:: Re: [DNG] Exim 4.94 (Daedalus backp…
Author: Brad Campbell
Date:  
To: dng
Subject: Re: [DNG] Exim 4.94 (Daedalus backports) heads-up
On 30/8/24 18:38, Nick Rickard via Dng wrote:
>
> On 30/08/2024 09:52, Brad Campbell via Dng wrote:
>> I upgraded all of my machines and VMs to Daedalus earlier in the week. My main outbound mail relay & secondary server had "backports" enabled inadvertently and exim broke in non-obvious ways because I have some custom routers I wrote about 10 years ago.
>> When I say non-obvious, exim was running but rejecting any mail that relied on these routers. Thankfully as a secondary I just blocked inbound at the firewall until I can fix this mess.
>>
>
> With big security caveats, if you need a hack to get your mailserver quickly back up and running whilst you work through and detaint your custom rules in slower time, this might be of use:
>
> https://jimbobmcgee.wordpress.com/2020/07/29/de-tainting-exim-configuration-variables/


G'day Nick,

Yes I looked at that one but figured it'd be faster and cleaner to try and do it properly. I think I was right.

Thankfully my primary was running 4.92 so all I had to do was firewall off the secondary from inbound to buy me time.

I've got it sorted now. I had to tweak some rules in a couple of custom routers that I'd written.
They weren't too bad to debug because they were reporting errors in either mainlog or paniclog. The thing that took the most time was debugging DKIM. Turns out it was tainting my DKIM domain lookup, but with no error message or warning. It just flatly refused to sign mail. I ended up getting it to run in debug mode on the console, which allowed me to see it was tainting the lookup, then I had to figure out how to rewrite it so it didn't. Oddly enough that specific case was the one mentioned in the Exim-users mail, but my key lookups were different, so the solution listed in that particular mail still left my lookup tainted.

Just how I like to spend a Friday night :)

Still, it works, it's tested and I ran through a list of plausible error scenarios just to make sure it wasn't going to let through something it shouldn't. Nothing like an unintended consequence turning your mail server into an open relay.

I'm off to read altoids info now while waiting for the F1 red flag to be cleared.

Regards,
Brad
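
[Editor's added example, not Brad's configuration and not from this thread.] The DKIM failure described above is the classic Exim 4.94 taint case: the signing domain is derived from $sender_address_domain, which is untrusted envelope data, so when it is interpolated into the private-key file name Exim refuses to open the (tainted) path. Since 4.94 the standard way to launder such a value is to use it only as the *key* of a lookup against a trusted file; the lookup *result* is untainted. The transport name, file paths, selector and the sample lookup file below are all assumptions made for illustration:

```exim
# Constructed sample lookup file, assumed at /etc/exim4/dkim_domains.
# One "key: value" line per domain we sign for; key and value are both the
# domain, because the point is that the VALUE (read from a trusted file)
# comes back untainted even though the KEY is tainted.
#
#   example.org: example.org
#   example.net: example.net

remote_smtp:
  driver = smtp

  # BEFORE (breaks under 4.94 taint tracking): $sender_address_domain comes
  # straight from the untrusted envelope, so the expanded private-key file
  # name is tainted and Exim will not open it.
  #dkim_domain      = ${lc:$sender_address_domain}
  #dkim_selector    = sel2024
  #dkim_private_key = /etc/exim4/dkim/${dkim_domain}.key

  # AFTER: the tainted value is used only as a lookup key. The returned
  # $value is untainted, so it may safely form part of a file name.
  # An unlisted domain yields an empty dkim_domain, which means "do not
  # sign" rather than an expansion error.
  dkim_domain      = ${lookup{${lc:$sender_address_domain}}lsearch{/etc/exim4/dkim_domains}{$value}{}}
  dkim_selector    = sel2024
  dkim_private_key = /etc/exim4/dkim/${dkim_domain}.key
```

The lookup can be checked outside a delivery with Exim's expansion-test mode, e.g. `exim -be '${lookup{example.org}lsearch{/etc/exim4/dkim_domains}{$value}{}}'`, which should print `example.org` for a listed domain and nothing for an unlisted one. The same pattern (tainted key in, trusted file value out) is what the custom routers in the thread need wherever a sender- or recipient-derived string ends up in a `file`, `data` or `transport` option that names a path.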