
Thread: Security: New exim.pl with improved filtering

  1. #1

    Security: New exim.pl with improved filtering

    Hello,

    I've added some extra filtering to the /etc/exim.pl versions to improve security with posted data.

    The versions that have been updated are:
    16 -> 16 http://files.directadmin.com/services/exim.pl.16
    17 -> 17 http://files.directadmin.com/services/exim.pl.17
    23 -> 24 http://files.directadmin.com/services/exim.pl.24

    To confirm you have the fix (nobody will have it by default), run:
    Code:
    grep -c safe_name /etc/exim.pl
    which should show more than 0 (usually between 7 and 9).

    To check your current /etc/exim.pl version, type:
    Code:
    grep VERSION /etc/exim.pl
    so that you know which file to update to.

    We'll add extra code to CustomBuild 2.0 to check this and remind you, in case you don't catch it.

    You can reference this chart to know which exim.pl version goes with your /etc/exim.conf:
    http://files1.directadmin.com/services/SpamBlocker/

    and your /etc/exim.conf version should be visible at the top of that file.
    We always recommend using the latest version of your current family.
    The most recent versions are:
    2.1.2
    4.3.6
    4.4.8
    4.5.7

    To Update

    You can either manually download the updated exim.pl.XX version over top of your /etc/exim.pl file, eg for 23 to 24:
    Code:
    wget -O /etc/exim.pl http://files.directadmin.com/services/exim.pl.24
    grep -c safe_name /etc/exim.pl
    service exim restart
    OR

    CustomBuild 2.0 can be used to update your exim.conf *and* exim.pl for you:
    https://help.directadmin.com/item.php?id=51

    set the eximconf_release to the desired SpamBlocker (/etc/exim.conf) version, based on what you already have, or what you want to have.

    The most updated, most current version is 4.5.7, and if you're going that route anyway (if SpamAssassin is already running), I'd also recommend the other tools:
    https://help.directadmin.com/item.php?id=576

    But if SpamAssassin is not yet running, we'd recommend you first install it (as it can be tricky)
    https://help.directadmin.com/item.php?id=36
    and ensure spamd is running, before enabling EasySpamFighter/BlockCracking, and installing them with SpamBlocker (exim.conf).

    John
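
The check-and-update steps from the post above, combined into one script. This is an added example, not DirectAdmin's or CustomBuild's code, and the function names are hypothetical. It assumes the line matched by `grep VERSION` carries the version as its first integer (for example `#VERSION=23`).

```shell
#!/bin/sh
# Added example: decide whether an exim.pl has the safe_name filtering
# and, if not, which replacement file from the post applies to it.

# Print the version number found in exim.pl file $1.
# Assumption: the first line containing VERSION holds it as its first integer.
exim_pl_version() {
    grep VERSION "$1" | head -n 1 | sed -n 's/[^0-9]*\([0-9][0-9]*\).*/\1/p'
}

# Map an installed version to the fixed file listed in the post
# (16 -> 16, 17 -> 17, 23 -> 24). 24 maps to itself.
fixed_release_for() {
    case "$1" in
        16) echo 16 ;;
        17) echo 17 ;;
        23|24) echo 24 ;;
        *) return 1 ;;   # e.g. 21: no replacement is listed for it
    esac
}

# True when the file mentions safe_name at least once (grep -c safe_name > 0).
has_fix() {
    [ "$(grep -c safe_name "$1")" -gt 0 ]
}

# Report "patched", "update: exim.pl.NN" or "no-listed-update: version NN".
# Returns 0 only when the fix is present.
check_exim_pl() {
    file=${1:-/etc/exim.pl}
    [ -r "$file" ] || { echo "unreadable: $file"; return 2; }
    if has_fix "$file"; then echo "patched"; return 0; fi
    ver=$(exim_pl_version "$file")
    if target=$(fixed_release_for "$ver"); then
        echo "update: exim.pl.$target"
    else
        echo "no-listed-update: version ${ver:-unknown}"
    fi
    return 1
}

# Run against a file given on the command line, e.g. sh check.sh /etc/exim.pl
if [ "$#" -gt 0 ]; then check_exim_pl "$1"; fi
```
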

  2. #2
    Update: CustomBuild 2.0.0 (rev: 1747) now automatically detects and warns of security issues, eg:
    Code:
    [root@servercustombuild]# ./build versions
    Latest version of DirectAdmin: 1.52.1
    Installed version of DirectAdmin: 1.51.1
    
    DirectAdmin 1.51.1 to 1.52.1 update is available.
    ...
    Security update is available.: Update DirectAdmin to 1.52.0 or higher: https://www.directadmin.com/features.php?id=2036
    
    
    Security update is available.: Update your exim.pl version for better filtering: https://forum.directadmin.com/showthread.php?t=55502
    
    
    If you want to update all the available versions run: ./build update_versions
    So any of the "Security update is available" will show up in the ./build versions output.

    Then if you want to have CB attempt to address them automatically, run
    Code:
    ./build update_versions
    The exim.pl update will only go through if you have eximconf=yes set in the options.conf, but if you don't, then you'll get a warning.
    If it is set, and the exim.pl version can be seen in /etc/exim.pl, then CB2 will automatically download an updated version of the exim.pl.

    Note: If you set eximconf=yes, but never actually ran ./build eximconf, and your /etc/exim.conf version does not match your options.conf eximconf_release=X.X, then you might run into issues, as the setting wouldn't match what you've got.

    ---
    Same idea for the exim security check, it will check for end-of-life operating systems, or failed updates, and if it cannot update DA to the latest version, then it will disable the mentioned feature in id=2036.
    The attempted DA update for the security check does not respect the options.conf da_autoupdate=no setting, as it's an important update, so will attempt the update anyway, as if we've pushed an update request, as we have been for 1.52.0.

    However, it does respect the:
    Admin Settings -> Allow the latest version of DirectAdmin to be pushed to this server, as needed.
    so if you disabled that, then the security update to get the newer DA is not run, and the id=2036 feature is disabled to prevent issues.

    John

  3. #3
    Join Date
    Jan 2017
    Location
    Nederlands
    Posts
    33
    Thanks John

    We updated exim.conf 2.1 to 4.5 on a test box which gave us the helo bounce error below when sending mail
    HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)

    The (See the readme file for more information) in post : https://help.directadmin.com/item.php?id=51 is not working anymore
    we wanted to look for the entries in the /etc/exim.conf that should be manually set for our system
    Last edited by Deeefje; 11-06-2017 at 08:19 AM.

  4. #4
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,057
    which gave us the helo bounce error below when sending mail
    Are you still on CB 1.1? It's best to upgrade to CB 2.0 which makes life lots easier.
    Check intodns and check your hostname and mx records.
    https://help.directadmin.com/item.php?id=405
    Exim will use the hostname as helo/ehlo name normally, so that might be a reason you are getting this issue. Might be something else too, but this is the most common reason.

    We updated exim.conf 2.1 to 4.5 on a test box
    Checked that your exim.pl version is v24 too?
    Greetings, Richard.

  5. #5
    Join Date
    Jan 2017
    Location
    Nederlands
    Posts
    33
    Thanks for your reply

    We are on CB 2.0 of course.
    The HELO bounce message was because we had to tick the box in Outlook for SMTP verification.
    Is this always needed in the latest exim.conf from 4.5?

  6. #6
    Join Date
    Jan 2017
    Location
    Nederlands
    Posts
    33
    I've found out it's related to roundcube settings with ipv6
    2017-11-06 19:36:32 H=localhost [::1] rejected EHLO or HELO : Bad HELO - Host impersonating hostname

    Is there a proper solution to get roundcube working then?
    Similar to this post: http://forum.directadmin.com/showthread.php?t=53299
    We can't use roundcube then.

  7. #7
    Quote Originally Posted by Deeefje View Post
    I've found out it's related to roundcube settings with ipv6
    2017-11-06 19:36:32 H=localhost [::1] rejected EHLO or HELO : Bad HELO - Host impersonating hostname

    Is there a proper solution to get roundcube working then?
    Similar to this post: http://forum.directadmin.com/showthread.php?t=53299
    We can't use roundcube then.
    Check your /etc/hosts file.
    We don't want to see localhost on the ::1 line (localhost6 and other "6" variants are fine)
    "localhost" should only be on the 127.0.0.1 line.

    John

  8. #8
    Join Date
    Jan 2017
    Location
    Nederlands
    Posts
    33
    Quote Originally Posted by DirectAdmin Support View Post
    Check your /etc/hosts file.
    We don't want to see localhost on the ::1 line (localhost6 and other "6" variants are fine)
    "localhost" should only be on the 127.0.0.1 line.

    John
    Thanks John

    as well no localhost.localdomain on ::1 ?

  9. #9
    localhost.localdomain is not equal to just "localhost", so it would be fine for ::1
    I've never seen anyone connect to "localhost.localdomain" anyway, so wouldn't matter much

    John
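
The /etc/hosts rule from the replies above (a bare `localhost` belongs only on the 127.0.0.1 line, while `localhost6` and `localhost.localdomain` are fine on `::1`), as an added example that is not part of the original posts. The function names are hypothetical; only the literal `::1` spelling of the address is matched, and the rewrite goes to standard output rather than editing the file.

```shell
#!/bin/sh
# Added example: find and remove a bare "localhost" on the ::1 line of a
# hosts file, the condition behind "Bad HELO - Host impersonating hostname".

# Exit 0 when file $1 has a ::1 line naming exactly "localhost".
localhost_on_ipv6_loopback() {
    awk '
        { sub(/#.*/, "") }                 # ignore comments
        $1 == "::1" {
            for (i = 2; i <= NF; i++)
                if ($i == "localhost") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print file $1 with "localhost" dropped from the ::1 line. Other names on
# that line are kept; a trailing comment on a rewritten line is dropped.
# If "localhost" was the only name, the line is commented out, because an
# address with no names is not a valid hosts entry.
strip_localhost_from_ipv6_loopback() {
    awk '
        $1 == "::1" {
            out = ""; hit = 0
            for (i = 2; i <= NF && $i !~ /^#/; i++) {
                if ($i == "localhost") hit = 1
                else out = out "\t" $i
            }
            if (hit) { print ((out == "") ? ("# " $0) : ($1 out)); next }
        }
        { print }
    ' "$1"
}

# Usage: sh hosts-check.sh /etc/hosts   (prints the corrected file if needed)
if [ "$#" -gt 0 ]; then
    if localhost_on_ipv6_loopback "$1"; then
        strip_localhost_from_ipv6_loopback "$1"
    else
        echo "ok: no bare localhost on ::1 in $1"
    fi
fi
```
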

  10. #10
    Join Date
    Jan 2013
    Posts
    117
    So my current hosts file looks like this:
    Code:
    # Generated by SolusVM
    127.0.0.1       localhost localhost.localdomain
    ::1     localhost localhost.localdomain
    178.21.20.xxx   host.xxx.nl
    2a00:1ca8:e:101:101:101:xxxx:xxxx       host.xxx.nl
    And it needs to be?:
    Code:
    # Generated by SolusVM
    127.0.0.1       localhost localhost.localdomain
    ::1     localhost.localdomain
    178.21.20.xxx   host.xxx.nl
    2a00:1ca8:e:101:101:101:xxxx:xxxx       host.xxx.nl
    Please advise.

  11. #11
    Join Date
    Jan 2017
    Location
    Nederlands
    Posts
    33
    Quote Originally Posted by Wanabo View Post
    So my current hosts file looks like this:
    Code:
    # Generated by SolusVM
    127.0.0.1       localhost localhost.localdomain
    ::1     localhost localhost.localdomain
    178.21.20.xxx   host.xxx.nl
    2a00:1ca8:e:101:101:101:xxxx:xxxx       host.xxx.nl
    And it needs to be?:
    Code:
    # Generated by SolusVM
    127.0.0.1       localhost localhost.localdomain
    ::1     localhost.localdomain
    178.21.20.xxx   host.xxx.nl
    2a00:1ca8:e:101:101:101:xxxx:xxxx       host.xxx.nl
    Please advise.

    Yes
    Just remove localhost from ::1 and it works fine

  12. #12
    Join Date
    Jan 2013
    Posts
    117
    Quote Originally Posted by Deeefje View Post
    Yes
    Just remove localhost from ::1 and it works fine
    Thanks for confirming.

  13. #13
    Join Date
    Jun 2017
    Posts
    5

    version 21

    I got version 21 so I can't update this fix.

    How can I have version 21 when CS says I'm up2date?

  14. #14
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,057
    What does "while CS im up2date" mean? What is CS? Or do you mean CB?

    In that case it's not updated when you don't have both:
    Code:
    eximconf=yes
    eximconf_release=4.5
    in your options.conf, because then it won't get updated.

    You can update exim.pl manually however:
    Code:
    wget -O /etc/exim.pl http://files.directadmin.com/services/exim.pl.24
    since we're at version 24 of exim.pl at the moment.
    Greetings, Richard.
