Re: [exim] Adding authentication-results header field only locally

2020-09-21 Thread Jim Fenton via Exim-users

On 18 Sep 2020, at 17:09, Jeremy Harris via Exim-users wrote:

> On 17/09/2020 23:30, Jim Fenton via Exim-users wrote:
>
>> So instead I have tried putting into my mail_spool transport:
>>
>> headers_add = ${authresults {$primary_hostname}}
>>
>> but I'm not seeing the header field in locally-delivered messages (yes,
>> I am using mail_spool local delivery). Is this the wrong approach?
>
> It's not one I'd considered.  My assumption was that since
> one does authentication in the various ways as Exim accepts
> the message, that was when the results would be recorded.
> Obviously I wasn't thinking hard enough.
>
> I think it will mostly, but not quite all, work.
> Bits of the ARC info, for example, I think will not.
> Basically, all the items that are made
> available as exim variables will be ok (because they get
> passed along with the message even in spool files).
> Other info will not.

That's what happened; the DKIM authentication results were not
included when the header field was added in this manner.

> You could, in acl, plonk the header string into a variable
> which this one transport then used to add it as a header.

This must be the way to go (haven't done this yet). But when I put the
above line into the appropriate router config, an Exim process crashed
with a segmentation violation when I locally sent a message to myself
(the message was queued, and this happened on each queue run).
Apparently those variables aren't always populated. I'm not sure
whether this would be considered a bug or just a misconfiguration, but
I'm happy to create a bug report if appropriate.


-Jim

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
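The approach Jeremy describes above (capture the string in the ACL, add it from the one local transport), written out as an added configuration example. It is not from the thread and not part of Exim's own documentation. Assumed: the DATA ACL is called acl_check_data, the variable name acl_m_authres is this example's choice, the mail_spool appendfile transport is the one from the thread, and the Exim version has the ${authresults} expansion (4.91 or later).

```exim
# ACL section.  acl_check_data is whatever your acl_smtp_data option names;
# the variable name acl_m_authres is this example's choice.
acl_check_data:
  # Capture the finished header line here, while the DKIM/SPF/ARC state
  # from reception is still live.  acl_m_* variables are written to the
  # spool with the message, so the transport can read them at delivery
  # time, which a bare ${authresults} in the transport cannot do.
  warn
    set acl_m_authres = ${authresults {$primary_hostname}}

  accept

# Transports section.  Only this local transport adds the header; mail that
# is relayed onward goes through other transports and is left untouched.
mail_spool:
  driver = appendfile
  # file = / directory = and the rest of your existing options stay as they are
  #
  # Locally submitted messages never pass through acl_smtp_data (they get
  # acl_not_smtp instead), so the variable can be unset for them: add
  # nothing in that case rather than expanding a missing value.
  headers_add = ${if def:acl_m_authres {$acl_m_authres}}
```

To check it, send one message in over SMTP and one with `exim -odq user@localhost` from the shell, then run `exim -Mvh <message-id>` on each queued message: the SMTP one should show a `-aclm` entry for authres in its spool header, the local one should not, and only the SMTP one gets the Authentication-Results header on delivery.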


Re: [exim] Limit Inbound E-mail to Certain IP Range Per cPanel Domain

2020-09-21 Thread Cyborg via Exim-users
Am 21.09.20 um 21:34 schrieb Danielle McLeod via Exim-users:
> Hello,
>
> I'm trawling through the Exim ACL documentation but don't think I can
> find a way for this to work.
>
> I'm trying to make it so only a certain IP range will be allowed
> through Exim to a specific domain, with other domains unaffected by
> this ACL.
>
> Is something like this possible? If so, where might I start looking?
> For more context, this is in cPanel, though I imagine that just adds
> an unnecessary layer of complexity to the question.
>

Database SQL lookup with a regex match on the IP range: -> something <-
like this:

# In the RCPT ACL, $domain is the recipient's domain.  First accept when the
# sending host matches a range stored for that domain (ipranges.range holds
# a regular expression that MySQL applies with REGEXP).
accept
  condition = ${if eq{1}{${lookup mysql{SELECT '1' FROM ipranges \
                WHERE domain = '${quote_mysql:$domain}' \
                AND '${quote_mysql:$sender_host_address}' REGEXP range \
                LIMIT 1}}}{yes}{no}}

# Then deny if the domain is one that has an IP whitelist at all (the accept
# above did not match).  Domains absent from the table fall through unaffected.
deny
  condition = ${if eq{1}{${lookup mysql{SELECT '1' FROM whitelistdomains \
                WHERE domain = '${quote_mysql:$domain}' LIMIT 1}}}{yes}{no}}


best regards,
Marius



Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Viktor Dukhovni via Exim-users
On Mon, Sep 21, 2020 at 02:07:00PM -0600, Dan Egli via Exim-users wrote:

> You didn't answer my main question of how do I determine if I need to 
> upgrade my LetsEncrypt certificates.

If you're not using DANE, there's nothing special you need to do with
your Let's Encrypt certificates.  Just run "certbot" or your preferred
ACME client on a regular basis to make sure the certs have not expired.

> And although I'm going to google it, What the %$&@%$* is DANE? :-[

https://tools.ietf.org/html/rfc7672#section-1.3

-- 
Viktor.



Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Dan Egli via Exim-users

On 9/21/2020 2:39 AM, Jeremy Harris via Exim-users wrote:

> On 21/09/2020 09:34, Dan Egli via Exim-users wrote:
>
>> Forgive me for being a bit dense, but I'm new to the SSL world. I have
>> certificates by LetsEncrypt, generated about a month ago. Where and how
>> do I look to determine if I need new certificates. And what's with the
>> TLSA DNS entries? I've never heard of a TLSA record.
>
> TLSA records are part of DANE.  If you're not using DANE, you
> don't need them.

You didn't answer my main question of how do I determine if I need to
upgrade my LetsEncrypt certificates.

And although I'm going to google it, What the %$&@%$* is DANE? :-[




Re: [exim] Limit Inbound E-mail to Certain IP Range Per cPanel Domain

2020-09-21 Thread Jeremy Harris via Exim-users
On 21/09/2020 20:34, Danielle McLeod via Exim-users wrote:
> I'm trying to make it so only a certain IP range will be allowed through
> Exim to a specific domain, with other domains unaffected by this ACL.

OK, ACL's chapter in the docs.  And you're looking at the sender's IP.
This is available in any ACL you fancy...  you may as well hit it early.

Is there a neat condition that looks at the sender, that you could use?

You probably want a "deny everything but such-and-such" construct -
so think in terms of a condition which selects what IPs you want
to permit, negated.
-- 
Cheers,
  Jeremy

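One way to write the negated "deny everything but such-and-such" construct Jeremy describes, as an added example that is not from the thread or from cPanel. Assumed: the RCPT ACL is named acl_check_rcpt, the per-domain networks live in a hypothetical lsearch file /etc/exim/domain-networks, and restricted.example with the 192.0.2.0/24, 198.51.100.7 and 2001:db8::/32 networks are made-up values. Where cPanel lets you splice a custom ACL fragment into its generated exim.conf is outside this example.

```exim
# /etc/exim/domain-networks (assumed path; lsearch format: one recipient
# domain per line, its allowed networks after the colon, separated by ";"
# so that IPv6 literals are unambiguous):
#
#   restricted.example: 192.0.2.0/24; 198.51.100.7; 2001:db8::/32

acl_check_rcpt:
  # Deny early for listed domains when the sending host is outside that
  # domain's networks.  "domains" only matches domains present in the file,
  # so every other domain never hits this statement and is unaffected.
  # When "domains" matches via a lookup, Exim places the looked-up value in
  # $domain_data; that is the list "!hosts" tests against ("<;" switches the
  # host-list separator to ";" to match the file).
  deny
    domains       = lsearch;/etc/exim/domain-networks
    !hosts        = <; $domain_data
    # Do not lock out the domain's own users submitting with SMTP AUTH from
    # elsewhere; drop this line if inbound-only restriction is really wanted.
    !authenticated = *
    message       = Mail for $domain is not accepted from $sender_host_address
    log_message   = domain-restricted: $domain from $sender_host_address

  # ... your existing RCPT checks (relay control, recipient verification, ...)
  accept
```

Test it without sending real mail: `exim -bh 203.0.113.5` (an address outside the list) and walk through `MAIL FROM:` and `RCPT TO:<someone@restricted.example>` to see the deny and its log line, then repeat with `exim -bh 192.0.2.10` and with a recipient in an unlisted domain to confirm both are accepted. The lookup result in $domain_data is untainted, which is why it can be used directly in the hosts list on Exim 4.94 and later.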


[exim] Limit Inbound E-mail to Certain IP Range Per cPanel Domain

2020-09-21 Thread Danielle McLeod via Exim-users

Hello,

I'm trawling through the Exim ACL documentation but don't think I can
find a way for this to work.


I'm trying to make it so only a certain IP range will be allowed through 
Exim to a specific domain, with other domains unaffected by this ACL.


Is something like this possible? If so, where might I start looking? For 
more context, this is in cPanel, though I imagine that just adds an 
unnecessary layer of complexity to the question.


Thank you,

--
Danielle M




Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Richard James Salts via Exim-users
On Monday, 21 September 2020 6:39:35 PM AEST Jeremy Harris via Exim-users 
wrote:
> On 21/09/2020 09:34, Dan Egli via Exim-users wrote:
> > Forgive me for being a bit dense, but I'm new to the SSL world. I have
> > certificates by LetsEncrypt, generated about a month ago. Where and how
> > do I look to determine if I need new certificates. And what's with the
> > TLSA DNS entries? I've never heard of a TLSA record.
> 
> TLSA records are part of DANE.  If you're not using DANE, you
> don't need them.
DANE is a means of publishing trust information in the DNS with DNSSEC 
signatures as an alternative to the CAs acting as a trusted 3rd party. This 
helps in email as many MX records are not able to be tied to a common name 
and/or subject alternative name that would match the domain of the email 
recipient that could be verified by the sender. 






Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Jeremy Harris via Exim-users
On 21/09/2020 09:34, Dan Egli via Exim-users wrote:
> Forgive me for being a bit dense, but I'm new to the SSL world. I have
> certificates by LetsEncrypt, generated about a month ago. Where and how
> do I look to determine if I need new certificates. And what's with the
> TLSA DNS entries? I've never heard of a TLSA record.

TLSA records are part of DANE.  If you're not using DANE, you
don't need them.
-- 
Cheers,
  Jeremy



Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Dan Egli via Exim-users

On 9/21/2020 1:51 AM, Viktor Dukhovni via Exim-users wrote:

> https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane
>
> that the "backup" CAs should also be listed, as LE might need to switch
> to using them in an emergency without prior notice.
>
> Therefore the full list of DANE-TA(2) digests to publish (when relying
> on these rather than "3 1 1" records) is:
>
> ; (These can be retired soon, but not just yet)
> ;
> ; letsencryptauthorityx3.pem
> ; letsencryptauthorityx4.pem
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
>
> ; (May not be needed if your leaf cert is RSA, ECDSA certs
> ; will I expect be soon signed with one of these).
> ;
> ; lets-encrypt-e1.pem
> ; lets-encrypt-e2.pem
> ;
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
> _25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270
>
> ; (May not be needed if your leaf cert is ECDSA, once
> ; ECDSA certificate issuance cuts over to e1/e2).
> ;
> ; lets-encrypt-r3.pem
> ; lets-encrypt-r4.pem

Forgive me for being a bit dense, but I'm new to the SSL world. I have
certificates by LetsEncrypt, generated about a month ago. Where and how
do I look to determine if I need new certificates. And what's with the
TLSA DNS entries? I've never heard of a TLSA record.


Thanks!

--

Dan Egli on my Test Site





Re: [exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Viktor Dukhovni via Exim-users
On Mon, Sep 21, 2020 at 04:23:55AM -0200, Viktor Dukhovni via Exim-users wrote:

> Links to the actual certificates can be found at:
> 
>   https://letsencrypt.org/certificates/
>   https://letsencrypt.org/certs/lets-encrypt-r3.pem
>   https://letsencrypt.org/certs/lets-encrypt-e1.pem
> 
> The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
> re-compute these for yourself):
> 
>   ; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
>   ;
>   _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
> 
>   ; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
>   ;
>   _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10

It was correctly noted in:


https://community.letsencrypt.org/t/dane-and-upcoming-le-issuer-certs/134172/2?u=ietf-dane

that the "backup" CAs should also be listed, as LE might need to switch
to using them in an emergency without prior notice.

Therefore the full list of DANE-TA(2) digests to publish (when relying
on these rather than "3 1 1" records) is:

; (These can be retired soon, but not just yet)
;
; letsencryptauthorityx3.pem
; letsencryptauthorityx4.pem 
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
_25._tcp.smtp.example.org. IN TLSA 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B

; (May not be needed if your leaf cert is RSA, ECDSA certs
; will I expect be soon signed with one of these).
;
; lets-encrypt-e1.pem
; lets-encrypt-e2.pem
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
_25._tcp.smtp.example.org. IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422E0C89270

; (May not be needed if your leaf cert is ECDSA, once 
; ECDSA certificate issuance cuts over to e1/e2).
;
; lets-encrypt-r3.pem
; lets-encrypt-r4.pem

-- 
Viktor.



[exim] PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates

2020-09-21 Thread Viktor Dukhovni via Exim-users
Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be
phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA
"2 1 1" records matching "X3" will not match "R3" or "E1".

 https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html

If you are using Let's Encrypt with DANE-TA(2) [issuer CA] TLSA records, any
extant "2 1 1" records need to be augmented soon with additional records
matching the new "R3" and "E1", in advance of these reissuing your certificates.

Failure to act in time is likely to result in an outage once renewals switch to
signing via "R3" or "E1".

Links to the actual certificates can be found at:

https://letsencrypt.org/certificates/
https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/lets-encrypt-e1.pem

The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
re-compute these for yourself):

; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D

; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10

The above were computed with the attached "tlsagen" script, but it is
prudent to also check with tools from other sources, this email message
could well have been a forgery (I hope your copy matches what I sent).

-- 
Viktor.



[Attachment: tlsagen (binary data)]


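How a "2 1 1" digest is derived, and the pre-flight check the thread is really about (are the CAs that might sign your next renewal all covered by what you publish?), as an added Python example. It is not Viktor's attached tlsagen script and not part of Exim. A "2 1 1" record is usage 2 (DANE-TA, match the issuing CA), selector 1 (the SubjectPublicKeyInfo rather than the whole certificate) and matching type 1 (SHA-256), so the code walks the DER of a certificate to its SPKI and hashes that. The two certificates it builds are constructed placeholders with made-up key bytes and an unsigned signature field, only there so the block runs offline; point spki_sha256() at the real lets-encrypt-r3.pem and friends to compare with the digests quoted above.

```python
"""Compute and pre-check DANE-TA(2) "2 1 1" TLSA digests for CA certificates.

Added example, not the tlsagen script from the list message.  The DER walker
knows just enough ASN.1 to locate subjectPublicKeyInfo inside a Certificate;
it validates nothing else (no signature, no chain, no names).
"""
import base64
import hashlib
import re


def _tlv(data: bytes, pos: int):
    """Decode the header of one DER element at pos: (tag, header_len, value_len)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        return tag, 2, first
    nbytes = first & 0x7F
    return tag, 2 + nbytes, int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")


def _children(data: bytes, pos: int, end: int):
    """Yield (tag, start, end) of each element inside a constructed value."""
    while pos < end:
        tag, hlen, vlen = _tlv(data, pos)
        yield tag, pos, pos + hlen + vlen
        pos += hlen + vlen


def _der(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to build the sample certificates."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def spki_der(cert_der: bytes) -> bytes:
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 Certificate."""
    tag, hlen, _ = _tlv(cert_der, 0)                       # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tbs_tag, tbs_start, tbs_end = next(_children(cert_der, hlen, len(cert_der)))
    assert tbs_tag == 0x30, "tbsCertificate missing"
    _, tbs_hlen, _ = _tlv(cert_der, tbs_start)
    fields = list(_children(cert_der, tbs_start + tbs_hlen, tbs_end))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, start, end = fields[5]
    return cert_der[start:end]


def spki_sha256(cert_der: bytes) -> str:
    """Selector 1 + matching type 1: SHA-256 over the SPKI, upper-case hex."""
    return hashlib.sha256(spki_der(cert_der)).hexdigest().upper()


def tlsa_2_1_1(cert_der: bytes, owner: str = "_25._tcp.smtp.example.org.") -> str:
    return f"{owner} IN TLSA 2 1 1 {spki_sha256(cert_der)}"


def covered_by_tlsa(issuer_certs: list, published_digests: set) -> bool:
    """Pre-flight check for a CA key rollover: is every issuer that might sign
    your next leaf already listed?  Usage 2 matches the issuer's key, so an
    intermediate with a new key (X3 -> R3) needs its own record in advance."""
    return all(spki_sha256(c) in published_digests for c in issuer_certs)


def sample_certificate_der(key_bytes: bytes) -> bytes:
    """Constructed sample: correct X.509 layout, placeholder key and signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b""))  # rsaEncryption
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key_bytes))   # BIT STRING, 0 unused bits
    validity = _der(0x30, _der(0x17, b"200901000000Z") + _der(0x17, b"250901000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + validity + _der(0x30, b"") + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + bytes(32)))


def sample_certificate_pem(key_bytes: bytes) -> str:
    b64 = base64.b64encode(sample_certificate_der(key_bytes)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    old_ca = sample_certificate_der(bytes(range(256)))             # stands in for "X3"
    new_ca = sample_certificate_der(bytes(reversed(range(256))))   # stands in for "R3"
    print(tlsa_2_1_1(old_ca))
    print(tlsa_2_1_1(new_ca))
    # Publishing only the old CA's digest leaves the rollover uncovered.
    print("rollover safe:", covered_by_tlsa([old_ca, new_ca], {spki_sha256(old_ca)}))
```

For a second opinion from a different code base, as the message advises, the same digest comes out of `openssl x509 -in lets-encrypt-r3.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`; if the two disagree, trust neither until you know why.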