Re: [exim] CVE-2019-15846: Exim - local or remote attacker c…

Top Page

Reply to this message
Author: Jan Ingvoldstad
Date:  
To: exim-users
Subject: Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges
Hello Konstantin,

Please look at https://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html and look at the description after “
delay = <time>


Jan

(Sorry for top posting, editing sucks on cell)

> 9. sep. 2019 kl. 16:37 skrev Konstantin Boyandin via Exim-users <exim-users@???>:
>
> Hello Jan,
>
> "delay" means tarpitting, in this context?
>
> I wonder how efficient that is.
>
> Sincerely,
> Konstantin
>
>> On 09.09.2019 21:16, Jan Ingvoldstad via Exim-users wrote:
>> I've had another variant for years:
>>
>> acl_check_mail:
>>  deny
>>    message = no HELO given before MAIL command
>>    condition = ${if def:sender_helo_name {no}{yes}}
>>    delay = 60s

>>
>> The delay is a nice touch, if you have the TCP connections to spare.
>>
>> Jan
>>
>> On Mon, Sep 9, 2019 at 4:10 PM Phillip Carroll via Exim-users <
>> exim-users@???> wrote:
>>
>>> my configuration has had something similar for years. Is there any
>>> significant difference?
>>>
>>> acl_check_mail:
>>>   # deny any mail without helo name
>>>   deny    message = HELO required before MAIL
>>>           condition = ${if eq{$sender_helo_name}{} {1}}

>>>
>>> (Yours obviously simpler to read)
>>>
>>>> On 9/6/2019 6:16 PM, Phil Pennock via Exim-users wrote:
>>>>> On 2019-09-06 at 22:04 +0200, Heiko Schlittermann via Exim-users wrote:
>>>>> The HELO ACL doesn't help either, as the first EHLO comes before
>>>>> STARTTLS, and the second EHLO doesn't have to come, the client may send
>>>>
>>>> Oh pox. My memory is going. I hadn't realized that my protection
>>>> against this comes from long-standing local configuration, not Exim
>>>> defaulting to enforcing this:
>>>>
>>>> acl_check_mail:
>>>>   deny    message       = 503 Bad sequence of commands - must send
>>> HELO/EHLO first
>>>>           condition     = ${if !def:sender_helo_name}

>>>>
>>>> If anyone wants to protect against stupidity: I've been using that guard
>>>> for "longer than the five years that the current mail-server is running"
>>>> and I'm not going diving through git history to find when it was
>>>> introduced to my older server.
>>>>
>>>> To the best of my knowledge, that has never blocked legitimate mail.
>>>> Everyone does EHLO after STARTTLS.
>>>>
>>>> Exim drops pre-TLS sender_helo_name after negotiating TLS. This is
>>>> required by RFC 3207 (section 4.2) but not explicitly mentioned in the
>>>> Exim Spec, AFAICT.
>>>>
>>>> -Phil
>
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/