Securing Exim Against the Dead.Letter Vulnerability: A Complete Remediation Guide


Overview

The Exim Mail Transfer Agent (MTA), a cornerstone of email infrastructure on Unix-like systems, recently came under scrutiny due to a critical security flaw. Designated as CVE-2026-45185 and nicknamed Dead.Letter, this vulnerability is a use-after-free bug that manifests specifically in builds compiled with GnuTLS. Attackers can exploit it to trigger memory corruption and, under certain conditions, achieve remote code execution. This guide provides a comprehensive walkthrough for identifying, mitigating, and preventing exploitation of this vulnerability. You will learn how to check your Exim version, apply the necessary updates, and verify that your system is no longer at risk.

Source: feeds.feedburner.com

Prerequisites

Before diving into the remediation steps, ensure you have the following:

  • Root or sudo access on the server running Exim.
  • Familiarity with command-line operations in a Unix-like environment (Linux, BSD, or macOS).
  • A backup of your current Exim configuration – ideally a full system backup or at least a copy of /etc/exim/ or /usr/local/etc/exim/.
  • Knowledge of your Exim build – specifically whether it was compiled with GnuTLS or OpenSSL. This guide focuses on GnuTLS builds, but the steps can be adapted.

Step-by-Step Instructions

1. Check Your Exim Version and Build Flags

First, determine the installed Exim version and whether it uses GnuTLS. Run the following commands:

exim -bV

Look for lines similar to:

Exim version 4.94 #1 built 20-Mar-2025 12:00:00
Copyright (c) University of Cambridge, 2025
GnuTLS 3.7.8

If the output shows GnuTLS (as opposed to OpenSSL or no TLS support at all), your build is potentially affected. Versions earlier than 4.94.2 (or whichever release carries the fix for your distribution) are vulnerable. Note the exact version number.
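As an added example (not from the original guide), the following POSIX shell script automates the check above against saved `exim -bV` output: it extracts the version line, tests whether the build reports GnuTLS, and compares the version against the fixed release the guide names (4.94.2 by default; pass another threshold as the first argument if your distribution's advisory differs). The sample outputs are constructed, and the script matches `GnuTLS` anywhere in the output so it also handles the longer `Support for:` and `Library version:` lines that real builds print.

```shell
#!/bin/sh
# Added example: classify an Exim build from `exim -bV` output.
# Default fixed release is 4.94.2, as stated in the guide (assumption:
# adjust to your vendor's advisory).

# version_lt A B -> exit status 0 if dotted version A is lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0   # missing components count as 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1                              # equal versions are not "lower"
    }'
}

# assess_exim_build [FIXED_VERSION] < output-of-exim-bV
# Prints exactly one word: vulnerable, patched, not-gnutls or unknown
assess_exim_build() {
    fixed="${1:-4.94.2}"
    out="$(cat)"
    # First line looks like: "Exim version 4.94 #1 built 20-Mar-2025 12:00:00"
    ver="$(printf '%s\n' "$out" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)"
    [ -n "$ver" ] || { echo unknown; return 0; }
    # The flaw only affects GnuTLS builds; OpenSSL or no-TLS builds are out of scope
    if ! printf '%s\n' "$out" | grep -q 'GnuTLS'; then
        echo not-gnutls; return 0
    fi
    if version_lt "$ver" "$fixed"; then echo vulnerable; else echo patched; fi
}

# Constructed sample outputs (not captured from a real host)
SAMPLE_OLD='Exim version 4.94 #1 built 20-Mar-2025 12:00:00
Copyright (c) University of Cambridge, 2025
GnuTLS 3.7.8'
SAMPLE_NEW='Exim version 4.94.2 #1 built 01-Apr-2025 09:00:00
GnuTLS 3.7.8'
SAMPLE_OPENSSL='Exim version 4.94 #1 built 20-Mar-2025 12:00:00
OpenSSL 3.0.2'

printf '%s\n' "$SAMPLE_OLD" | assess_exim_build       # vulnerable
printf '%s\n' "$SAMPLE_NEW" | assess_exim_build       # patched
printf '%s\n' "$SAMPLE_OPENSSL" | assess_exim_build   # not-gnutls
```

On a live host, run `exim -bV | sh -c '. ./check.sh; assess_exim_build'` or paste the functions into your fleet inventory script; a result of `vulnerable` means proceed with the steps below.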

2. Confirm the Presence of CVE-2026-45185

While the version check is a strong indicator, you can also verify by examining the Exim source code or changelog. For official distributions (Debian, Red Hat, FreeBSD ports), use the package manager to see which version is installed and which update is available:

# Debian/Ubuntu
dpkg -l | grep exim4
apt-cache show exim4-daemon-heavy | grep Version

# RHEL/CentOS
rpm -qa | grep exim
yum info exim

# FreeBSD
pkg info exim

If the current installed version is below the patched threshold, proceed to update.

3. Backup Your Exim Configuration

Before updating, safeguard your configuration files. Exim’s main configuration file is typically /etc/exim/exim.conf or /usr/local/etc/exim/configure. Back it up with:

sudo cp /etc/exim/exim.conf /etc/exim/exim.conf.backup.$(date +%F)

Also back up the spool directory (/var/spool/exim/) if possible. This ensures you can roll back if the update introduces incompatibilities.

4. Update Exim to the Patched Version

Obtain the latest patched release. If you use a package manager, update via:

# Debian/Ubuntu
sudo apt update
sudo apt upgrade exim4-daemon-heavy

# RHEL/CentOS (if using EPEL or other repo)
sudo yum update exim

# FreeBSD
sudo pkg upgrade exim

If you compiled Exim from source, download the latest tarball from the official Exim website and rebuild with the same flags you used previously. For example:

wget https://ftp.exim.org/pub/exim/exim4/exim-4.94.2.tar.gz
tar -xzf exim-4.94.2.tar.gz
cd exim-4.94.2
# Exim takes its build settings from Local/Makefile; start from the template
# and carry over the options of your previous build (e.g. USE_GNUTLS=yes)
mkdir -p Local && cp src/EDITME Local/Makefile
make
sudo make install

Make sure to include USE_GNUTLS=yes in your Local/Makefile if you were using GnuTLS – otherwise the new binary will not contain the GnuTLS code path that the fix addresses, and it will behave differently from the build you are replacing.

5. Verify the Update and Rebuild

After the update, check the version again:

exim -bV

You should see the new version number (e.g., 4.94.2). Additionally, run a quick syntax check on the configuration to ensure no corruption occurred during the update:

sudo exim -bV | grep -i configuration
# Or explicitly:
sudo exim -C /etc/exim/exim.conf -bV

If no errors appear, the update is successful.

6. Restart the Exim Service

To apply the changes, restart the Exim daemon:

sudo systemctl restart exim             # systemd systems (the unit is named exim4 on Debian/Ubuntu)
sudo service exim restart               # SysV init
sudo /usr/local/etc/rc.d/exim restart   # FreeBSD (ports/pkg install; `service exim restart` also works)

Monitor the logs for any anomalies:

sudo tail -f /var/log/exim/mainlog

Send a test email to verify the service is functioning.

7. Additional Hardening (Optional)

If you cannot immediately update (e.g., due to legacy constraints), consider these workarounds:

  • Disable BDAT support – In the Exim configuration, set bdat_max_chunk = 0 (or comment out any bdat_* options). Note: this may break interoperability with modern SMTP servers that use chunking.
  • Switch to OpenSSL – If feasible, recompile Exim with OpenSSL instead of GnuTLS. This completely bypasses the vulnerability, as it only affects GnuTLS builds.
  • Restrict incoming connections – Use a firewall to limit which hosts can send mail to your server. This reduces the attack surface.

Common Mistakes

  • Assuming all Exim versions are affected. The vulnerability only exists in builds compiled with GnuTLS. OpenSSL builds are safe.
  • Forgetting to rebuild with the same flags. If you compile from source and accidentally omit USE_GNUTLS=yes, the new binary might use OpenSSL, changing behavior and potentially breaking TLS compatibility.
  • Neglecting to restart the service. Simply updating the binary without restarting leaves the old process running and vulnerable.
  • Not checking the spool directory permissions. After an update, ensure that the spool directory is still owned by the correct user (exim or mailnull) to avoid delivery issues.
  • Confusing BDAT with other SMTP extensions. The BDAT command (chunking) is part of RFC 3030 and is used for efficient large message transfer. Disabling it may cause timeouts with modern mailers.

Summary

The Dead.Letter vulnerability (CVE-2026-45185) is a critical use-after-free flaw in Exim’s BDAT handling when built with GnuTLS. To protect your mail server, you must update to the fixed version (4.94.2 or later) or apply mitigations such as disabling BDAT or switching to OpenSSL. This guide walked you through verifying your Exim version, backing up configuration, updating the package or source, and testing the fix. Regular security audits and staying informed about Exim advisories are key to maintaining a robust email infrastructure.
