On 2020-10-01 at 13:24 +0700, Victor Sudakov via Exim-users wrote:
> Could you please help me unite the following two ACL expressions into one:
>
> accept condition =
> ${lookup{$local_part@$domain}lsearch{/etc/dovecot/aliases}{yes}}
> accept condition =
>
On 2020-07-15 at 10:02 +0100, Jeremy Harris via Exim-users wrote:
> On 14/07/2020 18:57, Johnnie W Adams via Exim-users wrote:
> > Now I'm replacing that box with a newer one and wondering how to move
> > the queue of frozen mail from the old machine to the new--or if I'm better
> > off just
On 2020-06-17 at 19:51 -0400, Felipe Gasper wrote:
> > On Jun 17, 2020, at 6:22 PM, Phil Pennock via Exim-users
> > wrote:
> > because TLS1.3 mandates SNI.
>
> Phil, do you have a citation for this? I skimmed the RFC just now, and the
> only mandatory d
On 2020-06-17 at 15:34 -0400, John R. Levine via Exim-users wrote:
> For example, here's where you can find the MTA-STS for my iecc.com:
>
> https://mta-sts.iecc.com/.well-known/mta-sts.txt
My stance on MTA-STS is that it's reasonable to advertise to get the big
players talking to you, but
On 2020-04-16 at 16:00 -0400, Viktor Dukhovni via Exim-users wrote:
> On Thu, Apr 16, 2020 at 07:53:08PM +0100, Jeremy Harris via Exim-users wrote:
> > On 15/04/2020 18:46, Viktor Dukhovni via Exim-users wrote:
> > > I read this to mean that the new "trust-ad" option, if set, causes the
> > >
On 2020-03-25 at 13:10 -0400, Phil Pennock via Exim-users wrote:
> On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> > We recently received many of our end users' complaints that they are having
> > problems sending email to *.gov.hk with this exim error:
> > DA
On 2020-03-23 at 20:54 +0800, daniel via Exim-users wrote:
> We recently received many of our end users' complaints that they are having
> problems sending email to *.gov.hk with this exim error:
> DANE ERROR: TLSA LOOKUP DEFER
Their DNS is broken.
> However we have contacted our government and
On 2020-03-10 at 17:11 -0400, Robert Blayzor via Exim-users wrote:
> Would this be a valid design and what are the caveats? What would a
> better design option be?
Caveat: the guarantee of SMTP is that you have responsibility once you
accept the message, so think carefully about the resiliency of
On 2020-03-05 at 09:02 +, Graham McAlister via Exim-users wrote:
> Suspect my distro build uses openssl instead of gnutls and my version
> of openssl is 1.1.0 but ed25519 support is in 1.1.1
>
> So, either I build exim to use gnutls, or I upgrade openssl to 1.1.1
>
> That's my plan, and will
On 2020-03-04 at 09:06 +, Graham McAlister via Exim-users wrote:
> Has anyone successfully used Exim and DKIM with ed25519 keys? Any pointers?
Yes. I dual-sign. It's amusing to see all the status reports from
systems which don't implement Ed25519. At least most of them now will
accept
On 2019-09-18 at 23:05 +0200, Heiko Schlittermann via Exim-users wrote:
> Wouldn't it be better to integrate it into Exim itself?
> Can't we use the authenticators for this? Write a new
> driver, xoauth2, and use it in the transport section?
If recollection serves, XOAUTH2 can require prompting
On 2019-09-07 at 08:23 +0200, Heiko Schlittermann wrote:
> Phil Pennock (Sa 07 Sep 2019 02:52:56 CEST):
> > The connect ACL won't protect you against STARTTLS usage, which is far
> > more common for email than TLS-on-connect.
> >
> > I myself use the HELO ACL.
>
> This doesn't seem to be
On 2019-09-06 at 22:04 +0200, Heiko Schlittermann via Exim-users wrote:
> The HELO ACL doesn't help either, as the first EHLO comes before
> STARTTLS, and the second EHLO doesn't have to come, the client may send
Oh pox. My memory is going. I hadn't realized that my protection
against this
On 2019-09-06 at 20:50 +0200, Sebastian Nielsen wrote:
> Shouldn't this be in connect ACL?
> How would the deny in MAIL FROM prevent the exploit? What I have understood
> is that there is exploit in the SNI of the TLS negotiation, thus the whole
> connect attempt must be rejected right?
The
On 2019-08-14 at 12:24 -0400, Phil Pennock via Exim-users wrote:
> On 2019-08-14 at 12:54 +0100, Jeremy Harris via Exim-users wrote:
> > Do we need a fast/poor quota method for cases where the size-file
> > cannot be used?
>
> Just to raise the possibility to see if other
On 2019-08-14 at 12:54 +0100, Jeremy Harris via Exim-users wrote:
> Do we need a fast/poor quota method for cases where the size-file
> cannot be used?
Just to raise the possibility to see if others can spot approaches which
make this feasible rather than a giant can of worms: direct support for
On 2019-06-26 at 10:42 -, Jasen Betts via Exim-users wrote:
> alternatively in ACL_AUTH
>
> drop
> set acl_c_auth_count = ${eval: $acl_c_auth_count + 1}
> condition = ${if >{1}{$acl_c_auth_count }}
> message = "go away"
>
> which will allow only one attempt at auth per connect.
On 2019-06-20 at 14:26 +0200, Frank Richter via Exim-users wrote:
> after upgrading to exim-4.92 (EPEL exim-4.92-1.el6.x86_64) our gssapi
> authenticator doesn't work any more.
Debugging permissions and interactions and libraries automatically
dropping access for setuid programs was such a
On 2019-05-19 at 16:05 +0200, Arno Thuber via Exim-users wrote:
> From chapter 55 of the Exim documentation I see that Exim delivery drops
> rights which it has as a server but I don't fully understand it - or I
> don't understand Unix access rights. With user Debian-exim member of
> privkey_users
On 2019-05-19 at 19:17 +0100, Richard Jones via Exim-users wrote:
> # egrep -o 'X=TLS[^ ]+' /var/log/exim4/mainlog | sort | uniq -c | sort -n |
> tail
That will include all the outbound, and also all the spammers whom you
ended up rejecting (because yes spammers use TLS nowadays).
$ pcregrep
On 2019-05-08 at 00:39 +0100, Mike Tubby via Exim-users wrote:
> Which suggests I need something like:
>
> user_filter:
> driver = forwardfile
> data = ${lookup mysql{SELECT rule FROM users LEFT JOIN domains \
> ON domains.id=users.domain_id LEFT JOIN filters \
> ON
On 2019-03-31 at 19:12 +0100, Mike Tubby via Exim-users wrote:
> no IP address found for host bazar2.conectiva.com.br
Some Googling suggests that this host used to run a Mailman instance
popular for hosting some Brazilian mailing-lists.
Seems like the sort of thing which might end up
On 2019-03-29 at 13:44 +, Richard Jones via Exim-users wrote:
> I was hoping to be able to validate them, yes. It just seems overkill to
> also offer every root CA installed.
>
> If it's a choice of one cert or all, then clearly this isn't the end of
> the world, and thanks!
This is a crypto
On 2019-01-31 at 10:10 +, Jeremy Harris via Exim-users wrote:
> On 31/01/2019 09:47, sqit via Exim-users wrote:
> > Forgive me if there has already been a thread on this but I didn't see one.
> > Is MTA-STS policy validation being considered for the Exim development
> > roadmap?
>
> Not by
On 2019-01-29 at 10:30 +0100, Heiko Schlittermann via Exim-users wrote:
> - The tcpdump show a V4 SETATTR, but only for the owner (I'd have
> expected the group too), AND the owner is numerical, not user@domain,
> as I would have expected. The pcap file is attached.
It's showing a GETATTR,
On 2019-01-28 at 15:09 +, Andrew C Aitchison via Exim-users wrote:
> I see many header lines like:
>
> Received: from smtp.spodhuis.org ([2a02:898:31:0:48:4558:736d:7470]:34422
> helo=mx.spodhuis.org)
> by hummus.csx.cam.ac.uk with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256)
> (Exim 4.91)
On 2018-12-14 at 17:22 +, Jeremy Harris via Exim-users wrote:
> Possibly the main-config option openssl_options?
>
> The docs list possibilities including
> no_tlsv1
> no_tlsv1_1
>
> so I'd be tempted to try those without the "no_".
Alas, no. You'd want `-no_tlsv1` but I doubt that
On 2018-09-11 at 11:05 -0400, Viktor Dukhovni via Exim-users wrote:
> On Tue, Sep 11, 2018 at 03:37:12PM +0100, Jeremy Harris via Exim-users wrote:
> > They may well find that applications just refuse to change.
>
> Debian Stretch ships with 1.1.0, applications are moving along.
My proposal to
On 2018-08-30 at 12:27 +0200, Mark Elkins via Exim-dev wrote:
> What this is telling me is someone at 157.0.116.189 is making
> connections to my mail server - presumably to see if they can detect the
> accounts of users on my machine?
This really belongs on exim-users, not exim-dev (bcc'd)
Folks,
Everyone here provides help on the mailing-lists on a volunteer basis.
That's part of how open source projects work. If you get value from the
code and give help back in return, everyone benefits. If the developers
give help here, that's nice of them; any developer who thinks the
Folks,
I seriously messed up and didn't test enough scenarios when making a
change to Exim configs for exim.org on Tuesday. I then spent yesterday
heads-down on work and didn't see Jeremy's report to me.
I broke things such that sender verification failed for almost
everybody.
Sorry.
I've
On 2018-07-07 at 18:56 +0100, Julian Bradfield via Exim-users wrote:
> Is there a way to detect, in the Exim configuration file, whether a
> sender domain has a DMARC record?
Use a `dnsdb` lookup, look for the DMARC DNS record. The rest of your
mail leads me to suggest a better approach, but to
On 2018-06-15 at 17:26 -0400, Phil Pennock via Exim-users wrote:
> On 2018-06-15 at 11:51 +, Emanuel Gonzalez via Exim-users wrote:
> > "In fact, it is Exim who SHOULD drop fucking legacy protocol support.
> > But I cannot convince its developers to do that. I have fixed th
On 2018-06-15 at 11:51 +, Emanuel Gonzalez via Exim-users wrote:
> "In fact, it is Exim who SHOULD drop fucking legacy protocol support.
> But I cannot convince its developers to do that. I have fixed this
> issue at some point in the past but I have no Exim to test that."
For the record:
On 2018-06-15 at 03:56 +0200, krz...@gmail.com via Exim-users wrote:
> SSL verify error: depth=1 error=unable to get local issuer
> certificate cert=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert
> SHA2 High Assurance Server CA
>
> It's the same error for every receiver and I believe error
On 2018-06-14 at 18:31 +, Emanuel Gonzalez via Exim-users wrote:
> Here the log:
>
> https://github.com/vstakhov/rspamd/files/2102038/rspamdserver.log
The rspamd proxy is replying with an HTTP response, not an RSPAM
protocol response.
Since I saw logic in the proxy source-code to handle
On 2018-06-13 at 18:44 +, Emanuel Gonzalez via Exim-users wrote:
> rspamd-proxy doesn't work with Exim v4.87. Connection works etc but exim
> can't parse the response.
Interesting. From the rspamd log attached to your ticket against rspamd
it looks as though rspamd thinks things succeeded?
On 2018-05-31 at 21:41 -0500, Martin McCormick via Exim-users wrote:
> The last part of this long message is the log of the
> delivery attempt. As you see, I do now log in to the smarthost
> and the only reason for the failure is that the sender name gets
> changed.
>
> The ISP knows
On 2018-05-22 at 18:09 +0200, Cyborg via Exim-users wrote:
> The German office of security (BSI) has given out a policy that
> secure email servers should have implemented DANE.
>
> So, what's the status of DANE for Exim?
>
> Any useful self-explaining examples at hand? :)
Outbound or inbound?
On 2018-05-14 at 14:12 +0200, Kai Bojens via Exim-users wrote:
> 1. Does Exim close the MySQL connection properly? One explanation I
> found suggested that this could pose a problem.
It should be closing it. There might be a leak, that is something we'd
probably fix given sufficient information.
On 2018-04-30 at 14:58 +0100, Gary Stainburn via Exim-users wrote:
> I have now purchased (through 123-reg) a SSL certificate and I am trying to
> install it on the server.
Which method did you use to buy the cert, and are you a "shared hosting
package" customer?
> My problem is that from my
On 2018-04-23 at 21:20 +0200, Sławomir Dworaczek via Exim-users wrote:
>> After upgrade from exim version 4.90_1 to 4.91 messages not sending to
>> external host
>> Panic log : Delivery status for user@external_domain.com got 0 of 7 bytes
>> (pipeheader) from transport process 13323 for transport
On 2018-04-20 at 22:38 -0400, Viktor Dukhovni via Exim-users wrote:
> I'd make that:
>
> HIGH:!aNULL:!aDSS:!kECDHr:!kECDHe:!kDHr:!kDHd
>
> Because, the ciphers are already sensibly ordered as of OpenSSL 1.0.0.
No matter what we tell people and how much we push towards 1.0.2 as a
minimum,
On 2018-04-21 at 11:23 +0200, Andreas Metzler via Exim-users wrote:
> Personally I am not convinced that this is the right way for trying to
> enforce stronger encryption standards on mail providers.
It's not about that. It's about providing people relying upon defaults
with worthwhile security,
Folks,
I've committed and pushed a change to the default Exim configuration
file for the next Exim release. This change has the example SMTP
Transport used for _smarthosts_, such as talking to an ISP, using TLS by
default, with _strong_ TLS enabled, and certificate verification, and
sending SNI.
On 2018-04-18 at 11:42 +, Robert Bannocks via Exim-users wrote:
> I want to search a file for decreasingly specific forms of an address
> that come from a given host and do some specialist routing thereafter.
> To this end I have constructed the following condition:
Can you change the stored
On 2018-04-16 at 12:14 -0500, Larry Rosenman via Exim-users wrote:
> http://home.lerctr.org:/data/live-host-ports/2018-04-16_11h54m01s/logs/errors/exim-4.91.log
Enable OCSP support. It's on by default in Exim and our test suite
isn't good at ensuring we still compile when various things are
On 2018-04-16 at 20:21 +0200, Max Kostikov via Exim-users wrote:
> I had this
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227560
The experimental DMARC support hard-requires SPF support.
NewStuff:
4. SPF support is promoted from Experimental to mainline status. The template
On 2018-04-16 at 20:47 +0200, Max Kostikov via Exim-users wrote:
> Is this option deprecated now?
> Found nothing about this in ChangeLog and NewStuff.
> (system is FreeBSD 11.1-RELEASE-p9)
With the benefit of 20/20 hindsight, there's a couple of things which
could have gone into README.UPDATING.
Just so folks see it can be done: dual-DKIM signing, and verification,
with Exim. Jeremy did all the Exim code to manage this, I'm acting
purely as a sysadmin in deploying this.
Exim 4.91, using OpenSSL 1.1.1-pre4, is the MTA for spodhuis.org;
and is the next-exim for exim.org, so is the version
On 2018-04-09 at 08:14 +0200, Kirill Miazine via Exim-users wrote:
> Hi, Phil
> * Phil Pennock via Exim-users [2018-04-08 17:24]:
> [...]
> > We've said "we only support versions of OpenSSL supported by the
> > upstream project", so now it's time to take adva
Folks,
The way we configure OpenSSL and the amount of special stuff we have to
do is a bit of a mess. GnuTLS is a bit better, because you can put TLS
protocol versions into the Priority String, but with OpenSSL, we're
stuck trying to support every last thing and caught when some folks
stuck
On 2018-03-28 at 21:29 -0400, Phil Pennock via Exim-users wrote:
> On 2018-03-28 at 21:11 -0400, Phil Pennock via Exim-users wrote:
> > $smtp_found_dane or something? Note that DANE support is Experimental
> > and feedback and requests are a good thing (patches even better!).
On 2018-03-28 at 21:11 -0400, Phil Pennock via Exim-users wrote:
> $smtp_found_dane or something? Note that DANE support is Experimental
> and feedback and requests are a good thing (patches even better!).
Uh ... DANE graduated from Experimental, I forgot. Sorry.
Am tentatively th
On 2018-03-28 at 11:43 +0200, Mark Elkins via Exim-users wrote:
> Begs the question, do DANE-enabled machines therefore perhaps require a
> stronger encryption - as their owners should know what they are doing?
>
> I've no idea if it's possible to allow weaker encryption for
> opportunistic
On 2018-02-22 at 17:34 +, Luciano InfoCultura via Exim-users wrote:
> How do I make connections initiated on ports 25 or 587 in plain text only
> allow the sending of messages after using STARTTLS.
> my brief configuration: The message exchange is between servers and do not use
>
On 2018-02-20 at 13:54 +, Andrew C Aitchison via Exim-users wrote:
> Interesting idea to use the whois database to detect spammers.
> Since whois data has expiry info and doesn't change every day,
> I wonder how easy it would be to cache the results.
The jwhois client does this; it's a GNU
On 2018-02-16 at 12:21 -0300, Nicolas Leonel via Exim-users wrote:
> I apologize but my exim knowledge is extremely limited, can you share an
> example on how to setup two different users with that example.
I did. In the linked message:
> >
On 2018-02-16 at 10:27 +0100, Cyborg via Exim-users wrote:
> has anyone ever heard that Beast worked against TLSv1 on mailservers?
I wrote a post to exim-announce at the time, analysing the situation.
A Google search for (exim beast) turned this up as the first result:
On 2018-02-12 at 18:53 -0500, Phil Pennock via Exim-users wrote:
> > On 12/02/18 12:12, Martin Nicholas via Exim-users wrote:
> > > I notice this from "Exim-users Digest, Vol 165, Issue 9":
> I've subscribed another address to the mailing-list, in digest mode, to
On 2018-02-12 at 19:45 -0800, Ian Zimmerman via Exim-users wrote:
> I note with horror that now I am also a 'via Exim-users' despite
> intentionally NOT using DKIM for list messages, including this one.
> Why? Is the rewriting now done regardless?
Yes. I don't know who/why.
from_is_list has
On 2018-02-12 at 14:04 +, Jeremy Harris via Exim-users wrote:
> On 12/02/18 12:12, Martin Nicholas via Exim-users wrote:
> > I notice this from "Exim-users Digest, Vol 165, Issue 9":
> >
> > DKIM: d=exim.org s=d201802 c=relaxed/relaxed a=rsa-sha256 b=1248
> > [verification failed - body hash
On 2017-02-25 at 22:25 -0500, Phil Pennock wrote:
> 20fcb1e7be45177beca2d433f54260843cc7c2f6 is the first bad commit
> commit 20fcb1e7be45177beca2d433f54260843cc7c2f6
> At this point, I suspect that the issue is the current line 4974 of
> expand.c, where `lookup_value = NULL` while skipping, but
63 matches