Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Felix Schwarz via Exim-users



Am 06.05.21 um 14:54 schrieb Konstantin Boyandin via Exim-users:

> (yes, no problem building Exim package(s) for EPEL, once I understand
> the exact way to do that)


fedpkg clone --anonymous exim
cd exim
git checkout epel8
# tweak exim.spec
fedpkg mockbuild

Felix

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Felix Schwarz via Exim-users




Am 06.05.21 um 14:54 schrieb Konstantin Boyandin via Exim-users:

> The last known EPEL Exim version is 4.94 #2, built on March 25, 2021. It
> wasn't difficult to build Exim from sources and replace insecure EPEL
> version, but it's not exactly my understanding of fun.


Exim updates are in epel-testing:

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-dad1996f63
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2021-beed69126f

The pages above contain information on how to apply the update to your system. 
If you leave positive feedback ("karma") the update will reach all users 
faster (stable channel).


Felix





Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Felix Schwarz via Exim-users



Am 06.05.21 um 15:35 schrieb Heiko Schlittermann via Exim-users:

> (I got reports that Fedora's packages were stuck on some test server.
> (?))


Updates are not "stuck" but in a testing repo. This is meant to check that we 
only push actually working software to users. I'm not sure why the Fedora/EPEL 
maintainer chose to use testing also for that security release.


As it is right now the updates will go to stable once there is enough positive 
feedback by users:

https://bodhi.fedoraproject.org/updates/?packages=exim

Fedora 33 already has this in stable as we had enough positive feedback.

Felix



Re: [exim] Exim 4.94: "Tainted filename for search: 'select'"

2020-06-22 Thread Felix Schwarz via Exim-users


Am 19.06.20 um 14:27 schrieb Jeremy Harris via Exim-users:
> On 18/06/2020 13:20, Felix Schwarz via Exim-users wrote:
>> sqlite_dbfile = /path/to/user.db
>>
>> domainlist local_domains = sqlite;select DISTINCT domain from users where
>> domain='${quote_sqlite:$domain}' and is_enabled=1;
> 
> Two problems.
> 
> - the syntax only applies for
>   single-key lookup types.  sqlite is a query-style.
> - that probably leads into the tainting problem, so I'll ignore that

Thank you - I was not aware of that distinction so I learned something new.

I modified the config to retrieve the list of domains from sqlite like this:

domainlist local_domains = \
  ${lookup sqlite{ SELECT DISTINCT domain || ':' FROM users WHERE is_enabled=1; }}

Do you see an obvious problem with that?
I was a bit surprised that Exim seems to concatenate multiple result values to
a single string (containing \n?) but it seems that I can add the list
separator ":" manually.


Also my exim config is now more secure than before due to all the taint
warnings. However it would be less stressful for me if there was at least one
release which just raised some warnings about tainting values (or a flag to
convert taint errors into warnings) to ease the migration.

Exim 4.94 was pushed to EPEL 7 stable without any announcement and I suspect
that explains the influx of questions about tainting on this mailing list. I
was caught by surprise as one of my SMTP servers stopped working after it
applied the update automatically...

again, thank you for your time :-)

Felix

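Added example (not part of the original post, and not Exim code): a Python model of the whole-list lookup in the message above, showing why appending ':' in SQL yields a usable domain list and why the recipient domain never has to enter the query text. It assumes Exim's documented behaviour of joining multi-row SQL results with newlines; the list splitting is a simplification, and the function names and table contents are constructed.

```python
import sqlite3

def exim_like_lookup(conn, query):
    """Model of an Exim SQL lookup: single-column rows joined by newlines."""
    rows = conn.execute(query).fetchall()
    return "\n".join(str(row[0]) for row in rows)

def split_exim_list(text, sep=":"):
    """Simplified list splitting: trim whitespace per item, drop empty items."""
    return [item.strip() for item in text.split(sep) if item.strip()]

def build_sample_db():
    # Constructed sample data, stands in for /path/to/user.db
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, domain TEXT, is_enabled INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "site.example", 1),
        ("bob", "site.example", 1),
        ("carol", "other.example", 1),
        ("dave", "disabled.example", 0),
    ])
    return conn

def local_domains(conn):
    # Same query as in the post: constant text, no recipient data in it.
    raw = exim_like_lookup(
        conn, "SELECT DISTINCT domain || ':' FROM users WHERE is_enabled=1")
    return raw, split_exim_list(raw)

def is_local(conn, rcpt_domain):
    # The untrusted recipient domain is only compared against trusted rows.
    return rcpt_domain.lower() in local_domains(conn)[1]

if __name__ == "__main__":
    conn = build_sample_db()
    raw, domains = local_domains(conn)
    print(repr(raw))   # rows carry their own ':' and are joined by '\n'
    print(domains)
    # Constructed recipient domains, including one with SQL metacharacters
    for rcpt in ("site.example", "disabled.example", "x' OR '1'='1"):
        print(rcpt, "->", is_local(conn, rcpt))
```
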


[exim] Exim 4.94: "Tainted filename for search: 'select'"

2020-06-19 Thread Felix Schwarz via Exim-users
Hey,

(sorry for starting a new thread - I was not subscribed previously so I could
not reply in the old thread).

After upgrading to 4.94 I got the ominous error message:
  Tainted filename for search: 'select'

As far as I understood "sqlite_dbfile" should solve the problem for me but it
does not.

This is likely the important part of my configuration

sqlite_dbfile = /path/to/user.db

domainlist local_domains = sqlite;select DISTINCT domain from users where
domain='${quote_sqlite:$domain}' and is_enabled=1;


...
acl_check_rcpt:
  ...
  require domains = +local_domains :
  message = relay not permitted


Still exim 4.94 complains:

SMTP<< rcpt TO:
using ACL "acl_check_rcpt"
processing "require" (…)
  message: relay not permitted
check domains = +local_domains :
 ╭considering: sqlite;select DISTINCT domain from users where
domain='${quote_sqlite:$domain}' and is_enabled=1;
  ╭considering: $domain}' and is_enabled=1;
  ├──expanding: $domain
  ╰─result: site.example
 ╰──(tainted)
 ├──expanding: sqlite;select DISTINCT domain from users where
domain='${quote_sqlite:$domain}' and is_enabled=1;
 ╰─result: sqlite;select DISTINCT domain from users where
domain='site.example' and is_enabled=1;
╰──(tainted)
LOG: MAIN PANIC
  Tainted filename for search: 'select'



I assumed that "quote_sqlite" would untaint the $domain value but it does not?
How can I retrieve the

Felix



Re: [exim] Rspamd-Proxy error with exim

2018-06-27 Thread Felix Schwarz via Exim-users
Hi,

Am 26.06.2018 um 21:50 schrieb Andrew Lewis via Exim-users:
>> If it is correct that rspamd (in current versions) no longer operates
>> with Exim then we should cease claiming it does (until and if
>> someone develops new support), and may as well remove the nonfunctional
>> code.
> 
> That's not correct. I still use Rspamd with Exim and have been upgrading
> through the various releases. It seems there has been some terrible
> miscommunication.
> 
> The Rspamd proxy is an optional interface to Rspamd - Exim users don't need
> it. That said I have tested it with the stable release of Rspamd and found no
> problems (proxying of the legacy protocol works as far as I see).

Thanks for pointing it out. Just yesterday I compiled the latest rspamd to
check if the main daemon is actually incompatible with Exim now but didn't get
to post my results. Sorry for not speaking up sooner but I was not 100% sure
and did not want to spread false information.

So while the old rspamd protocol might be eliminated in the future it still
works right now. Long term the ideal solution is of course to support HTTP+json.

Felix



Re: [exim] Routing email to different smarthosts according to a "percentage"

2017-12-04 Thread Felix Schwarz via Exim-users

Am 04.12.2017 um 10:22 schrieb Diego Bellini:
> I am writing to ask for any suggestion in relation to this
> 
> Let's say I have 3 smarthosts: smarthost0, smarthost1, smarthost2
> 
> Smarthost0 receives all the emails and then routes, let's say, the 10 percent 
> of the emails via smarthost1 and the 90 percent via smarthost2
> 
> Is there a way to do this with exim?
> 
> I would like to implement something like this as a way to warm up/or keep 
> warm an IP

There is (almost) always a way with exim:
https://lists.exim.org/lurker/message/20170215.104521.34635a7a.pt-BR.html

Felix



Re: [exim] Exim 4.90 RC3 uploaded

2017-11-30 Thread Felix Schwarz via Exim-users
Am 30.11.2017 um 12:03 schrieb Frank Elsner:
> Can you please tell me to which package 
> /usr/include/mysql/private/ssl_compat.h belongs?

mariadb-devel

You can get that info very easily with dnf, e.g.:
sudo dnf info /usr/include/mysql/private/ssl_compat.h

Felix



Re: [exim] Blocking chunking

2017-11-28 Thread Felix Schwarz via Exim-users
Am 28.11.2017 um 11:13 schrieb Sebastian Nielsen via Exim-users:
> I got hit with the security news about chunking
(...)
> Exim version 4.86_2 #2 built 03-Jun-2017 05:07:28

Exim 4.86 does not have the chunking feature so you can disable it (and you
are not affected by the security vulnerability) :-)

fs



Re: [exim] Discard spam

2017-11-10 Thread Felix Schwarz via Exim-users
Am 10.11.2017 um 15:59 schrieb Александр Кириллов via Exim-users:
> I'm trying to reduce backscatter which is a side effect of incoming spam.
> If you know of any other politically correct ways of solving this please
> share your experience. TIA.

Very likely discarding messages is not what you should do in this situation.

Rejecting spam during the SMTP dialog is good because the sender gets
immediate feedback.
For example this can be helpful for bigger providers who may monitor their
outgoing connections and lock accounts if too many messages are rejected. Also
legitimate senders don't have to worry about opaque "inboxing" rates.

More to the point "backscatter" is a rejection AFTER the SMTP dialog. This
mostly happens if you have multiple servers in a cascade and one machine
starts rejecting spam. This should be avoided because the previous MTA creates
a bounce message to the "sender" address which might be faked.

If you try to prevent backscatter configure your servers so that only the
first one does any rejections. If you just reject spam messages when getting
them the first time there is no "backscatter" problem.

If you can not control/reconfigure the first machine you must deal with "spam
folders".

Personally I'd *strongly* advise against discarding messages (and if you
really need it you don't need to read my post).
Felix



Re: [exim] Round robin for outgoing connections

2017-08-28 Thread Felix Schwarz via Exim-users

Am 28.08.2017 um 12:57 schrieb Luca Bertoncello:
> I'm trying to balance the outgoing connection using two IPs with exim 4.89...
> Unfortunately I didn't find any way, in the documentation, to do that...
> 
> I see the "hosts_randomize", but it seems to just work with "route_list" and
> not with "interface"...
> 
> Has someone any suggestion?

Seems like I asked a very similar question in February ("how to distribute
outbound mail over multiple hosts?").

The solution for me was to have multiple outbound routers with a condition (in
our case it included a random number):
new_outbound:
driver = manualroute
condition = 

fs


Re: [exim] Ongoing email issues

2017-02-27 Thread Felix Schwarz via Exim-users


Am 27.02.2017 um 22:16 schrieb Daryl Richards via Exim-users:
> I don't know if this is related to any of the other crash issues reported
> lately, so I'll start a new message in case it isn't.
> 
> Two different servers, both on FreeBSD 10.3, both with latest exim port
> (exim-4.88_2) are often having the exim process crash during mail delivery. In
> my system log, I see many of:

Did you try to disable chunking? (put "chunking_advertise_hosts =" in your
exim.conf). This workaround resolved the crashes I saw in 4.88.

fs




Re: [exim] Exim 4.88 segfault on CentOS 6

2017-02-27 Thread Felix Schwarz via Exim-users

Am 27.02.2017 um 11:42 schrieb Kunszt Árpád via Exim-users:
> Thank you. I downloaded the RPM package. As far as I understand your patch 
> disables the chunking by default, am I right?

Yes you are right. Actually I should have mentioned that you should just add
chunking_advertise_hosts =
in your exim.config.

Sorry, has been a few days since I ran the build so I pushed details like that
out of my brain to focus on other issues.

fs



Re: [exim] Exim 4.88 segfault on CentOS 6

2017-02-27 Thread Felix Schwarz via Exim-users
Hey,

Am 27.02.2017 um 11:18 schrieb Kunszt Árpád via Exim-users:
> I'm using Exim from the EPEL repository on CentOS 6. After I upgraded to
> 4.88 I'm starting to have some segfaults in the logs.

I guess this is due to https://bugzilla.redhat.com/show_bug.cgi?id=1421736
I added a koji build for EL6 so you could try these binaries.

(If that helps please post your findings in bugzilla, maybe we can ping the
EPEL exim maintainer so he includes my patch.)

fs



Re: [exim] how to distribute outbound mail over multiple hosts?

2017-02-15 Thread Felix Schwarz via Exim-users
Hey,

Heiko, Jeremy: thank you for your quick answers - seems like I can build
exactly the solution I had in mind :-)

Am 15.02.2017 um 12:06 schrieb Heiko Schlittermann:
> And, if then all outbound traffic gets forwarded to the new servers, you
> need to reconfigure your application servers to use the new outbound
> server? (Just for me, to get it clear.)

sort of: We plan to run old+new in parallel for a time even though the old
server will just forward 100% of its traffic to the new one. When we are ready
to do the final switch we will just update the DNS to put the old machine out
of the mail flow.

> new_outbound:
> driver = manualroute
> condition = 

Exactly what I was looking for :-) Thank you.

Felix




[exim] how to distribute outbound mail over multiple hosts?

2017-02-15 Thread Felix Schwarz via Exim-users
Hey,

I'm planning on migrating one of my outbound mail servers to a new datacenter
so we will get a new IP as well. Judging from the past we should allow for
some "warm up" time before switching over to the new system completely and I'm
looking for ways how to achieve that with Exim.

Ideally (from my point of view) the old outbound server would get a new router
which forwards some messages to the new server. This "some" should be based on
a configurable percentage (starting with maybe 1% of the traffic and then
manually ramping up depending on the results).

I strongly prefer to configure the mail flow at the current outbound servers
instead of applying something at our application servers (diverse operating
systems and just a bigger number of systems to take care of).

I guess many more people experienced this problem as well, especially if you
need a "backup" outbound server (which should be "hot" all the time according
to best practices). How are you solving that problem?

Felix
