-exim-*
+!/system-integration/
!/test/aux-fixed/exim-ca
*~
*.bak
Andrew Colin Kissa <andrew@topdog.za.net>
Andrew Lewis <exim@judo.za.org>
Axel Rau <axel.rau@chaos1.de>
-bes-internal <bes.internal@gmail.com>
+Vladimir Varlamov <bes.internal@gmail.com>
David Woodhouse <David.Woodhouse@intel.com>
Dirk Mueller <dmueller@suse.com>
Eric Andresen <eandres@google.com>
-Exim repository: configs
-------------------------
+Exim repository: configs/
+-------------------------
-This directory contains sample configurations and similar files that have been
-submitted by Exim users. The files are not locally modified.
+This directory contains sample configurations and files for
+integrating Exim with the system. These have been submitted by Exim
+users and may or may not fit your your environment.
-End
+But we're interested in feedback and improvements.
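Review bot: the added sentence "may or may not fit your your environment" repeats "your"; drop one. The closing line "But we're interested in feedback and improvements." would be more useful if it said where that feedback should be sent.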
--- /dev/null
+# System Integration
+
+Various systems use various ways to integrate Exim with the system.
+Mainly these tasks have to be accomplished:
+
+- startup procedure (running as a service or on demand)
+- queue runs
+- regular maintenance tasks (log rotation, database cleanup)
--- /dev/null
+.installed
--- /dev/null
+# Systemd Unit Examples for Exim
+
+This directory contains several examples for Systemd units to manage an Exim installation.
+There is room for improvement, so please share your ideas or setups that are proven to work
+in your environment.
+
+All the service units try to protect the system from unintentional
+writes to locations outside of Exim's spool, and log directories. You
+may need to override specific settings, we recommend using Systemd's
+override mechanism (`systemd edit …`).
+
+The .service units use `ProtectSystem=strict`, which implies a read-only
+file system structure. Exim needs write access to the spool directory
+(main config option: `spool_directory`), and the log directory (main
+config option: `log_file_path`). For improved security you can even set
+`NoNewPrivileges`, if you don't do local deliveries.
+
+The provides Systemd units are examples, containing placeholders
+`{{…}}`. The [install script](./install) helps substituting them.\1av
+The following placeholders are used currently:
+- `exim`:
+- `spooldir:`
+- `logdir`:
+
+
+## Daemon
+
+This is best suited for *average to high traffic systems*, it engages
+all built-in Exim facilities, as queue runner management and system load
+depending message processing.
+
+The [systemd service unit](./daemon/exim.service) starts the Exim main
+process. This process listens on the ports configured in the _runtime
+configuration_ (typically `exim.conf`), and supervises all other
+activities, including management of queue runner startups. Basically it
+calls `exim -odf -q...`.
+
+For regular maintenance tasks (database cleanup) additional units are
+[required](./maintenance).
+
+## Socket
+
+This is best suited for *low traffic* systems, which experience a
+message *burst* from time to time. Regular desktop, and edge systems fit this
+pattern.
+
+Exim's start is delayed until the first connection. Once a connection is
+initiated, Exim starts a listener on the port configured in the [systemd
+socket unit](./socket/exim.socket) and waits for more connections. It
+exits after being idle for a while. Basically it calls `exim -bw ...`.
+
+Additional [_queue runner_ timer and service units](#queue-runner) are required.
+
+For regular maintenance tasks (database cleanup)
+additional units are [required](./maintenance).
+
+## Inetd
+
+This is best suited for systems with *low traffic*, if the
+[socket](#socket) approach doesn't work.
+
+For each incoming connection a new Exim instance starts, handling
+exactly this connection and then exits. The listener port is configured
+in the [systemd socket unit](./inetd/exim.socket).
+
+Additional [_queue runner_ timer and service units](#queue-runner) are required.
+
+For regular maintenance tasks (database cleanup)
+additional units are [required](./maintenance).
+
+## Queue Runner
+
+This is a *timer*, and a *service* unit which starts Exim queue runner
+processes. This is necessary, as the socket activated Exim instances
+(from [socket](#socket) and [inetd](#inetd) do not care, once the first
+delivery attempt is done.
+
+## Maintenance
+
+This is a *timer* unit, and a *service* unit for regular maintenance
+tasks. For security it is recommended to use the `User=` Systemd
+directive in a local override file.
+
+The service unit cares about tidying Exim's hint databases. It *does
+not* rotate the log files, as most systems have their own mechanism for
+doing this job (e.g. Logrotate).
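Review bot: the Daemon section says the unit basically calls `exim -odf -q...`, but the daemon unit added in this same patch runs `{{exim}} -bdf $DAEMON_OPTS $QUEUE_OPTS`, so the text should name `-bdf`. In the introduction, `systemd edit …` should be `systemctl edit …`, "The provides Systemd units" should read "The provided", and the stray `\1av` after the install-script link needs removing. The three placeholder bullets have no descriptions (and `spooldir:` has its colon inside the backticks), and the parenthesis opened before `from [socket](#socket)` in the Queue Runner section is never closed.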
--- /dev/null
+[Unit]
+Description=Exim MTA (as daemon)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+Requires=network.target
+After=networking.target
+
+[Service]
+Environment=DAEMON_OPTS=
+Environment=QUEUE_OPTS=-q15m
+EnvironmentFile=-/etc/default/{{exim}}
+
+Type=exec
+ExecStart={{exim}} -bdf $DAEMON_OPTS $QUEUE_OPTS
+ExecReload=kill -HUP ${MAINPID}
+
+# If you do not need local deliveries, enabling the
+# next option can improve security
+#NoNewPrivileges=yes
+
+ProtectSystem=strict
+ReadWriteDirectories={{spooldir}}
+ReadWriteDirectories={{logdir}}
+
+Slice=exim.slice
+
+[Install]
+WantedBy=multi-user.target
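Review bot: in `[Unit]`, `Requires=network.target` is paired with `After=networking.target`, so the ordering dependency names a different unit from the one that is required; use the same target in both lines (`After=network.target`). Under `ProtectSystem=strict` this unit also makes only `{{spooldir}}` and `{{logdir}}` writable, while the queue runner and socket-activated services in this patch add `ReadWriteDirectories=/var/mail /var/spool/mail`; if the daemon is expected to do local deliveries it needs the same line, or a comment saying why it is left out.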
--- /dev/null
+[Unit]
+Description=Exim MTA (inetd)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Socket]
+ListenStream=25
+Accept=yes
+
+[Install]
+WantedBy=sockets.target
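Review bot: with `Accept=yes` in `[Socket]`, systemd starts one service instance per connection and looks for a template unit (`exim@.service`) to run it; the file names are not visible in this diff, so please confirm the accompanying service is installed under that name. An explicit `MaxConnections=` would also document the intended per-connection process limit for a listener on port 25.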
--- /dev/null
+[Unit]
+Description=Exim MTA (socket activated - inetd mode)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Service]
+Type=exec
+
+# We can't use -odf, as this would ask exim to keep the connection
+# from the client open until the delivery is done
+ExecStart={{exim}} -bs
+
+StandardInput=socket
+StandardError=journal
+
+# Don't kill the delivery process we spawned as a child
+KillMode=process
+
+# If you do not need local deliveries, enabling the
+# next option can improve security
+#NoNewPrivileges=yes
+
+ProtectSystem=strict
+ReadWriteDirectories={{spooldir}}
+ReadWriteDirectories={{logdir}}
+
+Slice=exim.slice
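Review bot: the writable paths under `ProtectSystem=strict` stop at `{{spooldir}}` and `{{logdir}}`, yet the comment above `KillMode=process` says this instance spawns the delivery process as a child. The queue runner and socket-activated units in this patch add `ReadWriteDirectories=/var/mail /var/spool/mail` for local deliveries; the same line, or a comment explaining its absence, is needed here.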
--- /dev/null
+#!/bin/bash
+# simple helper, mainly for testing the provided Systemd units.
+
+set -eu
+export LC_ALL=C
+
+: ${EXIM=exim}
+: ${EXIM_LOGDIR=/var/log/exim}
+: ${EXIM_SPOOLDIR=/var/spool/exim}
+
+# Packagers should install to $(systemd-path systemd-system-unit)
+# which mostly is something like /lib/systemd/system
+dstdir=
+
+usage="$0 [OPTIONS] variant...
+ This simple script installs Systemd unit files to the desired destination, replacing
+ the {{Placeholder}}s.
+
+ VARIANT: one of daemon, inet, socket, maintainance, queuerunner
+
+ OPTIONS:
+ --help print this help and exit cleanly
+ --uninstall|-u uninstall the installed files
+ --dstdir|-d DIR the destination directory (mandatory, use 'DEFAULT'
+ to use Systemd's default location (`systemd-path systemd-system-conf`)
+
+ Placeholders:
+ {{exim}} from \$EXIM ($EXIM)
+ {{logdir}} from \$EXIM_LOGDIR ($EXIM_LOGDIR)
+ {{spooldir}} from \$EXIM_SPOOLDIR ($EXIM_SPOOLDIR)
+"
+
+
+tmp=$(getopt -n $0 -o d:n --long dstdir:,help,uninstall -- "$@")
+eval set -- "$tmp"
+while true
+do
+ o=$1; shift
+ case $o in
+ -d|--dstdir) dstdir=$1; shift;;
+ --help) echo "$usage"; exit;;
+ -n|--uninstall) uninstall=1;;
+ --) break
+ esac
+done
+
+if [[ -v uninstall ]]
+then
+ if ! [[ -r .installed ]]
+ then
+ echo "$0: noting to uninstall (.installed is empty or isn't readable)" >&2
+ exit
+ fi
+
+ rm -vf $(<.installed)
+ rm -f .installed
+ exit
+fi
+
+case $dstdir in
+ DEFAULT) dstdir=$(systemd-path systemd-system-conf);;
+ "") echo "$0: --dstdir is mandatory" >&2; exit 1;;
+ *) ;;
+esac
+
+if (( $# == 0 ))
+then echo "$0: need variant" >&2; exit 1;
+fi
+
+function xform() {
+ sed -e "s|{{exim}}|${EXIM:?}|g" \
+ -e "s|{{logdir}}|${EXIM_LOGDIR:?}|g" \
+ -e "s|{{spooldir}}|${EXIM_SPOOLDIR:?}|g"
+}
+
+for dir in ${@:?need source dir(s)}
+do
+ echo "# $dir"
+ for src in "$dir"/*
+ do
+ dst="$dstdir/${src##*/}"
+ echo "installing $dst"
+ xform <"$src" >"$dst"
+ echo $dst >> .installed
+ done
+done
+
+if [[ $dstdir == $(systemd-path systemd-system-conf) ]]
+then
+ echo "# reloading systemd configuration"
+ systemctl daemon-reload
+fi
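Review bot: the uninstall branch runs `rm -vf $(<.installed)` unquoted on whatever the `.installed` file in the current directory contains, so entries with spaces or glob characters are split and expanded, and a stale or edited file decides what gets deleted by a script that is normally run as root. Read the file line by line (`while IFS= read -r f; do rm -vf -- "$f"; done <.installed`) and quote `"$dst"` when appending to it. Separately: the usage text documents `--uninstall|-u` but `getopt -o d:n` and the `case` accept `-n`; the variant names `inet` and `maintainance` do not match the `inetd` and `maintenance` directories the README links to; the backticks inside the double-quoted `usage` string execute `systemd-path` when the variable is assigned; and `xform` passes `$EXIM`, `$EXIM_LOGDIR` and `$EXIM_SPOOLDIR` into `sed` unescaped, so a `|` or `&` in any value corrupts the generated unit.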
--- /dev/null
+[Unit]
+Description=Exim MTA (maintenance)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Service]
+Type=oneshot
+ExecReload=kill -HUP ${MAINPID}
+
+# Dollars are doubled for systemd!
+WorkingDirectory={{spooldir}}
+ExecStart=sh -ec 'for db in db/* ;\
+ do \
+ test -f "$$db" && [ "$${db##*.}" != lockfile ] || continue ;\
+ exim_tidydb $$PWD "$${db##*/}"; \
+ done'
+
+ProtectSystem=strict
+ReadWriteDirectories={{spooldir}}/db
+
+Slice=exim.slice
+
+[Install]
+WantedBy=multi-user.target
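Review bot: `ExecReload=kill -HUP ${MAINPID}` has no purpose in a `Type=oneshot` unit that exits once the tidy loop finishes, and `[Install] WantedBy=multi-user.target` would, once the service is enabled, run the job at boot in addition to the timer; both look carried over from the daemon unit and can be dropped. The unit also calls `sh` and `exim_tidydb` by bare name and sets no `User=`, although the README in this patch recommends `User=` for this service; consider absolute paths or a placeholder, and at least a commented `#User=` line.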
--- /dev/null
+[Unit]
+Description=Exim MTA (maintenance timer)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Timer]
+OnActiveSec=1h
+OnUnitActiveSec=1d
+
+[Install]
+WantedBy=timers.target
--- /dev/null
+[Unit]
+Description=Exim MTA (queue runner service)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Service]
+Type=oneshot
+
+ExecStart={{exim}} -q
+KillMode=process
+
+# If you do not need local deliveries, enabling the
+# next option can improve security
+#NoNewPrivileges=yes
+
+ProtectSystem=strict
+ReadWriteDirectories={{spooldir}}
+ReadWriteDirectories={{logdir}}
+ReadWriteDirectories=/var/mail /var/spool/mail
+
+Slice=exim.slice
--- /dev/null
+[Unit]
+Description=Exim MTA (queue runner timer)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Timer]
+OnActiveSec=120
+OnUnitActiveSec=15m
+
+[Install]
+WantedBy=timers.target
--- /dev/null
+[Unit]
+Description=Exim MTA (socket activated)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+PartOf=exim.socket
+
+[Service]
+Type=exec
+Environment=INACTIVITY_TIMEOUT=5m
+EnvironmentFile=-/etc/default/exim
+
+ExecStart=exim -bw${INACTIVITY_TIMEOUT}
+
+StandardInput=socket
+StandardError=journal
+
+# If you do not need local deliveries, enabling the
+# next option can improve security
+#NoNewPrivileges=yes
+
+ProtectSystem=strict
+ReadWriteDirectories={{spooldir}}
+ReadWriteDirectories={{logdir}}
+ReadWriteDirectories=/var/mail /var/spool/mail
+
+Slice=exim.slice
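Review bot: `ExecStart=exim -bw${INACTIVITY_TIMEOUT}` hard-codes `exim`, while the other service units in this patch use the `{{exim}}` placeholder, so the `$EXIM` value given to the install script has no effect on this unit; use `ExecStart={{exim}} -bw${INACTIVITY_TIMEOUT}`. The literal `EnvironmentFile=-/etc/default/exim` is the safer form of the two, since substituting `{{exim}}` there (as the daemon unit does) yields a broken path whenever `$EXIM` is set to a full path.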
--- /dev/null
+[Unit]
+Description=Exim MTA (socket)
+Documentation=man:exim
+Documentation=https://exim.org/docs.html
+
+[Socket]
+ListenStream=25
+
+[Install]
+WantedBy=sockets.target
. Copyright year. Update this (only) when changing content.
.macro copyyear
-2021
+2023
.endmacro
. ===========================================================================
. Update the Copyright year (only) when changing content.
. /////////////////////////////////////////////////////////////////////////////
-.set previousversion "4.96"
+.set previousversion "4.97"
.include ./local_params
.set ACL "access control lists (ACLs)"
.set drivernamemax "64"
.macro copyyear
-2022
+2023
.endmacro
. /////////////////////////////////////////////////////////////////////////////
way of representing the date and time of day).
.next
After the first hyphen, the next
-.new
eleven
-.wen
characters are the id of the process that received the message.
.next
-.new
There are two different possibilities for the final four characters:
.olist
.oindex "&%localhost_number%&"
500000 (250000) and added to
the fractional part of the time, which in this case is in units of 2 us (4 us).
.endlist
-.wen
.endlist
After a message has been received, Exim waits for the clock to tick at the
referenced from the configuration (for example, alias files) are changed,
because these are reread each time they are used.
-.new
Either a SIGTERM or a SIGINT signal should be used to cause the daemon
to cleanly shut down.
Subprocesses handling recceiving or delivering messages,
or for scanning the queue,
will not be affected by the termination of the daemon process.
-.wen
.cmdopt -bdf
This option has the same effect as &%-bd%& except that it never disconnects
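Review bot: "recceiving" in the SIGTERM/SIGINT paragraph ("Subprocesses handling recceiving or delivering messages") should be "receiving"; this hunk already touches the paragraph to drop the `.new`/`.wen` markers, so the typo can be fixed in the same change.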
Because macros in the config file are often used for secrets, those are only
available to admin users.
-.new
The word &"set"& at the start of a line, followed by a single space,
is recognised specially as defining a value for a variable.
The syntax is otherwise the same as the ACL modifier &"set ="&.
-.wen
.cmdopt -bem <&'filename'&>
.cindex "testing" "string expansion"
given.
Normally the daemon creates this socket, unless a &%-oX%& and &*no*& &%-oP%&
option is also present.
-.new
If this option is given then the socket will not be created. This is required
if the system is running multiple daemons, in which case it should
be used on all.
.next
obtaining a current queue size
.endlist
-.wen
.cmdopt -pd
.cindex "Perl" "starting the interpreter"
.cindex "multiple SMTP deliveries"
connection because of the hints that were set up during the first queue scan.
-.new
Two-phase queue runs should be used on systems which, even intermittently,
have a large queue (such as mailing-list operators).
They may also be useful for hosts that are connected to the Internet
intermittently.
-.wen
.vitem &%-q[q]i...%&
.oindex "&%-qi%&"
Such a daemon listens for incoming SMTP calls, and also starts a queue runner
process every 30 minutes.
-.new
.cindex "named queues" "queue runners"
It is possible to set up runners for multiple named queues within one daemon,
For example:
.code
exim -qGhipri/2m -q10m -qqGmailinglist/1h
.endd
-.wen
When a daemon is started by &%-q%& with a time value, but without &%-bd%&, no
pid file is written unless one is explicitly requested by the &%-oP%& option.
[name="${quote_nisplus:$local_part}"]
.endd
.cindex "tainted data" "in lookups"
-.new
&*All*& tainted data used in a query-style lookup must be quoted
using a mechanism appropriate for the lookup type.
-.wen
See chapter &<<CHAPexpand>>& for full coverage of string expansions. The quote
operator can be used for all lookup types, but has no effect for single-key
lookups, since no quoting is ever needed in their key strings.
.oindex &%sqlite_dbfile%&
There are two ways of
specifying the file.
-The first is is by using the &%sqlite_dbfile%& main option.
+The first is by using the &%sqlite_dbfile%& main option.
The second, which allows separate files for each query,
is to use an option appended, comma-separated, to the &"sqlite"&
lookup type word. The option is the word &"file"&, then an equals,
database lookups, and the use of expansion operators such as &%sg%&, &%substr%&
and &%nhash%&.
-.new
When reading lines from the standard input,
macros can be defined and ACL variables can be set.
For example:
set acl_m_myvar = bar
.endd
Such macros and variables can then be used in later input lines.
-.wen
Exim gives up its root privilege when it is called with the &%-be%& option, and
instead runs under the uid and gid it was called with, to prevent users from
add_header = :at_start:${authresults {$primary_hostname}}
.endd
This is safe even if no authentication results are available
-.new
and would generally be placed in the DATA ACL.
-.wen
.vitem "&*${certextract{*&<&'field'&>&*}{*&<&'certificate'&>&*}&&&
For each item
in this list, its value is placed in &$item$&, and then the condition is
evaluated.
-.new
Any modification of &$value$& by this evaluation is discarded.
-.wen
If the condition is true, &$item$& is added to the output as an
item in a new list; if the condition is false, the item is discarded. The
separator used for the output list is the same as the one used for the
This item inserts &"raw"& header lines. It is described with the &%header%&
expansion item in section &<<SECTexpansionitems>>& above.
-.vitem "&*${run<&'options'&> {*&<&'command&~arg&~list'&>&*}{*&<&'string1'&>&*}&&&
+.vitem "&*${run<&'options'&> {*&<&'command&~string'&>&*}{*&<&'string1'&>&*}&&&
{*&<&'string2'&>&*}}*&"
.cindex "expansion" "running a command"
.cindex "&%run%& expansion item"
and without whitespace.
If the option &'preexpand'& is not used,
-the command string is split into individual arguments by spaces
-and then each argument is expanded.
+the command string before expansion is split into individual arguments by spaces
+and then each argument is separately expanded.
Then the command is run
in a separate process, but under the same uid and gid. As in other command
executions from Exim, a shell is not used by default. If the command requires
a careful assessment for security vulnerabilities should be done.
If the option &'preexpand'& is used,
-the command and its arguments are first expanded as one string. The result is
-split apart into individual arguments by spaces, and then the command is run
-as above.
+the command string is first expanded as a whole.
+The expansion result is split apart into individual arguments by spaces,
+and then the command is run as above.
Since the arguments are split by spaces, when there is a variable expansion
which has an empty result, it will cause the situation that the argument will
simply be omitted when the program is actually executed by Exim. If the
-.new
.vitem &*${headerwrap_*&<&'cols'&>&*_*&<&'limit'&>&*:*&<&'string'&>&*}*&
.cindex header "wrapping operator"
.cindex expansion "header wrapping"
Whitespace at a chosen wrap point is removed.
A line-wrap consists of a newline followed by a tab,
and the tab is counted as 8 columns.
-.wen
rejections of MAIL and rejections of RCPT.
.tvar &$recipients$&
-.new
.tvar &$recipients_list$&
These variables both contain the envelope recipients for a message.
this variable is not intended for further processing.
The second is a proper Exim list; colon-separated.
-.wen
However, the variables
are not generally available, to prevent exposure of Bcc recipients in
dns_again_means_nonexist = *.in-addr.arpa
.endd
This option applies to all DNS lookups that Exim does,
-.new
except for TLSA lookups (where knowing about such failures
is security-relevant).
-.wen
It also applies when the
&[gethostbyname()]& or &[getipnodebyname()]& functions give temporary errors,
since these are most likely to be caused by DNS lookup problems. The
nowadays the ACL specified by &%acl_smtp_connect%& can also reject incoming
connections immediately.
-.new
If the connection is on a TLS-on-connect port then the TCP connection is
just dropped. Otherwise, an SMTP error is sent first.
-.wen
The ability to give an immediate rejection (either by this option or using an
ACL) is provided for use in unusual cases. Many hosts will just try again,
.code
hosts_connection_nolog = :
.endd
-.new
The hosts affected by this option also do not log "no MAIL in SMTP connection"
lines, as may commonly be produced by a monitoring system.
-.wen
.option hosts_require_alpn main "host list&!!" unset
The option is available only if Exim has been built with Oracle support.
-.new
.option panic_coredump main boolean false
This option is rarely needed but can help for some debugging investigations.
If set, when an internal error is detected by Exim which is sufficient
Note that most systems require additional administrative configuration
to permit write a core file for a setuid program, which is Exim's
common installed configuration.
-.wen
.option percent_hack_domains main "domain list&!!" unset
.cindex "&""percent hack""&"
smtp_banner = $smtp_active_hostname ESMTP Exim \
$version_number $tod_full
.endd
-.new
Failure to expand the string causes a panic error;
a forced fail just closes the connection.
-.wen
If you want to create a
multiline response to the initial SMTP connection, use &"\n"& in the string at
appropriate points, but not at the end. Note that the 220 code is not included
&%tls_require_ciphers%& option).
After expansion it must contain
-.new
one or (only for OpenSSL versiona 1.1.1 onwards) more
-.wen
EC curve names, such as &`prime256v1`&, &`secp384r1`&, or &`P-521`&.
Consult your OpenSSL manual for valid curve names.
&`auto`& selects &`prime256v1`&. For more recent OpenSSL versions
&`auto`& tells the library to choose.
-.new
If the option expands to an empty string, the effect is undefined.
-.wen
.option tls_ocsp_file main string&!! unset
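Review bot: "OpenSSL versiona 1.1.1 onwards" in the paragraph that loses its `.new`/`.wen` markers should read "versions"; worth correcting while the markers are being removed.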
TLS session for any host that matches this list.
&%tls_verify_certificates%& should also be set for the transport.
-.new
The default is &"**"& if DANE is not in use for the connection,
or if DANE-TA us used.
It is empty if DANE-EE is used.
-.wen
.option hosts_require_alpn smtp "host list&!!" unset
.cindex ALPN "require negotiation in client"
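Review bot: "or if DANE-TA us used" in the default-value paragraph should be "is used"; fix it in this hunk along with the marker removal.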
.option max_rcpt smtp integer&!! 100
.cindex "RCPT" "maximum number of outgoing"
This option,
-.new
after expansion,
-.wen
limits the number of RCPT commands that are sent in a single
SMTP message transaction.
A value setting of zero disables the limit.
-.new
If a constant is given,
-.wen
each set of addresses is treated independently, and
so can cause parallel connections to the same host if &%remote_max_parallel%&
permits this.
Successful authentication sets up information used by the
&%authresults%& expansion item.
-.new
.cindex authentication "failure event, server"
If an authenticator is run and does not succeed,
an event (see &<<CHAPevents>>&) of type "auth:fail" is raised.
If the event is serviced and a string is returned then the string will be logged
instead of the default log line.
See <<CHAPevents>> for details on events.
-.wen
.section "Testing server authentication" "SECID169"
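Review bot: the line `See <<CHAPevents>> for details on events.` lacks the `&<<...>>&` markup that the same paragraph uses three lines earlier in `(see &<<CHAPevents>>&)`, and it repeats that reference; either remove the sentence or write it as `&<<CHAPevents>>&`. The same sentence appears in the client-side paragraph of the following hunk.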
try again later. If there are any backup hosts available, they are tried in the
usual way.
-.new
.next
.cindex authentication "failure event, client"
If the response to authentication is a permanent error (5&'xx'& code),
will be valid.
If the event is serviced and a string is returned then the string will be logged.
See <<CHAPevents>> for details on events.
-.wen
.next
If the response to authentication is a permanent error (5&'xx'& code), Exim
server_set_id = $auth1
.endd
-.new
&*Note*&: plaintext authentication methods such as PLAIN and LOGIN
should not be advertised on cleartext SMTP connections.
See the discussion in section &<<SECTplain_TLS>>&.
-.wen
If the SMTP connection is encrypted, or if &$sender_host_address$& is equal to
&$received_ip_address$& (that is, the connection is local), the &"secured"&
(If an API is found to let OpenSSL be configured in this way,
let the Exim Maintainers know and we'll likely use it).
.next
-With GnuTLS, if an explicit list is used for the &%tls_privatekey%& main option
-main option, it must be ordered to match the &%tls_certificate%& list.
+With GnuTLS, if an explicit list is used for the &%tls_privatekey%& main option,
+it must be ordered to match the &%tls_certificate%& list.
.next
Some other recently added features may only be available in one or the other.
This should be documented with the feature. If the documentation does not
.next
Add TLSA DNS records. These say what the server certificate for a TLS connection should be.
.next
-Offer a server certificate, or certificate chain, in TLS connections which is is anchored by one of the TLSA records.
+Offer a server certificate, or certificate chain, in TLS connections which is anchored by one of the TLSA records.
.endlist
There are no changes to Exim specific to server-side operation of DANE.
the message override the banner message that is otherwise specified by the
&%smtp_banner%& option.
-.new
For tls-on-connect connections, the ACL is run before the TLS connection
is accepted; if the ACL does not accept then the TCP connection is dropped without
any TLS startup attempt and without any SMTP response being transmitted.
-.wen
.subsection "The EHLO/HELO ACL" SECID192
More than one header can be removed at the same time by using a colon separated
list of header specifiers.
-.new
If a specifier does not start with a circumflex (^)
then it is treated as a header name.
The header name matching is case insensitive.
.code
remove_header = \N^(?i)Authentication-Results\s*::\s*example.org;\N
.endd
-.wen
List expansion is not performed, so you cannot use hostlists to
create a list of headers, however both connection and message variable expansion
between the caller and Exim.
.next
.cindex "log" "connection identifier"
-.new
&%connection_identifier%&: An identifier for the accepted connection is added to
connection start and end lines and to message accept lines.
The identifier is tagged by Ci=.
The value is PID-based, so will reset on reboot and will wrap.
-.wen
.next
.cindex "log" "connection rejections"
&%connection_reject%&: A log entry is written whenever an incoming SMTP
If it is, the condition will return true and the variable
&$srs_recipient$& will be set to the decoded (original) value.
-.new
If the second argument is empty then the condition returns true if
the first argument is in valid SRS formet, else false.
The variable &$srs_recipient$& is not set for this case.
-.wen
.endlist
Example usage:
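Review bot: "valid SRS formet" in the paragraph about an empty second argument should be "format"; correct it while removing the `.new`/`.wen` markers here.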
no other use is made of it.
For a tcp:connect event, if the connection is being made to a proxy
-then the address and port variables will be that of the proxy and not
-the target system.
+then the &$host_address$& and &$host_port$& variables
+will be that of the proxy and not the target system.
For tls:cert events, if GnuTLS is in use this will trigger only per
chain element received on the connection.
# Chapter directives just require . => @; however, dequoting the
# line thereafter will remove the first @, so just force it back
-# afterwards. If the chapter is is one describing a driver, set
+# afterwards. If the chapter is one describing a driver, set
# the driver name.
if (/\.chapter/)
affect Exim's operation, with an unchanged configuration file. For new
options, and new features, see the NewStuff file next to this ChangeLog.
-Since 4.97
+Exim version 4.98
-----------------
-JH/01 Handle error on close of the spool data file during reception. Previously
+JH/01 Support list of dkim results in the dkim_status ACL condition, making
+ it more usable in the data ACL.
+
+JH/02 Handle error on close of the spool data file during reception. Previously
This was only logged, on the assumption that errors would be seen for
a previous fflush(). However, a fuse filesystem has been reported as
showing this an error for the fclose(). The spool is now in an uncertain
JH/19 Bug 2911: Fix a recursion in DNS lookups. Previously, if the main option
dns_again_means_nonexist included an element causing a DNS lookup which
- iteslf returned DNS_AGAIN, unbounded recursion occurred. Possible results
+ itself returned DNS_AGAIN, unbounded recursion occurred. Possible results
included (though probably not limited to) a process crash from stack
memory limit, or from excessive open files. Replace this with a paniclog
whine (as this is likely a configuration error), and returning
JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
and ${tr...}. Found and diagnosed by Heiko Schlichting.
-JH/40 Support list of dkim results in the dkim_status ACL condition, making
- it more usable in the data ACL.
+JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which
+ could be triggered by externally-supplied input. Found by Trend Micro.
+ CVE-2023-42115
+
+JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
+ be triggered by externally-controlled input. Found by Trend Micro.
+ CVE-2023-42116
+
+JH/42 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could
+ be triggered by externally-controlled input. Found by Trend Micro.
+ CVE-2023-42114
+
+JH/43 Bug 2903: avoid exit on an attempt to rewrite a malformed address.
+ Make the rewrite never match and keep the logging. Trust the
+ admin to be using verify=header-syntax (to actually reject the message).
+
+JH/44 Bug 3033: Harden dnsdb lookups against crafted DNS responses.
+ CVE-2023-42219
+
+HS/02 Fix string_is_ip_address() CVE-2023-42117 (Bug 3031)
Exim version 4.96
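Review bot: in JH/44, `CVE-2023-42219` does not fit the run of identifiers in the neighbouring entries (CVE-2023-42114 to CVE-2023-42117); please check the number against the advisory for Bug 3033 before this ships, because a wrong CVE id in the ChangeLog misleads anyone matching fixes to advisories. HS/02 gives only the function name and the CVE; a one-line description of what was wrong in `string_is_ip_address()`, in the style of JH/40 to JH/42, would help readers judge exposure.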
test from the snapshots or the Git before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
-Since 4.97
+Version 4.98
------------
- 1. The dkim_status ACL condition may not be used in data ACLs
+ 1. The dkim_status ACL condition may now be used in data ACLs
Version 4.97
------------
9. There is a new ACL, specified by acl_smtp_notquit, which is run in most
cases when an SMTP session ends without sending QUIT. However, when Exim
- itself is is bad trouble, such as being unable to write to its log files,
+ itself is in bad trouble, such as being unable to write to its log files,
this ACL is not run, because it might try to do things (such as write to
log files) that make the situation even worse.
#!/usr/bin/env perl
-# Copyright (c) The Exim Maintainers 2016 - 2021
+# Copyright (c) The Exim Maintainers 2016 - 2023
use strict;
use warnings;
# appropriate links, and then creating and running the main makefile in that
# directory.
-# Copyright (c) The Exim Maintainers 2022
+# Copyright (c) The Exim Maintainers 2022 - 2023
# Copyright (c) University of Cambridge, 1995 - 2018
# SPDX-License-Identifier: GPL-2.0-or-later
# See the file NOTICE for conditions of use and distribution.
# optional, Local/* files at the front of this file, to create Makefile in the
# build directory.
#
-# Copyright (c) The Exim Maintainers 1995 - 2022
+# Copyright (c) The Exim Maintainers 1995 - 2023
# SPDX-License-Identifier: GPL-2.0-or-later
SHELL = $(MAKE_SHELL)
# Exim: OS-specific make file for FreeBSD
#
-# Copyright (c) The Exim Maintainers 2020
+# Copyright (c) The Exim Maintainers 2020 - 2023
# SPDX-License-Identifier: GPL-2.0-or-later
CHOWN_COMMAND=/usr/sbin/chown
# Exim: OS-specific make file for OpenBSD
-# Copyright (c) The Exim Maintainers 2022
+# Copyright (c) The Exim Maintainers 2022 - 2023
# SPDX-License-Identifier: GPL-2.0-or-later
CHOWN_COMMAND=/usr/sbin/chown
# Exim: OS-specific make file for SunOS5
-# Copyright (c) The Exim Maintainers 2020
+# Copyright (c) The Exim Maintainers 2020 - 2023
# SPDX-License-Identifier: GPL-2.0-or-later
HAVE_ICONV=yes
*************************************************/
/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) The Exim Maintainers 2021 - 2023 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
*************************************************/
/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim Maintainers 2021 */
+/* Copyright (c) The Exim Maintainers 2023 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
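Review bot: this header replaces `2021` with `2023`, where the other files in the patch extend the range instead (`2021 - 2023`, `2020 - 2023`); keep the first year and write `2021 - 2023`.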
*************************************************/
/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
# Script to build links for all the exim source files from the system-
# specific build directory. It should be run from within that directory.
#
-# Copyright (c) The Exim Maintainers 1995 - 2022
+# Copyright (c) The Exim Maintainers 1995 - 2023
# SPDX-License-Identifier: GPL-2.0-or-later
test ! -d ../src && \
#! /bin/sh
-# Copyright (c) The Exim Maintainters 2022
+# Copyright (c) The Exim Maintainters 2022 - 2023
# SPDX-License-Identifier: GPL-2.0-or-later
# Script to install Exim binaries in BIN_DIRECTORY, which is defined in
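Review bot: the edited copyright line still spells "Maintainters"; correct it to "Maintainers" while the year is being updated.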
##################################################
# The Exim mail transport agent #
##################################################
-# Copyright (c) The Exim Maintainers 2022
+# Copyright (c) The Exim Maintainers 2022 - 2023
# SPDX-License-Identifier: GPL-2.0-or-later
# This is the template for Exim's main build-time configuration file. It
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
/* Extract the numerical SRV fields (p is incremented) */
+ if (rr_bad_size(rr, 3 * sizeof(uint16_t))) continue;
GETSHORT(priority, p);
GETSHORT(weight, p);
GETSHORT(port, p);
*************************************************/
/* Experimental ARC support for Exim
Copyright (c) Jeremy Harris 2018 - 2020
- Copyright (c) The Exim Maintainers 2021 - 2022
+ Copyright (c) The Exim Maintainers 2021 - 2023
License: GPL
SPDX-License-Identifier: GPL-2.0-or-later
*/
* All the original code used here was torn by Marc Prud'hommeaux out of the
* Samba project (by Andrew Tridgell, Jeremy Allison, and others).
*
- * Copyright (c) The Exim Maintainers 2021
+ * Copyright (c) The Exim Maintainers 2021 - 2023
* SPDX-License-Identifier: GPL-2.0-or-later
* Tom Kistner provided additional code, adding spa_build_auth_challenge() to
up with a different answer to the one above)
*/
+#ifndef MACRO_PREDEF
+
+
#define DEBUG_X(a,b) ;
extern int DEBUGLEVEL;
#define spa_bytes_add(ptr, header, buf, count) \
{ \
-if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \
+if ( buf && (count) != 0 /* we hate -Wint-in-bool-contex */ \
+ && ptr->bufIndex + count < sizeof(ptr->buffer) \
+ ) \
{ \
SSVAL(&ptr->header.len,0,count); \
SSVAL(&ptr->header.maxlen,0,count); \
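Review bot: `count` is not parenthesised in the new bound `ptr->bufIndex + count < sizeof(ptr->buffer)` of spa_bytes_add, although the same condition writes `(count) != 0` one line earlier. Callers later in this patch pass `cf & 0x200 ? 24 : 0` without outer parentheses, so after expansion the `?:` binds last and takes the whole `&&` chain as its condition. Both of its results (24, and `0 < sizeof(ptr->buffer)`) are non-zero, so for those calls the guard is always true and limits nothing. Write `ptr->bufIndex + (count) < sizeof(ptr->buffer)`, and parenthesise `count` in the macro body as well unless SSVAL already does so.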
#define spa_string_add(ptr, header, string) \
{ \
-char *p = string; \
+uschar * p = string; \
int len = 0; \
-if (p) len = strlen(p); \
-spa_bytes_add(ptr, header, (US p), len); \
+if (p) len = Ustrlen(p); \
+spa_bytes_add(ptr, header, p, len); \
}
#define spa_unicode_add_string(ptr, header, string) \
{ \
-char *p = string; \
-uschar *b = NULL; \
+uschar * p = string; \
+uschar * b = NULL; \
int len = 0; \
if (p) \
{ \
- len = strlen(p); \
- b = strToUnicode(p); \
+ len = Ustrlen(p); \
+ b = US strToUnicode(CS p); \
} \
spa_bytes_add(ptr, header, b, len*2); \
}
-#define GetUnicodeString(structPtr, header) \
-unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
-#define GetString(structPtr, header) \
-toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
-
#ifdef notdef
#define DumpBuffer(fp, structPtr, header) \
-dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+ dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
static void
return buf;
}
+static inline uschar *
+get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+{
+int off = IVAL(&hdr->offset, 0);
+int len = SVAL(&hdr->len, 0);
+return off + len < sizeof(SPAAuthChallenge)
+ ? US unicodeToString(CS challenge + off, len/2) : US"";
+}
+
+static inline uschar *
+get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
+{
+int off = IVAL(&hdr->offset, 0);
+int len = SVAL(&hdr->len, 0);
+return off + len < sizeof(SPAAuthChallenge)
+ ? US toString(CS challenge + off, len) : US"";
+}
+
#ifdef notdef
+#define GetUnicodeString(structPtr, header) \
+ unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+
+#define GetString(structPtr, header) \
+ toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+
+
void
dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
{
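Review bot: In get_challenge_unistr and get_challenge_str, `off` and `len` are taken from the peer's challenge but held in `int`, so `off + len` is signed arithmetic that can overflow before it is compared with `sizeof(SPAAuthChallenge)`. The test also bounds only the upper end: a small `off` that points into the fixed header fields of the struct still passes. Suggest unsigned types, a check of `off` against the start of the string area, a check of `len` against the space remaining after `off`, and a short comment on why the limit is `<` rather than `<=`.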
#endif
void
-spa_build_auth_request (SPAAuthRequest * request, char *user, char *domain)
+spa_build_auth_request (SPAAuthRequest * request, uschar * user, uschar * domain)
{
-char *u = strdup (user);
-char *p = strchr (u, '@');
+uschar * u = string_copy(user);
+uschar * p = Ustrchr(u, '@');
if (p)
{
if (!domain)
- domain = p + 1;
+ domain = p + 1;
*p = '\0';
}
SIVAL (&request->flags, 0, 0x0000b207); /* have to figure out what these mean */
spa_string_add (request, user, u);
spa_string_add (request, domain, domain);
-free (u);
}
void
spa_build_auth_response (SPAAuthChallenge * challenge,
- SPAAuthResponse * response, char *user,
- char *password)
+ SPAAuthResponse * response, uschar * user,
+ uschar * password)
{
uint8x lmRespData[24];
uint8x ntRespData[24];
uint32x cf = IVAL(&challenge->flags, 0);
-char *u = strdup (user);
-char *p = strchr (u, '@');
-char *d = NULL;
-char *domain;
+uschar * u = string_copy(user);
+uschar * p = Ustrchr(u, '@');
+uschar * d = NULL;
+uschar * domain;
if (p)
{
*p = '\0';
}
-else domain = d = strdup((cf & 0x1)?
- CCS GetUnicodeString(challenge, uDomain) :
- CCS GetString(challenge, uDomain));
+else domain = d = string_copy(cf & 0x1
+ ? CUS get_challenge_unistr(challenge, &challenge->uDomain)
+ : CUS get_challenge_str(challenge, &challenge->uDomain));
-spa_smb_encrypt (US password, challenge->challengeData, lmRespData);
-spa_smb_nt_encrypt (US password, challenge->challengeData, ntRespData);
+spa_smb_encrypt(password, challenge->challengeData, lmRespData);
+spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData);
response->bufIndex = 0;
memcpy (response->ident, "NTLMSSP\0\0\0", 8);
SIVAL (&response->msgType, 0, 3);
-spa_bytes_add (response, lmResponse, lmRespData, (cf & 0x200) ? 24 : 0);
-spa_bytes_add (response, ntResponse, ntRespData, (cf & 0x8000) ? 24 : 0);
+spa_bytes_add(response, lmResponse, lmRespData, cf & 0x200 ? 24 : 0);
+spa_bytes_add(response, ntResponse, ntRespData, cf & 0x8000 ? 24 : 0);
if (cf & 0x1) { /* Unicode Text */
- spa_unicode_add_string (response, uDomain, domain);
- spa_unicode_add_string (response, uUser, u);
- spa_unicode_add_string (response, uWks, u);
+ spa_unicode_add_string(response, uDomain, domain);
+ spa_unicode_add_string(response, uUser, u);
+ spa_unicode_add_string(response, uWks, u);
} else { /* OEM Text */
- spa_string_add (response, uDomain, domain);
- spa_string_add (response, uUser, u);
- spa_string_add (response, uWks, u);
+ spa_string_add(response, uDomain, domain);
+ spa_string_add(response, uUser, u);
+ spa_string_add(response, uWks, u);
}
-spa_string_add (response, sessionKey, NULL);
+spa_string_add(response, sessionKey, NULL);
response->flags = challenge->flags;
-
-if (d != NULL) free (d);
-free (u);
}
+
+
+#endif /*!MACRO_PREDEF*/
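Review bot: `d` in spa_build_auth_response is now dead. It is still declared (`uschar * d = NULL;`) and assigned in `domain = d = string_copy(...)`, but its only reader, `if (d != NULL) free (d);`, is removed here. Drop the variable and assign `domain` directly. A one-line comment on why the `string_copy()` results need no explicit release would also explain the removal of both `free()` calls.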
* All the code used here was torn by Marc Prud'hommeaux out of the
* Samba project (by Andrew Tridgell, Jeremy Allison, and others).
*/
+/* Copyright (c) The Exim Maintainers 2023 */
/* SPDX-License-Identifier: GPL-2.0-or-later */
/* December 2004: The spa_base64_to_bits() function has no length checking in
void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
int spa_base64_to_bits(char *, int, const char *);
-void spa_build_auth_response (SPAAuthChallenge *challenge,
- SPAAuthResponse *response, char *user, char *password);
-void spa_build_auth_request (SPAAuthRequest *request, char *user,
- char *domain);
+void spa_build_auth_response (SPAAuthChallenge * challenge,
+ SPAAuthResponse * response, uschar * user, uschar * password);
+void spa_build_auth_request (SPAAuthRequest * request, uschar * user,
+ uschar * domain);
extern void spa_smb_encrypt (unsigned char * passwd, unsigned char * c8,
unsigned char * p24);
extern void spa_smb_nt_encrypt (unsigned char * passwd, unsigned char * c8,
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2023 */
/* Copyright (c) University of Cambridge 1995 - 2012 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim Maintainers 2020 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
- * Copyright (c) The Exim Maintainers 2006 - 2022
+ * Copyright (c) The Exim Maintainers 2006 - 2023
* Copyright (c) 2004 Andrey Panin <pazke@donpac.ru>
* SPDX-License-Identifier: GPL-2.0-or-later
*
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2023 */
/* Copyright (c) Jeremy Harris 2019-2020 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
if (ob->server_param2)
{
uschar * s = expand_string(ob->server_param2);
- auth_vars[expand_nmax] = s;
+ auth_vars[expand_nmax = 1] = s;
expand_nstring[++expand_nmax] = s;
expand_nlength[expand_nmax] = Ustrlen(s);
if (ob->server_param3)
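Review bot: The assignment hidden in the subscript, `auth_vars[expand_nmax = 1] = s;`, is easy to misread as a comparison or to miss entirely, and the `++expand_nmax` on the next line depends on it. Set `expand_nmax` in a statement of its own before the stores, and add a comment saying why it is reset to 1 at this point, since the hunk does not show what value it held before.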
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim Maintainers 2020 - 2021 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2019 - 2022 */
+/* Copyright (c) The Exim Maintainers 2019 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim Maintainers 2020 - 2021 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim Maintainers 2020 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
SPAAuthChallenge challenge;
SPAAuthResponse response;
char msgbuf[2048];
-char *domain = NULL;
-char *username, *password;
+uschar * domain = NULL, * username, * password;
/* Code added by PH to expand the options */
*buffer = 0; /* Default no message when cancelled */
-if (!(username = CS expand_string(ob->spa_username)))
+if (!(username = expand_string(ob->spa_username)))
{
if (f.expand_string_forcedfail) return CANCELLED;
string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
return ERROR;
}
-if (!(password = CS expand_string(ob->spa_password)))
+if (!(password = expand_string(ob->spa_password)))
{
if (f.expand_string_forcedfail) return CANCELLED;
string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
}
if (ob->spa_domain)
- if (!(domain = CS expand_string(ob->spa_domain)))
+ if (!(domain = expand_string(ob->spa_domain)))
{
if (f.expand_string_forcedfail) return CANCELLED;
string_format(buffer, buffsize, "expansion of \"%s\" failed in %s "
DSPA("\n\n%s authenticator: using domain %s\n\n", ablock->name, domain);
-spa_build_auth_request(&request, CS username, domain);
+spa_build_auth_request(&request, username, domain);
spa_bits_to_base64(US msgbuf, US &request, spa_request_length(&request));
DSPA("\n\n%s authenticator: sending request (%s)\n\n", ablock->name, msgbuf);
DSPA("\n\n%s authenticator: challenge (%s)\n\n", ablock->name, buffer + 4);
spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));
-spa_build_auth_response(&challenge, &response, CS username, CS password);
+spa_build_auth_response(&challenge, &response, username, password);
spa_bits_to_base64(US msgbuf, US &response, spa_request_length(&response));
DSPA("\n\n%s authenticator: challenge response (%s)\n\n", ablock->name, msgbuf);
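Review bot: The context line `spa_base64_to_bits(CS (&challenge), sizeof(challenge), CCS (buffer + 4));` discards the function's `int` result, so nothing downstream knows how many bytes of the server's challenge were actually decoded. The bounds test added to get_challenge_str and get_challenge_unistr in this patch can therefore only compare against `sizeof(SPAAuthChallenge)`, and an offset that lies inside the struct but past the received bytes still passes. If the result is the decoded length, keep it, reject a failure value, and pass it to spa_build_auth_response as the limit.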
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) The Exim Maintainers 2022 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2009 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004, 2015 */
/* License: GPL */
/* SPDX-License-Identifier: GPL-2.0-or-later */
-/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
/* See the file NOTICE for conditions of use and distribution. */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) The Exim Maintainers 2022 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2018 - 2022 */
+/* Copyright (c) The Exim Maintainers 2018 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
-/* Copyright (c) University of Cambridge 1995 - 2023 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) Wolfgang Breyha 2005 - 2019
+/*
+ * Copyright (c) The Exim Maintainers 2015 - 2023
+ * Copyright (c) Wolfgang Breyha 2005 - 2019
* Vienna University Computer Center
* wbreyha@gmx.net
* See the file NOTICE for conditions of use and distribution.
*
- * Copyright (c) The Exim Maintainers 2015 - 2022
* SPDX-License-Identifier: GPL-2.0-or-later
*/
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2015 - 2022 */
+/* Copyright (c) The Exim Maintainers 2015 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge, 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) The Exim Maintainers 2022 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
+/* Check a pointer for being past the end of a dns answer.
+Exactly one past the end is defined as ok.
+Return TRUE iff bad.
+*/
+static BOOL
+dnsa_bad_ptr(const dns_answer * dnsa, const uschar * ptr)
+{
+return ptr > dnsa->answer + dnsa->answerlen;
+}
+
/* Increment the aptr in dnss, checking against dnsa length.
Return: TRUE for a bad result
*/
static BOOL
dnss_inc_aptr(const dns_answer * dnsa, dns_scan * dnss, unsigned delta)
{
-return (dnss->aptr += delta) >= dnsa->answer + dnsa->answerlen;
+return dnsa_bad_ptr(dnsa, dnss->aptr += delta);
}
/*************************************************
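Review bot: dnss_inc_aptr moves `dnss->aptr` by the untrusted `delta` first and only then hands the result to dnsa_bad_ptr, so `ptr > dnsa->answer + dnsa->answerlen` is evaluated on a pointer that may already lie well beyond the buffer. C defines pointer arithmetic only up to one past the end of the object, so the test belongs on lengths: compare `delta` with the bytes remaining between `dnss->aptr` and the end of the answer before moving the pointer. The change from `>=` to `>` is covered by the new comment; it should also say that a pointer exactly at the end must not be dereferenced by the caller.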
namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
dnss->aptr, (DN_EXPAND_ARG4_TYPE) &dnss->srr.name, DNS_MAXNAME);
if (namelen < 0) goto null_return;
+
/* skip name, type, class & TTL */
TRACE trace = "A-hdr";
if (dnss_inc_aptr(dnsa, dnss, namelen+8)) goto null_return;
+
+ if (dnsa_bad_ptr(dnsa, dnss->aptr + sizeof(uint16_t))) goto null_return;
GETSHORT(dnss->srr.size, dnss->aptr); /* size of data portion */
- /* skip over it */
+
+ /* skip over it, checking for a bogus size */
TRACE trace = "A-skip";
if (dnss_inc_aptr(dnsa, dnss, dnss->srr.size)) goto null_return;
}
TRACE trace = "R-name";
if (dnss_inc_aptr(dnsa, dnss, namelen)) goto null_return;
-GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */
+/* Check space for type, class, TTL & data-size-word */
+if (dnsa_bad_ptr(dnsa, dnss->aptr + 3 * sizeof(uint16_t) + sizeof(uint32_t)))
+ goto null_return;
+
+GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */
+
TRACE trace = "R-class";
-if (dnss_inc_aptr(dnsa, dnss, 2)) goto null_return; /* Don't want class */
-GETLONG(dnss->srr.ttl, dnss->aptr); /* TTL */
-GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */
-dnss->srr.data = dnss->aptr; /* The record's data follows */
+(void) dnss_inc_aptr(dnsa, dnss, sizeof(uint16_t)); /* skip class */
-/* Unchecked increment ok here since no further access on this iteration;
-will be checked on next at "R-name". */
+GETLONG(dnss->srr.ttl, dnss->aptr); /* TTL */
+GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */
+dnss->srr.data = dnss->aptr; /* The record's data follows */
-dnss->aptr += dnss->srr.size; /* Advance to next RR */
+/* skip over it, checking for a bogus size */
+if (dnss_inc_aptr(dnsa, dnss, dnss->srr.size))
+ goto null_return;
/* Return a pointer to the dns_record structure within the dns_answer. This is
for convenience so that the scans can use nice-looking for loops. */
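Review bot: The `(void)` cast on `dnss_inc_aptr(dnsa, dnss, sizeof(uint16_t)); /* skip class */` discards a bounds result without saying why that is safe. It is safe only because the `dnsa_bad_ptr(...)` test a few lines earlier already covers type, class, TTL and the size word. State that in the comment, or use a plain `dnss->aptr += sizeof(uint16_t);` so a reader does not go looking for a missing check.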
/* Skip the mname & rname strings */
if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
- p, (DN_EXPAND_ARG4_TYPE)discard_buf, 256)) < 0)
+ p, (DN_EXPAND_ARG4_TYPE)discard_buf, sizeof(discard_buf))) < 0)
break;
p += len;
if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
- p, (DN_EXPAND_ARG4_TYPE)discard_buf, 256)) < 0)
+ p, (DN_EXPAND_ARG4_TYPE)discard_buf, sizeof(discard_buf))) < 0)
break;
p += len;
/* Skip the SOA serial, refresh, retry & expire. Grab the TTL */
- if (p > dnsa->answer + dnsa->answerlen - 5 * INT32SZ)
+ if (dnsa_bad_ptr(dnsa, p + 5 * INT32SZ))
break;
p += 4 * INT32SZ;
GETLONG(ttl, p);
const uschar * p = rr->data;
/* Extract the numerical SRV fields (p is incremented) */
+ if (rr_bad_size(rr, 3 * sizeof(uint16_t))) continue;
GETSHORT(priority, p);
GETSHORT(dummy_weight, p);
GETSHORT(port, p);
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) Heiko Schlittermann 2016
+/*
+ * Copyright (c) The Exim Maintainers 2022 - 2023
+ * Copyright (c) Heiko Schlittermann 2016
* hs@schlittermann.de
- * Copyright (c) The Exim Maintainers 2022
* See the file NOTICE for conditions of use and distribution.
* SPDX-License-Identifier: GPL-2.0-or-later
*/
#! /bin/sh
+# Copyright (c) The Exim Maintainers 2023
# Copyright (c) University of Cambridge, 1995 - 2015
# See the file NOTICE for conditions of use and distribution.
+# SPDX-License-Identifier: GPL-2.0-or-later
# This script takes the following command line arguments:
# -l dir Log file directory
#! PERL_COMMAND
+# Copyright (c) The Exim Maintainers 2020 - 2023
+# Copyright (c) 2007-2017 University of Cambridge.
+# See the file NOTICE for conditions of use and distribution.
+# SPDX-License-Identifier: GPL-2.0-or-later
+
use warnings;
use strict;
BEGIN { pop @INC if $INC[-1] eq '.' };
use Getopt::Long qw(:config no_ignore_case);
use File::Basename;
-# Copyright (c) 2007-2017 University of Cambridge.
-# Copyright (c) The Exim Maintainers 2020 - 2021
-# See the file NOTICE for conditions of use and distribution.
-
# Except when they appear in comments, the following placeholders in this
# source are replaced when it is turned into a runnable script:
#
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
#! /bin/sh
+# Copyright (c) The Exim Maintainers 2023
# Copyright (c) University of Cambridge, 1995 - 2007
# See the file NOTICE for conditions of use and distribution.
+# SPDX-License-Identifier: GPL-2.0-or-later
# Except when they appear in comments, the following placeholders in this
# source are replaced when it is turned into a runnable script:
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
#!PERL_COMMAND -T
#
+# Copyright (c) The Exim Maintainers 2023
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
# Utility to convert an exim message-id to a human readable form
#
# https://bugs.exim.org/show_bug.cgi?id=2956
# Written by Andrew C Aitchison
#
-# Copyright (c) 2023 The Exim Maintainers 2023
-# SPDX-License-Identifier: GPL-2.0-or-later
-#
# Portions taken from exicyclog.src, which is
# Copyright (c) University of Cambridge, 1995 - 2015
# See the file NOTICE for conditions of use and distribution.
# The build process concatenates on the front of this various settings from
# os-specific files and from the user's configuration file.
+# Copyright (c) The Exim Maintainers 2023
# Copyright (c) 2004 - 2015 University of Cambridge.
# See the file NOTICE for conditions of use and distribution.
+# SPDX-License-Identifier: GPL-2.0-or-later
# Except when they appear in comments, the following placeholders in this
# source are replaced when it is turned into a runnable script:
#!PERL_COMMAND
+# Copyright (c) The Exim Maintainers 2023
# Copyright (c) 2001-2017 University of Cambridge.
# See the file NOTICE for conditions of use and distribution.
+# SPDX-License-Identifier: GPL-2.0-or-later
# Perl script to generate statistics from one or more Exim log files.
#! /bin/sh
+# Copyright (c) The Exim Maintainers 2023
# Copyright (c) University of Cambridge, 1995 - 2007
# See the file NOTICE for conditions of use and distribution.
#!PERL_COMMAND
+
+# Copyright (c) The Exim Maintainers 2023
# Copyright (c) 1995 - 2018 University of Cambridge.
# SPDX-License-Identifier: GPL-2.0-or-later
# See the file NOTICE for conditions of use and distribution.
if ($e =~ /^[a-zA-Z0-9]$/) {
opendir(DD, "$d/$e") || next;
foreach my $f (grep !/^\./, readdir(DD)) {
- push(@m, { message => $1, path => "$d/$e" }) if ($f =~ /^(.{16})-H$/);
+ push(@m, { message => $1, path => "$d/$e" }) if ($f =~ /^(.{23}|.{16})-H$/);
}
closedir(DD);
- } elsif ($e =~ /^(.{16})-H$/) {
+ } elsif ($e =~ /^(.{23}|.{16})-H$/) {
push(@m, { message => $1, path => $d });
}
}
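Review bot: The pattern `/^(.{23}|.{16})-H$/` now appears in both branches and still uses `.`, which accepts any character in a spool file name. Hoist it into a single `qr//` so the next change of id length touches one place, restrict it to the characters a message id can contain, and add a comment saying which id format each of the two lengths belongs to.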
#! /bin/sh
+# Copyright (c) The Exim Maintainers 2023
# Copyright (c) University of Cambridge, 1995 - 2007
# See the file NOTICE for conditions of use and distribution.
+# SPDX-License-Identifier: GPL-2.0-or-later
# Except when they appear in comments, the following placeholders in this
# source are replaced when it is turned into a runnable script:
case ECOND_ISIP:
case ECOND_ISIP4:
case ECOND_ISIP6:
- rc = string_is_ip_address(sub[0], NULL);
- *yield = ((cond_type == ECOND_ISIP)? (rc != 0) :
- (cond_type == ECOND_ISIP4)? (rc == 4) : (rc == 6)) == testfor;
+ {
+ const uschar *errp;
+ const uschar **errpp;
+ DEBUG(D_expand) errpp = &errp; else errpp = 0;
+ if (0 == (rc = string_is_ip_addressX(sub[0], NULL, errpp)))
+ DEBUG(D_expand) debug_printf("failed: %s\n", errp);
+
+ *yield = ( cond_type == ECOND_ISIP ? rc != 0 :
+ cond_type == ECOND_ISIP4 ? rc == 4 : rc == 6) == testfor;
+ }
+
break;
/* Various authentication tests - all optionally compiled */
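Review bot: `errp` is declared without an initialiser and is printed by `debug_printf("failed: %s\n", errp)` whenever string_is_ip_addressX returns 0, so the output relies on that function storing a message on every failure path. Initialise it (`const uschar * errp = NULL;`) and print a fallback when it is still NULL. Separately, `DEBUG(D_expand) errpp = &errp; else errpp = 0;` only compiles because DEBUG expands to an `if`, and the unbraced `if (0 == ...)` followed by another DEBUG is a dangling-else trap; a conditional expression for `errpp` and braces around the debug call would be clearer.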
goto EXPAND_FAILED_CURLY; /*}*/
}
+ DEBUG(D_expand) debug_printf_indent("%s: evaluate input list list\n", name);
if (!(list = expand_string_internal(s,
ESI_BRACE_ENDS | ESI_HONOR_DOLLAR | flags, &s, &resetok, NULL)))
goto EXPAND_FAILED; /*{{*/
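Review bot: Typo in the added debug string: `"%s: evaluate input list list\n"` repeats the word "list". Fix it before the message is copied into other debug lines.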
expand_string_message = US"missing '{' for second arg of reduce";
goto EXPAND_FAILED_CURLY; /*}*/
}
+ DEBUG(D_expand) debug_printf_indent("reduce: initial result list\n");
t = expand_string_internal(s,
ESI_BRACE_ENDS | ESI_HONOR_DOLLAR | flags, &s, &resetok, NULL);
if (!t) goto EXPAND_FAILED;
condition for real. For EITEM_MAP and EITEM_REDUCE, do the same, using
the normal internal expansion function. */
+ DEBUG(D_expand) debug_printf_indent("%s: find end of conditionn\n", name);
if (item_type != EITEM_FILTER)
temp = expand_string_internal(s,
ESI_BRACE_ENDS | ESI_HONOR_DOLLAR | ESI_SKIPPING, &s, &resetok, NULL);
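Review bot: Typo in the added debug string: `"%s: find end of conditionn\n"` has a doubled "n" in "condition".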
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
extern uschar *string_format_size(int, uschar *);
extern int string_interpret_escape(const uschar **);
extern int string_is_ip_address(const uschar *, int *);
+extern int string_is_ip_addressX(const uschar *, int *, const uschar **);
#ifdef SUPPORT_I18N
extern BOOL string_is_utf8(const uschar *);
#endif
store_free_3(dnsa, CCS func, line);
}
+
+/* Check for an RR being large enough. Return TRUE iff bad. */
+static inline BOOL
+rr_bad_size(const dns_record * rr, size_t minbytes)
+{
+return rr->size < minbytes;
+}
+
+/* Check for an RR having further data beyond a given pointer.
+Return TRUE iff bad. */
+static inline BOOL
+rr_bad_increment(const dns_record * rr, const uschar * ptr, size_t minbytes)
+{
+return rr_bad_size(rr, ptr - rr->data + minbytes);
+}
+
/******************************************************************************/
/* Routines with knowledge of spool layout */
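Review bot: rr_bad_size and rr_bad_increment validate only against `rr->size`, so they are sound only if `rr->size` itself has already been checked against the end of the DNS answer. The comments should name that precondition. In rr_bad_increment, `ptr - rr->data + minbytes` mixes a signed pointer difference with `size_t`; document that `ptr` must not be below `rr->data`, or assert it.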
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* Exim - an Internet mail transport agent
*
- * Copyright (c) The Exim Maintainers 2010 - 2022
+ * Copyright (c) The Exim Maintainers 2010 - 2023
* Copyright (c) University of Cambridge 1995 - 2009
* SPDX-License-Identifier: GPL-2.0-or-later
*
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
const uschar * s = rr->data; /* MUST be unsigned for GETSHORT */
uschar data[256];
+ if (rr_bad_size(rr, sizeof(uint16_t))) continue;
GETSHORT(precedence, s); /* Pointer s is advanced */
/* For MX records, we use a random "weight" which causes multiple records of
/* SRV records are specified with a port and a weight. The weight is used
in a special algorithm. However, to start with, we just use it to order the
records of equal priority (precedence). */
+
+ if (rr_bad_increment(rr, s, 2 * sizeof(uint16_t))) continue;
GETSHORT(weight, s);
GETSHORT(port, s);
}
+/* Copyright (c) The Exim Maintainers 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim Maintainers 2020 - 2021 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2020 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
uschar **errmsg where to put an error message if there is a problem
The yield of xxx_open() is a void * value representing the open file or
-database. For real files is is normally the FILE or DBM value. For other
+database. For real files it is normally the FILE or DBM value. For other
kinds of lookup, if there is no natural value to use, (-1) is recommended.
The value should not be NULL (or 0) as that is taken to indicate failure of
the xxx_open() function. For single-key lookups, the handle is cached along
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
if (type == T_TXT || type == T_SPF)
{
if (!outsep2) /* output only the first item of data */
- yield = string_catn(yield, US (rr->data+1), (rr->data)[0]);
+ {
+ uschar n = (rr->data)[0];
+ /* size byte + data bytes must not excced the RRs length */
+ if (n + 1 <= rr->size)
+ yield = string_catn(yield, US (rr->data+1), n);
+ }
else
for (unsigned data_offset = 0; data_offset < rr->size; )
{
uschar chunk_len = (rr->data)[data_offset];
+ int remain = rr->size - data_offset;
+
+ /* Apparently there are resolvers that do not check RRs before passing
+ them on, and glibc fails to do so. So every application must...
+ Check for chunk len exceeding RR */
+
+ if (chunk_len > remain)
+ chunk_len = remain;
+
if (*outsep2 && data_offset != 0)
yield = string_catn(yield, outsep2, 1);
- yield = string_catn(yield, US ((rr->data) + ++data_offset), chunk_len);
+ yield = string_catn(yield, US ((rr->data) + ++data_offset), --chunk_len);
data_offset += chunk_len;
}
}
else if (type == T_TLSA)
- {
- uint8_t usage, selector, matching_type;
- uint16_t payload_length;
- uschar s[MAX_TLSA_EXPANDED_SIZE];
- uschar * sp = s;
- uschar * p = US rr->data;
+ if (rr->size < 3)
+ continue;
+ else
+ {
+ uint8_t usage, selector, matching_type;
+ uint16_t payload_length;
+ uschar s[MAX_TLSA_EXPANDED_SIZE];
+ uschar * sp = s;
+ uschar * p = US rr->data;
+
+ usage = *p++;
+ selector = *p++;
+ matching_type = *p++;
+ /* What's left after removing the first 3 bytes above */
+ payload_length = rr->size - 3;
+ sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
+ selector, *outsep2, matching_type, *outsep2);
+ /* Now append the cert/identifier, one hex char at a time */
+ while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+ sp += sprintf(CS sp, "%02x", *p++);
- usage = *p++;
- selector = *p++;
- matching_type = *p++;
- /* What's left after removing the first 3 bytes above */
- payload_length = rr->size - 3;
- sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
- selector, *outsep2, matching_type, *outsep2);
- /* Now append the cert/identifier, one hex char at a time */
- while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
- sp += sprintf(CS sp, "%02x", *p++);
-
- yield = string_cat(yield, s);
- }
+ yield = string_cat(yield, s);
+ }
else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SOA, T_SRV */
{
int priority, weight, port;
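Review bot: In the multi-chunk TXT/SPF loop, `--chunk_len` is applied on every iteration, not only when the length was clamped to `remain`, so a well-formed chunk loses its last byte, and `data_offset += chunk_len` then lands on that byte and treats it as the next length. A zero-length chunk is worse: `chunk_len` is a `uschar`, so the decrement wraps to 255 and `string_catn` is asked to copy 255 bytes regardless of what is left in the RR. Because `remain` still counts the length byte, clamp against the bytes that follow it, for example `if (chunk_len > remain - 1) chunk_len = remain - 1;`, and pass `chunk_len` undecremented. In the first-item branch, `(rr->data)[0]` is read before anything establishes `rr->size >= 1`; test the size first. Typo in the new comment: "excced".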
switch (type)
{
case T_MXH:
+ if (rr_bad_size(rr, sizeof(u_int16_t))) continue;
/* mxh ignores the priority number and includes only the hostnames */
GETSHORT(priority, p);
break;
case T_MX:
+ if (rr_bad_size(rr, sizeof(u_int16_t))) continue;
GETSHORT(priority, p);
sprintf(CS s, "%d%c", priority, *outsep2);
yield = string_cat(yield, s);
break;
case T_SRV:
+ if (rr_bad_size(rr, 3*sizeof(u_int16_t))) continue;
GETSHORT(priority, p);
GETSHORT(weight, p);
GETSHORT(port, p);
break;
case T_CSA:
+ if (rr_bad_size(rr, 3*sizeof(u_int16_t))) continue;
/* See acl_verify_csa() for more comments about CSA. */
GETSHORT(priority, p);
GETSHORT(weight, p);
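Review bot: The new `rr_bad_size()` guards in this `switch` drop a short record with a bare `continue`, so a malformed MX, SRV or CSA answer vanishes from the lookup result with nothing in the debug output to say why; a debug line naming the type and `rr->size` would make these cases diagnosable. Style: these checks spell the type `u_int16_t`, while the SRV check earlier in the patch uses `uint16_t`; pick one spelling.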
if (type == T_SOA && outsep2 != NULL)
{
- unsigned long serial, refresh, retry, expire, minimum;
+ unsigned long serial = 0, refresh = 0, retry = 0, expire = 0, minimum = 0;
p += rc;
yield = string_catn(yield, outsep2, 1);
else yield = string_cat(yield, s);
p += rc;
- GETLONG(serial, p); GETLONG(refresh, p);
- GETLONG(retry, p); GETLONG(expire, p); GETLONG(minimum, p);
+ if (!rr_bad_increment(rr, p, 5 * sizeof(u_int32_t)))
+ {
+ GETLONG(serial, p); GETLONG(refresh, p);
+ GETLONG(retry, p); GETLONG(expire, p); GETLONG(minimum, p);
+ }
sprintf(CS s, "%c%lu%c%lu%c%lu%c%lu%c%lu",
*outsep2, serial, *outsep2, refresh,
*outsep2, retry, *outsep2, expire, *outsep2, minimum);
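Review bot: When `rr_bad_increment()` rejects the SOA tail, the `sprintf` that follows still runs and prints the five counters as the zeros they were initialised to, so a truncated record is reported as a SOA with serial, refresh, retry, expire and minimum all 0. A caller cannot tell that apart from real data. Omitting the numeric fields, or skipping the record with `continue` as the other types now do, would be safer than emitting placeholder values.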
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2009 */
-/* Copyright (c) The Exim Maintainers 2020 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) The Exim Maintainers 2021 - 2023 */
/* Copyright (c) Jeremy Harris 2020 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2023 */
/* Copyright (c) University of Cambridge 1995 - 2015 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) Jeremy Harris 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2021 - 2023 */
/* Copyright (c) Jeremy Harris 2017 - 2018 */
-/* Copyright (c) The Exim Maintainers 2021 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
*************************************************/
/*
- * Copyright (c) The Exim Maintainers 2015 - 2022
+ * Copyright (c) The Exim Maintainers 2015 - 2023
* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
* License: GPL
* SPDX-License-Identifier: GPL-2.0-or-later
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
*************************************************/
/*
- * Copyright (c) The Exim Maintainers 2015 - 2022
+ * Copyright (c) The Exim Maintainers 2015 - 2023
* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2015
* License: GPL
* SPDX-License-Identifier: GPL-2.0-or-later
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) The Exim Maintainers 2021 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
/*
* PDKIM - a RFC4871 (DKIM) implementation
*
- * Copyright (c) The Exim Maintainers 2021 - 2022
- * Copyright (C) 2009 - 2016 Tom Kistner <tom@duncanthrax.net>
+ * Copyright (c) The Exim Maintainers 2021 - 2023
* Copyright (C) 2016 - 2020 Jeremy Harris <jgh@exim.org>
+ * Copyright (C) 2009 - 2016 Tom Kistner <tom@duncanthrax.net>
* SPDX-License-Identifier: GPL-2.0-or-later
*
* http://duncanthrax.net/pdkim/
/*
* PDKIM - a RFC4871 (DKIM) implementation
- * Copyright (c) The Exim Maintainers 1995 - 2022
+ * Copyright (c) The Exim Maintainers 1995 - 2023
* SPDX-License-Identifier: GPL-2.0-or-later
*
* signing/verification interface
-/* Copyright (c) The Exim Maintainers 2022 */
+/*************************************************
+* Exim - an Internet mail transport agent *
+*************************************************/
+
+/* Copyright (c) The Exim Maintainers 2022 - 2023 */
/* SPDX-License-Identifier: GPL-2.0-or-later */
#include "exim.h"
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
*************************************************/
/*
- * Copyright (c) The Exim Maintainers 2016 - 2022
+ * Copyright (c) The Exim Maintainers 2016 - 2023
* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003-2015
* License: GPL
* SPDX-License-Identifier: GPL-2.0-or-later
*************************************************/
/*
- * Copyright (c) The Exim Maintainers 2022
+ * Copyright (c) The Exim Maintainers 2022 - 2023
* License: GPL
* SPDX-License-Identifier: GPL-2.0-or-later
*/
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) The Exim Maintainers 2021 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2023 */
/* Copyright (c) University of Cambridge 1995 - 2009 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2015 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
*************************************************/
/*
- * Copyright (c) The Exim Maintainers 2016 - 2022
+ * Copyright (c) The Exim Maintainers 2016 - 2023
* Copyright (c) Michael Haardt 2003 - 2015
* See the file NOTICE for conditions of use and distribution.
* SPDX-License-Identifier: GPL-2.0-or-later
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
*************************************************/
/* SPF support.
- Copyright (c) The Exim Maintainers 2015 - 2022
+ Copyright (c) The Exim Maintainers 2015 - 2023
Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
License: GPL
SPDX-License-Identifier: GPL-2.0-or-later
.hook = NULL, /* misc information */
.source = spf_dns_server
};
-int dns_rc;
DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);
return spfrr;
}
-switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
+switch (dns_lookup(dnsa, US domain, rr_type, NULL))
{
- case DNS_SUCCEED: srr.herrno = NETDB_SUCCESS; break;
case DNS_AGAIN: srr.herrno = TRY_AGAIN; break;
case DNS_NOMATCH: srr.herrno = HOST_NOT_FOUND; break;
case DNS_NODATA: srr.herrno = NO_DATA; break;
case DNS_FAIL:
default: srr.herrno = NO_RECOVERY; break;
+ case DNS_SUCCEED:
+ srr.herrno = NETDB_SUCCESS;
+ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+ rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+ /* Need to alloc space for all records, so no early-out */
+ if (rr->type == rr_type) found++;
+ break;
}
-for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
- rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
- if (rr->type == rr_type) found++;
-
if (found == 0)
{
SPF_dns_rr_dup(&spfrr, &srr);
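Review bot: `case DNS_SUCCEED:` now sits after the `default:` label in this `switch`. That is legal C, but it reads as though success were one of the fall-back arms; keeping `DNS_SUCCEED` as the first case with the counting loop inside it, and `default:` last, would be easier to follow. Also, `found` counts every record whose type matches, while the size checks added further down skip some of those records with `continue`; please confirm that whatever is sized from `found` tolerates fewer entries being filled than were counted.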
switch(rr_type)
{
case T_MX:
+ if (rr->size < 2) continue;
s += 2; /* skip the MX precedence field */
case T_PTR:
{
gstring * g = NULL;
uschar chunk_len;
+ if (rr->size < 1+6) continue; /* min for version str */
if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
{
HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
continue;
}
- for (int off = 0; off < rr->size; off += chunk_len)
+ /* require 1 byte for the chunk_len */
+ for (int off = 0; off < rr->size - 1; off += chunk_len)
{
- if (!(chunk_len = s[off++])) break;
+ if ( !(chunk_len = s[off++])
+ || rr->size < off + chunk_len /* ignore bogus size chunks */
+ ) break;
g = string_catn(g, s+off, chunk_len);
}
if (!g)
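Review bot: In the chunk loop, a length byte that overruns the record hits `break`, which keeps whatever was already appended to `g`, so a malformed TXT record is handed on as a truncated SPF string instead of being rejected. A policy cut short can evaluate differently from the one the domain published, so on a bogus chunk discard `g` and skip the record, ideally with a debug line like the existing "not an spf record" one. The `rr->size < 1+6` guard keeps the `strncmpic` on `rr->data+1` in bounds, but nothing checks that the first length byte is itself at least 6.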
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
+/*
+ * Copyright (c) The Exim Maintainers 2016 - 2023
+ * Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
* License: GPL
- * Copyright (c) The Exim Maintainers 2016 - 2021
* SPDX-License-Identifier: GPL-2.0-or-later
*/
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim maintainers 2019 - 2022 */
+/* Copyright (c) The Exim maintainers 2019 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
maskptr NULL if no mask is permitted to follow
otherwise, points to an int where the offset of '/' is placed
if there is no / followed by trailing digits, *maskptr is set 0
+ errp NULL if no diagnostic information is required, and if the netmask
+ length should not be checked. Otherwise it is set pointing to a short
+ descriptive text.
Returns: 0 if the string is not a textual representation of an IP address
4 if it is an IPv4 address
6 if it is an IPv6 address
+
+The legacy string_is_ip_address() function follows below.
*/
int
-string_is_ip_address(const uschar *s, int *maskptr)
+string_is_ip_addressX(const uschar * ip_addr, int * maskptr, const uschar ** errp)
{
-int yield = 4;
+uschar * slash, * percent, * endp = NULL;
+long int mask = 0;
+const uschar * addr = NULL;
+int af;
+union { /* we do not need this, but inet_pton() needs a place for storage */
+ struct in_addr sa4;
+ struct in6_addr sa6;
+} sa;
+
+/* If there is a slash, but we didn't request a (optional) netmask,
+we return failure, as we do if the mask isn't a pure numerical value,
+or if it is negative. The actual length is checked later, once we know
+the address family. */
+if (slash = Ustrchr(ip_addr, '/'))
+ {
+ uschar * rest;
-/* If an optional mask is permitted, check for it. If found, pass back the
-offset. */
+ if (!maskptr)
+ {
+ if (errp) *errp = US"netmask found, but not requested";
+ return 0;
+ }
-if (maskptr)
- {
- const uschar *ss = s + Ustrlen(s);
- *maskptr = 0;
- if (s != ss && isdigit(*(--ss)))
+ mask = Ustrtol(slash+1, &rest, 10);
+ if (*rest || mask < 0)
{
- while (ss > s && isdigit(ss[-1])) ss--;
- if (ss > s && *(--ss) == '/') *maskptr = ss - s;
+ if (errp) *errp = US"netmask not numeric or <0";
+ return 0;
}
+
+ *maskptr = slash - ip_addr; /* offset of the slash */
+ endp = slash;
}
+else if (maskptr) *maskptr = 0; /* no slash found */
-/* A colon anywhere in the string => IPv6 address */
+/* The interface-ID suffix (%<id>) is optional (for IPv6). If it
+exists, we check it syntactically. Later, if we know the address
+family is IPv4, we might reject it.
+The interface-ID is mutually exclusive with the netmask, to the
+best of my knowledge. */
-if (Ustrchr(s, ':') != NULL)
+if (percent = Ustrchr(ip_addr, '%'))
{
- BOOL had_double_colon = FALSE;
- BOOL v4end = FALSE;
-
- yield = 6;
-
- /* An IPv6 address must start with hex digit or double colon. A single
- colon is invalid. */
-
- if (*s == ':' && *(++s) != ':') return 0;
-
- /* Now read up to 8 components consisting of up to 4 hex digits each. There
- may be one and only one appearance of double colon, which implies any number
- of binary zero bits. The number of preceding components is held in count. */
-
- for (int count = 0; count < 8; count++)
+ if (slash)
{
- /* If the end of the string is reached before reading 8 components, the
- address is valid provided a double colon has been read. This also applies
- if we hit the / that introduces a mask or the % that introduces the
- interface specifier (scope id) of a link-local address. */
-
- if (*s == 0 || *s == '%' || *s == '/') return had_double_colon ? yield : 0;
-
- /* If a component starts with an additional colon, we have hit a double
- colon. This is permitted to appear once only, and counts as at least
- one component. The final component may be of this form. */
-
- if (*s == ':')
- {
- if (had_double_colon) return 0;
- had_double_colon = TRUE;
- s++;
- continue;
- }
-
- /* If the remainder of the string contains a dot but no colons, we
- can expect a trailing IPv4 address. This is valid if either there has
- been no double-colon and this is the 7th component (with the IPv4 address
- being the 7th & 8th components), OR if there has been a double-colon
- and fewer than 6 components. */
-
- if (Ustrchr(s, ':') == NULL && Ustrchr(s, '.') != NULL)
+ if (errp) *errp = US"interface-ID and netmask are mutually exclusive";
+ return 0;
+ }
+ for (uschar *p = percent+1; *p; p++)
+ if (!isalnum(*p) && !ispunct(*p))
{
- if ((!had_double_colon && count != 6) ||
- (had_double_colon && count > 6)) return 0;
- v4end = TRUE;
- yield = 6;
- break;
+ if (errp) *errp = US"interface-ID must match [[:alnum:][:punct:]]";
+ return 0;
}
+ endp = percent;
+ }
- /* Check for at least one and not more than 4 hex digits for this
- component. */
-
- if (!isxdigit(*s++)) return 0;
- if (isxdigit(*s) && isxdigit(*(++s)) && isxdigit(*(++s))) s++;
-
- /* If the component is terminated by colon and there is more to
- follow, skip over the colon. If there is no more to follow the address is
- invalid. */
+/* inet_pton() can't parse netmasks and interface IDs, so work on a shortened copy
+allocated on the current stack */
- if (*s == ':' && *(++s) == 0) return 0;
+if (endp)
+ {
+ ptrdiff_t l = endp - ip_addr;
+ if (l > 255)
+ {
+ if (errp) *errp = US"rudiculous long ip address string";
+ return 0;
}
+ addr = string_copyn(ip_addr, l);
+ }
+else
+ addr = ip_addr;
- /* If about to handle a trailing IPv4 address, drop through. Otherwise
- all is well if we are at the end of the string or at the mask or at a percent
- sign, which introduces the interface specifier (scope id) of a link local
- address. */
-
- if (!v4end)
- return (*s == 0 || *s == '%' ||
- (*s == '/' && maskptr != NULL && *maskptr != 0))? yield : 0;
+af = Ustrchr(addr, ':') ? AF_INET6 : AF_INET;
+if (!inet_pton(af, CCS addr, &sa))
+ {
+ if (errp) *errp = af == AF_INET6 ? US"IP address string not parsable as IPv6"
+ : US"IP address string not parsable IPv4";
+ return 0;
}
-/* Test for IPv4 address, which may be the tail-end of an IPv6 address. */
+/* we do not check the values of the mask here, as
+this is done on the callers side (but I don't understand why), so
+actually I'd like to do it here, but it breaks at least testcase 0002 */
-for (int i = 0; i < 4; i++)
+switch (af)
{
- long n;
- uschar * end;
-
- if (i != 0 && *s++ != '.') return 0;
- n = strtol(CCS s, CSS &end, 10);
- if (n > 255 || n < 0 || end <= s || end > s+3) return 0;
- s = end;
+ case AF_INET6:
+ if (errp && mask > 128)
+ {
+ *errp = US"IPv6 netmask value must not be >128";
+ return 0;
+ }
+ return 6;
+ case AF_INET:
+ if (percent)
+ {
+ if (errp) *errp = US"IPv4 address string must not have an interface-ID";
+ return 0;
+ }
+ if (errp && mask > 32)
+ {
+ *errp = US"IPv4 netmask value must not be >32";
+ return 0;
+ }
+ return 4;
+ default:
+ if (errp) *errp = US"unknown address family (should not happen)";
+ return 0;
}
+}
+
-return !*s || (*s == '/' && maskptr && *maskptr != 0) ? yield : 0;
+int
+string_is_ip_address(const uschar * ip_addr, int * maskptr)
+{
+return string_is_ip_addressX(ip_addr, maskptr, 0);
}
+
#endif /* COMPILE_UTILITY */
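Review bot: The netmask parse in `string_is_ip_addressX()` accepts an empty mask: for input such as `10.0.0.0/`, `Ustrtol(slash+1, &rest, 10)` consumes nothing, returns 0 and leaves `rest` at the terminating NUL, so `if (*rest || mask < 0)` passes and `*maskptr` is set. strtol-style parsing also skips leading whitespace and accepts a `+` sign, which the removed digit scan did not. Require `rest != slash+1` and that `slash[1]` is a digit. The range checks `if (errp && mask > 128)` and `if (errp && mask > 32)` run only when the caller asks for diagnostics, so the legacy `string_is_ip_address()` wrapper, which passes 0, never bounds the mask; the header comment documents this, but tying validation to an error-message pointer is easy to misuse and a separate flag would be clearer. `!inet_pton(...)` would treat a -1 return as a successful parse; compare against 1 instead. Wording nits in the messages: "rudiculous", and "not parsable IPv4" is missing "as".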
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* Copyright (c) Phil Pennock 2012 */
/* See the file NOTICE for conditions of use and distribution. */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2019 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
Separately we might try to replace using OCSP_basic_verify() - which seems to not
be a public interface into the OpenSSL library (there's no manual entry) -
-(in 3.0.0 + is is public)
+(in 3.0.0 + it is public)
But what with? We also use OCSP_basic_verify in the client stapling callback.
And there we NEED it; we must verify that status... unless the
library does it for us anyway? */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2022 */
+/* Copyright (c) The Exim Maintainers 2022 - 2023 */
/* Copyright (c) Jeremy Harris 2014 - 2019 */
/* SPDX-License-Identifier: GPL-2.0-or-later */
#! PERL_COMMAND
+# Copyright (c) The Exim Maintainers 2023
+# See the file NOTICE for conditions of use and distribution.
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+
# This is a Perl script to demonstrate the possibilities of on-the-fly
# delivery filtering in Exim. It is presented with a message on its standard
# input, and must copy it to the standard output, transforming it as it
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim maintainers 2020 - 2022 */
+/* Copyright (c) The Exim maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2020 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim maintainers 2020 - 2022 */
+/* Copyright (c) The Exim maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
-/* Copyright (c) The Exim Maintainers 2020 - 2021 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2021 - 2022 */
+/* Copyright (c) The Exim Maintainers 2021 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2015 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
Argument:
s string to add
- addr the address is is a duplicate of
+ addr the address it is a duplicate of
Returns: nothing
*/
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) The Exim Maintainers 2020 - 2023 */
/* Copyright (c) University of Cambridge 1995 - 2023 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
#use strict;
use v5.10.1;
use warnings;
-use if $^V >= v5.19.11, experimental => 'smartmatch';
use Errno;
use FileHandle;
print "Exim binary is `$parm_exim'\n" if defined $parm_exim;
+my %wanted;
my @wanted = sort numerically uniq
@tests_wanted ? @tests_wanted : (),
@range_wanted ? $range_wanted[0] .. $range_wanted[1] : (),
0+$ARGV[0]..0+$ARGV[1] # add 0 to cope with test numbers starting with zero
: ();
@wanted = 1..TEST_TOP if not @wanted;
+map { $wanted{sprintf("%04d",$_)}= $_; } @wanted;
##################################################
# Check for sudo access to root #
# We want the tests from this subdirectory, provided they are in the
# range that was selected.
- @testlist = grep { $_ ~~ @wanted } grep { /^\d+(?:\.\d+)?$/ } map { basename $_ } glob "scripts/$testdir/*";
+ undef @testlist;
+ map { push @testlist, $_ if exists $wanted{$_} } grep { /^\d+(?:\.\d+)?$/ } map { basename $_ } glob "scripts/$testdir/*";
tests_exit(-1, "Failed to read test scripts from `scripts/$testdir/*': $!")
if not @testlist;
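Review bot: The replacement for the smartmatch filter uses `map` in void context purely for its `push` side effect, preceded by `undef @testlist;`. A plain `grep` expresses the same selection in one assignment: `@testlist = grep { exists $wanted{$_} } grep { /^\d+(?:\.\d+)?$/ } map { basename $_ } glob "scripts/$testdir/*";`. The same applies to `map { $wanted{sprintf("%04d",$_)}= $_; } @wanted;`, which reads better as a `for` loop. The `%04d` keys also mean a script is selected only when its file name is exactly the zero-padded four-digit number, whereas the old `~~` test compared against the numbers in `@wanted` directly; a comment stating that assumption would help.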
gei: ${if gei{ABC}{abc}{y}{n}}
isip: ${if isip {1.2.3.4}{y}{n}} 1.2.3.4
+isip: ${if isip {1.2.3}{y}{n}} 1.2.3
isip4: ${if isip4{1.2.3.4}{y}{n}} 1.2.3.4
isip6: ${if isip6{1.2.3.4}{y}{n}} 1.2.3.4
isip: ${if isip {::1.2.3.256}{y}{n}} ::1.2.3.256
isip: ${if isip {rhubarb}{y}{n}} rhubarb
isip4: ${if isip4{rhubarb}{y}{n}} rhubarb
isip6: ${if isip6{rhubarb}{y}{n}} rhubarb
+isip6: ${if isip6{::/100}{y}{n}} ::/100
+isip6: ${if isip6{::/foo}{y}{n}} ::/foo
+isip6: ${if isip6{::/f o}{y}{n}} ::/f o
match: ${if match{abcd}{\N^([ab]+)(\w+)$\N}{$2$1}fail}
match: ${if match{abcd}{^\N([ab]+)(\w+)$\N}{$2$1}fail}
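Review bot: The three new `isip6` cases containing a `/` all expect `n`, including `::/100`, which is a valid prefix length, so they only show that this condition rejects any mask; none of them reaches the new numeric or range checks. Cases for an address with an interface-ID suffix (`%`), and for a mask-permitting caller given an empty, non-numeric and out-of-range mask, would cover the paths the rewrite actually adds.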
> gei: y
>
> isip: y 1.2.3.4
+> isip: n 1.2.3
> isip4: y 1.2.3.4
> isip6: n 1.2.3.4
> isip: n ::1.2.3.256
> isip: n rhubarb
> isip4: n rhubarb
> isip6: n rhubarb
+> isip6: n ::/100
+> isip6: n ::/foo
+> isip6: n ::/f o
>
> match: cdab
> match: cdab