Re: [exim] Exim 4.80.1 security release - details

Góra strony
Delete this message
Reply to this message
Autor: Mike Ridgers
Data:  
Dla: 'Exim-users'
Temat: Re: [exim] Exim 4.80.1 security release - details
Hi Phil,
This is my first post to this list (as far as I remember).
Firstly may I say a great many thanks to all who help maintain this great email server.
I have used Exim for the past 10 years with few issues. I have never felt the need to post before (The book is so good). But I would just like to query one thing Re the new 4.80.1 security release:

I always use the Exim RPMs at the Atrpms repo but they seem not to have the updated or patched package for Centos 5 Re this update. So I have decided to use the workaround you announced here:
https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html
Quote:

"put this at the start of an ACL plumbed into acl_smtp_connect or acl_smtp_rcpt:
warn control = dkim_disable_verify"

My (probably silly) question is:

Is there anything wrong with me adding 'warn control = dkim_disable_verify' under my 'acl_check_rcpt:' line if I have also have 'control = dkim_disable_verify' stated separately against each 'accept' in the ACL below it thus ? :

--------------------------------
acl_check_rcpt:
        warn control = dkim_disable_verify


# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.

  accept  hosts = :
          control = dkim_disable_verify    


deny    message       = Restricted characters in address
          domains       = +local_domains : +relay_to_domains
          local_parts   = ^[.] : ^.*[@%!/|]


deny    message       = Restricted characters in address
          domains       = !+local_domains : !+relay_to_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./


require verify        = sender


accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify


accept  authenticated = *
          control       = submission
          control       = dkim_disable_verify


require message = relay not permitted
          domains = +local_domains : +relay_to_domains


require verify = recipient

accept
--------------------------

My guess is that I can happily remove the three 'control = dkim_disable_verify' lines under each 'accept' that were there in the default conf file so long as I retain my 'warn control = dkim_disable_verify' at the top of the ACL ? But also that I was covered before in any case by having 'control = dkim_disable_verify' stated under each 'accept' ?

Hope that makes sense,

Best regards,
Mike.


On 2012-12-03 01:21, Phil Pennock wrote:
> On 2012-12-02 at 18:33 +0000, Jeremy Harris wrote:
> > On 10/26/2012 09:35 AM, Phil Pennock wrote:
> > > [...] a remote code
> > > execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
> > > handling. This can be triggered by anyone who can send you email from a
> > > domain for which they control the DNS, and gets them the Exim run-time
> > > user.
> >
> > Should this be added to https://github.com/Exim/exim/wiki/EximSecurity ?
>
> Er, yes. Done.
>
> Also, updated https://github.com/Exim/exim/wiki/EximRelease so that this
> doesn't get skipped in future.
>
> Thanks,
> -Phil
>
>