How to Safeguard Your Exim Mail Server from the Dead.Letter Vulnerability (CVE-2026-45185)
Introduction
If you run an Exim mail server on a Unix-like system, you need to act quickly. A critical security vulnerability, tracked as CVE-2026-45185 and nicknamed Dead.Letter, has been discovered in Exim's handling of the BDAT (Binary Data) command when built with GnuTLS. This use-after-free flaw can lead to memory corruption and potentially allow an attacker to execute arbitrary code on your server. Fortunately, the Exim development team has released security updates to address the issue. This step-by-step guide will walk you through the process of identifying whether your installation is affected, obtaining the fix, and applying it to keep your mail server safe.

What You Need
- Root or sudo access to your Exim server
- SSH or console access to run commands
- Knowledge of your Exim version (check with exim -bV)
- A package manager (apt, yum, dnf, etc.) or the ability to compile from source
- A backup of your Exim configuration files (optional but recommended)
Step-by-Step Guide
Step 1: Identify Your Exim Version and Build Options
The first step is to confirm that you are running a vulnerable version. Log into your server and run:
exim -bV
Look for the version number. The vulnerability affects all Exim versions prior to the patched release (e.g., 4.98.1 or later). Also check if your build uses GnuTLS. You should see something like GnuTLS in the output. If your output shows OpenSSL instead, you are not directly affected by this specific flaw, but it's still good practice to update to the latest stable version.
Step 2: Verify Whether Your Configuration Exposes the BDAT Feature
The Dead.Letter vulnerability is triggered during BDAT command processing. BDAT is part of the CHUNKING extension (RFC 3030) and is usually enabled by default. To see if it's active, check your Exim configuration file (commonly /etc/exim/exim.conf) for the line:
chunking_advertise_hosts = *
If this line exists (or if you haven't explicitly disabled CHUNKING), your server is likely accepting BDAT commands. Even if not, the underlying code may still be reachable, so updating is still essential.
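The two checks in Steps 1 and 2 can be scripted so that they give one unambiguous verdict per host. The following is an added example, not code from the article or from the Exim project: it parses the output of exim -bV (version line, TLS library, reported configuration path) and a configuration file, and compares the version against 4.98.1, the fixed release the article names. The two exim -bV outputs and the configuration fragment embedded in the script are constructed samples for offline use; on a live host you would feed it the real exim -bV output and the file named on its "Configuration file is" line.

```shell
#!/bin/sh
# Added example (not part of the article): automates the checks in Steps 1 and 2.
# It parses the output of `exim -bV` and an Exim configuration. The two sample
# outputs and the sample configuration below are constructed for offline use;
# they imitate the real format but describe no real host.

PATCHED_VERSION="4.98.1"   # minimum fixed version named in the article

# Constructed `exim -bV` output for an unpatched GnuTLS build.
SAMPLE_BV_OLD='Exim version 4.96 #2 built 04-Jun-2023 11:09:49
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in various places, 2004 - 2023
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM DNSSEC Event OCSP PRDR
Configuration file is /etc/exim/exim.conf'

# Constructed `exim -bV` output for a patched OpenSSL build.
SAMPLE_BV_NEW='Exim version 4.98.1 #1 built 01-Jan-2026 00:00:00
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event PRDR
Configuration file is /etc/exim/exim.conf'

# Constructed configuration fragment that advertises CHUNKING to every host.
SAMPLE_CONF='primary_hostname = mail.example.test
chunking_advertise_hosts = *
acl_smtp_rcpt = acl_check_rcpt'

# Print the version number from `exim -bV` output on stdin
# (first line looks like "Exim version 4.96 #2 built ...").
exim_version_from_bv() {
    awk '/^Exim version/ { print $3; exit }'
}

# Print the configuration path reported by `exim -bV` on stdin
# (line looks like "Configuration file is /path").
exim_config_path_from_bv() {
    awk '/^Configuration file is / { print $4; exit }'
}

# Return 0 when the `exim -bV` output on stdin mentions GnuTLS, 1 otherwise.
exim_uses_gnutls() {
    grep -qi 'GnuTLS'
}

# Return 0 when dotted version $1 is greater than or equal to $2. Missing
# components count as 0, so "4.98" is older than "4.98.1". Pure awk, so it
# does not depend on GNU `sort -V`.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print "advertised", "disabled" or "default" for the configuration on stdin.
# "default" means the option is absent; per the article CHUNKING is then still on.
# Commented-out settings are ignored.
chunking_status() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*chunking_advertise_hosts[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            print ($0 == "" ? "disabled" : "advertised")
            found = 1
            exit
        }
        END { if (!found) print "default" }
    '
}

# Combine the checks into one verdict line.
# $1: `exim -bV` output, $2: configuration text.
assess_exposure() {
    ver=$(printf '%s\n' "$1" | exim_version_from_bv)
    if version_at_least "$ver" "$PATCHED_VERSION"; then
        echo "patched ($ver)"
    elif ! printf '%s\n' "$1" | exim_uses_gnutls; then
        echo "not-gnutls ($ver): not directly affected, update anyway"
    else
        echo "vulnerable ($ver, GnuTLS, chunking $(printf '%s\n' "$2" | chunking_status))"
    fi
}

# Sample run against the constructed data. On a live host use:
#   assess_exposure "$(exim -bV)" "$(cat "$(exim -bV | exim_config_path_from_bv)")"
assess_exposure "$SAMPLE_BV_OLD" "$SAMPLE_CONF"
assess_exposure "$SAMPLE_BV_NEW" "$SAMPLE_CONF"
```

The verdict deliberately distinguishes "disabled" (the option is present with an empty value) from "default" (the option is absent): only the former turns CHUNKING off, which matters when you later decide whether the BDAT path is reachable on a host you could not patch immediately.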
Step 3: Check How You Installed Exim
Exim can be installed via your distribution's package manager or compiled from source. Knowing which method you used will determine the easiest path to update.
- Package manager: Debian/Ubuntu use apt; RHEL/CentOS use yum or dnf. Check with which exim or dpkg -l | grep exim (Debian).
- Source compilation: Look for files in /usr/local/exim or a custom prefix.
Step 4: Obtain and Apply the Security Update
Based on your installation method, follow the appropriate sub-step:
Option A: Updating via Package Manager
Run the following commands to update your package lists and install the latest Exim package:
sudo apt update && sudo apt upgrade exim4 # Debian/Ubuntu
sudo yum update exim # CentOS 7
sudo dnf update exim # Fedora / RHEL 8+
The package may be named exim or exim4 depending on your distribution. After updating, verify the new version with exim -bV. It should be at least 4.98.1 (or the version that includes the patch).

Option B: Updating from Source
If you compiled Exim yourself, you must download the patched source code from the official Exim website or Git repository. Visit exim.org or clone the repository:
git clone https://git.exim.org/exim.git
cd exim
Check out the latest stable branch (e.g., exim-4.98.1 or later), then rebuild and install:
make clean
make
sudo make install
If you had custom build options (like GnuTLS), make sure they are still included in your Local/Makefile. Refer to Exim documentation for guidance.
Step 5: Restart Exim and Verify the Fix
After updating, restart the Exim service to apply the changes:
sudo systemctl restart exim4 # systemd; the unit is named 'exim' on some systems
sudo service exim restart # alternative for systems without systemd
Check that the service is running:
sudo systemctl status exim4
Test BDAT handling by sending a test email with a large attachment and confirming the server does not crash. Also check the logs (/var/log/exim4/mainlog or similar) for errors.
Step 6: Confirm No Remaining Vulnerable Configurations
Even after patching, review your Exim configuration for any other potential weaknesses. The Exim team advises disabling unnecessary features. Consider removing the chunking_advertise_hosts line if you don't need BDAT support. Restart Exim after any changes.
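If you decide to turn CHUNKING off, the edit is worth doing with a filter rather than by hand, so that the result can be checked before it replaces the live file. The following is an added example for this step, not code from the article or from the Exim project. It reads a configuration on stdin and writes a copy in which chunking_advertise_hosts is set to an empty value; it sets the option to empty instead of deleting the line because the documented Exim default for chunking_advertise_hosts is "*", so a missing line leaves CHUNKING advertised (which is why the article's Step 2 treats an absent line as "likely accepting BDAT"). The configuration fragment in the block is constructed.

```shell
#!/bin/sh
# Added example for Step 6 (not from the article or the Exim project): produce a
# hardened copy of an Exim configuration in which CHUNKING is not advertised,
# so clients cannot use BDAT. The option is set to an empty value rather than
# removed, because the documented default for chunking_advertise_hosts is "*".
# The sample configuration below is constructed.

SAMPLE_CONF='primary_hostname = mail.example.test
# chunking_advertise_hosts = 10.0.0.0/8   (old, commented-out setting; left alone)
chunking_advertise_hosts = *
acl_smtp_rcpt = acl_check_rcpt'

# Read a configuration on stdin and write it to stdout with every uncommented
# chunking_advertise_hosts setting replaced by an empty one. If no such setting
# exists, one is appended so that the default of "*" no longer applies.
disable_chunking() {
    awk '
        /^[ \t]*chunking_advertise_hosts[ \t]*=/ {
            if (!done) { print "chunking_advertise_hosts ="; done = 1 }
            next
        }
        { print }
        END { if (!done) print "chunking_advertise_hosts =" }
    '
}

# Return 0 when the configuration on stdin explicitly disables CHUNKING
# (an uncommented chunking_advertise_hosts line with nothing after the "="),
# 1 otherwise.
chunking_disabled() {
    grep -Eq '^[ \t]*chunking_advertise_hosts[ \t]*=[ \t]*$'
}

# Sample run: filter the constructed configuration and verify the result.
# On a live host: disable_chunking < /etc/exim/exim.conf > /etc/exim/exim.conf.new
# then validate with `exim -bV -C /etc/exim/exim.conf.new` before swapping the
# file in and restarting Exim (Step 5).
printf '%s\n' "$SAMPLE_CONF" | disable_chunking
if printf '%s\n' "$SAMPLE_CONF" | disable_chunking | chunking_disabled; then
    echo "check: CHUNKING disabled in filtered configuration"
fi
```

Validating the new file with exim -bV -C before it replaces the live one catches a syntax slip without taking the listener down; the restart itself is Step 5.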
Tips for Maintaining a Secure Exim Server
- Stay informed: Subscribe to the exim-announce mailing list or follow the project on GitHub to receive security advisories promptly.
- Enable automatic security updates for your operating system to catch package updates quickly.
- Regularly review logs for suspicious activity, especially around BDAT or CHUNKING commands.
- Consider using OpenSSL instead of GnuTLS if possible, as this vulnerability is specific to GnuTLS builds. However, always test thoroughly before switching.
- Backup your configuration before any major changes, and test in a staging environment if available.
- Minimize attack surface by disabling unnecessary SMTP extensions like CHUNKING if your users don't require them.
By following these steps, you have closed the door on the Dead.Letter vulnerability and strengthened your mail server's security posture. Remember, security is an ongoing process—keep your software up to date and stay vigilant.