Exim 4.86.2 - SECURITY

Thanks both for your reply.

But exim.dkim.conf is present and .include_if_exists /etc/exim.dkim.conf is present in exim.conf.
I've checked that before posting.
 
Since updating from 4.85 to 4.86.2 we now have users that when forwarding mail internally on the domain no longer see the envelope-to headers being added.

I do confirm exim.conf has "envelope_to_add" in the following sections:

local_delivery:
virtual_localdelivery:
address_file:

In checking the backups I have of exim.conf these three declarations have not changed at all.

For context, the customer BCC's every sent email and based on the "envelope-to" header is able to perform some filtering after it's POP'd down to a workstation.

After the update that header is now missing.
 
It also looks like forwards are going through Dovecot?

Received: from minor.server.com
by minor.server.com (Dovecot) with LMTP id

Could Dovecot be stripping it out?
 
So in checking:

Code:
dovecot_lmtp_udp:
  driver = lmtp
  socket = /var/run/dovecot/lmtp
  #maximum number of deliveries per batch, default 1
  batch_max = 200
  return_path_add

...it's missing!

Code:
dovecot_lmtp_udp:
  driver = lmtp
  socket = /var/run/dovecot/lmtp
  #maximum number of deliveries per batch, default 1
  batch_max = 200
  envelope_to_add
  return_path_add

...and a restart of EXIM and my customer says everything is peachy again...

Can we get this added to the files server so it persists over upgrades?

Thank you =)
 
New installations of DirectAdmin still require the exim.conf to be modified manually, even a month after the patch. Is there any ETA on when this will be fixed?
 
Hello,

I'm assuming you're referring to if you were to update the exim binary, but leave the 2.1.1 exim.conf untouched.

I've just updated the CB2 such that the exim.conf compile will also do a check for the variable, and things it based on the exim version and exim.conf version.
This is done with a new function "ensure_keep_environment", called with the current exim.conf version.
But, if you were to use ./build exim_conf, the same function is called, but with the eximconf_release setting from the options.conf, as that should be correctly matching.

Uploaded on files1, let me know if you still have issues, or are referring to something else.

John
 
This is done with a new function "ensure_keep_environment", called with the current exim.conf version.
Is this done automatically? Or do we need to add this line in the exim.conf?
I also make some additions to Log_selector. Are they kept too or is this only for the dovecot settings?
 
Hi John,

What I mean is that for -new- DirectAdmin installations it defaults to eximconf_release 2.1. This configuration does not have the keep_environment line added, so whenever we do new installs now every time we have to add this line manually. I can understand it not being added for existing installs when eximconf=no, but for new installs it should be there by default.

I haven't checked files1 specifically I think, when installing I always pick the option to find the fastest download mirror, that might not be files 1. I'll try picking files1 specifically next install to see if that one has the above already added. Obviously if it does it'd be great if it was added on all the mirrors :-)
 
Correct, but none of the services tar.gz packs install 4.86.2 by default.
If we were to include it in the exim.conf by default, all of the default exim binaries would fail to start up.
CB2 will add the keep_env option when the exim binary is compiled/updated... so I'm a bit confused why there is an issue.
Let me know what I'm missing :)

Perhaps you're using CB1.2? Let me know.

John

Note: files1 is the master, all other mirrors would get all of those changes within 24 hours via rsync.
 
Thanks for the response - for me, even completely new installs (with CB2) will end up with version 4.87 but without the keep_environment line. I see in the code the ensure_keep_environment you added, next install I'll try to debug why it doesn't add the line for me. I'll get back to you on this with an update.
 
If the line "keep_environment" should be placed in the exim.conf, then on my servers which I upgraded to 4.87 it's not present, nor is an "ensure_keep_environment" line. So it did not add it for me either on any of the servers (CentOS 6).
 
Thanks for the info. I'm assuming then, the exim=yes is enabled at install time.

Can you see if:
Code:
./build exim
is adding the line? That's essentially what would happen at install time, so is the first step to narrow it down.
The build script will call the doExim() function, and should have a call to
Code:
    ECV=`exim_conf_version`
    EC_MAJ_V=`echo $ECV | cut -d. -f1,2`
    ensure_keep_environment ${EC_MAJ_V}
so that's where we'd need to focus our attention.

Another way we can debug would be to leave all default CB2 settings, or just keep exim=no at install time, then after the install is done, use exim=yes and ./build exim, and see if that adds the line.
If you've got eximconf=no, and have the 2.x version, then this would be the code that the script is running to check the exim.conf:
Code:
            COUNT_KEEP_ENV=`grep -c 'keep_environment' /etc/exim.conf`
            if [ "${COUNT_KEEP_ENV}" -gt 0 ]; then
                echo "Uncommenting variable keep_environment in /etc/exim.conf.";
                perl -pi -e 's/^#keep_environment=/keep_environment=/' /etc/exim.conf
            else
                echo "Adding variable keep_environment to /etc/exim.conf.";
                perl -pi -e 's/^perl_startup/keep_environment=PWD\nperl_startup/' /etc/exim.conf
            fi
which means it would be inserting the line just before the perl_startup line... so it's likely somewhere in there.
Hopefully this will help track it down.

John
 
We have 1 server with eximconf=yes in options.conf, and we use the version 4.x spamblocker exim.conf.
I did a ./build exim and did not see any call with the word "environment" in it. After compile the line is still not present.

So I tried on another server, which had eximconf=no and changed that to yes and did ./build update and ./build exim.
Same result.
The only thing I do see is a line saying "exim.conf already exists" and the issue I reported for the 4.87 version of Exim, which we can probably ignore?
2016-04-18 11:57:00 Warning: No server certificate defined; TLS connections will fail.
Suggested action: either install a certificate or change tls_advertise_hosts option

But no environment lines in exim.conf.

Even when eximconf is set to yes on this server, the exim.conf was not overwritten. Some manually placed lines in there are still present, which might be explained by the "exim.conf already exists". Maybe this is causing the line not being added? I don't know, I'm not a programmer.
 
@Richard G, I believe you need to do ./build exim_conf , not only ./build exim
 
Hmm, yes, as ditto mentioned, exim_conf adds 4.4... and it's not going to be in the /etc/exim.conf, it will be in /etc/exim.variables.conf.
So for the broken state, what is the version of the /etc/exim.conf? Was that changed afterwards or set during install time?
I'm still confused as to what the exact steps to duplicate (what values on vs off, and versions), are in the options.conf, and when they're put there.

John
 
Okay, so I've been busy debugging this issue on a new freshly installed Custombuild 2 installation.

In the build script on line 6541 the following happens:
Code:
6541         ECV=`exim_conf_version`
6542         EC_MAJ_V=`echo $ECV | cut -d. -f1,2`
6543         ensure_keep_environment ${EC_MAJ_V}

Here, the exim_conf_version function returns 0 because it does a head -n1 /etc/exim.conf and tries to get the version from there. However, the first line is all ########.
Then it will enter the ensure_keep_environment function with a parameter of 0:
Code:
exim_conf_version() {
	COUNT=0
	if [ -e /etc/exim.conf ]; then
		COUNT=`head -n1 /etc/exim.conf | grep -c 'Version'`
	fi
	if [ "${COUNT}" -gt 0 ]; then
		T_EXIMCONFV="`head -n1 /etc/exim.conf | awk '{ print $6 }'`"
	else
		T_EXIMCONFV=0
	fi
	echo $T_EXIMCONFV
}
ensure_keep_environment()
{
	EXIMV="`exim_version`"

	#this might be the current exim.conf, or the exim.conf being installed.
	#set by whichever is calling the function.
	FOR_EXIM_CONF_VER=$1
	
	if [ "${FOR_EXIM_CONF_VER}" != "2.1" ] && [ "${FOR_EXIM_CONF_VER}" != "4.2" ]; then
		# Because FOR_EXIM_CONF_VER is 0, it ends up in this block, which is the wrong one. It should end up in the else block further below
		#for newer exim.conf files with exim.variables.conf:
		
		#remove variables from the default that don't work with older versions of exim.
		if [ "`version_cmp ${EXIMV} 4.86.2 'exim ver for keep_environment'`" -lt 0 ]; then
			echo "Exim ${EXIMV} is older than 4.86.2. Removing variable keep_environment.";
			perl -pi -e 's/^keep_environment=.*$\n//' /etc/exim.variables.conf.default
			perl -pi -e 's/^keep_environment=.*$\n//' /etc/exim.variables.conf
		fi
	else
		#older exim.conf files without extra files.
	
		#remove variables from the exim.conf that don't work with older versions of exim.
		if [ "`version_cmp ${EXIMV} 4.86.2 'exim ver for keep_environment'`" -lt 0 ]; then
			echo "Exim ${EXIMV} is older than 4.86.2. Removing variable keep_environment from /etc/exim.conf.";
			perl -pi -e 's/^keep_environment=/#keep_environment=/' /etc/exim.conf
		else
			#else enable the feature, if available.
			echo "Exim ${EXIMV} is at least 4.86.2.";
			COUNT_KEEP_ENV=`grep -c 'keep_environment' /etc/exim.conf`
			if [ "${COUNT_KEEP_ENV}" -gt 0 ]; then
				echo "Uncommenting variable keep_environment in /etc/exim.conf.";
				perl -pi -e 's/^#keep_environment=/keep_environment=/' /etc/exim.conf
			else
				echo "Adding variable keep_environment to /etc/exim.conf.";
				perl -pi -e 's/^perl_startup/keep_environment=PWD\nperl_startup/' /etc/exim.conf
			fi
		fi
	fi
}

So the actual error is in the exim_conf_version() function which returns 0. Hardcoding this to 2.1 will make it work properly.

I've never used eximconf 3/4, so I'm not sure what they look like or what the exim_conf_version should look like, but FWIW this is what the header of the eximconf 2 file (/etc/exim.conf) looks like:
Code:
######################################################################
#                 SpamBlocker.exim.conf.2.1.1-release                #
#                             05-Jun-2007                            #
#   Runtime configuration file for DirectAdmin/Exim 4.24 and above   #
#          Requires exim.pl dated 20-Apr-2007 17:09 or later         #
######### IMPORTANT ########## IMPORTANT ########## IMPORTANT ########
# WARNING! Be sure to back up your previous exim.conf file before    #
# attempting to use this exim.conf file.                             #
#                                                                    #
# Do may not use this exim.conf Exim configuration file unless you   #
# make the required modifications to your Exim configuration         #
# following the instructions in the README file included in this     #
# distribution.                                                      #
#                                                                    #
# This is version "2.0 of the SpamBlocker exim.conf file as          #
# distributed by NoBaloney Internet Services for DirectAdmin based   #
# servers.                                                           #
#                                                                    #
# More information about NoBaloney.net may be found at:              #
#  http://www.nobaloney.net/                                         #
#                                                                    #
# More information about DirectAdmin may be found at:                #
#  http://www.directadmin.com/                                       #
#                                                                    #
# This Exim configuration file has been modified from the original   #
# as distributed with Exim 4.  The modifications have been made by:  #
#                                                                    #
# Jeff Lasman                                                        #
# NoBaloney Internet Services                                        #
# Post Office Box 52200                                              #
# Riverside, CA 92517-3200                                           #
# [email protected]                                          #
# (951) 643-5345                                                     #
#                                                                    #
# The SpamBlocker exim.conf file has been modified from the original #
# exim.conf file as distributed with Exim 4, which includes the      #
# following copyright notice:                                        #
#                                                                    #
# Copyright (C) 2002 University of Cambridge, Cambridge, UK          #
#                                                                    #
# Portions of the file are taken from the exim.conf file as          #
# distributed with DirectAdmin (http://www.directadmin.com/),        #
#                                                                    #
# Copyright(C)2003-2007 JBMC Software, St Albert, AB, Canada T8N 5C9 #
#                                                                    #
# Portions of this file are written by Jeff Lasman, of               #
# NoBaloney Internet Services and are copyright as follows:          #
#                                                                    #
# Copyright (C) 2004-2007 NoBaloney Internet Services,               #
# Riverside, Calif., USA                                             #
#                                                                    #
# The entire Exim 4 distribution, including the exim.conf file, is   #
# distributed under the GNU GENERAL PUBLIC LICENSE, Version 2,       #
# June 1991. If you do not have a copy of the GNU GENERAL            #
# PUBLIC LICENSE you may download it, in it's entirety, from         #
# the website at:                                                    #
#                                                                    #
# http://www.nobaloney.net/exim/gnu-gpl-v2.txt                       #
#                                                                    #
######################################################################
#                                                                    #
# The most recent version of this SpamBlocker exim.conf file may     #
# always be downloaded from the website at                           #
#                                                                    #
# http://www.nobaloney.net/exim/exim.conf.spamblocked                #
#                                                                    #
######### IMPORTANT ########## IMPORTANT ########## IMPORTANT ########
#                                                                    #
# Whenever you change Exim's configuration file, you *must* remember #
# to HUP the Exim daemon, because it will not pick up the new        #
# configuration until you do. However, any other Exim processes that #
# are started, for example, a process started by an MUA in order to  #
# send a message, will see the new configuration as soon as it is in #
# place.                                                             #
#                                                                    #
# You do not need to HUP the daemon for changes in auxiliary files   #
# that are referenced from this file. They are read every time they  #
# are used.                                                          #
#                                                                    #
# It is usually a good idea to test a new configuration for          #
# syntactic correctness before installing it (for example, by        #
# running the command "exim -C /config/file.new -bV").               #
#                                                                    #
### MODIFICATION INSTRUCTIONS ########## MODIFICATION INSTRUCTIONS ###
#                                                                    #
# YOU MUST MAKE THE CHANGES TO THIS SpamBlocked exim.conf file as    #
# documented in the README file.                                     #
#                                                                    #
# The README file for this version is named:                         #
# README.SpamBlocker.exim.conf.2.1                                   #
#                                                                    #
######################################################################
#   update information: changed blockists 29-May-2007 version 2.1    #
######################################################################

Hopefully this is enough information for you to resolve the issue!
 
@Ditto: Oh well, then it was DA's support's fault who said to do a ./build exim in their reply. :)
At the moment on all servers this is what's in my exim.variables.conf:
Code:
keep_environment=PWD
However there is no ensure_keep_environment present anywhere after a ./build exim_conf. And it isn't present at the server with eximconf=yes after a ./build exim_conf.

On the server with eximconf=no after changing to yes and building exim.conf, same result.
I had that set to exim version 4.3 though, so I set it to 4.4 hoping that might fix things, but the "ensure_environment" line is still not present in the exim.variables.conf.

This is the heading of a spamblocker 4 configuration file if this might be of any help:
Code:
# SpamBlockerTechnology* powered exim.conf, Version 4.4.2
# Dec 5, 2015
# Exim configuration file for DirectAdmin
# Requires exim.pl as distributed by DirectAdmin here:
# http://files.directadmin.com/services/exim.pl version 21 or higher
# ClamAV optional
# SpamAssassin optional
# Dovecot/IMAP Mandatory
# *SpamBlockerTechnology is a Trademark of NoBaloney Internet Services:
# http://www.nobaloney.net
#
# WARNING! Do NOT use this exim.conf Exim configuration file unless you
# make the required modifications to your Exim configuration
# following the instructions in the README file included in this
# distribution:
# README-SpamBlockerVersion4exim.conf.txt
#
# The original exim.conf file distributed with Exim 4, includes the
# following copyright notice:
#
# Copyright (C) 2002 University of Cambridge, Cambridge, UK
#
# Portions of the file are taken from the exim.conf file as
# distributed with DirectAdmin (http://www.directadmin.com/)
#
# Copyright (C) 2003-2011 JBMC Software, St Albert, AB, Canada
#
# Portions of this file are written by NoBaloney Internet Services
# and are copyright as follows:
#
# Copyright (C) 2004-2011 NoBaloney Internet Services, Riverside, Calif., USA
#
# The entire Exim 4 distribution, including the exim.conf file, is
# distributed under the GNU GENERAL PUBLIC LICENSE, Version 2,
# June 1991. If you do not have a copy of the GNU GENERAL PUBLIC LICENSE
# you may download it, in it's entirety, from the website at:
#
# http://www.nobaloney.net/exim/gnu-gpl-v2.txt
#
# Thanks to all the members of the DirectAdmin community and of the exim
# community who have given their # much needed and appreciated help.
#
# The most recent version of this file may always downloaded from the website
# at: http://www.nobaloney.net/downloads/spamblocker
#
# MODIFICATION INSTRUCTIONS
#
# YOU MUST MAKE THE CHANGES TO THIS
# SpamBlockerTechnology* powered exim.conf, Version 4.0
# file as documented in the README file.
#
# The README file for this version is named:
# README-SpamBlockerVersion4exim.conf.txt

# CONFIGURATION STARTS HERE

Addition:
What is the version of the /etc/exim.conf? Was that changed afterwards or set during install time?
In my case always changed after the installation and version 4.4.2.
 
Ah, thanks nielsh! That's it.
I've fixed the exim_conf_version to look like this, which should handle both version cases, and also log to the custombuild.log if it's not able to figure it out
Code:
exim_conf_version() {
    COUNT=0
    T_EXIMCONFV=0
    if [ -e /etc/exim.conf ]; then
        COUNT=`head -n1 /etc/exim.conf | grep -c 'Version'`
        if [ "${COUNT}" -gt 0 ]; then
            T_EXIMCONFV="`head -n1 /etc/exim.conf | awk '{ print $6 }'`"
        fi
        
        if [ "${T_EXIMCONFV}" = "0" ]; then
            COUNT=`head -n2 /etc/exim.conf | grep -c release`
            if [ "${COUNT}" -gt 0 ]; then
                T_EXIMCONFV="`head -n2 /etc/exim.conf | grep release | awk '{ print $2 }' | cut -d. -f4,5,6 | cut -d- -f1`"
            fi
        fi
    fi
    
    if [ "${T_EXIMCONFV}" = "0" ]; then
        writeLog "exim_conf_version: Cannot determine version of /etc/exim.conf";
    fi


    echo $T_EXIMCONFV
}
Added to files1, other mirrors within 24 hours.

Thanks for the find!
John
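As an added example (my own code, not CustomBuild's), the following mirrors nielsh's analysis of the 0-return and John's fixed exim_conf_version above: it parses both header styles quoted in this thread, then applies the same branch logic as ensure_keep_environment to say which file would be touched for a given Exim version. version_cmp, keep_environment_action, the "0" guard and the sample files are my own constructions; the header lines are trimmed from the two formats posted above.

```shell
# Print the version of the exim.conf at $1, or 0 if it cannot be determined.
# Line 1 "..., Version 4.4.2" is the 4.x header; line 2
# "SpamBlocker.exim.conf.2.1.1-release" is the 2.1.x header whose all-# first
# line made the original exim_conf_version return 0.
exim_conf_version_of() {
    f=$1
    v=0
    if [ -e "$f" ]; then
        if head -n1 "$f" | grep -q 'Version'; then
            v=$(head -n1 "$f" | awk '{ print $6 }')
        elif head -n2 "$f" | grep -q release; then
            v=$(head -n2 "$f" | grep release | awk '{ print $2 }' \
                | cut -d. -f4,5,6 | cut -d- -f1)
        fi
    fi
    echo "$v"
}

# Constructed stand-in for CB2's version_cmp: prints -1, 0 or 1 after comparing
# dotted versions $1 and $2 component by component, numerically.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# Which action ensure_keep_environment takes for exim.conf major version $1
# (2.1, 4.2, 4.4, ...) and Exim version $2: the 2.1/4.2 layouts edit
# /etc/exim.conf itself, newer layouts carry the option in exim.variables.conf,
# and Exim older than 4.86.2 must not see keep_environment at all. The "0"
# guard is my addition; CB2's fix only logs that the version is unknown.
keep_environment_action() {
    conf_major=$1
    exim_ver=$2
    if [ "$conf_major" = "0" ]; then
        echo "unknown exim.conf version, leave untouched"
    elif [ "$conf_major" != "2.1" ] && [ "$conf_major" != "4.2" ]; then
        if [ "$(version_cmp "$exim_ver" 4.86.2)" -lt 0 ]; then
            echo "remove from exim.variables.conf"
        else
            echo "keep in exim.variables.conf"
        fi
    elif [ "$(version_cmp "$exim_ver" 4.86.2)" -lt 0 ]; then
        echo "comment out in exim.conf"
    else
        echo "add or uncomment in exim.conf"
    fi
}

# Constructed sample headers (trimmed from the two formats quoted in the
# thread), written to a temp dir so the example runs offline.
SAMPLES=$(mktemp -d)
printf '%s\n' '# SpamBlockerTechnology* powered exim.conf, Version 4.4.2' \
    '# Dec 5, 2015' > "$SAMPLES/v4.conf"
printf '%s\n' '######################################################################' \
    '#                 SpamBlocker.exim.conf.2.1.1-release                #' > "$SAMPLES/v2.conf"

for c in v4 v2 missing; do
    ver=$(exim_conf_version_of "$SAMPLES/$c.conf")
    echo "$c.conf: version $ver -> $(keep_environment_action "$(echo "$ver" | cut -d. -f1,2)" 4.87)"
done
```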
 