[debian-edu-commits] debian-edu/ 01/03: Fix exim4 configuration (cfengine/config file).
Wolfgang Schweer
schweer-guest at moszumanska.debian.org
Thu May 18 16:08:00 UTC 2017
This is an automated email from the git hooks/post-receive script.
schweer-guest pushed a commit to branch jessie
in repository debian-edu-config.
commit 69c7ea4017072c50919047345b5a6d8ef33c4049
Author: Wolfgang Schweer <wschweer at arcor.de>
Date: Thu May 18 18:03:18 2017 +0200
Fix exim4 configuration (cfengine/config file).
---
cf/cf.exim | 4 ++++
etc/exim4/exim-ldap-server-v4.conf | 17 +++++++++++++++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/cf/cf.exim b/cf/cf.exim
index 3d9299c..7c67bb4 100644
--- a/cf/cf.exim
+++ b/cf/cf.exim
@@ -23,6 +23,10 @@ editfiles:
shellcommands:
+ debian.server.installation::
+
+ "/usr/share/debian-edu-config/tools/exim4-create-cert"
+ "/usr/share/debian-edu-config/tools/exim4-create-environment"
debian.installation::
diff --git a/etc/exim4/exim-ldap-server-v4.conf b/etc/exim4/exim-ldap-server-v4.conf
index c2a2a3e..e98b932 100644
--- a/etc/exim4/exim-ldap-server-v4.conf
+++ b/etc/exim4/exim-ldap-server-v4.conf
@@ -7,8 +7,20 @@
# Upgrade from v3 version by Maximilian Wilhelm <max at rfc2324.org>
# -- Sat, 11 Jun 2005 02:44:08 +0200
#
+# Adjusted to work after the exim4 security fix for CVE-2016-1531.
+# Also improve security some more: enable TLS, re-enable identity check;
+# only system mail to postmaster is enabled unconditionally; see #794602.
+# -- Wolfgang Schweer <wschweer at arcor.de>, 2017-05-13.
##
+keep_environment = KRB5_KTNAME : PWD : ^LDAP
+tls_advertise_hosts = *
+tls_certificate = /etc/exim4/exim.crt
+tls_privatekey = /etc/exim4/exim.key
+daemon_smtp_ports = 25 : 587
+
+KRB5_KTNAME= /etc/krb5.keytab.smtp
+
# LDAP Server info
LDAPBASE = dc=skole,dc=skolelinux,dc=no
LDAPSERVER = ldap
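Review bot: `KRB5_KTNAME= /etc/krb5.keytab.smtp` (the line after `daemon_smtp_ports`) is an Exim macro definition, whereas `keep_environment = KRB5_KTNAME : PWD : ^LDAP` names a process environment variable; the macro on its own puts nothing into the daemon's environment, so the keytab path only has an effect if the macro is expanded somewhere later in the file or the variable is exported by whatever starts exim (possibly the exim4-create-environment helper from cf.exim, which this page does not show). If the variable is meant to be set from this file, the same security release that introduced `keep_environment` also added `add_environment`, i.e. `add_environment = KRB5_KTNAME=/etc/krb5.keytab.smtp`. Either way a one-line comment naming where the variable is actually set would save the next reader the search, e.g. `# KRB5_KTNAME reaches the daemon environment via <MECHANISM-PLACEHOLDER>; keep_environment lets it through the CVE-2016-1531 whitelist.` The private key at `/etc/exim4/exim.key` also has to be readable by the exim run-time user and nobody else; the permissions set by the certificate helper are not visible here, so that is worth confirming.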
@@ -185,6 +197,7 @@ begin acl
# ACL that is used after the RCPT command
acl_check_rcpt:
+ accept local_parts = postmaster
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
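Review bot: `accept local_parts = postmaster` is placed before any host or domain condition, so it matches postmaster at any domain and this server would relay such messages for unauthenticated remote senders; the later `accept domains = +local_domains` / `deny message = relay not permitted` logic of acl_check_rcpt is bypassed for that local part. Only postmaster at domains this host handles needs to be accepted unconditionally, so the statement should carry a domain restriction: `accept local_parts = postmaster` followed on the next line by `       domains = +local_domains`. That also matches the commit message's stated intent ("only system mail to postmaster is enabled unconditionally"). acl_check_rcpt continues outside this hunk.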
@@ -192,15 +205,15 @@ acl_check_rcpt:
# Make sure users can not fake sender address vis SMTP. Reject
# unauthenticated connections and check that the sender is the same
# as the Kerberos ID.
- accept hosts = :
- accept hosts = +relay_hosts
deny !authenticated = *
message = SMTP server requires authentication. Check your SMTP client configuration.
deny condition = ${if eq{$authenticated_id}{$sender_address_local_part at INTERN}{false}{true}}
message = Sender address $sender_address conflicts with authentication $authenticated_id.
+ accept hosts = :
accept domains = +local_domains
+ accept hosts = +relay_hosts
deny message = relay not permitted
# ACL that is used after the DATA command
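Review bot: With `accept hosts = :` and `accept hosts = +relay_hosts` moved below `deny !authenticated = *`, local (non-TCP) SMTP sessions and the relay_hosts list are now rejected unless they authenticate, but the explanatory comment at the top of acl_check_rcpt in the previous hunk (`# Exim 3 had no checking on -bs messages … we accept if the source is local SMTP`) still describes the old unconditional accept. Suggest rewording it to `# Local (non-TCP) SMTP sessions and +relay_hosts are only accepted after the authentication and sender-identity checks below.` If relay_hosts are meant to keep relaying without authenticating (the commit message only mentions re-enabling the identity check), that accept has to stay above the `deny !authenticated` statement; otherwise the comment should state that the behaviour change is intended. acl_check_rcpt begins outside this hunk.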
--