Re: [exim] short host name in local_domains
On 6 June 2019 17:21:41 BST, Marc Haber via Exim-users wrote:
>That would be legal syntax as in
>
>|local_domains =
>@:localhost:${extract{1}{.}{$primary_hostname}}:other.domain.example
>
>?

That's how I read the docs on list-expansion; they're string-expanded first.
As always, test.
--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Re: [exim] short host name in local_domains
On Thu, 06 Jun 2019 18:21:41 +0200, Marc Haber via Exim-users wrote:
>That would be legal syntax as in
>
>|local_domains =
>@:localhost:${extract{1}{.}{$primary_hostname}}:other.domain.example
>
>?

Indeed, and it even makes its way through Debian's magic scripts, making
|dc_other_hostnames='${extract{1}{.}{$primary_hostname}}'
valid and working in /etc/exim4/update-exim4.conf.conf

Greetings
Marc

--
-- !! No courtesy copies, please !! -
Marc Haber         | " Questions are the           | Mail address in header
Mannheim, Germany  |   Beginning of Wisdom "       |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: [exim] short host name in local_domains
On Thu, 6 Jun 2019 16:05:14 +0100, Jeremy Harris via Exim-users wrote:
>On 06/06/2019 15:07, Marc Haber via Exim-users wrote:
>> Am I doing things wrong by adding the short host name to
>> local_domains?
>
>If it works, it's hard to call it wrong.

It's a matter of personal style, I know, and I would like to know of any
situations where this might be a stupid idea.

>> Why does @ only expand to the FQDN and not to FQDN and
>> the short host name?
>
>Someone would be bound to complain, and ask for a way
>of making it only one or the other.
>
>> Why is there not a special expansion item
>> expanding to the short host name?
>
>Nobody's asked for one?
>People regard the FQDN as being more "real" for the host name?
>
>I'm guessing, only.

Obviously ;-)

>If you're wanting this for ease of deployment across many systems,
>use something like ${extract{1}{.}{$primary_hostname}}

That would be legal syntax as in

|local_domains = @:localhost:${extract{1}{.}{$primary_hostname}}:other.domain.example

?

Greetings
Marc

--
-- !! No courtesy copies, please !! -
Marc Haber         | " Questions are the           | Mail address in header
Mannheim, Germany  |   Beginning of Wisdom "       |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: [exim] short host name in local_domains
On 06/06/2019 15:07, Marc Haber via Exim-users wrote:
> in Debian, local_domains gets seeded with "@:localhost" plus whatever
> the local administrator has entered to augment the list of
> local_domains.
>
> I am usually entering the short hostname of the host in that list, so
> that my local_domains usually ends up being like "@:localhost:myhost",
> knowing that @ gets expanded to myhost.domain.example by virtue of
> primary_hostname. This allows stupid local apps to send mail to
> localuser@myhost instead of localuser@myhost.domain.example to have
> localuser aliased away in the /etc/aliases file. Without myhost in
> local_domains, Mail to localuser@myhost would not be considered local
> and probably sent away to a smarthost without the virtue of having the
> local alias file consulted.
>
> Am I doing things wrong by adding the short host name to
> local_domains?

If it works, it's hard to call it wrong.

> Why does @ only expand to the FQDN and not to FQDN and
> the short host name?

Someone would be bound to complain, and ask for a way
of making it only one or the other.

> Why is there not a special expansion item
> expanding to the short host name?

Nobody's asked for one?
People regard the FQDN as being more "real" for the host name?

I'm guessing, only.

If you're wanting this for ease of deployment across many systems,
use something like ${extract{1}{.}{$primary_hostname}}
--
Cheers,
  Jeremy

[exim] short host name in local_domains
Hi,

in Debian, local_domains gets seeded with "@:localhost" plus whatever
the local administrator has entered to augment the list of
local_domains.

I am usually entering the short hostname of the host in that list, so
that my local_domains usually ends up being like "@:localhost:myhost",
knowing that @ gets expanded to myhost.domain.example by virtue of
primary_hostname. This allows stupid local apps to send mail to
localuser@myhost instead of localuser@myhost.domain.example to have
localuser aliased away in the /etc/aliases file. Without myhost in
local_domains, Mail to localuser@myhost would not be considered local
and probably sent away to a smarthost without the virtue of having the
local alias file consulted.

Am I doing things wrong by adding the short host name to
local_domains? Why does @ only expand to the FQDN and not to FQDN and
the short host name? Why is there not a special expansion item
expanding to the short host name?

Greetings
Marc, having been a bit out of touch with e-mail servers for the last
years

--
-- !! No courtesy copies, please !! -
Marc Haber         | " Questions are the           | Mail address in header
Mannheim, Germany  |   Beginning of Wisdom "       |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On 06.06.19 at 14:07, Heiko Schlittermann via Exim-users wrote:
> Hi,
>
> Cyborg via Exim-users (Thu 06 Jun 2019 13:24:21 CEST):
>> As the Advisory is a bit unspecific for a protection, shouldn't a check
>> for "$" in
>>
>> deny message = Restricted characters in address
>>      domains = +local_domains
>>      local_parts = ^[.] : ^.*[\$@%!/|]
> Yes, from my POV it suffices. As Jeremy said, for non-SMTP the same
> should be done.
>
> But, for the 2nd exploit, you should do the same with the sender's
> address.
>

Before anyone asks: for the second exploit:

acl_check_mail:
...
  drop message = Restricted characters in address
       condition = ${if match{$sender_address}{\N.*\$.*run.*\N}{1}{0}}

# BEFORE : IMPORTANT!

  accept hosts = +relay_from_hosts

"\$.*run" because some Bulkmail put "$randomids$randomids" into
bounce email addresses.

best regards,
Marius

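The recipient and sender checks quoted in this message, modelled in Python as an added example (not code from any poster or from Exim). The function names, the sample addresses and the simplified domain match are assumptions; Exim's own list and regex handling covers more cases than this model.

```python
import re

# Regexes as Exim sees them after string expansion of the ACL lines quoted in
# this thread: "\$" in the local_parts list becomes a literal "$", and the
# text between \N ... \N in the condition is passed to the regex engine as-is.
LOCAL_PART_DENY = [re.compile(r"^[.]"), re.compile(r"^.*[$@%!/|]")]
SENDER_DROP = re.compile(r".*\$.*run.*")
DENY_MSG = "Restricted characters in address"


def split_address(address):
    """Split at the last '@'; an unqualified address has an empty domain."""
    if "@" not in address:
        return address, ""
    local_part, _, domain = address.rpartition("@")
    return local_part, domain.lower()


def check_rcpt(address, local_domains, restrict_to_local=True):
    """Model of the 'deny' rule for a recipient: DENY_MSG or None."""
    local_part, domain = split_address(address)
    if restrict_to_local and domain not in local_domains:
        return None  # 'domains = +local_domains' does not match: rule skipped
    if any(rx.search(local_part) for rx in LOCAL_PART_DENY):
        return DENY_MSG
    return None


def check_sender(address):
    """Model of the 'drop' rule in acl_check_mail for the envelope sender."""
    return DENY_MSG if SENDER_DROP.search(address) else None


# Constructed sample addresses (only the first recipient appears in the thread).
LOCAL_DOMAINS = {"mytestserver.de", "localhost"}  # assumed local_domains
RECIPIENTS = [
    "${run{id}}@mytestserver.de",   # the probe from the nc session
    "alice@mytestserver.de",
    ".hidden@mytestserver.de",      # leading dot, first pattern
    "user%relay@mytestserver.de",   # percent sign, second pattern
    "${run{id}}@remote.example",    # not a local domain
]
SENDERS = [
    "",                                 # null sender of a bounce
    "bounce-$a1b2$c3d4@bulk.example",   # bulk-mail ids with "$", no "run"
    "${run{id}}@sender.example",
    "list-$77@brunch.example",          # "$" then "run" inside "brunch"
]


def report():
    """Return (kind, address, verdict) rows for all samples."""
    rows = [("rcpt", a, check_rcpt(a, LOCAL_DOMAINS)) for a in RECIPIENTS]
    rows += [("rcpt-any-domain", a, check_rcpt(a, LOCAL_DOMAINS, False))
             for a in RECIPIENTS]
    rows += [("sender", a, check_sender(a)) for a in SENDERS]
    return rows


if __name__ == "__main__":
    for kind, address, verdict in report():
        print(f"{kind:16} {address!r:36} {verdict or 'pass'}")
```

The last sender row is an ordinary-looking address that the substring pattern still drops, and the last recipient row passes unless the rule is applied to all domains.
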
Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On 06.06.19 at 14:25, Spencer Marshall via Exim-users wrote:
> why is this only being applied to +local_domains? why not everything?
> deny message = Restricted characters in address
>      local_parts = ^[.] : ^.*[\$@%!/|]
>
>

Because there are two Restricted Char rules, one for your domain, and
one for other domains, and the regex match differs a bit. YOU can shrink
that down if you like.

Honestly, I wondered myself why there are two rules, but adding it to
two rules isn't that much more work, so I left it as it was.
(2 rules patched, 1 added for exploit #2)

Best regards,
Marius

Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On 6 Jun 2019, at 13:25, Spencer Marshall via Exim-users wrote:
> why is this only being applied to +local_domains? why not everything?
> deny message = Restricted characters in address
>      local_parts = ^[.] : ^.*[\$@%!/|]

Primarily because you’re not in control of what remote systems consider to
be valid or invalid characters in the local part of their email addresses.

You are in total control of your own (“local”) domains; if the specific
instance of Exim only ever talks to systems you control, you can apply it
across the board. If you have emails routing through it to remote, external
domains outside your control… there be dragons.

Graeme

Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
why is this only being applied to +local_domains? why not everything?

deny message = Restricted characters in address
     local_parts = ^[.] : ^.*[\$@%!/|]

Hi,

Cyborg via Exim-users (Thu 06 Jun 2019 13:24:21 CEST):
> As the Advisory is a bit unspecific for a protection, shouldn't a check
> for "$" in
>
> deny message = Restricted characters in address
>      domains = +local_domains
>      local_parts = ^[.] : ^.*[\$@%!/|]

Yes, from my POV it suffices. As Jeremy said, for non-SMTP the same
should be done.

But, for the 2nd exploit, you should do the same with the sender's
address.

    Best regards from Dresden/Germany
    Many greetings from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -

Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On 06/06/2019 12:56, Cyborg via Exim-users wrote:
>> exim -bV | grep -i support
> Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL
> Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
>
> Does that "Event" mean, the code is in it or is it part of another string?

It means "the support for Events is present".
--
Cheers,
  Jeremy

Re: [exim] Incoming mails sometimes with no headers.
Hi Jeremy,

Exim is connecting via 127.0.0.1:783 to SA, so it is just glancing at it,
not messing around with it (as far as I understand). And since headers are
already missing in SA, cyrus can be ruled out.

Best regards,
---
Jan.

On 06.06.19 at 14:00, Jeremy Harris via Exim-users wrote:
> On 06/06/2019 12:43, Jan Kriesten via Exim-users wrote:
>> Occasionally, the inbound header is stripped (no to, from, subject)
> Any pattern you can see among the occurrences?
>
> As well as SA being involved, you seem to be delivering via cyrus,
> so there are multiple possible places for breakage. Is your SA
> passing the message through, or just glancing at it as it
> goes past? What interface to Exim is SA using?
>

Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
Hi,

Cyborg via Exim-users (Thu 06 Jun 2019 13:24:21 CEST):
> As the Advisory is a bit unspecific for a protection, shouldn't a check
> for "$" in
>
> deny message = Restricted characters in address
>      domains = +local_domains
>      local_parts = ^[.] : ^.*[\$@%!/|]

Yes, from my POV it suffices. As Jeremy said, for non-SMTP the same
should be done.

But, for the 2nd exploit, you should do the same with the sender's
address.

    Best regards from Dresden/Germany
    Many greetings from Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 -

Re: [exim] Incoming mails sometimes with no headers.
On 06/06/2019 12:43, Jan Kriesten via Exim-users wrote:
> Occasionally, the inbound header is stripped (no to, from, subject)

Any pattern you can see among the occurrences?

As well as SA being involved, you seem to be delivering via cyrus,
so there are multiple possible places for breakage. Is your SA
passing the message through, or just glancing at it as it
goes past? What interface to Exim is SA using?
--
Cheers,
  Jeremy

Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
Hi Jeremy,

On 06.06.19 at 13:40, Jeremy Harris via Exim-users wrote:
> exim -bV | grep -i support

Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL
Content_Scanning DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open

Does that "Event" mean, the code is in it or is it part of another string?

I really hoped for something like this for apache: (httpd -V)

...
Server compiled with
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

but if rejecting addresses with "$" is all "for now", I have enough
information until the exim upgrade is run through. Thx.

best regards,
marius

Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On 06/06/2019 12:24, Cyborg via Exim-users wrote:
> As the Advisory is a bit unspecific for a protection, shouldn't a check
> for "$" in
>
> deny message = Restricted characters in address
>      domains = +local_domains
>      local_parts = ^[.] : ^.*[\$@%!/|]

That would suffice. You'd want to do the equivalent in the non-smtp
ACL also, and I'd personally not restrict it to local domains.

> Is it possible/plausible that Fedora built it with "DISABLE_EVENT" defined,
> so the vulnerable code is not in there?
>
> any way to check that ( did not find the show compile settings on the web ) ?

exim -bV | grep -i support
--
Cheers,
  Jeremy

[exim] Incoming mails sometimes with no headers.
Hey!

I've got something quite strange going on with our exim installation:

Occasionally, the inbound header is stripped (no to, from, subject) and
the only thing left is like the following:

===
Return-Path:
Received: from service ([unix socket])
	by service (Cyrus v2.4.20) with LMTPA;
	Thu, 06 Jun 2019 13:07:34 +0200
X-Sieve: CMU Sieve 2.4
Envelope-to: f...@dc.ba
Delivery-date: Thu, 06 Jun 2019 13:07:34 +0200
Received: from us-smtp-delivery.somedomain.com ([xxx.xxx.xxx.xxx])
	by service with esmtps (TLSv1.2:ECDHE-RSA-AES256-SHA384:256)
	(Exim 4.92)
	(envelope-from )
	id 1hYqF3-0007I9-JF
	for f...@dc.ba; Thu, 06 Jun 2019 13:07:34 +0200
===

I run exim 4.92 w/ SpamAssassin and the spam check is already missing
the headers, too:

[Exim-log]
2019-06-06 13:07:34 1hYqF3-0007I9-JF <= a...@cd.ef H=uus-smtp-delivery.somedomain.com [xxx.xxx.xxx.xxx] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=no S=9865
2019-06-06 13:07:34 1hYqF3-0007I9-JF => fe R=cyrus_vdom T=cyrus_ltcp C="250 2.1.5 Ok SESSIONID="

[spamd-log]
Jun 6 13:07:34 service spamd[23669]: spamd: result: . -94 - MISSING_DATE,MISSING_FROM,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,TVD_SPACE_RATIO,USER_IN_WHITELIST scantime=0.2,size=9949,user=nobody,uid=65534,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36240,mid=(unknown),autolearn=disabled

[cyrus-log]
Jun 6 13:07:34 service cyrus/lmtpunix[28007]: Delivered: to mailbox: user.fe

So, it looks to me that those headers are already missing when delivered
to our server. However, this mail got BCC'ed to a GMail host and there
all headers were available!

It seems to have something to do with adding BCC or CC to the recipient
list on the sender site, but I haven't been able to really find the point
on where and why it is failing.

Anyone any ideas?

Best regards,
Jan.

Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On 05.06.19 at 17:17, Heiko Schlittermann via Exim-users wrote:
> The fix for CVE-2019-10149 is public now.
>

As the Advisory is a bit unspecific for a protection, shouldn't a check
for "$" in

deny message = Restricted characters in address
     domains = +local_domains
     local_parts = ^[.] : ^.*[\$@%!/|]

and the non-local domains block, prevent such an attack on any version?

Like in this working example I executed 10 minutes ago:

[root@c1 ~]# nc 127.0.0.1 25
220 mytestserver.de ESMTP Exim 4.90_1 Thu, 06 Jun 2019 12:50:11 +0200
HELO d1.ret.de
250 mytestserver.de Hello localhost [127.0.0.1]
MAIL FROM:
250 OK
RCPT TO: <${run{id}}@mytestserver.de>
550 Restricted characters in address

Tested on a live server.

The advisory also says:

/Because expand_string() recognizes the "${run{ }}" expansion item, and
because new->address is the recipient of the mail that is being
delivered, *a local attacker can simply send a mail to
"${run{...}}@...alhost" (where "localhost" is one of Exim's
local_domains)* and execute arbitrary commands, as root
(deliver_drop_privilege is false, by default):/

I did this, and nothing happened in an unprotected server config. strace
did not show an execution of the given command at all.

Is it possible/plausible that Fedora built it with "DISABLE_EVENT" defined,
so the vulnerable code is not in there?

any way to check that ( did not find the show compile settings on the web ) ?

Re: [exim] CVE-2019-10149: 4.87 to 4.91 are vulnerable
On Wed, 05-06-2019 at 17:17 +0200, Heiko Schlittermann via Exim-users wrote:
> The fix for CVE-2019-10149 is public now.
>
> https://git.exim.org/exim.git
> Branch exim-4_91+fixes.
>
> Thank you to
> - Qualys for reporting it.
> - Jeremy for fixing it.
> - you for using Exim.

Thank you Qualys, Jeremy and Heiko, really.

greetings

Re: [exim] Trouble compiling Exim 4.92
On 06.06.2019 10:28, Niels Dettenbach via Exim-users wrote:

Hi Niels

> Do you have -lspf2 in LOOKUP_LIBS too? It seems, I need this.
>
> You may even try to enable.
>
> EXPERIMENTAL_SPF=yes
> SUPPORT_SPF=yes

Got it! ;)
I added "-l spf2" in LOOKUP_LIBS and "EXPERIMENTAL_SPF=yes" and now I can
compile Exim!

Thanks a lot
Luca Bertoncello
(lucab...@lucabert.de)

Re: [exim] Trouble compiling Exim 4.92
On Thursday, 6 June 2019, 10:09:20 CEST, Luca Bertoncello via Exim-users wrote:
> I have these lines in Local/Makefile:
>
> SUPPORT_SPF=yes
> CFLAGS += -I/usr/include
> LDFLAGS += -L/usr/lib -lspf2
>
> and of course I have libspf2 (and dev...) installed.
> I'm using a Debian Jessie.

Do you have -lspf2 in LOOKUP_LIBS too? It seems, I need this.

You may even try to enable.

EXPERIMENTAL_SPF=yes
SUPPORT_SPF=yes

and (just for sure) don't forget to do a

make clean

before trying another build with this.

hth
best regards,

niels.
--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---

[exim] Trouble compiling Exim 4.92
Hi list!

I'm trying to compile Exim 4.92, but I get this error:

gcc -o exim
drtables.o: In function `init_lookup_list':
drtables.c:(.text+0x20e): undefined reference to `spf_lookup_module_info'
collect2: error: ld returned 1 exit status
Makefile:645: recipe for target 'exim' failed
make[1]: *** [exim] Error 1
make[1]: Leaving directory '/home/download/exim/exim-4.92/build-Linux-x86_64'
Makefile:35: recipe for target 'all' failed
make: *** [all] Error 2

I have these lines in Local/Makefile:

SUPPORT_SPF=yes
CFLAGS += -I/usr/include
LDFLAGS += -L/usr/lib -lspf2

and of course I have libspf2 (and dev...) installed.
I'm using a Debian Jessie.

Any idea?

Thanks
Luca Bertoncello
(lucab...@lucabert.de)