Would it (temporarily) help to restrict authentication via
auth_advertise_hosts?
- oliver
On Fri, 29 Sep 2023 15:17:05 +, Some Guy via Exim-users wrote:
> Hi, I'm running an appliance which includes an Exim MTA and now I'm
> wondering, if I should be worried because of the RCE with CVSS 9.8 described
> at the Zero Day Initiative homepage here:
>
> https://www.zerodayinitiative.com
On Sat, 30 Sep 2023, Andrew C Aitchison via Exim-users:
I've seen some second-hand reports (e.g. on the mailop list,
which 1) has a closed archive, and 2) seems unreachable this evening)
that the vulnerabilities are in SPA (Microsoft, NTLM) authentication and
libspf2.
So for authentication, only
On Saturday, 30 September 2023, 10:34:14 CEST, Andrew C Aitchison via
Exim-users wrote:
> Yesterday Heiko posted
> https://seclists.org/oss-sec/2023/q3/254
> in one of the security lists.
For me, it would be helpful if at least the timelines would be properly
communicated to the users,
* Rainer Dorsch via Exim-users (exim-users@lists.exim.org) [231001 15:02]:
> On Saturday, 30 September 2023, 10:34:14 CEST, Andrew C Aitchison via
> Exim-users wrote:
> > Yesterday Heiko posted
> > https://seclists.org/oss-sec/2023/q3/254
> > in one of the security lists.
>
> For me, it
Summary
---
Six 0day exploits were filed against Exim.
None of these issues is related to transport security (TLS) being
on or off.
* 3 of them are related to SPA/NTLM, and EXTERNAL auth. If you do not use
SPA/NTLM, or EXTERNAL authentication, you're not affected.
These issues are fixed.
I did not want to say that I want to migrate to postfix because it is handling
security issues better than exim4.
I stopped the exim4 service on servers with port 25 accessible from the
internet, but since I cannot do that for a long time, migrating to postfix
would be an emergency fix, since
On Sun, Oct 01, 2023 at 05:50:00PM +0200, Andreas Barth via Exim-users wrote:
> I have seen the security side as debian release manager for quite many
> software products. And I doubt much that postfix would do it much
> different.
Coordinated release of security updates is standard industry prac
On 1 October 2023 17:49:26 UTC, Rainer Dorsch via Exim-users
wrote:
>I stopped the exim4 service on servers with port 25 accessible from the
>internet
Please why?
+ do you use AUTH (NTLM/EXTERNAL) on port 25?
+ do you have an untrusted proxy in front?
+ you have not reliable resolv
On Sun, 01 Oct 2023 19:50:43 +, Slavko via Exim-users wrote:
> On 1 October 2023 17:49:26 UTC, Rainer Dorsch via Exim-users
> wrote:
>>I stopped the exim4 service on servers with port 25 accessible from the
>>internet
>
> Please why?
>
> + do you use AUTH (NTLM/EXTERNAL) on por
On 1 October 2023 20:07:45 UTC, Christof Meerwald via Exim-users
wrote:
>This was only officially confirmed today (which is very unfortunate),
That is true only in this ML, otherwise it was confirmed on Friday:
https://www.openwall.com/lists/oss-security/2023/09/29/5
But yes
On Sun, 01 Oct 2023 20:35:48 +, Slavko via Exim-users wrote:
> On 1 October 2023 20:07:45 UTC, Christof Meerwald via Exim-users
> wrote:
>>This was only officially confirmed today (which is very unfortunate),
>
> That is true only in this ML, otherwise it was confirmed on Friday