Enhancement/exim advertise auth only on localhost and tls connections (hestiacp#3935)

sahsanu · jaapmarcus · web-flow · commit 599d2a01ddcb · 2023-08-24T11:09:37.000+02:00
* Update exim4.conf.template

Exim will advertise AUTH for localhost and TLS connections so we avoid to send cleartext passwords over the net

* Update exim4.conf.4.94.template

Exim will advertise AUTH for localhost and TLS connections so we avoid to send cleartext passwords over the net

* Update exim4.conf.4.95.template

Exim will advertise AUTH for localhost and TLS connections so we avoid to send cleartext passwords over the net

* Update exim4.conf.template

Changed tls_cipher by tls_in_cipher (both work but Exim uses tls_in_cipher in their examples

* Update exim4.conf.4.94.template

Changed tls_cipher by tls_in_cipher (both work but Exim uses tls_in_cipher in their examples)

* Update exim4.conf.4.95.template

Changed tls_cipher by tls_in_cipher (both work but Exim uses tls_in_cipher in their examples)

* Create 1.8.6.sh

Added steps to modify Exim conf file to add auth_advertise_hosts

* Do not update on install update

---------

Co-authored-by: Jaap Marcus &lt;9754650+jaapmarcus@users.noreply.github.com&gt;
diff --git a/install/deb/exim/exim4.conf.4.94.template b/install/deb/exim/exim4.conf.4.94.template
@@ -65,6 +65,7 @@ tls_privatekey = \
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
 tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
+auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}
 never_users = root
 host_lookup = *
 rfc1413_hosts = *
diff --git a/install/deb/exim/exim4.conf.4.95.template b/install/deb/exim/exim4.conf.4.95.template
@@ -67,6 +67,7 @@ tls_privatekey = \
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
 tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
+auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}
 never_users = root
 host_lookup = *
 rfc1413_hosts = *
diff --git a/install/deb/exim/exim4.conf.template b/install/deb/exim/exim4.conf.template
@@ -65,6 +65,7 @@ tls_privatekey = \
 daemon_smtp_ports = 25 : 465 : 587
 tls_on_connect_ports = 465
 tls_require_ciphers = PERFORMANCE:-RSA:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:%SERVER_PRECEDENCE
+auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}
 never_users = root
 host_lookup = *
 rfc1413_hosts = *
diff --git a/install/upgrade/manual/disable-non-tls-auth.sh b/install/upgrade/manual/disable-non-tls-auth.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Modify Exim conf file (/etc/exim4/exim4.conf.template) to advertise AUTH only for localhost and TLS
+# connections, so we avoid that users send their passwords as clear text over the net.
+if ! grep -qw '^auth_advertise_hosts =' '/etc/exim4/exim4.conf.template'; then
+	echo '[ * ] Enable auth advertise for Exim only for localhost and TLS connections'
+	sed -i '/^tls_require_ciphers\s=\s.*/a auth_advertise_hosts = localhost : ${if eq{$tls_in_cipher}{}{}{*}}' '/etc/exim4/exim4.conf.template'
+	systemctl restart exim4
+fi
diff --git a/install/upgrade/versions/1.8.6.sh b/install/upgrade/versions/1.8.6.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.8.6
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+####### upgrade_config_set_value only accepts true or false.                    #######
+#######                                                                         #######
+####### Pass through information to the end user in case of a issue or problem  #######
+#######                                                                         #######
+####### Use add_upgrade_message "My message here" to include a message          #######
+####### in the upgrade notification email. Example:                             #######
+#######                                                                         #######
+####### add_upgrade_message "My message here"                                   #######
+#######                                                                         #######
+####### You can use \n within the string to create new lines.                   #######
+#######################################################################################
+
+upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'false'
+upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'false'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
