LWN: Comments on "Critical vulnerability in Exim"

Critical vulnerability in Exim

kmweber — Thu, 12 Sep 2019 22:16:43 +0000

The most recent release version of Slackware uses sendmail, though sendmail was moved into /extra and replaced with postfix in -current a couple of years ago.

Critical vulnerability in Exim

anselm — Thu, 12 Sep 2019 11:46:04 +0000

The story I've heard is that while Eric Allman was writing Sendmail as a postgraduate student at UCB, he had to take a class on production systems. This explains why, based on the time-honoured adage, “if the only tool you have is a hammer, all problems suddenly start looking like nails”, sendmail.cf defines a set of productions to handle e-mail.

MTAs in Debian

grawity — Thu, 12 Sep 2019 09:29:59 +0000

Hm, if the remote root exploit depends on the server accepting TLS connections, then Debian's default local-only configuration shouldn't be exploitable at all, is it?

Critical vulnerability in Exim

xose — Wed, 11 Sep 2019 21:37:46 +0000

> On Judgment Day Eric Allman will have some serious explaining to do.

Already done: https://www.youtube.com/watch?v=Jmsxl8KNgLU

Critical vulnerability in Exim

Wol — Wed, 11 Sep 2019 16:19:52 +0000

I don't think he'll have any 'splainin to do ...

READ UP ON HISTORY!

Eric Allman wrote a - simple - program that delivered mail, in an environment where malware didn't exist. Like so many things, it just "took off" and loads of people added loads of options - NOT ERIC. Then the Morris Worm hit ...

Hindsight is a wonderful pair of reality-distortion specs ...

Cheers,
Wol

Critical vulnerability in Exim

anselm — Wed, 11 Sep 2019 15:44:16 +0000

[Sendmail was] a "start it and then it just works" kind of program, something I can decidedly not state about Postfix, although that may have improved since I was last forced to deail with its ailments some time in 2006.

It turns out that the debconf setup routine for Postfix in Debian is actually quite nice. It can deal with the standard use cases (local-only, local mail with a relay host, mail server on the Internet, …) out of the box and you can take it from there if you need more specialised configurations. Also, Postfix (a) has pretty good documentation and (b) has come a long way since 2006.

Critical vulnerability in Exim

anselm — Wed, 11 Sep 2019 15:32:45 +0000

I used to be a Sendmail admin even before m4-style configuration was added to it, but I stopped using Sendmail in favour of Postfix at some point in the early 2000s and have never looked back. On Judgment Day Eric Allman will have some serious explaining to do.

Critical vulnerability in Exim

rweikusat2 — Wed, 11 Sep 2019 14:22:43 +0000

I wasn't writing about using it as internet-reachable mailer, just for the purpose of delivering mails written by me to some "destintation mail server". You seem to be a little bit behind the times here as the default configuration of being an open relay was changed to not relaying anything by default some time before 1998. Contrary to your implicit suggestion, I'm also not too stupid or incompetent to configure publically reachable mail servers in a sensible way.

But that's rather besides the point I was trying to make, namely, that's a "start it and then it just works" kind of program, something I can decidedly not state about Postfix, although that may have improved since I was last forced to deail with its ailments some time in 2006.

Critical vulnerability in Exim

ceplm — Wed, 11 Sep 2019 07:36:33 +0000

Question is not whether it carried all emails it was supposed to carry, it is whether it didn’t carry many more emails it wasn’t. Sorry, cannot resist.

Critical vulnerability in Exim

rweikusat2 — Tue, 10 Sep 2019 20:58:08 +0000

Sendmail has delivered every email I ever sent since 1998 without a single hiccup. I'm also using it with some "non-standard" features such as selecting a smart host based on the domain portion of a sender address. I have to admit that I also like the configuration language, although that's probably only something for people who are fond of accumulator machines :-).

MTAs in Debian

dskoll — Tue, 10 Sep 2019 14:13:38 +0000

Debian, by default, configures Exim (and possibly all of its MTAs?) to listen only on the loopback address. That converts a remote root exploit to a local root exploit... still pretty bad, but one small step less bad.

Presumably, if you're going to reconfigure your MTA for actual mail delivery from outside just localhost, you can uninstall Exim if your goal is to use another MTA. It's not a difficult extra step, as others have pointed out.

Critical vulnerability in Exim

LightDot — Tue, 10 Sep 2019 07:58:55 +0000

Security guarantees are fine, but they are not what made the software secure in the first place.

If anyone is aware of any issues in qmail's derivatives, such as netqmail, s/qmail, notqmail or qmail as distributed by Plesk, do report them.

MTAs in Debian

anselm — Tue, 10 Sep 2019 00:06:55 +0000

In practice, the fact that Debian defaults to Exim isn't a huge problem because (a) Exim isn't a completely unreasonable MTA (occasional CVEs notwithstanding) for casual use, (b) people tend to be very opinionated about their MTA preferences and there is no pleasing everyone at the same time, anyway, and (c) on Debian it is completely trivial to replace Exim with a different MTA such as Postfix if one is so inclined.

It would of course be possible to have Debian default to Postfix instead of Exim, but since setting up an MTA usually involves quite a lot of configuration work in any case, starting that work off with apt-get install postfix doesn't really make a huge difference in the grand scheme of things, and the Debian project seems to think that it's not really worth the hassle to change what is an agreed-upon and, by now, well-established default. In fact if the change ever did get made then probably the Exim fans would complain loudly about the move away from Exim and the Sendmail and Courier fans would complain loudly that the move is not to Sendmail or Courier, so it's a good thing to keep this one in reserve in case all of the other gratuitous flame wars on the Debian lists ever fizzle out.

MTAs in Debian

rahulsundaram — Mon, 09 Sep 2019 21:57:15 +0000

>respectively, exim gets picked as first because it is first in the alphabet … really

It is a bit more complicated than that but in this case, it is because the shortest name wins

http://yum.baseurl.org/wiki/CompareProviders.html

MTAs in Debian

ceplm — Mon, 09 Sep 2019 20:53:44 +0000

Certainly not that. I was just thinking about RHEL/Fedora which doesn’t hard write any mail-transport-agent provider as default (respectively, exim gets picked as first because it is first in the alphabet … really), but the default MTA is defined in comps as postfix, and it is selected (AFAIK) in the default installer, when the user defines computers as a mail server.

MTAs in Debian

rotty — Mon, 09 Sep 2019 18:00:27 +0000

> ... but other distributions managed to change (or at least allow) different MTA. Most of them used to be on sendmail, after all.

Did you imply that you cannot change the MTA on Debian? I've been doing `apt-get install postfix` (or even ssmtp) after installing a fresh Debian install for, I'm not sure, at least a decade now? On Debian bullseye, these MTAs (although some are not real MTAs, like ssmtp, for instance) are currently at your disposal:

% aptitude search '?provides(mail-transport-agent)' | awk '{ print $2; }'
citadel-server
courier-mta
dma
esmtp-run
exim4-daemon-heavy
exim4-daemon-light
masqmail
msmtp-mta
nullmailer
opensmtpd
postfix
qmail-run
sendmail-bin
ssmtp

Critical vulnerability in Exim

niner — Mon, 09 Sep 2019 15:22:19 +0000

Why would someone security-conscious use qmail? There's either the actually secure original qmail, or the actually useful in real world extended versions like netqmail for which any security guarantees are no longer valid.

Critical vulnerability in Exim

mgedmin — Mon, 09 Sep 2019 12:31:38 +0000

Ubuntu picked Postfix as the default MTA back in 2005, if not earlier: https://help.ubuntu.com/community/Postfix?action=recall&...

Critical vulnerability in Exim

vadim — Mon, 09 Sep 2019 08:10:52 +0000

Just run it under Fedora, it's already got a well working SELinux configuration, which includes Exim

Critical vulnerability in Exim

ceplm — Mon, 09 Sep 2019 06:38:57 +0000

I am sure about the latter (that nobody cared where Wietse Venema worked), but other distributions managed to change (or at least allow) different MTA. Most of them used to be on sendmail, after all.

Critical vulnerability in Exim

anselm — Sun, 08 Sep 2019 23:38:35 +0000

The Debian project would have adopted Postfix as the default MTA if Postfix had been ready to use at the time that the default MTA was being picked. Since Postfix wasn't quite finished then, the project settled on Exim as the next-best alternative, and Exim wasn't considered sufficiently worse than Postfix to be worth the trouble to switch defaults later.

The fact that Postfix was started by Wietse Venema while he was under contract at IBM Research didn't play a significant role in the decision.

Critical vulnerability in Exim

ceplm — Sun, 08 Sep 2019 16:49:18 +0000

> But, Postfix originated at IBM research, which never meshed well with distribution adoption.

What??? It is only Debian (and Ubuntu) which still carry Exim as their default email server. Distros from Red Hat, SUSE, I believe everybody else switched to Postfix long time ago. And talking about SELinux, of course, it is tightly confined in Fedora/CentOS/RHEL.

And I am quite certain that even Debian/Ubuntu have perfectly working packages of Postfix. There is just no reason at all not to switch.

Critical vulnerability in Exim

murukesh — Sun, 08 Sep 2019 14:02:01 +0000

The Fedora docs[1] say:

> Fedora offers two primary MTAs: Postfix and Sendmail. Postfix is configured as the default MTA and Sendmail is considered deprecated.

Looks like there's a bug somewhere - either in the docs, or in the packaging.

[1]: https://docs.fedoraproject.org/en-US/fedora/rawhide/syste...

Critical vulnerability in Exim

LightDot — Sun, 08 Sep 2019 09:36:42 +0000

> Anyone security-conscious has switched to Postfix since forever ...

Or simply kept using qmail. ;)

Critical vulnerability in Exim

lsl — Sat, 07 Sep 2019 21:46:21 +0000

The last time Fedora shipped an MTA by default, it was Sendmail. ;-)

https://fedoraproject.org/wiki/Changes/NoDefaultSendmail (though the proposal wasn't accepted for F20 IIRC)

You're even listed there as the change owner.

Now, you could argue that 10 releases is indeed forever in Fedora land and that even before that, most users chose Postfix as if it was the default.

These days, Fedora (as opposed to EL) doesn't really have anything akin to a default MTA, no? A 'dnf install server(smtp)' results in Exim but that's more of an implementation artifact rather than a conscious decision for a default MTA.

Critical vulnerability in Exim

quotemstr — Sat, 07 Sep 2019 18:30:10 +0000

Apple's "goto fail" was one line of code too.

Critical vulnerability in Exim

Matlib — Sat, 07 Sep 2019 13:20:35 +0000

This is actually a bug in string.c (+ similar one in another file) causing a function to skip over the 0x0 at the end if the actual string ends with backslash. The POC is about leveraging this as heap overflow by sending a crafted TLS request to overwrite the name of the spool file and eventually send that as message content. I don't think this could be practically exploitable.

Several things that strike me most though:

this basic buffer overrun has existed since ever I am able to checkout (Oct 7 2004) and nobody noticed,
that it was reported in early August and fixed by Heiko on Aug 19 and did not make it to the 4.92.1 release,
that there is a dozen of mail, CVE forms &c. filled in for one line of code added (if (ch == '\0') return **pp;) showing the unfortunate reality that many FOSS projects are a bureaucratic mess.

MeTA1 (was Critical vulnerability in Exim)

dskoll — Sat, 07 Sep 2019 00:53:55 +0000

Is anyone other than Claus Aßmann actually using MeTA1 in production? I got the feeling the project never really gained traction.

Critical vulnerability in Exim

xose — Fri, 06 Sep 2019 22:26:24 +0000

> You’re right, I though that by now, they’d have finished sendmail X, but it seems to have gone nowhere

It is http://www.MeTA1.org

More info at https://en.wikipedia.org/wiki/MeTA1 (currently down)

Critical vulnerability in Exim

mattdm — Fri, 06 Sep 2019 19:48:19 +0000

> But, Postfix originated at IBM research, which never meshed well with distribution adoption.

Really? It's been the default in the Fedora ecosystem since, like, forever.

(And no IBM jokes, please?)

Critical vulnerability in Exim

nim-nim — Fri, 06 Sep 2019 19:24:58 +0000

>> I suppose sendmail should be ok-ish now it's been rewritten from scratch

> Huh! I hadn't heard that'd happened.

You’re right, I though that by now, they’d have finished sendmail X, but it seems to have gone nowhere

> My main problem with Postfix (and the reason I'm using Exim) is that kept running into flexibility problems when using Postfix.

Sure, that's the drawback of strong capability separation, you can’t configure a postfix component, outside its security capabilities, and many postfix documentation pages start with a flow diagram, explaining where a setting applies and what its limits are.

Critical vulnerability in Exim

quotemstr — Fri, 06 Sep 2019 18:15:12 +0000

There's superuser and there's superuser though. I really need to start confining Exim with SELinux or something.

Critical vulnerability in Exim

quotemstr — Fri, 06 Sep 2019 18:14:10 +0000

> I suppose sendmail should be ok-ish now it's been rewritten from scratch

Huh! I hadn't heard that'd happened. My main problem with Postfix (and the reason I'm using Exim) is that kept running into flexibility problems when using Postfix. Exim's general string substitution thing is super ugly, but it works, and it provides a lot of power. Sendmail is similarly (and infamously) configurable. I never thought I'd type these words, but: maybe I should switch to sendmail.

> The modular architecture used by Postfix is given in example in security classes.

Exim is *supposed* to use a privilege separation system too.

Critical vulnerability in Exim

ametlwn — Fri, 06 Sep 2019 18:01:30 +0000

> At the very least, it needs to have better sandboxing. RCE is bad. But elevation to root? Why?

A design choice. Exim offers amazing flexibility at the price of running as superuser at some time.

Critical vulnerability in Exim

nim-nim — Fri, 06 Sep 2019 17:58:57 +0000

Anyone security-conscious has switched to Postfix since forever (I suppose sendmail should be ok-ish now it's been rewritten from scratch). The modular architecture used by Postfix is given in example in security classes.

But, Postfix originated at IBM research, which never meshed well with distribution adoption.

Critical vulnerability in Exim

quotemstr — Fri, 06 Sep 2019 17:13:24 +0000

At the very least, it needs to have better sandboxing. RCE is bad. But elevation to root? Why?

Critical vulnerability in Exim

mirabilos — Fri, 06 Sep 2019 17:10:37 +0000

A week.

Exim is worse than sendmail ever was. It should have never become this widespread.

Critical vulnerability in Exim

quotemstr — Fri, 06 Sep 2019 16:45:50 +0000

Second major Exim vulnerability in, what, a year? Maybe I should consider switching.