Posts Tagged ‘Exim’

Summary

A memory corruption vulnerability exists in Exim versions 4.69 and older (CVE-2010-4344). Exim is the mail transfer agent used by cPanel & WHM.

Security Rating

This update has been rated as Important by the cPanel Security team.

Description

A memory corruption vulnerability has been discovered in Exim. It may lead to arbitrary code execution with the privileges of the user running the Exim daemon. On December 9, 2010 cPanel released RPMs that addressed the related privilege escalation (CVE-2010-4345) and thereby reduced the severity of this vulnerability. This notification is for the release of new RPMs which remove the remote memory corruption vulnerability in its entirety. The vulnerable code path is only reachable when “rejected_header” is enabled (the default) in the log_selector configuration.

Solution

To resolve the issue on Linux systems, cPanel has issued new Exim RPMs. Server owners are strongly urged to upgrade to the following Exim RPM versions:

Systems configured to use Maildir: Exim 4.69-26

Systems configured to use mbox (deprecated): Exim 4.63-5

Exim RPMs will be distributed through cPanel’s package management system. All cPanel & WHM servers receiving updates automatically will receive the updated Exim RPM during normal update and maintenance operations (upcp). To begin an Exim update on cPanel systems immediately, run the following command as root:

/scripts/eximup

FreeBSD systems should be running Exim 4.72 by default, which is not affected by this issue.
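As an added example (not part of the cPanel advisory), two shell checks for whether a server is covered. They take strings rather than running commands, so they can be applied to output copied from any host: the RPM name is assumed to be in the form `exim-<version>-<release>` as printed by `rpm -q exim`, and the selector line in the form printed by `exim -bP log_selector`. Exim 4.70 and later carry the upstream fix; on the cPanel 4.69 (Maildir) and 4.63 (mbox) lines the release must be at least 26 or 5 respectively. The log_selector check only tells you whether the trigger condition is present; the fix is the upgrade, not turning the selector off.

```sh
#!/bin/sh
# Added example (not from the cPanel advisory). Decide whether an installed Exim RPM
# carries the fix for CVE-2010-4344, and whether the rejected_header log selector
# (the trigger condition) is active. Both take strings so they can be checked offline:
#   rpm -q exim            -> e.g. exim-4.69-26
#   exim -bP log_selector  -> e.g. log_selector = +all -rejected_header

# $1: name-version-release as printed by `rpm -q exim`.
# Returns 0 (patched) or 1 (not patched, or not recognised as an exim RPM).
exim_rpm_patched() {
    printf '%s\n' "$1" | awk -F '-' '
        $1 != "exim" || NF < 3 { exit 1 }
        {
            split($2, v, ".")
            major = v[1] + 0; minor = v[2] + 0; rel = $3 + 0
            if (major > 4 || (major == 4 && minor >= 70)) exit 0   # upstream fix in 4.70
            if (major == 4 && minor == 69 && rel >= 26)    exit 0   # cPanel Maildir backport
            if (major == 4 && minor == 63 && rel >= 5)     exit 0   # cPanel mbox backport
            exit 1
        }'
}

# $1: the line printed by `exim -bP log_selector`. Selectors apply left to right;
# rejected_header is on unless the configuration turns it (or everything) off.
rejected_header_enabled() {
    enabled=1
    for tok in ${1#*=}; do
        case "$tok" in
            +all|+rejected_header) enabled=1 ;;
            -all|-rejected_header) enabled=0 ;;
        esac
    done
    [ "$enabled" -eq 1 ]
}

# Verdict for one host. $1: rpm string, $2: log_selector line.
# Prints one word and returns 0 only when the RPM is patched.
exposure_verdict() {
    if exim_rpm_patched "$1"; then
        echo "patched"; return 0
    elif rejected_header_enabled "$2"; then
        echo "vulnerable"; return 1
    else
        echo "unpatched-but-trigger-disabled"; return 1
    fi
}

# On the server itself:
#   exposure_verdict "$(rpm -q exim)" "$(exim -bP log_selector)"
```

An "unpatched-but-trigger-disabled" result still needs /scripts/eximup; it only means the logging path that reaches the bug is not currently active.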

FAQ

This notification covers CVE-2010-4344.

The notification released earlier, on December 10, 2010, with the summary “A privilege escalation vulnerability exists in Exim, the mail transfer agent used by cPanel & WHM.” covers CVE-2010-4345. At the time of the earlier announcement, the CVE had not yet been assigned.

The Exim log /var/log/exim_mainlog shows Berkeley DB errors:

Berkeley DB error: PANIC: fatal region error detected; run recovery
Berkeley DB error: PANIC: fatal region error detected; run recovery
Berkeley DB error: PANIC: fatal region error detected; run recovery

Exim keeps its hints databases (retry, wait-<transport>, callout, ratelimit, misc) under /var/spool/exim/db as Berkeley DB files. These messages mean one of those files has been corrupted, typically after a crash or unclean shutdown. The hints databases are only caches, never queued mail, so they can be discarded and Exim recreates them as needed.

On a cPanel server you can move the db directory aside and restart Exim to fix it:

mv /var/spool/exim/db /var/spool/exim/db.bak

/scripts/restartsrv_exim

Now confirm the errors are gone.

tail -f /var/log/exim_mainlog
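The same procedure as a script, added here as an example and not part of the original post. It only touches the spool when the log actually contains the panic, and it backs the directory up under a timestamped name instead of a fixed db.bak so a second run cannot clobber or nest an earlier backup. Log and spool paths are arguments so the functions can be exercised on a scratch directory; on a cPanel server they are /var/log/exim_mainlog and /var/spool/exim, and the restart command is /scripts/restartsrv_exim. The log lines in the demo are constructed, not taken from a real server.

```sh
#!/bin/sh
# Added example (not part of the original post): detect the Berkeley DB panic in an
# Exim main log and, only if present, move the hints-db directory aside so Exim
# rebuilds it on restart. Paths and the restart command are parameters.

# Number of "Berkeley DB error: PANIC" lines in the last N (default 1000) lines of a log.
count_db_panics() {
    logfile=$1; lines=${2:-1000}
    tail -n "$lines" "$logfile" | grep -c 'Berkeley DB error: PANIC' || true
}

# Move SPOOL/db to a timestamped backup. Only hints (retry, wait-*, callout, ratelimit,
# misc) live here, never queued mail, so nothing is lost; Exim recreates the files.
# Prints the backup path on success.
reset_hints_db() {
    spool=$1
    [ -d "$spool/db" ] || { echo "no hints db directory at $spool/db" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$spool/db.bak.$stamp"
    i=0
    while [ -e "$backup" ]; do i=$((i + 1)); backup="$spool/db.bak.$stamp.$i"; done
    mv "$spool/db" "$backup" && echo "$backup"
}

# Whole procedure: touch the spool only when the log shows the panic.
# $3 is the restart command; defaults to cPanel's restartsrv_exim.
repair_if_corrupt() {
    logfile=$1; spool=$2; restart=${3:-/scripts/restartsrv_exim}
    n=$(count_db_panics "$logfile")
    if [ "$n" -eq 0 ]; then
        echo "no Berkeley DB panics in $logfile"
        return 0
    fi
    echo "$n Berkeley DB panic lines in $logfile; resetting hints databases"
    reset_hints_db "$spool" && $restart
}

# Demo on a scratch directory with constructed log lines (not a real cPanel log).
# Run as:  sh this_script.sh demo
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/spool/db" && touch "$tmp/spool/db/retry"
    cat > "$tmp/exim_mainlog" <<'EOF'
2010-12-10 09:12:32 1PPkXe-0003Ab-6D <= user@example.com H=localhost [127.0.0.1] P=esmtp S=1234
2010-12-10 09:12:33 Berkeley DB error: PANIC: fatal region error detected; run recovery
2010-12-10 09:12:33 Berkeley DB error: PANIC: fatal region error detected; run recovery
EOF
    repair_if_corrupt "$tmp/exim_mainlog" "$tmp/spool" true
    ls "$tmp/spool"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

After a real run, `tail -f /var/log/exim_mainlog` as above should show no further PANIC lines; if they return immediately, the corruption is not in the hints files and the disk or filesystem should be checked instead.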

You can set up mail filters from cPanel. To add a filter:

1] Go to cPanel
2] Go to Mail >> Email Filtering
3] Click on the Add Filter option

This is also useful when mail from a client's domain is being marked as spam in your mailbox. For example, if mail from example.com is being flagged as spam, set up a filter as follows so that mail from that domain is no longer treated as spam:

1] Go to cPanel
2] Go to Mail >> Email Filtering
3] Click on the Add Filter option
4] Set the filter rule according to the headers of the affected email (for example, the From address)
5] Set the destination so that the message is allowed through
6] Click on the Activate option.

All mail from example.com will then be delivered rather than treated as spam.

The message-IDs that Exim uses to refer to messages in its queue are 16-character mixed-case alphanumeric strings in three hyphen-separated groups of 6, 6 and 2 characters (for example, an ID of the form 1PPkXe-0003Ab-6D). Most commands related to managing the queue and logging use these message-IDs.
There are three files for each message in the spool directory. If you are working on these files by hand, instead of using the appropriate exim commands as detailed below, make sure you handle all three, and don't leave Exim with a long list of orphaned messages in the queue.

Files in /var/spool/exim/msglog contain logging information for each message and are named the same as the message-id.

Files in /var/spool/exim/input are named after the message-id, plus a suffix denoting whether the file holds the envelope and message headers (-H) or the message body (-D).

These directories may contain further hashed subdirectories to deal with larger mail queues, so don’t expect everything to always appear directly on the top /var/spool/exim/input or /var/spool/exim/msglog directories; any searches or greps will need to be recursive. See if there is a proper way to do what you’re doing before working directly on the spool files.

Below are some useful commands for managing an Exim server:

1) Print a count of the messages in the queue:

root@localhost# exim -bpc

2) Print a listing of the messages in the queue (time queued, size, message-id, sender, recipient):

root@localhost# exim -bp

3) Print a summary of messages in the queue (count, volume, oldest, newest, domain, and totals):

root@localhost# exim -bp | exiqsumm

4) Generate and display Exim stats from a logfile:

root@localhost# eximstats /path/to/exim_mainlog

5) Generate and display Exim stats from a logfile, with less verbose output:

root@localhost# eximstats -ne -nr -nt /path/to/exim_mainlog

6) Generate and display Exim stats from a logfile, for one particular day:

root@localhost# fgrep 2007-02-16 /path/to/exim_mainlog | eximstats

7) Print what Exim is doing right now:

root@localhost# exiwhat

8) To delete frozen emails (field 6 of the exim -bp output is the word “frozen”; exim -Mrm removes a message without generating a bounce and cannot be undone):

root@localhost# exim -bp | awk '$6 ~ "frozen" { print $3 }' | xargs exim -Mrm

9) To force delivery of all queued messages, including frozen ones, with verbose output (/etc/exim.conf is the default cPanel configuration, so -C can be omitted):

root@localhost# exim -qff -v -C /etc/exim.conf &

10) To check that the daemon is running and which port it is listening on (exiwhat lists the daemon process together with its listening port):

root@localhost# exiwhat
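The one-liner in step 8 trusts whatever lands in field 3 of the listing. The following script, added here as an example and not part of the original post, parses the same `exim -bp` output but checks each ID against the 6-6-2 format described above before anything is handed to `exim -Mrm`, and shows the removal as a dry run first. SAMPLE_QUEUE is a constructed listing in the shape of real `exim -bp` output, not captured from a server; on a live host pipe `exim -bp` into the functions instead.

```sh
#!/bin/sh
# Added example (not from the original post): parse `exim -bp`-style output and pull out
# message-IDs, validating the ID format before they are used with `exim -Mrm`.

# Constructed sample in the shape of `exim -bp` output (age, size, ID, sender; recipients indented).
SAMPLE_QUEUE='25m  1.5K 1PPkXe-0003Ab-6D <bounce@example.com>
          root@localhost

 3h   12K 1PPmZq-0004Qc-1x <> *** frozen ***
          postmaster@example.net

 2d  3.2K 1PPnAa-0001Cd-2y <sender@example.org> *** frozen ***
          user@example.com
'

# Exim message-IDs are 16 characters: three base-62 groups of 6, 6 and 2 joined by hyphens.
is_message_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}$'
}

# All message-IDs in a listing read from stdin. Header lines have at least four fields
# (age, size, ID, sender); indented recipient lines have fewer and are skipped.
queue_ids() {
    awk 'NF >= 4 { print $3 }' | while IFS= read -r id; do
        if is_message_id "$id"; then printf '%s\n' "$id"; fi
    done
}

# IDs of frozen messages only: field 6 of a header line is the word "frozen".
frozen_ids() {
    awk '$6 ~ /^frozen$/ { print $3 }' | while IFS= read -r id; do
        if is_message_id "$id"; then printf '%s\n' "$id"; fi
    done
}

# Same number `exim -bpc` reports, derived from the listing on stdin.
count_ids() { queue_ids | wc -l | tr -d ' '; }

# Dry run of step 8: print the commands that would be run instead of running them.
# Drop the `echo` to actually delete; exim -Mrm cannot be undone.
remove_frozen_dry_run() {
    frozen_ids | while IFS= read -r id; do
        echo exim -Mrm "$id"
    done
}

# Demo on the constructed listing. On a real server:  exim -bp | frozen_ids
printf '%s' "$SAMPLE_QUEUE" | frozen_ids
printf '%s' "$SAMPLE_QUEUE" | remove_frozen_dry_run
```

exiqgrep (shipped with Exim) can do the same selection with `exiqgrep -z -i`, which prints only the IDs of frozen messages; the script above is useful when you want to see and check what the awk pipeline is matching.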

Receiving “syslogd failed” emails every 5 minutes

syslogd failed @ Fri Dec 25 09:12:32 2009. A restart was attempted automagically.

Check logs

-bash-3.2# tail -f /usr/local/cpanel/logs/tailwatchd_log
Notification => test@gmail.com via EMAIL [level => 1]
Notification => test@gmail.com via EMAIL [level => 1]
Notification => test@gmail.com via EMAIL [level => 1]

Check whether syslogd is installed:
-bash-3.2# /etc/init.d/syslog restart
-bash: /etc/init.d/syslog: No such file or directory

Install sysklogd

-bash-3.2# yum install sysklogd

Once installed, check by restarting the service (the two shutdown lines fail because no logger was running yet):

-bash-3.2# /etc/init.d/syslog restart
Shutting down kernel logger: [FAILED]
Shutting down system logger: [FAILED]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]

Check the logs again

-bash-3.2# tail -f /usr/local/cpanel/logs/tailwatchd_log

This should resolve the issue.

If you get the following error while sending email from SquirrelMail, restart iptables, or stop and start it. That usually fixes the issue:

Connection refused 111 Can’t open SMTP stream

Command to restart Iptables

/etc/init.d/iptables restart

Commands to stop and start IPtables

/etc/init.d/iptables stop
/etc/init.d/iptables start

If that does not resolve the issue, restart the Exim service as well.