- atmail 7.x On-Premises Server Installations
Exim has recently announced the above CVE's regarding denial of service exploits. Only exim versions 4.88 or newer are impacted. You can find your exim version using the following:
# /usr/local/atmail/mailserver/bin/exim --version
Exim version 4.87 #2 built 25-Oct-2017 14:49:57
Copyright (c) University of Cambridge, 1995 - 2016
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2016
Berkeley DB: Berkeley DB 5.3.21: (May 11, 2012)
Support for: crypteq iconv() OpenSSL Content_Scanning DKIM DNSSEC Event OCSP PRDR
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz dnsdb ldap ldapdn ldapm mysql
Authenticators: dovecot plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir autoreply pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /usr/local/atmail/mailserver/configure
⚠ Please Note:
Default version of exim used with the latest release of atmail 7 is 4.87 and not affected by this issue.
If you are currently using exim 4.88+, please add
chunking_advertise_hosts = to your exim configuration.
# sed -i '8i chunking_advertise_hosts =' /usr/local/atmail/mailserver/configure
Then restart atmail.
# /etc/init.d/atmailserver restart
For further information, please find the below as advised by the Exim developers.
A remote code execution vulnerability has been reported in Exim, with
immediate public disclosure (we were given no private notice).
A tentative patch exists but has not yet been confirmed.
With immediate effect, please apply this workaround: if you are running
Exim 4.88 or newer (4.89 is current, 4.90 is upcoming) then in the main
section of your Exim configuration, set:
That's an empty value, nothing on the right of the equals. This
disables advertising the ESMTP CHUNKING extension, making the BDAT verb
unavailable and avoids letting an attacker apply the logic.
This should be a complete workaround. Impact of applying the workaround
is that mail senders have to stick to the traditional DATA verb instead
of using BDAT.
We've requested CVEs. More news will be forthcoming as we get this
## List details at https://lists.exim.org/mailman/listinfo/exim-announce Exim details at http://www.exim.org/ ##