On 25.07.25 at 04:32, Moritz Orbach via Exim-users wrote:
Hi all,
I don't trust libspf2 anymore because after almost 2 years it's still
unclear to me if CVE-2023-42118 is fixed or not (e.g.
https://bugs.gentoo.org/916493#c2).
In an attempt to replace it I wrote an ACL that checks SPF alignm
On 17.06.25 at 05:11, Viktor Dukhovni via Exim-users wrote:
posttls-finger: < 220 begin TLS negotiation
posttls-finger: server certificate verification failed for
smtp.altice.prod.cloud.openwave.ai[66.179.105.209]:587: num=62:hostname mismatch
posttls-finger: smtp.altice.prod.clo
On 16.06.25 at 09:14, AC via Exim-users wrote:
I've added a rule in acl_smtp_connect to block connections from failed
rDNS but occasionally one seemingly slips through. I suspect it's
going through a different pathway but why would acl_smtp_connect not
block the below event? There's no indic
On 06.06.25 at 15:22, Viktor Dukhovni via Exim-users wrote:
You have to be more specific, Fedora's `s_client` is *more* restrictive
than OpenSSL upstream without the crypto-policy patches.
but the used s_client is the Fedora s_client which was LESS restrictive
I think this should be best disc
On 06.06.25 at 12:22, Jeremy Harris via Exim-users wrote:
On 2025/06/06 10:55 AM, Viktor Dukhovni via Exim-users wrote:
250 DSN
quit
221 2.0.0 Bye
I'm not convinced that was Exim; our EHLO response always has "HELP"
as the final element. DSN, if present, would be on a continuat
On 06.06.25 at 11:55, Viktor Dukhovni via Exim-users wrote:
Perhaps, Exim disables the "kRSA" ciphers/
I'm pretty sure you are right about the RSE Kx limitation, but s_client
should enforce that too???
You're still muddled.
No, not any longer \o/ : Found it.
In my case, sending mails out
On 06.06.25 at 10:21, Viktor Dukhovni via Exim-users wrote:
On Fri, Jun 06, 2025 at 09:37:27AM +0200, Cyborg via Exim-users wrote:
Exim returns:
TLS session: (SSL_connect): error:0A00018A:SSL routines::dh key too small
when connecting with s_client to that server, a wired connection is
Hi,
interesting situation:
Exim returns:
TLS session: (SSL_connect): error:0A00018A:SSL routines::dh key too small
when connecting with s_client to that server, a wired connection is
established:
New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation
On 02.06.25 at 11:27, Niels Dettenbach via Exim-users wrote:
may be, but:
- that the GDPR "enforce" TLS 1.2+ as "state of the art" (and no other mechanism /
setup) is your / just one interpretation of "state of the art".
True, the words TLS 1.2 are not mentioned in it, because any country ha
On 29.05.25 at 12:04, Kai Bojens via Exim-users wrote:
On Sunday, 25 May 2025 13:54:29 Central European Summer Time Mike Cardwell
via Exim-users wrote:
I don't know what the generally accepted config is for SMTP TLS these
days, but bear in mind that a connecting MTA may decide to fall back t
On 29.05.25 at 03:06, Viktor Dukhovni via Exim-users wrote:
In that case, PQ
keyshares aren't sent and STARTTLS works with "boeing.com" (still
hangs with default TLS 1.3 connections under OpenSSL 3.5).
anyone using tls 1.2 only servers in 2025 ( 7y after 1.3 introduction )
deserves to not get
On 28.05.25 at 22:41, Jeremy Harris via Exim-users wrote:
Short answer: Yes: Exim can do just about whatever you want; it's
a Simple Matter Of Programming.
It can not be said often enough: Exim is indeed great!
My favorite serversoftware triple: ul{ OpenSSH, Apache httpd, Exim }/ul
i.E.
On 14.05.25 at 09:59, Viktor Ustiuhov via Exim-users wrote:
Reading a little more, I see that I should use:
auth_advertise_hosts = ${if eq{$tls_cipher}{}{*}{*}}
That doesn't make sense. Maybe you meant
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
you are both wrong with this suggestio
On 14.05.25 at 11:35, Viktor Ustiuhov via Exim-users wrote:
I do not see any requirement in the task to limit the version of TLS, so
the solution fully complies with the conditions of the task.
IMHO the task was to have real encrypted traffic, not something a 15y
old can crack on its laptop.
On 06.04.25 at 22:01, Mark Elkins via Exim-users wrote:
In MYSQL - try:-
SELECT GROUP_CONCAT(domain SEPARATOR ':') AS domain FROM mail_domains
On 2025/04/06 21:43, Ray O'Donnell via Exim-users wrote:
I do the same thing using PostgreSQL - my lookup looks like this
(built with help from this
On 21.02.25 at 13:25, Heiko Schlittermann via Exim-users wrote:
Exim 4.98.1 is released to the public.
It addresses a SQL injection. Please read
https://exim.org/static/doc/security/CVE-2025-26794.txt
to decide whether you need to rush.
Fedora 40 tested: SQLite not used for HintsDB.
(we
On 27.01.25 at 01:47, Andrew Bernard via Exim-users wrote:
Using the exim4 package on Ubuntu 24.04 I consistently get:
TLS session: (cert/key setup:
cert=/etc/letsencrypt/archive/xxx.space/fullchain1.pem
key=/etc/letsencrypt/archive/xxx.space/fullchain1.pem): The requested
data were not av
On 04.10.24 at 20:04, Johnnie W Adams via Exim-users wrote:
I'm grasping at straws here, I suppose, but I'm wondering: How
reliable is exim logging on a not-very-busy machine? Pretty reliable, I
figure, but these results make me wonder.
It can't/won't log any connection attempt, that does
On 28.09.24 at 19:12, Ivor Durham via Exim-users wrote:
I don't know enough about exim configuration and retry rules. So is there a
way to not try the other four Yahoo IP addresses immediately when the
response is for "unusual volume" or "user complaints". I gather that exim
Another label for
On 09.09.24 at 18:39, Andreas Metzler via Exim-users wrote:
Hello,
I am not 100% sure what the best/correct dependencies for Debian's
systemd unit (Type=exec) are.
For reference exim git has:
Requires=network.target
After=networking.target
while Fedora, Gentoo, Opensuse use
After=network.targ
On 21.08.24 at 20:27, Evgeniy Berdnikov via Exim-users wrote:
On Wed, Aug 21, 2024 at 12:55:37PM -0300, Ronaldo Luiz via Exim-users wrote:
Hi Sirs,
I need a help to install on my Linux Server an Archive Email software
management.
Exim send around 15.000 billing e-mails each month, receive ar
On 14.08.24 at 15:31, Kurt Jaeger via Exim-users wrote:
Hi!
Recently, I came upon a problem without a solution:
If I trigger an autoreply (for example because of vacations),
how do I get the system to add a DKIM-header for the proper domain ?
Because of the <> envelope-from, how can the prop
On 05.08.24 at 17:18, Odhiambo Washington via Exim-users wrote:
2024-08-05 18:06:01 1sazHd-0001Wy-0y **odhia...@gmail.com R=outbound
T=remote_smtp: message has lines too long for transport
Typical:
Mail-Headerlines have a max length of 1000(24) chars, the INDEX Header
from Outlook/Exchange
On 29.07.24 at 09:25, Francois Sauterey via Exim-users wrote:
Well, my @gmail.com messages are coming in, so let's not talk about it
anymore, even if my logs are polluted.
But that doesn't solve my REAL problem: I can't receive messages from
@gmail.com!
So I'm reposting the message I got in
On 27.06.24 at 15:48, Jeff Brown via Exim-users wrote:
2024-06-27 15:26:07 H=([192.168.1.55]) [165.165.192.254]
X=TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_128_GCM:128 CV=no
F= rejected RCPT : relay not
permitted
You already found the cause: your external connection does not use
SM
On 02.05.24 at 04:38, Thomas Krichel via Exim-users wrote:
Jeremy Harris via Exim-users writes
You mailed person A. A has their mails configured, at the MX for A,
to be forwarded to B. You don't have control over that configuration;
it is entirely A's choice. He wanted it to be done.
Bu
On 09.03.24 at 22:26, Julian Bradfield via Exim-users wrote:
Following an idle-moment post on mailop, I wonder:
From the default config:
---
acl_check_rcpt:
accept hosts = :
deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
message = Restricte
On 21.01.24 at 00:39, Cyborg via Exim-users wrote:
OS: Fedora 38
While receiving bigger emails, i.e. 5 MB+ i see a lot of these messages:
2024-01-21 00:36:09 1rRKsd-0006BkG-0P8F bad internal_store_malloc
request (2147483632 bytes) from function_store_get 66
As you can clearly see, it
On 04.03.24 at 15:50, Fabien LUCE via Exim-users wrote:
Thanks!
Yes I will take care of it as much as I can.
In that case, you would use a database connection, which simplifies the
entire task and saves a lot of cpu cycles.
Starting a python interpreter for every mail is just a waste of a lo
OS: Fedora 38
While receiving bigger emails, i.e. 5 MB+ i see a lot of these messages:
2024-01-21 00:36:09 1rRKsd-0006BkG-0P8F bad internal_store_malloc
request (2147483632 bytes) from function_store_get 66
As you can clearly see, it wants to allocate 2 GB, for a 5-20 MB Email.
Has th
On 12.01.24 at 11:40, Jeremy Harris via Exim-users wrote:
If they're not willing to do that, and reissue the exim binary, a hack
in the perl
of exiqgrep is feasible...
\s*(?(?:\w{6}-\w{6}-\w{2}|\w{6}-\w{11}-\w{4})) # old, 2023
msgid formats
becomes
\s*(?(?:\w{6}-\w{6}-\w{2}|\w{6}-\w{11
On 12.01.24 at 09:28, Niels Kobschätzki wrote:
There is a tool for converting old message-ids to new ones.
Or you wait until all messages with the old IDs are out of the queue.
It's not the message ids.
it's this => \s+(?<.*?>) part of the regexp.
As soon as you remove that part, it work
Hi all,
Fedora pushed an exim 4.97.1 update last night and now exiqgrep -cz
shows this error message, which breaks the munin plugin for the mailqueue.
[~]# mailq
9h 2.2K 1rO3sE-005JbF-1D-H <> *** frozen ***
xxx...@.de
[~]# exiqgrep -cz
Line mismatch: 9h 2.2K 1rO3
BIG THANKS TO SLAVKO :D
On 05.01.24 at 14:38, Slavko via Exim-users wrote:
On 5 January 2024 13:15:37 UTC, user Cyborg via Exim-users
wrote:
Exim(-> openssl) does not accept one specific TLS 1.2 cipher on incoming
connections anymore.
Fact checked with s_client -tls
Hi All,
On 05.01.24 at 11:26, Cyborg via Exim-users wrote:
TLS error on connection from . (SSL_accept): error:0AC1:SSL
routines::no shared cipher
The interesting part is, the server that now fail to supply a valid
cipher could use TLS 1.2 with a correct TLS 1.2 cipher in mid
Hi All,
I'm noticing an increasing amount of failed connections with :
TLS error on connection from . (SSL_accept): error:0AC1:SSL
routines::no shared cipher
SSL on the server has not changed nor did exim, so I'm sure it's an
issue on the remote side.
The interesting part is, the
On 02.01.24 at 17:52, list2--- via Exim-users wrote:
4.95 and newer versions are compiling just fine and running smoothly,
but there is no delivery taking place mostly because of permission on
mail folder issue.
Main log show arrival but panic log is another thing.
"2024-01-02 03:36:46 S
On 22.12.23 at 11:37, Bjoern Franke via Exim-users wrote:
Hi,
I didn't see anything in the archives regarding this:
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/
Ok, i have issues seeing this as an "attack" at all, as you just can use
the "evil" FROM as
On 29.11.23 at 16:51, John Levine via Exim-users wrote:
Strange but true, sending mail to this list via IPv6 does not work:
2023-11-29 10:35:50.715699500 new msg 271522
2023-11-29 10:35:50.715750500 info msg 271522: bytes 2558 from
qp 83701 uid 82
2023-11-29 10:35:50.726425500 starting delive
On 19.10.23 at 22:24, brunoc68 via Exim-users wrote:
*transport_filter = /usr/bin/altermime --input=-
--disclaimer=/etc/exim4/textdisclaimer
--disclaimer-html=/etc/exim4/htmldisclaimer
size_addition = 1
*
To find out, if it's really the "wrong" sorting of dkim and filtering,
you can war
On 15.10.23 at 18:17, Heiko Schlittermann via Exim-users wrote:
- The remaining issue with `libspf2`, raised as CVE against Exim, can't
be addressed by us, as it seems to happen inside the library's code.
Library fixes are available.
Hi,
AFAIK that has already been addressed (at least fo
On 03.10.23 at 13:04, Paul Vinkenoog via Exim-users wrote:
But so far, nothing has shown up.
I'm wondering now: should I wait a little more (risky?) or replace my
version (from Almalinux 9) with the fixed version that was brought out
yesterday?
Isn't it a fork of Redhat? Have you checked th
On 02.10.23 at 21:53, Christof Meerwald via Exim-users wrote:
But my understanding here is that fixes were actually already done in
May 2023, see
https://git.exim.org/exim.git/commit/7bb5bc2c6592e062bf0b514cc71afd2d93e2e0dd
Auths: fix possible OOB write in external authenticator. Bug 2999
autho
On 02.10.23 at 19:38, Christof Meerwald via Exim-users wrote:
"Please why?
+ do you use AUTH (NTLM/EXTERNAL) on port 25?"
So I was asking if these details were indeed available somewhere
before Sunday evening.
A lance for security:
The Trend Micro abstracts had already enough inf
Hi,
a short report from our cluster:
Every system has been hit with this "test" :
2023-10-02 04:48:31 SMTP call from (hello) [152.32.233.30] dropped: too
many syntax or protocol errors (last command was "AUTH NTLM
TlRMTVNTUAABB4IIAAA=", C=EHLO,HELP,AUTH)
"TlRMTVNTU
On 23.09.23 at 11:30, Mario Emmenlauer via Exim-users wrote:
Hi,
I'd like to reject emails that are not sent from a valid DKIM-enabled
acl_smtp_dkim = acl_check_dkim
acl_check_dkim:
# skip if it's from an authenticated user
accept condition = ${if eq{$authenticated_id}{} {
## No help required , this is just an info for you guys ##
Hi,
we have a new kind of spammer at our mailborder:
1qOF7T-002mUk-2Y H=(timesquareas.yachts) [216.9.227.107] Warning:
processing file "" for "To: X -> From:
ATTENTION\360\237\222\245-30%%\360\237\222\245 /
R=ATTENT
On 15.07.23 at 15:02, Jeremy Harris via Exim-users wrote:
On 14/07/2023 08:16, Cyborg via Exim-users wrote:
2023-07-13 22:08:16 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
O== Feature Request:
Could you pls add the connection data to it? That would help a
Hi all,
just one more thing about the logline:
2023-07-13 22:08:16 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
There seems to be different code for creating the logline, as i also see:
2023-07-14 05:41:22 TLS error on connection from m240-158.my-hammer.de
On 13.07.23 at 16:09, Viktor Dukhovni via Exim-users wrote:
You should reconfigure your Let's Encrypt setup to obtain a chain that's
rooted at the ISRG CA. With certbot, add to the
Found it. Thanks Victor.
In case someone need this:
/dehydraded -c --preferred-chain "ISRG Root X1" -d $HOSTNA
On 13.07.23 at 16:09, Viktor Dukhovni via Exim-users wrote:
If the issue is observed on the MX host for your domain, note that its
certificate chains up to the already expired "DST Root CA X3":
where do you see an expired cert here? Or did you mean "soon to be
reaching eol" ?
Certific
Hi all,
On 13.07.23 at 15:58, Viktor Dukhovni via Exim-users wrote:
If the connection is lost in mid encryption, openssl may send the wrong
error message. Means: I think the "bad certificate" message is false, as
the cert is valid and correct.
You're mistaken. Connection "loss" is normal when
On 13.07.23 at 10:55, Jeremy Harris via Exim-users wrote:
On 13/07/2023 09:21, Cyborg via Exim-users wrote:
O== What happened?
As you removed all the surrounding context, hard to tell.
it's production system, so i can't give you everything we logged there.
I can filter out some
openssl 3.0.9
Exim 4.96
Good Morning,
a "sort of" post mortem for you:
O== What happened?
Since 08:15 CEST Exim is spitting out these errors:
2023-07-13 08:15:41 TLS error (SSL_read): error:0A000412:SSL
routines::sslv3 alert bad certificate
2023-07-13 08:15:53 TLS error (SSL_read): error:0A0
On 02.07.23 at 19:16, john via Exim-users wrote:
It is true that the server does not offer TLS support and I do not
expect it
to!
The question is why the new machine is different despite running the same
exim binary and identical conf except for the primary_hostname and
how do I
fix it?
I
Hi,
On 28.05.23 at 23:32, Jeremy Harris via Exim-users wrote:
Or you could consider an escalating delay, every time you detect the
condition.
Can you point on a good example for such a tearpit , I thought about
using those on servers that have nothing else to do, just to troll the
attacker
On 28.05.23 at 04:04, AC via Exim-users wrote:
I was searching through the lists and reading the documentation but
I'm coming up short on blocking IP only senders.
I've seen ACLs checking sender_helo_name using isip{} but that doesn't
seem to do anything for the case of a literal IP:
H=([18
On 23.05.23 at 16:38, Jeremy Harris via Exim-users wrote:
On 23/05/2023 09:40, Cyborg via Exim-users wrote:
I saw a lot of these messages in the logs:
2023-05-09 17:46:31 TLS error on connection from
p4ff64002.dip0.t-ipconnect.de [79.246.64.2] (SSL_accept):
error:0A000126:SSL routines
Hi Guys,
I saw a lot of these messages in the logs:
2023-05-09 17:46:31 TLS error on connection from
p4ff64002.dip0.t-ipconnect.de [79.246.64.2] (SSL_accept):
error:0A000126:SSL routines::unexpected eof while reading
2023-05-09 17:47:46 TLS error on connection from
p4ff64002.dip0.t-ipco
On 13.05.23 at 11:41, Andrew C Aitchison wrote:
I suggest to choose your timeout for the kill wisely, as some servers
send a big chunk of data slow as hell, but a reasonable amount would
be 30s.
In addition, the netstat output could give out, if any data is in the
connection buffer as an ind
On 12.05.23 at 17:23, Slavko via Exim-users wrote:
On 12 May 2023 14:36:23 UTC, user Jeremy Harris via Exim-users
wrote:
Your short setting for smtp_receive_timeout is probably the best
way (despite violating standards).
IMO that standards violating is not true, RFC 6409 allows sho
61 matches