Moritz Wilhelmy wrote:
> Hello,
>
> Just for the record:
>
> On Mon, May 02, 2011 at 03:49:55PM +0000, W B Hacker wrote:
>> Before you go any further, PLEASE upgrade to the current Exim release!
>> There were serious security issues in pre 4.7X versions.
>
> I assume he is using exim 4.69 on oldstable/lenny (I remember lenny had 4.69
> and I know squeeze has 4.72. wheezy currently has 4.75). I assume the debian
> guys "fixed" these bugs by patching them out downstream, because the debian way
> to do it is not to bump versions until the next stable release.
Perhaps.
BUT ... if not, and/or some barrier is perceived to rolling in the
latest for some obscure reason, (modified source in my case), what I do
for the last remaining unpatched 4.69 on one of my boxes, is:
- remove the setuid root bit on the binary. Not needed if all users are
virtual -and shell holders can easily be made to be so. or just not
*allowed* mail (by their login UID).
- mount /var and wherever the mailstore is as:
nosetuid, noexec,
- adjust 'log_selector =' to include:
-rejected_header
- if one or more of the above not possible, consider, for rejections
within acl_smtp_data, ONLY, temporarily switching to using a 'defer'
(forever) instead of a 'deny'. CAVEAT: Very much 'Not optimal', but
might save an older rev from grief, as it is the quickest fix to apply.
I still recommend the upgrade to 4.7X in any case.
It isn't JUST for the improved security. Full DKIM support, to name one,
only came in with (IIRC) 4.71.
>
>> Even so..
>>
>> Any system that uses that generated split-config toolset
>> (Debian-only AFAIK) comes complete with extensive docs.
>
> Debian and everything based (i.e. Ubuntu etc.) on it. And the documentation is
> located in /usr/share/doc/exim4-base/
>
>> More historical information, and more specific current help, are
>> available on the Debian specific mailing list (also pointed to in
>> your on-box docs).
>>
>> MOST, though not all, on THIS list use the standard monolithic Exim
>> ~/configure file, which may be less 'automated', but otherwise
>> simpler.
>
> I agree. I was glad when I noticed the "original" exim configuration file was
> quite simple in contrary to the macro hell on debian.
>
It CAN be, but as experience and (alleged) cleverness | deviousness
accumulate, that goes away. I have had them grow to over 3,000 lines of
text, even with terse comments. And that with a good deal of the
'cleverness' offloaded to PostgreSQL.
The quasi-automated split config has had a good deal of kraft -
conveyed experience - built into it, and 'should' work quite well for
the inexperienced doing simpler basic installs.
I disagree more with the method than the effort or goal.
IMNSHO, better a collection of known-compatible modules to concatenate
in proper sequence into one 'ordinary' file - ELSE be left OUT
altogether, than the split files and so many .ifdefs...
IF ONLY .. because the resulting output would be the same sort of
monolithic ~/configure most often referenced HERE, and altered in the
same manner. Editor of choice for fine-tuning, start the concatenation
chooser from scratch otherwise..
Familiar structure [1] to more hands and eyes = easier to support 'quickly'.
>> AFAIK, that is also an option on Debian.
>
> It is, but you have to supply your own. As far as I know, debian does not ship
> the default config in any of these /usr/share/doc/exim4-* directories. So you
> will probably need to download it from [1]. For more information please see
> update-exim4.conf(8)[2].
>
> Best regards,
>
> Moritz
>
> [1] http://git.exim.org/exim.git/blob/HEAD:/src/src/configure.default
> [2] http://pwet.fr/man/linux/administration_systeme/update_exim4_conf
>
I thought I had seen posts to the effect that both WERE shipped?
But don't rely on a aged 4-flavor *BSD to grok aleph-null flavor Penguin
variants...
;-)
Bill
[1] 'Familiar' as in a ~/configure file originally built for 4.4X and
carried over for years with many changes - even to the underlying OS -
but only a very few of those changes required to cover version shifts
such as settings and variable nomenclature/usage, or new/retired features.
