Exim 4.86.2 - SECURITY

I get these errors after update (exim restarts fine):
2016-03-06 14:28:16 Received from [email protected] H=mx210.g.outbound.createsend.com [103.28.42.210] P=esmtp S=58862 [email protected] T="Your Signature Guide to Luxury - March 2016"
2016-03-06 14:28:19 [email protected] F=<[email protected]> R=spamcheck_director T=spamcheck: Child process of spamcheck transport returned 2 from command: /usr/sbin/exim
Process failed (1) when writing error message to [email protected] (frozen)2016-03-06 14:30:48 [email protected] F=<[email protected]> R=spamcheck_director T=spamcheck: Child process of spamcheck transport returned 2 from command: /usr/sbin/exim

OS FreeBSD 9.1.


Version:

root@srv:/usr/local/directadmin/custombuild # /usr/sbin/exim -bV
Exim version 4.86.2 #1 built 06-Mar-2016 14:29:37
Copyright (c) University of Cambridge, 1995 - 2015
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2015
Probably Berkeley DB version 1.8x (native mode)
Support for: crypteq IPv6 use_setclassresources Perl OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime DNSSEC PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim.conf


I think my exim.conf got "broken" after the update from custombuild.
 
Last edited:
I have one server keep showing this error:
exim: error while loading shared libraries: libsrs_alt.so.1: cannot open shared object file: No such file or directory

I have run

./build clean
./build update
./build libsrs_alt
./build exim
./build exim_conf

No error after building, but exim is broken. I am using CB2 (rev: 1516). Checking files, and there are same files with other servers:

# ls -l /usr/local/lib/libsrs_alt.so*
lrwxrwxrwx 1 root root 19 Mar 7 03:19 /usr/local/lib/libsrs_alt.so -> libsrs_alt.so.1.0.0
lrwxrwxrwx 1 root root 19 Mar 7 03:19 /usr/local/lib/libsrs_alt.so.1 -> libsrs_alt.so.1.0.0
-rwxr-xr-x 1 root root 48695 Mar 7 03:19 /usr/local/lib/libsrs_alt.so.1.0.0

Any idea?
Thanks.
 
Last edited:
Hi Wattie,

I had the same. I decided to change some stuff manualy for now.
So I commented out spamassasin in total for now.
Now went back to exim_conf 2.1 and the problems are gone.
Going to try and see what happens if I go up 1 version.
 
So what do we do with new installations of DirectAdmin? Do we have to keep changing exim.conf manually?
 
Hi together.

i have patched the exim and the exim.conf over custombuild.

when i used now the command line mailq i get an error.

mailq
2016-03-10 16:45:04 Exim configuration error in line 21 of /etc/exim.variables.conf:
main option "keep_environment" unknown

in my /etc/exim.variables.conf i have
#Do not edit this file directly
#edit /etc/exim.variables.conf.custom

disable_ipv6=true
message_size_limit=50M
smtp_receive_timeout=5m
smtp_accept_max=100
message_body_visible=3000
print_topbitchars=true
smtp_accept_max_nonmail=10
smtp_accept_max_per_host=10
recipients_max=150
smtp_accept_queue_per_connection=10
smtp_accept_max_per_connection=100
deliver_queue_load_max=10.0
queue_only_load=100.0
queue_run_max=5
ignore_bounce_errors_after=2d
timeout_frozen_after=3d
trusted_users=mail:majordomo:apache:diradmin
split_spool_directory=yes
keep_environment=PWD

in the directadmin under Mail Queue Administration it works perfect.

Any Ideas ?
 
@getUP: Until we change the default exim binaries for the install, that is correct.

@Marwen: Your /usr/sbin/exim binaries are not 4.86.2. Confirm by typing:
Code:
/usr/sbin/exim -bV
The exim binary might be somewhere here:
Code:
ls -la /usr/sbin/exim*
so if you find it there (sometimes with a version number in the name), rename it to "exim" and chown to root:root, then chmod to 4755.

John
 
Hey John.

/usr/sbin/exim -bV
Exim version 4.86.2 #2 built 09-Mar-2016 10:42:52
Copyright (c) University of Cambridge, 1995 - 2015
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2015
Berkeley DB: Berkeley DB 4.7.25: (September 22, 2015)
Support for: crypteq IPv6 Perl OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime DNSSEC PRDR OCSP Experimental_SPF Experimental_SRS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb
Authenticators: cram_md5 dovecot plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim.conf



ls -la /usr/sbin/exim*
-rwsr-xr-x 1 root root 1176508 Mar 9 10:42 /usr/sbin/exim
-rwxr-xr-x. 1 root root 4605 Mar 9 10:42 /usr/sbin/exim_checkaccess
-rwxr-xr-x. 1 root root 4605 Mar 9 10:42 /usr/sbin/exim_checkaccess.O
-rwxr-xr-x. 1 root root 14144 Mar 9 10:42 /usr/sbin/exim_dbmbuild
-rwxr-xr-x. 1 root root 14144 Mar 9 10:42 /usr/sbin/exim_dbmbuild.O
-rwxr-xr-x. 1 root root 19718 Mar 9 10:42 /usr/sbin/exim_dumpdb
-rwxr-xr-x. 1 root root 19718 Mar 9 10:42 /usr/sbin/exim_dumpdb.O
-rwxr-xr-x. 1 root root 25801 Mar 9 10:42 /usr/sbin/exim_fixdb
-rwxr-xr-x. 1 root root 25801 Mar 9 10:42 /usr/sbin/exim_fixdb.O
-rwxr-xr-x. 1 root root 17542 Mar 9 10:42 /usr/sbin/exim_lock
-rwxr-xr-x. 1 root root 17542 Mar 9 10:42 /usr/sbin/exim_lock.O
-rwxr-xr-x. 1 root root 20659 Mar 9 10:42 /usr/sbin/exim_tidydb
-rwxr-xr-x. 1 root root 20659 Mar 9 10:42 /usr/sbin/exim_tidydb.O
-rwxr-xr-x. 1 root root 150933 Mar 9 10:42 /usr/sbin/eximstats
-rwxr-xr-x. 1 root root 150933 Mar 9 10:42 /usr/sbin/eximstats.O
 
Ok, that's fine. Perhaps the new configs were updated before exim was restarted..
If the errors have stopped being added, you're probably fine.
Just make sure you see 4.86.2 if you telnet to port 25.

John
 
Another problem is Sender Rewriting Scheme (SRS). With this enabled in Exim, email forwarder is rewritten to something likes
SRS0=Dk+SLg=PG=sender-domain.com=sender-name@destination-domain.com

With SpamExperts outgoing filters, the sender verification will be failed, and email is not sent out.
 
Is it possible/advisable at all to try and update Exim with CB 1.2?


EDIT:
Did the Exim-update and manual "keep_environment=PWD"-mod in exim.conf.
No issues or errors noticed as of yet.
 
Last edited:
To get it, run:
Code:
cd /usr/local/directadmin/custombuild
./build update
./build exim[/QUOTE]

doesn't work over here:

[CODE]spf.c: In function 'spf_process':
spf.c:119: warning: passing argument 1 of 'string_nextinlist' from incompatible pointer type
functions.h:426: note: expected 'const uschar **' but argument is of type 'uschar **'
gcc srs.c
srs.c: In function 'eximsrs_init':
srs.c:51: warning: passing argument 1 of 'string_nextinlist' from incompatible pointer type
functions.h:426: note: expected 'const uschar **' but argument is of type 'uschar **'
srs.c:53: warning: passing argument 1 of 'string_nextinlist' from incompatible pointer type
functions.h:426: note: expected 'const uschar **' but argument is of type 'uschar **'
srs.c:56: warning: passing argument 1 of 'string_nextinlist' from incompatible pointer type
functions.h:426: note: expected 'const uschar **' but argument is of type 'uschar **'
srs.c:59: warning: passing argument 1 of 'string_nextinlist' from incompatible pointer type
functions.h:426: note: expected 'const uschar **' but argument is of type 'uschar **'
srs.c:62: warning: passing argument 1 of 'string_nextinlist' from incompatible pointer type
functions.h:426: note: expected 'const uschar **' but argument is of type 'uschar **'
srs.c:74: warning: passing argument 1 of 'string_nextinlist' from incompatible pointer type
functions.h:426: note: expected 'const uschar **' but argument is of type 'uschar **'
srs.c:107: warning: passing argument 1 of 'string_nextinlist' from incompatible pointer type
functions.h:426: note: expected 'const uschar **' but argument is of type 'uschar **'
gcc utf8.c
gcc version.c
gcc -o exim
/usr/bin/ld: cannot find -lperl
collect2: ld returned 1 exit status
make[1]: *** [exim] Error 1
make[1]: Leaving directory `/usr/local/directadmin/custombuild/exim-4.86.2/build-Linux-x86_64'
make: *** [all] Error 2

*** The make has failed, would you like to try to make again? (y,n):

On Debian 6 servers already running Exim version 4.86 #2. Debian 7 servers seem to update ok fortunately.

Also, when running a regular ./build update_versions with CB 2 with eximconf=yes the exim.variables.conf isn't updated so it will result in warnings in the Exim mainlog about the missing keep_environment and add_environment.
 
Last edited:
doesn't work over here:

Code:
gcc -o exim
/usr/bin/ld: cannot find -lperl
collect2: ld returned 1 exit status
make[1]: *** [exim] Error 1
make[1]: Leaving directory `/usr/local/directadmin/custombuild/exim-4.86.2/build-Linux-x86_64'
make: *** [all] Error 2

*** The make has failed, would you like to try to make again? (y,n):

Try the manual method:
http://help.directadmin.com/item.php?id=125

where you might need to manually set the correct values from this
Code:
[COLOR=#000000][FONT=courier new]echo "PERL_CC=`/usr/bin/perl -MConfig -e 'print $Config{cc}'`"; [/FONT][/COLOR]
[COLOR=#000000][FONT=courier new]echo "PERL_CCOPTS=`/usr/bin/perl -MExtUtils::Embed -e ccopts`"; [/FONT][/COLOR]
[COLOR=#000000][FONT=courier new]echo "PERL_LIBS=`/usr/bin/perl -MExtUtils::Embed -e ldopts`"[/FONT][/COLOR]
into your exim-4.86.2/Local/Makefile, in case the default values aren't working.

John
 
DKIM invalid after updating to latest exim

Updated exim and exim config today.
Mail sending and receiving is working, but now Thunderbird (add ons, DKIM Verifier 1.4.1) complains I do not have a valid DKIM signature. Before updating to latest exim this was ok.

This is what I have done.
Enabling exim, eximconf and eximconf_release in custombuild plugin.
As root I ran the following:
cd /usr/local/directadmin/custombuild
./build update
./build exim
./build exim_conf

When I noticed DKIM was invalid I tried:
echo "action=rewrite&value=dkim" >> /usr/local/directadmin/data/task.queue

Still invalid though.:(

How can I fix DKIM?

My options.conf
Code:
#PHP Settings
php1_release=5.6
php1_mode=php-fpm
php2_release=7.0
php2_mode=php-fpm
opcache=yes
htscanner=yes
php_ini=no
php_timezone=Europe/Amsterdam
php_ini_type=production
ioncube=no
zend=no
suhosin=no
x_mail_header=yes

#MySQL Settings
mysql=5.6
mysql_inst=no
mysql_backup=yes
mysql_backup_dir=/usr/local/directadmin/custombuild/mysql_backups
mysql_force_compile=no

#WEB Server Settings
webserver=nginx_apache
litespeed_serialno=trial
modsecurity=no
modsecurity_ruleset=no
apache_ver=2.4
apache_mpm=auto
mod_ruid2=no
harden_symlinks_patch=yes
use_hostname_for_alias=no
redirect_host=host.nieuwskop.nl
redirect_host_https=no

#WEB Applications Settings
phpmyadmin=yes
phpmyadmin_ver=4
squirrelmail=no
roundcube=yes
webapps_inbox_prefix=no

#ClamAV-related Settings
clamav=no
clamav_exim=yes
modsecurity_uploadscan=no
proftpd_uploadscan=no
pureftpd_uploadscan=no
suhosin_php_uploadscan=no

#Mail Settings
exim=yes
eximconf=yes
eximconf_release=4.4
blockcracking=no
easy_spam_fighter=no
spamassassin=no
dovecot=yes
dovecot_conf=yes
pigeonhole=no

#FTP Settings
ftpd=pureftpd

#Statistics Settings
awstats=no
webalizer=yes

#CustomBuild Settings
custombuild=2.0
autover=no
bold=yes
clean=yes
cleanapache=yes
clean_old_tarballs=yes
clean_old_webapps=yes
downloadserver=files6.directadmin.com

#Cronjob Settings
cron=no
cron_frequency=weekly
[email protected]
notifications=yes
da_autoupdate=no
updates=no
webapps_updates=yes

#CloudLinux Settings
cloudlinux=no
cagefs=no

#Advanced Settings
autoconf=yes
automake=yes
libtool=yes
curl=no
new_pcre=no

mariadb=10.0
sa_update=no
userdir_access=yes
 
Updated exim and exim config today.

Had the same thing happen to me.
Most likely exim.conf has been overwritten by the CB 'update' of exim.conf, which has deleted the DKIM-lines that probably have been edited in there before.

Look down the page at **REQUIRED CHANGES**:
http://www.directadmin.com/features.php?id=1189


Perhaps it's possible CB makes a backup first of the configfiles it 'updates' (overwrites with an 'old' conf file on the DA-server).
 
Back
Top