Jeremy Harris [Wed, 7 May 2014 19:46:49 +0000 (20:46 +0100)]
Make $tls_out_ocsp visible to TPDA (mostly testsuite)
Jeremy Harris [Thu, 8 May 2014 22:29:35 +0000 (23:29 +0100)]
Certificate-related routines only present when TLS is supported
Jeremy Harris [Thu, 8 May 2014 19:38:46 +0000 (20:38 +0100)]
Enable operator md5 and sha1 use on certificate variables. Bug 1170
Jeremy Harris [Tue, 6 May 2014 13:44:21 +0000 (14:44 +0100)]
OCSP observability: variables $tls_{in,out}_ocsp
and smtp transport option hosts_request_ocsp
Jeremy Harris [Tue, 6 May 2014 07:44:59 +0000 (08:44 +0100)]
Refactor tls_client_init interface
Jeremy Harris [Mon, 5 May 2014 15:53:48 +0000 (16:53 +0100)]
Extractors for subject-alternate-name, ocsp-uri, crl-uri return list. Bug 1358
Jeremy Harris [Sun, 4 May 2014 17:28:51 +0000 (18:28 +0100)]
Fix build with OpenSSL on earlier versions.
Centos 6.5 and earlier had a build fail with GENERAL_NAME etc. undefined.
Just include the file defining it even if it's a duplicate on later versions.
Jeremy Harris [Sat, 3 May 2014 20:36:14 +0000 (21:36 +0100)]
More debug output
Jeremy Harris [Sat, 3 May 2014 17:08:19 +0000 (18:08 +0100)]
Restore testsuite operation on earlier GnuTLS libraries
Typo
Jeremy Harris [Sat, 3 May 2014 16:46:23 +0000 (17:46 +0100)]
Restore testsuite operation on earlier GnuTLS libraries
Jeremy Harris [Fri, 2 May 2014 17:50:34 +0000 (18:50 +0100)]
Certificate variables and field-extractor expansions. Bug 1358
Jeremy Harris [Thu, 1 May 2014 22:26:14 +0000 (23:26 +0100)]
Support dnssec in verify-callout use of smtp transport.
Use of dnslookup router support is already present.
Jeremy Harris [Tue, 29 Apr 2014 23:16:30 +0000 (00:16 +0100)]
Cancel in-progress or reject requeted cutthrough when fakereject. Bug 1475
Todd Lyons [Wed, 30 Apr 2014 00:07:04 +0000 (17:07 -0700)]
Merge branch 'master' of ssh://git.exim.org/home/git/exim
Heiko Schlichting [Tue, 2 Apr 2013 19:06:03 +0000 (21:06 +0200)]
Bug 1454: Option -oMm for message reference
Includes docs and test suite
Jeremy Harris [Sun, 27 Apr 2014 17:17:29 +0000 (18:17 +0100)]
Add options dnssec_request_domains, dnssec_require_domains to the smtp transport
Note there are no testsuite cases included.
TODO in this area:
- dnssec during verify-callouts
- dnssec on the forward lookup of a verify=helo and verify=reverse_host_lookup
Jeremy Harris [Thu, 24 Apr 2014 22:28:24 +0000 (23:28 +0100)]
Support OCSP Stapling under GnuTLS. Bug 1459
Requires GnuTLS version 3.1.3 or later.
Under EXPERIMENTAL_OCSP
Jeremy Harris [Thu, 24 Apr 2014 15:41:11 +0000 (16:41 +0100)]
Dnssec observability: add variable $lookup_dnssec_authenticated
Todd Lyons [Thu, 24 Apr 2014 14:54:36 +0000 (07:54 -0700)]
Fix typo in markup. Add .new/.wen.
Lars Timmann [Thu, 24 Apr 2014 00:03:06 +0000 (17:03 -0700)]
Bug 609: Add -C option to exiqgrep
Option is a passthrough to the exim process that it spawns that
generates the queue list.
Fixed Conflicts:
doc/doc-txt/ChangeLog
Jeremy Harris [Wed, 23 Apr 2014 23:49:56 +0000 (00:49 +0100)]
dnssec_strict, _lax, _never modifiers for dnsdb lookups
Lacking testsuite coverage
Heiko Schlichting [Wed, 23 Apr 2014 14:30:41 +0000 (07:30 -0700)]
Bug 1453: Add SERVERS ldap server list override
Todd Lyons [Wed, 23 Apr 2014 12:26:34 +0000 (05:26 -0700)]
Merge branch 'master' of git://git.exim.org/exim
Todd Lyons [Wed, 23 Apr 2014 12:25:54 +0000 (05:25 -0700)]
Make --verbose propogate to html generation script
Phil Pennock [Mon, 21 Apr 2014 23:42:21 +0000 (19:42 -0400)]
Merge remote-tracking branch 'github/pr/13'
(exiqgrep -a support)
mg [Mon, 21 Apr 2014 22:41:34 +0000 (00:41 +0200)]
exiqgrep: add -a to use all recipients (including delivered)
Jeremy Harris [Mon, 21 Apr 2014 15:50:46 +0000 (16:50 +0100)]
Updated GnuTLS error messages
Jeremy Harris [Mon, 21 Apr 2014 15:34:01 +0000 (16:34 +0100)]
Fix testcase "server missing/empty certificate file"
GnuTLS early versions (pre 3.0.0 ?) fail to send a reasonable
client-cert request when tls_verify_certificates is an empty file.
Since the test is for missing *server* certs (tls_certificate)
avoid this by pointing to a real (if non-verifying) cert in
tls_verify_certificates.
Jeremy Harris [Mon, 21 Apr 2014 12:07:17 +0000 (13:07 +0100)]
Fix DISABLE_DNSSEC build
Bad syntax possibly only affected some compilers.
Jeremy Harris [Sun, 20 Apr 2014 22:28:34 +0000 (23:28 +0100)]
Make testcase more robust vs. timing variations
by restricting operations and logging to fewer items of interest
Jeremy Harris [Sun, 20 Apr 2014 20:50:48 +0000 (21:50 +0100)]
Restore testsuite operation under gnuTLS 2.8.5
Jeremy Harris [Sun, 20 Apr 2014 19:53:32 +0000 (20:53 +0100)]
Update testsuite for gnuTLS 3.1.23
Jeremy Harris [Sun, 20 Apr 2014 15:44:52 +0000 (16:44 +0100)]
Add options dnssec_request_domains, dnssec_require_domains to the dnslookup router
Note there are no testsuite cases included.
TODO in this area:
- dnssec during verify-callouts
- dnssec during dnsdb expansions
- dnssec on the forward lookup of a verify=helo and verify=reverse_host_lookup
- observability of status of requested dnssec
Jeremy Harris [Sun, 20 Apr 2014 15:44:52 +0000 (16:44 +0100)]
Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455
The split of these variables into _in and _out sets introduced by d9b231
in 4.82 was incomplete, leaving the deprecated legacy variables nonfunctional
during a transport and associated client authenticator.
Fix by repointing the legacy set to the outbound connection set at
transport startup (and do not clear out the inbound set at this
time, either).
Todd Lyons [Sat, 19 Apr 2014 17:28:32 +0000 (10:28 -0700)]
Copyright year updates:
vim $(git whatchanged --since=2014-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/)
Todd Lyons [Thu, 17 Apr 2014 18:58:09 +0000 (11:58 -0700)]
Fix Proxy Protocol v2 handling
Change recv() to not use MSGPEEK and eliminated flush_input().
Add proxy_target_address/port expansions.
Convert ipv6 decoding to memmove().
Use sizeof() for variable sizing.
Correct struct member access.
Enhance debug output when passed invalid command/family.
Add to and enhance documentation.
Client script to test Proxy Protocol, interactive on STDIN/STDOUT,
so can be chained (ie a swaks pipe), useful for any service, not
just Exim and/or smtp.
Jeremy Harris [Fri, 18 Apr 2014 13:21:59 +0000 (14:21 +0100)]
Fix logging of nomail
When built with TLS support, non-TLS connections not resulting in mail transfer were crashing while
building a log line. Fix by not returning a non-extensible string from the routine added in
67d81c1.
Phil Pennock [Wed, 16 Apr 2014 06:25:45 +0000 (23:25 -0700)]
Bail configuration on missing package
If we're configured to use pkg-config (or pcre-config) and the tool is
not available or does not know about the package we ask for, that should
be a fatal configuration error.
We should not silently ignore the missing package, then try to compile,
and have missing header warnings from the compiler. Eg, if we're told
to support GSASL, we'll try to compile the client code, and without
compiler flags, we'll either fail to compile (missing headers) or fail
to link, which obscures the source of the errors.
This change will only break people who had builds set to have Exim
depend upon non-existent packages, and that _needs_ to break.
Phil Pennock [Wed, 16 Apr 2014 02:43:31 +0000 (19:43 -0700)]
Report OpenSSL build date too.
Adjust `-d -bV` output for OpenSSL to include library build date.
Some OS packagers have backported heartbleed security fixes without
changing anything in the reported version number. The closest we can
get to a reassuring sign for administrators is to report the OpenSSL
library build date, as picked by the library which Exim is using at run
time.
```
Library version: OpenSSL: Compile: OpenSSL 1.0.1g 7 Apr 2014
Runtime: OpenSSL 1.0.1g 7 Apr 2014
: built on: Mon Apr 7 15:08:30 PDT 2014
```
For comparison, the version information for OpenSSL on Ubuntu (where
Exim is by default built with GnuTLS, but this provides for context for
comparison):
```
$ openssl version -v -b
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014
```
GnuTLS: the closest I can find to a runtime value is the call we are
already making; if an OS vendor patches GnuTLS without changing the
version which would be returned by `gnutls_check_version(NULL)` then the
sysadmin is SOL and will have to explore library linkages more
carefully.
Todd Lyons [Tue, 15 Apr 2014 20:22:46 +0000 (13:22 -0700)]
Make dmarc code c89 compliant
Todd Lyons [Tue, 15 Apr 2014 20:10:59 +0000 (13:10 -0700)]
Add back deprecated SPF error conditions
Previous patch introduced a change that could break existing SPF
configurations. Add back the two non-standard "err_temp" and
"err_perm" result values, with note that it is deprecated and
will be removed in a future release.
Todd Lyons [Sat, 12 Apr 2014 17:42:52 +0000 (10:42 -0700)]
Add expansion for DMARC policy
New variable is $dmarc_domain_policy
Todd Lyons [Tue, 15 Apr 2014 16:53:43 +0000 (09:53 -0700)]
Merge branch 'master' of ssh://git.exim.org/home/git/exim
Fixed Conflicts:
doc/doc-txt/ChangeLog
Todd Lyons [Tue, 15 Apr 2014 16:52:22 +0000 (09:52 -0700)]
De-duplicate two documentation sections
Axel Rau [Mon, 14 Apr 2014 19:02:41 +0000 (20:02 +0100)]
Update ${utf8clean }. Bug 1401
Jeremy Harris [Sun, 13 Apr 2014 16:43:11 +0000 (17:43 +0100)]
Fix build for update on library component.
When, eg, the smtp transport is changed the transports library must be rebuilt.
Fix the main makefile to not assume that the date on the library .a is sufficient,
but always call the library subdir makefiles.
Jeremy Harris [Sun, 30 Mar 2014 20:48:32 +0000 (21:48 +0100)]
More care with headers add/remove lists. Bug 1452
As a side-effect, playing games with newlines no longer gives an altered message body/
Testcase 0324 is questionable (though passing)
Todd Lyons [Wed, 9 Apr 2014 16:11:21 +0000 (17:11 +0100)]
dnsdb tlsa lookup
Todd Lyons [Wed, 26 Mar 2014 23:05:13 +0000 (16:05 -0700)]
Print support for Experimental Proxy with -bV
Jeremy Harris [Sun, 23 Mar 2014 22:53:06 +0000 (22:53 +0000)]
Fix string_unprinting()
Jeremy Harris [Thu, 20 Mar 2014 20:09:08 +0000 (20:09 +0000)]
Future-proof OpenSSL version string. Bug 1421
Jeremy Harris [Wed, 19 Mar 2014 21:16:37 +0000 (21:16 +0000)]
Fix testcase for GnuTLS tls_require_ciphers
Jeremy Harris [Wed, 19 Mar 2014 20:14:24 +0000 (20:14 +0000)]
Docs for transport tls_verify_hosts &c.
Wolfgang Breyha [Tue, 18 Mar 2014 16:03:43 +0000 (16:03 +0000)]
Add tls_verify_hosts and tls_try_verify_hosts to smtp transport, GnuTLS.
Jeremy Harris [Wed, 19 Mar 2014 19:46:35 +0000 (19:46 +0000)]
Fix testsuite GnuTLS case for
511a6c1
Jeremy Harris [Tue, 18 Mar 2014 16:17:56 +0000 (16:17 +0000)]
Fix ACL "condition =" for negative number values. Bug 1005
Fix conditional "bool{<string>}" for negative number values, to match.
Heiko Schlittermann [Sun, 16 Mar 2014 22:29:59 +0000 (22:29 +0000)]
Enforce that only smtp transports can be used for verify callouts. Bug 1445
Jeremy Harris [Sun, 16 Mar 2014 17:22:56 +0000 (17:22 +0000)]
Support transport-added headers under cutthrough delivery. Bug 1431
Wolfgang Breyha [Sat, 15 Mar 2014 14:16:05 +0000 (14:16 +0000)]
Add tls_verify_hosts and tls_try_verify_hosts to smtp transport. Bug 1371
Code by Wolfgang Breyha, docs and testsuite by Jeremy Harris
Jeremy Harris [Sat, 15 Mar 2014 14:06:07 +0000 (14:06 +0000)]
Testcases
Jeremy Harris [Sat, 15 Mar 2014 12:29:31 +0000 (12:29 +0000)]
Add documentation
Jeremy Harris [Tue, 11 Mar 2014 16:24:50 +0000 (16:24 +0000)]
Fix DISABLE_DKIM build
Reported-by: heiko.schlichting@fu-berlin.de
Broken-in:
6e62c454 - jgh146exb@wizmail.org
Jeremy Harris [Sun, 9 Mar 2014 21:45:33 +0000 (21:45 +0000)]
Refactor malware.c and introduce new scanner type "sock". Bugs 1418 and 1396
Jeremy Harris [Sun, 9 Mar 2014 16:51:00 +0000 (16:51 +0000)]
Log port and TLS details for a failed delivery
Jeremy Harris [Sun, 9 Mar 2014 16:41:20 +0000 (16:41 +0000)]
Log incoming-TLS details on rejects. Bug 305
Jeremy Harris [Sun, 9 Mar 2014 21:05:59 +0000 (21:05 +0000)]
Fix docs for utf8clean
Axel Rau [Sat, 8 Mar 2014 20:59:24 +0000 (20:59 +0000)]
${utf8clean:string} expansion operator. Bug 1401
Jeremy Harris [Sat, 8 Mar 2014 18:50:16 +0000 (18:50 +0000)]
Expand documentation on use of dnslists in an IPv6 environment. Bug 1369
Todd Lyons [Fri, 7 Mar 2014 04:55:19 +0000 (20:55 -0800)]
Change strings of SPF result to conform to RFC 4408
Introduces a small backwards incompatible change to two results,
err_temp to temperror and err_perm to permerror.
Michael Fischer v. Mollard [Thu, 6 Mar 2014 02:19:24 +0000 (18:19 -0800)]
Code for verify=header_names_ascii
Documentation and test included.
Fixed Conflicts:
doc/doc-txt/ChangeLog
Wolfgang Breyha [Wed, 5 Mar 2014 19:33:04 +0000 (19:33 +0000)]
Support log_selector smtp_confirmation for the lmtp transport. Bug 1157
Phil Pennock [Sun, 2 Mar 2014 20:48:02 +0000 (15:48 -0500)]
Fix docs, `dns_dnssec_ok` not `dns_use_dnssec`
The variable rename in 4.82 PP/19 (commit
0fbd9bff) was incomplete, I
missed changing the documentation. :(
Jeremy Harris [Sat, 1 Mar 2014 17:02:43 +0000 (17:02 +0000)]
Fix parallel make. Bug 1446
from work by Heiko Schlittermann
Wolfgang Breyha [Wed, 26 Feb 2014 20:07:46 +0000 (20:07 +0000)]
Add tls_verify_hosts and tls_try_verify_hosts to smtp transport
Patch version 2
Jeremy Harris [Sun, 9 Feb 2014 21:03:27 +0000 (21:03 +0000)]
Fix build on systems having ipv6 but lacking an IPV6_TCLASS define (GNU Hurd). Bug 1441
By Samuel Thibault
Jeremy Harris [Sun, 26 Jan 2014 18:03:01 +0000 (18:03 +0000)]
Fix tls_verify_certificates in gnutls use. Bug 1413.
Patch by W.Breyha, tested by H.Schlittermann
Wolfgang Breyha [Tue, 14 Jan 2014 14:12:38 +0000 (06:12 -0800)]
Bugzilla 1433: Fix DMARC SEGV
Properly escape value passed to expand_string().
Check for NULL return from expand_string().
Phil Pennock [Tue, 7 Jan 2014 06:59:04 +0000 (01:59 -0500)]
Update copyright year in --version output
Phil Pennock [Tue, 7 Jan 2014 06:56:40 +0000 (01:56 -0500)]
Copyright year updates:
vi $(git whatchanged --since=2013-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/)
Did 2014 first, since otherwise every file I touched to update to 2013
would show as changed in 2014. Last invocation logged to git was during
2012. Will need to be more careful if auditing next year.
Phil Pennock [Tue, 7 Jan 2014 06:49:54 +0000 (01:49 -0500)]
Copyright year updates: 2014
vi $(git whatchanged --since=2014-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/)
Jeremy Harris [Sun, 5 Jan 2014 21:22:06 +0000 (21:22 +0000)]
Document (and enforce) that DKIM-signing is not supported in cobination with cutthrough routing
Jeremy Harris [Sun, 5 Jan 2014 17:54:41 +0000 (17:54 +0000)]
Documant the non-support of header manipulation in post-RCPT ACLs in combination with cuttrhough.
Add check and paniclog attempts to do so. Bug 1411 (WONTFIX).
Jeremy Harris [Sun, 5 Jan 2014 15:27:19 +0000 (15:27 +0000)]
Explicitly disable cutthrough on transports having filters
Jeremy Harris [Sun, 29 Dec 2013 19:10:05 +0000 (19:10 +0000)]
Explicitly disable cutthrough on transports having filters
Todd Lyons [Mon, 30 Dec 2013 23:02:21 +0000 (15:02 -0800)]
Proxy negotiation saves socket timeout values.
Rename proxy expansions conforming to Exim standards.
Update documentation to reflect rename.
Seperate restore socket function
Jeremy Harris [Sun, 27 Oct 2013 15:18:44 +0000 (15:18 +0000)]
Add ${listextract {n}{list}...}
Jeremy Harris [Sun, 15 Dec 2013 18:36:48 +0000 (18:36 +0000)]
Fix use of uninitialized variable
Jeremy Harris [Sun, 15 Dec 2013 22:17:42 +0000 (22:17 +0000)]
Increase test CA key sizes from 512 to 1024 to handle TLS1.2 digest sizes.
Jeremy Harris [Sat, 7 Dec 2013 13:34:42 +0000 (13:34 +0000)]
Clarify interaction of delay_warning and retry configuration.
Todd Lyons [Sat, 30 Nov 2013 19:31:21 +0000 (11:31 -0800)]
Proxy Protocol - Server support
Initial conf setting and expansions
Logging setting whether to record proxy host, off by default
Put PROXY processing before connect ACL
Fix incoming address logging
Add Proxy Protocol to ChangeLog
Set window for Proxy Protocol header to be sent
Update docs and EDITME.
Phil Pennock [Thu, 21 Nov 2013 01:16:02 +0000 (17:16 -0800)]
build: try to get dash/bash for sanity
The "local" builtin is not part of POSIX. We want it. Try harder to
get a vaguely sane shell, rather than just a POSIX shell.
Also, safeguard to error out more gracefully if invoked from outside the
build process.
Jeremy Harris [Wed, 20 Nov 2013 14:19:37 +0000 (14:19 +0000)]
Fix testsuite build on Solaris
As of s11, Solaris & derivatives need libsocket and libnsl. Ensure they are searched for
by autoconfig. This seems to be successfully ignored on Linux.
Credit to Dave Edmondson (dme@dme.org) for the fix.
Todd Lyons [Thu, 31 Oct 2013 16:42:15 +0000 (09:42 -0700)]
Fix ldap option setting.
Some client libs set a global context, newer client libs set a global
default which then needs to be reloaded.
Jeremy Harris [Tue, 12 Nov 2013 19:51:10 +0000 (19:51 +0000)]
Fix memory management vs acl-as-conditional, redux
Jeremy Harris [Sun, 10 Nov 2013 21:31:17 +0000 (21:31 +0000)]
Fix memory management vs. acl-as-conditional
Jeremy Harris [Sun, 10 Nov 2013 21:12:51 +0000 (21:12 +0000)]
Add commented-braces for ease of brace-matching editor use
Phil Pennock [Sun, 10 Nov 2013 10:16:27 +0000 (05:16 -0500)]
spec: TLS certificates: avoid MD5
Make it clearer in the spec, where talking about certificates, that MD5
in certs is a really Quite Bad idea.
Todd Lyons [Sat, 12 Oct 2013 16:42:31 +0000 (09:42 -0700)]
Bug 1334: AutoDetect compression type in exigrep
Does not use any extra perl modules.
Attempts hard coded types first, so no extra code for the standard
case.
Easy to add more compression types.
Tony Finch [Thu, 7 Nov 2013 16:26:33 +0000 (16:26 +0000)]
Portability fix for Solaris without xpg4 utilities
Tony Finch [Thu, 7 Nov 2013 16:25:51 +0000 (16:25 +0000)]
quickrelease: A dumb script for making source-only tarballs