:: Re: [DNG] Exim 4.94 (Daedalus backp…
Page principale
Supprimer ce message
Répondre à ce message
Auteur: Nick Rickard
Date:  
À: dng
Sujet: Re: [DNG] Exim 4.94 (Daedalus backports) heads-up
With big security caveats, if you need a hack to get your mailserver
quickly back up and running whilst you work through and detaint your
custom rules in slower time, this might be of use:

https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/

Nick.


On 30/08/2024 09:52, Brad Campbell via Dng wrote:
> I upgraded all of my machines and vms to Daedalus earlier in the week. My man outbound mail relay & secondary server had "backports" enabled inadvertently and exim broke in non-obvious ways because I have some custom routers I wrote about 10 years ago.
> When I say non obvious, exim was running but rejecting any mail that relied on these routers. Thankfully as a secondary I just blocked inbound at the firewall until I can fix this mess.
>
> Relevant message excerpt from the Exim-users list from about 4 years ago :
>
> =======
> As many of you may have noticed, with the release of 4.94 we introduced
> strict checks for the data Exim uses in expansions. This broke old
> configurations that used "tainted" data.
>
> Unfortunately the introduction of these taint checks wasn't communicated
> very well, and as not all of you were able to test the release
> candidates, we understand that this "breaking" change was unexpected to
> a majority of our user base. (Or will be, in case of Debian, which
> currently ships 4.92, but having 4.94 already in its backports.)
>
> The traffic on the mailing lists indicated that there are issues with
> these taint checks. A good share of the issues was caused by broken
> builds. But another share of the issues arose due to suddenly broken
> configurations.
> ======
>
> So if you use exim and have any custom lookups, please take note.
> Fixing this is entirely non-obvious and poorly documented.
>
> Just a note while I'm here :
>
> Most of these machines were running Beowulf. Trial upgrades (on test systems) directly from Beowulf to Daedalus failed in horrible ways early on with a broken libc (missing libcrypt.so.1 and that was all she wrote).
> The most expedient workaround for me was going Beowulf->Chimaera->Daedalus. If I did the upgrade in 2 steps I encountered zero issues (except the one noted above, but that's not a Devuan issue)
> As I was upgrading some headless boxes on the other side of the world, I opted for "slow and steady wins the race".
>
> Regards,
> Brad
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng