
Enhancement/exim advertise auth only on localhost and tls connections (#3935)

* Update exim4.conf.template

Exim will advertise AUTH for localhost and TLS connections so we avoid to send cleartext passwords over the net

* Update exim4.conf.4.94.template

Exim will advertise AUTH for localhost and TLS connections so we avoid to send cleartext passwords over the net

* Update exim4.conf.4.95.template

Exim will advertise AUTH for localhost and TLS connections so we avoid to send cleartext passwords over the net

* Update exim4.conf.template

Changed tls_cipher to tls_in_cipher (both work but Exim uses tls_in_cipher in their examples)

* Update exim4.conf.4.94.template

Changed tls_cipher by tls_in_cipher (both work but Exim uses tls_in_cipher in their examples)

* Update exim4.conf.4.95.template

Changed tls_cipher by tls_in_cipher (both work but Exim uses tls_in_cipher in their examples)

* Create 1.8.6.sh

Added steps to modify Exim conf file to add auth_advertise_hosts

* Do not update on install update

---------

Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>
sahsanu 2 years ago
parent
commit
a729927aa7

+ 1 - 0
install/deb/exim/exim4.conf.4.94.template

@@ -65,6 +65,7 @@ tls_privatekey = \
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
 tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
+auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}
 never_users = root
 host_lookup = *
 rfc1413_hosts = *
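Review bot: The bare `localhost` item on the added `auth_advertise_hosts` line is a host-name pattern, so, if I read Exim's host-list matching right, a loopback client is only offered AUTH after Exim reverse-resolves the peer address and forward-confirms the name; a box where that lookup fails silently stops advertising AUTH to local submitters. The same line is added in the exim4.conf.4.95.template and exim4.conf.template hunks. Writing the loopback exception as addresses, `auth_advertise_hosts = 127.0.0.1 : ::1 : ${if eq{$tls_in_cipher}{}{}{*}}`, removes the dependency on the resolver and on /etc/hosts while keeping the TLS-only rule for everything else. A short comment above the line, `# AUTH is only advertised to loopback clients and on TLS sessions, so credentials never cross the network in clear`, would also help the next person who edits this block.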

+ 1 - 0
install/deb/exim/exim4.conf.4.95.template

@@ -67,6 +67,7 @@ tls_privatekey = \
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
 tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
+auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}
 never_users = root
 host_lookup = *
 rfc1413_hosts = *

+ 1 - 0
install/deb/exim/exim4.conf.template

@@ -65,6 +65,7 @@ tls_privatekey = \
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
 tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
+auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}
 never_users = root
 host_lookup = *
 rfc1413_hosts = *

+ 9 - 0
install/upgrade/manual/disable-non-tls-auth.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Modify Exim conf file (/etc/exim4/exim4.conf.template) to advertise AUTH only for localhost and TLS
+# connections, so we avoid that users send their passwords as clear text over the net.
+if ! grep -qw '^auth_advertise_hosts =' '/etc/exim4/exim4.conf.template'; then
+	echo '[ * ] Enable auth advertise for Exim only for localhost and TLS connections'
+	sed -i '/^tls_require_ciphers\s=\s.*/a auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}' '/etc/exim4/exim4.conf.template'
+	systemctl restart exim4
+fi
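Review bot: The `systemctl restart exim4` on the line before `fi` runs whether or not the `sed ... /a` actually inserted anything: if the template has no `tls_require_ciphers` line, or writes it with spacing other than what the `\s=\s` address expects, the script prints the "Enable" message, changes nothing, restarts the mailer and exits 0, so the gap stays open without any signal. Re-checking for the line after the `sed` and restarting only on success (with a message to stderr otherwise) makes the upgrade step fail visibly instead. The `-w` on the first `grep` is redundant because the pattern is anchored with `^` and ends in `=`; plain `-q` reads more clearly. Hoisting the config path into a variable also avoids repeating the literal three times.
```shell
#!/bin/bash

# … unchanged: header comment …
conf='/etc/exim4/exim4.conf.template'
if ! grep -q '^auth_advertise_hosts =' "$conf"; then
	echo '[ * ] Enable auth advertise for Exim only for localhost and TLS connections'
	sed -i '/^tls_require_ciphers\s=\s.*/a auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}' "$conf"
	# Only restart when the line was really added; otherwise report it so the
	# upgrade does not claim success while AUTH is still advertised in clear.
	if grep -q '^auth_advertise_hosts =' "$conf"; then
		systemctl restart exim4
	else
		echo "[ ! ] tls_require_ciphers line not found in $conf; auth_advertise_hosts was not added" >&2
		exit 1
	fi
fi
```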