Gabor Kovacs | 22 Oct 15:54 2014

CHECK_RCPT_REMOTE_LOCALPARTS "bug"?

Dear All,

I'm new to exim, can somebody explain it to me please?

From the exim configuration file:
   # The second rule applies to all other domains, and its default is
   # considerably less strict.
   # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
   # It allows local users to send outgoing messages to sites
   # that use slashes and vertical bars in their local parts. It blocks
   # local parts that begin with a dot, slash, or vertical bar, but allows
   # these characters within the local part. However, the sequence /../ is
   # barred. The use of some other non-alphanumeric characters is blocked.
   # Single quotes might probably be dangerous as well, but they're
   # allowed by the default regexps to avoid rejecting mails to Ireland.
   # The motivation here is to prevent local users (or local users' malware)
   # from mounting certain kinds of attack on remote sites.

It's confusing, because it says "local users", but local users sending 
mail from the command line can use any character, because 
CHECK_RCPT_REMOTE_LOCALPARTS is only used in acl_smtp_rcpt.

(I don't get why there isn't an acl_not_smtp_rcpt, which of course wouldn't 
be able to deny individual addresses, but would be able to drop the 
whole mail.)

Thanks
   Gabor

(Continue reading)
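An added illustration, not from the thread or from exim itself: a small Python model of the CHECK_RCPT_REMOTE_LOCALPARTS rule quoted above, applied to constructed recipient addresses. It also models the point raised in the post, that acl_smtp_rcpt only runs for SMTP sessions; the function names, the sample addresses and the local-domain set are assumptions.

```python
import re

# Constructed illustration of the default CHECK_RCPT_REMOTE_LOCALPARTS rule.
# The three regexes are taken from the exim comment above, written as Python
# raw strings; a recipient is refused when ANY of them matches its local part.
CHECK_RCPT_REMOTE_LOCALPARTS = [
    re.compile(r"^[./|]"),        # may not begin with a dot, slash or bar
    re.compile(r"^.*[@%!`#&?]"),  # these characters are blocked anywhere
    re.compile(r"^.*/\.\./"),     # the sequence /../ is barred
]

def rejected_by(local_part):
    """Return the pattern that blocks this local part, or None if it passes."""
    for rx in CHECK_RCPT_REMOTE_LOCALPARTS:
        if rx.search(local_part):
            return rx.pattern
    return None

def rcpt_acl(recipient, local_domains):
    """Decision of the RCPT ACL for one recipient ('accept' or 'deny').
    Only the remote-domain rule is modelled; the stricter rule for local
    domains is left out, so local domains are simply accepted here."""
    local_part, _, domain = recipient.rpartition("@")
    if domain in local_domains:
        return "accept"
    return "deny" if rejected_by(local_part) else "accept"

def submission_result(recipient, via_smtp, local_domains):
    """acl_smtp_rcpt runs only for SMTP sessions, so a message handed to
    exim on the command line (non-SMTP input) never reaches this check."""
    if not via_smtp:
        return "accept"
    return rcpt_acl(recipient, local_domains)

if __name__ == "__main__":
    # Constructed sample recipients; every domain here is a remote one.
    for rcpt in ["alice@example.net", "bob/reports@example.net",
                 "o'brien@example.net", ".hidden@example.net",
                 "|program@example.net", "a/../b@example.net",
                 "user%example.com@example.net"]:
        print(f"{rcpt:32} -> {rcpt_acl(rcpt, {'example.org'})}")
```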

Jan Dijk | 22 Oct 15:34 2014

Using senders= to send to separate smarthosts based upon an lsearch

Hello All,

I have been working to resolve the following issue for a while and I am really stuck.

The Case:

We use DirectAdmin on several hosting servers, and this has Exim installed by default. All works great until I
try to integrate our SpamExperts gateways.
I would like to deliver outgoing mail to a smart host based upon the sender's domain, and I would like to do a
dynamic lookup in a text file for domains that are valid.
So if the domain name matches one in the text file it would use the appropriate smart host, and if not it would
go to the next one or use the lookup host.

The problem I am facing is that I cannot get it to work with a file lookup (lsearch), but I can get it to work with a
direct entry.

Example 1: (working)
This is working with a direct config on the senders line: "senders = ^.*@domain1.com : ^.*@domain2.com"
Only the listed domains on the line are now sent to the smart host, and other domains are not.

----
spamexperts_smarthost_router:
  driver = manualroute
  domains = ! +local_domains

  #search in file
  senders = ^.*@domain1.com : ^.*@domain2.com

  ignore_target_hosts = 127.0.0.0/8
(Continue reading)

Robert Steiner | 22 Oct 10:02 2014

Build exim with DBM in custom path


   Hello everybody,

   I have compiled the Berkeley DB 4.8.30 from source into a custom path
   and now try to use that with exim.
   I made no changes to any defaults for DB except
   "--prefix=/custom_path".
   (BTW, the whole documentation does not mention versions 5 and 6 of the
   Berkeley DB - are those compatible as well? Are those recommended or
   should I use the latest version of 4?)

   I have tried the following settings in Local/Makefile:

   === 1:

   DBMLIB=/custom_path/lib/libdb-4.8.a

   === Result:

   libdb-4.8.a(os_yield.o): In function `__os_yield':
   os_yield.c:(.text+0x51): undefined reference to `pthread_yield'
   /FALK/sys/ext/lib/libdb-4.8.a(mut_pthread.o): In function
   `__db_pthread_mutex_init':
   mut_pthread.c:(.text+0x6d): undefined reference to
   `pthread_mutexattr_destroy'
   mut_pthread.c:(.text+0x106): undefined reference to
   `pthread_mutexattr_init'
   mut_pthread.c:(.text+0x124): undefined reference to
   `pthread_mutexattr_setpshared'
   mut_pthread.c:(.text+0x1a1): undefined reference to
(Continue reading)

Cybernet Administrador | 21 Oct 15:56 2014

Exim asking for auth login screen

Hi,

I have used exim for a long time on a CentOS with cPanel as mailserver.

Last month Outlook clients started asking for the auth login screen and "sometimes" I
get a 550 error.

- - - - - - - - - - - - - - - - - - - - - - - - -

Server Error: 550

Server Answer: 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

- - - - - - - - - - - - - - - - - - - - - - - - -

If I access using a webmail all works well.

I use POP on port 110 and SMTP on port 587 without SSL connections.

Could anyone help me with this strange behavior?

Thanks for any help.

Ronaldo Luiz

## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Ronaldo Luiz de Carvalho | 21 Oct 19:53 2014

Exim asking for auth login screen

Hi,

I have used exim for a long time on a CentOS with cPanel as mailserver.

Since last month Outlook clients have been asking for the auth login screen and
"sometimes" I get a 550 error.

- - - - - - - - - - - - - - - - - - - - - - - - -

Server Error: 550

Server Answer: 550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

- - - - - - - - - - - - - - - - - - - - - - - - -

If I access using a webmail all works well.

I use POP on port 110 and SMTP on port 587 without SSL connections.

Could anyone help me with this strange behavior?

Thanks for any help.

Ronaldo Luiz


Matthias Hank | 21 Oct 13:09 2014

TLS Cipher list - sorting?

Hi,

I have the requirement that my exim sends outgoing mails with at least
a 256-bit encryption cipher.
This works for most hosts, but some servers reject my connection because
they say that there would only be a 128-bit encryption cipher.

Is there a way to sort the cipher list so that 256-bit ciphers are
announced first on the client side?

In my exim4.conf i have:

tls_require_ciphers = NORMAL:!VERS-SSL3.0:!AES-128-CBC

but as I understand it, this is only applied when receiving mails.

Thanks in advance and greetings!


mtrainer | 21 Oct 11:20 2014

Throttle incoming connections without stopping smtp auth logins


Hi All, 

I need to limit incoming smtp mail connections and defer
additional smtp connections whenever we have a peak of mail / spam. I
want to do this without limiting smtp auth connections as our users need
to be able to relay mail out via the exim servers all the time. Anyone
know how to achieve this with exim settings? 

Thanks 

Murray 


Anoop John | 18 Oct 10:48 2014

DDOS on SMTP port by large number of new connections from random IPs

Hello,

I have run into a problem on my server with a DDOS attack on port 25. The
server is getting a large number of connection requests on port 25 from
random IPs continuously, preventing any access to the SMTP port by valid
users. Also the server reaches the limit of 100 simultaneous SMTP
connections within seconds of restarting the server. The server is
configured to require authentication before sending mails via SMTP, so there
is no spamming / relay attempt via the server.

Is there some setting in exim that can drop connections if there is no
authentication within a timeout or something like that?

Thanks in advance for your help / guidance in this regard.

Thanks
Anoop

TPCexim | 16 Oct 18:49 2014

Problem disabling SSLv3 ciphers on Exim 4.72 to deal with Poodle vulnerability (CVE-2014-3566)

Dear All,
I have been going round and round in circles trying to do this :-{. I have tried lots of different
incantations using tls_require_ciphers but without success.
My exim, which came ready built in an RPM, is linked with OpenSSL rather than GnuTLS. I am using 'nmap --script
ssl-enum-ciphers -p 465' to see what ciphers are offered.

Without a tls_require_ciphers statement I get the following protocols offered: SSLv3, TLSv1.0,
TLSv1.1, TLSv1.2, each with at least 13 ciphers included. Ideally I would
like to just eliminate all the SSLv3 ones. The closest I have been able to come to doing this is to get only
the TLSv1.2 protocol with the following four ciphers
(TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 only). External relay
machines delivering mail (e.g. Microsoft's FOPE servers) do not find an acceptable choice amongst these.

I am at a loss to know why 'tls_require_ciphers = All:!SSLv2:!SSLv3' does not do what I want.  It just results
in no ciphers being offered.

Below is the full list of every combination I tried in /etc/exim.conf, together with an appended one line
summary of what resulting ciphers were offered as available.

I would like to get the system secured against SSLv3 ASAP.  Please help!

System details: 
 OS: SLC6 (derivative of RHEL6).
 Arch: X86_64

Thanks
Tom Crane

(Continue reading)

Alexandre | 19 Oct 23:20 2014

Re: Create aliases before rewrite domain

Thank you very much Jeremy. Your configuration works perfectly!

Example:
---
smarthost_test_fr:
         domains = test.fr
         driver = manualroute
         transport = remote_smtp
         route_list = * smtp.test.com:smtp2.test.com
---

I added a file in 999_test_router in /etc/exim4/conf.d/router and 
aliases work too.

Thank you.

Alexandre

On 19/10/14 22:55, Jeremy Harris wrote:
> On 19/10/14 21:46, Alexandre wrote:
>> Thank you Jeremy. Would you have a sample configuration?
>>
>>
>> I test this configuration but I do not understand how to operate it.
>>
>> ---
>> smarthost_test:
>
>>     condition = ${if eq {${lc:$sender_address_domain}} {test.fr} {true}
>> fail }
(Continue reading)

Ted Cooper | 18 Oct 17:05 2014

Re: Disabling SSLv3 on Exim 4.75

On 19/10/14 00:49, Cyborg wrote:
> Openssl has announced a workaround for sslv3. I'm not sure about what it
> does, but maybe you don't need to change exim's config at all.

The update to OpenSSL has enabled TLS_FALLBACK_SCSV protocol extension
which prevents MITM attackers from being able to force a protocol
downgrade. Both the client and the server must be upgraded to support
this protocol for it to be of any use.

You're still better off disabling SSLv3 since the update only helps
servers which have been upgraded, and run OpenSSL. Other implementations
may not support the extension.

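An added illustration, not from the thread or from OpenSSL: a small Python model of the TLS_FALLBACK_SCSV check as RFC 7507 defines it, run through the cases the reply above describes (both peers upgraded, only one upgraded, and SSLv3 simply disabled on the server). The version numbers, the SCSV value and the alert codes are the real protocol values; the two ordinary cipher suites, the function names and the scenarios are constructed.

```python
# Model of the TLS_FALLBACK_SCSV downgrade check from RFC 7507. It shows why
# the OpenSSL update only helps when BOTH peers implement the extension, and
# why refusing SSLv3 outright protects a server regardless of the client.
TLS_FALLBACK_SCSV = 0x5600           # signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86    # fatal alert defined by RFC 7507
ALERT_PROTOCOL_VERSION = 70          # alert for a version the server refuses
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
NAMES = {v: k for k, v in VERSIONS.items()}

def client_hello(offered, is_fallback_retry, client_has_scsv):
    """Build a ClientHello. A client that supports the extension appends the
    SCSV only when it is retrying at a version lower than it really supports."""
    suites = [0x002F, 0x0035]        # two ordinary suites (constructed list)
    if is_fallback_retry and client_has_scsv:
        suites.append(TLS_FALLBACK_SCSV)
    return {"version": VERSIONS[offered], "cipher_suites": suites}

def server_respond(hello, server_max, server_min, server_has_scsv):
    """Server side: refuse versions below its floor, refuse a signalled
    fallback below its own maximum, otherwise negotiate the lower maximum."""
    v = hello["version"]
    if v < VERSIONS[server_min]:
        return ("alert", ALERT_PROTOCOL_VERSION)
    if server_has_scsv and TLS_FALLBACK_SCSV in hello["cipher_suites"] \
            and v < VERSIONS[server_max]:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    return ("negotiated", NAMES[min(v, VERSIONS[server_max])])

def forced_fallback(client_has_scsv, server_has_scsv, server_min="SSLv3"):
    """Scenario: an on-path attacker has broken the client's TLSv1.2 attempt,
    so a client that retries downwards now offers SSLv3 to a TLSv1.2 server."""
    hello = client_hello("SSLv3", True, client_has_scsv)
    return server_respond(hello, "TLSv1.2", server_min, server_has_scsv)

if __name__ == "__main__":
    print("both upgraded      :", forced_fallback(True, True))
    print("server not upgraded:", forced_fallback(True, False))
    print("client not upgraded:", forced_fallback(False, True))
    print("SSLv3 disabled     :", forced_fallback(False, False, "TLSv1.0"))
```

Only the first and last cases stop the downgrade: the extension needs both sides, whereas a server floor of TLSv1.0 refuses the SSLv3 offer whatever the client supports.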

