Re: [exim] Re (2): Configuring for non-encrypted MUA to localhost. TLS-on-connect, exim to smarthost.

2023-03-31 Thread Heiko Schlittermann via Exim-users
Peter via Exim-users (Fri 31 Mar 2023 15:40:35 CEST):
> From: Jeremy Harris via Exim-users 
> Subject:  Re: [exim] Configuring for non-encrypted MUA to localhost.
> TLS-on-connect, exim to smarthost.
> > Debian has a configuration wizard.  In what respect is
> > it not offering what you need?
> 
> MUA to exim is OK.
> 
> The configuration appears to impose STARTTLS to the smarthost
> while the smarthost is requiring TLS-on-connect.

> Consequently exim queues outgoing messages but can not send to
> smarthost.

Try adding 
protocol = smtps
to your smtp transport.

protocol | Use: smtp | Type: string | Default: smtp

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


signature.asc
Description: PGP signature
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)

2023-03-21 Thread Heiko Schlittermann via Exim-users
Andreas Metzler via Exim-users (Thu 16 Mar 2023 18:28:49 CET):
> Thanks to all the involved parties for clearing this up (and obviously
> for handling the whole thing in the first place)!

The missing CVE text has been online since yesterday.

https://www.exim.org/static/doc/security/CVE-2021-38371.txt

The website repo https://git.exim.org/exim-website.git

commit ba0da048589d0c808f3161ea03de19d3bb2adc17
Author: Heiko Schlittermann (HS12-RIPE) 
Date:   Mon Mar 20 11:14:19 2023 +0100

chg: add note about CVE-2021-38371 about not being a problem

commit 2fae8e2e6a9d5606ac7eb7c94003d59756a1281a
Author: Andrew Aitchison 
Date:   Mon Mar 20 11:13:22 2023 +0100

add: CVE-2021-38371



-- 
Heiko




Re: [exim] CVE-2021-38371 (was: CVE-2022-37452)

2023-03-16 Thread Heiko Schlittermann via Exim-users
Hi Andrew,
Andrew C Aitchison via Exim-users (Wed 15 Mar 2023 21:00:11 CET):
> > > www.exim.org/static/doc/security/CVE-2021-38371.txt

I'll publish your announcement there. Thank you, Andrew, for
preparing it. *But*, as we do not see this as a practical security
issue, we'll place a notice there: "The Exim developers do not consider
this CVE as a security problem." (Suggestions on better wording are
welcome.)

Yesterday JGH and I had a short public IRC chat on this.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann


Re: [exim] How to configure exim config about spf

2023-03-09 Thread Heiko Schlittermann via Exim-users
Hi,

TomNewChao via Exim-users (Fri 10 Mar 2023 03:00:13 CET):
> Hello, When I compiled exim, spf was enabled, and I used the libspf2 library. 
> How can I configure spf in /etc/exim.conf,  it is only setting CHECK_RCPT_SPF 
> = true , and else ?

> The exim config is below:
>   .ifdef CHECK_RCPT_SPF
>   deny
…
> condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
>   ${quote:$sender_host_address} --identity \
>   ${if def:sender_address_domain \
>   {--scope mfrom  --identity ${quote:$sender_address}}\
>   {--scope helo --identity ${quote:$sender_helo_name\
>   {no}{${if eq {$runrc}{1}{yes}{no

If I'm not mistaken, this is nothing the upstream provides. What's the
origin of this configuration?

> Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL TLS_resume 
> Content_Scanning DANE DKIM DMARC DNSSEC Event OCSP PIPECONNECT PRDR PROXY 
> Queue_Ramp SOCKS SPF TCP_Fast_Open

Since you have SPF compiled in, all you need to do is read the Spec
file and configure the *built-in* SPF functionality. No need for
external program invocations. The Spec, near section 58.4, contains
information on this topic.

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-dkim_spf_srs_and_dmarc.html

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann


Re: [exim] renewing the SSL certificate doesn't work

2023-02-27 Thread Heiko Schlittermann via Exim-users
Gary Stainburn via Exim-users (Mon 27 Feb 2023 11:21:56 CET):
> 
> However, when I install the new files I get SSL errors.
> 
> TLS error on connection from mail14.atl281.mcsv.net [198.2.143.14]
> (SSL_CTX_use_PrivateKey_file file=/etc/pki/tls/certs/ringways.co.uk.key):
> error:0906D06C:PEM routines:PEM_read_bio:no start line

Try

 openssl rsa -in /etc/pki/tls/certs/ringways.co.uk.key -noout

It should read the key. If it works, try the same as the Exim runtime
user:

 sudo -u $(exim -n -bP exim_user) openssl rsa -in /etc/pki/tls/certs/ringways.co.uk.key -noout

Both commands must not produce any error message; in fact, they must not
produce any output.

-- 
Heiko


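As an added example (not from the post above), the checks below look at the bytes of a key file the way OpenSSL's PEM reader does and name the usual causes of `PEM_read_bio:no start line`; the sample files are constructed inline and contain dummy text, not real key material.

```python
import re

# One PEM header/footer line at the start of a line, e.g.
# "-----BEGIN RSA PRIVATE KEY-----" (optional CR before the newline).
PEM_HEADER = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\r?$", re.MULTILINE)
PEM_FOOTER = re.compile(rb"^-----END ([A-Z0-9 ]+)-----\r?$", re.MULTILINE)

# Labels of unencrypted key blocks that SSL_CTX_use_PrivateKey_file accepts.
KEY_LABELS = {b"PRIVATE KEY", b"RSA PRIVATE KEY", b"EC PRIVATE KEY", b"DSA PRIVATE KEY"}


def pem_labels(data: bytes) -> list:
    """Return the labels of all BEGIN lines in the file, in order."""
    return [m.group(1) for m in PEM_HEADER.finditer(data)]


def diagnose_private_key(data: bytes) -> tuple:
    """Return (ok, reason) for the bytes of a file named by tls_privatekey.

    ok is True only when an unencrypted private key block with a matching END
    line is present; otherwise reason names the likely cause of the OpenSSL
    error that shows up in the Exim log.
    """
    if not data.strip():
        return False, "empty file (renewal script wrote nothing?)"
    if data.startswith(b"\xef\xbb\xbf"):
        # OpenSSL compares raw lines, so a BOM means no line starts with -----BEGIN
        return False, "UTF-8 BOM before the first line: OpenSSL sees no start line"
    if data[:1] == b"\x30":
        # 0x30 is the ASN.1 SEQUENCE tag every DER-encoded key starts with
        # (a PEM file always starts with '-', so this does not misfire on PEM)
        return False, "DER-encoded key, not PEM: convert with 'openssl rsa -inform DER'"
    labels = pem_labels(data)
    if not labels:
        hint = "looks like HTML" if b"<html" in data[:512].lower() else "no BEGIN line at all"
        return False, f"not a PEM file ({hint}): OpenSSL reports no start line"
    if b"ENCRYPTED PRIVATE KEY" in labels:
        return False, "encrypted PKCS#8 key: a passphrase would be needed at load time"
    key_labels = [label for label in labels if label in KEY_LABELS]
    if not key_labels:
        # e.g. the certificate was copied over the .key file: OpenSSL scans every
        # PEM block for a key type and, finding none, also reports no start line
        return False, "contains %s but no private key block" % b", ".join(labels).decode()
    if len(PEM_FOOTER.findall(data)) < len(labels):
        return False, "truncated file: BEGIN line without matching END line"
    return True, "unencrypted %s block present" % key_labels[0].decode()


# Constructed sample files (dummy base64 text, not real keys or certificates).
SAMPLES = {
    "good": b"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSj\n-----END PRIVATE KEY-----\n",
    "cert_only": b"-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgIE\n-----END CERTIFICATE-----\n",
    "bom": b"\xef\xbb\xbf-----BEGIN RSA PRIVATE KEY-----\nMIIE\n-----END RSA PRIVATE KEY-----\n",
    "der": b"\x30\x82\x04\xa4\x02\x01\x00",
    "html": b"<html><body>403 Forbidden</body></html>\n",
    "truncated": b"-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEI\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, reason = diagnose_private_key(blob)
        print(f"{name:10s} {'OK ' if ok else 'BAD'} {reason}")
```

A file that passes here can still be unreadable for the Exim runtime user, which is what the `sudo -u` variant of the openssl command above checks.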


Re: [exim] Issue with Exim on an IPv6-only host

2023-02-21 Thread Heiko Schlittermann via Exim-users
Sebastian Tennant via Exim-users (Tue 21 Feb 2023 12:59:57 CET):
> Hello Jeremy,
> 
>  hosts_require_auth = $host_address

$host_address likely contains colons, which confuses the parser here.
Use … = <; $host_address

-- 
Heiko


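The splitting rule behind that advice, as an added example that is not part of the post: a simplified model of how Exim splits a string list (default separator `:`, a doubled separator stands for a literal one, a leading `<` plus a punctuation character changes the separator), applied to a `$host_address` holding an IPv6 address. The helper is mine and approximates Exim's list handling; it is not Exim's own code.

```python
import string


def exim_split_list(value: str, default_sep: str = ":") -> list:
    """Split an Exim string list into items (simplified model of Exim's rules).

    - the separator defaults to ':' (or whatever the option uses);
    - a leading '<' followed by a punctuation character selects that character
      as the separator for this list (the "<;" idiom);
    - a doubled separator inside the list stands for one literal separator;
    - white space around each item is dropped, and a trailing empty item
      (list ending in a separator) is ignored.
    """
    s = value.lstrip()
    sep = default_sep
    if len(s) >= 2 and s[0] == "<" and s[1] in string.punctuation:
        sep, s = s[1], s[2:]
    items, buf, i = [], [], 0
    while i < len(s):
        if s[i] == sep:
            if s[i + 1:i + 2] == sep:       # doubled separator -> literal character
                buf.append(sep)
                i += 2
                continue
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(s[i])
        i += 1
    items.append("".join(buf).strip())
    if items and items[-1] == "":          # trailing separator, e.g. "a:b:"
        items.pop()
    return items


def hosts_require_auth_items(option_value: str, host_address: str) -> list:
    """Model Exim's order of operations: expand $host_address, then split the list."""
    return exim_split_list(option_value.replace("$host_address", host_address))


if __name__ == "__main__":
    addr = "2001:db8::1"   # constructed IPv6 address for the demonstration
    # Without "<;" the colons of the address are taken as list separators
    print(hosts_require_auth_items("$host_address", addr))      # ['2001', 'db8:1']
    # With "<;" the whole address is one item and can match the host
    print(hosts_require_auth_items("<; $host_address", addr))   # ['2001:db8::1']
```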


Re: [exim] TLS authentication

2023-02-16 Thread Heiko Schlittermann via Exim-users
Ian Zimmerman via Exim-users (Tue 14 Feb 2023 01:40:52 CET):
>   With OpenSSL the certificates specified explicitly either by file or
>   directory are added to those given by the system default location.
> 
> Is it at all possible with OpenSSL to stop the "system" location from
> being checked? If not, that seems to make the use of TLS for client
> authentication impossible because any certificate presented by
> e.g. Google will pass verification. Am I reading this correctly?

IMHO it shouldn't be sufficient to accept any client that just has a
verified certificate ("authenticated"). You should check whether the client
is "authorized" by checking required certificate attributes (issuer,
subject, …).

Maybe I got you wrong.
-- 
Heiko




Re: [exim] New install EXIM + Dovecot - auth permission error

2023-02-01 Thread Heiko Schlittermann via Exim-users
Hi,

I may be totally wrong, but…

Gary Stainburn via Exim-users (Wed 01 Feb 2023 14:02:06 CET):
>   driver = dovecot
>   public_name = LOGIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1
> 
> dovecot_plain:
>   driver = dovecot
>   public_name = PLAIN
>   server_socket = /var/run/dovecot/auth-client
>   server_set_id = $auth1

Sure about $auth1? Isn't it $auth2 in case of the PLAIN driver?

> 2023-02-01 12:50:11 dovecot_login authenticator failed for hub.
> ([10.1.1.103]) [**.**.**.**]: 435 Unable to authenticate at present: unable
> to connect to UNIX socket (/var/run/dovecot/auth-client): Permission denied

Yes, Exim connects to the socket as the Exim runtime user, but the
permissions on the socket are way too tight.

I think either set the socket to 666, or make it 660 and assign it to a
group Exim belongs to (though I'm not sure if Exim "joins" its
supplementary groups (aka initgroups(3)) for auth purposes).

I'm not sure about the security impact of widening the permissions on
this socket. In theory it can be used to do mass-checking of auth
credentials.

The permissions and ownership of the socket can be set in the dovecot
config file.

-- 
Heiko




Re: [exim] local delivery fails after server move

2022-12-26 Thread Heiko Schlittermann via Exim-users
This router is run for all your local domains. If it creates a new
address @+local_domains, there is no chance to get to the routers
further down the chain: a new address means the routing starts again at
the very first router, and eventually it will reach your pgsql_aliases
again, which doesn't create a new address (declines), but, as "no_more"
is set, the address won't be tried with the following routers.

You can either drop the "no_more" option, or, if the outcome of the
pgsql_aliases can *always* be handled by the routers further down in the
chain, you can use "redirect_router = userforward" in your pgsql_aliases
routers.

> pgsql_aliases:
>   debug_print = "R: pgsql alias $local_part @ $domain"
>   driver = redirect
>   domains = +local_domains
>   allow_fail
>   allow_defer
>   data = ${lookup pgsql{select a_target from current_alias_list \
>    where a_localpart = '${quote_pgsql:$local_part}' \
>     and domain='${quote_pgsql:$domain}'}}
>   file_transport = address_file
>   pipe_transport = address_pipe
>   no_more
> 
> userforward:
>   debug_print = "R: User Forward"
>   driver = redirect
>   check_local_user
…

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
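A toy model of the routing loop described in the post above, added here as an illustration and not part of the post or of Exim itself: two routers that mirror the quoted `pgsql_aliases` and `userforward` configuration (the second reduced to an accepting router that stands in for the rest of the chain), a constructed alias table, and the three variants discussed (`no_more` kept, `no_more` dropped, `redirect_router = userforward`).

```python
from dataclasses import dataclass

# Constructed stand-ins for +local_domains, the accounts check_local_user
# would find, and what the pgsql lookup would return.
LOCAL_DOMAINS = {"example.com"}
LOCAL_USERS = {"alice", "bob"}
ALIASES = {"info": "alice@example.com", "sales": "bob@example.com"}


@dataclass
class Router:
    name: str
    driver: str                  # "redirect" (alias lookup) or "accept" (rest of the chain)
    domains: set = None          # None: no domains precondition
    check_local_user: bool = False
    no_more: bool = False
    redirect_router: str = None  # router at which generated addresses start routing


def route(address: str, routers: list, start: int = 0, depth: int = 0, trace: list = None) -> tuple:
    """Return (outcome, trace) for one address, following the rule in the post:
    a generated address restarts routing at the first router unless the
    redirect router names a redirect_router, and a router that declines with
    no_more set ends the chain for that address."""
    trace = [] if trace is None else trace
    if depth > 5:
        return "loop", trace + ["too many redirections"]
    local_part, domain = address.split("@", 1)
    names = [r.name for r in routers]
    for r in routers[start:]:
        if r.domains is not None and domain not in r.domains:
            trace.append(f"{r.name}: skipped {address} (domain precondition)")
            continue
        if r.driver == "redirect" and local_part in ALIASES:
            target = ALIASES[local_part]
            trace.append(f"{r.name}: {address} -> {target}")
            nxt = names.index(r.redirect_router) if r.redirect_router else 0
            return route(target, routers, nxt, depth + 1, trace)
        if r.driver == "accept" and (not r.check_local_user or local_part in LOCAL_USERS):
            trace.append(f"{r.name}: accepted {address}")
            return "delivered", trace
        trace.append(f"{r.name}: declined {address}")
        if r.no_more:
            trace.append(f"{r.name}: no_more set, following routers not tried")
            return "unrouteable", trace
    return "unrouteable", trace + [f"no router accepted {address}"]


def chain(no_more: bool, redirect_router: str = None) -> list:
    """The two routers quoted in the thread, reduced to what matters here."""
    return [
        Router("pgsql_aliases", "redirect", domains=LOCAL_DOMAINS,
               no_more=no_more, redirect_router=redirect_router),
        Router("userforward", "accept", domains=LOCAL_DOMAINS, check_local_user=True),
    ]


def outcome(no_more: bool, redirect_router: str = None, address: str = "info@example.com") -> str:
    return route(address, chain(no_more, redirect_router))[0]


if __name__ == "__main__":
    variants = [("no_more kept", True, None),
                ("no_more dropped", False, None),
                ("redirect_router = userforward", True, "userforward")]
    for label, no_more, rr in variants:
        result, steps = route("info@example.com", chain(no_more, rr))
        print(f"{label}: {result}")
        for step in steps:
            print("   ", step)
```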


Re: [exim] exim 4.96 stopping because postfix is starting?

2022-12-20 Thread Heiko Schlittermann via Exim-users
Johnnie W Adams via Exim-users (Mon 19 Dec 2022 18:22:34 CET):
> Hi, folks,
> 
>  Twice recently, my outbound SMTP server has stopped working for no
> apparent reason. There's nothing in the logs but this:

Can you, please, provide the unit files for Exim and Postfix?

systemctl cat exim\* postfix\*


-- 
Heiko




Re: [exim] Storing messages in Maildir format with symmetric encryption

2022-11-24 Thread Heiko Schlittermann via Exim-users
Dengler, Gabriel (Thu 24 Nov 2022 00:19:42 CET):
> > somewhere for later use as encryption/decryption key?
> yeah, that's my main idea. For clearness, a "normal" communication profile
> would look like this:
> * An external sender sends an e-mail to our local Exim Server.
> * The Exim Server saves the message, e.g. via Maildir, encrypted with the
> password of the receiver.

Ok, but how does Exim know the password of the receiver? You've access
to the password hashes only, I suppose.

> * When the receiver wants to access the message, e.g., via IMAP, he/she
> encrypts the saved message again via its private password.

Wouldn't it be better to use asymmetric encryption? Then Exim doesn't
need to know a shared secret, but only a public key. The mailbox user
can then decrypt the message using a private key.

Having a shared secret that's known to Exim (except during the
verification of a PLAIN or LOGIN auth) creates an unnecessary attack
surface.

> I think I have to sleep about this concept one more night, but besides:
> would the general setup be possible with transport_filter if the passwords
> are not hashed (although this is obviously a security issue)?

BTW, I *think* I read that Dovecot supports encrypted mailboxes. And in
the ideal world Exim doesn't know anything about how to store messages,
but simply passes the messages to an MDA (mail delivery agent), e.g.
directly via a local pipe (dovecot-deliver, cyrdeliver, …), or via a
protocol like LMTP (which is supported by Dovecot and Cyrus too).

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann


Re: [exim] Storing messages in Maildir format with symmetric encryption

2022-11-23 Thread Heiko Schlittermann via Exim-users
Hi Gabriel,

Dengler, Gabriel via Exim-users (Wed 23 Nov 2022 01:16:19 CET):
> I want to store the incoming e-mails using the Maildir file format encrypted
> by using some symmetric encryption using the user's password (e.g., AES). So
> in the end, Exim should write the encrypted files directly on the disk.
> Furthermore, it would be convenient if the actual password is solely
> persistent saved as a hash (for checking at authentication), the real
> password - and therefore the en-/decryption key - is only temporarily
> available during the login session.

Maybe I'm missing the point. The on-disk representation of the password
is a hash. That can't be used for symmetric encryption/decryption.

You want to "grab" the real password during user login, and save it
somewhere for later use as encryption/decryption key?

IMHO no source modification is necessary: $auth2, $auth3 (depending on
the AUTH scheme you use; it needs to be PLAIN or LOGIN) contain the
password. You're free to save it wherever you want (using SQL, using
embedded Perl code, using any external command, using readsocket, …).

The encryption I'd do with a "transport_filter", which basically can be
an "aes-pipe" or similar.

> Therefore, I wanted to modify the Exim source code directly but was
> confronted with a large amount of code, e.g., the differentiation between
> the different transport types or the many cases considered in the appendfile
> protocol. So I have some questions, where you might help me in the "big
> picture":

As stated, all transports can use a "transport_filter", which should be
able to process your message on the fly while writing it to the
mailbox file.

> * How to enforce that a user has to authenticate him-/herself with a
> password?

Use ACL to check if the user is authenticated. You should find it in the
example config. Watch out for "authenticated = *".

> * Where is a good point of "grabbing out" the password from the user and how
> to "carry" it to the point where the encryption happens?

The authenticators (authenticators section of the config) have the
password, and the server_condition does string expansion, so you can do
whatever you need there.

# example, *unchecked*, just served from memory, likely to be
# wrong

begin authenticators

plain:
  driver = plain
  server_advertise_condition = ${if def:tls_in_cipher}
  server_condition = use $auth2 (user name) and $auth3 (password) in a creative way

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann


Re: [exim] 2 System in / out Virtual Domain mail service

2022-11-14 Thread Heiko Schlittermann via Exim-users
The Doctor via Exim-users (Mon 14 Nov 2022 19:34:05 CET):
> Quick question!
> I have on my incoming server , virtual e-mail working correct.
> Can I safely copy to the outbound server?

It depends.

-- 
Heiko




Re: [exim] Exim MariaDB and SSL

2022-11-04 Thread Heiko Schlittermann via Exim-users
Brent Clark via Exim-users (Fri 04 Nov 2022 13:38:18 CET):
> 
> All I did was, I created the file /etc/mysql/conf.d/my,cnf
> 
> With the contents.
> [exim]
> host= $IP_OF_PROXYSQL
> port= $PORT
> user=$USERNAME
> password=$PASSWORD
> database=$DATABASE
> ssl_cert=/etc/ssl/server-cert.pem
> ssl_key=/etc/ssl/server-key.pem
> ssl_ca=/etc/ssl/ca-cert.pem

For Exim the host, port, user, and password are not necessary, if
configured in Exim's config, right? Did you duplicate it from there, or
did you omit these settings from Exim's config?

Please check whether this commit fits your expectations:

7d5dcdd4cbee9e980e9c2d2e72e3bf76e6c39a87

https://git.exim.org/exim.git/commit/7d5dcdd4cbee9e980e9c2d2e72e3bf76e6c39a87

-- 
Heiko




Re: [exim] Exim in Gramine: defining search path for loading dynamic libraries

2022-11-02 Thread Heiko Schlittermann via Exim-users
Dengler, Gabriel via Exim-users (Wed 02 Nov 2022 19:03:34 CET):
> About the security caveats: do you think that there could be bigger security
> issues if the code runs in an isolated environment like Gramine is? Or can
> you sketch how a possible security attack could look?

If I remember correctly, until we introduced keep_environment and
add_environment, the following was possible as an unprivileged user
("hans"):

$ export PERL5LIB=/home/hans
$ /usr/sbin/exim …

In the above scenario the Exim config used Perl functions loaded from
external Perl modules (assumed to be in one of the default Perl library
paths).

By the above modification an unprivileged user was able to get more
privileges by "injecting" malicious Perl functions.

I can imagine that a similar approach will work with LD_LIBRARY_PATH.
But … doesn't the loader clean the LD_LIBRARY_PATH if the RUID differs
from the EUID?

See ld.so(8) for LD_LIBRARY_PATH. Given that, I'm curious why setting
this variable works in your environment.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann


Re: [exim] Exim MariaDB and SSL

2022-11-01 Thread Heiko Schlittermann via Exim-users
Jeremy Harris via Exim-users (Tue 01 Nov 2022 11:24:45 CET):
> On 01/11/2022 06:28, Brent Clark via Exim-users wrote:
> > I would like to run exim to use MariaDB's inherent TLS / SSL functions.
> > 
> > Is this possible with exim? I changed the '/etc/my.cnf' '[client]' section 
> > to define the key/cert/csa, and Dovecot picked it up great, but exim 
> > doesn't seem to.
> > 
> > I checked the exim docs under MySQL and didn't see any reference to SSL. Is 
> > it not possible to use MySQL's native SSL support with exim?
> 

JGH is right. We have for the mysql_servers option:

::()[]///

(I missed the related function call in Exim's sources.)

So having TLS options in one of the my.cnf should work. Maybe you used
the wrong option group (as JGH guessed), or the wrong file, or wrong
permissions on the file, or any combination of all these.

-- 
Heiko




Re: [exim] Exim MariaDB and SSL

2022-11-01 Thread Heiko Schlittermann via Exim-users
Heiko Schlittermann via Exim-users (Tue 01 Nov 2022 08:00:55 CET):
> Good Morning,
> Brent Clark via Exim-users (Tue 01 Nov 2022 07:28:42 CET):
> > I would like to run exim to use MariaDB's inherent TLS / SSL functions.
> ...
> > I checked the exim docs under MySQL and didn't see any reference to SSL. Is
> > it not possible to use MySQL's native SSL support with exim?
> 
> I checked the sources and it seems that Exim doesn't support encrypted
> connections with MySQL servers. But we should provide it.

This could help us:

https://mariadb.com/kb/en/mysql_optionsv/

But currently we do not use it and I'm not sure about backward
compatibility.

-- 
Heiko




Re: [exim] Exim MariaDB and SSL

2022-11-01 Thread Heiko Schlittermann via Exim-users
Good Morning,
Brent Clark via Exim-users (Tue 01 Nov 2022 07:28:42 CET):
> I would like to run exim to use MariaDB's inherent TLS / SSL functions.
...
> I checked the exim docs under MySQL and didn't see any reference to SSL. Is
> it not possible to use MySQL's native SSL support with exim?

I checked the sources and it seems that Exim doesn't support encrypted
connections with MySQL servers. But we should provide it.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann


Re: [exim] licensing and SPDX

2022-10-31 Thread Heiko Schlittermann via Exim-users
Jeremy Harris via Exim-users (Sun 30 Oct 2022 13:22:25 CET):
> Does anyone have opinions on the licensing of Exim?

I have never thought about Exim's licensing. For me Exim is just Free and
Open Source, whatever this means in detail, but *personally* most
important: no restrictions are applied to Exim's use. (Which means, even
if you're a spammer or terrorist (from my limited point of view), you're
free to use Exim; I may hate you doing so, but I won't deny it.)

But, leaving this private thing aside…

> a) Do we care?  Should we label every text file in sight?
>Or not take any action?

I wouldn't care too much right now.

> b) Do existing licence conditions mentioned in specific file matter?
>For example: a few files are commented (my precis) "GPLv2 or later",
>some with "open source, do what you want".
>We could
>- not label such files
>- try to use a label matching the existing text
>- label with the project choice of licence

In theory I'd say the file's license overrides the one provided
globally. But from a practical point of view I wouldn't expect a user to
check every single file for the license. (But probably that's what SPDX
could then make a bit easier.)

> c) What license should we label with?
>- Given the dates above, I'm tempted to say that GPLv2-only
>  should be taken as the original intent.  But I don't know
>  how much freedom we have for change, nor what (if any)
>  might be preferred.

From a legal point of view (but IANAL by any means), we probably could
find an SPDX identifier matching the *current* license statement of each
individual file, to match the *current* intent.  This implies that
the *current* license is compatible with any previous one or is
confirmed by the holder of the previous license.


Changing *all* files might be doable, but I wouldn't feel comfortable
doing so, because it would require me to understand the licensing
details of every single file.

1) require *new* files to have the SPDX identifier
2) (in a 2nd step) require modified files to have that identifier

Both should be doable with hooks in our Git repo.

> d) What are the legal implications of doing this labelling?
>Specifically, when different files are differently (not)labelled?

Not sure at all.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann


Re: [exim] TLS session is required, but an attempt to start TLS failed

2022-10-18 Thread Heiko Schlittermann via Exim-users
Patrick Porteous via Exim-users (Tue 18 Oct 2022 14:58:49 CEST):
> I've recently started receiving the following message in my log files when
> sending to one host:
> 
> 2022-10-18 07:12:45 H=example.com [###.###.###.199]: a TLS session is
> required, but an attempt to start TLS failed
…
> 
> The error is causing email addressed to this host to hang in my queue and
> then fail to be delivered after the time out period.  My exim.config is
> setup with the following options enabled:
> 
> tls_advertise_hosts = *
> tls_certificate = /usr/local/ssl/apache-selfsigned.crt
> tls_privatekey = /usr/local/ssl/apache-selfsigned.key

This is for your Exim acting as a server, but I understand that you're
sending *to another* host, so it is irrelevant here.

> verify error:num=18:self signed certificate
… this can be an issue, depending on the TLS settings of your remote
transport.

Find the transport

  exim -bt 

and review the transport configuration (or share it with us).
Normally Exim should fall back to clear text communication if TLS isn't
possible, so I suspect you have some TLS-related transport settings.

-- 
Heiko




Re: [exim] Thread-Index header too long

2022-10-17 Thread Heiko Schlittermann via Exim-users
Heiko Schlittermann (Mon 17 Oct 2022 23:58:03 CEST):
> how do you deal with incoming messages having a Thread-Index header (another
> header indicates that the originating MUA was MS Outlook 16.0)
> with about 1200 chars?

To be more precise: The one I have is 1000 chars w/o the header field
name and w/o the line ending terminator. It then continues on the next
(indented) line, which is ok.

-- 
Heiko




[exim] Thread-Index header too long

2022-10-17 Thread Heiko Schlittermann via Exim-users
Hi,

how do you deal with incoming messages having a Thread-Index header (another
header indicates that the originating MUA was MS Outlook 16.0)
with about 1200 chars?

The regular Exim config doesn't forward this (and probably can't bounce
it, as a copy of the headers would make it into the bounce message,
which in turn has an oversized header then too.)

Yes, we could reject it in the DATA ACL already, but I'm not asking how
to block it.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann


Re: [exim] Hint for build farmers of "pony" (krot) and "boar" (univie)

2022-10-16 Thread Heiko Schlittermann via Exim-users
Jeremy Harris via Exim-users (Sun 16 Oct 2022 13:06:06 CEST):
> On 16/10/2022 11:06, Heiko Schlittermann via Exim-users wrote:
> Also animals marmot & groundhog
> - which I suspect means any Debian 9 platform.
Yes, those are mine :) and I'm in the process of updating them from Debian 9
via 10 to 11. So they should turn green in some minutes (I was out
this afternoon, so no progress in updating).

-- 
Heiko




Re: [exim] Hint for build farmers of "pony" (krot) and "boar" (univie)

2022-10-16 Thread Heiko Schlittermann via Exim-users
Kirill Miazine via Exim-users (Sun 16 Oct 2022 18:34:19 CEST):
> • Heiko Schlittermann via Exim-users [2022-10-16 12:06]:
> > Hi,
> > 
> > a recent change in dmarc.c makes your animals fail the DMARC
> > checks for tests using HEAD (default branch "master").
> 
> As for pony (FreeBSD): none of my animals have DMARC enabled, but both
> pony (FreeBSD) and mole (OpenBSD) are referencing *DANE* in errors.

Didn't I see there DMARC related build errors? Hm. If that was my fault,
just ignore "pony" and my mail :)

-- 
Heiko




Re: [exim] Backup/Restore Messages in the Input Queue

2022-10-16 Thread Heiko Schlittermann via Exim-users
Patrick Porteous via Exim-users (Sun 16 Oct 2022 12:24:27 CEST):
> Hello,
> 
> I am trying to troubleshoot a sending issue on my server.  I have a few
> hundred messages that are stuck in the /var/spool/exim/input queue.  Can I
> shutdown the exim server process and move those files to another location
> and then move them back if that doesn't resolve the issue?  Here are the
> exact steps I plan to follow:

Once there is no Exim process running anymore, it is safe to remove/move
the queued files (there are two files per message, -H, and -D). In a
perfect world you'll move/remove the msglogs too.

> 1. Shutdown Exim
> 2. Move all messages in /var/spool/exim/input to a backup location
> 3. Start Exim server
> 4. Send a few test messages to see if my sending issue is corrected
> 5. Shutdown Exim
> 6. Move the messages back into the /var/spool/exim/input folder a few
>at a time
> 7. Start Exim server
> 8. Manually force a queue run

Without deeper insight into how Exim works, this approach is safe. There
are some shortcuts possible, but this requires knowledge about the
inner workings (locked files, …).

If you want to operate on a more abstract level (as the spool
hierarchy should be considered a kind of black box to the average
operator), you can use Exim's named queues feature and move the messages
into an alternative queue using the Exim command line:

  exim -MG hold ID...

later you can inspect this queue:

  exim -qGhold -bp

and move the messages back

  exim -qGhold -MG '' ID…

> My goal is retain the queued messages and not force my users resend the
> messages that are hung in the queue presently.  My suspicion is that I have
> a malformed message in the queue that is causing the other messages to hang
> up.

The queue runners that process your queued messages should not fail
totally if there is one "bad" message, as they start at random messages
in your queue and should manage to empty the queue over time, just
leaving the bad message there.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


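As an added example (not code from the post or from Exim itself), a small Python helper that parses the mailq-style output of `exim -bp` into message IDs and builds the `exim -MG hold ID...` and `exim -qGhold -MG '' ID...` batches described above, so messages can be parked and brought back a few at a time. The sample listing is constructed, and the message-ID pattern is an assumption about Exim's ID format.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Exim message IDs look like 1oJx3b-0001A2-Lr. Assumption: the classic
# 6-6-2 base-62 form; newer Exim releases use longer middle/last groups,
# so those groups are allowed to be longer here.
MSGID_RE = re.compile(r"\b[0-9A-Za-z]{6}-[0-9A-Za-z]{6,11}-[0-9A-Za-z]{2,4}\b")


@dataclass
class QueuedMessage:
    msgid: str
    age: str            # time on queue as printed by exim, e.g. "25m"
    size: str           # e.g. "1.5K"
    sender: str         # envelope sender, "" for bounces (<>)
    frozen: bool
    recipients: list = field(default_factory=list)  # (address, delivered?)


def parse_queue_listing(listing: str) -> list:
    """Parse the mailq-style output of `exim -bp`.

    A message starts with a line '<age> <size> <id> <sender>' (optionally
    followed by '*** frozen ***'); the indented lines after it are the
    recipients, with a leading 'D' marking those already delivered.
    """
    messages = []
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MSGID_RE.search(line)
        head = line[:m.start()].split() if m else []
        if m and len(head) == 2:          # header line: exactly age + size before the ID
            age, size = head
            tail = line[m.end():]
            sender = re.search(r"<([^>]*)>", tail)
            current = QueuedMessage(m.group(0), age, size,
                                    sender.group(1) if sender else "",
                                    "*** frozen ***" in tail)
            messages.append(current)
        elif current is not None:         # recipient line of the current message
            delivered = line.startswith("D ")
            current.recipients.append((line[2:].strip() if delivered else line, delivered))
    return messages


def _batches(argv_prefix, msgids, batch_size):
    ids = list(msgids)
    return [argv_prefix + ids[i:i + batch_size] for i in range(0, len(ids), batch_size)]


def hold_commands(msgids, batch_size=20):
    """argv lists for `exim -MG hold ID...`: park the messages in the named queue 'hold'."""
    return _batches(["exim", "-MG", "hold"], msgids, batch_size)


def release_commands(msgids, batch_size=20):
    """argv lists for `exim -qGhold -MG '' ID...`: move them back to the default
    queue, a few at a time, as the original plan intended."""
    return _batches(["exim", "-qGhold", "-MG", ""], msgids, batch_size)


def live_listing(queue_name=None):
    """Read the current queue from a running Exim (`exim -bp`, or `exim -qG<name> -bp`)."""
    argv = ["exim"] + (["-qG" + queue_name] if queue_name else []) + ["-bp"]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def run(commands, dry_run=True):
    """Execute the argv lists, or just print them shell-style when dry_run is set."""
    for argv in commands:
        if dry_run:
            print(" ".join(a if a else "''" for a in argv))
        else:
            subprocess.run(argv, check=True)


# Constructed sample of `exim -bp` output (not captured from a real host).
SAMPLE_LISTING = """\
 25m  1.5K 1oJx3b-0001A2-Lr <alice@example.org>
          bob@example.net
        D carol@example.net

  3h   45K 1oJx4c-0001B7-Qs <> *** frozen ***
          postmaster@example.org
"""

if __name__ == "__main__":
    queued = parse_queue_listing(SAMPLE_LISTING)
    ids = [q.msgid for q in queued]          # the frozen flag is available to filter on
    run(hold_commands(ids, batch_size=5))    # dry run: only prints the commands
    run(release_commands(ids, batch_size=5))
```

Replace `SAMPLE_LISTING` with `live_listing()` and call `run(..., dry_run=False)` to act on a real queue.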


[exim] Hint for build farmers of "pony" (krot) and "boar" (univie)

2022-10-16 Thread Heiko Schlittermann via Exim-users
Hi,

a recent change in dmarc.c makes your animals fail the DMARC
checks for tests using HEAD (default branch "master").

If you link against the 1.3.x libopendmarc, you need an additional
Local/Makefile option "DMARC_API=100300" (see the "src/EDITME" file).

This should enable the "legacy" function call. The default is now to use
the 1.4.x API. Unfortunately the OpenDMARC project doesn't provide a
suitable macro/definition for easy autodetection.

References:
- Exim Bug 2728: https://bugs.exim.org/show_bug.cgi?id=2728
- OpenDMARC Issue 167: https://github.com/trusteddomainproject/OpenDMARC/issues/167

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] How to make proxy support work in exim

2022-10-12 Thread Heiko Schlittermann via Exim-users
Hi,

Andrey via Exim-users  (So 09 Okt 2022 17:39:39 CEST):
> Nginx and Exim on the same host, Nginx runs as a smtp proxy for exim.
> Nginx v1.22.0 config fragment:

Despite the fact that I do not need to understand why you want to have
the proxy on the same host (probably for debugging/development purposes?),
your config looks quite plausible. But I never used nginx as a proxy. I
used haproxy.

> ```
> (Exim v4.96, compiled with SUPPORT_PROXY). Exim config:
> 
> ```
> hostlist hosts_proxy = <; 127.0.0.1; 192.46.111.11
> ```

There is no sense in defining a host list w/o using it.
Defining a hostlist as above just creates a list of host items, named
"hosts_proxy".

This doesn't imply any use of the list.

However, there is a main config option "hosts_proxy", which accepts a
host list - that is, a list of host items, or a list that was defined as
a host list previously:

Given your config from above

 # referring to the hostlist "hosts_proxy" defined above
 hosts_proxy = +hosts_proxy

or
 hosts_proxy = <; 127.0.0.1; 192.168.111.11

should work.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Suggestion for Antivirus to use with Exim

2022-09-27 Thread Heiko Schlittermann via Exim-users
Luca Bertoncello via Exim-users  (Di 27 Sep 2022 14:19:01 CEST):
> Currently, at office, we use Kaspersky, Avast and ClamAV as Antivirus
> programs.
> All these programs will be used within Exim, to check all inbound and
> outbound E-Mails.
> Now, we know, Kaspersky/Russia/problem/etc...
> So, we must search an alternative to Kaspersky.

I do not see any relation between the items above. But that is another
topic.

VirusTotal provides an API; it should require only a little effort to
integrate this with Exim. (I'm not sure about the implications for privacy.)

> Now the question to you: can someone suggest me one (or more!) product to
> use in enteprise context to protect our E-Mails?
> Very important: the scan _must_ be done within Exim to allow us to reject
> infected E-Mails.

"Within" Exim, almost everything you can control via a simple
command line should work. Plus some scanners that have a client built into Exim.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] TLS "certificate expired" warnings on inbound connections

2022-05-31 Thread Heiko Schlittermann via Exim-users
Hi Tim,

Tim Jackson via Exim-users  (Di 31 Mai 2022 20:33:19 CEST):
> 
> TLS error on connection from r209.notifications.natwest.com
> [130.248.154.209]:44104 I=[167.235.252.255]:25 (SSL_accept):
> error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

Is there any chance that the client tries to present you a certificate,
even if you do not request it?

I'm a bit surprised that Exim drops the connection (doesn't it?) seeing
the expired certificate, but this isn't very unlikely. I'd suggest a packet
capture to check the certificates from both sides.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] [oss-security] Exim CVE-2019-16928 RCE using a heap-based buffer overflow

2022-05-17 Thread Heiko Schlittermann via Exim-users
Hi folks,

this message

Heiko Schlittermann via Exim-users  (Mo 16 Mai 2022 18:21:30 CEST):
>Hello there,
>After you've rev-iewed all these documents, we can -easily talk abou-t
>the following steps:
…
>2019-09-28 Release 4.92.3, Release-Announcements to
>exim-{announce,users,maintainers}, oss-security
> -- 
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

wasn't sent by me. If I'm not mistaken, then there was nothing wrong
with the message (From: doesn't use *my* domain, Sender didn't use *my*
domain, they just abused my display name (not even sure about this,
nobody can tell if there isn't a duplicate of my natural name ;).)

Unfortunately mailman cuts away the addresses (to allow passing DMARC
checks on your end).

Authentication-Results: exim.org;
iprev=pass (srv16-61.benzahosting.cl) smtp.remote-ip=131.72.236.61;
spf=pass smtp.mailfrom=segurytech.cl;
dkim=pass header.d=segurytech.cl header.s=default 
header.a=rsa-sha256;
dmarc=none header.from=segurytech.cl; arc=none
Received: from srv16-61.benzahosting.cl ([131.72.236.61]:56041)
by hummus.exim.org with esmtps  (TLS1.3) tls TLS_AES_256_GCM_SHA384
(Exim 4.94.2-31-g503e55a2c) (envelope-from )
id 1nqdUG-0005f4-3N
for exim-users@exim.org; Mon, 16 May 2022 16:22:26 +
Received: from [204.138.26.219] (port=36586 helo=srv16.benzahosting.cl)
by srv16.benzahosting.cl with esmtpsa  (TLS1.3) tls 
TLS_AES_128_GCM_SHA256
(Exim 4.95) (envelope-from )
id 1nqdTV-00EfP2-6f for exim-users@exim.org;
Mon, 16 May 2022 12:21:36 -0400
Date: Mon, 16 May 2022 08:21:30 -0800
X-Priority: 3 (Normal)
To: exim-users@exim.org
Message-ID: <5quvqrbobunhvyiplqb5x6nms4oxf...@segurytech.cl>

So Exim on Hummus didn't have any chance to detect the fake.
We need to re-think which of our mailing lists will be closed.

BTW, messages from me are GPG signed. Always. And if not, then please do
not trust the message.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] [oss-security] Exim CVE-2019-16928 RCE using a heap-based buffer overflow

2022-05-16 Thread Heiko Schlittermann via Exim-users
   Hello there,
   After you've rev-iewed all these documents, we can -easily talk abou-t
   the following steps:
   https://gachthefree.ga/loci/eiantmev199333608

   https://onedrive.live.com/download?cid=U4CQ9MH4G9SZ79GE=U4CQ9MH4G
   9SZ79GE%27854=4okpM9ufCr8w-sV
   ** Exim 4.92.3 released (security release) ** CVE ID: CVE-2019-16928
   Date: 2019-09-27 (CVE assigned) Version(s): from 4.92 up to and
   including 4.92.2 Reporter: QAX-A-TEAM Reference:
   bugs.exim.org/show_bug.cgi?id=2449 Issue: Heap-based buffer overflow in
   string_vformat, remote code execution seems to be possible Conditions
   to be vulnerable === All versions from (and
   including) 4.92 up to (and including) 4.92.2 are vulnerable. Details
   === There is a heap-based buffer overflow in string_vformat
   (string.c). The currently known exploit uses a extraordinary long EHLO
   string to crash the Exim process that is receiving the message. While
   at this mode of operation Exim already dropped its privileges, other
   paths to reach the vulnerable code may exist. Mitigation ==
   There is - beside updating the server - no known mitigation. Fix ===
   Download and build the fixed version 4.92.3 Tarballs:
   ftp.exim.org/pub/exim/exim4/ Git: github.com/Exim/exim.git (mirror)
   git://git.exim.org/exim.git - tag exim-4.92.3 - branch
   exim-4.92.3+fixes The tagged commit is the officially released version.
   The +fixes branch isn't officially maintained, but contains the
   security fix *and* useful fixes. The tarballs, the Git tag, and the Git
   commits are signed with my GPG key (same as I used to sign this mail.)
   If you can't install the above versions, ask your package maintainer
   for a version containing the backported fix. On request and depending
   on our resources we will support you in backporting the fix. (Please
   note, the Exim project officially doesn't support versions prior the
   current stable version.) Timeline = - 2019-09-27 Report as Bug
   2499 - 2019-09-28 Announcement to exim-maintainers, oss-security -
   2019-09-28 Release 4.92.3, Release-Announcements to
   exim-{announce,users,maintainers}, oss-security


Re: [exim] Taint checking and exim 4.96rc0

2022-04-29 Thread Heiko Schlittermann via Exim-users
Andrew C Aitchison via Exim-users  (Fr 29 Apr 2022 18:16:45 CEST):
> To which Jeremy replied:
> > The trouble with that is that it means the coverage of tracking
> > tainted data use can never be extended.
> > 
> > The commit for that removal is fairly extensive:
> - see https://lists.exim.org/lurker/message/20220427.174941.443df2eb.en.html
> for the 27 reverts and 35 files changed.
> 
> Given that taint checking appeared in Exim 4.93 and
> allow_insecure_tainted_data in Exim 4.95,
> this (Exim 4.96) would be the first time that allow_insecure_tainted_data
> would actually be helpful.
> 
> Is it just me, or are others worried about the new taint checking
> having unexpected consequences and no way to disable it for debugging ?

The "allow_insecure_tainted_data" was introduced to ease the migration
from 4.94 to 4.95, giving you/us a timeframe to upgrade existing
configurations to be taintproof.

Before upgrading to 4.96 you should have a taintproof (secure)
configuration. The deprecation of "allow_insecure_tainted_data" was
announced with the advent of this option already.

Which point did I miss? Do we have *new* taint checks that break
configurations that were considered secure with 4.95?

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Controlling SA-exim logging

2022-03-03 Thread Heiko Schlittermann via Exim-users
Ken via Exim-users  (Do 03 Mär 2022 23:20:35 CET):
> I use exim4 and spamassassin (sa-exim) on Debian 10.

Sure that sa-exim is still supported?
That's the ancient content scanner interface, outside of the ACL
processing, isn't it?

> About a dozen Google searches have failed to locate information on how to 
> control the logging level of Spamassassin in that configuration.  Maybe I'm 
> having a bad search-fu day, but can anyone here point me to appropriate 
> documentation?

Anyway, the log level of SA should be configured in its configuration,
not in Exim.

The current interface to spamassassin is using the ACL and the `spam`
condition. Then none of SA's logs appear in Exim's mainlog, but only
what you decide to log.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] converting from debian package to source

2022-01-08 Thread Heiko Schlittermann via Exim-users
Hi Julian,

Julian Bradfield via Exim-users  (Sa 08 Jan 2022 15:07:01 CET):
> My mail servers run, and have run for decades, on Debian, and I've
> always used the Debian package for exim4, though I don't use debconf
> for my own additions, but just edit the conf.template file as if it
> were a .conf file.

For several reasons I was unhappy with the Exim packages Debian ships.
So I started my own attempts to package Exim as close as possible to the
original Exim and as close as possible to what a seasoned Debian
admin would expect.

https://gitea.schlittermann.de/heiko/exim4-exim.org/src/branch/debian/bullseye

But beware, it is in a "works-for-me" status. I use the built packages
on several hosts of my own and my customers' infrastructure.

> I wonder if anybody on this list has done such a conversion recently,
> and would have time to share the chief gotchas they encountered.

Currently the worst thing is the libopendmarc issue (Debian ships a
version which is not compatible with the latest Exim versions. So I put
the version Exim needs as a patch into the package and it gets installed 
in and linked from /usr/lib/exim4/libopendmarc or so.)

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Unix user / and group(s) of the process doing the SMTP delivery to a remote MTA?

2022-01-07 Thread Heiko Schlittermann via Exim-users
Michael Naef via Exim-users  (Fr 07 Jan 2022 17:23:38 CET):
> Hi everyone
> 
> I'm testing to offer a TLS client Cert when Exim acts as an SMTP client to a 
> remote MTA.

When Exim runs as an SMTP client, it should perform the actual delivery
as the Exim runtime user/group.

Try running

exim -bP exim_user exim_group

to check the actual values.

-- 
Heiko




Re: [exim] Running our own email server on GCP

2021-12-28 Thread Heiko Schlittermann via Exim-users
Terrance Devor via Exim-users  (Di 28 Dez 2021 00:28:37 CET):
> I have read that google blocks port 25 and 465. We absolutely need to run
> our email own email servers on GCP using our Kubernetes cluster. Did anyone
> succeed in this?

Your message is a bit vague.

- blocks ingress or egress?
- mailserver for ingress (MX) or egress?
- read - where? Any reference?

Best regards from Dresden/Germany
Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Redirection for dmarc reports

2021-12-17 Thread Heiko Schlittermann via Exim-users
Hi,

Mauricio Lopez via Exim-users  (Do 16 Dez 2021 16:31:19 CET):
> 
> All dm...@everydomainhosted.com messages should be redirected to
> dm...@mydomain.com
> 
> This would be some kind of pseudo code:
> 
> forward:
> driver = redirect
> domains = +local_domains
> local_parts = "dmarc"
> data = dm...@mydomain.com
> 
> I really appreciate your help with this

Not sure what kind of help you're seeking. The above config snippet
looks ok, but it depends where you put it. It is a router configuration,
and for routers the order matters.

(And I'd omit the quotes ("), they're not necessary here.)

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de -------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Certificate name mismatch over VPN

2021-12-14 Thread Heiko Schlittermann via Exim-users
Probably way too late :)

Alain D D Williams via Exim-users  (Fr 30 Jul 2021 23:40:24 CEST):
…
> I do not think that I can do that here. The certificate is given to me by 
> Let's
> Encrypt (le). Le verifies the (SNI) name by asking the agent to upload a nonce
> (a file with 86 random bytes) to where it can see it via a web server.
> 
> Unfortunately mint-vpn.phcomp.co.uk should only be visible via the VPN so LE
> will not verify it and so not generate & sign a certificate that contains it.
> 
> I suppose that I could hack Apache to allow an exception to
> /.well-known/acme-challenge/ from externally.

IMHO more elegant is to use LE's DNS challenge. The only precondition
is that you need to own the DNS entry you want to have the certificate
for. (Actually you need write access to the `_acme-challenge.` DNS entry
only once, if you drop a CNAME there pointing to a writable DNS entry.)

Best regards from Dresden/Germany
    Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Catch friendly Name from $h_from

2021-12-08 Thread Heiko Schlittermann via Exim-users
Hi,

keep in mind that From: may contain multiple addresses.
(But, actually, DMARC restricts it to have only one address.)


Mueller via Exim-users  (Mi 08 Dez 2021 07:45:10 CET):
> I try to catch the friendly name from within $h_from (ex h_from:
> "Tester").
> I have set it in acl_check_data with no success:
…
>condition = ${if match{$h_from:}{"tester.*<"}}
…
> What do I miss?

"match" is case sensitive.

exim -bem /tmp/eml '${if match{$h_from:}{tester.*<}}'

vs.

exim -bem /tmp/eml '${if match{$h_from:}{(?i)tester.*<}}'

(with a given /tmp/eml containing nothing more than
From: Tester 
)

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de -------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Catch friendly Name from $h_from

2021-12-08 Thread Heiko Schlittermann via Exim-users
Heiko Schlittermann  (Mi 08 Dez 2021 09:20:11 CET):
> 
> exim -bem /tmp/eml '${if match{$h_from:}{(?i)tester.*<}}'

I'd better try to remove the working part of the address from the
header and then match the remaining part.
-- 
Heiko


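An added example, not code from either reply in this thread nor from Exim: a Python check that does what the follow-up suggests, splitting the address part out of From: and matching only the remaining display name, next to a reproduction of the case-sensitivity point from the first reply. The same display-name parsing is then used for the problem described in the CVE-2019-16928 spoofed-mail thread further up, where SPF and DKIM passed and dmarc=none because only the display name was forged. The `KNOWN_SENDERS` table, the sample From: address and the sample Authentication-Results header are constructed (the domain and results mirror the headers quoted in that thread).

```python
import re
from email.utils import getaddresses

# Constructed: display names the list's readers know, and the domains those
# people actually send from (assumption, not a real allow-list).
KNOWN_SENDERS = {
    "heiko schlittermann": {"schlittermann.de"},
}


def from_parts(header_value):
    """(display_name, address) pairs from a From: header value.
    From: may carry several addresses; DMARC-aligned mail has exactly one."""
    return [(name, addr) for name, addr in getaddresses([header_value])]


def exim_style_match(header_value, pattern):
    """Same semantics as Exim's ${if match{$h_from:}{pattern}}: a regex run
    over the whole header value, case-sensitive unless the pattern says (?i)."""
    return re.search(pattern, header_value) is not None


def display_name_matches(header_value, pattern):
    """The follow-up suggestion: drop the address part first, then match the
    remaining display name (case-insensitively here)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.search(name) for name, _ in from_parts(header_value))


def parse_authentication_results(value):
    """Parse an Authentication-Results: header (RFC 8601) into
    {'authserv-id': ..., '<method>': {'result': ..., '<ptype.property>': ...}}."""
    flat = value.replace("\r", " ").replace("\n", " ")
    parts = [p.strip() for p in flat.split(";") if p.strip()]
    parsed = {"authserv-id": parts[0].split()[0]}
    for part in parts[1:]:
        part = re.sub(r"\([^)]*\)", " ", part)      # drop CFWS comments like (hostname)
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {"result": result}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key] = val
        parsed[method] = props
    return parsed


def display_name_spoof(from_header, auth_results, known=KNOWN_SENDERS):
    """Findings for a From: whose display name belongs to a known person but
    whose address domain is not theirs. Such mail can pass SPF and DKIM for the
    foreign domain with dmarc=none, so the list server itself sees nothing wrong."""
    ar = parse_authentication_results(auth_results)
    findings = []
    for name, addr in from_parts(from_header):
        key = re.sub(r"\s+", " ", name).strip().lower()
        domain = addr.rpartition("@")[2].lower()
        if key in known and domain not in known[key]:
            findings.append({
                "display_name": name,
                "address": addr,
                "spf": ar.get("spf", {}).get("result"),
                "dkim": ar.get("dkim", {}).get("result"),
                "dmarc": ar.get("dmarc", {}).get("result"),
            })
    return findings


# Constructed samples. The address local part is invented; the domain and the
# authentication results mirror the headers quoted in the spoofed-mail thread.
SAMPLE_FROM = '"Heiko Schlittermann" <sender@segurytech.cl>'
SAMPLE_AUTH_RESULTS = """exim.org;
 iprev=pass (srv16-61.benzahosting.cl) smtp.remote-ip=131.72.236.61;
 spf=pass smtp.mailfrom=segurytech.cl;
 dkim=pass header.d=segurytech.cl header.s=default header.a=rsa-sha256;
 dmarc=none header.from=segurytech.cl; arc=none"""
SAMPLE_TESTER = "Tester <someone@example.com>"   # the /tmp/eml case from the first reply

if __name__ == "__main__":
    print(exim_style_match(SAMPLE_TESTER, "tester.*<"))       # False: case-sensitive
    print(exim_style_match(SAMPLE_TESTER, "(?i)tester.*<"))   # True
    print(display_name_matches(SAMPLE_TESTER, "^tester$"))    # True
    for finding in display_name_spoof(SAMPLE_FROM, SAMPLE_AUTH_RESULTS):
        print("display-name impersonation:", finding)
```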


Re: [exim] Exim always expands sender_rcvhost to unverified IP

2021-11-17 Thread Heiko Schlittermann via Exim-users
Heiko Schlittermann via Exim-users  (Mi 17 Nov 2021 13:17:33 CET):
> Typo? What do you mean with "sender_rcvhost"?
Mea culpa. You're talking about the variable to be expanded inside the
Received header.

But given this, I still can't see any issue with the logs you provided.

-- 
Heiko




Re: [exim] Exim always expands sender_rcvhost to unverified IP

2021-11-17 Thread Heiko Schlittermann via Exim-users
Matt Corallo via Exim-users  (Di 16 Nov 2021 17:47:22 CET):
> Like the title says, for some reason exim 4.94.2-7 (Debian stable) is
> refusing to ever expand sender_rcvhost to a verified hostname. The below

Typo? What do you mean with "sender_rcvhost"?

> shows a simple email inbound from github, as well as the relevant DNS
> traffic from exim to the DNS server (with spamd stopped to ensure we're not
> confusing spamd queries with exim queries).
> 
> Possibly-relevant config entries are:
> 
> dkim_verify_signers = :
> host_lookup = *
> dns_dnssec_ok = 1
> slow_lookup_log = 250
> 
> "options trust-ad" is set in resolv.conf.
> 
> Exim log:
> 
> Nov 16 16:36:55 mail exim[789201]: 2021-11-16 16:36:55 1mn1S3-003JJ3-Bt
> H=out-25.smtp.github.com (smtp.github.com) [192.30.252.208] Warning: ACL
> "warn" statement skipped: condition test deferred
> Nov 16 16:36:55 mail exim[789201]: 2021-11-16 16:36:55 1mn1S3-003JJ3-Bt <=
> nore...@github.com H=out-25.smtp.github.com (smtp.github.com)
> [192.30.252.208] P=esmtps

Here Exim was able to resolve the client IP to a hostname, as indicated
by H=.

> X=TLS1.2:ECDHE_X25519__ECDSA_SHA512__AES_256_GCM:256 CV=no S=6196
> DKIM=github.com id=bitcoin/bitcoin/pull/23496/review/807558...@github.com
> Nov 16 16:36:55 mail exim[789202]: 2021-11-16 16:36:55 1mn1S3-003JJ3-Bt =>
> btccore  F=
> R=maildrop_router T=maildrop_pipe
> Nov 16 16:36:55 mail exim[789202]: 2021-11-16 16:36:55 1mn1S3-003JJ3-Bt 
> Completed

All that looks totally fine, so probably I'm missing your point.
If it is the "warn" you're complaining about, then please provide that
part of the ACL.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Exim4 delay at boot

2021-11-14 Thread Heiko Schlittermann via Exim-users
JHM via Exim-users  (So 14 Nov 2021 11:43:17 CET):
> Hello:
> 
> [code]
> IPv6 socket creation failed: Address family not supported by protocol
> [/code]

IMHO that's not the reason for a 30s delay.

> Without any editing of the exim4.conf.template file, I invariably got that 
> paniclog message:
> (yes, I am now aware that this file is a matter for Debian packagers to solve)
> 
> Adding the line disable_ipv6 = true to the the 'Main' section of the 
> exim4.conf.template file
> immediately solved the problem I was having.
> 
> ie: no 30s delay and no panic log message.

Yes, this (again IMHO) disables queries for AAAA records. But, repeating
myself, I suppose that a correctly working resolver should respond to
such queries immediately, no matter if you have IPv6 enabled or not.

And Exim, in case it got an IPv6 address for a host to connect to, should
get an immediate "connection refused" or similar error from your host's
OS and then retry the other addresses (IPv4 being among them) without
any delay.

Please provide logs, strace output or tcpdump PCAP files captured during
the startup phase of Exim.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Exim4 delay at boot

2021-11-13 Thread Heiko Schlittermann via Exim-users
JHM via Exim-users  (Fr 12 Nov 2021 22:14:12 CET):
> [code]
> disable_ipv6 = true
> [/code]

Shooting into the dark as well. If IPv6 is enabled, Exim tries to
resolve names as A and as AAAA records, independent of your system's IPv6
setup.

The gethostinfo(3) depends on your system's setup and doesn't even
attempt AAAA lookups if there is no chance to use the information, but
in parts of the code Exim doesn't rely on the gethostinfo(3) call, but
talks directly to the resolver (found in /etc/resolv.conf).

So, if your resolver behaves strangely (imposing a 30s delay by e.g. not
responding to AAAA queries), the root cause of the delay is outside of Exim,
while disable_ipv6 = true is a good mitigation.

-- 
Heiko




Re: [exim] Exim4 delay at boot

2021-11-10 Thread Heiko Schlittermann via Exim-users
Hi

JHM via Exim-users  (Mo 08 Nov 2021 14:20:44 CET):
> My box runs Devuan Beowulf and within it runs a (VBox) Devuan ascii virtual 
> machine set up
> to start up automatically when I boot.
> 
> It is not kept on 24/07 but is booted up a few times every 24 hours.
> 
> The Devuan ascii virtual machine runs PI-Hole as a recursive DNS server.
> It is all working as it should but there's a 'snag in the weave' so to speak:
> 
> When booting, I'm getting a (not too) short delay at "Starting MTA:"  which 
> is when (as I
> understand it) Exim4 does a reverse DNS check.

IMHO Exim doesn't do (reverse) DNS-checks per se. So it depends on your
configuration, whether Exim tries to resolve anything at startup
already.

> The problem is that my DNS (unbound) runs on the Devuan ascii virtual machine 
> which I set
> up to start up automatically at boot but it is not yet up and running when 
> Exim4 does the
> reverse DNS check.

Maybe you can ask your "exim box" to use another resolver and then try to
capture the DNS traffic, to get an idea about the queries that are sent.

Or, simpler, switch on logging on your resolver and check the queries it
receives, if it is Exim, it should either be visible in the resolver
logs, or Exim will write a short notice to its panic- or mainlog.

-- 
Heiko




Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Heiko Schlittermann via Exim-users
Adam D. Barratt via Exim-users  (Sa 16 Okt 2021 17:43:57 CEST):
> > 
> > This hh.schlittermann.de runs the latest Exim, and probably sends you
> > an SNI your server for some reason doesn't accept?
> 
> FWIW, I've also seen two of these, at 23:53:41UTC yesterday and
> 11:08:41UTC today. The server in question is running Debian's 4.92-
> 8+deb10u6 exim4-daemon-heavy package and has "tls_sni" set in the log
> selector.
> 
> The log entries for the second failed connection are:
> 
> 2021-10-16 11:08:40 SMTP connection from [213.128.132.49] (TCP/IP connection 
> count = 1)
> 2021-10-16 11:08:41 TLS error on connection from hh.schlittermann.de 
> [213.128.132.49] (gnutls_handshake): A disallowed SNI server name has been 
> received.
> 2021-10-16 11:08:41 SMTP connection from hh.schlittermann.de [213.128.132.49] 
> closed by EOF
> 2021-10-16 11:08:41 no MAIL in SMTP connection from hh.schlittermann.de 
> [213.128.132.49] D=0s C=EHLO,STARTTLS
> 
> The same server has received 21 successful connections from
> hh.schlittermann.de in the past couple of days.

Interesting. Can you tell *what* SNI the server hh sent?
That's what the hh server uses as the transport:

remote_smtp:
  driver = smtp
  tls_sni = $host
  dnssec_request_domains = *
  hosts_try_dane = *
  hosts_require_dane = +require_dane
  hosts_try_fastopen =

So, it sends you *your* hostname as an SNI.

-- 
Heiko




Re: [exim] exim.org still incorrectly configured

2021-10-16 Thread Heiko Schlittermann via Exim-users
Slavko via Exim-users  (Sa 16 Okt 2021 11:14:45 CEST):
> I am not sure if it is related to migration, but recently i start to see
> something as this in my exim log:
> 
> TLS error on connection from hh.schlittermann.de [213.128.132.49]
> (gnutls_handshake): A disallowed SNI server name has been received.
> 
> The recent one was today at 2021-10-16 01:51:16.

While it is related to the migration, it seems to be a side effect of
mitigating (hotmail/live/outlook)'s blacklist for the IP the "new exim
site" is using now. We're sending the mails via a server that has better
reputation at MS.

This hh.schlittermann.de runs the latest Exim, and probably sends you an
SNI your server for some reason doesn't accept?

-- 
Heiko




[exim] messages from this list to outlook.com and hotmail.com users

2021-10-15 Thread Heiko Schlittermann via Exim-users
Hi *@{outlook,hotmail}.com,

unfortunately the IP our new infrastructure server is sending the list
mails from seems to be on an MS blacklist.

Some (if not all) of our subscribers using hotmail.com or outlook.com
addresses were unsubscribed automatically, as the messages bounced.

While Graeme F is in contact with MS and the hoster of the
infrastructure server, we try to bypass this limitation by using another
visible sending IP.

I re-subscribed the addresses that we unsubscribed due to excessive
bounces.

Please give us a short notice if there is some indication that the issue
persists (which is hard to detect if you're affected) or if the issue
seems to be solved.

Thank you.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Heiko Schlittermann via Exim-users

Randy Bush  (Thu 14 Oct 2021 21:02:56 CEST):
> readdressing the key server use fixed it
> 
> server 37.221.193.62 { keys {
>   hummus-exim-rip.psg.com;
>   }; };
> server 2a03:4000:8:637::2 { keys {
>   hummus-exim-rip.psg.com;
>   }; };
> 
> my bad.  i missed any memo about the move and was hacking.

Ok. I believe my co-worker, who did the move, tried to contact you
or another responsible person, but I'm not sure if he succeeded. Anyway, it
is solved now and we are happy again :)

Thank you for serving as a secondary.
-- 
Heiko




Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Heiko Schlittermann via Exim-users
Randy Bush  (Thu 14 Oct 2021 20:49:37 CEST):
> rip.psg.com:/root# dig +norec @37.221.193.62 exim.org. axfr

According to the name server configuration you need a TSIG key to
initiate the AXFR.

dig -k … 
or
dig -y …

-- 
Heiko




Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Heiko Schlittermann via Exim-users
Don't you want to try AXFR instead of AXF?
-- 
Heiko Schlittermann (on the road)


Re: [exim] exim.org still incorrectly configured

2021-10-14 Thread Heiko Schlittermann via Exim-users
I'll check if we can see what the issue is.
-- 
Heiko Schlittermann (on the road)


Re: [exim] Relayed Message: problems sending to list

2021-10-13 Thread Heiko Schlittermann via Exim-users
Laura Williamson via Exim-users  (Wed 13 Oct 2021 12:31:36 CEST):
> just got this back
> 
> The response was:
> The certificate is not valid according to the STS policy

What about caching? The relevant files look good to me, and at least
one MTA-STS validator is happy with exim.org:

https://esmtp.email/tools/mta-sts/

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] Relayed Message: problems sending to list

2021-10-13 Thread Heiko Schlittermann via Exim-users
Andreas Metzler via Exim-users  (Tue 12 Oct 2021 18:24:02 CEST):
> Hello Heiko,
> 
> thank you, afaict MTA-STS is fine now. Could you also fix the TLS
> certificate?  The MX record points to hummus.exim.org but the
> certificate is only for mx.exim.org without SAN for hummus.

We generated a cert for hummus.exim.org now, please re-check.

-- 
Heiko




Re: [exim] Relayed Message: problems sending to list

2021-10-12 Thread Heiko Schlittermann via Exim-users
> I'm working on it, it may be caused by the migration of the Exim main
> site to another (physical and network) location.
The relevant files are updated now, please retry. (I suppose there is a
cache time, so you may need to force reloading your copy of the mta-sts
policy file(s)).

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] Relayed Message: problems sending to list

2021-10-12 Thread Heiko Schlittermann via Exim-users
Cyborg via Exim-users  (Tue 12 Oct 2021 11:07:12 CEST):
> This is a forward from:
> Laura Williamson 
> 
> Delivery incomplete
> 
> There was a temporary problem while delivering your message to
> *exim-users@exim.org*. Gmail will retry for 47 more hours. You'll be
> notified if the delivery fails permanently. The response was:
> 
> *The MX host does not match any MX allowed by the STS policy. *
> I cannot write to the mailing list for the above reason, tried twice :-)

I'm working on it, it may be caused by the migration of the Exim main
site to another (physical and network) location.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
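
Added example (Python, not code from the list or the Exim project): a checker that reproduces the two MTA-STS failures quoted in this thread. It parses a policy file, tests an MX hostname against the policy's mx: patterns (a leading "*." matches exactly one label, per RFC 8461), and then tests the same hostname against the certificate's subject alternative names, which is the hummus.exim.org versus mx.exim.org mismatch discussed above. The policy text, hostnames and SAN lists are constructed; extracting the SANs from a real certificate (for instance via ssl.getpeercert() or openssl x509 -noout -ext subjectAltName) is left to the caller.

```python
"""Check an MX host against an MTA-STS policy and a certificate's SAN list."""

# Constructed policy in the RFC 8461 "key: value" format.
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: hummus.example.org
mx: *.backup.example.org
max_age: 604800
"""

# Constructed certificate names: the first set is the situation from the
# thread (cert only for mx., MX points to hummus.), the second one fixes it.
SANS_BEFORE = ["mx.example.org"]
SANS_AFTER = ["mx.example.org", "hummus.example.org", "*.backup.example.org"]

MX_FAIL = "The MX host does not match any MX allowed by the STS policy."
CERT_FAIL = "The certificate is not valid according to the STS policy"


def parse_policy(text):
    """Parse an RFC 8461 policy body into a dict; the mx field may repeat and
    is collected into a list. Raises ValueError on a malformed policy, which
    a sender treats as "no usable policy"."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    for key in ("version", "mode", "max_age"):
        if key not in policy:
            raise ValueError(f"policy lacks required field {key!r}")
    if policy["version"] != "STSv1":
        raise ValueError(f"unsupported version {policy['version']!r}")
    if policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode {policy['mode']!r}")
    if not policy["max_age"].isdigit():
        raise ValueError("max_age must be a non-negative integer")
    return policy


def host_matches(pattern, host):
    """Match a hostname against a policy mx: entry or a certificate SAN.
    A leading "*." stands for exactly one label, so "*.example.org" covers
    "a.example.org" but neither "example.org" nor "a.b.example.org"."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.org"
        if not host.endswith(suffix):
            return False
        prefix = host[: -len(suffix)]
        return bool(prefix) and "." not in prefix
    return pattern == host


def check_mx(policy, mx_host, cert_sans):
    """Return (ok, reason). With mode "testing" the caller should only report
    a failure (TLSRPT); with "enforce" it must not deliver to this host."""
    if policy["mode"] == "none":
        return True, "policy mode none: nothing to enforce"
    if not any(host_matches(p, mx_host) for p in policy["mx"]):
        return False, MX_FAIL
    if not any(host_matches(san, mx_host) for san in cert_sans):
        return False, CERT_FAIL
    return True, "MX and certificate both match the policy"


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    for host, sans in [("hummus.example.org", SANS_BEFORE),
                       ("hummus.example.org", SANS_AFTER),
                       ("other.example.org", SANS_AFTER),
                       ("a.backup.example.org", SANS_AFTER),
                       ("a.b.backup.example.org", SANS_AFTER)]:
        print(host, check_mx(pol, host, sans))
```

The order of the two checks matters for diagnosis: the first message is what a sender reports when the MX record itself is not in the policy (the original bounce in this thread), the second when the MX is listed but its certificate does not name it.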


[exim] test test test

2021-10-06 Thread Heiko Schlittermann via Exim-users
This is a test message after moving the infrastructure to a new
location and new IP address.

Thank you for ignoring this message.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


[exim] Exim 4.95 released

2021-09-28 Thread Heiko Schlittermann via Exim-users
Dear Exim users and maintainers,

we're proud to announce the release of Exim 4.95.

New stuff we've added since 4.94:

- From previous experimental support:
  - fast-ramp queue run
  - native SRS
  - TLS resumption
  - LMDB lookups with single key
- New:
  - smtp transport option "message_linelength_limit"
  - optionally ignore lookup caches
  - quota checking for appendfile transport during message reception
  - sqlite lookups allow a "file=" option
  - lsearch lookups allow a "ret=full" option
  - command line option for the notifier socket
  - faster TLS startup
  - new main config option "proxy_protocol_timeout"
  - expand "smtp_accept_max_per_connection"
  - log selector "queue_size_exclusive"
  - main config option "smtp_backlog_monitor"
  - main config option "hosts_require_helo"
  - main config option "allow_insecure_tainted_data"
- Removed:
  - support for MacOS

All fixes from the 4.94.2+fixes branch (this includes the "21 nails" CVEs) are
included too.

If you upgrade from previous versions <4.94: the new taint checks are likely to
make your runtime configuration unusable. Read about the mitigation via the
"allow_insecure_tainted_data" first or make your configuration "taint check
proof".

If you upgrade from 4.94.2, nothing should break.

For those who used 4.95-RC2, a list of changes that were introduced since RC2:

* 780ea2a5c - OpenBSD: disable compiler-time param checking for string_sprintf() etc (8 days ago)
* 8b78698fa - Docs: fix closed-mailinglist example (8 days ago)
* 8f0d0a313 - DCC: fix loop expression (2 weeks ago)
* 48505c2b8 - TLS: build dependency for LibreSSL (2 weeks ago)
* 6c706bde1 - Docs: tidying (3 weeks ago)
* 889894461 - Fix validation of domain-literals in Message_ID: headers.  Bug 2805 (3 weeks ago)
* 8dcd5efb1 - Avoid using CLOCK_MONOTONIC for $received_time.  Bug 2615 (4 weeks ago)

Exim 4.95 is available

- as tarball:        https://ftp.exim.org/pub/exim/exim4
- directly via Git:  https://git.exim.org/exim.git
                     tag exim-4.95

The tarball checksums are signed using the same GPG key as I used to
sign this message (Key-ID: D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142),
as the tag and tagged commit are.

Thank you and all contributors for your support. Especially thanks to
Jeremy, as he does the vast majority of coding and support.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] Question regarding TLS SNI Certificates

2021-09-16 Thread Heiko Schlittermann via Exim-users
Sherin A via Exim-users  (Fri 17 Sep 2021 06:41:15 CEST):
> Hello,
> 
> So the only option is to use a perl function.

A simple ${run…} would probably do as well. But be careful: there may be
security implications, as the received SNI ($tls_in_sni) is not under
your control but under the control of a potential attacker.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] Question regarding TLS SNI Certificates

2021-09-16 Thread Heiko Schlittermann via Exim-users
Sherin A via Exim-users  (Thu 16 Sep 2021 14:54:39 CEST):
> Hello,
> 
> I am configuring exim with a number of domains to use SNI certificates. I
> have domains which use lets encrypt and commercial ssl certificates. The
> certificates and keys as follows,
> 
> For the domain foo.com with user foouser :
> 
>     Lets encrypt ssl certificate = /etc/letsencrypt/live/foo.com/fullchain.pem
>     Lets encrypt ssl key         = /etc/letsencrypt/live/foo.com/privkey.pem
>     Commercial ssl certificate   = /var/panel/userdata/foouser/ssl/foo.com-combined.pem
>     Commercial ssl key file      = /var/panel/userdata/foouser/ssl/foo.com-key.pem

First you can save some configuration lines if you store cert, bundle,
and key in one file per certname.

And for your question: yes, the * doesn't work, as "exists" doesn't do
globbing; it simply checks the existence of a path.

But, as I suppose you won't have colliding SNI names, why not create
a common directory to store all the cert(+bundle+key) files? Optionally
with a symlink forest to the physical location of the files?

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
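
Added example (Python, not from the thread or the Exim project) for the two replies above: a lookup that maps the client-supplied SNI to a certificate file in one common directory, as suggested, while treating the value as attacker-controlled. The name is validated against a conservative hostname grammar before it is used in a path, and the resulting path is checked to stay directly inside the directory; the same canonical name is what one would hand to a ${run…} helper as a single argument rather than through a shell. The directory contents are constructed placeholders, not real keys, and `make_demo_dir()` exists only so the example runs offline.

```python
"""Resolve a client-supplied TLS SNI to a certificate file in one directory,
treating the SNI as untrusted input."""
import os
import re
import tempfile

# Conservative hostname grammar: 1-63 character labels of [a-z0-9-], no label
# starting or ending with "-", whole name at most 253 characters. No IDN,
# no underscores, no "/" or whitespace: anything else is rejected outright.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def canonical_sni(sni):
    """Lowercase the SNI, drop a trailing dot, and return it only if it is a
    plain hostname; otherwise return None. The client chose this string, so
    the validation is an allow-list, not a blocklist of bad characters."""
    if not sni:
        return None
    name = sni.strip().rstrip(".").lower()
    return name if HOSTNAME.match(name) else None


def cert_path_for(sni, cert_dir, default="default"):
    """Map an SNI to <cert_dir>/<host>.pem, or the default certificate when
    the SNI is invalid or no file exists for it. After validation the name
    can contain neither "/" nor "..", so the path cannot leave cert_dir; the
    dirname check below is belt and braces. Symlinks inside cert_dir (the
    "symlink forest" from the reply) keep working because the link target
    is never inspected: whoever creates links there decides what is reachable."""
    base = os.path.realpath(cert_dir)
    fallback = os.path.join(base, default + ".pem")
    name = canonical_sni(sni)
    if name is None:
        return fallback
    candidate = os.path.join(base, name + ".pem")
    if os.path.dirname(candidate) != base:
        return fallback
    return candidate if os.path.isfile(candidate) else fallback


def make_demo_dir():
    """Create a throwaway directory with two placeholder files (constructed
    text, not real keys) so the example runs offline."""
    d = tempfile.mkdtemp(prefix="sni-certs-")
    for fname in ("foo.com.pem", "default.pem"):
        with open(os.path.join(d, fname), "w", encoding="ascii") as fh:
            fh.write(f"# placeholder for {fname}\n")
    return d


if __name__ == "__main__":
    d = make_demo_dir()
    for sni in ["FOO.COM.", "unknown.example", "../etc/passwd",
                "foo.com; rm -rf /", "", None]:
        print(repr(sni), "->", os.path.basename(cert_path_for(sni, d)))
```

Inside Exim the equivalent would be an expansion that derives the file name from $tls_in_sni only after the same kind of validation, falling back to the default certificate for anything that does not parse as a hostname.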


Re: [exim] exim can't handle 521 response from remote MX

2021-08-27 Thread Heiko Schlittermann via Exim-users
Hi,

krzf83--- via Exim-users  (Fri 27 Aug 2021 13:10:01 CEST):
> Large email provider in my country uses 521 response at their MX for
> some kind of delaying. They don't care that it's against rfc1846
> 
> rfc1846 says: "A host which sends a 521 greeting message MUST NOT be
> listed as an MX record for any domain"
> 
> # nc mx.poczta.onet.pl 25
> 220-mx.poczta.onet.pl ESMTP
> 521 5.7.1 Service unavailable; client [144.76.50.172] blocked using
> postscreenbl.opbl.onet.pl.local

From my PoV, they clearly state that they do not want connections from
your IP. Not now, and not later.

> Exim can't handle this and does not even log anything in that
> situation. Exim does not retry delivery and after 72 hours fails and
> returns message with

I believe Exim logs that.

> all hosts for 'onet.pl' have been failing for a long time (and
> retry time not reached)
> 
> How can I make exim to log those delivery attempts that end with 521
> response? How can I make exim retry deliveries that ended with 521
> response?

5xx means: permanent failure. Period. If their intention is something
else, it is up to them.

Maybe some of them are reading the mailops list. Try contacting them
there.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] build problems

2021-08-27 Thread Heiko Schlittermann via Exim-users
Chad Leigh via Exim-users  (Wed 25 Aug 2021 23:30:49 CEST):
> 
> Hi
> 
> (I normally am c...@shire.net but my smtp server is down at the moment and is 
> the reason for this post)
> 
> I screwed something up on my SmartOS (Solaris) based system that was running 
> exim4.  I updated some system libraries and my existing build was not finding 
> the stuff it was looking for.  I wanted to update to the latest anyway and I 
> use my own build due to some site specific stuff I build in.  I got the 
> latest 4.94.2 and am trying to do a “make” on it.
> 
> I am getting a bunch of basic errors that look like language errors…I 
> have tried with gcc49, gcc6, and gcc9
> 
> This is what I am seeing (and a lot more) and I am not sure what to do next.  
> I would expect that the default codebase should build with gcc.
> 
> 
> # make
> /bin/sh scripts/source_checks
> `Makefile' is up to date.
>  
> make[1]: Entering directory '/opt/build/exim-4.94.2/build-SunOS5-5.11-i386'
> gcc -DMACRO_PREDEF macro_predef.c
> In file included from exim.h:526:0,
>  from macro_predef.c:12:
> dbstuff.h:693:3: error: unknown type name 'BOOL'
>BOOL   expired; /* Retry time has expired */

After having a short glance, it seems the file src/mytypes.h has the
typedef for BOOL.

- Are you missing that file?
- Did you try a `make clean` first?
- Try not using parallelism in make (so: do NOT use -j…)
- Where did you get the source from? (tarball, git, …?)
- Can you try with pristine source and simply copy the src/EDITME to
  Local/Makefile, then iteratively set the required options (should be
  about 3…5) and retry?

-- 
Heiko




[exim] Exim 4.95-RC2 released

2021-08-24 Thread Heiko Schlittermann via Exim-users
Dear Exim users and maintainers,

thank you for the feedback we got since the recent release candidate.
Especially thanks to Wolfgang B (Uni Vienna) who reported the DKIM stuff
around b367453a0.

We expect this RC to be the last one before the final release.

Changes between RC1 and RC2:

* 6b69b7102 - Fix small typo (26 minutes ago)
* 87f15ee44 - Logging: specific error for tainted tag in debug filename (4 days ago)
* 8de97e5b7 - DKIM: Avoid spurious tls read timeout after signing failure (7 days ago)
* 4c51d3e7c - Fix name of option in error log line (12 days ago)
* 593107c7f - Docs: addition mention of lookup caching option (12 days ago)
* bb0b94392 - Docs: fix option crossref (12 days ago)
* b367453a0 - DKIM: fix verify under TLS & chunking, with pipelined next command (13 days ago)
* 15a44d749 - Testsuite: testcases for DKIM under TLS (13 days ago)
* 5078e5337 - Testsuite: testcase shuffling (13 days ago)
* 7712454eb - Drop support for MacOS (darwin) (13 days ago)
* dd9ac646f - Drop support for MacOS (darwin) (2 weeks ago)
* 9614a79a3 - Fix ClamAV command send (2 weeks ago)
* 60a4ceafe - Testsuite: add missing mask / ipv6 expansion (2 weeks ago)
* 730acb140 - Docs: add warning on use of envelope_to_add (2 weeks ago)
* 86d51a7b1 - Builtin macros for ACL conditions & modifiers (3 weeks ago)
* 0ac642d41 - Update comments in example config file to match current default for TLS (4 weeks ago)

The commit b367453a0 has been backported to 4.94.2+fixes, as the bug
actually exists there.

As usual we ask *you* to do as much testing as possible and provide us
feedback. This covers build issues with unusual libraries, runtime
issues in unusual environments and any other kind of things that should
be fixed.

Exim 4.95-RC2 is available

- as tarball:        https://ftp.exim.org/pub/exim/exim4/test
- directly from Git: https://git.exim.org
                     tag exim-4.95-RC2

The tarball checksums are signed using the same GPG key as I used to
sign this message (Key-ID: D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142),
as the tag and tagged commit are.

For changes since the previous stable version, please see the RC0
announcement: 
https://lists.exim.org/lurker/message/20210715.212328.6bec444b.en.html

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] Exim 4.95-RC1 released

2021-07-28 Thread Heiko Schlittermann via Exim-users
Good Morning,

> On FreeBSD 13-RELEASE (clang version 11.0.1  -f that matters), I had to
> back out of RC0 to 4.94.2 because my paniclog was filled with several lines
> of:
> 
> *2021-07-24 18:16:23 SIGSEGV (maybe attempt to write to immutable memory)*
> 
> I have just installed RC1 and will report if anything strange happens.

I'm afraid the issue isn't solved yet, see the thread starting at
https://lists.exim.org/lurker/message/20210723.150306.145a081e.en.html

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


[exim] Exim 4.95-RC1 released

2021-07-28 Thread Heiko Schlittermann via Exim-users
Hi *,

Thank you for the feedback we got since RC0, especially to Andreas
Metzler who helped discovering and testing stuff around dbbc1c20b.

We just released the next release candidate. Commits since RC0 are:

* 03fc05ca1 - (HEAD -> master, tag: exim-4.95-RC1, origin/master, origin/HEAD) Docs: tidy variables lists (5 days ago)
* 27d03dca1 - DKIM: fix build with older GnuTLS (5 days ago)
* dbbc1c20b - TLS: fix tls_verify_certificates handling of "system" (5 days ago)
* 1c18b2f73 - Testsuite: output chnges resulting (5 days ago)
* 25f3b885d - typo (7 days ago)
* 651acf8b3 - Docs: enhance SPF description (7 days ago)
* 32451e8a6 - Docs: remove extraneous file copy (8 days ago)
* f9d167e05 - typo (10 days ago)
* 9138b6973 - ALPN: not supported under LibreSSL (10 days ago)
* 32c45e838 - Fix no-TLS bulid (10 days ago)
* d083e3f2a - ALPN: feature macro (10 days ago)
* b634f8eaf - typo (10 days ago)
* dbad58950 - typo (10 days ago)
* c4b408623 - TLS: ALPN options (10 days ago)
* f7ea5ba10 - Remove the must-helo check from the example config given that there is now a default-set option and hard code (2f8e0a5f6b) (11 days ago)
* c968a17cc - NewStuff typo (12 days ago)
* 26916dc75 - Docs: Clarify $acl_verify_message lifetime (12 days ago)
* 1f76af318 - Docs: fix formatting (2 weeks ago)

As usual we ask *you* to do as much testing as possible and provide us
feedback. This covers build issues with unusual libraries, runtime
issues in unusual environments and any other kind of things that should
be fixed.

Exim 4.95-RC1 is available

- as tarball:        https://ftp.exim.org/pub/exim/exim4/test
- directly from Git: https://git.exim.org
                     tag exim-4.95-RC1

The tarball checksums are signed using the same GPG key as I used to
sign this message (Key-ID: D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142),
as the tag and tagged commit are.

This is the last chance for new features, as starting with RC2 (planned
around Aug 5th) we won't add any new features to the upcoming release.
If you have anything that should make it into the official release, and
is mature enough to be included in this phase, please contact us.

For changes since the previous stable version, please see the RC0
announcement: 
https://lists.exim.org/lurker/message/20210715.212328.6bec444b.en.html

@David Restall, @Thomas Noll: I'm not sure if we'll manage to fix the
source of the compiler warnings for this release, but we'll try.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification broken

2021-07-23 Thread Heiko Schlittermann via Exim-users
Andreas Metzler via Exim-users  (Fri 23 Jul 2021 07:56:30 CEST):
> Good morning,
> 
> thank you, looks good and works for me with GnuTLS 3.7.1. I did not test
> the fallback though. (Even Debian LTS - Stretch/Debian 9 has GnuTLS
> 3.5.x).

Thanks, as soon as it is on master, I'll prepare RC1.
-- 
Heiko




[exim] Exim 4.95-RC0 released

2021-07-15 Thread Heiko Schlittermann via Exim-users
Hi *

Too much time has passed since 4.94: we released 4.94.2, supported several
fixes for the unofficial 4.94.2+fixes release, fixed the "21 nails" CVEs,
and now it is time to prepare Exim 4.95.

As usual we'll publish several release candidates and we ask *you* to do
as much testing as possible and provide us feedback. This covers build
issues with unusual libraries, runtime issues in unusual environments
and any other kind of things that should be fixed.

Exim 4.95-RC0 is available

- as tarball:        https://ftp.exim.org/pub/exim/exim4/test
- directly from Git: https://git.exim.org
                     tag exim-4.95-RC0

The tarball checksums are signed using the same GPG key as I used to
sign this message (Key-ID: D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142),
as the tag and tagged commit are.

There is no feature freeze yet. If you have anything that should make
it into the official release, and is mature enough to be included in
this phase, please contact us.

New stuff we've added since 4.94:

- from previous experimental support:
  - fast-ramp queue run
  - native SRS
  - TLS resumption
  - LMDB lookups with single key
- new:
  - smtp transport option "message_linelength_limit"
  - optionally ignore lookup caches
  - quota checking for appendfile transport during message reception
  - Sqlite lookups allow a "file=" option
  - Lsearch lookups allow a "ret=full" option
  - command line option for the notifier socket
  - faster TLS startup
  - new main config option "proxy_protocol_timeout"
  - expand "smtp_accept_max_per_connection"
  - log selector "queue_size_exclusive"
  - main config option "smtp_backlog_monitor"
  - main config option "hosts_require_helo"
  - main config option "allow_insecure_tainted_data"

All fixes from the 4.94.2+fixes branch (this includes the "21 nails"
CVEs) are included too.

If you upgrade from previous versions <4.94: the new taint checks are
likely to make your runtime configuration unusable. Read about the
mitigation via the "allow_insecure_tainted_data" first or make your
configuration "taint check proof".

If you upgrade from 4.94.2, nothing should break.

A note on MacOS support: We're not sure about the demand. Please
contact us in case you need to run Exim on MacOS. We might then ask you
to run a build farm animal and to help us more than usual, as we do not
own a MacOS based machine.


Thank you for using Exim.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] route authenticated mail via a smarthosts and non authenticated out another.

2021-07-13 Thread Heiko Schlittermann via Exim-users
Brent Clark via Exim-users  (Tue 13 Jul 2021 11:35:39 CEST):
> Good day Guys
> 
> Where I work, we have a story where we need to route authenticated mail via
> a smarthosts and non authenticated out another smarthost.
> 
> Would anyone perhaps have a suggestion of how I can achieve this.
> My Googling is not of much use today.

And then use this as a router condition

begin routers

smarthost:
  driver = manualroute
  route_data = ${if def:authenticated_id {SMART_AUTH} {SMART_NOAUTH}}
  …

But, this is untested, just meant as a sketch.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] Strange problem with the communication to ClamAV

2021-07-09 Thread Heiko Schlittermann via Exim-users
Luca Bertoncello via Exim-users  (Thu 08 Jul 2021 14:32:25 CEST):
> 
> As you see, I already tried to give a huge timeout in the communication
> between Exim and ClamAV, but it does not solve the problem...
> 

Do these issues correlate with the freshclam-triggered clamav
reloads?

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann


Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Heiko Schlittermann via Exim-users
Niels Kobschätzki via Exim-users  (Mon 05 Jul 2021 14:00:02 CEST):
> >
> > ...beside exims "ratelimiting" (which is just lowering the impact at the 
> > cost
> > of all users)
> 
> actually depending on how the rate limiting works it doesn’t impact all users 
> and I can whitelist users that are legitimate but would be hit by the 
> rate-limiting.

I think, if you follow the initial suggestion, limiting the pure number
of distinct addresses per interval, the impact should be relatively low.

Users sending tons of mails to the same destination are not impacted,
users sending a newsletter to a ton of destinations are not impacted, if
you choose a well balanced rate (e.g. for Exim's ratelimit "engine" it's
a subtle difference between 60/1m and 3600/1h).

And, as the ratelimit condition is expanded, you can do whatever your
creativity dictates (e.g. look up the limits in a database).

-- 
Heiko




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Heiko Schlittermann via Exim-users
Niels Kobschätzki  (Mon 05 Jul 2021 13:54:47 CEST):
> 
> > addresses the users sends mails to in a given time frame.
> >
> > ratelimit = … / per_addr
> 
> According to the documentation: “The per_addr option is like the per_rcpt 
> option, except it counts the number of different recipients that **the 
> client** has sent messages to in the last time period.”
> What is a client? Does sending 10 mails with 50 recipients each from one 
> sender with like a webmailer count like 500 addresses or like 10x 50 
> addresses because there will probably always be a new connect?

It depends on you, what you use as a key for counting.

ratelimit = 300 / 1d / per_addr / $authenticated_id

Untested! But I'm sure you got the idea :)
-- 
Heiko




Re: [exim] Better way to deal with phished users?

2021-07-05 Thread Heiko Schlittermann via Exim-users
Hi Niels,

Niels Kobschätzki via Exim-users  (Mo 05 Jul 2021 05:40:04 
CEST):
> I have again and again problems with phished users. I want to try a new way 
> to deal with them but I worry that I mess up parts of our monitoring.

If you want to try a *new* way, what's the *old* approach?

> One sign of a phished user (if they do not try to log in from lots of 
> different countries) is that they amass in a short time quite some time in my 
> mail queue. Thus my idea is to check if there is such a user via my 
> monitoring system and when one is detected, there is a handler that will 
> freeze that user and all their current mail in the queue. The part of 
> detecting the spam-user via their count of mails in the queue is tested and 
> already gave us far better reaction times, the hit ratio is like 90% of the 
> time it is a spammer, the other times it is a legitimate user with some other 
> problem (and mails from users who regularly generate messages like spammers 
> by newsletters and such are already automatically moved to another 
> mail-server) 

One way to detect phished accounts is by ratelimiting the count of unique
addresses the user sends mails to in a given time frame.

ratelimit = … / per_addr
 
> Iirc exim introduced multiple queues a while ago, do I remember correctly? 
> Could I move those mails from such a user to a new queue, so that for example 
> exim -bpc won’t count them? Or is there a better way than my idea above?

So somewhere in the RCPT ACL

ratelimit = … / per_addr
queue = …

could do the trick.

Best regards from Dresden/Germany
    Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


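An added example, not code from the thread, that ties the three suggestions above together: count distinct recipients per authenticated user with per_addr, key the counter on $authenticated_id rather than the client address, and divert what a suspect account still sends into a named queue so the default queue and `exim -bpc` stay clean. The ACL name, the queue name "suspect", the 300/1d limit and the log tag are assumptions made for this example:

```exim
# Added example (not from the thread). RCPT ACL fragment for authenticated
# submission. "acl_check_rcpt", the queue name "suspect" and 300/1d are
# assumptions; adjust to your own traffic.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Measure how many *different* recipient addresses this login has used during
  # the last day. per_addr ignores repeats, so a user who mails one colleague
  # 200 times stays under the limit, while a phished account spraying 300
  # strangers trips it. The key is the login ($authenticated_id), not the client
  # IP, so webmail, phones and laptops of one account share a single counter.
  # "strict" keeps updating the counter while the client is over the limit, so
  # the account cannot wait out the window by continuing to send at full speed.
  # The "authenticated" test comes first so unauthenticated connections never
  # touch the ratelimit database with an empty key.
  warn
    authenticated = *
    ratelimit     = 300 / 1d / per_addr / strict / $authenticated_id
    log_message   = PHISH-SUSPECT $authenticated_id: $sender_rate distinct recipients per $sender_rate_period (limit $sender_rate_limit)
    # Over the limit: do not reject (legitimate mail of a merely noisy user is
    # kept), but freeze the message and spool it in its own named queue.
    # Frozen messages never leave, "exim -bpc" on the default queue does not
    # count them, and a human can thaw or remove them after a look.
    control       = freeze/no_tell
    queue         = suspect

  # The usual relay / local-domain decisions for everybody else follow here.
  accept
    authenticated = *
```

The counters live in the ratelimit hints database (`exim_dumpdb /var/spool/exim ratelimit`, spool path assumed). Messages parked this way are listed with `exim -bp -qGsuspect`, and a queue runner for that queue is started with `exim -qGsuspect`; after someone has looked at them they are thawed with -Mt or removed with -Mrm. Because the key is the login, the fixed 300 can later be replaced by a per-user lookup, as the thread notes.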


Re: [exim] Error while reading cert or key file

2021-07-04 Thread Heiko Schlittermann via Exim-users
Adrian via Exim-users  (So 04 Jul 2021 22:48:08 CEST):
> I'm setting up exim4 on a new server, to be as similar as possible to
> an existing server where exim4 works well.  Both are running Debian
> buster with split config files.
> 
> I'm getting the following error in the mainlog
> TLS error on connection from email-test.had.dnsops.gov [129.6.100.206]
> (cert/key setup:
> cert=/etc/letsencrypt/live/example.com/fullchain.pem
> key=/etc/exim4/privkey.pem): Error while reading file.

First of all: make sure that the certificate matches the key.
Compare the modulus of the key used for the cert with the modulus of the
key in your key file, and do this as the Exim runtime user:

cd /
sudo -u Debian-exim openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -modulus
sudo -u Debian-exim openssl rsa -in /etc/exim4/privkey.pem -noout -modulus


> The cert file path is a symlink to the actual file
> in /etc/letsencrypt which is world-readable.
> 
> The key file is /etc/exim4/privkey.pem which is a COPY of the live
> one in /etc/letsencrypt.  When the key is renewed by certbot a script
> recreates the copy in /etc/exim4 and runs the following script
> 
> chgrp Debian-exim /etc/exim4/privkey.pem
> setfacl -m g:Debian-exim:r /etc/exim4/privkey.pem
> # setfacl -m g:Debian-exim:x /etc/exim4  seems not needed for this dir
> systemctl restart dovecot
~~~
Why dovecot? If anything, then Exim. But Exim reads the cert *on demand*,
each time for each connection, so there is no need to restart or reload
Exim because of a certificate change. (Of course, as long as the path
doesn't change.)

> Is there a way to increase debug verbosity?  E.g. so that exim4
> confirms which file it can't read, the cert or the key file.

You can start the daemon in the foreground with TLS debugging, on a
"private" port (if TLS doesn't suffice, try -d+tls, and then -d+all
instead of -d-all+tls)

exim -d-all+tls -bdf -oX 2525

and then connect using an SSL client:

openssl s_client -connect localhost:2525 -starttls smtp

> ..or anything else, even brief relaxation of permissions, that might
> help identify where the problem lies.

You can do chmod a+r on the key and the cert for testing purposes, Exim
doesn't check the permissions (and the SSL libraries don't check either,
I believe)

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Disable Links in Body

2021-06-10 Thread Heiko Schlittermann via Exim-users
Patrick Porteous via Exim-users  (Mi 09 Jun 2021 21:58:24 
CEST):
> Hello,
> 
> I would like to set up a filter to disable all external links in received
> messages.  Can someone point me to where to to start looking into that type
> of filtering?

I wouldn't even think about manipulating the mail body. It is asking for
endless trouble. You won't be able to do it in a perfect way, signatures
will be broken, replies will contain dysfunctional links.

If you want to protect your users, restrict their access to external
resources (e.g. force them to use a proxy under your control).

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Exim (aoom) named in context of new TLS cross-protocol attack

2021-06-09 Thread Heiko Schlittermann via Exim-users
Cyborg via Exim-users  (Mi 09 Jun 2021 21:13:43 CEST):
> Don't get me wrong, exim is at the top of this "best of the worse" list,
> because it stops after 3 retries, but other servers like proftpd have already
> reacted to this by implementing countermeasures. This can also be seen in
> the mentioned figure.

The "3" is configurable:

|smtp_max_synprot_errors|Use: main|Type: integer|Default: 3|

So, if you worry about the abuse of your bandwidth and your Exim server,
then set this to zero. Should be enough to not be a part of this attack
vector, shouldn't it?

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] missing logline, as if the delivery crashed

2021-06-02 Thread Heiko Schlittermann via Exim-users
Hi,

Cyborg via Exim-users  (Mi 02 Jun 2021 08:49:21 CEST):
> 
> Exim:  4.94.2   Fedora 33
> Openssl: 1.1.1k-1
> 
> Hi,
> 
> Problem 1:
> 
> since an os upgrade of fedora, where the security policy changed, this
> happens to some connections:
> 
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG <= u...@senderdomain.de
> H=nx222.node01.secure-mailgate.com [89.22.108.222] P=esmtps
> X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no K S=19127
> id=504f250e-1b94-40f6-3d26-2011d5f54...@senderdomain.de
> 2021-06-02 07:02:58 1loJ1s-006Qmo-BG Completed

- What's your log_file_path?
- Can you extract all lines containing the Message-ID?
- An early version of the "taintwarn" patches had issues with lost log
  lines (for local deliveries, though), maybe we've a re-incarnation of
  this bug?

> You will notice, that the delivery line is missing.

If I remember well, it is the delivery process which is accessing the
log, and this process isn't privileged, it runs as the Exim runtime user. 
For writing to the log no extra privilege is needed, but who knows…

> There is no error, no warning, no nothing that explains what happens.

Try adding syslog to your log_file_path and see whether the line you're
missing appears there.

> As i can't reproduce it with any of our other exims as source, how can we
> find out what happened to this mails?
> What log option is to enable to get more infos here?

So you *can* reproduce it on F33 with the Exim package F provides?

> Problem 2:
> 
> This may be strong evidence for the policy change: TLS session:
> (SSL_connect): error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
> small

I think, this isn't related to Exim directly, as we do not require
special key sizes in the default configuration. So maybe library
defaults changed?

Again: I'm not an expert at all, so all my assumptions are only this:
assumptions.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] exim-4.94.2+taintwarn - when will it be EOL?

2021-06-01 Thread Heiko Schlittermann via Exim-users
Hello Chris,

Chris Siebenmann  (Mo 31 Mai 2021 17:59:23 CEST):
> >> To rephrase it:
> >
> > ¹) It is not decided yet, what "future" means. It may or may not be 4.96.
> 
>  Although I understand that the Exim project may not want to wait that
> long, from my perspective it would be ideal if the taintwarn feature
> lasted long enough to make it into LTS Linux releases. Otherwise, from
> the perspective of LTS people who use distribution packages, the feature
> basically won't exist; they will jump straight into a version that breaks
> their setup (if they haven't already[*]).

We're aware of this and when it is time to think about dropping "taintwarn",
we'll seek advice from the distro users, to avoid breaking things
badly.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] IRC channel for Exim

2021-05-27 Thread Heiko Schlittermann via Exim-users
Cyborg via Exim-users  (Do 27 Mai 2021 16:08:53 CEST):
> Am 26.05.21 um 10:55 schrieb Jeremy Harris via Exim-users:
> > If anyone wants to comment, please raise a hand.
> 
> I shall ask you, the community, if you would adopt Matrix as an IRC
> alternative.

> You should know, that there was a bridge to Matrix already working in the
> freenodesystem. it had some minor bugs, but all was mirrored from irc to
> matrix.

For me this bridge was unidirectional only, it didn't send my Matrix
messages to IRC/freenode.

> It's possible to host this for the Exim Community, used to the sole purpose
> of offering some public channels,
> which can be visted by any Matrix Account on any homeserver out there in the
> federation.

*By any Matrix account* - I'm not sure if I'd want to register an
account for the sole purpose to get Exim help. IRC seems to be more open
here. But that's just *my* point of view. Matrix doesn't seem to be
widely established as a support channel yet, at least - again - from my
limited point of view.

> The Exim team could/should have accounts on this server to use some internal
> devs/security channels
> and connect to each other easier. It's also possible to have distro-sec
> channel there. No limits.

We have mailing lists. And for short ping-pong messages IRC just served
the purpose.

Please don't get me wrong - I do not vote against Matrix, but I do not
see a good reason to drop IRC. But - if we setup a Matrix server, I'd
use it and we can see if this gets more users than the #exim channel on
libera.chat.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] IRC channel for Exim

2021-05-27 Thread Heiko Schlittermann via Exim-users
Jeremy Harris via Exim-users  (Do 27 Mai 2021 10:35:05 
CEST):
> The libera.chat #exim channel is now registered for
> the Exim project.  I'll be on there, and will cease
> watching the Freenode channel if and when relevant
> discussion dies away.  There are still more usernames
> listed there than on libera.

I'll place a hint on our exim.org website, about the #exim at
libera.chat.

-- 
Heiko




Re: [exim] exim-4.94.2+taintwarn - when will it be EOL?

2021-05-26 Thread Heiko Schlittermann via Exim-users
Paul Muster via Exim-users  (Di 25 Mai 2021 16:36:26 CEST):
…
> > > telling people about possible config breaking.
> > 4.95 is a major release.

Some clarification: The *branch* will be merged, but the "taintwarn"
feature won't disappear with 4.95.

But everybody should read the big red announcement that accompanies the
"taintwarn" feature: A *future* version of Exim will ignore this new (and
deprecated already now) option. Currently it is not clear, what "future"
means.

The option is meant as mitigation in case you upgrade from <4.94 to
>=4.94. In theory everybody should run 4.94.2 now (as all other versions
are not secure anymore). In practice backports to previous versions exist
(I know of 4.92.3 + security patches, others might exist.) So in theory
everybody now has the chance to make the configuration secure until we
release an Exim w/o the "taintwarn" feature.

But that's theory, as "officially" the "taintwarn" doesn't even exist.
It crept into the 4.94.2+fixes branch silently, some may have it,
others may not have it. (Debian has it, e.g. And Debian was the reason
for me to develop it, as they want to ship 4.94, and w/o "taintwarn"
this would ask for trouble with all letters capitalized.)

> > And the intent of the taintwarn
> > addition is to not break anything.
> 
> Yes, sure. But _EoL_ _of the taintwarn feature_ finally *will* break running
> configs. Therefore the taintwarn feature has been built - to make a step
> inbetween "works" and "breaks", the phase "warns". Isn't it?

We're not talking about EOL of the taintwarn feature right now. But its
EOL will definitely be in one of the next releases. But *not* in 4.95.

To rephrase it:

- Exim 4.95 will contain "taintwarn"
- It is meant as support for upgrading your config, w/o breaking your
  setup instantly.
- With a future¹ release of Exim we will drop the "taintwarn" support.
- If you failed to upgrade your config, your setup will be broken with a
  future¹ release of Exim.

¹) It is not decided yet, what "future" means. It may or may not be 4.96.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] ACL blocking & senders conditional check?

2021-05-21 Thread Heiko Schlittermann via Exim-users
Hi Paul,

Paul Key via Exim-users  (Mi 19 Mai 2021 16:41:49 CEST):
> Hi,
> 
> Using an acl_check_rcpt in exim.conf we are trying to both block and 
> whitelist incoming email addresses in the same acl.
> 
> Currently we have:
> 
> deny  message = $sender_host_address is listed in user blocking list
> 
> condition = ${lookup 
> {$sender_address}wildlsearch{/etc/exim/whitelist.senders} {no}{yes}}
> condition = ${lookup {$sender_address}wildlsearch{/etc/exim/blocking_list} 
> {yes}{no}}
> 
> in whitelist.senders we have an email address "example@example.cloud"  which 
> we want to allow through but in blocking_list we have an entry "*@*.cloud".
> So first we check the whitelist - which matches in the case of receiving an 
> email from "example@example.cloud"  but if no match then should move onto the 
> blocking_list.

yes, and if there is a match, your lookup returns "no", which should
stop processing *this* ACL block

> However it looks like the acl is just evaluating the first condition and not 
> processing the second condition whatever the condition result is.

How can you tell? Did you try debugging this? The simplest way is doing
something like

swaks -q rcpt -f example@example.cloud -t f...@example.com --pipe 'exim -bh 0.0.0.0'

> Is their syntax for an ACL something like:
> If  AND NOT 
> 
> To provide one evaluation result for acl_check_rcpt searching both a 
> blocking_list and a whitelist?

The expressions of a "block" are evaluated in order, *until* an
expression returns "false". If all expressions return true, the block's
verb is executed, otherwise ACL processing jumps to the next block.

Exceptions are
- the verb "require": if *all* expressions are true, the processing
  continues with the next block, otherwise an error (e.g. 5xx) is
  returned.
- the expression "endpass"


I used the following example config:

acl_smtp_rcpt = acl_check_rcpt
begin acl
acl_check_rcpt:
deny
message = $sender_host_address is listed in user blocking list

condition = ${lookup {$sender_address}wildlsearch{$config_dir/whitelist.senders} {no}{yes}}
condition = ${lookup {$sender_address}wildlsearch{$config_dir/blocking_list} {yes}{no}}

With these additional files:
# whitelist.senders
f...@example.com

# blocking_list
*@*.com

and ran the following command

swaks -f 'f...@example.com' -t b...@example.com --pipe 'exim -C /tmp/x.conf -bh 0.0.0.0' -q rcpt

which produced this output (as expected):

…
<-  250-SMTPUTF8
<-  250 HELP
 -> MAIL FROM:
<-  250 OK
 -> RCPT TO:
>>> using ACL "acl_check_rcpt"
>>> processing "deny" (/tmp/x.conf 6)
>>>   message: $sender_host_address is listed in user blocking list
>>> f...@example.com in "f...@example.com"? yes (matched "f...@example.com")
>>> check condition = ${lookup {$sender_address}wildlsearch{$config_dir/whitelist.senders} {no}{yes}}
>>> = no
>>> deny: condition test failed in ACL "acl_check_rcpt"
>>> end of ACL "acl_check_rcpt": implicit DENY
LOG: H=(x1.schlittermann.de) [0.0.0.0] F= rejected RCPT 
<** 550 Administrative prohibition
 -> QUIT
<-  221 x1 closing connection
=== Connection closed with child process.



Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


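An added example, not code from the thread, showing the same "whitelist beats block list" policy written with address-list conditions instead of two ${lookup ...}{no}{yes} expansions, together with the two pitfalls a reviewer would flag: an early accept on the sender turns the whitelist into an open-relay rule, and the envelope sender is unauthenticated, so a whitelist entry is only as trustworthy as the sender verification or authentication you do before it. The local-domain list and the file names under $config_dir are assumptions:

```exim
# Added example (not from the thread). The domain list and the two list files
# are assumptions for this example.
domainlist local_domains = example.com
acl_smtp_rcpt = acl_check_rcpt

# $config_dir/whitelist.senders (wildlsearch keys, "*" is a wildcard):
#   example@example.cloud
# $config_dir/blocking_list:
#   *@*.cloud

begin acl

acl_check_rcpt:

  # Pitfall, kept commented out on purpose: an early "accept" on the sender
  # ends the ACL for *every* recipient, and the envelope sender is unverified
  # and trivially forged. That would be an open relay for anyone who types the
  # whitelisted address into MAIL FROM.
  #   accept senders = wildlsearch;$config_dir/whitelist.senders

  # Correct form: the whitelist is an exception *inside* the deny. Conditions
  # are tested in order and the verb fires only if all of them are true, so a
  # whitelisted sender fails the negated first condition and Exim moves on to
  # the next statement without ever consulting the block list.
  deny
    message  = $sender_address is listed in the user blocking list
    !senders = wildlsearch;$config_dir/whitelist.senders
    senders  = wildlsearch;$config_dir/blocking_list

  # Only now decide whether this server handles the recipient at all. After
  # "endpass" a failing condition no longer means "try the next statement"
  # but turns the accept into a denial with the message set just before it.
  accept
    domains = +local_domains
    endpass
    message = unknown user
    verify  = recipient

  deny
    message = relay not permitted
```

Test it exactly as the post does, with swaks piped into `exim -C /tmp/x.conf -bh 0.0.0.0 -q rcpt`, once with a whitelisted and once with a blocked sender; the `>>>` trace shows which condition stopped each deny. Both list files must be readable by the Exim runtime user, and wildlsearch keys are matched case-insensitively.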


Re: [exim] 4.94 router configuration

2021-05-18 Thread Heiko Schlittermann via Exim-users
Hi,

a. roars via Exim-users  (Mo 17 Mai 2021 20:31:30 CEST):
> Hello,
> 
> I hope I can get some help with the router configuration. This
> configuration worked for previous versions of exim but not with the current
> one.

Variables populated with "external" data are not trusted anymore.
Their values are considered "tainted", and are insecure.

Tainted values can not be used to construct file paths anymore.

You need to rework the configuration to make it secure. (As a mitigation
the "allow_insecure_tainted_data" main config option might help, if your
copy of Exim includes the relevant patch (SuSE and Debian do include
it)).

> archive_out:
>   driver = redirect
>   senders = ! :

>   data = ${if 
> exists{/etc/valiases/$sender_address_domain}{${lookup{archive.$sender_address}lsearch{/etc/valiases/${sender_address_domain}
>   unseen

After playing around a while I came up with the following:

archive_out:
driver = redirect
address_data = ${lookup{$sender_address_domain}dsearch,ret=full{$config_dir/valiases}{$value}fail}
data = ${lookup{archive.$sender_address}lsearch{$address_data}}

I'm pretty sure there are more elegant ways to achieve the same result.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] smtp transport and interface=

2021-05-15 Thread Heiko Schlittermann via Exim-users
Hi Jim,

Jim Pazarena via Exim-users  (Sa 15 Mai 2021 07:55:24 
CEST):
> I have a server with three IP numbers of the same subnet . my smtp transport
> specifies the specific outbound IP number .
> Yet other servers complain of an ssl mis-match because they are seeing one
> of the other IPs which are not in the " interface = " line .

They complain about SSL mis-matches? Do you use SSL client certificates?
Best would be if you can do a tcpdump on your physical interface having
the 3 IP addresses.

-- 
Heiko




Re: [exim] 4.94.2+taintwarn branch failing to compile

2021-05-14 Thread Heiko Schlittermann via Exim-users
Paul Griffith via Exim-users  (Do 13 Mai 2021 18:33:54 
CEST):
> 
> 
> -- Original Message --
> >Paul
> 
> I am able to go into the build directory and  run "make exim" and the 
> exim binary is able to be compiled.

You are not expected to chdir into the build directory. You are expected
to be *above* the build directory.

heiko@x1:…/src $ ls
LICENSE Local Makefile build-… src …

And, additionally try a "make distclean" before doing anything else.
(This will leave your Local/Makefile* in place, so no pain is expected.)

> build-Linux-x86_64]# make exim_fixdb
…

Again, first, you're not expected to sit in the build* directory, and
2nd, you're not expected to "make …" each tool individually.

I can't reproduce your issue, but this:

>   /cs/local/bin/ld: exim_fixdb.o: in function `is_tainted2':
>   exim_dbutil.c:(.text+0x178): undefined reference to 
> `allow_insecure_tainted_data'
>   collect2: error: ld returned 1 exit status
>   make: *** [Makefile:655: exim_fixdb] Error 1

reads as if somewhere an outdated *.a is hanging around. (or a broken
compile cache?)

    Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Exim 4.94 new config for routers (Tainted filename for search)

2021-05-11 Thread Heiko Schlittermann via Exim-users
SysAdmin EM via Exim-users  (Di 11 Mai 2021 21:07:02 CEST):
> I tried modifying the router as follows but I get an error of "Unrouteable
> address"

Try using:

pipe_transport = virtual_address_pipe
retry_use_local_part
domains = dsearch,ret=full;//opt/exim/valiases
-   local_parts = lsearch;$domain_data
+   local_parts = lsearch;/opt/exim/valiases/$domain_data
unseen
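Review bot: the `+` line prepends /opt/exim/valiases/ to $domain_data, yet the `domains` line two lines above uses `dsearch,ret=full`, which makes the lookup return the full path of the matched entry rather than the bare domain name; if $domain_data already carries that path, the resulting file name is /opt/exim/valiases//opt/exim/valiases/<domain> and the lsearch opens nothing. Before relying on this, check what $domain_data actually holds for a test address (`exim -d+lists -bt user@domain`) and drop either the prefix or the `ret=full`, whichever matches. The double slash in `//opt/exim/valiases` on the domains line also reads like a typo.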


Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


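An added example, not code from the thread, covering the tainting problem raised in both the "4.94 router configuration" and the "Tainted filename for search" messages: a virtual-alias router that never builds a file name from tainted input, using the address_data/dsearch pattern from the reply above. The directory layout, the router name and the file contents are assumptions:

```exim
# Added example (not from the thread). Layout assumed for this example:
#   /etc/exim/valiases/<domain>   one lsearch file per domain, "local_part: target"
#   e.g. /etc/exim/valiases/example.com:
#     sales:   alice@example.net, bob@example.net
#     *:       catchall@example.net
begin routers

virtual_aliases:
  driver = redirect
  # Step 1: detaint the domain. $domain comes straight from the RCPT command
  # and is tainted, so "/etc/exim/valiases/$domain" is refused by Exim >= 4.94.
  # Instead look the domain up *in the directory itself*: dsearch succeeds only
  # for an entry that really exists there, the key may not contain a slash, and
  # "ret=full" hands back the path it found. Lookup results are untainted, so
  # that path may be used as a file name. The forced failure makes the router
  # decline (not defer) for domains that have no alias file.
  address_data = ${lookup {$domain} dsearch,ret=full {/etc/exim/valiases} {$value} fail}
  # Step 2: $local_part stays tainted, and that is fine: here it is only a
  # lookup *key*, never part of a file name. "lsearch*" retries with the key
  # "*" so a catch-all line works; an empty result (unknown local part and no
  # catch-all) makes the router decline, and the address falls through to
  # the routers below.
  data = ${lookup {$local_part} lsearch* {$address_data}}
```

Verify with `exim -bt sales@example.com` and `exim -bt nobody@example.com`, and with a domain that has no file, to see the router redirect, catch all, and decline respectively; `-d+lookup` shows the untainted path that dsearch returned. The allow_insecure_tainted_data option mentioned in the thread is only a stop-gap for the upgrade; this router does not need it.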


Re: [exim] Building 4.94-2 from source on RHEL 6.10

2021-05-10 Thread Heiko Schlittermann via Exim-users
Hi Richard,

Richard Gilbert via Exim-users  (Mo 10 Mai 2021 18:31:17 
CEST):
> I have been installing Exim from source since I started using it in
> 1996 after hearing Philip Hazel talking about Exim at a meeting in
> Aberdeen.  4.94-2 is the first one where I have had to tell it to use
> gcc and to specify CFLAGS += -std=gnu99.

Yes, the -std=gnu99 (c99 should suffice) is necessary now, as it seems
that we use things like

for (int i=…; …; …)

And older compilers seem to require the `-std=c99` flag, newer ones
probably have other defaults and accept such code by default.
> gcc acl.c
> acl.c: In function ‘acl_check_condition’:
> acl.c:3202: warning: assignment discards qualifiers from pointer target type
> 
> exim.c: In function ‘main’:
> exim.c:4823: warning: assignment discards qualifiers from pointer target type

The warnings are not normal, but it's a slow process removing them.
And it doesn't seem to be possible to make *all* compilers happy with
the same code, except creating a jungle of #ifdef … (But I'm not an
expert for portable code at all.)


> CentOS8 servers to replace them but the installed packaged version of
> 4.94 had a bug -- https://bugs.archlinux.org/task/66894 -- which
> prevented the use of AUTH PLAIN with PAM, so we decided to keep the
> old servers going for another year.)

Generally Exim should build on ancient systems (but I'm not sure how
"ancient" ancient is allowed to be. Some parts of the build environment
probably need Perl 5.10 (or 5.8?).)

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] "allow_insecure_tainted_data = yes" - was: tainted data issues

2021-05-08 Thread Heiko Schlittermann via Exim-users
Chris Edwards via Exim-users  (Sa 08 Mai 2021 13:15:45 
CEST):
> On Tue, 6 Apr 2021, Heiko Schlittermann via Exim-users wrote:
> 
> > Currently I'm running this on a production systems without any issues so
> > far. You're invited to do tests in your systems too.
> 
> Trying this version, with allow_insecure_tainted_data set, then this:
> 
>   testlist:
> driver = redirect
> data = :include:/some/where/${local_part}
> 
> fails with error:
> 
>  LOG: MAIN PANIC DIE
>   Taint mismatch, Ustrncpy: parse_forward_list 1393
> 
> It looks like the :include: might be the issue.
> 
> Not a problem here as I've now detainted this, but thought to report back.

Thanks, I'll try to reproduce it, and fix it.

-- 
Heiko




Re: [exim] Exim 4.94.2 - security update released

2021-05-06 Thread Heiko Schlittermann via Exim-users
Hi Konstantin,

Konstantin Boyandin via Exim-users  (Do 06 Mai 2021 
14:54:37 CEST):
> On 04.05.2021 20:40, Heiko Schlittermann via Exim-users wrote:
> > We have prepared a security release, tagged as "exim-4.94.2".
> > 
> > This release contains all changes on the exim-4.94+fixes branch plus
> > security fixes.
> 
> I wonder whether current Exim maintainer at EPEL reads this list.

The initial heads-up notification was sent to oss-security@openwall,
distros@vs.openwall and exim-maintainers. It contained a schedule.

The announcement of the limited access to the security repo was sent to
distros@… on Apr 27th, the announcement of the public release was sent
to oss-security@…, and exim-users, and, with some delay to
exim-announce.

I'm not exactly sure how to notify the individual distros in a more reliable
way.

(I got reports that Fedora's packages were stuck on some test server.
(?))

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Feature Request: react on HTTP

2021-05-06 Thread Heiko Schlittermann via Exim-users
Cyborg via Exim-users  (Do 06 Mai 2021 11:43:58 CEST):
> 
> 2021-05-06 11:07:58 no host name found for IP address 68.183.80.168
> 2021-05-06 11:07:58 SMTP call from [68.183.80.168] dropped: too many
> unrecognized commands (last was "Accept-Encoding: gzip, deflate")
…
> I suggest:
> 
> not to wait for the usual error treshhold of smtp related errors, but
> instead auto disconnect and block the IP for a few minutes , because, as
> seen, they come back as often as you let them.

Shouldn't the enforcement of synchronisation already prevent this? Hm,
maybe we've a mid-air collision of our banner and their HTTP request.

Don't we have a max_invalid_smtp_commands threshold?

Or what point am I missing here?

-- 
Heiko




Re: [exim] tainted filname issue

2021-05-05 Thread Heiko Schlittermann via Exim-users
Dan Egli via Exim-users  (Mi 05 Mai 2021 22:45:34 CEST):
> and I THINK it's okay. Problem is that I'm encountering another issue that
> prevents me from saying all is well. I have my updated exim binary as
> exim_new and the updated config as exim_new.conf, but when I try to submit a
> message exim conks out saying I passed a bad or incomplete argument:

Try setting the binary name exim_path = … in your new config.
-- 
Heiko




Re: [exim] tainted data issues

2021-05-05 Thread Heiko Schlittermann via Exim-users
Victor Ustugov via Exim-users  (Mi 05 Mai 2021 22:29:32 
CEST):
> >> git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git
> > 
> > Sorry my fault, far too many branches, merges, and tags during the
> > recent days. Branch is exim-4.94.2+taintwarn, which includes the +fixes
> > and the taintwarn feature.
> 
> Thank you.
> 
> As far as I can see, the exim-4.94.2+taintwarn branch includes the code
> from the exim-4.94.2+fixes branch, doesn't it?

Exactly. It does include all the stuff in exim-4.94.2+fixes. Please be
aware, the taintwarn feature is only for mitigation. It will be ignored
in one of the future versions.
-- 
Heiko




Re: [exim] tainted data issues

2021-05-05 Thread Heiko Schlittermann via Exim-users
Victor Ustugov via Exim-users  (Mi 05 Mai 2021 20:01:56 
CEST):
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 19:11:
> 
> > In case you didn't notice. We've added a new but already deprecated main
> > config option:
> > 
> > allow_insecure_tainted_data = yes
> > 
> > For this option you need to get exim-4.94.2+fixes. This option isn't 
> > part of 4.94.2!
> 
> Did you mean
> 
> git clone --branch exim-4.94.2+fixes https://github.com/Exim/exim.git

Sorry my fault, far too many branches, merges, and tags during the
recent days. Branch is exim-4.94.2+taintwarn, which includes the +fixes
and the taintwarn feature.


Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] tainted data issues

2021-05-05 Thread Heiko Schlittermann via Exim-users
Sander Smeenk via Exim-users  (Mi 05 Mai 2021 17:10:39 
CEST):
> Quoting Jeremy Harris via Exim-users (exim-users@exim.org):
> 
> > It is far to easy for someone to write a matcher which just
> > untaints everything, disabling the security.  Three people
> > would do that, and one would post it on serverfault.  Then
> > it would be cargo-culted forever.
> 
> You mean like this 'hack'?
> https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/
> 
> 
> TL;DR:
> 
> Late to the party i see, but i was bitten by the new 'tainted
> data'-feature yesterday and after reading this thread, i too would
> really like to see that ${untaint{}{}} idea implemented. 

In case you didn't notice: we've added a new but already deprecated main
config option:

allow_insecure_tainted_data = yes

For this option you need to get exim-4.94.2+fixes. This option isn't 
part of 4.94.2!

This option allows you to turn the taint errors into warnings and is
provided to help you in reworking your config into a more secure one.
Future Exim releases (not sure about "future" though) will ignore this
option.

Debian 11 includes this patch already. Exim 4.95 will kind of officially
support this option too. But, as said above, it is deprecated already
today.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Exim 4.94.2 - security update released

2021-05-05 Thread Heiko Schlittermann via Exim-users
Cyborg via Exim-users  (Mi 05 Mai 2021 16:56:44 CEST):
> Am 04.05.21 um 15:40 schrieb Heiko Schlittermann via Exim-users:
> > The details about the vulnerabilities *will* be published in the near
> > future (on http://exim.org/static/doc/security/), but not today. This
> > should give you the chance to update your systems.
> Time has run up:
> https://www.qualys.com/2021/05/04/21nails/21nails.txt

It is linked on https://exim.org already since about yesterday.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Heiko Schlittermann via Exim-users
Victor Ustugov via Exim-users  (Mi 05 Mai 2021 14:48:20 
CEST):
> Heiko Schlittermann via Exim-users wrote on 05.05.2021 14:57:
> > Victor Ustugov via Exim-users  (Mi 05 Mai 2021 
> > 13:21:55 CEST):
> >>> I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> >>> 4.95 as soon as possible.
> >>
> >> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> >> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> >> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
> > 
> > What did you do?
> 
> I built exim 4.94.2 with patch
> https://mta.org.ua/exim-4.94-conf/patches/exim-4.94%2Bfixes-fix-sqlite-tainted-filename/patch-src__exim-4.94%2Bfixes-fix-sqlite-tainted-filename.patch
> 
> As I remember patch for exim 4.94 based on:
> 
> https://git.exim.org/exim.git/patch/44644c2e404a3ea0191db0b0458e86924fb240bb
This one isn't related to the file= feature.


These both I located too and "backported" to 4.94.2 (as did too,
probably):
> https://git.exim.org/exim.git/patch/4a7dca52352d0976f200b89a50825433b7551554
> https://git.exim.org/exim.git/patch/b8514d1960e259d49ab2c84c89eba52ab993da3f

See the attached patches.

@Odhiambo: as it seems you're building your own version of Exim, we
recommend you the patches from Victor or mine (attached). Currently we do
not plan to do the backport officially, because we'll start working
to release 4.95 as soon as possible.

-- 
Heiko
From 7ecb8213b1c9a6d9db1886d54cce8a60c5b0b55a Mon Sep 17 00:00:00 2001
From: Jeremy Harris 
Date: Sat, 6 Jun 2020 14:45:47 +0100
Subject: [PATCH 1/2] Refactor lookup argument shuffling

(cherry picked from commit 4a7dca52352d0976f200b89a50825433b7551554)
---
 src/src/expand.c| 20 +++-
 src/src/functions.h |  1 +
 src/src/match.c | 17 +
 src/src/search.c| 36 
 4 files changed, 41 insertions(+), 33 deletions(-)

diff --git a/src/src/expand.c b/src/src/expand.c
index 05de94c49..ad9f54402 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -4391,7 +4391,7 @@ if (is_tainted(string))
   goto EXPAND_FAILED;
   }
 
-while (*s != 0)
+while (*s)
   {
   uschar *value;
   uschar name[256];
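Review bot: the `-while (*s != 0)` / `+while (*s)` change in this hunk is purely cosmetic and unrelated to the lookup-argument refactor named in the subject; for a cherry-pick onto a stable 4.94.2 tree it is safer to drop such unrelated churn so the backport stays minimal and the remaining conflicts are easier to resolve.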
@@ -4777,7 +4777,7 @@ while (*s != 0)
   int save_expand_nmax =
 save_expand_strings(save_expand_nstring, save_expand_nlength);
 
-  if ((expand_forbid & RDO_LOOKUP) != 0)
+  if (expand_forbid & RDO_LOOKUP)
 {
 expand_string_message = US"lookup expansions are not permitted";
 goto EXPAND_FAILED;
@@ -4876,21 +4876,7 @@ while (*s != 0)
   file types, the query (i.e. "key") starts with a file name. */
 
   if (!key)
-{
-	Uskip_whitespace();
-key = filename;
-
-if (mac_islookup(stype, lookup_querystyle))
-  filename = NULL;
-else
-  if (*filename == '/')
-	{
-	while (*key && !isspace(*key)) key++;
-	if (*key) *key++ = '\0';
-	}
-	  else
-	filename = NULL;
-}
+	key = search_args(stype, name, filename, );
 
   /* If skipping, don't do the next bit - just lookup_value == NULL, as if
   the entry was not found. Note that there is no search_close() function.
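Review bot: the replacement line `+	key = search_args(stype, name, filename, );` shows an empty fourth argument as rendered here, which cannot compile; the prototype added in functions.h declares that parameter as `uschar **`, so it must be the address of `filename` (most likely mangled in transit, but verify the attached file). Also confirm that the helper reproduces the removed logic exactly: for non-query-style lookups whose argument begins with '/' the old code terminated the filename at the first whitespace by writing a NUL into the buffer and advanced `key` past it, and in every other case set `filename` to NULL; a helper that returns `key` but leaves `filename` untouched in the non-'/' case would silently change which lookups are handed a filename.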
diff --git a/src/src/functions.h b/src/src/functions.h
index e22fd4f99..a4914b730 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -448,6 +448,7 @@ extern voidroute_init(void);
 extern gstring * route_show_supported(gstring *);
 extern voidroute_tidyup(void);
 
+extern uschar *search_args(int, uschar *, uschar *, uschar **);
 extern uschar *search_find(void *, const uschar *, uschar *, int,
 		 const uschar *, int, int, int *, const uschar *);
 extern int search_findtype(const uschar *, int);
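Review bot: the new prototype `+extern uschar *search_args(int, uschar *, uschar *, uschar **);` gives no hint that the third and fourth parameters are the same filename passed by value and then by address for output, and unlike the neighbouring `search_find` it takes the query as non-const `uschar *`, which suggests it may write into the caller's string; a one-line comment at the definition stating which arguments are modified in place would spare callers the mistake the expand.c hunk invites.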
diff --git a/src/src/match.c b/src/src/match.c
index dfb4b5148..eb8315b46 100644
--- a/src/src/match.c
+++ b/src/src/match.c
@@ -286,22 +286,7 @@ if (!cb->use_partial) partial = -1;
 
 /* Set the parameters for the three different kinds of lookup. */
 
-keyquery = semicolon + 1;
-Uskip_whitespace();
-
-if (mac_islookup(search_type, lookup_absfilequery))
-  {
-  filename = keyquery;
-  while (*keyquery && !isspace(*keyquery)) keyquery++;
-  filename = string_copyn(filename, keyquery - filename);
-  Uskip_whitespace();
-  }
-
-else if (!mac_islookup(search_type, lookup_querystyle))
-  {
-  filename = keyquery;
-  keyquery = s;
-  }
+keyquery = search_args(search_type, s, semicolon+1, );
 
 /* Now do the actual lookup; throw away the data returned unless it was asked
 for; partial matching is all handled inside search_find(). Note that there is
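Review bot: the removed match.c code never wrote into the caller's buffer (it took its own copy via `string_copyn` in the absfilequery case), whereas the removed expand.c code terminated the filename in place with `*key++ = '\0'`; now that both call `search_args`, check which behaviour the helper implements, because here the third argument is `semicolon+1`, a pointer into the original list item, and a NUL written there would truncate that item for any later pass over the same list. The two removed blocks also split filename from key under different conditions (match.c only for `lookup_absfilequery`, expand.c for any non-query-style type starting with '/'), so the commit message should state which rule the unified helper follows.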
diff --git a/src/src/search.c b/src/src/search.c
index f8aaacb04..125dd1c48 100644
--- a/src/src/search.c
+++ b/src/src/search.c
@@ -217,6 +217,42 @@ return stype;
 }
 
 
+/* Set the parameters for the three different kinds
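Review bot: this hunk is cut off after its opening comment line, so the body of `search_args`, the function every other hunk in the patch depends on, cannot be reviewed from the text as posted; before merging, compare the attached file against upstream commit 4a7dca52352d0976f200b89a50825433b7551554 (the one it is cherry-picked from) and confirm that the 36 added lines the stat header promises for src/src/search.c arrived intact.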

Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Heiko Schlittermann via Exim-users
Heiko Schlittermann  (Mi 05 Mai 2021 14:04:10 CEST):
> > What did you do? I just cherry-picked the mentioned commit 
> > 4a7dca52352d0976f200b89a50825433b7551554
> > 
> > But the error didn't disappear. I'll check in more detail now.
> 
> seems to be relevant too:
> b8514d1960e259d49ab2c84c89eba52ab993da3f

Yes, then it behaves as expected, but I get several conflicts in the
docbook source.

Question now is, if we want to "officially" backport these fixes. I'll
ask Jeremy.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -




Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Heiko Schlittermann via Exim-users
Victor Ustugov via Exim-users  (Mi 05 Mai 2021 13:21:55 
CEST):
> > I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> > 4.95 as soon as possible.
> 
> Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).

What did you do? I just cherry-picked the mentioned commit 
4a7dca52352d0976f200b89a50825433b7551554

But the error didn't disappear. I'll check in more detail now.

-- 
Heiko




Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-05 Thread Heiko Schlittermann via Exim-users
Heiko Schlittermann  (Mi 05 Mai 2021 13:57:32 CEST):
> Victor Ustugov via Exim-users  (Mi 05 Mai 2021 13:21:55 
> CEST):
> > > I'd just refuse to create a bloated 4.94+fixes, instead of releasing
> > > 4.95 as soon as possible.
> > 
> > Yesterday I built exim 4.94.2 with adapted code from Jeremy's commit.
> > It works as expected on FreeBSD (exim 4.94.2 from ports with my patches)
> > and Ubuntu (exim 4.94.2-1 built from Debian deb-src with my patches).
> 
> What did you do? I just cherry-picked the mentioned commit 
> 4a7dca52352d0976f200b89a50825433b7551554
> 
> But the error didn't disappear. I'll check in more detail now.

seems to be relevant too:
b8514d1960e259d49ab2c84c89eba52ab993da3f
-- 
Heiko




Re: [exim] tainted filname issue

2021-05-05 Thread Heiko Schlittermann via Exim-users
Dan Egli via Exim-users  (Mi 05 Mai 2021 02:41:38 CEST):
> I just upgraded to 4.94.2, and most everything is working fine. But I'm
> getting an issue on DKIM signings with tainted filename. I looked over the
> list and tried to apply the same fix I've seen used before, but I guess I'm
> not understanding it. Here's my dkim_private_key statement:
> 
>   dkim_private_key   = ${if
> exists{/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}\
> {/etc/exim/DKIM/${lc:$sender_address_domain}/dkim.private.key.pem}{0}}
> 
> So how do I correct this? Thanks!

You didn't run 4.94 before, did you?

The $sender_address_domain is considered tainted. Now (since >= 4.94)
Exim refused to use tainted data for filenames. The "exists" doesn't
de-taint the data. You need to perform a kind of lookup first, to
"clean"/"de-taint" the data.


# determine the domain to be used for signing (use the rfc5322.From
# or schlittermann.de as a fallback)
dkim_domain = ${lookup{${domain:${address:$h_from:}}}dsearch{$config_dir/dkim}{$value}{schlittermann.de}}
dkim_selector = ${lookup{$dkim_domain}lsearch{$config_dir/dkim/selector}}

# use the found signing domain and its selector to get
# the private key
dkim_private_key = $config_dir/dkim/$dkim_domain/$dkim_selector.pem

-- 
Heiko


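As an added illustration of the taint rule explained in the reply above (example code, not Exim's own): a small Python model in which a Tainted string cannot become a filename component until a dsearch-style lookup has matched it against an admin-controlled directory. The Tainted/TaintError classes, the helper names and the temporary config tree are constructed for the example.

```python
import os
import tempfile

class Tainted(str):
    """Data taken from the message, e.g. $sender_address_domain."""
    def lower(self):
        return Tainted(str.lower(self))     # ${lc:...} does not remove the taint


class TaintError(ValueError): pass          # where Exim refuses a tainted filename


def dsearch(directory, key):
    """Model of dsearch: hand back the admin-controlled entry name, untainted."""
    if "/" in key or key in ("", ".", ".."):   # entry must be a direct child
        return None
    for entry in os.listdir(directory):
        if entry == key:
            return entry                        # plain str, not Tainted
    return None


def open_path(*parts):
    """Build a filename, refusing any tainted component (Exim >= 4.94 rule)."""
    for part in parts:
        if isinstance(part, Tainted):
            raise TaintError(f"tainted value {part!r} used in a filename")
    return os.path.join(*parts)


def exists_then_use(config_dir, sender_domain):
    """The poster's pattern: ${if exists{...}} checks but does not de-taint."""
    candidate = (config_dir, "dkim", sender_domain.lower(), "dkim.private.key.pem")
    if os.path.exists(os.path.join(*candidate)):
        return open_path(*candidate)            # raises: domain is still tainted
    return None


def dkim_private_key(config_dir, sender_domain):
    """The reply's pattern: look the domain up first, then build the path."""
    domain = dsearch(os.path.join(config_dir, "dkim"), sender_domain.lower())
    if domain is None:
        return None                             # unknown domain: do not sign
    return open_path(config_dir, "dkim", domain, "dkim.private.key.pem")


def make_fixture():
    """Constructed config tree: <tmp>/dkim/example.org/dkim.private.key.pem."""
    config_dir = tempfile.mkdtemp()
    keydir = os.path.join(config_dir, "dkim", "example.org")
    os.makedirs(keydir)
    with open(os.path.join(keydir, "dkim.private.key.pem"), "w") as fh:
        fh.write("placeholder, not a real key\n")
    return config_dir
```

A domain such as "../../etc" never matches a directory entry, so the lookup-first form yields no key instead of a traversal, while the exists-first form is refused even for a legitimate domain because the component is still tainted.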


Re: [exim] Sqlite Lookup absolute filename (was Exim 4.94.2 - security update released)

2021-05-04 Thread Heiko Schlittermann via Exim-users
Jeremy Harris via Exim-users  (Mi 05 Mai 2021 00:11:59 
CEST):
> Having made me go and look... that is what I did, in b8514d1960
> (which is since 4.94).  A comma-sep option "file=/foo" after
> the word "sqlite".

Yes, that's what I found. But I can't see this in either 4.94 or
4.94+fixes.

@Victor: Yes, the commit *can* be backported, but first I'd like to
understand how this syntax worked for Odhiambo with 4.94.

And I do not want to drop the support for queries to different SQLite
databases, but again - I'd like to understand why Odhiambo sees this
working with 4.94.

I'd just refuse to create a bloated 4.94+fixes, instead of releasing
4.95 as soon as possible.

-- 
Heiko



