[exim] Re: SMTP smuggling and Exim

Top Page
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: [exim] Re: SMTP smuggling and Exim
On 12/23/23 19:15, Ian Z via Exim-users wrote:
> On Sat, Dec 23, 2023 at 10:27:02AM +0000, Jeremy Harris via Exim-users wrote:
>> Some changes in that direction are already available.
>
> An intriguing statement ;-) Available in 4.97, on master, on another
> branch?


In the git master.

> Are there build time or run time configuration setting changes
> needed to enable taking an installation in that direction?
>
> I already disable pipelining and chunking. Anything else I can do to
> get the strictest, most boring implementation of SMTP possible? I have
> no need to cater to broken clients.


Sure. You'd need to fine-tooth both the Makefile and your config,
thinking hard about every feature and the relation to your security
posture.

I can't really advise on specifics. For example, just supporting
TLS is a massive increase in compiled code and therefore attack surface.
Personally I prefer to have it available, but YMMV.
--
Cheers,
Jeremy


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/