Re: [exim] Exim 4.95 released
On Fri, Oct 01, 2021 at 01:00:09PM -0400, Viktor Dukhovni via Exim-users wrote:

> > > I'd like to ask, if I may, how TLS resumption interacts with DANE or
> > > other authenticated TLS policy, [...]
> >
> > If enabled for a target host (default being no) then the session
> > cache lookup key is the unadorned IP.

Meanwhile, if I haven't misunderstood your response, or failed to grasp
the complete picture, I think that Exim 4.95 users who want to support
outbound DANE should not enable TLS resumption, and likely the
documentation should advise them of the potential negative interactions.

When a session was cached for resumption (based on policy to cache
sessions for a particular destination), what determines whether that
cached session would later be used? Does the current destination (would
that be a domain, a host, an IP address... ?) need to explicitly opt-in
for resumption, or is presence of the matching IP address in the cache
sufficient to trigger session reuse?

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] Exim 4.95 released
On Fri, Oct 01, 2021 at 02:15:05PM +0100, Jeremy Harris via Exim-users wrote:

> On 28/09/2021 23:41, Viktor Dukhovni via Exim-users wrote:
> >> - fast-ramp queue run
> >> - native SRS
> >> - TLS resumption
> >
> > I'd like to ask, if I may, how TLS resumption interacts with DANE or
> > other authenticated TLS policy, assuming potential earlier
> > unauthenticated TLS connections to the same IP:port or name:port on
> > behalf of some other domain (or via an alternate "router") which did not
> > require an authenticated connection, or otherwise had a different set of
> > TLS requirements.
>
> If enabled for a target host (default being no)
> then the session cache lookup key is the unadorned IP.

I guess you won't be surprised if I suggest you should consider a more
security-aware design, that takes the extant security policy parameters
into account when constructing the lookup key. Otherwise, when e.g. a
connection to a DANE-enabled destination follows an unauthenticated
opportunistic TLS connection with the same underlying host IP, the DANE
connection is subject to MiTM if the original connection was
successfully compromised.

Security aside, we also found it useful to salt the lookup key with the
remote "EHLO" response name, in order to work better with Microsoft's
SMTP servers which have split caches:

    S: 220 ...
    C: EHLO amnesiac
    S: 250- [ junk]
    S ...
    S: 250 STARTTLS

We include the EHLO name in the cache lookup key, so that we can find
the "right" session for split caches behind a load balancer. The Google
SMTP servers have a shared session ticket key and respond with a common
EHLO name.

If you're curious how Postfix computes the lookup key, I can point you
at the code. Basically it computes a SHA256 digest of all relevant
destination and security parameters and uses that in the key...

> >> - faster TLS startup
> >
> > May I ask what this means?
>
> Caching of the CA bundle, and similar setup, by loading it in the
> daemon process (which forks for receive processes).

Makes sense, thanks.

-- 
Viktor.
Re: [exim] Exim 4.95 released
On 28/09/2021 23:41, Viktor Dukhovni via Exim-users wrote:
>> - fast-ramp queue run
>> - native SRS
>> - TLS resumption
>
> I'd like to ask, if I may, how TLS resumption interacts with DANE or
> other authenticated TLS policy, assuming potential earlier
> unauthenticated TLS connections to the same IP:port or name:port on
> behalf of some other domain (or via an alternate "router") which did not
> require an authenticated connection, or otherwise had a different set of
> TLS requirements.

If enabled for a target host (default being no)
then the session cache lookup key is the unadorned IP.

>> - faster TLS startup
>
> May I ask what this means?

Caching of the CA bundle, and similar setup, by loading it in the
daemon process (which forks for receive processes).

-- 
Cheers,
  Jeremy
Re: [exim] Exim 4.95 released
On 30/09/2021 15:43, Sabahattin Gucukoglu via Exim-users wrote:
> On 28 Sep 2021, at 22:19, Heiko Schlittermann via Exim-users wrote:
>> - Removed:
>>   - support for MacOS
>
> This makes me sad. Was there any particular reason?

Nobody was maintaining the sole regression-testing system, and despite
appeals nobody stepped up to run a new one.

-- 
Cheers,
  Jeremy
Re: [exim] Exim 4.95 released
On 28 Sep 2021, at 22:19, Heiko Schlittermann via Exim-users wrote:
> - Removed:
>   - support for MacOS

This makes me sad. Was there any particular reason? I appreciate that
it's not a server platform but being able to compile Exim from a tree in
your home prefix and use it as a very effective MSP was a primary use
for me for a while. Nowadays I'd probably be inclined to use OpenSMTPD
for which a MacPorts port is available.

Cheers,
Sabahattin
Re: [exim] Exim 4.95 released
On Tue, Sep 28, 2021 at 11:19:34PM +0200, Heiko Schlittermann via Exim-users wrote:

> New stuff we've added since 4.94:
>
> - From previous experimental support:
>   - fast-ramp queue run
>   - native SRS
>   - TLS resumption

I'd like to ask, if I may, how TLS resumption interacts with DANE or
other authenticated TLS policy, assuming potential earlier
unauthenticated TLS connections to the same IP:port or name:port on
behalf of some other domain (or via an alternate "router") which did not
require an authenticated connection, or otherwise had a different set of
TLS requirements.

In Postfix, Wietse and I had to take care in the session cache design to
avoid resumption across distinct client TLS "policies" (PKI type,
authentication, cipher list, allowed protocol versions, sorted DANE TLS
RRset, ...). Does Exim also partition the session cache by a security
policy fingerprint?

>   - faster TLS startup

May I ask what this means?

-- 
Viktor.
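The two Viktor Dukhovni messages above describe the same design point from both ends: the question of whether a TLS session cache is partitioned by a security policy fingerprint, and the Postfix approach of hashing all destination and security parameters (with the peer's EHLO name as a salt) into the lookup key, so that a ticket obtained under an opportunistic, unauthenticated policy can never be replayed into a later DANE-verified delivery to the same IP. The following is an added illustration of that idea and is not Postfix's or Exim's own code; the TlsPolicy fields, the TEST-NET address, the EHLO names, the TLSA strings and the ticket bytes are all constructed assumptions.

```python
"""Constructed example: a TLS session-cache lookup key partitioned by the
client's TLS policy, beside the bare-IP key the thread warns about.
Not Postfix or Exim code; field names and sample values are assumptions."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsPolicy:
    """Client-side TLS requirements for one delivery attempt (assumed fields)."""
    level: str            # e.g. "may" (opportunistic), "encrypt", "dane", "secure"
    protocols: tuple      # allowed protocol versions
    ciphers: str          # cipher grade / list
    expected_name: str = ""   # name the server certificate must match, if any
    tlsa: tuple = ()          # DANE TLSA RRset in presentation format, any order


def bare_ip_key(ip: str, port: int) -> str:
    """Lookup key on the peer address alone: every policy shares one slot."""
    return f"{ip}:{port}"


def policy_key(ip: str, port: int, policy: TlsPolicy, ehlo_name: str = "") -> str:
    """SHA-256 over the destination plus every security-relevant parameter.
    Each field is length-prefixed so two different field lists can never
    serialise to the same byte string."""
    h = hashlib.sha256()

    def add(field: str) -> None:
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)

    add(ip)
    add(str(port))
    add(policy.level)
    add(",".join(sorted(policy.protocols)))
    add(policy.ciphers)
    add(policy.expected_name)
    # Sort the RRset so that DNS answer order does not needlessly split the cache.
    add("\n".join(sorted(policy.tlsa)))
    # Salt with the server's EHLO greeting name: split caches behind a load
    # balancer each get their own slot instead of failing resumption.
    add(ehlo_name)
    return h.hexdigest()


class SessionCache:
    """Minimal in-memory cache; a real MTA persists tickets with a TTL."""

    def __init__(self) -> None:
        self._store: dict = {}

    def put(self, key: str, session: bytes) -> None:
        self._store[key] = session

    def get(self, key: str):
        return self._store.get(key)


def demo() -> dict:
    """Two deliveries to the same IP:port, one opportunistic, one DANE-verified."""
    ip, port = "192.0.2.25", 25                      # constructed TEST-NET-1 address
    protos = ("TLSv1.2", "TLSv1.3")
    opportunistic = TlsPolicy("may", protos, "medium")
    tlsa_a = "3 1 1 " + "aa" * 32                    # constructed placeholder records
    tlsa_b = "3 1 1 " + "bb" * 32
    dane = TlsPolicy("dane", protos, "high", "mx.example.net", (tlsa_a, tlsa_b))
    dane_reordered = TlsPolicy("dane", protos, "high", "mx.example.net", (tlsa_b, tlsa_a))

    # A ticket from the unauthenticated handshake is stored under both schemes.
    ticket = b"constructed-ticket-from-unauthenticated-handshake"
    cache = SessionCache()
    cache.put(bare_ip_key(ip, port), ticket)
    cache.put(policy_key(ip, port, opportunistic, "mx1.example.net"), ticket)

    return {
        # Bare-IP key: the DANE delivery resumes the unauthenticated session.
        "bare_key_resumes_for_dane": cache.get(bare_ip_key(ip, port)) is ticket,
        # Policy key: the DANE delivery misses and must do a full, verified handshake.
        "policy_key_resumes_for_dane":
            cache.get(policy_key(ip, port, dane, "mx1.example.net")) is ticket,
        # Same policy, same peer: the ticket is found again.
        "same_policy_hits":
            cache.get(policy_key(ip, port, opportunistic, "mx1.example.net")) is ticket,
        # Different EHLO names (split cache) get different slots.
        "ehlo_salt_separates":
            policy_key(ip, port, dane, "mx1.example.net")
            != policy_key(ip, port, dane, "mx2.example.net"),
        # RRset order does not change the key.
        "rrset_order_ignored":
            policy_key(ip, port, dane, "mx1.example.net")
            == policy_key(ip, port, dane_reordered, "mx1.example.net"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The important row is "policy_key_resumes_for_dane": with the bare-IP scheme the DANE-policy delivery silently resumes a session whose server identity was never verified, while the digest key forces a fresh handshake under the stricter policy. Any parameter that changes what "secure enough" means for a delivery belongs in the digest; anything that merely affects which cache slot is reachable (the EHLO name) is added as a salt.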
[exim] Exim 4.95 released
Dear Exim users and maintainers,

we're proud to announce the release of Exim 4.95.

New stuff we've added since 4.94:

- From previous experimental support:
  - fast-ramp queue run
  - native SRS
  - TLS resumption
  - LMDB lookups with single key
- New:
  - smtp transport option "message_linelength_limit"
  - optionally ignore lookup caches
  - quota checking for appendfile transport during message reception
  - sqlite lookups allow a "file=" option
  - lsearch lookups allow a "ret=full" option
  - command line option for the notifier socket
  - faster TLS startup
  - new main config option "proxy_protocol_timeout"
  - expand "smtp_accept_max_per_connection"
  - log selector "queue_size_exclusive"
  - main config option "smtp_backlog_monitor"
  - main config option "hosts_require_helo"
  - main config option "allow_insecure_tainted_data"
- Removed:
  - support for MacOS

All fixes from the 4.94.2+fixes branch (this includes the "21 nails"
CVEs) are included too.

If you upgrade from previous versions <4.94: the new taint checks are
likely to make your runtime configuration unusable. Read about the
mitigation via the "allow_insecure_tainted_data" first or make your
configuration "taint check proof".

If you upgrade from 4.94.2, nothing should break.

For those who used 4.95-RC2, a list of changes that were introduced since RC2:

* 780ea2a5c - OpenBSD: disable compiler-time param checking for string_sprintf() etc (8 days ago)
* 8b78698fa - Docs: fix closed-mailinglist example (8 days ago)
* 8f0d0a313 - DCC: fix loop expression (2 weeks ago)
* 48505c2b8 - TLS: build dependency for LibreSSL (2 weeks ago)
* 6c706bde1 - Docs: tidying (3 weeks ago)
* 889894461 - Fix validation of domain-literals in Message_ID: headers. Bug 2805 (3 weeks ago)
* 8dcd5efb1 - Avoid using CLOCK_MONOTONIC for $received_time. Bug 2615 (4 weeks ago)

Exim 4.95 is available
- as tarball: https://ftp.exim.org/pub/exim/exim4
- directly via Git: https://git.exim.org/exim.git tag exim-4.95

The tarball checksums are signed using the same GPG key as I used to
sign this message (Key-ID: D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142),
as the tag and tagged commit are.

Thank you and all contributors for your support. Especially thanks to
Jeremy, as he does the vast majority of coding and support.

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann

-- 
SCHLITTERMANN.de internet & unix support - Heiko Schlittermann, Dipl.-Ing. (TU)
{fon,fax}: +49.351.802998{1,3}
gnupg encrypted messages are welcome --- key ID: F69376CE