Jeremy Harris [Wed, 20 Dec 2017 23:12:07 +0000 (23:12 +0000)]
DANE/GnuTLS: filter TLSA records for usability
Jeremy Harris [Wed, 20 Dec 2017 21:14:06 +0000 (21:14 +0000)]
DANE/GnuTLS: ignore traditional CA anchor validation in DANE-EE mode
Not quite right for a mixed TA+EE set of TLSA records, but better than always-enforcing
Jeremy Harris [Wed, 20 Dec 2017 11:34:47 +0000 (11:34 +0000)]
ACL: Disallow '/' characters in queue names specified for "queue="
Jeremy Harris [Tue, 19 Dec 2017 22:14:18 +0000 (22:14 +0000)]
Merge branch '4.next'
Jeremy Harris [Tue, 19 Dec 2017 21:54:37 +0000 (21:54 +0000)]
Docs: clean for next release
Jeremy Harris [Tue, 19 Dec 2017 16:27:44 +0000 (16:27 +0000)]
Fix nossl build
Jeremy Harris [Tue, 19 Dec 2017 15:06:49 +0000 (15:06 +0000)]
DANE: support under GnuTLS. Bug 1523
GnuTLS version 3.0.0 onwards; still Experimental
Jeremy Harris [Mon, 18 Dec 2017 15:38:54 +0000 (15:38 +0000)]
Testsuite: move CRL testcases away from using SHA1-signed certs
Jeremy Harris [Sat, 16 Dec 2017 20:52:54 +0000 (20:52 +0000)]
Testsuite: output changes arising
Jeremy Harris [Sat, 16 Dec 2017 20:49:28 +0000 (20:49 +0000)]
Testsuite: regenerate certs tree
Jeremy Harris [Sat, 16 Dec 2017 20:45:18 +0000 (20:45 +0000)]
Testsuite: restore generation of OCSP status for EC certs
Broken-by: 854586e149
Jeremy Harris [Sat, 16 Dec 2017 20:41:27 +0000 (20:41 +0000)]
Testsuite: do not bother with cert hostnames when testing OCSP
Jeremy Harris [Sat, 16 Dec 2017 19:45:30 +0000 (19:45 +0000)]
Testsuite: restore lost dns config for DKIM extra-txt-records testcase
Broken-by: 854586e149
Jeremy Harris [Sat, 16 Dec 2017 14:17:13 +0000 (14:17 +0000)]
Testsuite output changes arising
Broken-by: 854586e149
Viktor Dukhovni [Fri, 1 Dec 2017 22:13:19 +0000 (22:13 +0000)]
DANE: fix type-2xx TLSA under older OpenSSL versions Bug 2198
OpenSSL 1.0.1t is known bad. 1.0.2 and 1.1.0 are apparently ok.
Jeremy Harris [Sat, 16 Dec 2017 02:05:13 +0000 (02:05 +0000)]
Testsuite: testcase for Bug 2198
Jeremy Harris [Tue, 12 Dec 2017 21:52:33 +0000 (21:52 +0000)]
CHUNKING: flush input stream after message-fatal error detection. Bug 2201
Jeremy Harris [Sat, 9 Dec 2017 15:05:14 +0000 (15:05 +0000)]
Testsuite: regen TLSA records, to match cert tree
Jeremy Harris [Sat, 9 Dec 2017 14:57:38 +0000 (14:57 +0000)]
Testsuite: regen TLSA records, to match cert tree
Phil Pennock [Fri, 8 Dec 2017 19:21:45 +0000 (14:21 -0500)]
openssl guidance: install shared libraries too
Jeremy Harris [Tue, 5 Dec 2017 20:55:19 +0000 (20:55 +0000)]
tidying
Jeremy Harris [Fri, 8 Dec 2017 12:55:25 +0000 (12:55 +0000)]
Add compile-time guard against BDB library version 6
Jeremy Harris [Mon, 4 Dec 2017 14:32:44 +0000 (14:32 +0000)]
Fix non-OCSP OpenSSL build
Issue found by: Frank Elsner
Jeremy Harris [Sun, 3 Dec 2017 23:57:11 +0000 (23:57 +0000)]
Docs: amend warning on lack of multiple-OCSP-proof support
Jeremy Harris [Sun, 3 Dec 2017 22:40:43 +0000 (22:40 +0000)]
GnuTLS: multiple server certs, OCSP stapling. Bug 2092
Jeremy Harris [Sun, 3 Dec 2017 23:54:13 +0000 (23:54 +0000)]
Testsuite: regen certs trees, now with OCSP response for one EC cert
Jeremy Harris [Sun, 3 Dec 2017 20:36:12 +0000 (20:36 +0000)]
Docs: clarify smtp transport tls_verify_certificates option
Heiko Schlittermann (HS12-RIPE) [Sun, 3 Dec 2017 17:17:43 +0000 (18:17 +0100)]
DKIM: Ignore non-DKIM TXT records in DNS response. Bug 2207
Jeremy Harris [Sat, 2 Dec 2017 21:11:46 +0000 (21:11 +0000)]
Fix initialiser in smtp transport
Broken-by: 838d897c8e
Jeremy Harris [Sat, 2 Dec 2017 20:10:18 +0000 (20:10 +0000)]
Docs: add notes on lack of multiple-OCSP-proof support
This would be wanted for server OCSP stapling in a dual RSA/ECDSA certificate installation
Jeremy Harris [Tue, 28 Nov 2017 20:44:14 +0000 (20:44 +0000)]
Change log update
Heiko Schlittermann (HS12-RIPE) [Mon, 27 Nov 2017 21:42:33 +0000 (22:42 +0100)]
Chunking: do not treat the first lonely dot special. CVE-2017-16944, Bug 2201
Jeremy Harris [Sun, 26 Nov 2017 15:28:26 +0000 (15:28 +0000)]
Logging: fix log line for local_scan() rejection
Jeremy Harris [Sun, 26 Nov 2017 15:26:42 +0000 (15:26 +0000)]
DKIM: fix tolerating spaces round tag values
Jeremy Harris [Sun, 26 Nov 2017 15:22:38 +0000 (15:22 +0000)]
Fix filename length check in mime-handling
Jeremy Harris [Sun, 26 Nov 2017 15:20:04 +0000 (15:20 +0000)]
tidying
Jeremy Harris [Sat, 2 Dec 2017 21:11:46 +0000 (21:11 +0000)]
Fix initialiser in smtp transport
Broken-by: 838d897c8e
Jeremy Harris [Sat, 2 Dec 2017 20:10:18 +0000 (20:10 +0000)]
Docs: add notes on lack of multiple-OCSP-proof support
This would be wanted for server OCSP stapling in a dual RSA/ECDSA certificate installation
Jeremy Harris [Fri, 1 Dec 2017 22:43:19 +0000 (22:43 +0000)]
Debug: fix coding in dnssec reporting. Bug 2205
Jeremy Harris [Wed, 29 Nov 2017 23:22:34 +0000 (23:22 +0000)]
TLS: avoid calling smtp_auth_acl on client cert when no tls authenticator is configured
Jeremy Harris [Wed, 29 Nov 2017 22:18:18 +0000 (22:18 +0000)]
TLS: Fix excessive calling of smtp_auth_acl under AUTH_TLS. Bug 2203
Jeremy Harris [Tue, 28 Nov 2017 20:44:14 +0000 (20:44 +0000)]
Change log update
Heiko Schlittermann (HS12-RIPE) [Mon, 27 Nov 2017 21:42:33 +0000 (22:42 +0100)]
Chunking: do not treat the first lonely dot special. CVE-2017-16944, Bug 2201
Jeremy Harris [Sun, 26 Nov 2017 15:28:26 +0000 (15:28 +0000)]
Logging: fix log line for local_scan() rejection
Jeremy Harris [Sun, 26 Nov 2017 15:26:42 +0000 (15:26 +0000)]
DKIM: fix tolerating spaces round tag values
Jeremy Harris [Sun, 26 Nov 2017 15:22:38 +0000 (15:22 +0000)]
Fix filename length check in mime-handling
Jeremy Harris [Sun, 26 Nov 2017 15:20:04 +0000 (15:20 +0000)]
tidying
Jeremy Harris [Sat, 25 Nov 2017 21:05:53 +0000 (21:05 +0000)]
tidying
Jeremy Harris [Sat, 25 Nov 2017 20:24:00 +0000 (20:24 +0000)]
Replace the store_release() internal interface, which was excessively unsafe.
The new store_newblock() includes the required safety check, plus the allocate
and data-copy operations.
Jeremy Harris [Sat, 25 Nov 2017 19:39:32 +0000 (19:39 +0000)]
Merge branch 'master' into 4.next
Jeremy Harris [Sat, 25 Nov 2017 16:21:14 +0000 (16:21 +0000)]
Change note for 445d03d4ea
Jeremy Harris [Fri, 24 Nov 2017 20:22:33 +0000 (20:22 +0000)]
Avoid release of store if there have been later allocations. Bug 2199
Jeremy Harris [Fri, 24 Nov 2017 20:24:40 +0000 (20:24 +0000)]
Add comment on GnuTLS library debugging facility
Jeremy Harris [Sat, 18 Nov 2017 15:22:48 +0000 (15:22 +0000)]
Testsuite: more pre-run configuration checks
Jeremy Harris [Thu, 16 Nov 2017 20:46:10 +0000 (20:46 +0000)]
tidying
Jeremy Harris [Thu, 16 Nov 2017 18:31:23 +0000 (18:31 +0000)]
Testsuite: delays for debug output ordering (again)
Jeremy Harris [Thu, 16 Nov 2017 12:12:48 +0000 (12:12 +0000)]
OpenSSL: avoid using now-deprecated routines on newer versions
Jeremy Harris [Wed, 15 Nov 2017 23:24:23 +0000 (23:24 +0000)]
Testsuite: OpenSSL/LibreSSL version output variances
Jeremy Harris [Wed, 15 Nov 2017 22:09:10 +0000 (22:09 +0000)]
Testsuite: OpenSSL/LibreSSL version output variances
Jeremy Harris [Wed, 15 Nov 2017 20:38:19 +0000 (20:38 +0000)]
Testsuite: OpenSSL/LibreSSL version output variances
Jeremy Harris [Wed, 15 Nov 2017 19:06:00 +0000 (19:06 +0000)]
Testsuite: better debug output from "server" script-runner
Jeremy Harris [Wed, 15 Nov 2017 18:56:21 +0000 (18:56 +0000)]
Testsuite: delays for debug output ordering
OpenBSD seems to prioritize the child of a fork; Linux & FreeBSD the parent
Jeremy Harris [Wed, 15 Nov 2017 18:38:44 +0000 (18:38 +0000)]
Testsuite: force RSA auth for testcase loading dual certs
More recent OpenSSL versions (1.1.0) reasonably prefer ECDSA when available,
where older (1.0.2) preferred RSA
Jeremy Harris [Wed, 15 Nov 2017 17:48:55 +0000 (17:48 +0000)]
Typo in sample configuration
Jeremy Harris [Sun, 12 Nov 2017 19:08:43 +0000 (19:08 +0000)]
Docs: PRVS validity. Bug 2033
Jeremy Harris [Tue, 14 Nov 2017 19:32:50 +0000 (19:32 +0000)]
Testsuite output updates
Heiko Schlittermann (HS12-RIPE) [Sun, 5 Nov 2017 22:57:16 +0000 (23:57 +0100)]
Add host detail on all deferred deliveries, not only the last one
Jeremy Harris [Sat, 11 Nov 2017 21:19:50 +0000 (21:19 +0000)]
Testsuite: another go at munging cipher-suite strings
Jeremy Harris [Sat, 11 Nov 2017 21:04:21 +0000 (21:04 +0000)]
Debug: remove router DSN config dump on startup
Jeremy Harris [Sat, 11 Nov 2017 18:39:09 +0000 (18:39 +0000)]
Testsuite: another go at munging cipher-suite strings
Jeremy Harris [Sat, 11 Nov 2017 16:20:02 +0000 (16:20 +0000)]
Merge branch 'master' into 4.next
Jeremy Harris [Sat, 11 Nov 2017 16:11:06 +0000 (16:11 +0000)]
Downgrade an unfound-list name from panic to DEFER. Bug 1645
Jeremy Harris [Thu, 9 Nov 2017 21:35:08 +0000 (21:35 +0000)]
Testsuite: another go at munging cipher-suite strings
Jeremy Harris [Thu, 9 Nov 2017 19:49:49 +0000 (19:49 +0000)]
Testsuite: another go at munging cipher-suite strings
Jeremy Harris [Wed, 8 Nov 2017 12:37:22 +0000 (12:37 +0000)]
docs: typo
Jeremy Harris [Wed, 8 Nov 2017 12:01:20 +0000 (12:01 +0000)]
tidying
Jeremy Harris [Wed, 8 Nov 2017 10:43:28 +0000 (10:43 +0000)]
DKIM: call ACL once for each signature matching the identity from dkim_verify_signers. Bug 2189
Jeremy Harris [Tue, 7 Nov 2017 21:40:19 +0000 (21:40 +0000)]
DKIM: make verification results visible in data ACL
Jeremy Harris [Tue, 7 Nov 2017 19:01:42 +0000 (19:01 +0000)]
DKIM: Allow the DKIM ACL to override verification results. Bug 2186
This provides generic support, though it covers the need introduced
by https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-usage/?include_text=1
(deprecating sha-1 and RSA keys shorter than 1024 bits).
Jeremy Harris [Tue, 7 Nov 2017 16:09:28 +0000 (16:09 +0000)]
TLS: support multiple certificate files in server. Bug 2092
Jeremy Harris [Fri, 3 Nov 2017 13:05:16 +0000 (13:05 +0000)]
Docs: add index entry
Jeremy Harris [Fri, 3 Nov 2017 11:02:19 +0000 (11:02 +0000)]
DKIM: better syntax for control of oversigning. Bug 2180
Phil Pennock [Thu, 2 Nov 2017 18:48:30 +0000 (14:48 -0400)]
Use LDFLAGS not EXTRALIBS_EXIM; 1.0.2 needs ldl too
Heiko Schlittermann (HS12-RIPE) [Wed, 1 Nov 2017 21:38:43 +0000 (22:38 +0100)]
exigrep: we need to run with perl 5.8.x
The defined-or operator '//' does not exist yet.
Jeremy Harris [Wed, 1 Nov 2017 12:32:13 +0000 (12:32 +0000)]
Use back-compatible variable for perl version
The modern $^V is not present in some buildfarm animals' perl versions.
Heiko Schlittermann (HS12-RIPE) [Wed, 1 Nov 2017 06:45:55 +0000 (07:45 +0100)]
Testsuite: Output the --version from exigrep, exinext, eximstats
Heiko Schlittermann (HS12-RIPE) [Wed, 1 Nov 2017 06:45:14 +0000 (07:45 +0100)]
Add --version to all installed Perl and Shell scripts.
This option outputs the build info, and for Perl scripts it additionally
outputs the Perl version that is running the current script.
Jeremy Harris [Tue, 31 Oct 2017 16:31:34 +0000 (16:31 +0000)]
Lose extraneous line
Broken-by: 9650d98a07
Jeremy Harris [Tue, 31 Oct 2017 15:31:50 +0000 (15:31 +0000)]
Add macro support to -be expansion test mode. Bug 1623
Jeremy Harris [Mon, 30 Oct 2017 10:40:27 +0000 (10:40 +0000)]
typo
Jeremy Harris [Mon, 30 Oct 2017 10:15:26 +0000 (10:15 +0000)]
Testsuite: notify perl version at runtest startup
Andreas Metzler [Sat, 28 Oct 2017 17:45:30 +0000 (19:45 +0200)]
Make exim_monitor build reproducible.
Adapt changes to exim for SOURCE_DATE_EPOCH from exim
6e411084a29a7658f7bc88aa5a62ab9016c22c79 to exim_monitor.
Jeremy Harris [Sat, 28 Oct 2017 21:33:02 +0000 (22:33 +0100)]
Testsuite output + script changes needed for c246a1de88
Jeremy Harris [Sat, 28 Oct 2017 20:36:13 +0000 (21:36 +0100)]
Add macro support to -be expansion test mode. Bug 1623
Jeremy Harris [Sat, 28 Oct 2017 20:33:24 +0000 (21:33 +0100)]
Merge branch 'master' into 4.next
Jeremy Harris [Sat, 28 Oct 2017 14:09:05 +0000 (15:09 +0100)]
Do not exit when cwd has no name. Bug 2078
Andreas Metzler [Sat, 28 Oct 2017 13:23:50 +0000 (14:23 +0100)]
Build: fix repeatable-build typo
Jeremy Harris [Sat, 28 Oct 2017 13:04:12 +0000 (14:04 +0100)]
Fix build warning. Bug 2181
Andreas Metzler [Sat, 28 Oct 2017 12:26:48 +0000 (14:26 +0200)]
Correct typo "psuedo" in exipick documentation.
Phil Pennock [Fri, 27 Oct 2017 17:07:48 +0000 (13:07 -0400)]
nit: typo-fix in comment (my goof)