Exim 4.94 Upgrade

MailCleaner Support
Added about 1 month ago

There have been disclosures made for several critical vulnerabilities with the Exim MTA which is used in MailCleaner. In addition to patching these vulnerabilities, there have been additional changes to the intervening versions of Exim which have required some changes to the configuration templates used in MailCleaner to prevent other mail delivery issues. After carefully testing these changes we have now made a new version of the package available. This should be automatically installed during the first nightly updates.

However, to ensure a safe upgrade without any of the delivery issues mentioned, the automatic upgrade will refuse to proceed if either 1) the new template files are not yet present or 2) if you have made modifications to the template files which will fail to be automatically replicated to the new templates. The upgrade will retry nightly until the new version is installed. To verify that the upgrade was successful, you can check the current version (looking for 4.94 or later), by running:

/opt/exim4/bin/exim --version | head -n 1

If you are not already on the current version, please only attempt the upgrade using the official installation script since manually installing the package may result in incompatible configuration templates being used:

/root/Updater4MC/updater4mc.sh

Monitor for the progress immediately following "Executing update: /root/Updater4MC/updates/62_mc_exim_4.94.update" and follow up by checking the version again to be sure. If the upgrade is abandoned, the relevant error will be printed. Here is what the output should look like:

Executing update: /root/Updater4MC/updates/62_mc_exim_4.94.update ...
Upgrading mc-exim package to 4.94.2
...
The following packages will be upgraded:
  mc-exim
1 upgraded, 0 newly installed, 0 to remove and 98 not upgraded.
Need to get 1,086 kB of archives.
After this operation, 176 kB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  mc-exim
Get:1 http://cdnmcpool.mailcleaner.net/ jessie/main mc-exim amd64 4.94.2 [1,086 kB]
Fetched 1,086 kB in 1s (698 kB/s)
(Reading database ... 57098 files and directories currently installed.)
Preparing to unpack .../mc-exim_4.94.2_amd64.deb ...
Unpacking mc-exim (4.94.2) over (4.92.3) ...
Setting up mc-exim (4.94.2) ...
Processing triggers for libc-bin (2.19-18+deb8u10) ...
End of update.

Known Issues

Git not up-to-date

You may see this error:

New configuration templates have not been installed. It is not safe to update Exim. Please ensure that the Git tree at /usr/mailcleaner is up-to-date with origin:master.

If you tried to manually run the update as detailed in other issues below, then try to run to official update script instead. This will attempt to pull the latest updates from Git:

/root/Updater4MC/updater4mc.sh

If you already tried the official update script, this means that there is some change to the Git repository which is preventing updates from being pulled. Change to the MailCleaner repository directory and check the status to see why it is held back:

cd /usr/mailcleaner
git status

It is normal for there to be many modified and new files. These will not block updates. The most likely issue is that are on a different branch, which should be resolve with:

git checkout master
git pull --rebase origin master

Changes to existing templates

In order to ensure that changes you have intentionally made to the old version of the templates can be ported, the upgrade will be abandoned if it sees that any of the following files have been modified:

/usr/mailcleaner/etc/exim/exim_stage1.conf_template
/usr/mailcleaner/etc/exim/exim_stage4.conf_template
/usr/mailcleaner/etc/exim/stage1/ldap_callout_template

These files all have mandatory changes which have been made to make them compatible with 4.94 in versions of the same files with a suffix of '_4.94'. If you are blocked because of this issue, you should see which changes have been made to these files with a diff command like:

git diff /usr/mailcleaner/etc/exim/exim_stage1.conf_template

Ensure that these changes get ported to the _4.94 version of the templates. Once these changes have been ported, you can force the upgrade to complete by running:

/bin/bash /root/Updater4MC/updates/62_mc_exim_4.94.update --force

This will simply ignore that the old templates are modified and continue with this upgrade and any subsequent upgrades.

Failure to install package

There is currently no known situation where the apt-get command within the update script will fail to install the mc-exim package. However the update does verify that it was successfully installed, so if it is unable to do so, it will retry every night until it succeeds. If you experience any issue with this, you may be able to resolve it by installing manually:

apt-get install mc-exim

or by trying to fix a previous failed installation:

apt-get install -f

If you encounter this issue, even if the above resolves it, we would appreciate the details so that we can update this document. Please open a ticket or email support@mailcleaner.net

Tainted file path

The primary changes made to the configuration templates between the old and new version is to address errors related to "tainted" file paths. Exim became more strict about refusing to use files using certain variable name. The "taintedness" refers to certain variables used within a file path in the configuration which could contain unsanitized values.

The new template versions have all been corrected, however the update is not able to check other custom configuration files which might be pulled in as an include option, so it is possible that you may notice some delivery issues and/or these errors in your logs. If this is the case, you need to correct whatever path is "tainted" by replacing these variables by equivalents which are sanitized:

$domain -> $domain_data
$local_part -> $local_part_data

Not every variable has a *_data equivalent and most other variables are already sanitized, so please do not start modifying any which don't produce error output. You can find the Exim variable index here:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-variable_index.html