Oh no, not again.
It’s clearly time exim was sent to the great mailer-daemon in the sky. How many RCE CVEs in the last two years? Too many.
Sadly there don’t seem to be any open source SMTP servers written in memory safe languages around. Unless I’ve missed one?
Fortunately there are SMTP servers with a proper design that greatly reduce the severity of the effects of memory corruption.
I disagree that those 2 examples are good solutions: Postfix’s configuration is even less readable than Exim’s, and OpenSMTPd is really under-documented and looks much more trouble to run on Linux than it’s worth. Exim is still the least bad of the bunch.
All of them should be run in a container (or jail/chroot) if not a VM (QubesOS). Furthermore, we need to get rid of root.
**edit:** oh jebus. It looks like ASN.1 parsing strikes again. The most profitable back door in the history of computers.