users/heiko/exim.git
6 years ago OpenSSL: TLSv1.3 notes
Jeremy Harris [Wed, 20 Jun 2018 19:28:54 +0000 (20:28 +0100)]
OpenSSL: TLSv1.3 notes

6 years ago OpenSSL: enable use of TLS 1.3 (with OpenSSL 1.1.0 and later)
Jeremy Harris [Thu, 14 Jun 2018 20:28:19 +0000 (21:28 +0100)]
OpenSSL: enable use of TLS 1.3  (with OpenSSL 1.1.0 and later)

6 years ago Add client-ip info to non-pass iprev ${authres } lines
Jeremy Harris [Thu, 14 Jun 2018 10:04:22 +0000 (11:04 +0100)]
Add client-ip info to non-pass iprev ${authres } lines

6 years ago Clarify the socket address family (UNIX) for server_socket (dovecot)
Heiko Schlittermann (HS12-RIPE) [Tue, 12 Jun 2018 13:09:18 +0000 (15:09 +0200)]
Clarify the socket address family (UNIX) for server_socket (dovecot)

Wishlist item (#2280) is created for INET connections.
See https://bugs.exim.org/show_bug.cgi?id=2280

6 years ago DKIM: support timestamp and expiry tags in signing. Bug 2260
Jeremy Harris [Sat, 9 Jun 2018 20:39:44 +0000 (21:39 +0100)]
DKIM: support timestamp and expiry tags in signing.  Bug 2260

6 years ago Follow CNAME chains only one step. Bug 2264
Jeremy Harris [Thu, 7 Jun 2018 17:08:22 +0000 (18:08 +0100)]
Follow CNAME chains only one step.  Bug 2264

6 years ago ARC: Fix signing for case when DKIM signing failed
Jeremy Harris [Thu, 7 Jun 2018 15:24:31 +0000 (16:24 +0100)]
ARC: Fix signing for case when DKIM signing failed

6 years ago Change-log
Jeremy Harris [Wed, 6 Jun 2018 10:15:21 +0000 (11:15 +0100)]
Change-log

6 years ago Fix logging of cmdline args when starting in an unlinked cwd. Bug 2274
Jeremy Harris [Wed, 6 Jun 2018 09:41:51 +0000 (10:41 +0100)]
Fix logging of cmdline args when starting in an unlinked cwd.  Bug 2274

6 years ago Use serial number 1 for self-generated selfsigned certificate
Jeremy Harris [Thu, 24 May 2018 15:28:20 +0000 (16:28 +0100)]
Use serial number 1 for self-generated selfsigned certificate

Broken-by: 23bb69826c

6 years ago ARC: better diagnostics for keyfile issues
Jeremy Harris [Thu, 17 May 2018 08:27:49 +0000 (09:27 +0100)]
ARC: better diagnostics for keyfile issues

6 years ago DMARC: do not wipe values set by config options, between message receptions
Jeremy Harris [Sun, 20 May 2018 17:26:00 +0000 (18:26 +0100)]
DMARC: do not wipe values set by config options, between message receptions

Broken-by: b4757e3611

6 years ago Docs: add note on DKIM signing-limit security
Jeremy Harris [Thu, 17 May 2018 10:18:04 +0000 (11:18 +0100)]
Docs: add note on DKIM signing-limit security

6 years ago Safer handling of argument-logging memory of cwd
Phil Pennock [Sat, 19 May 2018 16:09:55 +0000 (12:09 -0400)]
Safer handling of argument-logging memory of cwd

6 years ago Testsuite: output changes arising
Jeremy Harris [Wed, 16 May 2018 21:15:55 +0000 (22:15 +0100)]
Testsuite: output changes arising

6 years ago Callouts: record succeeding random local-part tests. Bug 177
Jeremy Harris [Sun, 13 May 2018 21:02:59 +0000 (22:02 +0100)]
Callouts: record succeeding random local-part tests.  Bug 177

6 years ago Content scanning: Fix locking on message spool files. Bug 2275
Jeremy Harris [Fri, 11 May 2018 17:02:29 +0000 (18:02 +0100)]
Content scanning: Fix locking on message spool files.  Bug 2275

6 years ago Don't open spool data-files which are symlinks
Phil Pennock [Tue, 15 May 2018 23:04:34 +0000 (19:04 -0400)]
Don't open spool data-files which are symlinks

6 years ago ARC: fix crash on signing with missing key file
Jeremy Harris [Fri, 11 May 2018 15:26:17 +0000 (16:26 +0100)]
ARC: fix crash on signing with missing key file

6 years ago -bV: include the CONFIGURE_FILE path if it contains a ':'
Heiko Schlittermann (HS12-RIPE) [Wed, 9 May 2018 13:46:47 +0000 (15:46 +0200)]
-bV: include the CONFIGURE_FILE path if it contains a ':'

6 years ago tidying
Jeremy Harris [Mon, 7 May 2018 13:42:35 +0000 (14:42 +0100)]
tidying

6 years ago Cutthrough: fix race resulting in duplicate-delivery. Bug 2273
Jeremy Harris [Sat, 5 May 2018 20:29:44 +0000 (21:29 +0100)]
Cutthrough: fix race resulting in duplicate-delivery.  Bug 2273

6 years ago tidying
Jeremy Harris [Tue, 1 May 2018 21:50:47 +0000 (22:50 +0100)]
tidying

6 years ago Fix typo in readconf.c
Heiko Schlittermann (HS12-RIPE) [Thu, 3 May 2018 07:22:53 +0000 (09:22 +0200)]
Fix typo in readconf.c

6 years ago Expansions: new ${lheader:<name>}. Bug 2272
Jeremy Harris [Tue, 1 May 2018 16:45:21 +0000 (17:45 +0100)]
Expansions: new ${lheader:<name>}.  Bug 2272

6 years ago tidying
Jeremy Harris [Sun, 29 Apr 2018 14:10:27 +0000 (15:10 +0100)]
tidying

6 years ago Docs: minor fixes
Jeremy Harris [Sat, 28 Apr 2018 12:09:04 +0000 (13:09 +0100)]
Docs: minor fixes

6 years ago ARC: add $arc_oldest_pass variable, for verify
Jeremy Harris [Wed, 25 Apr 2018 21:30:31 +0000 (22:30 +0100)]
ARC: add $arc_oldest_pass variable, for verify

6 years ago ARC: support $arc_domains also for verify fails
Jeremy Harris [Wed, 25 Apr 2018 20:02:39 +0000 (21:02 +0100)]
ARC: support $arc_domains also for verify fails

6 years ago ARC: add $arc_domains variable, for verify pass
Jeremy Harris [Tue, 24 Apr 2018 21:46:11 +0000 (22:46 +0100)]
ARC: add $arc_domains variable, for verify pass

6 years ago ARC: limit verify chain to 50-deep
Jeremy Harris [Tue, 24 Apr 2018 12:07:53 +0000 (13:07 +0100)]
ARC: limit verify chain to 50-deep

6 years ago Testsuite: syslog testcase
Jeremy Harris [Mon, 23 Apr 2018 12:25:47 +0000 (13:25 +0100)]
Testsuite: syslog testcase

6 years ago DKIM: enforce limit of 20 on received DKIM-Signature: headers. Bug 2269
Jeremy Harris [Mon, 23 Apr 2018 10:26:52 +0000 (11:26 +0100)]
DKIM: enforce limit of 20 on received DKIM-Signature: headers.  Bug 2269

6 years ago Improve OpenSSL/GnuTLS; enable DNSSEC for non-smarthost
Phil Pennock [Sun, 22 Apr 2018 00:20:40 +0000 (20:20 -0400)]
Improve OpenSSL/GnuTLS; enable DNSSEC for non-smarthost

6 years ago Docs: clarify DKIM verification
Jeremy Harris [Sat, 21 Apr 2018 22:59:46 +0000 (23:59 +0100)]
Docs: clarify DKIM verification

6 years ago TLS by default for example smarthost SMTP Transport
Phil Pennock [Sat, 21 Apr 2018 00:05:53 +0000 (20:05 -0400)]
TLS by default for example smarthost SMTP Transport

And _decent_ TLS at that, with verification.

6 years ago Testsuite: output changes arising.
Jeremy Harris [Wed, 18 Apr 2018 22:43:30 +0000 (23:43 +0100)]
Testsuite: output changes arising.

Broken-by: 0e8aed8aab

6 years ago ACL: reword error message for ratelimit. Bug 2267
Jeremy Harris [Wed, 18 Apr 2018 22:28:26 +0000 (23:28 +0100)]
ACL: reword error message for ratelimit.  Bug 2267

6 years ago Docs: rewrite description of 'leaky' ratelimit. Bug 1298
Jeremy Harris [Wed, 18 Apr 2018 22:27:15 +0000 (23:27 +0100)]
Docs: rewrite description of 'leaky' ratelimit.  Bug 1298

6 years ago Fix spec
Heiko Schlittermann (HS12-RIPE) [Wed, 18 Apr 2018 15:20:58 +0000 (17:20 +0200)]
Fix spec

Thanks to Mike Brudenell

6 years ago Compile warning defaults for OpenBSD, at request of the port maintainer
Jeremy Harris [Tue, 17 Apr 2018 19:30:22 +0000 (20:30 +0100)]
Compile warning defaults for OpenBSD, at request of the port maintainer

6 years ago tidying
Jeremy Harris [Mon, 16 Apr 2018 18:20:21 +0000 (19:20 +0100)]
tidying

6 years ago Belated README.UPDATING notes for Exim 4.91
Phil Pennock [Mon, 16 Apr 2018 19:24:34 +0000 (15:24 -0400)]
Belated README.UPDATING notes for Exim 4.91

People skip versions and move past them later, so while it's too late
for 4.91, this will still help people moving to 4.92 from pre-4.91 in
future.

Note that none of these strictly needed to be documented here:
experimental features, features marked as deprecated for many many
years, etc.  But let's err on the side of caution and include "things
which will break if you try to upgrade without changing Local/Makefile".

6 years ago Fix OpenSSL non-OCSP build
Jeremy Harris [Mon, 16 Apr 2018 17:45:04 +0000 (18:45 +0100)]
Fix OpenSSL non-OCSP build

6 years ago Fix merge artifacts
Jeremy Harris [Mon, 16 Apr 2018 13:23:30 +0000 (14:23 +0100)]
Fix merge artifacts

6 years ago Testsuite: output changes arising
Jeremy Harris [Mon, 16 Apr 2018 10:21:33 +0000 (11:21 +0100)]
Testsuite: output changes arising

Broken-by: 777e3beace

6 years ago Fix typo in arc. Bug 2262
Jeremy Harris [Mon, 16 Apr 2018 08:15:17 +0000 (09:15 +0100)]
Fix typo in arc.  Bug 2262

6 years ago Enable weak/old stuff in OpenSSL
Phil Pennock [Sun, 15 Apr 2018 21:45:48 +0000 (17:45 -0400)]
Enable weak/old stuff in OpenSSL

Configure OpenSSL with:

    enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers

Include explanation as to why.

6 years ago Testsuite: syslog testcase
Jeremy Harris [Sun, 15 Apr 2018 21:03:45 +0000 (22:03 +0100)]
Testsuite: syslog testcase

6 years ago Merge branch '4.next'
Jeremy Harris [Sun, 15 Apr 2018 16:50:14 +0000 (17:50 +0100)]
Merge branch '4.next'

6 years ago Tidy logging code
Jeremy Harris [Fri, 13 Apr 2018 16:17:37 +0000 (17:17 +0100)]
Tidy logging code

6 years ago Clear more globals between messages
Jeremy Harris [Sat, 7 Apr 2018 19:58:14 +0000 (20:58 +0100)]
Clear more globals between messages

6 years ago Add client-ip info to iprev ${authres } line
Jeremy Harris [Wed, 4 Apr 2018 15:15:22 +0000 (16:15 +0100)]
Add client-ip info to iprev ${authres } line

6 years ago ARC: add optional x= tag to signing
Jeremy Harris [Wed, 4 Apr 2018 10:10:56 +0000 (11:10 +0100)]
ARC: add optional x= tag to signing

6 years ago ARC: add optional t= tags to signing
Jeremy Harris [Tue, 3 Apr 2018 23:22:49 +0000 (00:22 +0100)]
ARC: add optional t= tags to signing

6 years ago Avoid doing logging in signal-handlers. Bug 1007
Jeremy Harris [Fri, 30 Mar 2018 21:54:55 +0000 (22:54 +0100)]
Avoid doing logging in signal-handlers.  Bug 1007

6 years ago Docs: clean for next release
Jeremy Harris [Sun, 15 Apr 2018 15:29:46 +0000 (16:29 +0100)]
Docs: clean for next release

6 years ago Testsuite: tidyup after mysql testing [exim-4_91]
Jeremy Harris [Sat, 14 Apr 2018 23:18:10 +0000 (00:18 +0100)]
Testsuite: tidyup after mysql testing

6 years ago Logging: fix syslog logging for syslog_timestamp=no and log_selector +millisec
Jeremy Harris [Sat, 14 Apr 2018 22:31:05 +0000 (23:31 +0100)]
Logging: fix syslog logging for syslog_timestamp=no and log_selector +millisec
         also syslog_pid=no and log_selector +pid

6 years ago Docs: typo
Jeremy Harris [Fri, 13 Apr 2018 16:02:15 +0000 (17:02 +0100)]
Docs: typo

6 years ago Logging: fix syslog logging for syslog_timestamp=no and log_selector +millisec
Jeremy Harris [Fri, 13 Apr 2018 16:17:37 +0000 (17:17 +0100)]
Logging: fix syslog logging for syslog_timestamp=no and log_selector +millisec

6 years ago DKIM downgrade example again; this time debugged
Phil Pennock [Fri, 13 Apr 2018 22:51:23 +0000 (18:51 -0400)]
DKIM downgrade example again; this time debugged

As well as previous commit's `len_3` -> `length_3`, we were missing
braces around the expansion operator, resulting in trying to dereference
an unknown variable `$length_3`, and we were missing the outer braces
from the `or` expansion condition.

We really need a better way to test ACL expansion without a full harness. :(

This bug-fixed version is now running on my system.

6 years ago Fix length expansion operator in DKIM downgrade example
Phil Pennock [Fri, 13 Apr 2018 22:35:20 +0000 (18:35 -0400)]
Fix length expansion operator in DKIM downgrade example

6 years ago DKIM: add support for the SubjectPublicKeyInfo wrapped form of pubkey
Jeremy Harris [Fri, 13 Apr 2018 10:51:50 +0000 (11:51 +0100)]
DKIM: add support for the SubjectPublicKeyInfo wrapped form of pubkey

6 years ago Docs: add known broken-version info for OpenSSL behavior
Jeremy Harris [Thu, 12 Apr 2018 15:55:42 +0000 (16:55 +0100)]
Docs: add known broken-version info for OpenSSL behavior

6 years ago Mention MTA-STS in DANE context; nit fixes
Phil Pennock [Thu, 12 Apr 2018 02:04:28 +0000 (22:04 -0400)]
Mention MTA-STS in DANE context; nit fixes

Did an audit of text changed since commit 6aa6fc9c5 to look for issues
which stood out, fixed those.  Spelling mistakes, markup issues, minor
grammatical infelicities.

The public/private CA stuff in the DANE text might push people away from
public CAs, but the existence of MTA-STS means that one of those is
probably the best choice.  Mention what exim.org does, to provide
slightly firmer guidance without pressure.

List the `dkim_hash` values, `sha512` appears to be new since that text
was last touched.

6 years ago Doc: website updates and so forth
Phil Pennock [Thu, 12 Apr 2018 01:06:54 +0000 (21:06 -0400)]
Doc: website updates and so forth

I've added <https://downloads.exim.org/> as a new vhost which doesn't
reference FTP and loses the `/pub/exim` prefix.

Fixed various other outdated claims and documented Jeremy's PGP key as
the main key for releases, with mine (Phil's) and Heiko's as fallbacks.

Mention the `.xz` files.

6 years ago Add `receive_time` to list of log_selector values
Phil Pennock [Mon, 9 Apr 2018 21:52:19 +0000 (17:52 -0400)]
Add `receive_time` to list of log_selector values

6 years ago bugfix: heimdal interaction, check length
Phil Pennock [Mon, 9 Apr 2018 21:49:57 +0000 (17:49 -0400)]
bugfix: heimdal interaction, check length

clang noted that taking the address of a struct member will never be 0,
so checking against 0 was wrong.  It was a `.length` member.  I've
compiled RC4 with this change and deployed it to my box and I can still
authenticate fine.

6 years ago ARC: fix signing when DKIM-signing is also being done
Jeremy Harris [Mon, 9 Apr 2018 14:08:34 +0000 (15:08 +0100)]
ARC: fix signing when DKIM-signing is also being done

The ordering of headers being signed was wrong when a message
being forwarded arrived with a dkim signature

6 years ago DMARC: fix history file
Jeremy Harris [Mon, 9 Apr 2018 10:19:47 +0000 (11:19 +0100)]
DMARC: fix history file

Too many variables were being cleared between connections
Broken-by: c780096c29 4.91 RC2

6 years ago Better(?!?) fallback for stat: Perl
Phil Pennock [Mon, 9 Apr 2018 03:46:26 +0000 (23:46 -0400)]
Better(?!?) fallback for stat: Perl

We use Perl extensively in other scripts.

*sigh*

6 years ago stat portability
Phil Pennock [Mon, 9 Apr 2018 02:43:36 +0000 (22:43 -0400)]
stat portability

I forgot how much I loathe basic stuff like "get the size of a file,
portably, in shell".  Bleh.

6 years ago Added util/renew-opendmarc-tlds.sh script to renew PSL
Phil Pennock [Mon, 9 Apr 2018 02:28:56 +0000 (22:28 -0400)]
Added util/renew-opendmarc-tlds.sh script to renew PSL

6 years ago OpenSSL: Revert the disabling of the session-cache. Bug 2255
Jeremy Harris [Sun, 8 Apr 2018 21:45:39 +0000 (22:45 +0100)]
OpenSSL: Revert the disabling of the session-cache.  Bug 2255

Session cacheing is never useful, as we use a new context for every TLS startup.
However, removing the support triggers odd behaviour from Outlook Express (only
when there is an IMAP server on the same machine as Exim): an initial connect
from the OE client fails, the immediate retry works.

6 years ago ARC: fix verify to not evaluate the top AMS twice [exim-4_91_RC4]
Jeremy Harris [Sat, 7 Apr 2018 21:44:39 +0000 (22:44 +0100)]
ARC: fix verify to not evaluate the top AMS twice

6 years ago Clear more globals between messages
Jeremy Harris [Sat, 7 Apr 2018 19:58:14 +0000 (20:58 +0100)]
Clear more globals between messages

6 years ago Logging: fix DKIM precis received log line element.
Jeremy Harris [Fri, 6 Apr 2018 09:48:00 +0000 (10:48 +0100)]
Logging: fix DKIM precis received log line element.

Broken-by: 2c47372fad

6 years ago compiler quietening
Heiko Schlittermann (HS12-RIPE) [Wed, 4 Apr 2018 19:39:36 +0000 (21:39 +0200)]
compiler quietening

6 years ago Add client-ip info to iprev ${authres } line
Jeremy Harris [Wed, 4 Apr 2018 15:15:22 +0000 (16:15 +0100)]
Add client-ip info to iprev ${authres } line

6 years ago compiler quietening
Jeremy Harris [Wed, 4 Apr 2018 11:38:38 +0000 (12:38 +0100)]
compiler quietening

6 years ago Actually reap node2 process in redis cluster test
Graeme Fowler [Wed, 4 Apr 2018 10:30:21 +0000 (11:30 +0100)]
Actually reap node2 process in redis cluster test

6 years ago ARC: add optional x= tag to signing
Jeremy Harris [Wed, 4 Apr 2018 10:10:56 +0000 (11:10 +0100)]
ARC: add optional x= tag to signing

6 years ago local_scan: add note on Makefile requirement
Jeremy Harris [Fri, 30 Mar 2018 23:24:28 +0000 (00:24 +0100)]
local_scan: add note on Makefile requirement

6 years ago ARC: add optional t= tags to signing
Jeremy Harris [Tue, 3 Apr 2018 23:22:49 +0000 (00:22 +0100)]
ARC: add optional t= tags to signing

6 years ago ARC: log signing-spec errors in mainlog only, not paniclog
Jeremy Harris [Wed, 28 Mar 2018 13:15:23 +0000 (14:15 +0100)]
ARC: log signing-spec errors in mainlog only, not paniclog

6 years ago ARC: enhance debug for signing; explicitly init signing context
Jeremy Harris [Tue, 27 Mar 2018 21:01:03 +0000 (22:01 +0100)]
ARC: enhance debug for signing; explicitly init signing context

6 years ago Fix non-ARC build
Jeremy Harris [Mon, 26 Mar 2018 17:44:33 +0000 (18:44 +0100)]
Fix non-ARC build

6 years ago ARC: add guard in verify against lack of the dkim-verify context
Jeremy Harris [Mon, 26 Mar 2018 16:30:47 +0000 (17:30 +0100)]
ARC: add guard in verify against lack of the dkim-verify context
needed for body-hashing

6 years ago ARC: cutthrough delivery may not be used with ARC signing
Jeremy Harris [Mon, 26 Mar 2018 14:59:25 +0000 (15:59 +0100)]
ARC: cutthrough delivery may not be used with ARC signing

6 years ago Cutthrough: enforce non-use in combination with DKIM signing or transport filter
Jeremy Harris [Mon, 26 Mar 2018 14:53:49 +0000 (15:53 +0100)]
Cutthrough: enforce non-use in combination with DKIM signing or transport filter

Broken-by: 02b41d7106

6 years ago Add ARC signing caveats
Phil Pennock [Mon, 26 Mar 2018 16:24:48 +0000 (12:24 -0400)]
Add ARC signing caveats

6 years ago ARC: give more detail with "bad signing-spec" message
Jeremy Harris [Sat, 24 Mar 2018 13:53:50 +0000 (13:53 +0000)]
ARC: give more detail with "bad signing-spec" message

6 years ago ARC: For signing, accept A-R header lacking ARC info as equivalent to "none"
Jeremy Harris [Fri, 23 Mar 2018 16:45:03 +0000 (16:45 +0000)]
ARC: For signing, accept A-R header lacking ARC info as equivalent to "none"

6 years ago ARC: add independent-source testcase. Fix signatures by not line-terminating
Jeremy Harris [Fri, 23 Mar 2018 11:06:35 +0000 (11:06 +0000)]
ARC: add independent-source testcase.  Fix signatures by not line-terminating
last header line being hashed.

6 years ago ARC: AS header should have no c= tag
Jeremy Harris [Tue, 20 Mar 2018 22:11:24 +0000 (22:11 +0000)]
ARC: AS header should have no c= tag

6 years ago ARC: on the smtp transport option take empty or forced-fail to disable signing
Jeremy Harris [Tue, 20 Mar 2018 19:58:00 +0000 (19:58 +0000)]
ARC: on the smtp transport option take empty or forced-fail to disable signing

6 years ago Avast: rework interface [exim-4_91_RC3]
Heiko Schlittermann (HS12-RIPE) [Mon, 2 Apr 2018 20:11:57 +0000 (22:11 +0200)]
Avast: rework interface

6 years ago Avast: implement pass_unscanned option
Heiko Schlittermann (HS12-RIPE) [Mon, 2 Apr 2018 15:39:39 +0000 (17:39 +0200)]
Avast: implement pass_unscanned option

6 years ago Avast: improve compliance with avast-protocol(5)
Heiko Schlittermann (HS12-RIPE) [Fri, 30 Mar 2018 22:06:47 +0000 (00:06 +0200)]
Avast: improve compliance with avast-protocol(5)

Treat scanner errors as malware. Defer on scanner tmpfail
only.