Re: [exim] CVE-2019-15846: Exim - local or remote attacker c…

Author: Konstantin Boyandin
Date:  
To: exim-users
Subject: Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges
Hello Jan,

"delay" means tarpitting, in this context?

I wonder how efficient that is.

Sincerely,
Konstantin

On 09.09.2019 21:16, Jan Ingvoldstad via Exim-users wrote:
> I've had another variant for years:
> 
> acl_check_mail:
>   deny
>     message = no HELO given before MAIL command
>     condition = ${if def:sender_helo_name {no}{yes}}
>     delay = 60s
> 
> The delay is a nice touch, if you have the TCP connections to spare.
> 
> Jan
> 
> On Mon, Sep 9, 2019 at 4:10 PM Phillip Carroll via Exim-users <
> exim-users@???> wrote:
> 
>> my configuration has had something similar for years. Is there any
>> significant difference?
>>
>> acl_check_mail:
>>    # deny any mail without helo name
>>    deny    message = HELO required before MAIL
>>            condition = ${if eq{$sender_helo_name}{} {1}}
>>
>> (Yours obviously simpler to read)
>>
>> On 9/6/2019 6:16 PM, Phil Pennock via Exim-users wrote:
>>> On 2019-09-06 at 22:04 +0200, Heiko Schlittermann via Exim-users wrote:
>>>> The HELO ACL doesn't help either, as the first EHLO comes before
>>>> STARTTLS, and the second EHLO doesn't have to come, the client may send
>>>
>>> Oh pox.  My memory is going.  I hadn't realized that my protection
>>> against this comes from long-standing local configuration, not Exim
>>> defaulting to enforcing this:
>>>
>>> acl_check_mail:
>>>    deny    message       = 503 Bad sequence of commands - must send HELO/EHLO first
>>>            condition     = ${if !def:sender_helo_name}
>>>
>>> If anyone wants to protect against stupidity: I've been using that guard
>>> for "longer than the five years that the current mail-server is running"
>>> and I'm not going diving through git history to find when it was
>>> introduced to my older server.
>>>
>>> To the best of my knowledge, that has never blocked legitimate mail.
>>> Everyone does EHLO after STARTTLS.
>>>
>>> Exim drops pre-TLS sender_helo_name after negotiating TLS.  This is
>>> required by RFC 3207 (section 4.2) but not explicitly mentioned in the
>>> Exim Spec, AFAICT.
>>>
>>> -Phil
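As an added illustration of the guard discussed in the thread (not Exim's own code and not from any of the posters): a small Python model of how the HELO name is tracked across EHLO, STARTTLS and MAIL, why the three ACL conditions quoted above are equivalent, and how the optional delay is accounted for. Host names and addresses are constructed.

```python
"""Constructed model of the acl_check_mail guard from the thread.

Mimics how $sender_helo_name is set by EHLO/HELO, cleared when TLS is
negotiated (RFC 3207 section 4.2), and checked at MAIL time.  This is
a teaching model, not Exim source.
"""
from dataclasses import dataclass


@dataclass
class Session:
    helo_name: str = ""        # models $sender_helo_name
    tls_active: bool = False
    delay_seconds: int = 0     # records ACL "delay" instead of sleeping


def helo_missing(sess: Session) -> bool:
    # All three conditions in the thread reduce to "HELO name is empty":
    #   ${if !def:sender_helo_name}          (def: is true for a non-empty value)
    #   ${if eq{$sender_helo_name}{} {1}}    (no else branch -> "" -> false)
    #   ${if def:sender_helo_name {no}{yes}} ("no" is false, "yes" is true)
    return sess.helo_name == ""


def acl_check_mail(sess: Session, delay: int = 0) -> str:
    if helo_missing(sess):
        sess.delay_seconds += delay   # tarpit the sender before the 503
        return "503 Bad sequence of commands - must send HELO/EHLO first"
    return "250 OK"


def handle(sess: Session, line: str, delay: int = 0) -> str:
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb in ("EHLO", "HELO"):
        if not arg.strip():
            return "501 %s requires a domain name" % verb
        sess.helo_name = arg.strip()
        return "250 mail.example.test Hello"
    if verb == "STARTTLS":
        sess.tls_active = True
        sess.helo_name = ""   # state reset: client must EHLO again under TLS
        return "220 Ready to start TLS"
    if verb == "MAIL":
        return acl_check_mail(sess, delay)
    return "500 unrecognised command"


def run(commands, delay=0):
    """Return the server replies for a command list and the total delay."""
    sess = Session()
    replies = [handle(sess, c, delay) for c in commands]
    return replies, sess.delay_seconds
```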