back to article Stop us if you've heard this one before: Yet another critical flaw threatens Exim servers

Admins of Linux and Unix boxes running Exim would be well-advised to update the software following the disclosure of another critical security flaw. The Exim 4.92.3 patch, released on September 28th, includes a fix to close up the CVE-2019-16928 flaw. Discovered by bug-hunters with the QAX A-Team, the vulnerability is caused …

  1. A random security guy

    Surprised that this wasn't caught earlier.

    Should be very simple to exploit.

  2. sbt

    The best fix is Postfix.

    It covers Exim's features (and more). It handles loads better. It doesn't have frequent critical security flaws.

    1. Nate Amsden

      Re: The best fix is Postfix.

      I was going to say why exim? Why not postfix? There must be a reason. I remembered the early hatred of sendmail and m4 files.. I started using postfix around 2001. On my personal mail server the config hasn't changed in well over a decade. Hell I'm still running most of the same regex header filters I wrote in 2002. Postfix is simple to configure so am curious any exim fans want to say what keeps them on exim? Maybe it's better than postfix I don't know either way.

      I don't remember why i chose postfix over the other options at the time. I want to say it was likely reccomended to me perhaps by sophos to integrate an antivirus solution which I think was called amavis at the time which I jad deployed running both sophos and mcafee. Looks like amavis is still around and Wikipedia specifically mentions using it with postfix. So that was probably my reason at the time.

      1. eldakka

        Re: The best fix is Postfix.

        I had the same thought, so did a DDG search "postfix vs exim", the first match

        When comparing Exim vs Postfix, the Slant community recommends Exim for most people. In the question“What are the best Linux mail transfer agents (MTAs)?” Exim is ranked 1st while Postfix is ranked 2nd. The most important reason people chose Exim is:
        Most Linux distributions that come with Exim, come with sane Exim default configurations. Changing default values and slightly adjusting configuration is relatively easy. On the other hand, building a completely new Exim configuration file from scratch might not.

        More stuff on that page.

        1. don't you hate it when you lose your account

          Re: The best fix is Postfix.

          Agree with that analysis if you're going to set up for the first time, was my path many years ago. But now run postfix, wasn't a security based switch, always expect zero days, more to do with what I could set up to my liking

        2. vgrig_us

          Re: The best fix is Postfix.

          @eldakka wtf is "slant community" and why are we listening to it?!

          World's gone mad.

      2. sbt

        Re: The best fix is Postfix.

        Yes, same config since '05. It just runs and runs. I've had it jailed on FreeBSD with no issues. An Atom N270 with 1.5GB RAM has been fine for over 10 years (shared with a bunch of apache/PHP web servers).

        Maybe Exim was less compelling since I'm not using Linux. I'll be switching from Courier to Dovecot for the IMAP side next time the server gets rebuilt.

        1. vgrig_us

          Re: The best fix is Postfix.

          @sbt if I was still building email systems I'd do the same - go from courier to dovecot. You can out mailbox index on an ssd: that way 100s of thousands of messages in the inbox won't slow it down.

          1. sbt

            Re: The best fix is Postfix.

            Thanks. Well, I would have done it sooner, but it's still the build from 2008. The whole system is on SSDs, of a sort, as long as SD cards count...

            Icon --> closest option to BSD Daemon.

      3. Captain Scarlet Silver badge

        Re: The best fix is Postfix.

        To be honest, I have always used it since it was included with WHM/cPanel (What I admit it, I'm lazy).

        Checking I'm surprised a request to add Postfix has had so little votes.

        1. Anonymous Coward
          Anonymous Coward

          Re: The best fix is Postfix.

          That's because cPanel rarely add anything of real value, preferring to add fluff that pads out the feature list for pepole that don't know any better.

      4. vgrig_us

        Re: The best fix is Postfix.

        @nate amsden redhat switched default mta on rhel to exim a while back - that's why (or one of the major reasons).

        IMHO - if one can't configure postfix properly in under 30 min, one has no business putting an mta on the internet.

      5. Anonymous Coward
        Anonymous Coward

        Re: The best fix is Postfix.

        I believe both Debian and Ubuntu ship exim as the default MTA. That’s probably why so many sites run it.

    2. Nick Kew

      Re: Credit where credit's due

      I've used postfix for many years, ever since migrating from qmail around the turn of the century.

      But I think qmail deserves the credit for introducing secure-by-design to smtp with its thought-through separation of components and privileges. That was the first serious alternative to sendmail, right back in the mid-1990s. I switched away from sendmail for both simplicity and security, but it was the ease of introducing my own spam-fighting filters that motivated my own qmail->postfix change - at which time I also looked at and dismissed exim.

  3. Will Godfrey Silver badge

    A buffer overrun?

    Am I surprised?


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like