Re: [exim] CVE-2019-15846: Exim - local or remote attacker c…

Top Page

Reply to this message
Author: Jan Ingvoldstad
Date:  
To: exim users
Subject: Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges
I've had another variant for years:

acl_check_mail:
  deny
    message = no HELO given before MAIL command
    condition = ${if def:sender_helo_name {no}{yes}}
    delay = 60s


The delay is a nice touch, if you have the TCP connections to spare.

Jan

On Mon, Sep 9, 2019 at 4:10 PM Phillip Carroll via Exim-users <
exim-users@???> wrote:

> my configuration has had something similar for years. Is there any
> significant difference?
>
> acl_check_mail:
>    # deny any mail without helo name
>    deny    message = HELO required before MAIL
>            condition = ${if eq{$sender_helo_name}{} {1}}

>
> (Yours obviously simpler to read)
>
> On 9/6/2019 6:16 PM, Phil Pennock via Exim-users wrote:
> > On 2019-09-06 at 22:04 +0200, Heiko Schlittermann via Exim-users wrote:
> >> The HELO ACL doesn't help either, as the first EHLO comes before
> >> STARTTLS, and the second EHLO doesn't have to come, the client may send
> >
> > Oh pox. My memory is going. I hadn't realized that my protection
> > against this comes from long-standing local configuration, not Exim
> > defaulting to enforcing this:
> >
> > acl_check_mail:
> >    deny    message       = 503 Bad sequence of commands - must send
> HELO/EHLO first
> >            condition     = ${if !def:sender_helo_name}

> >
> > If anyone wants to protect against stupidity: I've been using that guard
> > for "longer than the five years that the current mail-server is running"
> > and I'm not going diving through git history to find when it was
> > introduced to my older server.
> >
> > To the best of my knowledge, that has never blocked legitimate mail.
> > Everyone does EHLO after STARTTLS.
> >
> > Exim drops pre-TLS sender_helo_name after negotiating TLS. This is
> > required by RFC 3207 (section 4.2) but not explicitly mentioned in the
> > Exim Spec, AFAICT.
> >
> > -Phil
> >
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
>



--
Jan