enable DANE
best options
SUPPORT_DANE=yes
dnssec_request_domains = *
hosts_try_dane = *
The widely used Exim email server software is due to be patched today to close a critical security flaw that can be exploited to potentially gain root-level access to the machine. The programming blunder can be abused over the network, or internet if the server is public facing, or by logged-in users to completely commandeer …
This is not a solution to the issue at hand; whilst it has use in other contexts, it will not in any way protect your system from the bug that's been patched today (unless you've found something that hasn't been discussed).
Mitigation if you cannot patch: do not offer TLS to connecting hosts, as that prevents the vulnerable code path being hit*. Additionally, Heiko has provided additional mitigation on the exim-users mailing list which prevents acceptance (and writing to spool) of messages with 'dangerous' SNI values.
*this is not recommended, but is a quick and dirty hack while you patch/wait for updates.
This isn't an operating system problem. It's not an issue with Linux. It's an issue with a 3rd party application that is running on Linux.
Hating on Linux for this would be like hating on Windows for a McAfee vulnerability, or for the recent Steam escalation of privilege vulnerability, or Lenovo's 'user experience' software that puts a TLS MITM proxy on their PCs.
>Just, not a few distros look to install an Exim instance by default.
Yes, it took a little digging to find out that Exim is the default MTA in Debian and potentially other distributions, hence I suspect for many users/admins they don't actually realise they are running Exim and hence are vulnerable...
yum remove exim
yum install postfix
I really don't know why anyone continues to use it. Then again, Sendmail is still everywhere, and it's even worse.
Postfix is secure by design and relatively easy to configure. Yes, there's jiggery-pokery with SPF etc, but that happens with any MTA and if you don't understand the basic options, you shouldn't be running an MTA. And it's easy to configure for SELinux!
OpenSMTPD looks like it's worth a look as well, with perhaps a little less of a learning curve compared to Postfix (which it was obviously inspired by) for the more advanced options. But maybe a little less flexibility overall. Haven't used it myself.