Security: New exim.pl with improved filtering

DirectAdmin Support

Hello,

I've added some extra filtering to the /etc/exim.pl versions to improve security with posted data.

The versions that have been updated are:
16 -> 16 http://files.directadmin.com/services/exim.pl.16
17 -> 17 http://files.directadmin.com/services/exim.pl.17
23 -> 24 http://files.directadmin.com/services/exim.pl.24

To confirm you have the fix (nobody will have it by default), run:
Code:
grep -c safe_name /etc/exim.pl
which should show more than 0 (usually between 7 and 9).

To check your current /etc/exim.pl version, type:
Code:
grep VERSION /etc/exim.pl
so that you know which file to update to.

We'll add extra code to CustomBuild 2.0 to check this and remind you, in case you don't catch it.

You can reference this chart to know which exim.pl version goes with your /etc/exim.conf:
http://files1.directadmin.com/services/SpamBlocker/

and your /etc/exim.conf version should be visible at the top of that file.
We always recommend using the latest version of your current family.
The most recent versions are:
2.1.2
4.3.6
4.4.8
4.5.7

To Update

You can either manually download the updated exim.pl.XX version over top of your /etc/exim.pl file, eg for 23 to 24:
Code:
wget -O /etc/exim.pl http://files.directadmin.com/services/exim.pl.24
grep -c safe_name /etc/exim.pl
service exim restart

OR

CustomBuild 2.0 can be used to update your exim.conf *and* exim.pl for you:
https://help.directadmin.com/item.php?id=51

set the eximconf_release to the desired SpamBlocker (/etc/exim.conf) version, based on what you already have, or what you want to have.

The most updated, most current version is 4.5.7, and if you're going that route anyway (if SpamAssassin is already running), I'd also recommend the other tools:
https://help.directadmin.com/item.php?id=576

But if SpamAssassin is not yet running, we'd recommend you first install it (as it can be tricky)
https://help.directadmin.com/item.php?id=36
and ensure spamd is running, before enabling EasySpamFighter/BlockCracking, and installing them with SpamBlocker (exim.conf).

John
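As an added example (not DirectAdmin's own code, and not the check CustomBuild ships), here is a small shell script that runs the two greps from the post above against an exim.pl file and says which exim.pl.XX it should be replaced with, using the 16 -> 16, 17 -> 17, 23 -> 24 chart. It assumes the version is on the first line that has VERSION followed by a number (for example "#VERSION=23"); the sample files it creates are constructed stubs, not real exim.pl content.

```shell
#!/bin/sh
# Added example, not DirectAdmin's code: does the checks from the post above
# against an exim.pl file and says which exim.pl.XX it should be replaced with.
# Assumption: the version is on the first line that has VERSION followed by a
# number (e.g. "#VERSION=23"); the target chart is the one in the post.

# Target file from the chart: 16 -> 16, 17 -> 17, 23 -> 24.
exim_pl_target() {
    case "$1" in
        16) echo 16 ;;
        17) echo 17 ;;
        23|24) echo 24 ;;
        *) echo unknown ;;
    esac
}

# First number after the word VERSION, or "none" if there is no such line.
exim_pl_version() {
    v=$(sed -n 's/.*VERSION[^0-9]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo none; fi
}

# Same count as "grep -c safe_name /etc/exim.pl"; 0 means the fix is missing.
exim_pl_safe_name_count() {
    grep -c safe_name "$1" || true
}

# One-line verdict. Exit status: 0 has the fix, 1 needs the update,
# 2 file missing or empty (nothing to check, e.g. exim removed).
exim_pl_check() {
    file=$1
    if [ ! -s "$file" ]; then
        echo "$file: missing or empty, nothing to check"
        return 2
    fi
    ver=$(exim_pl_version "$file")
    cnt=$(exim_pl_safe_name_count "$file")
    if [ "$cnt" -gt 0 ]; then
        echo "$file: VERSION $ver, safe_name x$cnt: filtering fix present"
        return 0
    fi
    echo "$file: VERSION $ver, safe_name x$cnt: NO fix, fetch exim.pl.$(exim_pl_target "$ver")"
    return 1
}

# Constructed stub files (not real exim.pl content) so the demo runs offline.
demo=$(mktemp -d)
printf '#!/usr/bin/perl\n#VERSION=23\nsub old_filter { return shift; }\n' > "$demo/exim.pl.old"
printf '#!/usr/bin/perl\n#VERSION=24\nsub safe_name { return shift; }\n' > "$demo/exim.pl.new"
for f in "$demo/exim.pl.old" "$demo/exim.pl.new" "$demo/exim.pl.absent"; do
    exim_pl_check "$f" || true
done
rm -rf "$demo"
```

On a real server you would call exim_pl_check /etc/exim.pl; a status of 1 is the cue to run the wget line from the post and restart exim, and the exit status makes it easy to wire into a cron job or monitoring check.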
 
Update: CustomBuild 2.0.0 (rev: 1747) now automatically detects and warns of security issues, eg:
Code:
[root@server custombuild]# ./build versions
Latest version of DirectAdmin: 1.52.1
Installed version of DirectAdmin: 1.51.1

DirectAdmin 1.51.1 to 1.52.1 update is available.
...
Security update is available.: Update DirectAdmin to 1.52.0 or higher: https://www.directadmin.com/features.php?id=2036


Security update is available.: Update your exim.pl version for better filtering: https://forum.directadmin.com/showthread.php?t=55502


If you want to update all the available versions run: ./build update_versions
So any of the "Security update is available" will show up in the ./build versions output.

Then if you want to have CB attempt to address them automatically, run
Code:
./build update_versions

The exim.pl update will only go through if you have eximconf=yes set in the options.conf, but if you don't, then you'll get a warning.
If it is set, and the exim.pl version can be seen in /etc/exim.pl, then CB2 will automatically download an updated version of the exim.pl.

Note: If you set eximconf=yes, but never actually ran ./build eximconf, and your /etc/exim.conf version does not match your options.conf eximconf_release=X.X, then you might run into issues, as the setting wouldn't match what you've got.

---
Same idea as the exim security check: it will check for end-of-life operating systems or failed updates, and if it cannot update DA to the latest version, then it will disable the mentioned feature in id=2036.
The attempted DA update for the security check does not respect the options.conf da_autoupdate=no setting, as it's an important update, so will attempt the update anyway, as if we've pushed an update request, as we have been for 1.52.0.

However, it does respect the:
Admin Settings -> Allow the latest version of DirectAdmin to be pushed to this server, as needed.
so if you disabled that, then the security update to get the newer DA is not run, and the id=2036 feature is disabled to prevent issues.

John
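The note above describes a mismatch that CB2 cannot see: eximconf=yes in options.conf, but an /etc/exim.conf that was never rebuilt to the eximconf_release family. As an added example (not CustomBuild's own code), here is a shell check that reads both files and reports the three states the post describes. It assumes options.conf is plain key=value lines, and that the SpamBlocker version appears near the top of exim.conf as the word "SpamBlocker" followed by a dotted version number; the exact header wording is an assumption, and the demo files are constructed.

```shell
#!/bin/sh
# Added example, not CustomBuild's code: cross-check options.conf against
# /etc/exim.conf as the note above describes. Assumptions: options.conf is
# key=value lines (eximconf=yes, eximconf_release=4.5) and the SpamBlocker
# version sits in the top 10 lines of exim.conf as "SpamBlocker" followed by
# a dotted version (the precise header wording is an assumption).

# Value of a key in a key=value file ("" if absent). "^eximconf=" does not
# match "eximconf_release=", so the two keys stay distinct.
cb_option() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# First dotted version that follows "SpamBlocker" in the top 10 lines.
exim_conf_version() {
    head -n 10 "$1" | sed -n 's/.*SpamBlocker[^0-9]*\([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# major.minor family of a version string (4.5.7 -> 4.5).
version_family() {
    echo "$1" | cut -d. -f1,2
}

# Exit status: 0 consistent (update_versions will refresh exim.pl),
#              1 eximconf is not "yes" (CB2 only warns; update exim.pl by hand),
#              2 eximconf=yes but exim.conf is not the eximconf_release family.
cb_eximconf_check() {
    opts=$1
    conf=$2
    ec=$(cb_option "$opts" eximconf)
    rel=$(cb_option "$opts" eximconf_release)
    if [ "$ec" != "yes" ]; then
        echo "eximconf=$ec: CB2 will not touch exim.pl, update it manually"
        return 1
    fi
    have=$(exim_conf_version "$conf")
    if [ "$(version_family "$have")" != "$(version_family "$rel")" ]; then
        echo "eximconf_release=$rel but exim.conf is '$have': run ./build eximconf first"
        return 2
    fi
    echo "eximconf_release=$rel matches exim.conf $have"
    return 0
}

# Constructed files, not copies of a real server's configuration.
demo=$(mktemp -d)
printf 'eximconf=yes\neximconf_release=4.5\nexim=yes\n' > "$demo/options.conf"
printf '# SpamBlocker.exim.conf.4.5.7 (constructed header)\n' > "$demo/exim.conf"
printf '# SpamBlocker.exim.conf.2.1.2 (constructed header)\n' > "$demo/exim.conf.stale"
cb_eximconf_check "$demo/options.conf" "$demo/exim.conf" || true
cb_eximconf_check "$demo/options.conf" "$demo/exim.conf.stale" || true
rm -rf "$demo"
```

Run it as cb_eximconf_check /usr/local/directadmin/custombuild/options.conf /etc/exim.conf before ./build update_versions; a status of 2 is the case the note warns about, and ./build eximconf is the fix before letting CB2 handle exim.pl.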
 
Thanks John

We updated exim.conf 2.1 to 4.5 on a test box which gave us the helo bounce error below when sending mail
HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)

The "(See the readme file for more information)" link in post https://help.directadmin.com/item.php?id=51 is not working anymore;
we wanted to look for the entries in /etc/exim.conf that should be manually set for our system.
 
which gave us the helo bounce error below when sending mail
Are you still on CB 1.1? It's best to upgrade to CB 2.0 which makes life lots easier.
Check intodns and check your hostname and mx records.
https://help.directadmin.com/item.php?id=405
Exim normally uses the hostname as the HELO/EHLO name, so that might be the reason you are getting this issue. It might be something else too, but this is the most common reason.

We updated exim.conf 2.1 to 4.5 on a test box
Checked that your exim.pl version is v24 too?
 
Thanks for your reply

We are on CB 2.0 of course.
The HELO bounce message was because we had to tick the box in Outlook for SMTP verification.
Is this always needed in the latest exim.conf from 4.5 onward?
 
I've found out it's related to Roundcube settings with IPv6:
2017-11-06 19:36:32 H=localhost [::1] rejected EHLO or HELO : Bad HELO - Host impersonating hostname

Is there a proper solution to get Roundcube working then?
Similar to this post: http://forum.directadmin.com/showthread.php?t=53299
We can't use Roundcube then.
 
Check your /etc/hosts file.
We don't want to see localhost on the ::1 line (localhost6 and other "6" variants are fine)
"localhost" should only be on the 127.0.0.1 line.

John
 
localhost.localdomain is not equal to just "localhost", so it would be fine for ::1
I've never seen anyone connect to "localhost.localdomain" anyway, so wouldn't matter much :)

John
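The rule in the two replies above is exact-token matching: the bare name "localhost" must not appear on the ::1 line, while localhost6, localhost.localdomain and similar names are fine. As an added example (not DirectAdmin's code), here is a shell check that finds offending ::1 lines in a hosts file, leaves the 127.0.0.1 line alone, and prints a corrected copy. The hosts content it creates is constructed to mirror the shape of the file posted later in this thread; it is not a real server's file.

```shell
#!/bin/sh
# Added example, not DirectAdmin's code: find /etc/hosts lines that map the
# bare name "localhost" to ::1 (the cause of "H=localhost [::1] rejected
# EHLO or HELO : Bad HELO - Host impersonating hostname" in the thread) and
# print a corrected copy. Takes the hosts file path as an argument so it can
# be run against a copy before touching /etc/hosts.

# Print the ::1 lines that carry the exact token "localhost". Names such as
# localhost6 or localhost.localdomain are different tokens and are not flagged.
hosts_bad_localhost_lines() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }        # skip comments and blanks
        $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i == "localhost") { print; next }
        }' "$1"
}

# Exit status 0 if the file is clean, 1 if at least one bad ::1 line exists.
hosts_check() {
    [ -z "$(hosts_bad_localhost_lines "$1")" ]
}

# Emit the file with the bare "localhost" token dropped from ::1 lines only.
# Every other line, including "127.0.0.1 localhost", is passed through as is;
# a ::1 line left with no names at all is dropped rather than printed empty.
hosts_fixed() {
    awk '
        $1 == "::1" {
            out = $1
            for (i = 2; i <= NF; i++) if ($i != "localhost") out = out "\t" $i
            if (out != $1) print out
            next
        }
        { print }' "$1"
}

# Constructed hosts file (documentation addresses, not a real server).
demo=$(mktemp -d)
printf '# Generated by SolusVM\n127.0.0.1\tlocalhost localhost.localdomain\n::1\tlocalhost localhost.localdomain\n192.0.2.10\thost.example.com\n2001:db8::10\thost.example.com\n' > "$demo/hosts"
if hosts_check "$demo/hosts"; then
    echo "hosts: ok"
else
    echo "hosts: bare localhost on ::1 line(s):"
    hosts_bad_localhost_lines "$demo/hosts"
    echo "--- corrected copy ---"
    hosts_fixed "$demo/hosts"
fi
rm -rf "$demo"
```

To apply it for real, write the corrected copy to a new file (hosts_fixed /etc/hosts > /etc/hosts.new), inspect it, then move it into place; Exim reads the hosts file on each lookup, so no restart is needed for the HELO check, but anything that cached the old resolution (Roundcube's PHP process, for instance) may need a restart.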
 
So my current hosts file looks like this:
Code:
# Generated by SolusVM
127.0.0.1       localhost localhost.localdomain
::1     localhost localhost.localdomain
178.21.20.xxx   host.xxx.nl
2a00:1ca8:e:101:101:101:xxxx:xxxx       host.xxx.nl

And it needs to be?:
Code:
# Generated by SolusVM
127.0.0.1       localhost localhost.localdomain
::1     localhost.localdomain
178.21.20.xxx   host.xxx.nl
2a00:1ca8:e:101:101:101:xxxx:xxxx       host.xxx.nl

Please advise.
 
Yes
Just remove localhost from ::1 and it works fine.
 
version 21

I got version 21, so I can't update this fix.

How can I have version 21 when CS says I'm up2date?
 
What does "while CS im up2date" mean? What is CS? Or do you mean CB?

In that case it's not updated when you don't have both:
Code:
eximconf=yes
eximconf_release=4.5
in your options.conf, because then it won't get updated.

You can update exim.pl manually however:
Code:
wget -O /etc/exim.pl http://files.directadmin.com/services/exim.pl.24
since we're at version 24 of exim.pl at the moment.
 
Not using exim, still being nagged with security updates

Hi,

We have 2 servers with DA. On the first server we have disabled exim, since it's a server for static content. On the second server we use postfix, so we also disabled exim. When we use the build script to fetch updates and new versions we still get nagged with security updates for Exim, that can't be installed automagically due to eximconf=no. What is the most neat way to exclude these updates?
 
Just to be sure, how did you disabled exim? Because eximconf=no does not disable Exim, it only disables Exim configuration files.
If you also want Exim updates to be disabled, you have to set "exim=no" as well. I presume you have it like this; I only write it just to be sure.
 
Hmm.. there is already a file check
Code:
    EXIM_PL_IS_INSECURE=false
    if [ -s /etc/exim.pl ]; then
        C=`grep -c safe_name /etc/exim.pl`
        if [ "$C" = "0" ]; then
            EXIM_PL_IS_INSECURE=true
        fi
    fi
so just make sure you've deleted the exim.pl if you're not using exim.
 
Yes I disabled it this way.
 
4.89.1 is the stable release; when I update it with CB2 the version shows 4.89_1.
Is this OK?
 