Re: [exim] converting from debian package to source

[Zakaria via Exim-users]

   It seems you are right indeed. Compatibility has to be taken into
   consideration, using OpenDMARC library version that is accessible from
   headers, I guess a mere of an if statement should handle two code
   blocks for post to 1.3.2 and up to 1.3.2, in relation to this specific
   " few arguements " compiling failure which I've encountered, during
   building against 1.4, I think must of if there will be any changes more
   or less similar to this.
   Although, I would love to get it sorted if I can by myself yet I don't
   think I'm qualified enough to contribute with a proper fix, therefore I
   will leave it to Jeremy and the rest of the contributors.
   With all due appreciation to their dedication.

   On 9 Jan 2022 17:16, Andreas Metzler via Exim-users
wrote:

 On 2022-01-09 Zakaria via Exim-users  wrote:
 >> On 9 Jan 2022, at 11:44, Jeremy Harris via Exim-users
  wrote:
 >> On 08/01/2022 18:30, Edwin Balani via Exim-users wrote:
 >>> Can't you rely on OPENDMARC_LIB_VERSION?  It's defined in
 dmarc.h:

 >> Quite possibly.  Now, is the changed API documented? Or are we
 >> supposed to inspect the libdmarc code and watch for API-breaking
 >> changes, evermore?
 [...]
 > I spent an amount of time trying to get latest DMARC work against
 master EXIM, over last few weeks. It was only one method DMARC has
 refactored, with extra parameter, and EXIM integration isn't it
 taking into account.

 > I found this bug issue opened on
 > https://github.com/trusteddomainproject/OpenDMARC/issues/167

 [...]

 Hello,

 Well, it does not build a lot of trust in the maintainance of the
 shared
 library if a change which breaks both API and ABI ends up in a
 stable
 release and a bugreport does not get any response.

 I can understand Jeremy's reluctance here.

 Please note that this is not completely fixable on exim's side, a
 exim
 binary built against OpenDMARC 1.3 will (probably) crash when
 OpenDMARC
 is upgraded to 1.4 without rebuilding all reverse dependencies.

 cu Andreas
 --
 `What a good friend you are to him, Dr. Maturin. His other friends
 are
 so grateful to you.'
 `I sew his ears on from time to time, sure'

 --
 ## List details at
 https://lists.exim.org/mailman/listinfo/exim-users
 ## Exim details at http://www.exim.org/
 ## Please use the Wiki with this list - http://wiki.exim.org/
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Andreas Metzler via Exim-users]

On 2022-01-09 Zakaria via Exim-users  wrote:
>> On 9 Jan 2022, at 11:44, Jeremy Harris via Exim-users  
>> wrote:
>> On 08/01/2022 18:30, Edwin Balani via Exim-users wrote:
>>> Can't you rely on OPENDMARC_LIB_VERSION?  It's defined in dmarc.h:

>> Quite possibly.  Now, is the changed API documented? Or are we
>> supposed to inspect the libdmarc code and watch for API-breaking
>> changes, evermore? 
[...]
> I spent an amount of time trying to get latest DMARC work against master 
> EXIM, over last few weeks. It was only one method DMARC has refactored, with 
> extra parameter, and EXIM integration isn’t it taking into account.

> I found this bug issue opened on
> https://github.com/trusteddomainproject/OpenDMARC/issues/167

[...]

Hello,

Well, it does not build a lot of trust in the maintainance of the shared
library if a change which breaks both API and ABI ends up in a stable
release and a bugreport does not get any response.

I can understand Jeremy's reluctance here.

Please note that this is not completely fixable on exim's side, a exim
binary built against OpenDMARC 1.3 will (probably) crash when OpenDMARC
is upgraded to 1.4 without rebuilding all reverse dependencies.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Zakaria via Exim-users]

Also, the EXIM reference of opendmarc_policy_store_dkim its in 
https://github.com/Exim/exim/blob/e3e281ccf9d8777d0df98ddd644720573e0343d1/src/src/dmarc.c

“
libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain, 
dkim_result, US"");
"

While following new OpenDMARC method 

"
opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain, “OpenDMARC 
expects u_char *selector here” , dkim_result, US"”);
“

I think its DKIM selector, can be found in DNS records, and I presume it must 
be already retrieved yet couldn’t find in which variable its stored and would 
it be accessible.

Someone fully understanding EXIM, should be able to determine.

I think this is my stride end, hopefully its help at least to Jeremy, anyone 
can take on from here? 

With thanks :)


> On 9 Jan 2022, at 11:44, Jeremy Harris via Exim-users  
> wrote:
> 
> On 08/01/2022 18:30, Edwin Balani via Exim-users wrote:
>> Can't you rely on OPENDMARC_LIB_VERSION?  It's defined in dmarc.h:
> 
> Quite possibly.  Now, is the changed API documented? Or are we
> supposed to inspect the libdmarc code and watch for API-breaking
> changes, evermore?  And *guess* from the variable names used
> what the new semantics might be?  Or read deeply enough into the
> libdmarc implementation to verify the changed behaviour?
> 
> Who will put this effort in?
> 
> What about exim regression testsuite support for dmarc, something
> we currently don't have?  And the maintenance of that, and the the
> ongoing monitoring of testsuite runs and fixing of things found?
> 
> Volunteers?  I'm expecting a deathly hush, as usual.
> 
> -- 
> Cheers,
>  Jeremy
> 
> -- 
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Zakaria via Exim-users]

I spent an amount of time trying to get latest DMARC work against master EXIM, 
over last few weeks. It was only one method DMARC has refactored, with extra 
parameter, and EXIM integration isn’t it taking into account.

I found this bug issue opened on 
https://github.com/trusteddomainproject/OpenDMARC/issues/167 


Also this bug report, its claiming to resolve it yet not sure why EXIM still 
breaking when compiling against 1.4, refer to 
https://bugs.exim.org/show_bug.cgi?id=2728 


Note as per EXIM configuration file documentation, DMARC 1.3.2, at 
https://github.com/trusteddomainproject/OpenDMARC/tree/rel-opendmarc-1-3-2 
, 
works perfectly fine yet, when I compile EXIM against 1.4, I get “ few argument 
passed to function “ failure in opendmarc_policy_store_dkim function, that is 
referenced in following files,

https://github.com/trusteddomainproject/OpenDMARC/blob/2aafb015a56d40e8a1949dc6d2ab0057aaf8b32f/libopendmarc/dmarc.h
 

https://github.com/trusteddomainproject/OpenDMARC/blob/2aafb015a56d40e8a1949dc6d2ab0057aaf8b32f/libopendmarc/opendmarc_policy.c
 

https://github.com/trusteddomainproject/OpenDMARC/blob/7c1503119854da500a35ec74b5153e83d222cc0e/opendmarc/opendmarc.c

The changes that is breaking its in this commit
https://github.com/trusteddomainproject/OpenDMARC/commit/dbd87868f2ca9c2ef11529cd757d1cc5ab228833#diff-e2a20f3fdec887360a43680caeaa8f7b69fa376bd05371b4fe866204ff2f061d

EXIM, references to opendmarc_policy_store_dkim function it should integrate 
the handling for the new argument of “ u_char *selector. "

I would very much appreciate if someone is fully understanding how DMARC works, 
would integrate a fix, certainly with thanks.

Zakaria.


> On 9 Jan 2022, at 11:44, Jeremy Harris via Exim-users  
> wrote:
> 
> On 08/01/2022 18:30, Edwin Balani via Exim-users wrote:
>> Can't you rely on OPENDMARC_LIB_VERSION?  It's defined in dmarc.h:
> 
> Quite possibly.  Now, is the changed API documented? Or are we
> supposed to inspect the libdmarc code and watch for API-breaking
> changes, evermore?  And *guess* from the variable names used
> what the new semantics might be?  Or read deeply enough into the
> libdmarc implementation to verify the changed behaviour?
> 
> Who will put this effort in?
> 
> What about exim regression testsuite support for dmarc, something
> we currently don't have?  And the maintenance of that, and the the
> ongoing monitoring of testsuite runs and fixing of things found?
> 
> Volunteers?  I'm expecting a deathly hush, as usual.
> 
> -- 
> Cheers,
>  Jeremy
> 
> -- 
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Jeremy Harris via Exim-users]

On 08/01/2022 18:30, Edwin Balani via Exim-users wrote:

Can't you rely on OPENDMARC_LIB_VERSION?  It's defined in dmarc.h:


Quite possibly.  Now, is the changed API documented? Or are we
supposed to inspect the libdmarc code and watch for API-breaking
changes, evermore?  And *guess* from the variable names used
what the new semantics might be?  Or read deeply enough into the
libdmarc implementation to verify the changed behaviour?

Who will put this effort in?

What about exim regression testsuite support for dmarc, something
we currently don't have?  And the maintenance of that, and the the
ongoing monitoring of testsuite runs and fixing of things found?

Volunteers?  I'm expecting a deathly hush, as usual.

--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Sabahattin Gucukoglu via Exim-users]

On 8 Jan 2022, at 14:07, Julian Bradfield via Exim-users  
wrote:
> My mail servers run, and have run for decades, on Debian, and I've
> always used the Debian package for exim4, though I don't use debconf
> for my own additions, but just edit the conf.template file as if it
> were a .conf file.
> 
> The pain of dealing with Debian's antiquated versions (4.92) and
> gratuitous messing around with upstream's configuration (most recent
> annoyance, not supporting built-in SPF) is prompting me to think about
> switching to using the primary source.
> 
> I wonder if anybody on this list has done such a conversion recently,
> and would have time to share the chief gotchas they encountered.

I wasn’t clear about whether you understood this, but, of course, nothing 
obliges you to use debconf, split configuration, or the template to configure 
Exim; the Debian binaries look for /etc/exim4/exim4.conf first, before the 
autogenerated file. Ignore the *-conf package altogether and simply put your 
configuration into that one file. Consult the EDITME provided with the binary 
to see how it’s compiled. This is the approach I take, because it turns out 
that building an Exim binary package whenever it’s updated, and especially for 
one distro on another, is sufficiently hard in practice that I can’t be arsed 
and I'd rather simply work around the limitations of the Debian build. As 
others have suggested, run-time SPF checking is something I wouldn’t recommend 
doing anyway in a world of DMARCs.

If you want to do it anyway, then get the Debian source package and look at the 
included docs and rules for creating your own “-custom” binary package. You can 
build your own .deb and then install it, which will give you correct tracking 
for your build, and will generate the correct dependency list for your shared 
library dependencies. I would not advise simply replacing the system binary; 
you should try hard to do the job properly. As I said, I think you may find 
that the compromise of working with the existing binary distribution and your 
own configuration is acceptable. The only reason I wanted to recompile was to 
go from GnuTLS to OpenSSL, which is a decision I have since rescinded. Of 
course, if it ever turns out that Debian’s Exim gets dynamic loading of shared 
libraries, I might just rethink that.

Good luck on your travels.

Cheers,
Sabahattin


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Heiko Schlittermann via Exim-users]

Hi Julian,

Julian Bradfield via Exim-users  (Sa 08 Jan 2022 15:07:01 
CET):
> My mail servers run, and have run for decades, on Debian, and I've
> always used the Debian package for exim4, though I don't use debconf
> for my own additions, but just edit the conf.template file as if it
> were a .conf file.

For several reasons I was unhappy with the Exim packages Debian ships.
So I started my own attempts to package Exim as close as possible to the
original Exim and as close as possible to that what a seasoned Debian
Admin would expect.

https://gitea.schlittermann.de/heiko/exim4-exim.org/src/branch/debian/bullseye

But, be ware, it is in a "works-for-me" status. I use the built packages
on several hosts of my own and my customers infrastructure.

> I wonder if anybody on this list has done such a conversion recently,
> and would have time to share the chief gotchas they encountered.

Currently the worst thing is the libopendmarc issue (Debian ships a
version which is not compatible with the latest Exim versions. So I put
the version Exim needs as a patch into the package and it gets installed 
in and linked from /usr/lib/exim4/libopendmarc or so.)

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


signature.asc
Description: PGP signature
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Jasen Betts via Exim-users]

On 2022-01-08, Odhiambo Washington via Exim-users  wrote:
> On Sat, Jan 8, 2022 at 5:26 PM Julian Bradfield via Exim-users <
> exim-users@exim.org> wrote:
>
>> My mail servers run, and have run for decades, on Debian, and I've
>> always used the Debian package for exim4, though I don't use debconf
>> for my own additions, but just edit the conf.template file as if it
>> were a .conf file.
>>
>> The pain of dealing with Debian's antiquated versions (4.92) and
>> gratuitous messing around with upstream's configuration (most recent
>> annoyance, not supporting built-in SPF) is prompting me to think about
>> switching to using the primary source.
>>
>> I wonder if anybody on this list has done such a conversion recently,
>> and would have time to share the chief gotchas they encountered.
>>
>> If you reply to me, I will summarize to the list.
>>
>
> There are times I have simply grabbed the source tarball and compiled it
> manually.
> As long as you make the right edits to the Local/Makefile. You can always
> toss away the default /etc/exim4 and replace the contents
> with your own version of configs, while still being able to use the system
> control scripts to start/stop exim.
> I have never liked the split configurations I see on Debian and its
> derivates. I use the monolithic config everywhere.

The main benefits for the split config is to allow users to separate
custom from stock config (which makes upgrades less painful), and to
allow packages containing companion services (eg: mailscanner or dbmail)
to ship exim config changes.

It also makes things like adding procedurally generated config
sections easier.

-- 
  Jasen.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Julian Bradfield via Exim-users]

On 2022-01-08, Slavko (tblt) via Exim-users  wrote:
>>So I suppose the question is: if I drop the master-source-built binary
>>on top of the Debian one, what can I expect to break?

> AFAIK spfquery is used in debian's exim for years, thus i am confused, why it 
> is problem for you right now,

Because today I wanted to log the spf status in order to look at issues with
other sites. 
I haven't until now bothered with SPF on incoming mail at all.
I do record the DKIM status in incoming mail for the MUA to look at,
and I wanted to do the same with SPF.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Evgeniy Berdnikov via Exim-users]

  Hello.
  
On Sat, Jan 08, 2022 at 03:27:45PM +, Julian Bradfield via Exim-users wrote:
> Specifically, I don't like the idea of installing an external tool
> spfquery and using the slightly clunky config snippet to use it,
> rather than using the built-in spf - I like things in the exim4 manual
> to work in my installation!
> 
> However, I also don't like fiddling with systems more than necessary -
> sysadmin is not my job, it's just what I have to do to make things
> work. If I have to go the trouble of building my own Debian package, I
> might as well lose all the debian changes and just install exim from
> source, which is easy to repeat on all systems I might use.

 If you are not sysadmin and not programmer then idea to build and install
 Exim from sources looks as understimation of time required for this task.
 And if you are not sysadmin then you shouldn't bother about SPF,
 users generally don't know what is it.

 Package mainteiners do lot of hard work, Exim is not an exception.
 
 Debian package comes with user-friendly configuration system, which is
 designed with aim to provide easy customization. With "split config"
 you can live for years with running updates (both binaries and configs)
 while your own configuration items continue to work.

> I guess I could just try it and see on a quiet day :)

 Really. It's useful to make notes how much time you spent on the
 compilation, tuning and resolution of problems, then compare with
 use of Debian package and/or price list of nearest mail hoster.
-- 
 Eugene Berdnikov

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Edwin Balani via Exim-users]

On Sat, Jan 08, 2022 at 05:02:10PM +, Jeremy Harris via Exim-users wrote:

The dmarc library project appears to have changed their API
in a incompatible fashion.  It's difficult to tell, because
there is no visible documentation and no obvious way to discover
the library version at build time.

At least, last time I looked.


Can't you rely on OPENDMARC_LIB_VERSION?  It's defined in dmarc.h:

  
https://github.com/trusteddomainproject/OpenDMARC/blob/9cebf724/libopendmarc/dmarc.h#L19

Worth noting that 0 is a placeholder value is replaced for versioned 
releases with the proper value (I think this is in the release 
scripting), like so:


  
https://github.com/trusteddomainproject/OpenDMARC/blob/9cebf724/configure.ac#L72
  
https://github.com/trusteddomainproject/OpenDMARC/blob/9cebf724/Makefile.am#L32

Exim uses this too:

  https://github.com/Exim/exim/blob/ef2e5890/src/src/dmarc.c#L56-L64

Something like #if ((OPENDMARC_LIB_VERSION & 0xu) >= 0x0104) 
would catch too-new library versions, I reckon.


~ Edwin

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Andreas Barth via Exim-users]

* Julian Bradfield via Exim-users (exim-users@exim.org) [220108 16:36]:
> However, I also don't like fiddling with systems more than necessary -
> sysadmin is not my job, it's just what I have to do to make things
> work. If I have to go the trouble of building my own Debian package, I
> might as well lose all the debian changes and just install exim from
> source, which is easy to repeat on all systems I might use.

"Building my own Debian package" is what is *less* work for me,
because everything like uids, dependencies on and from other packages
continue to work, etc. So this is my prefered route, because it's
usually just downloading the source package, making the changes I
need, adjusting the changelog (plus using a version number that makes
sure my package is not overriden by an upgrade), compiling and it just
works as it should. But that might be influnced that I'm quite
familiar with Debians package format. However I'm happy I hadn't need
to do that for quite some time now.



Andi

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Andrew C Aitchison via Exim-users]

On Sat, 8 Jan 2022, Julian Bradfield via Exim-users wrote:


On 2022-01-08, Andreas Barth via Exim-users  wrote:

* Julian Bradfield via Exim-users (exim-users@exim.org) [220108 15:18]:

The pain of dealing with Debian's antiquated versions (4.92) and
gratuitous messing around with upstream's configuration (most recent
annoyance, not supporting built-in SPF) is prompting me to think about
switching to using the primary source.


Debian stable uses 4.94, as well as oldstable-backports.


True. I hadn't thought of installing from backports. (My servers are
on buster.) But I'm not sure whether there's anything in 4.94+ that I
need now, it's just all the warnings I see about 4.92 being very obsolete.


If you could elaborate on your problems, perhaps there is an fix
available. Otherwise it's of course trivial to build your own debian
package, but I never felt the need to do so for exim.


Specifically, I don't like the idea of installing an external tool
spfquery and using the slightly clunky config snippet to use it,
rather than using the built-in spf - I like things in the exim4 manual
to work in my installation!

However, I also don't like fiddling with systems more than necessary -
sysadmin is not my job, it's just what I have to do to make things
work. If I have to go the trouble of building my own Debian package, I
might as well lose all the debian changes and just install exim from
source, which is easy to repeat on all systems I might use.

But there are things I know I might need to watch for: UIDs
(Debian-exim vs exim), for example.

So I suppose the question is: if I drop the master-source-built binary
on top of the Debian one, what can I expect to break? (Tainting is the
main thing I'm aware of as a risk.)


If you compile from source and drop the binary on top of the Debian one
it will miss. Debian calls it "exim4" and the upstream source calls it "exim".
Maybe you know this; if not it might be enough fun for one day.


I guess I could just try it and see on a quiet day :)


--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Jeremy Harris via Exim-users]

On 08/01/2022 16:31, Slavko (tblt) via Exim-users wrote:

new version of DMARC lib, which fails
to build with exim



The dmarc library project appears to have changed their API
in a incompatible fashion.  It's difficult to tell, because
there is no visible documentation and no obvious way to discover
the library version at build time.

At least, last time I looked.

Dmarc support in Exim may become untenable.
--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Zakaria via Exim-users]

   Hi Julian,
   I installed exim from source, and here is my input.
   Expect to start with all configuration being set in one file when you
   install from source. I used Dovecot as IMAP server, for security
   purposes disabled startttls in port 587 for smtp in exim and 143 +
   startttls for IMAP in dovecot.
   You will have to configure your own systemd service in centos, I
   believe its equivalent you can retrieve it from your own debian
   package.
   In exim routers you will need lmtp router set either via tcp or unix
   socket and transports, you will need lmtp transport as well as the
   typical smtp one.
   For authentication, you will need to require encryption via
   acl_check_auth.
   Setting up spam scanning e.g. using SA its similar to older releases.
   Same configurations,
   Also, keep in mind I noticed interface option in transports name has
   changed from older releases, it could be applicable to yours.
   If you were using dovecot their documentation about configuring lmtp
   and authentication authenticators with exim its clear and straight
   forward.
   Also, make sure in Local/Makefile from begining to enable needed
   settings including LMTP transport, spf, dmarc, dkim, dsearch module you
   will need it for DKIM configuration, openssl etc. If you want to
   compile against latest openssl, make sure you install it too from
   source, I have openssl 3.1.0-dev, and its working perfectly so far.
   Dont forget to configure log file directory in Makefile, so to be able
   to use logrotate on particularly in selinux enforced environment, if
   log are outside of log directory, its other directory context might
   cause permissions issues.
   Also, refer to sidn.nl tutorials on configuring SPF, DKIM, DMARC, DANE
   in exim. I followed them, and were extremely helpful, note they are
   strict ones, you probably will want to loosen their usage of deny to
   warn and handle such flagged emails with add_header via detect perhaps
   using pigeonhole in dovecot to be forwarded to spam folder.
   If you come across compiling and configuring issues, I certainly might
   be able to help. Let me know.
   Good luck.
   Zakaria.
   On 8 Jan 2022 14:07, Julian Bradfield via Exim-users
wrote:

 My mail servers run, and have run for decades, on Debian, and I've
 always used the Debian package for exim4, though I don't use debconf
 for my own additions, but just edit the conf.template file as if it
 were a .conf file.
 The pain of dealing with Debian's antiquated versions (4.92) and
 gratuitous messing around with upstream's configuration (most recent
 annoyance, not supporting built-in SPF) is prompting me to think
 about
 switching to using the primary source.
 I wonder if anybody on this list has done such a conversion
 recently,
 and would have time to share the chief gotchas they encountered.
 If you reply to me, I will summarize to the list.
 Thanks,
 Julian.
 --
 ## List details at
 https://lists.exim.org/mailman/listinfo/exim-users
 ## Exim details at http://www.exim.org/
 ## Please use the Wiki with this list - http://wiki.exim.org/
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Slavko (tblt) via Exim-users]

Dňa 8. januára 2022 15:27:45 UTC používateľ Julian Bradfield via Exim-users 
 napísal:


>So I suppose the question is: if I drop the master-source-built binary
>on top of the Debian one, what can I expect to break?

IMO nothing will break, except two things:

+ many ACL & routers presets, which may be missing in default config -- 
carefuly check after change
+ security updates from debian -- you will have to watch and apply them by self

AFAIK spfquery is used in debian's exim for years, thus i am confused, why it 
is problem for you right now,
especially when most important sites uses SPF in conjunction with DMARC, and 
you will have problem
to build exim with DMARC support in debian after buster, as it has new version 
of DMARC lib, which fails
to build with exim (it requires <1.4).

Anyway, checking (pure) SPF only for DMARC enabled sites can leads to false 
positive/negative results,
especially with forwarding... Phishers already know that RFC5321_From is not 
shown for users, thus can
be set to something which will pass SPF, i see them daily...

I abandon rejecting mails based on SPF fail some time ago, for now it is logged 
only (and filled into A-R
header) and i do not remember any one failed SPF, which is not rejected latter 
due multiple RBL listing...

For full SPF/DKIM/DMARC chceks i use rspamd...

regards

-- 
Slavko

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Jeremy Harris via Exim-users]

On 08/01/2022 15:27, Julian Bradfield via Exim-users wrote:

(Tainting is the
main thing I'm aware of as a risk.)


It's also a major benefit, because it shows up places in your
config where you have coded in a manner vulnerable to attack.

--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Jeremy Harris via Exim-users]

On 08/01/2022 15:27, Julian Bradfield via Exim-users wrote:

I like things in the exim4 manual
to work in my installation!


The manuals for old releases are available on the Exim website.
--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Julian Bradfield via Exim-users]

On 2022-01-08, Andreas Barth via Exim-users  wrote:
> * Julian Bradfield via Exim-users (exim-users@exim.org) [220108 15:18]:
>> The pain of dealing with Debian's antiquated versions (4.92) and
>> gratuitous messing around with upstream's configuration (most recent
>> annoyance, not supporting built-in SPF) is prompting me to think about
>> switching to using the primary source.
>
> Debian stable uses 4.94, as well as oldstable-backports.

True. I hadn't thought of installing from backports. (My servers are
on buster.) But I'm not sure whether there's anything in 4.94+ that I
need now, it's just all the warnings I see about 4.92 being very obsolete.

> If you could elaborate on your problems, perhaps there is an fix
> available. Otherwise it's of course trivial to build your own debian
> package, but I never felt the need to do so for exim.

Specifically, I don't like the idea of installing an external tool
spfquery and using the slightly clunky config snippet to use it,
rather than using the built-in spf - I like things in the exim4 manual
to work in my installation!

However, I also don't like fiddling with systems more than necessary -
sysadmin is not my job, it's just what I have to do to make things
work. If I have to go the trouble of building my own Debian package, I
might as well lose all the debian changes and just install exim from
source, which is easy to repeat on all systems I might use.

But there are things I know I might need to watch for: UIDs
(Debian-exim vs exim), for example.

So I suppose the question is: if I drop the master-source-built binary
on top of the Debian one, what can I expect to break? (Tainting is the
main thing I'm aware of as a risk.)

I guess I could just try it and see on a quiet day :)


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Odhiambo Washington via Exim-users]

On Sat, Jan 8, 2022 at 5:26 PM Julian Bradfield via Exim-users <
exim-users@exim.org> wrote:

> My mail servers run, and have run for decades, on Debian, and I've
> always used the Debian package for exim4, though I don't use debconf
> for my own additions, but just edit the conf.template file as if it
> were a .conf file.
>
> The pain of dealing with Debian's antiquated versions (4.92) and
> gratuitous messing around with upstream's configuration (most recent
> annoyance, not supporting built-in SPF) is prompting me to think about
> switching to using the primary source.
>
> I wonder if anybody on this list has done such a conversion recently,
> and would have time to share the chief gotchas they encountered.
>
> If you reply to me, I will summarize to the list.
>

There are times I have simply grabbed the source tarball and compiled it
manually.
As long as you make the right edits to the Local/Makefile. You can always
toss away the default /etc/exim4 and replace the contents
with your own version of configs, while still being able to use the system
control scripts to start/stop exim.
I have never liked the split configurations I see on Debian and its
derivates. I use the monolithic config everywhere.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", egrep -v '^$|^.*#' :-)
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Jeremy Harris via Exim-users]

On 08/01/2022 14:07, Julian Bradfield via Exim-users wrote:

I wonder if anybody on this list has done such a conversion recently,
and would have time to share the chief gotchas they encountered.


Not directly, but:  ALWAYS read the ChangeNotes file when changing
versions.  It's there for good reason.

The NewStuff file might also be of interest.

--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] converting from debian package to source

[Andreas Barth via Exim-users]

* Julian Bradfield via Exim-users (exim-users@exim.org) [220108 15:18]:
> The pain of dealing with Debian's antiquated versions (4.92) and
> gratuitous messing around with upstream's configuration (most recent
> annoyance, not supporting built-in SPF) is prompting me to think about
> switching to using the primary source.

Debian stable uses 4.94, as well as oldstable-backports.

If you could elaborate on your problems, perhaps there is an fix
available. Otherwise it's of course trivial to build your own debian
package, but I never felt the need to do so for exim.


Andi

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

[exim] converting from debian package to source

[Julian Bradfield via Exim-users]

My mail servers run, and have run for decades, on Debian, and I've
always used the Debian package for exim4, though I don't use debconf
for my own additions, but just edit the conf.template file as if it
were a .conf file.

The pain of dealing with Debian's antiquated versions (4.92) and
gratuitous messing around with upstream's configuration (most recent
annoyance, not supporting built-in SPF) is prompting me to think about
switching to using the primary source.

I wonder if anybody on this list has done such a conversion recently,
and would have time to share the chief gotchas they encountered.

If you reply to me, I will summarize to the list.

Thanks,
Julian.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/