cPanel update wiped out custom Exim configuration

rpvw

This TSR update rebuilt the Exim configuration back to the pre-autofixer (/scripts/autorepair exim_disable_chunking) configuration.

Was this intentional?
 

rclemings

I'm struggling to understand the thinking behind this.

Today's security update found a conflict with my custom Exim configuration. Fine, it happens. But then it went ahead and replaced my custom Exim with the default configuration. Whereupon email for about 1,000 people became undeliverable, at least until I was able to shut down Exim and restore the custom stuff (except one SRS-related line that was the source of the problem).

Wouldn't it be better to:

1. Stop the update, roll back the changes and let me know about the problem.
2. Finish the update, but take Exim down until the conflict can be resolved.
3. Do pretty much anything other than replace the custom config with the default.
 

sparek-3

Wondering this too.

I just added

chunking_advertise_hosts=""

under the @config@ in /etc/exim.conf.local file and rebuilt the exim configuration with

/scripts/buildeximconf

I couldn't remember if this is something that cPanel fixed or if this was a custom fix I had put in place.
 

DennisMidjord

Hi,

When cPanel updated last night, our Exim configuration on all servers seems to have been reset. We received an email with the subject "Unable to automatically update the exim configuration".

I looked through the upcp log and found this:

*** Running check_exim_config ***
Configuration file has an invalid syntax. Please try the edit again.




Error message from syntax check:
2018-01-23 02:43:30 Exim configuration error in line 2 of /var/cpanel/exim_hidden/srs_config:
"srs_config" option set for the second time

-= BEGIN exim.conf chunk -=




* * F,2h,15m; G,16h,1h,1.5; F,4d,8h




# End of Exim 4 configuration
#!!# cPanel Exim 4 Config
==><==
domainlist blocked_domains = lsearch;/etc/blockeddomains
chunking_advertise_hosts = ""
hide srs_config = vz8Gq__D4NB6WXVUTYPx98r6eYqKpLqQ:60:5
-= END exim.conf chunk -=

Resetting “Exim CF and ReplaceCF Configuration” to defaults...
Configuration file has an invalid syntax. Please try the edit again.




Error message from syntax check:
2018-01-23 02:43:31 Exim configuration error in line 2 of /var/cpanel/exim_hidden/srs_config:
"srs_config" option set for the second time

-= BEGIN exim.conf chunk -=




* * F,2h,15m; G,16h,1h,1.5; F,4d,8h




# End of Exim 4 configuration
#!!# cPanel Exim 4 Config
==><==
domainlist blocked_domains = lsearch;/etc/blockeddomains
chunking_advertise_hosts = ""
hide srs_config = vz8Gq__D4NB6WXVUTYPx98r6eYqKpLqQ:60:5
-= END exim.conf chunk -=

Resetting “Exim ACL Configuration” to defaults...
Configuration file has an invalid syntax. Please try the edit again.




Error message from syntax check:
2018-01-23 02:43:31 Exim configuration error in line 2 of /var/cpanel/exim_hidden/srs_config:
"srs_config" option set for the second time

-= BEGIN exim.conf chunk -=




* * F,2h,15m; G,16h,1h,1.5; F,4d,8h




# End of Exim 4 configuration
#!!# cPanel Exim 4 Config
==><==
domainlist blocked_domains = lsearch;/etc/blockeddomains
chunking_advertise_hosts = ""
hide srs_config = dqwdqdqwdqwqQ:60:5
-= END exim.conf chunk -=
We haven't made any changes to srs_config, so I wonder why it's complaining about this setting.
It wasn't just the ACL settings that were reset. Also SECTION: AUTH, Postmailcount, Transportstart were reset, which means our MailChannels configuration was gone and a bunch of our customers' emails were flagged as spam.

The only thing I can find about srs_config is in the backup of exim.conf:
hide srs_config = vz8Gq__D4NB6WXVUTYPx98r6eYqKpLqQ:60:5
It's not present in the new configuration on any of the new servers.

What is the cause of this?
 

cPanelMichael

Administrator
Staff member
Hello,

The specific change is noted in today's full disclosure of the recent security update:

When the experimental SRS option for Exim was enabled, the secret key used to sign SRS email was visible inside the exim.conf file. This setting is now stored in a separate file that is not world-readable.
An "Exim Update Failures" notification should have been sent via the configured contact method (WHM >> Contact Manager) if your Exim configuration was reset or could not be modified. Custom Exim configurations are automatically reset if they conflict with the changes associated with critical Exim updates. Feel free to open a support ticket using the link in my signature if you need help applying the update or restoring specific custom changes to your Exim configuration file.

Thank you.
 

rclemings

I suspect my Exim problem had to do with my having implemented SRS manually before the cPanel version was ready. As a result, some of my earlier SRS customizations conflicted with the cPanel version. The security key may have been part/all of the problem.

In any case, what I'm really asking here is whether it's wise to overwrite everything with the default configuration in case of a conflict like this. I didn't know there was a problem until I got the notice to the contact email, and by then, mail was already failing, because my custom config referenced an aliases file that Exim's default configuration didn't know about.

I managed to shut down Exim and got everything fixed before restarting it, as far as I can tell, but I would have preferred that the update process let me know about the conflict instead of just proceeding and overwriting my customizations.
 

DennisMidjord

cPanelMichael said:
Hello,

The specific change is noted in today's full disclosure of the recent security update:

An "Exim Update Failures" notification should have been sent via the configured contact method (WHM >> Contact Manager) if your Exim configuration was reset or could not be modified. Custom Exim configurations are automatically reset if they conflict with the changes associated with critical Exim updates. Feel free to open a support ticket using the link in my signature if you need help applying the update or restoring specific custom changes to your Exim configuration file.

Thank you.

What exactly is required by us? Do we need to make any changes (other than revert the changes besides the srs_config setting)?
 

cPanelJackson

Release Manager
Staff member
We had a similar incident where all the Exim configurations were reset.

I had to restore the Exim configurations from the backup and delete the hide srs_config before saving.
For any others experiencing this issue, this will restore your previous customized configuration while still providing the benefit of the protections from the TSR update.

Specifically:
  1. Go to the "Restore" tab of the WHM Exim Configuration Manager
  2. Click the "Restore" link next to the configuration backup created by the update
  3. Click the "Edit" button to edit the configuration backup
  4. Scroll down to the section with the "hide srs_config" config option and click the trash icon to the right
  5. Click "Save" at the bottom of the configuration editor
CPANEL-18162 has been opened to address the underlying bug in the Exim Configuration Editor, and will be mentioned on our changelogs once the fix is available. When using the restore interface you may experience odd scrolling behavior; CPANEL-18183 has been opened to address this as well.

Thank you.
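
A pre-check for the conflict discussed in this thread, as an added example that is not part of any post and not cPanel's own tooling: it lists main-section Exim options set in more than one place (the cause of the "option set for the second time" error) and flags any file that holds `srs_config` while being world-readable. The function names and the sample files are constructed for illustration, and it assumes the hidden file is parsed as part of the main section, as the error message in the upcp log implies.

```shell
#!/bin/sh
# Added example; every file below is a constructed sample, not real server data.

# Print each main-section option set in more than one place (name: file:line ...).
dup_main_options() {
    awk '
        FNR == 1 { in_main = 1 }            # every file starts in the main section
        /^[ \t]*begin[ \t]/ { in_main = 0 } # "begin acl" etc. ends the main section
        !in_main || /^[ \t]*(#|$)/ { next } # skip later sections, comments, blanks
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/^hide[ \t]+/, "", line)
            # named-list definitions and upper-case macros do not match this pattern
            if (match(line, /^[a-z][a-z0-9_]*[ \t]*=/)) {
                name = substr(line, 1, RLENGTH)
                sub(/[ \t]*=$/, "", name)
                where[name] = where[name] " " FILENAME ":" FNR
                count[name]++
            }
        }
        END { for (n in count) if (count[n] > 1) print n ":" where[n] }
    ' "$@"
}

# Succeed if the file sets srs_config and is readable by "other".
secret_world_readable() {
    grep -Eq '^[[:space:]]*(hide[[:space:]]+)?srs_config[[:space:]]*=' "$1" || return 1
    [ -n "$(find "$1" -prune -perm -004)" ]
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
cat > "$demo/exim.conf" <<'EOF'
domainlist blocked_domains = lsearch;/etc/blockeddomains
chunking_advertise_hosts = ""
hide srs_config = CONSTRUCTED-SECRET:60:5
begin acl
EOF
cat > "$demo/srs_config" <<'EOF'
# constructed stand-in for /var/cpanel/exim_hidden/srs_config
hide srs_config = CONSTRUCTED-SECRET:60:5
EOF
chmod 644 "$demo/exim.conf"; chmod 600 "$demo/srs_config"

dup_main_options "$demo/exim.conf" "$demo/srs_config"
for f in "$demo/exim.conf" "$demo/srs_config"; do
    if secret_world_readable "$f"; then echo "world-readable secret: $f"; fi
done
```

Run against a restored backup before saving it, a non-empty first result means the leftover `hide srs_config` line still has to be removed.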