[debian-edu-commits] debian-edu/ 01/01: Fix broken exim4 configuration, re-enable / improve security.
Wolfgang Schweer
schweer-guest at moszumanska.debian.org
Mon May 15 09:47:57 UTC 2017
This is an automated email from the git hooks/post-receive script.
schweer-guest pushed a commit to branch master
in repository debian-edu-config.
commit 8c82d2fb179e6cfee8d1788d1c500e14118fa91d
Author: Wolfgang Schweer <wschweer at arcor.de>
Date: Mon May 15 11:44:18 2017 +0200
Fix broken exim4 configuration, re-enable / improve security.
Add usr/share/debian-edu-config/tools/exim4-create-cert.
Add usr/share/debian-edu-config/tools/exim4-create-environment.
Adjust cf/cf.exim to use both scripts.
Adjust etc/exim4/exim-ldap-server-v4.conf (re-enable Kerberos, add TLS).
---
cf/cf.exim | 5 +++++
etc/exim4/exim-ldap-server-v4.conf | 19 ++++++++++++++++--
share/debian-edu-config/tools/exim4-create-cert | 23 ++++++++++++++++++++++
.../tools/exim4-create-environment | 18 +++++++++++++++++
4 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/cf/cf.exim b/cf/cf.exim
index eba591e..23c5f34 100644
--- a/cf/cf.exim
+++ b/cf/cf.exim
@@ -16,6 +16,11 @@ editfiles:
shellcommands:
+ debian.server.installation::
+
+ "/usr/share/debian-edu-config/tools/exim4-create-cert"
+ "/usr/share/debian-edu-config/tools/exim4-create-environment"
+
debian.installation::
"/usr/sbin/exim4 -qff"
diff --git a/etc/exim4/exim-ldap-server-v4.conf b/etc/exim4/exim-ldap-server-v4.conf
index c2a2a3e..bdab923 100644
--- a/etc/exim4/exim-ldap-server-v4.conf
+++ b/etc/exim4/exim-ldap-server-v4.conf
@@ -7,8 +7,22 @@
# Upgrade from v3 version by Maximilian Wilhelm <max at rfc2324.org>
# -- Sat, 11 Jun 2005 02:44:08 +0200
#
+# Adjusted to work after the exim4 security fix for CVE-2016-1531.
+# Also improve security some more: enable TLS, re-enable identity check;
+# only system mail to postmaster is enabled unconditionally; see #794602.
+# -- Wolfgang Schweer <wschweer at arcor.de>, 2017-05-13.
##
+keep_environment = KRB5_KTNAME : PWD : ^LDAP
+#MAIN_TLS_ENABLE = yes
+# Uncomment next entry for Jessie.
+tls_advertise_hosts = *
+tls_certificate = /etc/exim4/exim.crt
+tls_privatekey = /etc/exim4/exim.key
+daemon_smtp_ports = 25 : 587
+
+KRB5_KTNAME= /etc/krb5.keytab.smtp
+
# LDAP Server info
LDAPBASE = dc=skole,dc=skolelinux,dc=no
LDAPSERVER = ldap
@@ -185,6 +199,7 @@ begin acl
# ACL that is used after the RCPT command
acl_check_rcpt:
+ accept local_parts = postmaster
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
@@ -192,15 +207,15 @@ acl_check_rcpt:
# Make sure users can not fake sender address vis SMTP. Reject
# unauthenticated connections and check that the sender is the same
# as the Kerberos ID.
- accept hosts = :
- accept hosts = +relay_hosts
deny !authenticated = *
message = SMTP server requires authentication. Check your SMTP client configuration.
deny condition = ${if eq{$authenticated_id}{$sender_address_local_part at INTERN}{false}{true}}
message = Sender address $sender_address conflicts with authentication $authenticated_id.
+ accept hosts = :
accept domains = +local_domains
+ accept hosts = +relay_hosts
deny message = relay not permitted
# ACL that is used after the DATA command
diff --git a/share/debian-edu-config/tools/exim4-create-cert b/share/debian-edu-config/tools/exim4-create-cert
new file mode 100755
index 0000000..bb91e7f
--- /dev/null
+++ b/share/debian-edu-config/tools/exim4-create-cert
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Create a self-signed certificate.
+# Taken in parts from a script by Andreas B. Mundt <andi at debian.org>.
+
+set -e
+
+TEMPLATE="/usr/share/ssl-cert/ssleay.cnf"
+CONF="/tmp/exim.cnf"
+CERT="/etc/exim4/exim.crt"
+KEY="/etc/exim4/exim.key"
+
+if [ ! -f $CERT ] || [ ! -f $KEY ]; then
+ sed -e s#@HostName@#"postoffice.intern"# $TEMPLATE > $CONF
+ echo "subjectAltName=DNS:postoffice.intern,DNS:postoffice.intern" >> $CONF
+ openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
+ chmod 640 $KEY $CERT $CONF
+ chown root:Debian-exim $KEY $CERT
+else
+ echo "$CERT and $KEY already exist, skipping!"
+fi
+
+rm $CONF
diff --git a/share/debian-edu-config/tools/exim4-create-environment b/share/debian-edu-config/tools/exim4-create-environment
new file mode 100755
index 0000000..1ee4a3c
--- /dev/null
+++ b/share/debian-edu-config/tools/exim4-create-environment
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Create Kerberos environment for exim4 chroot. This is needed
+# to cope with the exim4 security fix for CVE-2016-1531.
+
+set -e
+
+DIR="/var/lib/exim4/etc"
+FILE="krb5.keytab.smtp"
+
+if [ ! -f $DIR/$FILE ]; then
+ if [ ! -d $DIR ] ; then
+ mkdir $DIR
+ fi
+fi
+cp /etc/$FILE $DIR
+chown Debian-exim:Debian-exim $DIR/$FILE
+echo "Successfully created the Exim4 environment."
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-edu/debian-edu-config.git
More information about the debian-edu-commits
mailing list