[debian-edu-commits] debian-edu/ 01/01: Fix broken exim4 configuration, re-enable / improve security.

Wolfgang Schweer schweer-guest at moszumanska.debian.org
Mon May 15 09:47:57 UTC 2017


This is an automated email from the git hooks/post-receive script.

schweer-guest pushed a commit to branch master
in repository debian-edu-config.

commit 8c82d2fb179e6cfee8d1788d1c500e14118fa91d
Author: Wolfgang Schweer <wschweer at arcor.de>
Date:   Mon May 15 11:44:18 2017 +0200

    Fix broken exim4 configuration, re-enable / improve security.
    
     Add usr/share/debian-edu-config/tools/exim4-create-cert.
     Add usr/share/debian-edu-config/tools/exim4-create-environment.
     Adjust cf/cf.exim to use both scripts.
     Adjust etc/exim4/exim-ldap-server-v4.conf (re-enable Kerberos, add TLS).
---
 cf/cf.exim                                         |  5 +++++
 etc/exim4/exim-ldap-server-v4.conf                 | 19 ++++++++++++++++--
 share/debian-edu-config/tools/exim4-create-cert    | 23 ++++++++++++++++++++++
 .../tools/exim4-create-environment                 | 18 +++++++++++++++++
 4 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/cf/cf.exim b/cf/cf.exim
index eba591e..23c5f34 100644
--- a/cf/cf.exim
+++ b/cf/cf.exim
@@ -16,6 +16,11 @@ editfiles:
 shellcommands:
 
 
+  debian.server.installation::
+
+  "/usr/share/debian-edu-config/tools/exim4-create-cert"
+  "/usr/share/debian-edu-config/tools/exim4-create-environment"
+
   debian.installation::
 
     "/usr/sbin/exim4 -qff"
diff --git a/etc/exim4/exim-ldap-server-v4.conf b/etc/exim4/exim-ldap-server-v4.conf
index c2a2a3e..bdab923 100644
--- a/etc/exim4/exim-ldap-server-v4.conf
+++ b/etc/exim4/exim-ldap-server-v4.conf
@@ -7,8 +7,22 @@
 # Upgrade from v3 version by Maximilian Wilhelm <max at rfc2324.org>
 #  -- Sat, 11 Jun 2005 02:44:08 +0200
 #
+# Adjusted to work after the exim4 security fix for CVE-2016-1531.
+# Also improve security some more: enable TLS, re-enable identity check;
+# only system mail to postmaster is enabled unconditionally; see #794602.
+# -- Wolfgang Schweer <wschweer at arcor.de>, 2017-05-13.
 
 ##
+keep_environment = KRB5_KTNAME : PWD : ^LDAP
+#MAIN_TLS_ENABLE = yes
+# Uncomment next entry for Jessie.
+tls_advertise_hosts = *
+tls_certificate = /etc/exim4/exim.crt
+tls_privatekey = /etc/exim4/exim.key
+daemon_smtp_ports = 25 : 587
+
+KRB5_KTNAME= /etc/krb5.keytab.smtp
+
 # LDAP Server info
 LDAPBASE = dc=skole,dc=skolelinux,dc=no
 LDAPSERVER = ldap
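Review bot: `KRB5_KTNAME= /etc/krb5.keytab.smtp` is an Exim macro definition (an uppercase name followed by `=` at main-config level), not an environment variable, and nothing in this hunk expands it; the `keep_environment` entry above only preserves a KRB5_KTNAME that the daemon's parent process already exports. If the intent is for the configuration itself to hand the keytab path to the GSSAPI library, `add_environment = KRB5_KTNAME=/etc/krb5.keytab.smtp` is the main option that was introduced together with keep_environment. Note also that exim4-create-environment in this same commit installs the keytab at /var/lib/exim4/etc/krb5.keytab.smtp, a different path from the one written here — presumably the two are meant to coincide relative to a chroot, but that is worth confirming. Separately, the comment `# Uncomment next entry for Jessie.` sits below the commented-out `#MAIN_TLS_ENABLE = yes` and directly above the live `tls_advertise_hosts = *`, so it reads as pointing at the wrong line; move it above `#MAIN_TLS_ENABLE = yes`.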
@@ -185,6 +199,7 @@ begin acl
 
 # ACL that is used after the RCPT command
 acl_check_rcpt:
+  accept local_parts = postmaster
   # Exim 3 had no checking on -bs messages, so for compatibility
   # we accept if the source is local SMTP (i.e. not over TCP/IP).
   # We do this by testing for an empty sending host field.
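Review bot: `accept local_parts = postmaster` on the added line carries no `domains` condition, so it matches postmaster at any domain, remote ones included, and as the first verb in acl_check_rcpt it accepts such recipients before the relay checks further down — the classic relay pitfall that Exim's stock configuration avoids by restricting the verb to local domains. The commit message says only system mail to postmaster should pass unconditionally, which corresponds to the two-line form `accept local_parts = postmaster` / `         domains = +local_domains`. acl_check_rcpt continues past the end of this hunk.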
@@ -192,15 +207,15 @@ acl_check_rcpt:
   # Make sure users can not fake sender address vis SMTP.  Reject
   # unauthenticated connections and check that the sender is the same
   # as the Kerberos ID.
-  accept  hosts = :
-  accept  hosts = +relay_hosts
 
   deny  !authenticated = *
         message = SMTP server requires authentication. Check your SMTP client configuration.
   deny condition = ${if eq{$authenticated_id}{$sender_address_local_part at INTERN}{false}{true}}
         message = Sender address $sender_address conflicts with authentication $authenticated_id.
 
+  accept  hosts = :
   accept  domains = +local_domains
+  accept  hosts = +relay_hosts
   deny    message = relay not permitted
 
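Review bot: Moving `accept hosts = :` and `accept hosts = +relay_hosts` below the two deny verbs changes their meaning — a local non-TCP SMTP session and a host in +relay_hosts are now refused unless the session is authenticated with a matching sender — yet the context comment just before this hunk ("we accept if the source is local SMTP … testing for an empty sending host field") and the comment at the top of the hunk still describe the previous order. Replace that explanation with one stating the new contract, e.g. `# Local SMTP sessions and relay hosts are accepted only after the authentication checks below.`, and confirm that no local tool on the server submits through SMTP on stdin without authenticating, since that path is now rejected. acl_check_rcpt starts before and ends after this hunk.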
 # ACL that is used after the DATA command
diff --git a/share/debian-edu-config/tools/exim4-create-cert b/share/debian-edu-config/tools/exim4-create-cert
new file mode 100755
index 0000000..bb91e7f
--- /dev/null
+++ b/share/debian-edu-config/tools/exim4-create-cert
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Create a self-signed certificate.
+# Taken in parts from a script by Andreas B. Mundt <andi at debian.org>.
+
+set -e
+
+TEMPLATE="/usr/share/ssl-cert/ssleay.cnf"
+CONF="/tmp/exim.cnf"
+CERT="/etc/exim4/exim.crt"
+KEY="/etc/exim4/exim.key"
+
+if [ ! -f $CERT ] || [ ! -f $KEY ]; then
+    sed -e s#@HostName@#"postoffice.intern"# $TEMPLATE > $CONF
+    echo "subjectAltName=DNS:postoffice.intern,DNS:postoffice.intern" >> $CONF
+    openssl req -config $CONF -new -x509 -days 7000 -nodes -out $CERT -keyout $KEY
+    chmod 640 $KEY $CERT $CONF
+    chown root:Debian-exim $KEY $CERT
+else
+    echo "$CERT and $KEY already exist, skipping!"
+fi
+
+rm $CONF
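Review bot: `rm $CONF` on the last line also runs in the else branch, where /tmp/exim.cnf was never written, so under `set -e` every run after the first one exits non-zero at that line. A fixed, predictable file name under /tmp written by root is also a pre-creation/symlink hazard; `CONF=$(mktemp)` and `trap 'rm -f "$CONF"' EXIT` placed right after `set -e` address both, with the trailing `rm $CONF` dropped and the `chmod 640 ... $CONF` no longer needed since mktemp creates the file 0600. The subjectAltName line lists DNS:postoffice.intern twice — presumably a second name was intended; confirm. The unquoted `$CERT`/`$KEY`/`$CONF` expansions are harmless with these constant paths but would be better quoted for consistency with the rest of the script.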
diff --git a/share/debian-edu-config/tools/exim4-create-environment b/share/debian-edu-config/tools/exim4-create-environment
new file mode 100755
index 0000000..1ee4a3c
--- /dev/null
+++ b/share/debian-edu-config/tools/exim4-create-environment
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Create Kerberos environment for exim4 chroot. This is needed
+# to cope with the exim4 security fix for CVE-2016-1531. 
+
+set -e
+
+DIR="/var/lib/exim4/etc"
+FILE="krb5.keytab.smtp"
+
+if [ ! -f $DIR/$FILE ]; then
+    if [ ! -d $DIR ] ; then
+	mkdir $DIR
+    fi
+fi
+cp /etc/$FILE $DIR
+chown Debian-exim:Debian-exim $DIR/$FILE
+echo "Successfully created the Exim4 environment."
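Review bot: The copy at `cp /etc/$FILE $DIR` takes whatever mode results from the source file and the umask, and the keytab is then handed to Debian-exim by the chown without an explicit mode; add `chmod 0400 $DIR/$FILE` after the chown so the copied credential is readable only by that account. The outer `if [ ! -f $DIR/$FILE ]` is redundant — when the file exists its directory necessarily does — so `mkdir -p $DIR` on its own expresses the intent. The final echo reports "Successfully created" even when an existing keytab was silently overwritten; either guard the cp with the existence check the script already computes, or word the message as "installed". The comment line ending in `CVE-2016-1531. ` has trailing whitespace.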



