[packages/exim] Rel 4; more from upstream default config; fix local_delivery that was using tainted data (and thus p

arekm arekm at pld-linux.org
Tue Jun 22 09:09:33 CEST 2021 

commit 324d5d7cb72b411be08a85aee01ed953a531b8fb
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Tue Jun 22 09:09:09 2021 +0200

    Rel 4; more from upstream default config; fix local_delivery that was using tainted data (and thus preventing mail delivery)

 exim.spec  |  2 +-
 exim4.conf | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 85 insertions(+), 4 deletions(-)
---
diff --git a/exim.spec b/exim.spec
index 1b9814c..d03f5b1 100644
--- a/exim.spec
+++ b/exim.spec
@@ -24,7 +24,7 @@ Summary(pl.UTF-8):	Agent Transferu Poczty Uniwersytetu w Cambridge
 Summary(pt_BR.UTF-8):	Servidor de correio eletrônico exim
 Name:		exim
 Version:	4.94.2
-Release:	3
+Release:	4
 Epoch:		2
 License:	GPL v2+
 Group:		Networking/Daemons/SMTP
diff --git a/exim4.conf b/exim4.conf
index ff7c908..7ac4944 100644
--- a/exim4.conf
+++ b/exim4.conf
@@ -108,6 +108,7 @@ hostlist   relay_from_hosts = localhost
 # checking incoming messages. The names of these ACLs are defined here:
 
 acl_smtp_rcpt = acl_check_rcpt
+acl_smtp_data_prdr = acl_check_prdr
 acl_smtp_data = acl_check_data
 
 # You should not change those settings until you understand how ACLs work.
@@ -154,6 +155,9 @@ tls_advertise_hosts =
 # tls_certificate = /etc/ssl/exim.crt
 # tls_privatekey = /etc/ssl/exim.pem
 
+# For OpenSSL, prefer EC- over RSA-authenticated ciphers
+# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+
 # In order to support roaming users who wish to send email from anywhere,
 # you may want to make Exim listen on other ports as well as port 25, in
 # case these users need to send email from a network that blocks port 25.
@@ -230,11 +234,16 @@ commandline_checks_require_admin = true
 
 host_lookup = *
 
-
 # Advertise DSN for these hosts
 #
 dsn_advertise_hosts = *
 
+# The setting below causes Exim to try to initialize the system resolver
+# library with DNSSEC support.  It has no effect if your library lacks
+# DNSSEC support.
+
+dns_dnssec_ok = 1
+
 # The settings below cause Exim to make RFC 1413 (ident) callbacks
 # for all incoming SMTP calls. You can limit the hosts to which these
 # calls are made, and/or change the timeout that is used. If you set
@@ -253,6 +262,11 @@ dsn_advertise_hosts = *
 # Enable an efficiency feature.  We advertise the feature; clients
 # may request to use it.  For multi-recipient mails we then can
 # reject or accept per-user after the message is received.
+# This supports recipient-dependent content filtering; without it
+# you have to temp-reject any recipients after the first that have
+# incompatible filtering, and do the filtering in the data ACL.
+# Even with this enabled, you must support the old style for peers
+# not flagging support for PRDR (visible via $prdr_requested).
 #
 prdr_enable = true
 
@@ -429,6 +443,20 @@ acl_check_rcpt:
 
   require verify        = sender
 
+  # Reject all RCPT commands after too many bad recipients
+  # This is partly a defense against spam abuse and partly attacker abuse.
+  # Real senders should manage, by the time they get to 10 RCPT directives,
+  # to have had at least half of them be real addresses.
+  #
+  # This is a lightweight check and can protect you against repeated
+  # invocations of more heavy-weight checks which would come after it.
+
+  deny    condition     = ${if and {\
+                        {>{$rcpt_count}{10}}\
+                        {<{$recipients_count}{${eval:$rcpt_count/2}}} }}
+          message       = Rejected for too many bad recipients
+          logwrite      = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}]
+
   # Accept if the message comes from one of the hosts for which we are an
   # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
   # so we set control=submission to make Exim treat the message as a
@@ -506,11 +534,42 @@ acl_check_rcpt:
   # require verify = csa
   #############################################################################
 
+  #############################################################################
+  # If doing per-user content filtering then recipients with filters different
+  # to the first recipient must be deferred unless the sender talks PRDR.
+  #
+  # defer  !condition     = $prdr_requested
+  #        condition      = ${if > {0}{$receipients_count}}
+  #        condition      = ${if !eq {$acl_m_content_filter} \
+  #                                  {${lookup PER_RCPT_CONTENT_FILTER}}}
+  # warn   !condition     = $prdr_requested
+  #        condition      = ${if > {0}{$receipients_count}}
+  #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+  #############################################################################
+
   # At this point, the address has passed all the checks that have been
   # configured, so we accept it unconditionally.
 
   accept
 
+# This ACL is used once per recipient, for multi-recipient messages, if
+# we advertised PRDR.  It can be used to perform receipient-dependent
+# header- and body- based filtering and rejections.
+# We set a variable to record that PRDR was active used, so that checking
+# in the data ACL can be skipped.
+
+acl_check_prdr:
+  warn  set acl_m_did_prdr = y
+
+  #############################################################################
+  # do lookup on filtering, with $local_part@$domain, deny on filter match
+  #
+  # deny      set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+  #           condition    = ...
+  #############################################################################
+
+  accept
+
 
 # This ACL is used after the contents of a message have been received. This
 # is the ACL in which you can test a message's headers or body, and in
@@ -526,6 +585,14 @@ acl_check_data:
   # we should never receive one such via SMTP.
   #
   deny    condition  = ${if > {$max_received_linelength}{998}}
+          message    = maximum allowed line length is 998 octets, \
+                       got $max_received_linelength
+
+  # Deny if the headers contain badly-formed addresses.
+  #
+  deny    !verify =     header_syntax
+          message =     header syntax
+          log_message = header syntax ($acl_verify_message)
 
   # Deny if the message contains a virus. Before enabling this check, you
   # must install a virus scanner and set the av_scanner option above.
@@ -543,6 +610,20 @@ acl_check_data:
   #                      X-Spam_bar: $spam_bar\n\
   #                      X-Spam_report: $spam_report
 
+  #############################################################################
+  # No more tests if PRDR was actively used.
+  # accept   condition  = ${if def:acl_m_did_prdr}
+  #
+  # To get here, all message recipients must have identical per-user
+  # content filtering (enforced by RCPT ACL).  Do lookup for filter
+  # and deny on match.
+  #
+  # deny      set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+  #           condition    = ...
+  #############################################################################
+
+
+
   # Accept the message.
 
   accept
@@ -735,7 +816,7 @@ begin transports
 
 remote_smtp:
   driver = smtp
-#  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
 
 
 # This transport is used for local delivery to user mailboxes in traditional
@@ -747,7 +828,7 @@ remote_smtp:
 
 local_delivery:
   driver = appendfile
-  file = /var/mail/$local_part
+  file = /var/mail/$local_part_data
   delivery_date_add
   envelope_to_add
   return_path_add
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/exim.git/commitdiff/324d5d7cb72b411be08a85aee01ed953a531b8fb

More information about the pld-cvs-commit mailing list