Jeremy Harris [Thu, 29 Jul 2021 18:35:02 +0000 (19:35 +0100)]
Update comments in example config file to match current default for TLS
Jeremy Harris [Fri, 23 Jul 2021 11:08:02 +0000 (12:08 +0100)]
Docs: tidy variables lists
Jeremy Harris [Fri, 23 Jul 2021 11:05:49 +0000 (12:05 +0100)]
DKIM: fix build with older GnuTLS
Jeremy Harris [Thu, 22 Jul 2021 21:01:10 +0000 (22:01 +0100)]
TLS: fix tls_verify_certificates handling of "system"
A previous try at managing it for new-enough versions of GnuTLS actually
broke it for everything:
744170d4d3
Jeremy Harris [Thu, 22 Jul 2021 20:59:01 +0000 (21:59 +0100)]
Testsuite: output changes resulting
Broken-by: 9138b6973b
Jeremy Harris [Wed, 21 Jul 2021 08:38:25 +0000 (09:38 +0100)]
typo
Andreas Metzler [Wed, 21 Jul 2021 08:30:56 +0000 (09:30 +0100)]
Docs: enhance SPF description
Jeremy Harris [Tue, 20 Jul 2021 10:00:03 +0000 (11:00 +0100)]
Docs: remove extraneous file copy
Jeremy Harris [Sun, 18 Jul 2021 19:30:24 +0000 (20:30 +0100)]
typo
Jeremy Harris [Sun, 18 Jul 2021 18:23:52 +0000 (19:23 +0100)]
ALPN: not supported under LibreSSL
Jeremy Harris [Sun, 18 Jul 2021 16:34:31 +0000 (17:34 +0100)]
Fix no-TLS build
Broken-by: c4b4086235
Jeremy Harris [Sun, 18 Jul 2021 14:51:16 +0000 (15:51 +0100)]
ALPN: feature macro
Jeremy Harris [Sun, 18 Jul 2021 14:11:32 +0000 (15:11 +0100)]
typo
Broken-by: c4b4086235
Jeremy Harris [Sun, 18 Jul 2021 13:25:14 +0000 (14:25 +0100)]
typo
Broken-by: c4b4086235
Jeremy Harris [Sat, 17 Jul 2021 23:15:01 +0000 (00:15 +0100)]
TLS: ALPN options
Jeremy Harris [Sat, 17 Jul 2021 12:53:22 +0000 (13:53 +0100)]
Remove the must-helo check from the example config
given that there is now a default-set option and hard code (2f8e0a5f6b)
Heiko Schlittermann (HS12-RIPE) [Thu, 15 Jul 2021 20:55:05 +0000 (22:55 +0200)]
NewStuff typo
Jeremy Harris [Thu, 15 Jul 2021 20:05:27 +0000 (21:05 +0100)]
Docs: Clarify $acl_verify_message lifetime
Jeremy Harris [Mon, 12 Jul 2021 18:55:02 +0000 (19:55 +0100)]
Docs: fix formatting
Heiko Schlittermann (HS12-RIPE) [Sat, 10 Jul 2021 21:50:01 +0000 (23:50 +0200)]
Remove duplicate 4.95 section from NewStuff
Heiko Schlittermann (HS12-RIPE) [Sat, 10 Jul 2021 21:58:21 +0000 (23:58 +0200)]
Update OptionsList.txt
Heiko Schlittermann (HS12-RIPE) [Sat, 10 Jul 2021 21:49:35 +0000 (23:49 +0200)]
Fix various doc typos
Jeremy Harris [Sun, 11 Jul 2021 11:21:54 +0000 (12:21 +0100)]
GnuTLS: Fix certextract expansion
Jeremy Harris [Fri, 25 Jun 2021 14:23:38 +0000 (15:23 +0100)]
tidying
Jeremy Harris [Wed, 7 Jul 2021 21:19:07 +0000 (22:19 +0100)]
Fix tainted message for fakereject
Jeremy Harris [Fri, 2 Jul 2021 18:33:29 +0000 (19:33 +0100)]
Docs: additional possible result from spf check. Bug 2786
Jeremy Harris [Mon, 28 Jun 2021 21:17:22 +0000 (22:17 +0100)]
LibreSSL: TLS-write-shutdown does not push data
Jeremy Harris [Mon, 28 Jun 2021 18:49:00 +0000 (19:49 +0100)]
Readonly-config: not supported by Solaris 10
Broken-by: 753739fdef
Jeremy Harris [Mon, 28 Jun 2021 17:50:27 +0000 (18:50 +0100)]
Testsuite: munge for LibreSSL TLSv1.3
Jeremy Harris [Sun, 27 Jun 2021 23:35:57 +0000 (00:35 +0100)]
Merge branch 'readonly_config'
Jeremy Harris [Mon, 17 May 2021 21:13:21 +0000 (22:13 +0100)]
Doc note
Jeremy Harris [Mon, 17 May 2021 11:40:51 +0000 (12:40 +0100)]
gsasl authenticator: do not try to clear server password after use, if
from config text
Jeremy Harris [Sun, 16 May 2021 19:22:45 +0000 (20:22 +0100)]
Small config, with:
----Exit nonpool max: 18 kB in 8 blocks
----Exit npools max: 95 kB
----Exit pool 0 max: 12 kB in 2 blocks at order 13 untainted main
----Exit pool 1 max: 4 kB in 1 blocks at order 13 untainted perm
----Exit pool 2 max: 4 kB in 1 blocks at order 13 untainted config
----Exit pool 3 max: 4 kB in 1 blocks at order 13 untainted search
----Exit pool 4 max: 4 kB in 1 blocks at order 13 untainted message
----Exit pool 5 max: 4 kB in 1 blocks at order 13 tainted main
----Exit pool 6 max: 52 kB in 3 blocks at order 15 tainted perm
----Exit pool 7 max: 4 kB in 1 blocks at order 13 tainted config
----Exit pool 8 max: 4 kB in 1 blocks at order 13 tainted search
----Exit pool 9 max: 4 kB in 1 blocks at order 13 tainted message
Small config, without:
----Exit nonpool max: 18 kB in 8 blocks
----Exit npools max: 87 kB
----Exit pool 0 max: 12 kB in 2 blocks at order 13 untainted main
----Exit pool 1 max: 4 kB in 1 blocks at order 13 untainted perm
----Exit pool 2 max: 4 kB in 1 blocks at order 13 untainted search
----Exit pool 3 max: 4 kB in 1 blocks at order 13 untainted message
----Exit pool 4 max: 4 kB in 1 blocks at order 13 tainted main
----Exit pool 5 max: 52 kB in 3 blocks at order 15 tainted perm
----Exit pool 6 max: 4 kB in 1 blocks at order 13 tainted search
----Exit pool 7 max: 4 kB in 1 blocks at order 13 tainted message
Large config, with:
----Exit nonpool max: 17 kB in 30 blocks
----Exit npools max: 309 kB
----Exit pool 0 max: 124 kB in 5 blocks at order 17 untainted main
----Exit pool 1 max: 60 kB in 4 blocks at order 15 untainted perm
----Exit pool 2 max: 298 kB in 2 blocks at order 13 untainted config
----Exit pool 3 max: 12 kB in 2 blocks at order 13 untainted search
----Exit pool 4 max: 4 kB in 1 blocks at order 13 untainted message
----Exit pool 5 max: 60 kB in 4 blocks at order 15 tainted main
----Exit pool 6 max: 52 kB in 3 blocks at order 15 tainted perm
----Exit pool 7 max: 4 kB in 1 blocks at order 13 tainted config
----Exit pool 8 max: 4 kB in 1 blocks at order 13 tainted search
----Exit pool 9 max: 4 kB in 1 blocks at order 13 tainted message
Large config, without:
----Exit nonpool max: 212 kB in 30 blocks
----Exit npools max: 591 kB
----Exit pool 0 max: 508 kB in 7 blocks at order 19 untainted main
----Exit pool 1 max: 12 kB in 2 blocks at order 13 untainted perm
----Exit pool 2 max: 4 kB in 1 blocks at order 13 untainted search
----Exit pool 3 max: 4 kB in 1 blocks at order 13 untainted message
----Exit pool 4 max: 4 kB in 1 blocks at order 13 tainted main
----Exit pool 5 max: 52 kB in 3 blocks at order 15 tainted perm
----Exit pool 6 max: 4 kB in 1 blocks at order 13 tainted search
----Exit pool 7 max: 4 kB in 1 blocks at order 13 tainted message
Jeremy Harris [Sun, 16 May 2021 14:37:18 +0000 (15:37 +0100)]
paniclog sigsegv events
Jeremy Harris [Sun, 16 May 2021 12:22:20 +0000 (13:22 +0100)]
openssl config strings are immutable
Jeremy Harris [Sun, 16 May 2021 11:52:36 +0000 (12:52 +0100)]
Config lines are immutable during -bP config dump
Jeremy Harris [Sat, 15 May 2021 15:52:12 +0000 (16:52 +0100)]
autoreply never_mail strings are immutable
Jeremy Harris [Sat, 15 May 2021 15:32:57 +0000 (16:32 +0100)]
avoid modifying config text
Jeremy Harris [Sat, 15 May 2021 14:41:43 +0000 (15:41 +0100)]
smtp tpt fallback_hosts list must be mutable
Jeremy Harris [Sat, 15 May 2021 14:18:22 +0000 (15:18 +0100)]
acceptable log output change
Jeremy Harris [Sat, 15 May 2021 00:11:41 +0000 (01:11 +0100)]
hostlist for router fallback_hosts must be mutable
Jeremy Harris [Fri, 14 May 2021 23:48:40 +0000 (00:48 +0100)]
constification
Jeremy Harris [Fri, 14 May 2021 23:37:43 +0000 (00:37 +0100)]
avoid modifying source text in parse_forward_list()
Jeremy Harris [Fri, 14 May 2021 23:19:26 +0000 (00:19 +0100)]
avoid modifying source text, in appendfile
Jeremy Harris [Fri, 14 May 2021 23:03:01 +0000 (00:03 +0100)]
tree nodes for acls must be mutable
Jeremy Harris [Fri, 14 May 2021 23:01:27 +0000 (00:01 +0100)]
avoid modifying possible config text during :fail: delivery
Jeremy Harris [Fri, 14 May 2021 23:00:06 +0000 (00:00 +0100)]
copy transport struct for modifying for **bypassed** postprocess
Jeremy Harris [Fri, 14 May 2021 22:58:32 +0000 (23:58 +0100)]
use store_get_perm()
Jeremy Harris [Thu, 13 May 2021 21:19:10 +0000 (22:19 +0100)]
driver options blocks must be mutable
Jeremy Harris [Thu, 13 May 2021 20:59:25 +0000 (21:59 +0100)]
router instance must be mutable
Jeremy Harris [Thu, 13 May 2021 20:31:16 +0000 (21:31 +0100)]
namedlist_block has to be allocated mutably, to cache lookups
paniclog from 5 - subprocess crashes
Jeremy Harris [Mon, 10 May 2021 21:47:01 +0000 (22:47 +0100)]
first go. crashes in 0003
Jeremy Harris [Fri, 7 May 2021 12:09:12 +0000 (13:09 +0100)]
Suggestion from Qualys:
If I may add one more thing, there is an issue that should be addressed
sooner rather than later: the writable configuration at the beginning of
the heap. A short-term (and hopefully non-intrusive) solution may be to
mmap() the configuration instead, and then mprotect(PROT_READ) it. This
would mitigate the exploitation technique that almost all Exim exploits
have been using.
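The mitigation suggested in the commit message above, sketched as an added C example; it is not Exim's code and not part of the commit. The `ro_region` type, the function names and the sample config text are constructed for illustration, and the write probe runs in a forked child so the parent survives the fault.

```c
/* Added example (not Exim code): seal config text read-only after load. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct { char *base; size_t len; } ro_region;  /* hypothetical type */

/* Copy the text into its own page-aligned mapping, outside the heap. */
static int region_load(ro_region *r, const char *text)
{
  size_t page = (size_t)sysconf(_SC_PAGESIZE), need = strlen(text) + 1;
  r->len = (need + page - 1) / page * page;
  r->base = mmap(NULL, r->len, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (r->base == MAP_FAILED) return -1;
  memcpy(r->base, text, need);
  return 0;
}

/* After sealing, any store into the region faults instead of succeeding. */
static int region_seal(const ro_region *r)
{
  return mprotect(r->base, r->len, PROT_READ);
}

/* Try a one-byte overwrite in a forked child (the parent's copy is untouched).
   Returns 1 if the store succeeded, 0 if the child was killed, -1 on error. */
static int region_write_succeeds(const ro_region *r)
{
  int status;
  pid_t pid = fork();
  if (pid < 0) return -1;
  if (pid == 0) { ((volatile char *)r->base)[0] = '#'; _exit(0); }
  if (waitpid(pid, &status, 0) < 0) return -1;
  return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
  ro_region cfg;
  if (region_load(&cfg, "sample_option = constructed value\n") < 0) return 1;
  printf("before seal: write succeeds = %d\n", region_write_succeeds(&cfg));
  if (region_seal(&cfg) < 0) return 1;
  printf("after seal:  write succeeds = %d\n", region_write_succeeds(&cfg));
  return 0;
}
```

Anything that later needs to change in place has to live outside the sealed region, which is what the "must be mutable" commits in this log deal with.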
Jeremy Harris [Sun, 27 Jun 2021 23:29:09 +0000 (00:29 +0100)]
Fix Solaris 10 build, more
Jeremy Harris [Sun, 27 Jun 2021 20:15:45 +0000 (21:15 +0100)]
Fix Solaris 10 build, for intro of taintwarn
Broken-by: f9a3fcddba
Jeremy Harris [Sun, 27 Jun 2021 17:58:44 +0000 (18:58 +0100)]
TLS: track changing fd of file-watcher when creds are reloaded.
Broken-by: 5fd673807d
Heiko Schlittermann (HS12-RIPE) [Fri, 25 Jun 2021 08:02:47 +0000 (10:02 +0200)]
Merge branch 'hs/taintwarn'
This is a "forward" port of the taintwarn patches that are applied to
4.94.2+fixes.
Heiko Schlittermann (HS12-RIPE) [Wed, 16 Jun 2021 20:22:50 +0000 (22:22 +0200)]
Testsuite: Fix 608
Heiko Schlittermann (HS12-RIPE) [Sat, 15 May 2021 11:40:46 +0000 (13:40 +0200)]
Fix logging with build-time config and empty elements (Closes 2733)
(cherry picked from commit 66392b270e3a6c8202e4626d43bbc9b77545ae23)
Jeremy Harris [Sat, 15 May 2021 11:37:04 +0000 (13:37 +0200)]
Fix logging with empty element in log_file_path (Bug 2733)
(cherry picked from commit e19790f7707cc901435849e78d20f249056c16b5)
Heiko Schlittermann (HS12-RIPE) [Sun, 20 Jun 2021 17:02:59 +0000 (19:02 +0200)]
Revert "testsuite: adjust 622 for taintwarn"
This reverts commit 7ab3a6cd7fe7b033b5e267617f3be8a99b33db31.
Heiko Schlittermann (HS12-RIPE) [Sun, 25 Apr 2021 08:17:57 +0000 (10:17 +0200)]
testsuite: adjust 622 for taintwarn
(cherry picked from commit 460aac0eb9a289af1ab0f32a242a27dab851fa18)
Heiko Schlittermann (HS12-RIPE) [Sun, 25 Apr 2021 16:58:35 +0000 (18:58 +0200)]
Silence the compiler
(cherry picked from commit 33d5b8e8e4c2f23b4e834e3a095e3c9dd9f0686b)
Heiko Schlittermann (HS12-RIPE) [Fri, 23 Apr 2021 20:41:57 +0000 (22:41 +0200)]
Do not close the (main)_log, if we do not see a chance to open it again.
The process doing local deliveries runs as an unprivileged user. If this
process needs to log failures or warnings (as caused by the
is_tainting2() function), it can't re-open the main_log and just exits.
(cherry picked from commit 235c7030ee9ee1c1aad507786506a470b580bfe2)
Heiko Schlittermann (HS12-RIPE) [Fri, 23 Apr 2021 15:40:40 +0000 (17:40 +0200)]
Silence compiler
(cherry picked from commit 2c9869d0622cc690b424cc74166d4a8393017ece)
Heiko Schlittermann (HS12-RIPE) [Mon, 12 Apr 2021 07:19:21 +0000 (09:19 +0200)]
Heiko Schlittermann (HS12-RIPE) [Mon, 5 Apr 2021 14:06:24 +0000 (16:06 +0200)]
testsuite: add 0990 for allow_insecure_tainted_data
(cherry picked from commit 56213337357265eb42c40dd04a22f6ac433b9e81)
Heiko Schlittermann (HS12-RIPE) [Sat, 3 Apr 2021 07:29:13 +0000 (09:29 +0200)]
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:02:27 +0000 (22:02 +0200)]
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:42:38 +0000 (21:42 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sat, 3 Apr 2021 08:54:22 +0000 (10:54 +0200)]
Heiko Schlittermann (HS12-RIPE) [Fri, 2 Apr 2021 06:36:24 +0000 (08:36 +0200)]
rf_get_transport
(cherry picked from commit 015fff57c854184f8bce61476c46a2830a97daf8)
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:36:12 +0000 (21:36 +0200)]
lf_sqlperform
(cherry picked from commit 9810dfc25d8b9687b46e57963a3ac30bf5c9b2c9)
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:33:50 +0000 (21:33 +0200)]
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 19:28:59 +0000 (21:28 +0200)]
Heiko Schlittermann (HS12-RIPE) [Wed, 31 Mar 2021 21:12:44 +0000 (23:12 +0200)]
Heiko Schlittermann (HS12-RIPE) [Fri, 2 Apr 2021 15:30:27 +0000 (17:30 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 09:06:27 +0000 (11:06 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:59:46 +0000 (10:59 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:58:46 +0000 (10:58 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:50:14 +0000 (10:50 +0200)]
Heiko Schlittermann (HS12-RIPE) [Sun, 28 Mar 2021 08:49:49 +0000 (10:49 +0200)]
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:45:03 +0000 (22:45 +0200)]
Heiko Schlittermann (HS12-RIPE) [Thu, 1 Apr 2021 20:44:31 +0000 (22:44 +0200)]
Introduce main config option allow_insecure_tainted_data
This option is deprecated already now.
(cherry picked from commit ec06d64532e4952fc36429f73e0222d26997ef7c)
Jeremy Harris [Tue, 22 Jun 2021 22:42:24 +0000 (23:42 +0100)]
GnuTLS: fix build with older GnuTLS
The ALPN handling we need requires later features than the basic functions.
Broken-by: f50a063dc0
Jeremy Harris [Tue, 22 Jun 2021 22:04:59 +0000 (23:04 +0100)]
TLS: as server, reject connections with ALPN indicating non-smtp use
Jeremy Harris [Mon, 21 Jun 2021 19:39:37 +0000 (20:39 +0100)]
Testsuite: fix testcases for non-TLS build
Jeremy Harris [Mon, 21 Jun 2021 19:22:23 +0000 (20:22 +0100)]
Testsuite: fix munging for no-TLS build
Broken-by: da40b1ec6b
Jeremy Harris [Sun, 20 Jun 2021 13:20:32 +0000 (14:20 +0100)]
Compiler quietening
Stupid static analysis failing to track control dependencies
Jeremy Harris [Sat, 19 Jun 2021 19:12:09 +0000 (20:12 +0100)]
OpenSSL: on library versions too old to support session tickets
client-side limit the valid lifetime of resumable sessions
Jeremy Harris [Sat, 19 Jun 2021 18:11:43 +0000 (19:11 +0100)]
Testsuite: split out OpenSSL TLS1.3 resume tests
Older library versions do not support 1.3 so a separate numbered
testcase is needed
Jeremy Harris [Sat, 19 Jun 2021 18:10:26 +0000 (19:10 +0100)]
Testsuite: allow time for daemon to listen before terminating
Jeremy Harris [Thu, 17 Jun 2021 19:45:32 +0000 (20:45 +0100)]
OpenSSL: fix verify-certs stack initialization
Jeremy Harris [Thu, 17 Jun 2021 18:50:08 +0000 (19:50 +0100)]
Testsuite: output changes for OpenSSL library variants
Broken-by: 2f8e0a5f6b
Jeremy Harris [Thu, 17 Jun 2021 18:44:19 +0000 (19:44 +0100)]
Docs: typo
Jeremy Harris [Tue, 15 Jun 2021 18:27:04 +0000 (19:27 +0100)]
hosts_require_helo
Jeremy Harris [Sun, 13 Jun 2021 13:47:25 +0000 (14:47 +0100)]
Testsuite: EC cert
Jeremy Harris [Tue, 8 Jun 2021 20:42:23 +0000 (21:42 +0100)]
Fix server creds cache invalidation
Broken-by: 5fd673807d
Jeremy Harris [Mon, 7 Jun 2021 18:13:09 +0000 (19:13 +0100)]
compiler quietening
Jeremy Harris [Mon, 7 Jun 2021 17:47:14 +0000 (18:47 +0100)]
Re-fix non-Linux build