How to Protect Your Exim MTA from the BDAT Vulnerability (CVE-2026-45185)
Introduction
Exim, the popular open-source Mail Transfer Agent (MTA) for Unix-like systems, has recently patched a critical security flaw that affects certain configurations. Tracked as CVE-2026-45185 (dubbed Dead.Letter), this use-after-free vulnerability can lead to memory corruption and potential remote code execution when the BDAT (Binary Data) extension is used with GnuTLS builds. If you run Exim with GnuTLS, immediate action is required to prevent exploitation. This step-by-step guide will walk you through identifying whether your installation is at risk, applying the necessary patches, and verifying your defenses.

What You Need
- Root or sudo access to the server running Exim
- Basic knowledge of the command line and Exim configuration
- Backup of your current Exim configuration files (especially /etc/exim/exim.conf)
- Access to a text editor (e.g., vi, nano)
- Optionally, a test email account to verify functionality after patching
Step-by-Step Guide
Step 1: Check Your Exim Version and Build Flags
First, determine the exact Exim version and how it was compiled. Run:
exim -bV
Look for lines indicating the build date, version number, and compilation flags. Specifically, check for EXIM_HAVE_GNUTLS and BDAT support. If you see GnuTLS in the output and the version is earlier than 4.98.1 (or the specific patched version from your distribution), your server is vulnerable.
Step 2: Identify Whether BDAT Is Enabled
The BDAT extension is used for chunked email transmission. In Exim, it is controlled by the bdat option in your configuration. Run:
grep -i bdat /etc/exim/exim.conf
If you find bdat = true or similar, the feature is active. Even if disabled, the binary may still be vulnerable if compiled with BDAT support. The vulnerability only triggers when BDAT is used in combination with GnuTLS, so both conditions must be met.
Step 3: Apply Security Patches or Upgrade Exim
The safest fix is to upgrade Exim to a version that includes the security patch. Use your package manager:
- Debian/Ubuntu:
sudo apt update && sudo apt upgrade exim4
- RHEL/CentOS/Fedora:
sudo dnf update exim
- Compiled from source: download the latest tarball from exim.org and rebuild with
make clean; make; sudo make install
If a patched package is not yet available, apply the official Exim patch for CVE-2026-45185 from their security advisories page. This may require recompiling.

Step 4: Verify the Installation
After upgrading, confirm the new version:
exim -bV
Ensure the version is 4.98.1 or later, or that the patch message appears. Also check that the build flags still include GnuTLS if your setup requires it, but now the vulnerable code path is fixed.
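The version and build check from Step 1 and Step 4, written as a script so it can be run on many hosts. This is an added example, not the article's or the Exim project's code; it assumes the first line of `exim -bV` reads "Exim version X.Y[.Z] ..." and that a GnuTLS build prints a "Library version: GnuTLS:" line, and it uses constructed sample output when no exim binary is installed.

```shell
# Added example (not from the article): turn the Step 1 / Step 4 check into
# a script. It parses `exim -bV` output and flags a build that meets the
# article's two conditions: a GnuTLS build AND a version older than 4.98.1.
# Assumptions: first line reads "Exim version X.Y[.Z] ..." and a GnuTLS
# build reports a "Library version: GnuTLS:" line.
FIXED_VERSION="4.98.1"   # fixed version as stated in the article

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# exim_bdat_risk TEXT: TEXT is the output of `exim -bV`. Prints a verdict.
# Returns 0 = vulnerable by version/TLS library, 1 = not affected, 2 = unparsable.
exim_bdat_risk() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo "could not find an 'Exim version' line"; return 2
    fi
    tls=other
    printf '%s\n' "$1" | grep -q 'Library version: GnuTLS' && tls=gnutls
    if [ "$tls" = gnutls ] && version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE: Exim $ver is a GnuTLS build older than $FIXED_VERSION"
        return 0
    fi
    echo "not affected by this check: Exim $ver, TLS library: $tls"
    return 1
}

# Constructed sample outputs (not captured from a real host) for offline runs.
SAMPLE_GNUTLS_OLD='Exim version 4.97 #2 built 01-Jan-2025 12:00:00
Library version: GnuTLS: Compile: 3.8.1'
SAMPLE_OPENSSL_OLD='Exim version 4.97 #2 built 01-Jan-2025 12:00:00
Library version: OpenSSL: Compile: OpenSSL 3.0.13'

# Check the live binary when exim is installed; otherwise use the sample.
if command -v exim >/dev/null 2>&1; then
    exim_bdat_risk "$(exim -bV 2>/dev/null)" || :
else
    exim_bdat_risk "$SAMPLE_GNUTLS_OLD" || :
fi
```

A return code of 0 means the host still needs Step 3; a return code of 1 only clears the version and TLS-library conditions, so the BDAT configuration check in Step 2 still applies.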
Step 5: Test Email Functionality
Send a test email internally and externally to ensure the MTA is still operational. Use a tool like mail or swaks to verify SMTP delivery. Pay attention to any error logs at /var/log/exim/mainlog or /var/log/mail.log.
Step 6: Implement Additional Hardening (Optional)
Even after patching, consider these best practices:
- Disable BDAT if not needed: set
bdat = false
in your Exim configuration and restart.
- Switch from GnuTLS to OpenSSL if possible (use a different build flag).
- Keep Exim updated regularly and subscribe to Exim security announcements.
Tips for Ongoing Protection
- Always test patches in a staging environment before production rollout.
- Monitor your Exim logs for unusual patterns that could indicate attempted exploitation.
- Use a firewall to restrict SMTP access to trusted IPs only if your mail server is internal.
- Consider running your MTA in a container or minimal chroot jail to limit potential damage from code execution.
- Document your Exim configuration and version history to simplify future security audits.
By following these steps, you can effectively close the Dead.Letter vulnerability and keep your mail server secure. Remember that proactive patching is the best defense against emerging threats.