Re: [bitfolk] 21 critical Exim security issues need addressing

Author: Andy Smith
Date: Sat, 8 May 2021 06:31:37 UTC
To: users
Subject: Re: [bitfolk] 21 critical Exim security issues need addressing

gpg: Signature made Sat May 8 06:31:37 2021 UTC
gpg: using DSA key 0E4236CB52951E14536066222099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
Hi Tim,

On Fri, May 07, 2021 at 10:23:02AM +0100, Tim Robinson wrote:
> Am I right to assume that if port 25 is firewalled from the outside then the
> risk from external hacks is minimal?

If you don't need Exim to accept email from outside the server, e.g.
it's just being used to send email generated locally out to the
world, then I would recommend a few things:

1. Configure Exim to only listen on localhost.

2. Don't allow TCP/25 through your firewall.

3. Consider not using Exim at all, but something simpler, since your
needs are simple. Like Postfix.

On Debian, if you're letting Debian configure your Exim, then (1) is
achieved by running:

# dpkg-reconfigure exim4-config

It will ask you which interfaces to listen on.

If Exim isn't accepting connections from outside then yes, clearly
it can't be remotely exploited. 😀

However, there are still local exploits and this round of 21
advisories included 11 local vulnerabilities. There isn't much
detail available yet but I'm guessing that at least one of them
would allow another user on your system to get root access through
Exim.

And of course, another user on your system could include some action
taken by some other bit of software that *is* remotely accessible.

So personally I would only consider the local-only-access idea to be
a temporary stop-gap.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
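The two checks a practitioner would want after following steps (1) and (2) above, written as an added example for this page (it is not code from the post, from BitFolk, Debian or the Exim project): one function reads `ss -ltn` output and reports any TCP/25 listener bound to something other than a loopback address; the other reads Debian's `/etc/exim4/update-exim4.conf.conf` and confirms that `dc_local_interfaces` (the setting `dpkg-reconfigure exim4-config` writes) names only loopback addresses. The file path and the `dc_local_interfaces` setting are Debian's real conventions; the function names, the assumed `ss` column layout (local address in column 4) and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example for this page, not BitFolk's, Debian's or Exim's own tooling.
# Verifies that Exim (or anything else) is not reachable on TCP/25 from
# outside the host, and that Debian's exim4 configuration restricts
# listening to loopback.

# exposed_smtp_listeners: read `ss -ltn`-style output on stdin, print every
# "addr:port" where port is 25 and addr is not loopback. Exit 0 when nothing
# is exposed, 1 otherwise. Assumes Local Address:Port is column 4.
exposed_smtp_listeners() {
    awk '
        NR == 1 && $1 == "State" { next }        # skip the header line
        {
            local_addr = $4
            n = split(local_addr, parts, ":")
            port = parts[n]
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (port != "25") next
            gsub("[][]", "", addr)                # [::1]:25 -> ::1
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print local_addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# exim_listens_loopback_only: read /etc/exim4/update-exim4.conf.conf on stdin
# and return 0 only if dc_local_interfaces is set and lists nothing but
# loopback addresses. An unset or empty value means Exim listens on all
# interfaces, so that returns 1.
exim_listens_loopback_only() {
    _line=$(grep '^[[:space:]]*dc_local_interfaces[[:space:]]*=' | tail -n 1)
    _val=$(printf '%s\n' "$_line" | sed -e 's/^[^=]*=//' \
        -e "s/^[[:space:]]*['\"]//" -e "s/['\"][[:space:]]*$//")
    [ -n "$_val" ] || return 1
    (
        IFS=';'                                   # Debian separates addresses with " ; "
        for addr in $_val; do
            addr=$(printf '%s' "$addr" | tr -d ' \t')
            case "$addr" in
                127.*|::1|::1.*) ;;               # loopback, optionally with Exim's ".port" suffix
                *) exit 1 ;;
            esac
        done
        exit 0
    )
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      20     127.0.0.1:25       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:22         0.0.0.0:*'

SAMPLE_SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      20     0.0.0.0:25         0.0.0.0:*
LISTEN 0      20     [::]:25            [::]:*'

SAMPLE_CONF_OK="dc_eximconfig_configtype='satellite'
dc_local_interfaces='127.0.0.1 ; ::1'"

report_listeners() {
    # $1 = label, $2 = ss-style output
    if _exposed=$(printf '%s\n' "$2" | exposed_smtp_listeners); then
        echo "$1: no SMTP listener reachable from outside"
    else
        echo "$1: SMTP exposed on: $(printf '%s' "$_exposed" | tr '\n' ' ')"
    fi
}

report_listeners "sample (loopback only)" "$SAMPLE_SS_OK"
report_listeners "sample (all interfaces)" "$SAMPLE_SS_EXPOSED"
if printf '%s\n' "$SAMPLE_CONF_OK" | exim_listens_loopback_only; then
    echo "sample config: dc_local_interfaces is loopback only"
fi

# Live check on this host, when ss and the Debian config file are present.
if command -v ss >/dev/null 2>&1; then
    _live=$(ss -ltn 2>/dev/null) || _live=""
    if [ -n "$_live" ]; then
        report_listeners "this host" "$_live"
    fi
fi
if [ -r /etc/exim4/update-exim4.conf.conf ]; then
    if exim_listens_loopback_only < /etc/exim4/update-exim4.conf.conf; then
        echo "this host: exim4 configured for loopback only"
    else
        echo "this host: exim4 is NOT restricted to loopback (re-run dpkg-reconfigure exim4-config)"
    fi
fi
```

A passing listener check only shows that nothing is bound on an external address at that moment; the config check is what confirms Exim will come back loopback-only after a restart. Neither replaces the firewall rule in step (2), and, as the post says, none of this helps against the local vulnerabilities.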