Mailing List Archive

[Bug 2624] When using manualroute TLS certification is not safe
https://bugs.exim.org/show_bug.cgi?id=2624

--- Comment #1 from Jeremy Harris <jgh146exb@wizmail.org> ---
> Exim's manualroute should not replace the secure user provided hostname with
> anything else.

Cite standards, please. Otherwise, you are saying that CNAME should not be
followed for manualroute, and it isn't clear why.

> Finally, when TLS goes to connect it validates that the certificate belongs to
> evil.com.

Again, please cite for why that is not the correct thing to do.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
Re: [Bug 2624] When using manualroute TLS certification is not safe
On Fri, Jul 17, 2020 at 07:26:20PM +0000, admin--- via Exim-dev wrote:

> https://bugs.exim.org/show_bug.cgi?id=2624

Isn't this a duplicate of

https://bugs.exim.org/show_bug.cgi?id=2594

> > Exim's manualroute should not replace the secure user provided hostname with
> > anything else.
>
> Cite standards, please. Otherwise, you are saying that CNAME should not be
> followed for manualroute, and it isn't clear why.

With the expected behaviour already settled in the earlier bug report?

--
Viktor.

[Bug 2624] When using manualroute TLS certification is not safe
https://bugs.exim.org/show_bug.cgi?id=2624

Jeremy Harris <jgh146exb@wizmail.org> changed:

What       | Removed | Added
-----------+---------+--------------------------------------------
See Also   |         | https://bugs.exim.org/show_bug.cgi?id=2594

--- Comment #2 from Jeremy Harris <jgh146exb@wizmail.org> ---
Ah, I didn't spot this was being raised against an out-of-date version of Exim.
Thank you, Viktor.

Jason, please re-check using 4.94

[Bug 2624] When using manualroute TLS certification is not safe
https://bugs.exim.org/show_bug.cgi?id=2624

--- Comment #3 from Jason Gunthorpe <jgg@ziepe.ca> ---
4.94 fails too, but the commit linked to bug 2594 is not in 4.94, so I will try
building from source as it does look like the right fix (give me a bit to get
this done).

Regarding standards, bug 2594 has a good quote from the SMTP RFC:

- A SMTP client would probably only want to authenticate an SMTP
server whose server certificate has a domain name that is the
domain name that the client thought it was connecting to.

In my particular case the manualroute is choosing a transport with
authentication enabled, so the above applies.

In terms of Exim, when the above says "the domain name that the client thought
it was connecting to" it means the route_data in the manualroute. This
specifies the "domain name" that Exim is allowed to send the authentication
to.

The problem here is that DNS is insecure and it is not so hard to inject a
CNAME response into Exim. With authentication turned on this means someone can
steal the authentication secret. I think it is understandable why this is bad.

I recommend backporting this patch into earlier releases.

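The failure mode Jason describes above, modelled as an added example (this is
not Exim code and not code posted by anyone in the thread): a resolver follows
an injected CNAME, and the only question is which name the server certificate
is checked against. The DNS answers, the route hostname mail.example.com, the
certificate SAN lists and the function names are all constructed for the
illustration; evil.com is the name used in the bug report.

```python
"""
Model of the manualroute / CNAME certificate-name problem.

All DNS data and certificates below are constructed in-line; nothing is
resolved or connected to.  The point demonstrated: if the certificate is
verified against the canonical name that DNS returned, an attacker who can
inject a CNAME answer also chooses the name the certificate must carry, so a
certificate for evil.com passes and any SMTP AUTH credentials sent afterwards
go to the attacker.  Verifying against the configured route hostname closes
that hole, because DNS then only supplies an address, never a name.
"""
from dataclasses import dataclass

# Constructed DNS view: the attacker has injected a CNAME for the route target.
INJECTED_CNAMES = {"mail.example.com": "evil.com"}


@dataclass
class Cert:
    """Stand-in for a server certificate; only the dNSName SANs matter here."""
    subject_alt_names: list


def resolve_canonical(name, cnames, max_depth=8):
    """Follow a CNAME chain the way a resolver does and return the canonical name."""
    seen = set()
    while name in cnames:
        if name in seen or len(seen) >= max_depth:
            raise ValueError("CNAME loop or chain too long: %r" % name)
        seen.add(name)
        name = cnames[name]
    return name


def hostname_matches(cert, hostname):
    """RFC 6125-style dNSName match: exact, or one left-most wildcard label
    that must leave at least two fixed labels (no '*.com')."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in cert.subject_alt_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[0] == "*" and len(san_labels) >= 3:
            if san_labels[1:] == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def verify_name_insecure(route_host, cert, cnames):
    """Behaviour the bug complains about: the expected name is whatever DNS
    says the canonical name is, so an attacker-controlled CNAME picks it."""
    expected = resolve_canonical(route_host, cnames)
    return hostname_matches(cert, expected)


def verify_name_fixed(route_host, cert, cnames):
    """Corrected behaviour: DNS is consulted for the address only; the name
    the certificate must carry is the hostname from the manualroute data."""
    resolve_canonical(route_host, cnames)  # address lookup still happens
    return hostname_matches(cert, route_host)


def should_send_auth(route_host, cert, cnames, verifier):
    """Only release SMTP AUTH credentials once the peer is verified against
    the name the administrator configured."""
    return verifier(route_host, cert, cnames)


if __name__ == "__main__":
    attacker_cert = Cert(["evil.com", "*.evil.com"])   # constructed
    for name, verifier in (("insecure", verify_name_insecure),
                           ("fixed", verify_name_fixed)):
        ok = should_send_auth("mail.example.com", attacker_cert,
                              INJECTED_CNAMES, verifier)
        print("%-8s verification with injected CNAME: credentials sent = %s"
              % (name, ok))
```

In real client code the same rule means passing the configured hostname, not
the resolver's canonical name, as the name the TLS library verifies against
(for Python's ssl module that is the server_hostname argument to
SSLContext.wrap_socket).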
[Bug 2624] When using manualroute TLS certification is not safe
https://bugs.exim.org/show_bug.cgi?id=2624

--- Comment #4 from Jason Gunthorpe <jgg@ziepe.ca> ---
The patch from 2594 does solve the problem I was looking at.

[Bug 2624] When using manualroute TLS certification is not safe
https://bugs.exim.org/show_bug.cgi?id=2624

Jeremy Harris <jgh146exb@wizmail.org> changed:

What       | Removed | Added
-----------+---------+-----------
Status     | NEW     | RESOLVED
Resolution | ---     | DUPLICATE

--- Comment #5 from Jeremy Harris <jgh146exb@wizmail.org> ---
Good to hear. Closing as dup.

*** This bug has been marked as a duplicate of bug 2594 ***
