Hi Tim,

On Fri, May 07, 2021 at 10:23:02AM +0100, Tim Robinson wrote:
> Am I right to assume that if port 25 is firewalled from the outside then the
> risk from external hacks is minimal?

If you don't need Exim to accept email from outside the server, e.g.
it's just being used to send email generated locally out to the
world, then I would recommend a few things:

1. Configure Exim to only listen on localhost.
2. Don't allow TCP/25 through your firewall.
3. Consider not using Exim at all, but something simpler, since your
   needs are simple. Like Postfix.

On Debian, if you're letting Debian configure your Exim, then (1) is
achieved by running:

    # dpkg-reconfigure exim4-config

It will ask you which interfaces to listen on.

If Exim isn't accepting connections from outside then yes, clearly
it can't be remotely exploited. 😀

However, there are still local exploits and this round of 21
advisories included 11 local vulnerabilities. There isn't much
detail available yet but I'm guessing that at least one of them
would allow another user on your system to get root access through
Exim.

And of course, another user on your system could include some action
taken by some other bit of software that *is* remotely accessible.

So personally I would only consider the local-only-access idea to be
a temporary stop-gap.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
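
A way to confirm that step (1) in the message above took effect, as an added example that is not part of the original message: it reads `ss -Hltn` output (iproute2) and reports any port 25 listener bound to something other than loopback. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SMTP listeners reachable from outside the host.
# Input is `ss -Hltn` output (iproute2): field 4 is "local-address:port".

smtp_exposed_listeners() {
    # $1 = port to check (default 25); prints each non-loopback bind address.
    awk -v port="${1:-25}" '
        $1 == "LISTEN" {
            n = match($4, /:[0-9]+$/)          # split at the last ":port"
            if (n == 0) next
            addr = substr($4, 1, n - 1)
            if (substr($4, n + 1) != port) next
            sub(/%.*$/, "", addr)              # drop a "%iface" scope suffix
            if (addr ~ /^127\./ || addr == "[::1]" ||
                addr ~ /^\[::ffff:127\./) next # loopback, incl. v4-mapped
            print addr
        }'
}

smtp_is_local_only() {
    # Exit status 0 when nothing but loopback listens on the port.
    [ -z "$(smtp_exposed_listeners "${1:-25}")" ]
}

# Constructed sample: Exim left listening on all interfaces.
SAMPLE_EXPOSED='LISTEN 0 20 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 20 [::]:25 [::]:*'

# Constructed sample: after restricting Exim to localhost.
SAMPLE_LOCAL='LISTEN 0 20 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 20 [::1]:25 [::]:*'

for name in EXPOSED LOCAL; do
    eval "data=\$SAMPLE_$name"
    if printf '%s\n' "$data" | smtp_is_local_only; then
        echo "$name: port 25 is loopback-only"
    else
        echo "$name: port 25 also listens on:" \
            $(printf '%s\n' "$data" | smtp_exposed_listeners)
    fi
done
# On a live host: ss -Hltn | smtp_exposed_listeners
```

This only checks the bind address, so it covers step (1) and not the firewall rule in step (2).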