_renegotiate:wrong ssl 
version:ssl/ssl_lib.c:2143:


I tried it 3 times, every time with the same result: a renegotiation 
exactly after RCPT TO.


The certificate is fine; openssl does not seem to be able to verify it 
because it doesn't know which domain name it should have, as no hint 
was given to openssl s_client.


Any ideas why this renegotiation:

a) is started at all
b) fails
and c) how to counter this?

best regards,
Marius



Re: [exim] CVE-2022-37452

2022-08-24 Thread Cyborg via Exim-users

Am 24.08.22 um 18:14 schrieb Jeremy Harris via Exim-users:

On 24/08/2022 16:45, Ken Olum via Exim-users wrote:

How serious is CVE-2022-37452: buffer overflow for the alias list in
host_name_lookup? 


The associated bug, 2747, reported it as a segfault in the receive
process.


Besides the real impact here, if a CVE number has been assigned and it's reasonable to assume it's correct, it should be mentioned in the security section, don't you agree?

Best regards,
Marius




-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Closing off Port to non-SSL traffic

2022-06-26 Thread Cyborg via Exim-users

Am 24.06.22 um 22:45 schrieb Sebastian Nielsen via Exim-users:

Best way here is to add your users primary country to the auth_advertise_hosts 
list. Could be quite a IP list, but you can store it in a file if you want, by 
using a lookup condition.
Then if they travel to a non-approved country, they have to be without mail or 
be approved by you as administrator.



That only works for a handful of people; with thousands of customers traveling, the entire planet will be in that list sooner or later, as it simply doesn't scale well. It may work in a fixed working environment, but that's it.


Best regards,
Marius


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Closing off Port to non-SSL traffic

2022-06-26 Thread Cyborg via Exim-users

Am 24.06.22 um 08:08 schrieb Slavko via Exim-users:

That is pretty simple, just add this IP to firewall's DROP. To automatize
its banning, use fail2ban. But be aware, that they will often try from
other IP soon. I have 100 - 800 different IPs per day, most of them
have only one attempt allowed here, it is some thousands of IPs in last
24 days (maximum ipset timeout) from whole world.

In the past, some admins used tar pits: once you recognized an offending IP, you dropped the connection rate to 1 bps. That way they can't harm anyone else and don't automatically recognize that you banned them, because the connection doesn't get closed ;)

Best regards,
Marius
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] stopping spam with forged from:

2022-05-25 Thread Cyborg via Exim-users

Am 25.05.22 um 17:20 schrieb Evgeniy Berdnikov via Exim-users:

On Wed, May 25, 2022 at 08:38:32AM -0600, Chad Leigh Shire.Net LLC via 
Exim-users wrote:

What is the best strategy to combat and right out reject mail that
has the from: and the recipient address the same?  Or alternately to
force things like SPF checking against the from: in addition to the
envelope-sender?  (Not sure if that is a good idea — will it mess up
legit email from mail processors etc )

  Such a mail may be a test message that user sent to its own address.
  So blind comparison of From: and To: is not a good idea, especially taking
  into account that To: can contain several destination addresses and
  may be used as Cc: field to keep own copy of outgoing mail.

  Take a look at DMARC.

But a valid user would use SMTP-AUTH, which the spammer won't use.

So the test:  ( From == To || From in To || From in CC ) && SMTP-AUTH == FALSE  would be a valid method IMHO.


It of course requires the use of smtp-auth, but that should be enabled anyway, or the server will become (or already is) an open relay for anyone.


best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


[exim] DO NOT CLICK THE LINKS was [oss-security] Exim CVE-2019-16928 RCE using a heap-based buffer overflow

2022-05-17 Thread Cyborg via Exim-users


DO NOT click the links in that email!

JUST DELETE the  mail.


regards,
Marius


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] default certificate file /etc/exim4/exim.crt

2022-03-22 Thread Cyborg via Exim-users

Hi,

Am 22.03.22 um 09:15 schrieb Andreas Barth via Exim-users:

You need to activate MAIN_TLS_ENABLE in a configuration file. Of
course, you current way works as well.


Honestly, I think that today, not enabling TLS by default in a mail server is a complete no-go and should be changed ASAP by the distro maintainer.


exim isn't Exchange, where M$ had the example cipher list reversed, so that SSLv3 was the best cipher they offered :D, but it's an easy-to-setup config, where working TLS is just 3-4 lines of config and a simple install script hook to create a default cert. That's not magic.


It may be "ok" for an automatic system reporting some technical data, but TLS won't hurt there either, so it's no excuse for not enabling TLS by default. Not to mention that in some parts of the world it is now against data protection laws not to use TLS if personal data is transported, and real-name email addresses count as such personal data (e.g. §32 1a EU GDPR).



best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] default certificate file /etc/exim4/exim.crt

2022-03-22 Thread Cyborg via Exim-users

Am 21.03.22 um 09:45 schrieb jk-exim via Exim-users:


So it works now for me now but I still have a feeling there is something
wrong.



I suggest talking to your distribution maintainer about this, as it's not the default config you may be thinking of:


e.g. this from the Fedora example config:

# Specify the location of the Exim server's TLS certificate and private key.
# The private key must not be encrypted (password protected). You can put
# the certificate and private key in the same file, in which case you only
# need the first setting, or in separate files, in which case you need both
# options.

tls_certificate = /etc/pki/tls/certs/exim.pem
tls_privatekey = /etc/pki/tls/private/exim.pem

No macros, no defines. This one from exim's github config examples:

# SSL options. advertise TLS but don't insist on it.

tls_advertise_hosts=*
tls_certificate=/var/cert/securemail.your.site.cert
tls_privatekey=/var/cert/securemail.your.site.key
tls_verify_hosts= *

best regards,
Marius
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Limiting outside world to ports 465 and 587

2022-03-12 Thread Cyborg via Exim-users

Am 13.03.22 um 02:00 schrieb The Doctor via Exim-users:

I was wonder if it is doable that the outside world
can only see ports 587 and 465
while limiting port 25 to localhost only.



a universal solution would be:

iptables -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp -m tcp --dport 25 -j DROP

best regards,
Marius




--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Hit with some kind of hidden multiple recipients relay hack?

2022-02-25 Thread Cyborg via Exim-users

Am 24.02.22 um 22:56 schrieb Henry S. Thompson via Exim-users:

Jeremy Harris via Exim-users  writes:


Start with your log.  How was 1nKNYR-000bDv-0w submitted?

022-02-16 16:53:23
  1nKNYR-000bDv-0w <= t...@mof.gov.la H=(ogcb16c7f19.openstack local) 
[103.104.169.173] P=esmtp S=1313
  1nKNYR-000bDv-0w H=gmail-smtp-in.l.google.com [2a00:1450:400c:c07::1b] 
Network is unreachable


This means you have an open relay running, not necessarily on port 25, as the attacker did not use smtp-auth. He has sent the mails directly, unencrypted and without auth, from an external system.


How to fix:


acl_check_data:

  deny    condition = ${if eq{$authenticated_id}{} {1}{0}}
          domains   = ! +local_domains


Explanation (short version):

if $authenticated_id == "" AND target-domainname NOT IN ( local_domains ) : reject


If the sender did not use smtp-auth to send a message to an external domain name (which is everything that is not hosted on your server -> local_domains), it wasn't you and you don't want this.

If the sender doesn't use smtp-auth and wants to send it to your domain, you want to accept this message, after the usual spam checks, as it's for you.


If you have anti-spam, anti-virus or other checks, they may need to be expanded with " condition = ${if eq{$authenticated_id}{} {1}{0}}", as those rules need to work in the correct context. Changing your config accordingly can be a time-consuming task, but you need to check every single ACL to see whether it needs an expansion for an empty smtp-auth check or a correctly filled one.


And you need to advertise auth, and you need a login validator like this:

plain:
  driver = plaintext
  public_name = PLAIN
  server_prompts = :
  server_condition = "${if and { \
      {!eq{$2}{}} \
      {!eq{$3}{}} \
      {eq{1}{ ... check $2 (user) and $3 (pass) against a db or passwdfile ... }} \
    }}"
  server_set_id = $2
  server_advertise_condition = *

The condition fails if:  user="" or pass="" or  check(user,pass) fails.

The long version of this can be found in the exim docs under
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Hit with some kind of hidden multiple recipients relay hack?

2022-02-24 Thread Cyborg via Exim-users

Am 22.02.22 um 19:39 schrieb Henry S. Thompson via Exim-users:

I came back from a few days out of town to find 1000s of frozen queue
entries and my server blacklisted by gmail.  Here's a sample:


I don't have open relaying set up, at least I don't think so, and a
few online checkers agree...

How is this happening/where are the recipients coming from?

More importantly, how do I fix my exim4 configuration to stop this!



You need to post more info, i.e. the exim mainlog for this message, and you need to tell us (besides it being from China) who 103.104.169.173 <=> ogcb16c7f19.openstacklocal is: yours or an external server?


Judging just by the given header, I think you have a big open hole in your config and should shut it down now.


i.e. open delivery via port 465 or 587, or someone nicked the credentials for your mailbox.


Don't panic about Google, they will delist your server quickly once it stops spamming.


best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Running our own email server on GCP

2022-02-20 Thread Cyborg via Exim-users

Am 20.02.22 um 01:05 schrieb Terrance Devor via Exim-users:

Hello Zakaria,

I agree if port 25 is open it would work just fine, but how to get around
the fact that GCP block port 25?



... using a different hoster, of course.

best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] exim maildirsize quota calculation in the face of symlinks

2022-02-17 Thread Cyborg via Exim-users

Am 16.02.22 um 14:46 schrieb Maarten van Baarsel via Exim-users:
I'd like to say thanks for the replies, and ask for guidance how to 
put this on the feature-addition-list so that it won't be forgotten, I 
did find the problem Cyborg was alluding to in a post from a while ago :)


I had a quick look at the code but did not see a fast path to a fix.

Maarten.





Just an idea:

Calc() ...
    array = new array();
    Loop:
        file = openfile( ... );
        if file.inode.linkcounter == 1 || array.get( file.inode.id ) == NULL {
            array.put( file.inode.id );
            count file.size
        } // skip if it's a known hardlink


(note: the linkcounter check is actually obsolete, because it would not
matter. It's just for illustration. )


IMHO, it's dovecot who's causing this by adding hardlinks to files in the first place. It's not Exim's fault, even if it could avoid this "miscount" easily.


Best regards,
Marius


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
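The per-inode counting sketched in the post above, as an added Python example that is neither the poster's code nor Exim's appendfile implementation: it walks a maildir tree, counts each (device, inode) pair once so a hardlinked message is charged a single time, skips symlinks, and builds a small constructed maildir (names and sizes are made up) to show the naive and deduplicated totals side by side.

```python
import os
import stat
import tempfile


def maildir_size(root):
    """Sum the bytes of regular files below `root` two ways.

    Returns (naive, deduplicated): `naive` charges every directory entry,
    which is what a plain per-file sum does and what inflates the quota when
    one message is hardlinked into several folders; `deduplicated` charges
    each inode once, keyed by (st_dev, st_ino).  Symlinks are skipped, as
    they hold no message data of their own.
    """
    naive = 0
    deduplicated = 0
    seen = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            st = os.lstat(os.path.join(dirpath, name))  # do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            naive += st.st_size
            key = (st.st_dev, st.st_ino)
            # With st_nlink == 1 no other name can refer to this inode, so the
            # set lookup only matters for st_nlink > 1; the lookup alone would
            # also be correct, as the post's note says.
            if st.st_nlink > 1 and key in seen:
                continue  # second name of a message already counted
            seen.add(key)
            deduplicated += st.st_size
    return naive, deduplicated


def build_sample_maildir(root):
    """Constructed fixture: an INBOX with two messages, an .Archive folder that
    hardlinks the first one (as dovecot may do) and a symlink to the second."""
    inbox = os.path.join(root, "cur")
    archive = os.path.join(root, ".Archive", "cur")
    os.makedirs(inbox)
    os.makedirs(archive)
    msg1 = os.path.join(inbox, "1644999999.M1.host")
    msg2 = os.path.join(inbox, "1645000000.M2.host")
    with open(msg1, "wb") as fh:
        fh.write(b"a" * 100)
    with open(msg2, "wb") as fh:
        fh.write(b"b" * 200)
    os.link(msg1, os.path.join(archive, "1644999999.M1.host"))
    os.symlink(msg2, os.path.join(archive, "1645000000.M2.host"))


def demo():
    """Build the fixture in a temporary directory and return both totals."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_maildir(tmp)
        return maildir_size(tmp)


if __name__ == "__main__":
    naive, deduplicated = demo()
    print(f"per-entry sum: {naive} bytes, per-inode sum: {deduplicated} bytes")
```

The per-entry sum is 400 bytes (the hardlink is charged twice), the per-inode sum is 300 bytes.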


Re: [exim] exim maildirsize quota calculation in the face of symlinks

2022-02-10 Thread Cyborg via Exim-users

Am 10.02.22 um 11:55 schrieb Maarten van Baarsel via Exim-users:


I was surprised by the symlink behaviour so I'm reconsidering the use of
the dovecot plugin, but I still wanted to ask whether this behaviour is
considered OK. I've read the appendfile docs and I could find anything
explicit about symlinks. 


You will be much more puzzled when dovecot starts to make hardlinks for your email files and exim starts to count the quota differently than e.g. "du" does.

Here is a report about this behaviour and how to fix the issue:

https://marius.bloggt-in-braunschweig.de/2014/11/30/exim-hoehere-quota-durch-hardlinks/

Use deepl.com for translation from German to your desired language.

Best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Inap^Pp^Propriate File Type or Format

2022-01-21 Thread Cyborg via Exim-users

Am 21.01.22 um 11:36 schrieb Andrew C Aitchison via Exim-users:


This would be a build change, not a code change,
so although that would be ideal it isn't possible
except at the package level.


Yeah, I thought so myself. The package maintainer at the distro level should get a heads-up about the switch, so they can remove the DB files before starting the service after the update.


Best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


[exim] is the log caused by this helo name?

2022-01-21 Thread Cyborg via Exim-users

Hi,

this is a log line created by emoted or another malware:

2022-01-11 22:01:45 LOGIN authenticator failed for ([0.0.0.0]) 
[41.133.x.x]: 535 Incorrect authentication data (set_id=EmotedBot)


It shows the "hostname" used as "[0.0.0.0]", but is this really caused by e.g. this:


220 x.x.x ESMTP Exim 4.94.2 Fri, 21 Jan 2022 10:27:11 +0100
HELO [0.0.0.0]

or is it (the log line) created with another syntax I don't know yet?

best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
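The two kinds of log line shown in this post and in the open-relay thread above (an "authenticator failed" line, and a "<=" reception line without "A=") can be checked mechanically. Added Python example, not from any post on this list: it parses constructed mainlog lines (hypothetical names, documentation-range addresses) into fields, flags message ids that were accepted from a non-local host without SMTP AUTH and then routed to a non-local domain, and counts failed AUTH attempts per client IP; "example.org" and the networks in LOCAL_NETS are assumed site policy.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample mainlog lines in the shapes shown in the threads above
# (hypothetical names; all client addresses are from documentation ranges).
SAMPLE_LOG = """\
2022-02-16 16:53:23 1nKNYR-000bDv-0w <= tom@mof.example.la H=(ogcb16c7f19.openstacklocal) [203.0.113.45] P=esmtp S=1313
2022-02-16 16:53:24 1nKNYR-000bDv-0w => victim@mail.example.net R=dnslookup T=remote_smtp H=mx.mail.example.net [198.51.100.9]
2022-02-16 16:55:00 1nKNZp-000bE1-Qx <= alice@example.org H=laptop.example.org [192.0.2.7] P=esmtpsa X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no A=LOGIN:alice S=2048
2022-02-16 16:55:01 1nKNZp-000bE1-Qx => bob@mail.example.net R=dnslookup T=remote_smtp H=mx.mail.example.net [198.51.100.9]
2022-02-16 16:56:10 1nKNaa-000bF2-Ab <= partner@external.example H=mail.external.example [198.51.100.20] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=900
2022-02-16 16:56:11 1nKNaa-000bF2-Ab => carol@example.org R=localuser T=local_delivery
2022-01-11 22:01:45 LOGIN authenticator failed for ([0.0.0.0]) [203.0.113.101]: 535 Incorrect authentication data (set_id=EmotedBot)
2022-01-11 22:01:47 LOGIN authenticator failed for ([0.0.0.0]) [203.0.113.101]: 535 Incorrect authentication data (set_id=admin)
2022-01-11 22:02:03 PLAIN authenticator failed for mail.attacker.example ([0.0.0.0]) [203.0.113.102]: 535 Incorrect authentication data (set_id=postmaster)
"""

# Assumed site policy: the domains this server hosts and the networks it trusts.
LOCAL_DOMAINS = {"example.org"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "192.0.2.0/24")]

TIMESTAMP = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<rest>.*)$")
RECEIVED = re.compile(r"^(?P<id>\S+) <= (?P<sender>\S+) (?P<tail>.*)$")
DELIVERY = re.compile(r"^(?P<id>\S+) (?:=>|==|\*\*) (?P<rcpt>\S+)")
# H=host (helo) [ip], H=(helo) [ip] or H=host [ip]: take the bracketed address
# that follows the optional "(helo)" part, so a HELO of "[0.0.0.0]" is never
# mistaken for the client address.
HOST = re.compile(r"(?:^| )H=(?:[^\s(\[]+ )?(?:\([^)]*\) )?\[(?P<ip>[0-9A-Fa-f.:]+)\]")
AUTH_FAIL = re.compile(
    r"^(?P<auth>\S+) authenticator failed for (?P<helo>.*) \[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*?)(?: \(set_id=(?P<set_id>[^)]*)\))?$"
)


def split_timestamp(line):
    """Return (timestamp, remainder) for a mainlog line, or None for other text."""
    m = TIMESTAMP.match(line.rstrip("\n"))
    return (m.group("ts"), m.group("rest")) if m else None


def is_local_host(ip, local_nets=LOCAL_NETS):
    """No H= part means a local (command-line) submission; otherwise check the nets."""
    if ip is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in local_nets)


def relay_suspects(log_text, local_domains=LOCAL_DOMAINS, local_nets=LOCAL_NETS):
    """Message ids accepted from a non-local host without SMTP AUTH (no A= on the
    <= line) and then routed to a non-local recipient domain: the open-relay pattern."""
    received = {}
    suspects = []
    for line in log_text.splitlines():
        parsed = split_timestamp(line)
        if parsed is None:
            continue
        rest = parsed[1]
        m = RECEIVED.match(rest)
        if m:
            tail = m.group("tail")
            host = HOST.search(tail)
            received[m.group("id")] = {
                "ip": host.group("ip") if host else None,
                "authenticated": re.search(r"(?:^| )A=\S", tail) is not None,
            }
            continue
        m = DELIVERY.match(rest)
        if m and "@" in m.group("rcpt"):
            info = received.get(m.group("id"))
            domain = m.group("rcpt").rsplit("@", 1)[1].lower()
            if (info is not None and not info["authenticated"]
                    and not is_local_host(info["ip"], local_nets)
                    and domain not in local_domains
                    and m.group("id") not in suspects):
                suspects.append(m.group("id"))
    return suspects


def auth_failures(log_text):
    """Count failed AUTH attempts per client IP and collect the set_id values tried."""
    per_ip = Counter()
    usernames = {}
    for line in log_text.splitlines():
        parsed = split_timestamp(line)
        m = AUTH_FAIL.match(parsed[1]) if parsed else None
        if m is None:
            continue
        per_ip[m.group("ip")] += 1
        usernames.setdefault(m.group("ip"), set()).add(m.group("set_id") or "")
    return per_ip, usernames


if __name__ == "__main__":
    print("relay suspects:", relay_suspects(SAMPLE_LOG))
    counts, names = auth_failures(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failed AUTH, set_id values tried: {sorted(names[ip])}")
```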


Re: [exim] Inappropriate File Type or Format

2022-01-21 Thread Cyborg via Exim-users

Am 20.01.22 um 22:52 schrieb Jeremy Harris via Exim-users:

On 20/01/2022 18:45, Pete Long via Exim-users wrote:
failed to open DB file /var/spool/exim/db/wait-remote_smtp: 
Inappropriate file type or format


You have a corrupt DB file, or one not matching the version of DBM library
you are (now?) running with.

Stop the daemon and wait for all exim processes to finish,
then remove the file and start the daemon.


If exim "changed" to a new DB format, shouldn't exim detect and handle this internally?


best regards,
Marius Schwarz


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] sendind email to an intermittently connected host

2022-01-18 Thread Cyborg via Exim-users

Am 18.01.22 um 12:02 schrieb Odhiambo Washington via Exim-users:

Hi Leonardo,

If I were you, I'd approach the problem a different way. I remember doing
something like that with intermittently connected hosts.
I would instead just queue the messages and let p.example.com to request
for their delivery when its connection comes up.

Please refer to this link for the details:
https://plonk.de/sw/odmr/index.php



You mean something like a message box that gets pulled from the p-server when it gets online. Some office mail servers do this, so there are matching configs and software available.


IMHO, that sounds like the better option, because the message is safe in the mailbox, can be accessed from anywhere else and is available instantly when the p-server wakes up,

instead of the worst-case scenario "push mail queue": 23h 59m 59s delayed.

Best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Re-routing mail to the secondary MX server

2022-01-12 Thread Cyborg via Exim-users

Am 12.01.22 um 16:02 schrieb Dmitriy Matrosov via Exim-users:

Hi.

Is it possible to re-route certain mails on the primary server (with 
lowest MX priority)

to the secondary (the one with highest priority)?

My use case is if the recipient is not found on the primary server,
try to deliver a message to the secondary server (which is controlled 
by another person).


Thanks.



Secondary SMTP servers are backup servers with the same address setup.

Your primary should take the mail and send it to the second server, or, easier: use a subdomain for the second server and its addresses, as any subdomain can have its own MX entry. Example:


domain.com. IN MX  0 mx.domain.com
berlin.domain.com. IN MX  0 mx.berlin.domain.com


If you want one  @domain.com with two distinct servers, take it on any 
of them and reroute it :


for your secondary

secondmx:
  driver = manualroute
  domains = +local_domains
  condition = ... your condition for a message to your primary server...
  transport = remote_smtp
  route_data = mx.primary.domain.com
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

for your primary

secondmx:
  driver = manualroute
  domains = +local_domains
  condition = ... your condition for a message to your secondary server...
  transport = remote_smtp
  route_data = mx.secondary.domain.com
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more


Each one should stand BEFORE the "dnslookup" router in its version of your exim.conf, depending on the server it is on.


Best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] problem with mails in queue while config changes routers

2021-12-29 Thread Cyborg via Exim-users

Am 29.12.21 um 12:10 schrieb Jeremy Harris via Exim-users:

Each delivery attempt (re)runs the routing (hence, changes
in things like DNS will get picked up) and starts with a
clean slate as far as cached lookup results goes.


Let me specify this: the "routing process" is not equal to "the process to decide which router is used". Correct?


best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] problem with mails in queue while config changes routers

2021-12-29 Thread Cyborg via Exim-users

Am 28.12.21 um 17:04 schrieb Evgeniy Berdnikov via Exim-users:


  So, if you want to keep message in queue with periodic delivery attempts,
  you should avoid situations which Exim considers as "permanent delivery
  failure" and put message to "frozen" state.


You noticed, that the message wasn't about keeping it in the queue.
It was about changing environments while in queue.

Best regards,
Marius


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


[exim] problem with mails in queue while config changes routers

2021-12-28 Thread Cyborg via Exim-users

Version : 4.94.2
Release : 2.fc34
Architecture: x86_64

Hi,

I have found a curious problem in exim: mails that are in the queue do not update their route status on config changes.


We have these two routers, nothing fancy, besides the clever SQL to find out if a local domain in reality has an external domain:



externalmx:
  driver = dnslookup
  domains = +local_domains
  condition = .. sql for condition match on premise "domain has external mx" .. not important how that works
  transport = transportselector .. also not important ( decides to use gpg or not )
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  no_more

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = transportselector .. also not important ( decides to use gpg or not )
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8


IF the condition on "externalmx" matches, e.g. because of a wrongfully made entry in the database, but the domain does not really have an external MX, the mail ends up in the queue to be delivered later.

2021-12-27 11:47:06 1n1nWy-006Ps5-Uo <= SENDER H=ip-XXX (X) [X] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=LOGIN:X S=385112 id=X
2021-12-27 11:47:06 1n1nWy-006Ps5-Uo lowest numbered MX record points to local host: receiver.domain
2021-12-27 11:47:06 1n1nWy-006Ps5-Uo == to@receiver.domain R=externalmx defer (-1): lowest numbered MX record points to local host
2021-12-27 11:47:06 1n1nWy-006Ps5-Uo Frozen

That's fine so far.

Now, let's say at 15:00 the DB entry is removed, because someone found out that this is a wrongfully made entry, or it simply got outdated by reality (DNS TTL).


The next retry on the stored message does not recognize the necessity to switch to the now matching router.


2021-12-27 11:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 12:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 13:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 14:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 15:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 16:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 17:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 18:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 19:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 20:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 21:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 22:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-27 23:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 00:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 01:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 02:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 03:53:02 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 04:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 05:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 06:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 07:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 08:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 09:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 10:52:58 1n1nWy-006Ps5-Uo Message is frozen
2021-12-28 11:52:58 1n1nWy-006Ps5-Uo cancelled by timeout_frozen_after
2021-12-28 11:52:58 1n2A6E-00BYBW-OW <= <> R=1n1nWy-006Ps5-Uo U=exim P=local S=2395


And here it failed permanently. It was stuck on "externalmx".

The same mail, sent after 15:00, got handled correctly.

No idea how exim internally handles this, but exim does not seem to be flexible enough to react to dynamic changes in the environment. This is bad luck, because freezing the mail in the queue is exactly there to wait for things to change ;) (e.g. an external MX coming back online)


Can this already be avoided with implemented functions/settings, or is this something you need to implement in the coming exim 5?


Best regards,
Marius






--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] can send mails with swaks, not with mailx

2021-11-10 Thread Cyborg via Exim-users

Am 08.11.21 um 22:25 schrieb Carlo via Exim-users:

hi
i'm playing with a nas i've installed debian stable on, and i used to
have some scripts with mailx work to send me messages through external
providers/servers/etc till i upgraded debian: now i can't send mails
through mailx but i can through telnet and swaks: here are mailx and
swaks logs, please treat me as a true noob

ok.

this contains the message, that one ...


echo “Subject: sendmail test” | mail -vtroianica...@gmail.com
LOG: MAIN
   <=nas...@federcasapescara.it  U=root P=local S=479
➜  ~ delivering 1mk3js-0006Jf-IB
...  contains this error: You did not use SMTP-AUTH to authenticate 
yourself as a valid user:



HELP
   SMTP>> MAIL FROM:  SIZE=1515
   SMTP>> RCPT TO:
   SMTP>> DATA
   SMTP<< 250 OK
   SMTP<< 550 authentication required
   SMTP<< 503-All RCPT commands were rejected with this error:
  503-*authentication required*
  503 Valid RCPT command must precede DATA
   SMTP>> QUIT
   SMTP(close)>>
LOG: MAIN


where this:

swaks --tls --auth --tosegrete...@federcasapescara.it  --server
mail.federcasapescara.it
Username:nas...@federcasapescara.it
Password: xxx
=== Trying mail.federcasapescara.it:25...

did do SMTP-AUTH and succeeded:


  ~> AUTH LOGIN
<~  334 VXNlcm5hbWU6
  ~> bmFzb25lQGZlZGVyY2FzYXBlc2NhcmEuaXQ=
<~  334 UGFzc3dvcmQ6
  ~> Tmd1bGFtbWFtbXQxIQ==
<~  235 Authentication succeeded
  ~> MAIL FROM:
<~  250 OK
  ~> RCPT TO:
<~  250 Accepted



As simple as it can be: your "mailx" approach needs SMTP-AUTH support, or your mail server needs to allow your actual IP as a relay host without smtp-auth. If you have trouble adding smtp-auth to mailx, you could revert to an old form of authentication, pop-before-smtp, but honestly, use a better mail client if mailx can't support smtp-auth.


best regards,
Marius
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


[exim] Relayed Message: problems sending to list

2021-10-12 Thread Cyborg via Exim-users



This is a forward from:

Laura Williamson 


   Delivery incomplete

There was a temporary problem while delivering your message to exim-users@exim.org. Gmail will retry for 47 more hours. You'll be notified if the delivery fails permanently. The response was:


The MX host does not match any MX allowed by the STS policy.

I cannot write to the mailing list for the above reason, tried twice :-)

Best

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] it's always the dns

2021-10-11 Thread Cyborg via Exim-users

Am 11.10.21 um 13:42 schrieb Randy Bush via Exim-users:

yes, i know this is the wrong channel, but i seem to be unable to find
the players or the game here.

tip.psg.com used to run a secondary dns server for exim.org.  evidently,
the dns service and lots of other things changed, and i was not in the
room or was thinking of more interesting things.  so things are failing.

 rip.psg.com:/root# dig @37.221.193.62 exim.org. axfr

 ; <<>> DiG 9.16.21 <<>> @37.221.193.62 exim.org. axfr
 ; (1 server found)
 ;; global options: +cmd
 ; Transfer failed.

i looked for mailing list discussion, but the archive is useless.  if
anyone knows folk trying to manage this, please put me in touch.  or
i can just drop it.



It looks like the main site 37.221.193.62 does not host a DNS service. It's also not listed in the NS record set.


Anonymous AXFR is something most DNS servers do not allow anymore. I believe someone needs to add your DNS server to the list of allowed AXFR hosts.


Best regards,
Marius



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] bad memory allocation requested (2147483632 bytes) at string_catn 1163

2021-10-05 Thread Cyborg via Exim-users

Am 05.10.21 um 15:17 schrieb Laura Williamson via Exim-users:

Hi

Getting this error with 4.95, does not happen with 4.94.2, any idea?

Best



That's 2 GB of memory, or in 32 bit 0x7FFF aka a signed int.

Can you give some context on when it happened, e.g. high traffic, big attachment etc.?


Best regards,
Marius



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] DKIM: error message improvement

2021-10-05 Thread Cyborg via Exim-users

Am 05.10.21 um 00:46 schrieb Jeremy Harris via Exim-users:

On 04/10/2021 16:35, Cyborg via Exim-users wrote:

Fedora 33 4.92.2-1


oh that's embarrassing for me .. of course it's 4.94.2-1, F33 latest



are you sure that isn't a log message generated by your
config?  If not, can you get a repeat with debug?


That was the first thought, and it wasn't a config log entry.

I assume, it should have been "invalid signature"

Yes, I can try to debug it if you like. But if 4.95 does not even 
contain a fragment of this message,

the issue is most likely fixed already.

As long as it states "invalid signature, because ... " ( i.e. key not 
found in dns ) everything is fine.


For anyone having problems with DKIM Signatures, try this page as a 
first step:


https://dkimcore.org/tools/keycheck.html

At least you know there is or is not a key in dns.

Best regards,
Marius
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] DKIM: error message improvement

2021-10-04 Thread Cyborg via Exim-users

Am 04.10.21 um 16:32 schrieb Jeremy Harris via Exim-users:

On 04/10/2021 15:10, Cyborg via Exim-users wrote:

while investigating a DKIM problem, this messages was found:


Distro?  Version?



Fedora 33 4.92.2-1

best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


[exim] DKIM: error message improvement

2021-10-04 Thread Cyborg via Exim-users

Hi,

while investigating a DKIM problem, this message was found:


2021-10-04 14:38:43 1mXNEx-0057RV-3Q H=sender.de [sender-ip] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no rejected DKIM 1084 LAST: Mail from sender-domain.de with invalid


a) invalid what???

I think a complete message would be nice ;)

b) while you're at it:

it was a missing DNS TXT record for the selector subdomain, so the message should reflect it. If the sig is false/broken, the message created should reflect that, so that debugging problems is easier. A general "it failed" message is not helpful.


If diversification of causes is already implemented, forget b)  ;)

best regards,
Marius Schwarz





Re: [exim] Question regarding TLS SNI Certificates

2021-09-16 Thread Cyborg via Exim-users

Am 16.09.21 um 18:39 schrieb Jeremy Harris via Exim-users:


  Can any one help on this.  Is it ok to use a perl subroutine 
instead of the following


Yes, assuming you built exim with embedded perl. But you probably don't need to, so much as concisely express what you need. The obfuscation above ("foo" etc.) doesn't help us help you.




It's obvious what he wants to do, which can only work if he gets the username before this condition is used, which is not possible.

The solution is to use a sql select, which yields the path of the cert, 
just by selecting for the domainname.


It also simplifies the condition, as the "path to use, if exists" part 
is outsourced to whatever script inserts the data to this database table:


tls_certificate = ${lookup mysql{"SELECT certpath FROM certs WHERE domain='${quote_mysql:${tls_in_sni}}' order by commercial limit 1"}}
tls_privatekey = ${lookup mysql{"SELECT keypath FROM certs WHERE domain='${quote_mysql:${tls_in_sni}}' order by commercial limit 1"}}


In case you want to use a default cert, use ... '${quote_mysql:${tls_in_sni}}' REGEXP domain order by commercial, domain limit 1

and a domain entry => ".*" with the default key and cert path. Or you make an IF clause in Exim, your choice. The sort order in the above query depends on how it's organized in detail, and may or may not contain "DESC".


Best regards,
Marius



Re: [exim] Regarding handling suspened email accounts

2021-09-16 Thread Cyborg via Exim-users

Am 16.09.21 um 11:37 schrieb Sherin A via Exim-users:

Hello,

I have the following router setting for validating suspended accounts and the perl validation is working fine.

suspendedcheck:
  # check if sending user is suspended
  driver = redirect
  domains = +local_domains : $primary_hostname
  condition = ${if eq {${perl{is_suspended}{$domain_data}{$local_part}}}{yes}{no}}
  allow_fail
  allow_defer
  allow_freeze
  data = :fail: Suspended account
  no_more

But the problem is this email is still sent to the transport and delivered to the inbox. Is it supposed to simply fail?




First thought: it's not processed at all.

Do a debug run and check if it's really used:

exim -d externaldomaint...@mydomain.com < /tmp/mail.fail

Use the suspended address, fake a mail to that address and watch the router list being processed. You can see if the condition you created really ->yields<- a "true".


Best regards,
Marius



Re: [exim] Combine hosts/sender_domains in condition?

2021-09-08 Thread Cyborg via Exim-users

Am 08.09.21 um 09:31 schrieb MRob via Exim-users:



I'm not sure this is what you want but I have an "or" condition:

    condition = ${if or{\
      {match{$mime_content_type}{(?i)executable}}\
      {match{$mime_filename}{\N(?i)\.(exe|com|vbs|bat|pif|scr|hta|js|cmd|chm|cpl|jsp|reg|vbe|lnk|dll|sys|btm|dat|msi|prf|vb)$\N}}\
      }}

Here I use mime type and filename extension.


I don't think you can put hosts or sender_domains in like that:
${if or{{hosts = ...}{sender_domains = ...}}}



Of course not, you need to add those checks you need too:

or{
  {COND1}
  {COND2}
}

where COND can be one with FORANY/FORALL:

forany{}{}

   These conditions iterate over a list. The first argument is expanded
   to form the list. By default, the list separator is a colon, but it
   can be changed by the normal method (6.21).
   The second argument is interpreted as a condition that is to be
   applied to each item in the list in turn. During the interpretation
   of the condition, the current list item is placed in a variable
   called $item.

   * For forany, interpretation stops if the condition is true for
     any item, and the result of the whole condition is true. If the
     condition is false for all items in the list, the overall
     condition is false.

   * For forall, interpretation stops if the condition is false for
     any item, and the result of the whole condition is false. If the
     condition is true for all items in the list, the overall
     condition is true.

   Note that negation of forany means that the condition must be false
   for all items for the overall condition to succeed, and negation of
   forall means that the condition must be false for at least one item.
   In this example, the list separator is changed to a comma:

   ${if forany{<, $recipients}{match{$item}{^user3@}}{yes}{no}}

That way, you can parse those lists and combine the results in an OR. I think match or eq are the comparison operators you need.



Best regards,

Marius




Re: [exim] local_domains by dns

2021-09-01 Thread Cyborg via Exim-users

Am 26.08.21 um 15:35 schrieb Jan Ingvoldstad via Exim-users:


But if a domain holder changes the domain's DNS records to indicate that
delivery should happen at a different MX, it is not, ordinarily, reasonable
for a provider to override that.




Thanks for any suggestions made; they were very helpful.

I found a way:

- New Router ( top position in router chain )
- for local_domains check if they have external mx
- check if mail comes from 127.0.0.1 OR has SMTP-AUTH
(- add checks for your relayhost configs )
- send to external mx, instead of processing locally.

... continue with normal routine ...

This covers all the requirements[we had]:

local keeps being local,
external mx get mails,
and external processors of any kind can send in mail after processing.
It does not generate loops.
(and if spammers try this host, antispam setup kicks in)

and it's already confirmed working. I could say it came to me in a dream, but it was more one of those eureka moments while writing a mail about why it doesn't work :D


Unfortunately, this router needs some help from outside exim to function, as exim can't do the necessary MX checks; its logic is too complicated and not implemented. You can use perl for it (live), or build a domain list of any kind (periodic checks).


If anyone thinks this router setup has a loophole, feel free to discuss it; everyone will profit from it.


best regards,
Marius
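For the "build a domain list of any kind (periodic checks)" route, here is an added example in Python that is not from this thread or the Exim project: it classifies each hosted domain by whether one of its MX targets resolves to this host's own addresses and renders the local_domains file. The resolver, the addresses, the file path and the fail-closed handling of DNS errors are assumptions; the DNS data is constructed so it runs offline.

```python
"""Build an Exim local_domains list from DNS MX records (added example).

A hosted domain counts as local only if at least one of its MX targets
resolves to one of this host's own addresses; everything else is left to
the normal dnslookup router. The resolver is injected so the logic runs
offline against constructed DNS data; a deployment would pass a real
resolver (e.g. one built on dnspython) and write the result to the file
named by (path and lookup type are assumptions):
    domainlist local_domains = lsearch;/etc/exim/local_domains.generated
"""
from __future__ import annotations

from typing import Callable, Dict, Iterable, List, Set

# resolver(name, rtype) -> list of record strings; raises LookupError on a
# DNS failure (SERVFAIL, timeout). MX records come back as "<pref> <host>".
Resolver = Callable[[str, str], List[str]]


def mx_targets(resolver: Resolver, domain: str) -> List[str]:
    """MX target hostnames of a domain, lowest preference first.

    With no MX record RFC 5321 makes the domain's own address record the
    implicit MX, so the domain itself is returned in that case.
    """
    records = resolver(domain, "MX")
    if not records:
        return [domain.lower()]
    parsed = []
    for rec in records:
        pref, host = rec.split(None, 1)
        parsed.append((int(pref), host.rstrip(".").lower()))
    parsed.sort()
    return [host for _, host in parsed]


def resolves_to_local(resolver: Resolver, host: str, local_ips: Set[str]) -> bool:
    """True if any A/AAAA address of host is one of this server's addresses."""
    addrs = set()
    for rtype in ("A", "AAAA"):
        addrs.update(resolver(host, rtype))
    return bool(addrs & local_ips)


def classify(resolver: Resolver, domain: str, local_ips: Set[str]) -> str:
    """Return 'local', 'external', or 'unknown' when DNS could not answer."""
    try:
        targets = mx_targets(resolver, domain)
        if any(resolves_to_local(resolver, t, local_ips) for t in targets):
            return "local"
        return "external"
    except LookupError:
        return "unknown"


def classify_all(resolver: Resolver, domains: Iterable[str],
                 local_ips: Set[str]) -> Dict[str, str]:
    return {d.lower(): classify(resolver, d, local_ips) for d in domains}


def local_domains_file(statuses: Dict[str, str], keep_unknown: bool = True) -> str:
    """Render the lsearch file: one domain per line.

    A domain whose DNS lookup failed stays local by default: a transient
    resolver problem must not silently turn mail for a hosted domain into
    outbound traffic (assumption; keep_unknown=False fails the other way).
    """
    wanted = {"local", "unknown"} if keep_unknown else {"local"}
    return "".join(f"{d}\n" for d in sorted(statuses) if statuses[d] in wanted)


# Constructed DNS data for an offline run (documentation address ranges).
LOCAL_IPS = {"192.0.2.10", "2001:db8::10"}
SAMPLE_DNS = {
    ("foo.com", "MX"): ["10 mail.foo.com."],
    ("mail.foo.com", "A"): ["192.0.2.10"],
    ("mail.foo.com", "AAAA"): [],
    ("bar.com", "MX"): ["10 mx.other.example."],       # MX moved elsewhere
    ("mx.other.example", "A"): ["198.51.100.5"],
    ("mx.other.example", "AAAA"): [],
    ("baz.com", "MX"): [],                              # implicit MX
    ("baz.com", "A"): ["192.0.2.10"],
    ("baz.com", "AAAA"): [],
    ("mixed.com", "MX"): ["20 mail.foo.com.", "10 mx.other.example."],
}


def sample_resolver(name: str, rtype: str) -> List[str]:
    """Fake resolver over SAMPLE_DNS; unknown names behave like SERVFAIL."""
    try:
        return SAMPLE_DNS[(name.lower(), rtype)]
    except KeyError:
        raise LookupError(f"SERVFAIL {name} {rtype}") from None


if __name__ == "__main__":
    hosted = ["foo.com", "bar.com", "baz.com", "mixed.com", "broken.com"]
    result = classify_all(sample_resolver, hosted, LOCAL_IPS)
    for domain, status in result.items():
        print(f"{domain:12} {status}")
    print(local_domains_file(result), end="")
```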




Re: [exim] One Smart Host for certain domain

2021-08-31 Thread Cyborg via Exim-users

Am 27.08.21 um 15:35 schrieb Effendy Abdullah via Exim-users:

Hi,

How do I route to one smart host for a certain domain and all other domains to another smart host? Using WHM/cPanel with Exim.

The answer you seek is in the default config:

# Alternatively, comment out the above router and uncomment this one to
# route all mail to a smarthost instead of sending it directly to the
# intended recipients. If your smarthost requires authentication, change
# 'remote_smtp' to 'remote_msa' and set up the 'client_auth' authenticator
# later in this file. You might need to change the port number in the
# remote_msa transport.
#

begin routers

smarthost:
  driver = manualroute
  domains = ! +local_domains
  condition = ${if eq{"domainname.target"}{${domain}}}
  transport = remote_smtp
  route_data = smarthost.myisp.net
  no_more

...{repeat as often as needed}...

dnslookup:
  driver = dnslookup
  domains = ! +local_domains
...



Re: [exim] Exim on server hardware

2021-08-31 Thread Cyborg via Exim-users

Am 26.08.21 um 19:34 schrieb M.R.P. zensky via Exim-users:

Can Exim be installed on a desktop PC, or is it better to have a dedicated server?

It can, but that PC should be reachable via the internet, or you won't get mails in.


Exim itself does not use much cpu power, if that was your concern.


Best regards,
Marius



Re: [exim] local_domains by dns

2021-08-26 Thread Cyborg via Exim-users

Am 26.08.21 um 15:35 schrieb Jan Ingvoldstad via Exim-users:

On Thu, Aug 26, 2021 at 3:24 PM Evgeniy Berdnikov via Exim-users <
exim-users@exim.org> wrote:


  If somebody changes the MX to another host, he should also think about how to handle
  multiple mailboxes (hosted at the "old" place and at the "new" one),
  and what to do with already stored mails.


Yes, this is something the client/customer and host/provider ideally should
be discussing before a change.

Correct, but in reality, they don't think that far.

Quote: "We have changed mx, so your service needs to follow."

Best regards,
Marius


Re: [exim] local_domains by dns

2021-08-26 Thread Cyborg via Exim-users

Am 26.08.21 um 11:38 schrieb Evgeniy Berdnikov via Exim-users:

On Thu, Aug 26, 2021 at 10:57:49AM +0200, Cyborg via Exim-users wrote:

My actual problem is to build the content of local_domains from DNS IN MX
Records. The server shall only handle the domain as local,
if the mx is pointing to an address on the host.

  If so, then anybody making a pointer to your server in the MX record of a
  controlled domain (not your domain) could send spam to you.


No... local_domains may say that it found a matching MX for the domain, but there is no mailbox, forward or anything configured for this domain => mailbox not found, goodbye spammer.

The reason the MX should decide this is the other users on the server.

Example:

You have domain foo.com and bar.com on the same server.

If you have both foo.com and bar.com in your local_domains,
a mail sent from foo.com to bar.com is internally accepted and delivered.

If e.g. the bar.com owner changes the MX to another host, foo.com will still
deliver its mails to bar.com locally, as local_domains says so.

That's where the MX check comes in handy:

When the message comes in, local_domains may only contain the domain if the MX returns a valid IP/CNAME.
If foo.com now sends a mail for bar.com and the MX does not point to the server itself,
the message is handled as if it was never on the server, completely ignoring the (old) local config for this domain.


This scenario is a real-life problem in multi-domain hosting. If you only have a handful of domains, most of them your property or under your admin control, you won't have it and will never have thought about it. With thousands of domains and external admins just switching MX entries as they like, it becomes a problem for all those on the server who send mail to the switched domain. The users correctly assume that the server will handle this situation.







[exim] local_domains by dns

2021-08-26 Thread Cyborg via Exim-users

Hi,

the exim docs do not seem to cover the topic of "how to build" a local_domains list; they only cover the topic of "what's the syntax of a list".


My actual problem is to build the content of local_domains from DNS IN MX records. The server shall only handle the domain as local if the MX is pointing to an address on the host.

Has anyone done this?

Can it be achieved without perl script execution, which would be a performance drop at least?



best regards,
Marius




Re: [exim] Differences exim 4.93 and 4.94

2021-08-20 Thread Cyborg via Exim-users

Am 20.08.21 um 14:13 schrieb SysAdmin EM via Exim-users:

I am installing proxysql as a local cache. In a laboratory the connection
between exim and proxysql works correctly.

hide mysql_servers = 127.0.0.1::6033/database/user/pass

Exim version 4.94 #2 built 03-Aug-2020 15:07:07
Exim version 4.93 #5 built 18-Dec-2019 13:45:23


If these are your test & production servers, you're lacking several important security fixes in both. Keyword: 21Nails.


I suggest shutting them down now, before your servers get detected by Shodan or Censys. Use exim >= 4.94.2 or a backport-patched version with a build date after May 1st, 2021 only.


This would solve your problem btw.

best regards,
Marius





Re: [exim] Strange problem with the communication to ClamAV

2021-07-08 Thread Cyborg via Exim-users

Am 08.07.21 um 14:32 schrieb Luca Bertoncello via Exim-users:


As you see, I already tried to give a huge timeout in the 
communication between Exim and ClamAV, but it does not solve the 
problem...


Does someone have an idea?



You could try the tcp/ip approach:

av_scanner = clamd:127.0.0.1 3310


If that also fails in the same way, it's your clamd having a problem.

Best regards,
Marius



Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Cyborg via Exim-users

Am 05.07.21 um 14:42 schrieb Niels Kobschätzki:


  I want to automate the acting upon it. This is about damage 
mitigation when the preventive measures didn’t help.




How about:

remote_smtp:
  driver = smtp
  .include_if_exists /etc/exim/ip.conf
  transport_filter = '/usr/local/sbin/count-script.pl' '$sender_host_address' '$authenticated_id'
  ... options ...
  tls_tempfail_tryclear = false


That transport filter can do anything you like, e.g. counting the number of mails per timeframe per authid and blocking the IP, disabling the account, clearing the message queue; it can also, technically, blank the actual message, so it's not spam anymore ;)


It's not what transport filters are normally used for, but I think it would do the trick. All you need to make sure is that STDIN goes untampered to STDOUT in case the message is fine. It may drop the server performance a bit on high-traffic systems...


best regards,
Marius




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Cyborg via Exim-users

Am 05.07.21 um 13:19 schrieb Niels Kobschätzki via Exim-users:

The problem is the identification, because you usually get to know it only when the accounts are actively misused. If I get to know that users were specifically targeted, I inform them. And at 2am in the night it might already be too late (you landed yourself on blacklists) - even though you still kick them from the system.



If you don't want to use a form of 2FA, it could be impossible to identify hacked accounts before they spam.


The nature of a hacked account is that the attacker has obtained the credentials from a PC and its mail program, or via phishing. In both cases, they have a valid set of credentials, do not produce any login error (bruteforcing) and their first login is most likely the moment they start spamming.


A 2FA could add the IP to a database (file) and you only accept mails from IPs in this list + credentials. The 2FA could be a website to log in to or an Android app.


I e.g. used something different: an ip-account-timeframe threshold to detect botnets, which kicks them reliably at 2 AM before they can spam ;)


Best regards,
Marius
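Added example (not the list's or Exim's code) for the transport-filter counting idea in the previous post and the ip-account-timeframe threshold mentioned here: a Python transport filter that records (authenticated id, client address, time) for each delivery, flags an account seen from too many distinct addresses inside a window, and copies the message through unchanged. Paths, window, threshold, flag file and the script name are assumptions.

```python
"""Transport-filter style counter for spotting a phished account (added example).

Exim hands a transport filter the message on stdin and expects it back on
stdout unchanged, so the accounting below runs first, is wrapped so it can
never abort the copy, and never touches the message. An account used from
more than MAX_IPS distinct client addresses inside WINDOW seconds is written
to FLAG_FILE; hooking that into a firewall or account disable is left to the
site's tooling. Invocation as in the post (script name is an assumption):
    transport_filter = /usr/local/sbin/count-script.py $sender_host_address $authenticated_id
"""
from __future__ import annotations

import json
import os
import shutil
import sys
import time

WINDOW = 3600                                     # seconds an address stays "recent" (assumption)
MAX_IPS = 5                                       # distinct addresses per account per window (assumption)
STATE_FILE = "/var/spool/exim/authid-ips.json"    # assumption
FLAG_FILE = "/var/spool/exim/flagged-accounts"    # assumption


class IpTracker:
    """Sliding-window set of client addresses per authenticated account."""

    def __init__(self, window: int = WINDOW, max_ips: int = MAX_IPS):
        self.window = window
        self.max_ips = max_ips
        self.seen = {}          # authid -> {ip: last seen (epoch seconds)}

    def record(self, authid: str, ip: str, now: float) -> bool:
        """Note one delivery; return True when authid exceeds the threshold."""
        if not authid or not ip:
            # Unauthenticated mail, or a local submission without a client
            # address, is outside the scope of this check.
            return False
        ips = self.seen.setdefault(authid, {})
        ips[ip] = now
        for old_ip, last in list(ips.items()):      # expire addresses outside the window
            if now - last > self.window:
                del ips[old_ip]
        return len(ips) > self.max_ips

    def snapshot(self) -> dict:
        return {"window": self.window, "max_ips": self.max_ips, "seen": self.seen}

    @classmethod
    def restore(cls, data: dict) -> "IpTracker":
        t = cls(data.get("window", WINDOW), data.get("max_ips", MAX_IPS))
        t.seen = {a: dict(v) for a, v in data.get("seen", {}).items()}
        return t


def load_tracker(path: str) -> IpTracker:
    try:
        with open(path) as fh:
            return IpTracker.restore(json.load(fh))
    except (OSError, ValueError):       # first run or unreadable state: start empty
        return IpTracker()


def save_tracker(tracker: IpTracker, path: str) -> None:
    # Parallel deliveries would need a lock (fcntl.flock) around load/save;
    # omitted here to keep the example short.
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(tracker.snapshot(), fh)
    os.replace(tmp, path)


def main(argv: list) -> int:
    ip = argv[1] if len(argv) > 1 else ""
    authid = argv[2] if len(argv) > 2 else ""
    try:
        tracker = load_tracker(STATE_FILE)
        if tracker.record(authid, ip, time.time()):
            with open(FLAG_FILE, "a") as fh:
                fh.write(f"{time.strftime('%Y-%m-%d %H:%M:%S')} {authid} {ip}\n")
        save_tracker(tracker, STATE_FILE)
    except Exception as exc:            # accounting must never break delivery
        print(f"count-script: {exc}", file=sys.stderr)
    # The message itself passes through untouched (bytes, no decoding).
    shutil.copyfileobj(sys.stdin.buffer, sys.stdout.buffer)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```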






Re: [exim] IPv6 bug with reverse_host_lookup

2021-06-25 Thread Cyborg via Exim-users

Am 25.06.21 um 12:59 schrieb Jasen Betts via Exim-users:

On 2021-06-24, Cyborg via Exim-users  wrote:


# exim -be '${lookup dnsdb {ptr=2602:ff1c:1:80::50}}'
mta4.pr.judicialwatch.org

perhaps you have IPv6 lookups disabled in /etc/gai.conf?



no, it's Fedora, it does not have one and the server uses ipv6 on the web.

It only shows that the problem itself is reproducible, which helps debugging it.


@Robert: can you check if you have "disable_ipv6 = true" in your config?

best regards,
Marius



Re: [exim] IPv6 bug with reverse_host_lookup

2021-06-24 Thread Cyborg via Exim-users

Am 24.06.21 um 23:39 schrieb Jeremy Harris via Exim-users:

On 24/06/2021 19:05, Evgeniy Berdnikov via Exim-users wrote:
  The difference is that your Exim does not do IPv6 (AAAA) record lookup.
  Try to locate the reason... I'd propose to compare with pure Exim setup.


Possible reasons to not do the AAAA lookup include
- the disable_ipv6 main config option
- the dns_ipv4_lookup main config option
For anything else I'd expect something visible in debug output
(in the best case, the "lookup succeeded" line).



I forgot to tell:

disable_ipv6 = true


so no IPv6 support inside exim.

Q: shouldn't this option force exim to throw an error "it's IPv6 incoming, but you disabled it!"



best regards,
Marius



Re: [exim] IPv6 bug with reverse_host_lookup

2021-06-24 Thread Cyborg via Exim-users

Am 24.06.21 um 20:05 schrieb Evgeniy Berdnikov via Exim-users:

On Thu, Jun 24, 2021 at 01:11:40PM -0400, Robert Blayzor via Exim-users wrote:

On 6/24/21 11:54 AM, Evgeniy Berdnikov via Exim-users wrote:

   Pls, post here result of
   exim -d-all+dns+acl -bh '[2602:ff1c:1:80::50]:60631'

Exim version 4.94.2 uid=0 gid=0 pid=27354 D=24

...

looking up host name for 2602:ff1c:0001:0080:0000:0000:0000:0050
DNS lookup of
0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa.
(PTR) succeeded
Reverse DNS security status: unverified
IP address lookup yielded "mta4.pr.judicialwatch.org"
DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
checking addresses for mta4.pr.judicialwatch.org
Forward DNS security status: unverified
   192.107.243.81
no IP address for mta4.pr.judicialwatch.org matched
2602:ff1c:0001:0080:0000:0000:0000:0050
2602:ff1c:0001:0080:0000:0000:0000:0050 does not match any IP address for
mta4.pr.judicialwatch.org

  And below is output from my test host:

looking up host name for 2602:ff1c:0001:0080:0000:0000:0000:0050
DNS lookup of
0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa. (PTR)
succeeded
Reverse DNS security status: unverified
IP address lookup yielded "mta4.pr.judicialwatch.org"
DNS lookup of mta4.pr.judicialwatch.org (AAAA) succeeded
DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
checking addresses for mta4.pr.judicialwatch.org
Forward DNS security status: unverified
   2602:ff1c:1:80::50 OK

  The difference is that your Exim does not do IPv6 (AAAA) record lookup.
  Try to locate the reason... I'd propose to compare with pure Exim setup.


I just verified it on an IPv6-enabled 4.92.2 system, and it does show the exact same error as Robert gets:


host in hosts_connection_nolog? no (option unset)
LOG: smtp_connection MAIN
  SMTP connection from [2602:ff1c:0001:0080:0000:0000:0000:0050]
host in host_lookup? yes (matched "*")
looking up host name for 2602:ff1c:0001:0080:0000:0000:0000:0050
DNS lookup of
0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.0.1.0.0.0.c.1.f.f.2.0.6.2.ip6.arpa.
(PTR) succeeded

Reverse DNS security status: unverified
IP address lookup yielded "mta4.pr.judicialwatch.org"
DNS lookup of mta4.pr.judicialwatch.org (A) succeeded
checking addresses for mta4.pr.judicialwatch.org
Forward DNS security status: unverified
   192.107.243.81
no IP address for mta4.pr.judicialwatch.org matched
2602:ff1c:0001:0080:0000:0000:0000:0050
2602:ff1c:0001:0080:0000:0000:0000:0050 does not match any IP address
for mta4.pr.judicialwatch.org


# exim -be '${lookup dnsdb {ptr=2602:ff1c:1:80::50}}'
mta4.pr.judicialwatch.org

OS: Fedora 33   / systemd-resolved disabled / named in use


best regards,
Marius


Re: [exim] Exim (aoom) named in context of new TLS cross-protocol attack

2021-06-11 Thread Cyborg via Exim-users

Am 09.06.21 um 22:03 schrieb Heiko Schlittermann via Exim-users:


|smtp_max_synprot_errors|Use: main|Type: integer|Default: 3|



A small follow-up on my change of this config on a -> very low traffic <- mail server, less than 18h after activation:


2021-06-10 17:09:54 SMTP call from [134.122.7.20] dropped: too many 
syntax or protocol errors (last command was "HEAD / HTTP/1.0", NULL)
2021-06-10 17:09:55 SMTP call from [134.122.7.20] dropped: too many 
syntax or protocol errors (last command was "GET /system_api.php 
HTTP/1.1", NULL)
2021-06-10 17:09:56 SMTP call from [134.122.7.20] dropped: too many 
syntax or protocol errors (last command was "GET /c/version.js 
HTTP/1.1", NULL)
2021-06-10 17:09:58 SMTP call from [134.122.7.20] dropped: too many 
syntax or protocol errors (last command was "GET 
/streaming/clients_live.php HTTP/1.1", NULL)
2021-06-10 17:09:59 SMTP call from [134.122.7.20] dropped: too many 
syntax or protocol errors (last command was "GET 
/stalker_portal/c/version.js HTTP/1.1", NULL)
2021-06-10 17:10:01 SMTP call from [134.122.7.20] dropped: too many 
syntax or protocol errors (last command was "GET /stream/live.php 
HTTP/1.1", NULL)
2021-06-10 17:17:30 SMTP call from [138.197.154.233] dropped: too many 
syntax or protocol errors (last command was "HEAD / HTTP/1.0", NULL)
2021-06-10 17:17:31 SMTP call from [138.197.154.233] dropped: too many 
syntax or protocol errors (last command was "GET /system_api.php 
HTTP/1.1", NULL)
2021-06-10 17:17:32 SMTP call from [138.197.154.233] dropped: too many 
syntax or protocol errors (last command was "GET /system_api.php 
HTTP/1.1", NULL)
2021-06-10 17:17:34 SMTP call from [138.197.154.233] dropped: too many 
syntax or protocol errors (last command was "GET /c/version.js 
HTTP/1.1", NULL)
2021-06-10 17:17:35 SMTP call from [138.197.154.233] dropped: too many 
syntax or protocol errors (last command was "GET 
/streaming/clients_live.php HTTP/1.1", NULL)
2021-06-10 17:17:37 SMTP call from [138.197.154.233] dropped: too many 
syntax or protocol errors (last command was "GET 
/stalker_portal/c/version.js HTTP/1.1", NULL)
2021-06-10 17:17:39 SMTP call from [138.197.154.233] dropped: too many 
syntax or protocol errors (last command was "GET /client_area/ 
HTTP/1.1", NULL)
2021-06-10 17:17:40 SMTP call from [138.197.154.233] dropped: too many 
syntax or protocol errors (last command was "GET /stalker_portal/c/ 
HTTP/1.1", NULL)
2021-06-10 17:17:42 SMTP call from [138.197.154.233] dropped: too many 
syntax or protocol errors (last command was "GET /stream/live.php 
HTTP/1.1", NULL)
2021-06-10 19:08:50 SMTP call from [46.101.86.104] dropped: too many 
syntax or protocol errors (last command was "HEAD / HTTP/1.0", NULL)
2021-06-10 19:08:51 SMTP call from [46.101.86.104] dropped: too many 
syntax or protocol errors (last command was "GET /system_api.php 
HTTP/1.1", NULL)
2021-06-10 19:08:51 SMTP call from [46.101.86.104] dropped: too many 
syntax or protocol errors (last command was "GET /system_api.php 
HTTP/1.1", NULL)
2021-06-10 19:08:51 SMTP call from [46.101.86.104] dropped: too many 
syntax or protocol errors (last command was "GET /c/version.js 
HTTP/1.1", NULL)
2021-06-10 19:08:52 SMTP call from [46.101.86.104] dropped: too many 
syntax or protocol errors (last command was "GET 
/streaming/clients_live.php HTTP/1.1", NULL)
2021-06-10 19:08:52 SMTP call from [46.101.86.104] dropped: too many 
syntax or protocol errors (last command was "GET 
/stalker_portal/c/version.js HTTP/1.1", NULL)
2021-06-10 19:08:53 SMTP call from [46.101.86.104] dropped: too many 
syntax or protocol errors (last command was "GET /client_area/ 
HTTP/1.1", NULL)
2021-06-10 19:08:53 SMTP call from [46.101.86.104] dropped: too many 
syntax or protocol errors (last command was "GET /stalker_portal/c/ 
HTTP/1.1", NULL)
2021-06-10 19:08:53 SMTP call from [46.101.86.104] dropped: too many 
syntax or protocol errors (last command was "GET /stream/live.php 
HTTP/1.1", NULL)
2021-06-10 19:54:12 SMTP call from [134.122.5.182] dropped: too many 
syntax or protocol errors (last command was "HEAD / HTTP/1.0", NULL)
2021-06-10 19:54:13 SMTP call from [134.122.5.182] dropped: too many 
syntax or protocol errors (last command was "GET /system_api.php 
HTTP/1.1", NULL)
2021-06-10 19:54:14 SMTP call from [134.122.5.182] dropped: too many 
syntax or protocol errors (last command was "GET /c/version.js 
HTTP/1.1", NULL)
2021-06-10 19:54:15 SMTP call from [134.122.5.182] dropped: too many 
syntax or protocol errors (last command was "GET 
/streaming/clients_live.php HTTP/1.1", NULL)
2021-06-10 19:54:17 SMTP call from [134.122.5.182] dropped: too many 
syntax or protocol errors (last command was "GET 
/stalker_portal/c/version.js HTTP/1.1", NULL)
2021-06-10 19:54:18 SMTP call from [134.122.5.182] dropped: too many 
syntax or protocol errors (last command was "GET /stream/live.php 
HTTP/1.1", NULL)
2021-06-10 20:21:18 SMTP call from [64.225.63.33] dropped: too many 
syntax or protocol errors 

Re: [exim] Exim (aoom) named in context of new TLS cross-protocol attack

2021-06-11 Thread Cyborg via Exim-users

Am 11.06.21 um 00:37 schrieb Jeremy Harris via Exim-users:

On 10/06/2021 13:52, Cyborg via Exim-users wrote:
After reading the paper a bit closer, rejecting the entire connection 
when a HTTP headerline is detected,
seems to be only valid option here, as long as ALPN isn't implemented 
widely.


Do we need ACL-level visibilty of a synprot-rejected line?



I don't think so; as the first line of communication will be rejected, there is no SMTP happening.


Heiko's suggestion to set smtp_max_synprot_errors = 0 is the workaround to go with atm.


But, ALPN implemented by what protocols?

All but ESMTP. That's the whole point of ALPN: "You reject what's not intended for you."




The next level would be something like
- server option hosts_require_alpn
- client options hosts_offer_alpn, hosts_require_alpn
And logging.


as a consequence, yes. ATM only a few others have adopted ALPN, so you 
can plan and implement those features without any hurry.


I can imagine that gnutls, libre and openssl also need time to offer API functions to support or enable this. So it will take time anyway before it can be implemented fully. For the moment, a reject reaction on any HTTP/ header or a default of 0 protocol errors would be sufficient.


Best regards,
Marius
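Added example, not code from this thread or from Exim: Python that reads the kind of synprot-drop lines shown in the follow-up post above, groups them per client address, marks the calls whose last command is an HTTP request line and returns the addresses over a threshold. The sample log lines, the threshold and the HTTP method list are constructed assumptions.

```python
"""Group Exim's synprot-drop log lines per client (added example).

Exim writes one mainlog line per dropped call:
  <date> <time> SMTP call from [<ip>] dropped: too many syntax or protocol
  errors (last command was "<cmd>", NULL)
With smtp_max_synprot_errors = 0 the call is dropped at the first bad line,
so the quoted command is the very first thing the client sent. The functions
below pick out the calls whose command is an HTTP request line (the
cross-protocol probes in the log above), count them per address and return
the addresses that crossed a threshold, i.e. the list a firewall or
fail2ban-style rule would consume. Sample lines are constructed with
documentation addresses; threshold and method list are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

DROP_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) SMTP call from '
    r'(?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\] dropped: too many syntax or '
    r'protocol errors \(last command was "(?P<cmd>.*)", NULL\)$'
)
HTTP_RE = re.compile(r'^(GET|HEAD|POST|PUT|OPTIONS|CONNECT|DELETE) (\S+) HTTP/\d\.\d$')


@dataclass
class DroppedCall:
    ts: str
    ip: str
    cmd: str

    @property
    def http_path(self) -> Optional[str]:
        """Request path when the last command was an HTTP request line."""
        m = HTTP_RE.match(self.cmd)
        return m.group(2) if m else None


@dataclass
class ClientSummary:
    drops: int = 0          # all synprot drops from this address
    http: int = 0           # ... of which looked like HTTP
    paths: set = field(default_factory=set)
    first: str = ""
    last: str = ""


def parse_drop(line: str) -> Optional[DroppedCall]:
    """Return the dropped call described by a mainlog line, or None."""
    m = DROP_RE.match(line.rstrip("\n"))
    return DroppedCall(m["ts"], m["ip"], m["cmd"]) if m else None


def summarize(lines: Iterable[str]) -> Dict[str, ClientSummary]:
    out = defaultdict(ClientSummary)
    for line in lines:
        call = parse_drop(line)
        if call is None:            # any other mainlog line
            continue
        s = out[call.ip]
        s.drops += 1
        s.first = s.first or call.ts
        s.last = call.ts
        path = call.http_path
        if path is not None:
            s.http += 1
            s.paths.add(path)
    return dict(out)


def http_probe_sources(summary: Dict[str, ClientSummary], min_http: int = 2) -> List[str]:
    """Addresses that sent at least min_http HTTP request lines to the SMTP port."""
    return sorted(ip for ip, s in summary.items() if s.http >= min_http)


# Constructed sample, shaped like the lines in the post (documentation addresses).
SAMPLE_LOG = """\
2021-06-10 17:09:54 SMTP call from [192.0.2.20] dropped: too many syntax or protocol errors (last command was "HEAD / HTTP/1.0", NULL)
2021-06-10 17:09:55 SMTP call from [192.0.2.20] dropped: too many syntax or protocol errors (last command was "GET /system_api.php HTTP/1.1", NULL)
2021-06-10 17:09:56 SMTP call from [192.0.2.20] dropped: too many syntax or protocol errors (last command was "GET /c/version.js HTTP/1.1", NULL)
2021-06-10 17:12:03 1lrTdt-0001Ab-2f <= sender@example.net H=mail.example.net [203.0.113.5] P=esmtps S=1234
2021-06-10 17:20:11 SMTP call from scanner.example [198.51.100.7] dropped: too many syntax or protocol errors (last command was "GET / HTTP/1.1", NULL)
2021-06-10 17:31:40 SMTP call from [203.0.113.9] dropped: too many syntax or protocol errors (last command was "AUTH LOGIN", NULL)
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for ip, s in sorted(summary.items()):
        print(f"{ip:16} drops={s.drops} http={s.http} first={s.first} last={s.last} paths={sorted(s.paths)}")
    print("probe sources:", http_probe_sources(summary))
```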



Re: [exim] Exim (aoom) named in context of new TLS cross-protocol attack

2021-06-10 Thread Cyborg via Exim-users

Am 10.06.21 um 11:18 schrieb Jeremy Harris via Exim-users:


It's beyond most script-kiddies, at least.

Email has no current standard for using ALPN; do we need one?
That is suggested as mitigation for this attack.
Exim does support SNI, which is also suggested (but only
used if explicitly configured, at present, unless DANE).

We might think about tightening up on the SNI defaults.

I guess using DANE counts as another defense against this attack.


After reading the paper a bit closer, rejecting the entire connection when an HTTP header line is detected seems to be the only valid option here, as long as ALPN isn't implemented widely.


Heiko's suggestion to set smtp_max_synprot_errors = 0 is the workaround to go with atm.


I suggest to change the default in the next exim release too.

Let's check if it's reasonable to change the default:

Next to no one is sending emails by manually entering text in a telnet connection.
Normal users will use clients; clients know the SMTP protocol, so there will be no harm in changing it.


Developers who need to test things, e.g. client devs or server admins, will most likely use pre-typed scripts, because they usually need to re-execute the tests over and over again. No harm here either.


I can't see anyone who would be harmed by this change, or did I overlook something important?


@Heiko: always a pleasure, check the programme for next Tuesday, you might want to join up.


best regards,
Marius




Re: [exim] Exim (aoom) named in context of new TLS cross-protocol attack

2021-06-09 Thread Cyborg via Exim-users

Am 09.06.21 um 22:03 schrieb Heiko Schlittermann via Exim-users:

Cyborg via Exim-users  (Mi 09 Jun 2021 21:13:43 CEST):

Don't get me wrong, exim is at the top of this "best of the worst" list,
because it stops after 3 retries, but other servers like proftpd have already
reacted to this by implementing countermeasures. This can also be seen in
the mentioned figure.

The "3" is configurable:

|smtp_max_synprot_errors|Use: main|Type: integer|Default: 3|

So, if you worry about the abuse of your bandwidth and your Exim server,
then set this to zero. Should be enough to not be a part of this attack
vector, shouldn't it?



In the article, a reflection attack is mentioned, so it may be important what's coming back from the server. It may not be enough to just react only once, but we will see when more information is revealed.


I'm trying to get more info about that attack vector from the German universities which found it, and will make some tests if possible, so we see what we actually have to defend against.


best regards,
Marius



[exim] Exim (aoom) named in context of new TLS cross-protocol attack

2021-06-09 Thread Cyborg via Exim-users



Context: 
https://thehackernews.com/2021/06/new-tls-attack-lets-attackers-launch.html?


See figure 1 right column line #2

--

A few weeks ago, I suggested taking care of these freaks that redirect HTTP requests to SMTP ports, spamming logs and wasting valuable hamster time.

As it looks, these redirects can now be used to do reflection attacks and other cross-protocol attacks on servers that use the same TLS cert for different services.

I think this is a pretty good reason to end this, by silently dropping those connections as the garbage they are, and to send out a press release about it. It has three benefits: it's good PR, it's good for security and it reduces waste traffic on exim mail servers.


Don't get me wrong, exim is at the top of this "best of the worst" list, because it stops after 3 retries, but other servers like proftpd have already reacted to this by implementing countermeasures. This can also be seen in the mentioned figure.


Best regards,
Marius



[exim] ** SOLVED ** Re: missing logline, as if the delivery crashed

2021-06-02 Thread Cyborg via Exim-users

Am 02.06.21 um 11:15 schrieb Heiko Schlittermann via Exim-users:

PROBLEM 1 "the missing logline" :  **SOLVED**

it's not DHE related.


Problem 2:

This may be strong evidence for the policy change: TLS session:
(SSL_connect): error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
small

I think, this isn't related to Exim directly, as we do not require
special key sizes in the default configuration. So maybe library
defaults changed?


It's the system's crypto policy that changed, so OpenSSL refused to connect.

This was fixed by relaxing the crypto-policy back to Fedora 32.

I will continue with Fedora on this topic.

Best regards,
Marius



Re: [exim] missing logline, as if the delivery crashed

2021-06-02 Thread Cyborg via Exim-users

Am 02.06.21 um 10:23 schrieb Jeremy Harris via Exim-users:

On 02/06/2021 07:49, Cyborg via Exim-users wrote:
since an OS upgrade of Fedora, where the security policy changed, 
this happens to some connections:


2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= u...@senderdomain.de 
H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps 
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127 
id=504f250e-1b94-40f6-3d26-2011d5f54...@senderdomain.de

2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed

You will notice, that the delivery line is missing.


You're not showing a connection there; either of reception or of 
delivery.


That the delivery "=>" line is missing, is exactly the problem here.

All other valid attempts in and out have that delivery line, but this -> 
failed <- message does not have one. I have never seen this happen 
in 15 years of Exim services.


It's reliably happening if a specific server


How were those lines extracted from the log?


Manually copied and pasted. I searched for error lines between <= and 
Completed, but there are none. The "=>" is not printed to the log at all 
and there is no other error.



Do you log connection arrivals, incoming connection terminations,


Standard logs are active, so we get "<=" "=>" "**" and Completed and 
some internal warnings used for in-case-debugging of antispam problems.


Here is a typical, randomly chosen, working log:

2021-06-02 10:51:44 1loMbI-00794v-6n 
H=mta-174-90-195.senderdomain.de.sparkpostmail.com [192.174.90.195] 
Warning: processing file "" for "To: "X XXX"  
-> From: "YYY"  / 
R="YYY" "
2021-06-02 10:51:44 1loMbI-00794v-6n 
H=mta-174-90-195.senderdomain.de.sparkpostmail.com [192.174.90.195] 
Warning: send for "X XX" 
2021-06-02 10:51:48 1loMbI-00794v-6n <= 
msprvs1=18787dju2Uvig=bounces-23...@bounces.senderdomain.de 
H=mta-174-90-195.senderdomain.de.sparkpostmail.com [192.174.90.195] 
P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=76268 
id=dd.f8.45130.c9647...@ai.mta1vrest.cc.prd.sparkpost
2021-06-02 10:51:48 1loMbI-00794v-6n => /STORAGE/Maildir/ 
(i...@domain.tld)  R=virtual_user T=address_directory

2021-06-02 10:51:48 1loMbI-00794v-6n Completed

The messages in question have normal entries in those Warnings we 
additionally create, so I left them out, as they are not relevant and are 
personal information.



delivery connection attempts or terminations?


Normally everything is logged, that's exactly the point.

NOW, AFTER I downgraded the crypto-policy of Fedora back to F32, the 
delivery of these messages from the named server is processed and fully 
logged again.


My guess is, we just found a bug in the processing of the DH KEY TOO SMALL 
error OpenSSL throws on incoming connections, where the error avoids 
getting logged.


We are talking about a mailcluster with thousands of mailboxes, which 
had no problems with >99% of all incoming/outgoing mails when the new 
crypto-policy was active. That <1% of mailservers "seem" to have the same 
DHE problem.


After I switched back to the F32 policy and restarted Exim, those remote 
mailservers with the "DH key too small" error (problem 2) did use DHE 
ciphers. I'm pretty sure, the original problem is a config error either 
in Fedora's OpenSSL default config (never changed it manually) or the 
remote server's DHE exchange is misconfigured.


If someone knows how to tell openssl s_client to simulate or detect 
this zero sized DH key, I can run tests on those servers to find out more.


best regards,
Marius




Re: [exim] UPDATE: missing logline, as if the delivery crashed

2021-06-02 Thread Cyborg via Exim-users

Am 02.06.21 um 08:49 schrieb Cyborg via Exim-users:


Exim:  4.94.2   Fedora 33
Openssl: 1.1.1k-1

Hi,

Problem 1:

since an OS upgrade of Fedora, where the security policy changed, this 
happens to some connections:


2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= u...@senderdomain.de 
H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps 
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127 
id=504f250e-1b94-40f6-3d26-2011d5f54...@senderdomain.de

2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed

You will notice, that the delivery line is missing.



UPDATE:

After lowering the security policy back to Fedora 32, the sending 
mailserver does not cause this bug anymore, which it did reliably before.


The missing error logline, for whatever happened inside Exim, still 
remains and needs investigation.



WORKAROUND:

@Anyone have the same problems:

update-crypto-policies --set DEFAULT:FEDORA32;systemctl restart exim


best regards,
Marius



[exim] missing logline, as if the delivery crashed

2021-06-02 Thread Cyborg via Exim-users


Exim:  4.94.2   Fedora 33
Openssl: 1.1.1k-1

Hi,

Problem 1:

since an OS upgrade of Fedora, where the security policy changed, this 
happens to some connections:


2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= u...@senderdomain.de 
H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps 
X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127 
id=504f250e-1b94-40f6-3d26-2011d5f54...@senderdomain.de

2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed

You will notice, that the delivery line is missing.

There is no error, no warning, no nothing that explains what happens.

As this server has run this exact Exim version of Fedora 33 packages due 
to 21Nails before the OS update without such problems (those packages 
actually did not update at all), I think the OS security policy of 
Fedora 33 is causing this, but I can't prove it.


As I can't reproduce it with any of our other Exims as source, how can 
we find out what happened to these mails?

Which log option is to be enabled to get more info here?

Problem 2:

This may be strong evidence for the policy change: TLS session: 
(SSL_connect): error:141A318A:SSL routines:tls_process_ske_dhe:dh key 
too small


It also happens since the OS upgrade. It is an indicator, that the 
remote SMTP server does not have its setup straight (DH key size = 0 
according to Debian).


I checked it by lowering the policy back to Fedora 32 and now the server 
can send mails to the previously erroring servers again.





Re: [exim] TLS error no shared cipher with SSL_accept: error in error

2021-05-31 Thread Cyborg via Exim-users

Am 31.05.21 um 13:44 schrieb Marcin Gryszkalis via Exim-users:

Hi, I have problem with one server connecting to my exim.
Just after Client Hello server sends "Handshake Failure" and closes 
connection.


exim's cipher list is wide 
ALL:!EXPORT:!DES:!RC2:!RC4:!MD5:!PSK:!aNULL:!eNULL:!EXP:!SRP:!DSS:!DHE:!3DES
and contains ciphers that are mentioned by client, the same for 
curves, signatures etc. The only difference is extended_master_secret 
is not supported by exim but I guess it should be ignored.




The client did not offer a cipher you have allowed.

You can do various tests to find out with openssl's s_client:

First find out, what you would offer with openssl:

$ openssl ciphers

Now you can compare it with the list the client sends, or you do it the 
hard way and test it manually:


Examples:

$ openssl s_client --connect c1:25 -starttls smtp -ssl3
CONNECTED(0003)
140007688099648:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert 
handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40


2021-05-31 14:32:15 TLS error on connection from (mail.example.com) 
[XXX] (SSL_accept (SSLv3)): error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported protocol



$ openssl s_client --connect c1:25 -starttls smtp -tls1 -cipher 
RSA-PSK-AES128-CBC-SHA  ( this one would work with tls1_3+ only )

CONNECTED(0003)
140164130756416:error:141A90B5:SSL routines:ssl_cipher_list_to_bytes:no 
ciphers available:ssl/statem/statem_clnt.c:3801:No ciphers enabled for 
max supported SSL/TLS version


2021-05-31 14:34:42 TLS error on connection from (mail.example.com) 
[XXX] (SSL_accept): error:140940F4:SSL 
routines:ssl3_read_bytes:unexpected message


TLS 1.3:

$ openssl s_client --connect c1:25 -starttls smtp -tls1_3 -cipher 
RSA-PSK-AES128-CBC-SHA


best regards,
Marius



Re: [exim] discard mail from all local users except

2021-05-31 Thread Cyborg via Exim-users

Am 31.05.21 um 09:25 schrieb Evgeniy Berdnikov via Exim-users:

On Mon, May 31, 2021 at 01:57:26PM +0700, Victor Sudakov via Exim-users wrote:

Here is -d+lookup: https://termbin.com/08fv

  Lookup failed. Have you string "r...@http1.hiddendomain.com" in this file?
  Check it by hands: exim -be '${lookup {r...@http1.hiddendomain.com} ...}'.

next question: is the format of the file content correct?

Best regards,
Marius



Re: [exim] IRC channel for Exim

2021-05-27 Thread Cyborg via Exim-users

Am 27.05.21 um 21:23 schrieb Heiko Schlittermann via Exim-users:



You should know, that there was a bridge to Matrix already working in the
freenode system. It had some minor bugs, but all was mirrored from IRC to
Matrix.

For me this bridge was unidirectional only, it didn't send my Matrix
messages to IRC/freenode.


The bridge Fedora used did work "better", but differently. BTW, Fedora 
moved over to Libera too, and announced it a few minutes ago.

*By any Matrix account* - I'm not sure if I'd want to register an
account for the sole purpose to get Exim help. IRC seems to be more open
here. But that's just *my* point of view. Matrix doesn't seem to be
widely established as a support channel yet, at least - again - from my
limited point of view.


There is no reason, why a webclient should not be able to log into a 
room as a guest with a random name.




Please don't get me wrong - I do not vote against Matrix, but I do not
see a good reason to drop IRC. But - if we setup a Matrix server, I'd
use it and we can see if this gets more users than the #exim channel on
libera.chat.

If you could see it through my eyes, you wouldn't wait for it, you would 
just do it :)


And now Community, your opinion is required.

If the final decision is to stay on Libera, please do not forget to use a 
different type of IRC bridge to Matrix, so it works "better".


Best regards,
Marius



Re: [exim] IRC channel for Exim

2021-05-27 Thread Cyborg via Exim-users

Am 26.05.21 um 10:55 schrieb Jeremy Harris via Exim-users:


If anyone wants to comment, please raise a hand.


I shall ask you, the community, if you would adopt Matrix as an IRC 
alternative.


You should know, that there was a bridge to Matrix already working in 
the freenode system. It had some minor bugs, but all was mirrored from 
IRC to Matrix.


It's possible to host this for the Exim community, used for the sole 
purpose of offering some public channels, which can be visited by any 
Matrix account on any homeserver out there in the federation.


No other registration is needed, than your own matrix account somewhere 
else.


The Exim team could/should have accounts on this server to use some 
internal devs/security channels and connect to each other more easily. 
It's also possible to have a distro-sec channel there. No limits.


The service of the needed server/service would be free of charge 
(sponsored).


It would be a permanent home for Exim.

Alternative scenario:

The Matrix service is hosted on the same server as the Exim webpage 
(gives cooler domain names for the Matrix accounts ;) ).



Advantages of a Matrix server:

- E2EE
- Audio/Video support via E2E-Peers.
- No need to hop between irc networks anymore
- no third party dependencies
- next to no administration effort, once the init setup is done.
- Rights management
- cryptostorage
- Groupchannel for Security, Distrosupport etc.

Community, please give your feedback for it.

best regards,
Marius





Re: [exim] IRC channel for Exim

2021-05-26 Thread Cyborg via Exim-users

Am 26.05.21 um 10:55 schrieb Jeremy Harris via Exim-users:

Hi All,

We have used Freenode for an IRC channel (#exim) for many years.
Recent developments are making me consider a move, possibly
to irc.libera.chat (port 6697 for SSL; #exim).  The channel
exists but I've not yet gotten it confirmed as representing
the Exim project.

If anyone wants to comment, please raise a hand.


Reminder: The Freenode bridge to Matrix (#freenode_#exim:matrix.org) 
must be established from Libera Chat.



The next question is easy to guess... why not switch to Matrix? It 
would be the perfect moment.


As one already there, it's great :)


Matrix has some benefits:

It's easy to self host, i.e. on exim.org. This way the channel will 
persist as long as Exim lives.
If the room is made public, anyone with a Matrix account can join, no 
additional setup required.

No trouble with NICKSERV anymore.

Matrix has a built-in rights management:

You can have private & secure group channels i.e. for devs & maintainers 
only

Moderators for the public rooms.

In common clients, E2EE is implemented, which makes it pretty secure to 
exchange security related information about exploits etc.


Matrix also supports exchange of media files, in case it's needed, and 
i.e. inside the Fedora SIG Mobility we make use of it a lot. But I can 
foresee that this is of limited use in an Exim group ;)


Matrix offers a history of the channel, so you do not miss anything 
important, if offline.


If you use a modern full featured client, Audio & Videocalls between 
users are possible.


Adhoc videoconferencing is possible. This comes in very handy for dev 
meetings.


Bridging to Signal, Skype, IRC, Telegram and others is possible.






Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Cyborg via Exim-users

Am 06.05.21 um 14:54 schrieb Konstantin Boyandin via Exim-users:

On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:

We have prepared a security release, tagged as "exim-4.94.2".

This release contains all changes on the exim-4.94+fixes branch plus
security fixes.

I wonder whether current Exim maintainer at EPEL reads this list.

The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It
wasn't difficult to build Exim from sources and replace insecure EPEL
version, but it's not exactly my understanding of fun.

(yes, no problem building Exim package(s) for EPEL, once I understand
the exact way to to that)

Go to Fedora Koji and download your files manually. I have seen EL7 
already on Tuesday, but they are kept in the test farm until they reach a 
good karma.


Best regards,
Marius





Re: [exim] Feature Request: react on HTTP

2021-05-06 Thread Cyborg via Exim-users

Am 06.05.21 um 14:14 schrieb Paul Muster via Exim-users:


Use fail2ban to detect these attempts in Exim's logfiles and ban the 
source on IP basis.




Of course we do this too, but the point is, the logfile is written with 
a delay. If you have 10 connections in parallel, it would be easier if 
the server would handle it internally. Reading & parsing the logs also 
takes time, so, in the end, fail2ban kicks in late.

Best regards,
Marius



[exim] Feature Request: react on HTTP

2021-05-06 Thread Cyborg via Exim-users


Hi,

Everyone of us sees this in their logfiles:

2021-05-06 11:07:57 no host name found for IP address 68.183.80.168
2021-05-06 11:07:58 no host name found for IP address 68.183.80.168
2021-05-06 11:07:58 SMTP call from [68.183.80.168] dropped: too many 
unrecognized commands (last was "Accept-Encoding: gzip, deflate")

2021-05-06 11:07:59 no host name found for IP address 68.183.80.168
2021-05-06 11:07:59 SMTP call from [68.183.80.168] dropped: too many 
unrecognized commands (last was "Accept-Encoding: gzip, deflate")

2021-05-06 11:08:00 no host name found for IP address 68.183.80.168
2021-05-06 11:08:00 SMTP call from [68.183.80.168] dropped: too many 
unrecognized commands (last was "Accept-Encoding: gzip, deflate")

2021-05-06 11:08:01 no host name found for IP address 68.183.80.168
2021-05-06 11:08:01 SMTP call from [68.183.80.168] dropped: too many 
unrecognized commands (last was "Accept-Encoding: gzip, deflate")


These are clients, that send "GET /..whatever HTTP/1.0" as greeting.

I suggest:

not to wait for the usual error threshold of SMTP related errors, but 
instead auto disconnect and block the IP for a few minutes, because, as 
seen, they come back as often as you let them.


I think, that Exim could reliably detect and implement this without 
breaking any existing config. As a result, the world will be a better 
place and fewer hamsters get wasted in the CPUs around the world. This 
also is a small benefit for the world's climate, by lower consumption of 
energy ;)



best regards,
Marius

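The fail2ban-style detection discussed in this thread (keyed on the "dropped: too many unrecognized commands" lines that the smtp_max_synprot_errors limit produces), as an added example that is not part of the posts, of Exim or of fail2ban: it parses the log lines shown above, keeps only the drops whose last command looks like HTTP, and returns per-IP block decisions from a sliding window. The threshold, window and ban length are assumptions, and the second source IP in the sample log is constructed.

```python
"""Detect clients that talk HTTP to an SMTP listener, from Exim main log lines.

Added example, not part of the mailing-list post and not Exim or fail2ban code.
It emulates the fail2ban-style detection discussed in the thread: count
"dropped: too many unrecognized commands" events per source IP inside a
sliding window and return the IPs that should be blocked for a few minutes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log format as seen in the post: '<date> <time> SMTP call from [<ip>] dropped:
# too many unrecognized commands (last was "<cmd>")'.  An optional host name
# before the bracketed address is tolerated.
DROP_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'SMTP call from (?:\S+ )?\[(?P<ip>[0-9a-fA-F.:]+)\] dropped: '
    r'too many unrecognized commands \(last was "(?P<last>[^"]*)"\)'
)

# Hints that the last command was HTTP rather than a mistyped SMTP verb:
# a request line or a typical request header name (assumed list).
HTTP_HINT_RE = re.compile(
    r'^(?:(?:GET|POST|HEAD|PUT|OPTIONS|CONNECT) \S+ HTTP/\d\.\d'
    r'|(?:Host|User-Agent|Accept|Accept-Encoding|Connection|Content-Length): )',
    re.IGNORECASE,
)


def parse_drop(line):
    """Return (timestamp, ip, last_command) for a matching line, else None."""
    m = DROP_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'), m['ip'], m['last']


def looks_like_http(last_command):
    """True when the rejected command reads like an HTTP request or header."""
    return bool(HTTP_HINT_RE.match(last_command))


def find_http_probers(lines, threshold=3, window=timedelta(minutes=1),
                      ban_for=timedelta(minutes=10)):
    """Sliding-window counter per IP (threshold/window/ban_for are assumptions).

    Returns {ip: ban_until} for every IP whose HTTP-looking drops reached
    `threshold` inside `window`.  The ban expiry is the time of the last
    offending line plus `ban_for`, i.e. "block the IP for a few minutes".
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent HTTP-looking drops
    bans = {}
    for line in lines:
        parsed = parse_drop(line)
        if parsed is None:
            continue
        ts, ip, last = parsed
        if not looks_like_http(last):
            continue                 # ordinary SMTP garbage; Exim handles it
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # forget events outside the window
        if len(q) >= threshold:
            bans[ip] = ts + ban_for  # refreshed on every further hit
    return bans


# Constructed sample: the pattern from the post (one IP, one-second cadence),
# a "no host name" line that must be ignored, and a constructed second source
# whose last command is not HTTP and so must not be flagged.
SAMPLE_LOG = """\
2021-05-06 11:07:57 no host name found for IP address 68.183.80.168
2021-05-06 11:07:58 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:07:59 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:08:00 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:08:01 SMTP call from [68.183.80.168] dropped: too many unrecognized commands (last was "Accept-Encoding: gzip, deflate")
2021-05-06 11:09:30 SMTP call from [198.51.100.7] dropped: too many unrecognized commands (last was "HELLO there")
"""

if __name__ == '__main__':
    for ip, until in find_http_probers(SAMPLE_LOG.splitlines()).items():
        print(f'block {ip} until {until:%Y-%m-%d %H:%M:%S}')
```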


Re: [exim] Exim 4.94.2 - security update released

2021-05-05 Thread Cyborg via Exim-users

Am 04.05.21 um 15:40 schrieb Heiko Schlittermann via Exim-users:

The details about the vulnerabilities*will*  be published in the near
future (onhttp://exim.org/static/doc/security/), but not today. This
should give you the chance to update your systems.


Time has run up:

https://www.qualys.com/2021/05/04/21nails/21nails.txt

best regards,
Marius



Re: [exim] RELAY NOT PERMITED exim4

2021-04-21 Thread Cyborg via Exim-users

Am 17.04.21 um 13:49 schrieb Douba Samuel DIARRA via Exim-users:

Hello
I was using Exim 4, in office (different sites) but I was using a VSAT system 
for interconnecting sites. I put private addresses to configure Exim in 
different sites.
Since I published my servers on the internet, I have this kind of error message and 
I cannot send mails. The message is: RELAY NOT PERMITED

Need some advices please




Three reasons:

A) you check for a valid SMTP-AUTH on the server and did not use it in 
your mail client's config.


B) you made a typo in one of your local domain names you want to send 
mail to, so Exim "thinks" it shall send it to the external domain and 
requests SMTP-AUTH for it (--> A) to avoid being an open relay.


C) you forgot to change your relay_hosts entries to your new IPs (maybe 
a typo).


A+B are very common problems.

best regards,
Marius



Re: [exim] Number of header lines in reject log

2021-03-29 Thread Cyborg via Exim-users

Am 29.03.21 um 13:45 schrieb iforbes-exim--- via Exim-users:
However exim has a limit on the number of header lines that are 
written into the reject log, if the number of headers exceed this the 
log is truncated. We find that some senders, like Outlook 365, include 
many lines of proprietary headers. This adds to the number of lines 
getting logged and the log can get truncated before lines added by our 
spam assassin filter are written to the log.


If you refer to SpamAssassin, it logs its results to /var/log/mail (on 
my box), so you do not need the header of the actual email. There is a 
message-id reference in the log to easily correlate mails and results.


Best regards,
Marius




Re: [exim] Mail with thousands recipients takes exponential longer time

2021-03-12 Thread Cyborg via Exim-users

Am 12.03.21 um 10:21 schrieb Jeremy Harris via Exim-users:


I have a static linear timeframe from one recipient to another 
appearing in the log file, once the actual delivery from Thunderbird 
ended.
strace says, it's due to the SQL select I use. It would go faster if 
the SQL result would be cached, instead of repeating itself.



Could you show us the ACL line?



it was a simple one like this:

"select 1 from eximconfig where  '${quote_mysql:${domain:$item}}' REGEXP 
\Nconcat('^',domain,'$')\N and name='' and value='1' LIMIT 1


As all those 3000 recipients were to the same domain 
(test1...test3000@domainname) it was de facto the same SQL query. I do 
not expect a SQL cache in Exim, as it would be a very very complex issue 
and is not really the bottleneck here.


BTW: Test done on

Name    : exim
Version : 4.94
Release : 1.fc32
Architecture: x86_64

best regards,
Marius




Re: [exim] Mail with thousands recipients takes exponential longer time

2021-03-12 Thread Cyborg via Exim-users

Am 12.03.21 um 08:27 schrieb Andrew C Aitchison via Exim-users:



Any ideas what's happening here ?


The increasing delays remind me of the delays for failed logins.
Is there some sort of authentication, or similar pam or SMB access,
to check the existence of each recipient ?



I made a test mail with 3000 recipients in CC.

Exim is increasing its CPU usage the more recipients are used until 
100% CPU core usage is reached:



    PID USER  PR  NI    VIRT    RES    SHR S  %CPU  %MEM TIME+ COMMAND
1378404 root  20   0   66084  55300  10632 R  98,7   1,1 8:59.99 
/usr/sbin/exim -Mc 1lKd2y-005m5p-3V



I have a static linear timeframe from one recipient to another appearing 
in the log file, once the actual delivery from Thunderbird ended.
strace says, it's due to the SQL select I use. It would go faster if the 
SQL result would be cached, instead of repeating itself.


Conclusion:

a) the (recipient) list function in Exim needs a redo, to improve 
performance.


This is a very basic list optimization problem, you learn in data 
structures at the university.


b) the setup in question has an additional problem, increasing the time 
exponentially.


Because the core is reaching 100%, it's at its max... at that point, 
things slow down even more.


c) time to make Exim multi-threaded

best regards,
Marius



Re: [exim] autoreply once on multiple systems

2021-01-28 Thread Cyborg via Exim-users

Am 28.01.21 um 18:01 schrieb Cyborg via Exim-users:


   drop condition = ${if eq{${lookup mysql {SELECT '1' FROM 
mail_responders WHERE sender=... and receiver=... and  ( date+86400 < 
unix_timestamp(NOW()) )  LIMIT 1 }}}{1} {1}{0}}
       log_message = Responder database said, we should drop 
this mail.




UPS:

 drop condition = ${if eq{${lookup mysql {SELECT '1' FROM 
mail_responders WHERE sender=... and receiver=... and  ( date+86400 > 
unix_timestamp(NOW()) )  LIMIT 1 }}}{1} {1}{0}}
       log_message = Responder database said, we should drop 
this mail.


Wrong comparison :)

Best regards,
Marius



Re: [exim] autoreply once on multiple systems

2021-01-28 Thread Cyborg via Exim-users

Am 28.01.21 um 17:30 schrieb Kai Bojens via Exim-users:

Hello everybody,
is there an easy solution to share the autoreply "once" data between 
multiple hosts? The documenation mentions a file or a DBM database in 
which these can be stored. I'd like to set up multiple Exim hosts in 
order to spread the load with an identical configuration and don't 
want host B to also autoreply when host A has already sent the autoreply.


Kai

In this case, you will need a central SQL database that stores the 
sender and receiver with a timestamp, and if your ACL finds an entry 
within your given timeframe, you will need to redirect the message to 
:blackhole:

To reduce the stress inside Exim, I put that part in my autoresponder 
script. But that's just a suggestion, Exim will do fine on its own.


First you check if you have an old entry, i.e.:

   drop condition = ${if eq{${lookup mysql {SELECT '1' FROM 
mail_responders WHERE sender=... and receiver=... and  ( date+86400 < 
unix_timestamp(NOW()) )  LIMIT 1 }}}{1} {1}{0}}
       log_message = Responder database said, we should drop 
this mail.


If the mail passes, you put it into the database, so the next message 
will be dropped until ( in this example ) 24h have passed.


   warn    log_message   = logging "${quote_mysql:$authenticated_id}" 
in with ip "$sender_host_address" ${lookup mysql {INSERT IGNORE INTO 
mail_responders SET [[enter here what you need to identify sender and 
receiver]],date=unix_timestamp(NOW())}}  ***


***) You can have an additional lookup to clean the database of old 
entries. But you can also use a cronjob to clean the DB periodically.


This is not an example you just copy & paste, as you need to make 
modifications on the who-sends-to-whom part and on whether it shall be 
dropped at all, because it's a responder address. Means: you will need an 
additional condition in each block to run it only if the receiver is an 
autoresponder. OK?


And: this example drops the incoming email, instead of redirecting it 
to :blackhole:, which "should" do the job too.


best regards,
Marius





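The shared-database "autoreply once" logic from this post and the corrected comparison from the follow-up ("UPS: wrong comparison"), as an added example that is neither the poster's ACL nor Exim code: it reproduces the drop-or-record decision with Python's sqlite3 standing in for MySQL, so both versions of the comparison can be run side by side. The table and column names are taken from the post; the addresses, timestamps and the expiry clean-up before the insert are constructed assumptions.

```python
"""Shared "autoreply only once per 24h" bookkeeping, as described in the thread.

Added example, not the poster's ACL and not Exim code: it mirrors the decision
logic of the quoted MySQL ACL (drop when a sender/receiver row newer than 24h
exists, otherwise INSERT IGNORE a row) using sqlite3, so the comparison from
the follow-up post ("UPS: wrong comparison") can be checked offline.
Table and column names follow the post; everything else is an assumption.
"""
import sqlite3

WINDOW = 86400  # seconds; the 24h from the post


def open_db(path=':memory:'):
    """Create the mail_responders table; UNIQUE is what makes INSERT IGNORE work."""
    db = sqlite3.connect(path)
    db.execute(
        'CREATE TABLE IF NOT EXISTS mail_responders ('
        ' sender TEXT NOT NULL, receiver TEXT NOT NULL, date INTEGER NOT NULL,'
        ' UNIQUE (sender, receiver))'
    )
    return db


def should_drop(db, sender, receiver, now, fixed=True):
    """The 'drop condition' of the ACL.

    fixed=True  uses the corrected comparison   date + WINDOW > now
    fixed=False uses the first (wrong) version  date + WINDOW < now
    A row inside the window means an autoreply already went out, so the
    new message is dropped (or sent to :blackhole:, the post's alternative).
    """
    op = '>' if fixed else '<'      # fixed choice of two literals, not user input
    row = db.execute(
        'SELECT 1 FROM mail_responders WHERE sender=? AND receiver=?'
        f' AND (date + ? {op} ?) LIMIT 1',
        (sender, receiver, WINDOW, now),
    ).fetchone()
    return row is not None


def record(db, sender, receiver, now):
    """The 'warn' step: INSERT IGNORE a row for this sender/receiver pair.

    Expired rows are purged first (the clean-up the post mentions), because
    INSERT IGNORE would otherwise keep the stale timestamp forever and the
    pair would never be throttled again after the first 24h.
    """
    db.execute('DELETE FROM mail_responders WHERE date + ? <= ?', (WINDOW, now))
    db.execute(
        'INSERT OR IGNORE INTO mail_responders (sender, receiver, date)'
        ' VALUES (?, ?, ?)', (sender, receiver, now)
    )
    db.commit()


def handle(db, sender, receiver, now, fixed=True):
    """Full flow for one incoming mail: returns 'drop' or 'autoreply'."""
    if should_drop(db, sender, receiver, now, fixed):
        return 'drop'
    record(db, sender, receiver, now)
    return 'autoreply'


def simulate(fixed=True):
    """Three mails from one sender at t=0, t=+1h, t=+25h (constructed input).

    With the corrected comparison the second mail is dropped and the third,
    after the window, gets a fresh autoreply; with the wrong comparison the
    behaviour is inverted, which is the bug the follow-up post corrected.
    """
    db = open_db()
    sender, receiver = 'alice@example.org', 'vacation@example.net'  # constructed
    return [handle(db, sender, receiver, t, fixed) for t in (0, 3600, 25 * 3600)]


if __name__ == '__main__':
    print('corrected:', simulate(fixed=True))
    print('wrong    :', simulate(fixed=False))
```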


[exim] auth disclosure on auth rejects in logfiles

2021-01-25 Thread Cyborg via Exim-users

Exim: 4.94-1  Fedora 32 Build

Hi,

I just found out that Exim logs the auth credentials in case they get 
rejected due to bruteforce rules:


2021-01-25 10:15:47 H= (EHLO STRING) [IP ADDRESS] 
X=TLS1.3:TLS_AES_128_GCM_SHA256:128 CV=no rejected AUTH PLAIN 
BASE64STRING : authentication is allowed only once per message in order 
to slow down bruteforce cracking


This config part:

acl_check_auth:
  drop  message = authentication is allowed only once per message in order \
                  to slow down bruteforce cracking
        set acl_m_auth = ${eval10:0$acl_m_auth+1}
        condition = ${if >{$acl_m_auth}{2}}
        delay = 22s


I don't see a good reason to print that info into the log, as in the 
case I found, the mailclient just made a mistake and it was not an 
attacker.


best regards,
Marius



Re: [exim] Virus/Malware errors: extra odd behavior

2021-01-19 Thread Cyborg via Exim-users

Am 19.01.21 um 08:32 schrieb Dan Egli via Exim-users:
While testing, I noticed something else completely bizzare. If I run 
the malware test as root and place the test file in /root (i.e. # exim 
-bmalware ~/eicar.com.txt) get the error I mentioned.


Exim runs as non-privileged user "exim". Ergo: no access to /root/.

Best read in the Exim manpage or docs:

-bmalware 
 This debugging option causes Exim to scan the given file or directory 
 (depending on the used scanner interface), using the malware scanning 
 framework. The option av_scanner influences this option, so if 
 av_scanner's value is dependent upon an expansion then the expansion 
 should have defaults which apply to this invocation. ACLs are not 
 invoked, so if av_scanner references an ACL variable then that 
 variable will never be populated and -bmalware will fail.

 Exim will have changed working directory before resolving the filename, 
 so using fully qualified pathnames is advisable. *Exim will be running 
 as the Exim user when it tries to open the file, rather than as the 
 invoking user.* This option requires admin privileges.



Best regards,
Marius


Re: [exim] av_scanner is broken suddenly?

2020-12-29 Thread Cyborg via Exim-users

Am 29.12.20 um 12:03 schrieb Victor Sudakov via Exim-users:



I can't imagine how to produce such
  behaviour with socket API.

Neither do I. Moreover, the problem began after upgrading the OS from
FreeBSD 11 to 12.2-RELEASE-p1, and exim to exim-4.94_4. Maybe the OS is
to blame.



If you are on it, check if firewalld got installed and is running. It 
has its own firewall and some VERY illogical settings. An "iptables -L" 
won't help you with that.


Best regards,
Marius



Re: [exim] transport compression for port 25, 143, 110

2020-12-12 Thread Cyborg via Exim-users

Am 12.12.20 um 14:54 schrieb Jeremy Harris via Exim-users:

Billions of emails would also require
extra energy to process them. 

they also would save 97% energy  while transiting on each and any hop.

Best regards,
Marius



[exim] transport compression for port 25, 143, 110

2020-12-12 Thread Cyborg via Exim-users

Hi,

I was wondering, do modern smtp/imap/pop connections support compression ?

If not, why not?

For SMTP it would be easy:

CDAT
OK
[length]{8B}
[gzipdata]{length}
.
OK

Same for IMAP/POP, more or less, peanut code.

For IMAP someone already made an RFC: 
https://datatracker.ietf.org/doc/rfc4978/


I know that TLS compression is somehow bad for security, but bzip is 
used on https webservers all the time, so in general it can't be a big 
problem when we compress data and then encrypt it.


Why do I think it's a good idea in times of 100+ Mb/s at home? Billions 
of emails get transported. If only 30% of all connections use it, 
we get a 28% reduction in traffic used for mails.

What do you think?


best regards,
Marius

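
The CDAT framing sketched in the post, written out as an added example (not code from the post or from Exim; CDAT is the poster's proposed verb, not a real SMTP extension, and the 1 MiB cap, the ipset-free server reply strings and the sample message are assumptions). Beyond the round trip it shows the check a server accepting compressed data from an unauthenticated peer needs: a hard cap on the inflated size, so a few KiB on the wire cannot expand into gigabytes in memory, plus detection of truncated streams.

```python
"""Framing for the CDAT idea from the post: an 8-byte big-endian length
followed by gzip data.  Added example, not code from the post or from Exim;
CDAT is the poster's proposal, not a real SMTP verb.

Security point: a server that inflates compressed data from an unauthenticated
peer must cap the decompressed size, otherwise a few KiB on the wire can expand
into gigabytes in memory (a "decompression bomb").
"""
import gzip
import struct
import zlib

MAX_MESSAGE = 1 << 20          # assumed cap: 1 MiB of decompressed message
LENGTH_FMT = ">Q"              # [length]{8B} from the post, big-endian


def cdat_encode(message: bytes) -> bytes:
    """Client side: gzip the message and prefix the 8-byte length."""
    payload = gzip.compress(message, mtime=0)
    return struct.pack(LENGTH_FMT, len(payload)) + payload


def cdat_decode(frame: bytes, max_message: int = MAX_MESSAGE) -> bytes:
    """Server side: check the framing, then inflate with a hard output cap."""
    if len(frame) < 8:
        raise ValueError("frame shorter than length field")
    (length,) = struct.unpack(LENGTH_FMT, frame[:8])
    if length != len(frame) - 8:
        raise ValueError("length field does not match payload size")
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip wrapper
    # Ask for at most max_message+1 bytes: one byte over the cap is enough to
    # know the stream is too big, without inflating the rest of it.
    out = inflater.decompress(frame[8:], max_message + 1)
    if len(out) > max_message:
        raise ValueError("decompressed size exceeds cap (decompression bomb?)")
    if not inflater.eof:
        raise ValueError("truncated gzip stream")
    return out


def server_reply(frame: bytes) -> str:
    """SMTP-style response the server would give after the terminating '.'"""
    try:
        message = cdat_decode(frame)
    except ValueError as e:
        return f"552 CDAT rejected: {e}"
    return f"250 OK, {len(message)} bytes accepted"


def truncate_payload(frame: bytes, n: int) -> bytes:
    """Drop the last n bytes of the gzip payload but keep the length field
    consistent, to show that a cut-off stream is still detected."""
    payload = frame[8:-n]
    return struct.pack(LENGTH_FMT, len(payload)) + payload


# Constructed samples: a small message, and a bomb built from 8 MiB of zeros
# that gzips to a few KiB.
SAMPLE_MESSAGE = b"Subject: compression test\r\n\r\nhello, peanut code\r\n"
BOMB_FRAME = cdat_encode(b"\0" * (8 << 20))

if __name__ == "__main__":
    print(server_reply(cdat_encode(SAMPLE_MESSAGE)))
    print(server_reply(BOMB_FRAME), "from", len(BOMB_FRAME), "bytes on the wire")
```

The length field alone is not a defence: it only bounds what arrives on the wire, while the cap in cdat_decode bounds what the server actually allocates.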


Re: [exim] Android Outlook App

2020-12-04 Thread Cyborg via Exim-users

On 04.12.20 at 12:55, Andreas via Exim-users wrote:

Hello List,

we have a problem with this app. A customer loves M$. So he tries to
connect to exim as outgoing connection. The IMAP part is ok, there is
dovecot.

All error messages from the app are wrong, if you give wrong passwords
it gave wrong certificate, correct data gives wrong password and so on...

In the exim log you can see:
2020-12-04 11:36:21 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from xxx I=[xxx]:25 input="\026\003\001"

I think it tries SSL/TLS and it doesn't matter what port you give in the

It does.. when I need to guess: SSLv3. This won't work on port 25. 
And it should not work ever again on any other port ;)


best regards,
Marius


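
An added example (not from the thread or from Exim) that turns the logged input="\026\003\001" back into bytes. Exim prints non-printable input as octal escapes, so \026 \003 \001 is 0x16 0x03 0x01: the start of a TLS record of content type handshake with record-layer version 3.1, which is the version a TLS ClientHello normally carries in its record header whatever the client later negotiates. A client that opens with a TLS record on a port that expects a plaintext EHLO before STARTTLS is configured for implicit TLS. The plaintext branch and its sample EHLO line are constructed for the example.

```python
"""Classify the bytes Exim logged in an "SMTP protocol synchronization error".

Added example, not from the Exim project or the thread.  Exim renders
non-printable bytes in its log as C-style octal escapes (\\026 is 0x16), so
the logged input="..." field can be turned back into raw bytes and compared
with the TLS record header layout.
"""
import codecs
import re

# Log line from the post (the xxx placeholders are as posted).
SAMPLE_LOG = (
    '2020-12-04 11:36:21 SMTP protocol synchronization error (input sent '
    'without waiting for greeting): rejected connection from xxx I=[xxx]:25 '
    'input="\\026\\003\\001"'
)

INPUT_RE = re.compile(r'input="((?:[^"\\]|\\.)*)"')

# TLS record-layer content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def logged_input_bytes(log_line: str) -> bytes:
    """Extract the input="..." field and undo Exim's escaping."""
    m = INPUT_RE.search(log_line)
    if not m:
        raise ValueError("no input= field in log line")
    # unicode_escape understands \NNN octal, \n, \t and \\ ; latin-1 keeps
    # each code point as exactly one byte.
    return codecs.decode(m.group(1), "unicode_escape").encode("latin-1")


def classify_input(raw: bytes) -> dict:
    """Decide whether the client spoke TLS or plaintext SMTP first."""
    if (len(raw) >= 3 and raw[0] in TLS_CONTENT_TYPES
            and raw[1] == 0x03 and raw[2] <= 0x04):
        return {"kind": "tls_record",
                "content_type": TLS_CONTENT_TYPES[raw[0]],
                "record_version": f"{raw[1]}.{raw[2]}",
                "hint": "client expects implicit TLS; this port wants EHLO then STARTTLS"}
    text = raw.decode("ascii", "replace").strip()
    verb = text.split(" ", 1)[0].upper() if text else ""
    if verb in {"EHLO", "HELO"}:
        return {"kind": "plaintext_smtp", "verb": verb,
                "hint": "command sent before the banner; scanner or buggy client"}
    return {"kind": "unknown", "preview": text[:32]}


def classify_log_line(log_line: str) -> dict:
    return classify_input(logged_input_bytes(log_line))


if __name__ == "__main__":
    print(classify_log_line(SAMPLE_LOG))
    # Constructed plaintext sample for comparison.
    print(classify_input(b"EHLO mail.example\r\n"))
```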


Re: [exim] Local spam exclusion script

2020-11-25 Thread Cyborg via Exim-users

On 25.11.20 at 13:40, The Doctor via Exim-users wrote:

IS there a scripts that could

a) Examine a spam/junk Mailbox for the origin of spam
and parse the IP of origin

and

b) Tell exim to block such IP addresses?

As Exim just delivers the mails to a box, it doesn't know anything about 
them besides the format: no.


You have to do it yourself.

Of course you can do this with the help of exim, as I do it. Just call a 
script any time a certain spambox router or transport is used and add the 
IP to your firewall.


I block brute-forcers that way, if they test non-existing mail addresses:

  drop  message = blacklisted for bruteforce cracking attempt
        set acl_c_authnomail = ${eval10:0$acl_c_authnomail+1}
        condition = ${if >{$acl_c_authnomail}{4}}
        condition = ${run{/addspam $sender_host_address}{yes}{$value}}


Do sanity checks before you use a variable as an argument.


best regards,
Marius

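
What the sanity checks in the post can look like, as an added example (not the poster's /addspam script; the blocklist path, the ipset name and the protected ranges are assumptions). Exim's ${run} splits the command string itself rather than handing it to a shell, but argv[1] is still text chosen by the remote host, so the script accepts only a single IP literal, normalises IPv4-mapped IPv6 forms, refuses its own and private ranges, and calls the firewall tool with an argv list so no shell ever sees the value. Exit status 0 is what makes the post's ${run{...}{yes}{$value}} condition true, so the script exits non-zero whenever it refuses the argument.

```python
#!/usr/bin/env python3
"""Vet the address Exim passes via ${run{/addspam $sender_host_address}}
before adding it to the firewall.

Added example, not the script from the post.  The blocklist path, the ipset
name and the protected ranges are assumptions.  Exim's ${run} does not use a
shell, but argv[1] is attacker-influenced text, so accept nothing except one
IP literal and never pass it through a shell.
"""
import ipaddress
import subprocess
import sys

BLOCKLIST_FILE = "/var/spool/exim/blacklists/blocked_IPs"   # assumed path
IPSET_NAME = "mail_bruteforce"                               # assumed set name

# Never block ourselves or our own networks (assumed example ranges; the
# 203.0.113.0/24 entry stands in for the site's own public addresses).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "fe80::/10", "fc00::/7", "203.0.113.0/24",
)]


def vet_address(arg: str):
    """Return a normalised IPv4Address/IPv6Address or raise ValueError.

    Rejects anything that is not exactly one IP literal (shell metacharacters,
    hostnames, CIDR ranges, IPv6 zone ids) and addresses in NEVER_BLOCK.
    """
    if not arg or arg != arg.strip() or any(c.isspace() for c in arg):
        raise ValueError("argument must be a single IP literal")
    if "%" in arg:
        raise ValueError("zone ids are not accepted")
    addr = ipaddress.ip_address(arg)          # ValueError on anything else
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped               # ::ffff:a.b.c.d -> a.b.c.d
    if any(addr in net for net in NEVER_BLOCK):
        raise ValueError(f"{addr} is in a protected range")
    return addr


def is_blockable(arg: str) -> bool:
    """True when vet_address() accepts the argument."""
    try:
        vet_address(arg)
    except ValueError:
        return False
    return True


def block_command(addr) -> list:
    """argv for the firewall action; a list, so no shell is involved."""
    return ["ipset", "add", "-exist", IPSET_NAME, str(addr)]


def main(argv) -> int:
    if len(argv) != 2:
        print("usage: addspam <ip>", file=sys.stderr)
        return 2
    try:
        addr = vet_address(argv[1])
    except ValueError as e:
        print(f"addspam: refusing {argv[1]!r}: {e}", file=sys.stderr)
        return 1                               # non-zero: ${run} yields $value
    with open(BLOCKLIST_FILE, "a") as f:
        f.write(f"{addr}\n")
    subprocess.run(block_command(addr), check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The ipset call is one possible action; whatever tool you use, build its argv as a list from the vetted address object, not by formatting the raw argument into a command string.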


Re: [exim] Best practices - distribution groups

2020-10-21 Thread Cyborg via Exim-users
On 21.10.20 at 11:42, Gary Stainburn via Exim-users wrote:
>
>    host mx-eu.mail.am0.yahoodns.net [188.125.72.74]
>    Delay reason: SMTP error from remote mail server after end of data:
>    421 [IPTS04] Messages from x.x.x.x temporarily deferred due to
> unexpected volume or user complaints - 4.16.55.1; see
> https://postmaster.verizonmedia.com/error-codes
>
> As I'm only emailing members who asked to join the group I doubt that
> they have had complaints so it must be down to the high volume.
>

Your mail provider for your company account will be whitelisted at Yahoo
and others to relax rate limits for them.

Your own mail service is not whitelisted and therefore under rate limit.
You could contact Yahoo and fill out the whitelist form,
or not send out as many mails per second as you do now.  On this list
there should be enough examples of how to rate limit yourself for a specific
external mail server.

best regards,
Marius



Re: [exim] 421 lost input connection, not logged?

2020-10-08 Thread Cyborg via Exim-users




On Thu, Oct 8, 2020 at 20:39, Jeremy Harris via Exim-users wrote:

On 08/10/2020 17:50, Cyborg via Exim-users wrote:

 On 08.10.20 at 17:11, Graeme Fowler via Exim-users wrote:
  ...but if the client never managed to actually connect to Exim, there is nothing to log.

 In this case, you could see the messages exim sent for the smtp session with tcpdump, but it never showed up in the logs.


Ah, but tcpdump taken where?  On the server? client?  Some middlebox,
which (as Cyborg pointed out) could be replacing the TLS connection?



Directly at the server. The AV program was on the client's PC.

Regards,
Marius



Re: [exim] 421 lost input connection, not logged?

2020-10-08 Thread Cyborg via Exim-users
On 08.10.20 at 17:11, Graeme Fowler via Exim-users wrote:
> ...but if the client never managed to actually connect to Exim, there is 
> nothing to log.
In this case, you could see the messages exim sent for the smtp session
with tcpdump, but it never showed up in the logs.

And honestly, I don't need it to, as Shodan and other vuln scanners out
there never intend to send a message, and they are a pest scanning
mail servers. If any scan of them shows up in the logs, they will produce
a mess IMHO.

Jeremy:  FR = Feature Request ;) I don't consider this a bug, but I
may be alone with this.


best regards,
Marius


