Re: [exim] issue with ${reduce and ${extract

2017-02-26 Thread Phil Pennock via Exim-users
On 2017-02-25 at 22:25 -0500, Phil Pennock wrote: > 20fcb1e7be45177beca2d433f54260843cc7c2f6 is the first bad commit > commit 20fcb1e7be45177beca2d433f54260843cc7c2f6 > At this point, I suspect that the issue is the current line 4974 of > expand.c, where `lookup_value = NULL` while skipping, but

Re: [exim] MySQL Connection errors – SSL?

2018-05-14 Thread Phil Pennock via Exim-users
On 2018-05-14 at 14:12 +0200, Kai Bojens via Exim-users wrote: > 1. Does Exim close the MySQL connection properly? One explanation I > found suggested that this could pose a problem. It should be closing it. There might be a leak, that is something we'd probably fix given sufficient information.

[exim] DANE example (Re: Exim & DANE .. status ?)

2018-05-23 Thread Phil Pennock via Exim-users
On 2018-05-22 at 18:09 +0200, Cyborg via Exim-users wrote: > the German office of security ( BSI ) has given out a policy, that > secure emailserver should have implemented DANE. > > So, what's the status of DANE for Exim? > > Any useful self-explaining examples at hand ? :) Outbound or inbound?

Re: [exim] Rspamd-Proxy error with exim

2018-06-15 Thread Phil Pennock via Exim-users
On 2018-06-15 at 11:51 +, Emanuel Gonzalez via Exim-users wrote: > "In fact, it is Exim who SHOULD drop fucking legacy protocol support. > But I cannot convince its developers to do that. I have fixed this > issue at some point in the past but I have no Exim to test that." For the record:

Re: [exim] Rspamd-Proxy error with exim

2018-06-15 Thread Phil Pennock via Exim-users
On 2018-06-15 at 17:26 -0400, Phil Pennock via Exim-users wrote: > On 2018-06-15 at 11:51 +, Emanuel Gonzalez via Exim-users wrote: > > "In fact, it is Exim who SHOULD drop fucking legacy protocol support. > > But I cannot convince its developers to do that. I have fixed th

Re: [exim] Rspamd-Proxy error with exim

2018-06-14 Thread Phil Pennock via Exim-users
On 2018-06-14 at 18:31 +, Emanuel Gonzalez via Exim-users wrote: > Here the log: > > https://github.com/vstakhov/rspamd/files/2102038/rspamdserver.log The rspamd proxy is replying with an HTTP response, not an RSPAM protocol response. Since I saw logic in the proxy source-code to handle

Re: [exim] unable to get local issuer certificate cert

2018-06-14 Thread Phil Pennock via Exim-users
On 2018-06-15 at 03:56 +0200, krz...@gmail.com via Exim-users wrote: > SSL verify error: depth=1 error=unable to get local issuer > certificate cert=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert > SHA2 High Assurance Server CA > > It's the same error for every receiver and I believe error

Re: [exim] Rspamd-Proxy error with exim

2018-06-13 Thread Phil Pennock via Exim-users
On 2018-06-13 at 18:44 +, Emanuel Gonzalez via Exim-users wrote: > rspamd-proxy doesn't work with Exim v4.87. Connection works etc but exim > can't parse the response. Interesting. From the rspamd log attached to your ticket against rspamd it looks as though rspamd thinks things succeeded?

Re: [exim] exim4 Versions above about 4.80 Don't Talk to my ISP's smarthost.

2018-05-31 Thread Phil Pennock via Exim-users
On 2018-05-31 at 21:41 -0500, Martin McCormick via Exim-users wrote: > The last part of this long message is the log of the > delivery attempt. As you see, I do now log in to the smarthost > and the only reason for the failure is that the sender name gets > changed. > > The ISP knows

Re: [exim] setting up purchased SSL certificates on existing system

2018-04-30 Thread Phil Pennock via Exim-users
On 2018-04-30 at 14:58 +0100, Gary Stainburn via Exim-users wrote: > I have now purchased (through 123-reg) a SSL certificate and I am trying to > install it on the server. Which method did you use to buy the cert, and are you a "shared hosting package" customer? > My problem is that from my

Re: [exim] Exim-users Digest, Vol 165, Issue 9 [verification failed - body hash mismatch]

2018-02-12 Thread Phil Pennock via Exim-users
On 2018-02-12 at 14:04 +, Jeremy Harris via Exim-users wrote: > On 12/02/18 12:12, Martin Nicholas via Exim-users wrote: > > I notice this from "Exim-users Digest, Vol 165, Issue 9": > > > > DKIM: d=exim.org s=d201802 c=relaxed/relaxed a=rsa-sha256 b=1248 > > [verification failed - body hash

Re: [exim] Exim-users Digest, Vol 165, Issue 9 [verification failed - body hash mismatch]

2018-02-13 Thread Phil Pennock via Exim-users
On 2018-02-12 at 18:53 -0500, Phil Pennock via Exim-users wrote: > > On 12/02/18 12:12, Martin Nicholas via Exim-users wrote: > > > I notice this from "Exim-users Digest, Vol 165, Issue 9": > I've subscribed another address to the mailing-list, in digest mode, to

Re: [exim] [META/OT] DKIM sender rewriting [Was: TLS error in incoming emails from *.outlook.com]

2018-02-13 Thread Phil Pennock via Exim-users
On 2018-02-12 at 19:45 -0800, Ian Zimmerman via Exim-users wrote: > I note with horror that now I am also a 'via Exim-users' despite > intentionally NOT using DKIM for list messages, including this one. > Why? Is the rewriting now done regardless? Yes. I don't know who/why. from_is_list has

Re: [exim] send mail based on origin domain

2018-02-16 Thread Phil Pennock via Exim-users
On 2018-02-16 at 12:21 -0300, Nicolas Leonel via Exim-users wrote: > I apologize but my exim knowledge is extremely limited, can you share an > example on how to setup two different users with that example. I did. In the linked message: > >

Re: [exim] TLS BEAST attack on exim

2018-02-16 Thread Phil Pennock via Exim-users
On 2018-02-16 at 10:27 +0100, Cyborg via Exim-users wrote: > has anyone ever heard, that Beast worked against TLSv1 on mailservers ? I wrote a post to exim-announce at the time, analysing the situation. A Google search for (exim beast) turned this up as the first result:

Re: [exim] Get the value of an external script in a condition

2018-02-22 Thread Phil Pennock via Exim-users
On 2018-02-20 at 13:54 +, Andrew C Aitchison via Exim-users wrote: > Interesting idea to use the whois database to detect spammers. > Since whois data has expiry info and doesn't change every day, > I wonder how easy it would be to cache the results. The jwhois client does this; it's a GNU

Re: [exim] Question TLS

2018-02-24 Thread Phil Pennock via Exim-users
On 2018-02-22 at 17:34 +, Luciano InfoCultura via Exim-users wrote: > How do I make connections initiated on ports 25 or 587 in plain text only > allow the sending of messages after using STARTTLS. > my brief configuration: The message exchange is between servers and do not use >

[exim] Future OpenSSL configuration: sketch 1

2018-04-08 Thread Phil Pennock via Exim-users
Folks, The way we configure OpenSSL and the amount of special stuff we have to do is a bit of a mess. GnuTLS is a bit better, because you can put TLS protocol versions into the Priority String, but with OpenSSL, we're stuck trying to support every last thing and caught when some folks stuck

Re: [exim] Future OpenSSL configuration: sketch 1

2018-04-09 Thread Phil Pennock via Exim-users
On 2018-04-09 at 08:14 +0200, Kirill Miazine via Exim-users wrote: > Hi, Phil > * Phil Pennock via Exim-users [2018-04-08 17:24]: > [...] > > We've said "we only support versions of OpenSSL supported by the > > upstream project", so now it's time to take adva

Re: [exim] Assistance requested with $if foray{...

2018-04-18 Thread Phil Pennock via Exim-users
On 2018-04-18 at 11:42 +, Robert Bannocks via Exim-users wrote: > I want to search a file for decreasingly specific forms of an address > that come from a given host and do some specialist routing thereafter. > To this end I have constructed the following condition: Can you change the stored

[exim] Next Exim: TLS: changed smarthost example config

2018-04-20 Thread Phil Pennock via Exim-users
Folks, I've committed and pushed a change to the default Exim configuration file for the next Exim release. This change has the example SMTP Transport used for _smarthosts_, such as talking to an ISP, using TLS by default, with _strong_ TLS enabled, and certificate verification, and sending SNI.

Re: [exim] Next Exim: TLS: changed smarthost example config

2018-04-21 Thread Phil Pennock via Exim-users
On 2018-04-20 at 22:38 -0400, Viktor Dukhovni via Exim-users wrote: > I'd make that: > > HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd > > Because, the ciphers are already sensibly ordered as of OpenSSL 1.0.0. No matter what we tell people and how much we push towards 1.0.2 as a minimum,

Re: [exim] Next Exim: TLS: changed smarthost example config

2018-04-21 Thread Phil Pennock via Exim-users
On 2018-04-21 at 11:23 +0200, Andreas Metzler via Exim-users wrote: > Personally I am not convinced that this is the right way for trying to > enforce stronger encryption standards on mail providers. It's not about that. It's about providing people relying upon defaults with worthwhile security,

Re: [exim] compiling 4.91 under FreeBSD

2018-04-16 Thread Phil Pennock via Exim-users
On 2018-04-16 at 20:21 +0200, Max Kostikov via Exim-users wrote: > I had this > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227560 The experimental DMARC support hard-requires SPF support. NewStuff: 4. SPF support is promoted from Experimental to mainline status. The template

Re: [exim] Exim 4.91: option "hosts_try_dane" unknown

2018-04-16 Thread Phil Pennock via Exim-users
On 2018-04-16 at 20:47 +0200, Max Kostikov via Exim-users wrote: > Is this option deprecated now? > Found nothing about this in ChangeLog and NewStuff. > (system is FreeBSD 11.1-RELEASE-p9) With the benefit of 20/20 hindsight, there's a couple of things which could have gone into README.UPDATING.

Re: [exim] compiling 4.91 under FreeBSD

2018-04-16 Thread Phil Pennock via Exim-users
On 2018-04-16 at 12:14 -0500, Larry Rosenman via Exim-users wrote: > http://home.lerctr.org:/data/live-host-ports/2018-04-16_11h54m01s/logs/errors/exim-4.91.log Enable OCSP support. It's on by default in Exim and our test suite isn't good at ensuring we still compile when various things are

[exim] DKIM dual-signing RSA+Ed25519 working

2018-04-15 Thread Phil Pennock via Exim-users
Just so folks see it can be done: dual-DKIM signing, and verification, with Exim. Jeremy did all the Exim code to manage this, I'm acting purely as a sysadmin in deploying this. Exim 4.91, using OpenSSL 1.1.1-pre4, is the MTA for spodhuis.org; and is the next-exim for exim.org, so is the version

Re: [exim] Fw: paniclog after upgrade from 4.90_1 to 4.91

2018-04-23 Thread Phil Pennock via Exim-users
On 2018-04-23 at 21:20 +0200, Sławomir Dworaczek via Exim-users wrote: >> After upgrade from exim version 4.90_1 to 4.91 messages not sending to >> external host >> Panic log : Delivery status for user@external_domain.com got 0 of 7 bytes >> (pipeheader) from transport process 13323 for transport

Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list

2018-03-28 Thread Phil Pennock via Exim-users
On 2018-03-28 at 21:11 -0400, Phil Pennock via Exim-users wrote: > $smtp_found_dane or something? Note that DANE support is Experimental > and feedback and requests are a good thing (patches even better!). Uh ... DANE graduated from Experimental, I forgot. Sorry. Am tentatively th

Re: [exim] Exclude TLS_RSA_WITH_SEED_CBC_SHA from cipher list

2018-03-28 Thread Phil Pennock via Exim-users
On 2018-03-28 at 11:43 +0200, Mark Elkins via Exim-users wrote: > Begs the question, do DANE enabled machine therefore perhaps require a > stronger encryption - as their owners should know what they are doing? > > I've no idea if it's possible to allow weaker encryption for > opportunistic

[exim] DANE / TLS ciphersuite improvements

2018-03-30 Thread Phil Pennock via Exim-users
On 2018-03-28 at 21:29 -0400, Phil Pennock via Exim-users wrote: > On 2018-03-28 at 21:11 -0400, Phil Pennock via Exim-users wrote: > > $smtp_found_dane or something? Note that DANE support is Experimental > > and feedback and requests are a good thing (patches even better!).

Re: [exim] detecting DMARC-protected domain

2018-07-07 Thread Phil Pennock via Exim-users
On 2018-07-07 at 18:56 +0100, Julian Bradfield via Exim-users wrote: > Is there a way to detect, in the Exim configuration file, whether a > sender domain has a DMARC record? Use a `dnsdb` lookup, look for the DMARC DNS record. The rest of your mail leads me to suggest a better approach, but to