Exim vulnerability CVE-2019-15846

By now you have probably heard about the Exim vulnerability affecting version 4.91 and earlier. The Exim mail server is widely used in cPanel. If you are running cPanel with the latest updates, your Exim is probably already patched.

You can confirm that the cPanel Exim build is patched by logging in to your VPS or server as root over SSH and running this command:

rpm -q --changelog exim | grep CVE-2019-15846

If the output includes a line like this – Applied upstream patch for CVE-2019-15846 – your Exim is patched with the new build 4.92 #5.

However, for those still using EA3, the update is blocked and you need to migrate to EA4. You can do this from WHM. The migration from EA3 to EA4 is pretty straightforward. The only reason some are still on EA3 is concern about their websites' PHP compatibility, since the minimum PHP version EA4 supports is 5.5, which is EOL too.

We strongly recommend upgrading to EA4 to get the Exim update immediately. Alternatively, if you have to keep a lower PHP version, consider CloudLinux, which has hardened the lower PHP versions and makes them available from its PHP Selector.

Protect your mail server from ylmf-pc brute force

If you have been getting regular brute-force attacks whose SMTP sessions start with EHLO ylmf-pc from many different IPs, they can be blocked, and it is easy to do with the Exim mail server on cPanel.

1) Create a file containing the list of HELO names you want to block, one per line (for example ylmf-pc). For example, create and edit /etc/heloblocks.

2) Go to WHM > Exim Configuration Manager > Advanced Editor.

3) Scroll down until you find “acl_smtp_helo”.

4) Below that, you will find a box titled “custom_begin_smtp_helo”. Paste the following ACL statement into that box:

 deny condition = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}}
      log_message = HELO/EHLO - HELO on heloblocks Blocklist
      message = HELO is on our blocklist

Check your exim_mainlog: you will see a rejection like the one logged by this rule when you connect with telnet and send HELO ylmf-pc yourself.
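To see the rule working at scale rather than one line at a time, here is an added Python example (not part of the original post or of cPanel/Exim) that scans exim_mainlog for the log_message set above and counts rejections per HELO name and per source IP, so repeat offenders can be handed to a firewall deny list. The log lines it runs on are constructed samples with documentation IP ranges; the exact wording of Exim's "rejected" line may differ slightly between versions, so the regex keys only on the H=(...) [ip] prefix and the blocklist log_message.

```python
import re
from collections import Counter

# Constructed sample exim_mainlog lines (not real traffic): three rejections
# produced by the heloblocks ACL, plus one ordinary delivery line that must
# be ignored.
SAMPLE_LOG = """\
2019-09-10 10:15:02 H=(ylmf-pc) [192.0.2.10] rejected EHLO or HELO ylmf-pc: HELO/EHLO - HELO on heloblocks Blocklist
2019-09-10 10:15:09 H=(ylmf-pc) [192.0.2.10] rejected EHLO or HELO ylmf-pc: HELO/EHLO - HELO on heloblocks Blocklist
2019-09-10 10:16:44 H=(ylmf-pc) [198.51.100.7]:52110 rejected EHLO or HELO ylmf-pc: HELO/EHLO - HELO on heloblocks Blocklist
2019-09-10 10:17:01 1i7aBc-000123-Ab <= user@example.com H=mail.example.com [203.0.113.5] P=esmtps S=1024
"""

# H=(helo) [ip][:port] ... rejected ... <log_message from the ACL>
BLOCKED = re.compile(
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\](?::\d+)? rejected .*"
    r"HELO on heloblocks Blocklist"
)


def parse_blocked(line):
    """Return (helo, ip) for a blocklist rejection line, else None."""
    m = BLOCKED.search(line)
    return (m.group("helo"), m.group("ip")) if m else None


def summarize(log_text):
    """Count blocklist rejections per HELO name and per source IP."""
    by_helo, by_ip = Counter(), Counter()
    for line in log_text.splitlines():
        hit = parse_blocked(line)
        if hit:
            helo, ip = hit
            by_helo[helo] += 1
            by_ip[ip] += 1
    return by_helo, by_ip


def repeat_offenders(by_ip, threshold=2):
    """IPs at or above the threshold: candidates for a firewall deny list."""
    return sorted(ip for ip, n in by_ip.items() if n >= threshold)


if __name__ == "__main__":
    helos, ips = summarize(SAMPLE_LOG)
    print("blocked HELO names:", dict(helos))
    print("rejections by source IP:", dict(ips))
    print("repeat offenders:", repeat_offenders(ips))
```

On a live server, replace SAMPLE_LOG with the contents of /var/log/exim_mainlog (or a tail of it) and keep the threshold in line with your own brute-force tolerance.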