Phil Pennock [Tue, 10 Jul 2018 18:35:58 +0000 (14:35 -0400)]
Document problems with SHA-1 in certs with DANE-TA
Very few domains are using SHA-1 in EE certs issued from a CA used in
DANE-TA anchoring, but some are. Meanwhile apparently GnuTLS now
defaults to disabling SHA-1 in chains. Which is eminently reasonable.
I do not believe that Exim should re-enable use of SHA-1 here. Let it
die. Document with warnings that folks using a private CA for certs to
be publicly trusted via DANE-TA should follow decent operational
issuance practices.
Also update my Channel Binding docs for GSASL to warn that Channel
Binding is Broken™.
Jeremy Harris [Thu, 28 Jun 2018 21:07:28 +0000 (22:07 +0100)]
Callouts: enhance debug message
Jeremy Harris [Thu, 28 Jun 2018 11:28:09 +0000 (12:28 +0100)]
Testsuite: tweak instructions for running the suite
Jeremy Harris [Wed, 27 Jun 2018 19:28:02 +0000 (20:28 +0100)]
Restore rspamd support
Following discussions on the exim-user mailinglist it seems that the conclusion
that the interface was nonfunctioning was unwarranted.
Jeremy Harris [Tue, 26 Jun 2018 13:52:39 +0000 (14:52 +0100)]
tidying
Jeremy Harris [Tue, 26 Jun 2018 11:02:56 +0000 (12:02 +0100)]
Merge branch 'rspamd-removal'
Jeremy Harris [Sat, 16 Jun 2018 17:08:09 +0000 (18:08 +0100)]
Revert "Support Rspamd. Patch from Andrew Lewis, lightly editorialised"
This reverts commit c5f280e20a8e3ecd5f016b8fb34a436588915ed2.
Jeremy Harris [Sat, 16 Jun 2018 17:22:47 +0000 (18:22 +0100)]
Revert "Rspamd: add $authenticated_id as User to scan command"
This reverts commit 6c54be6459b83b955fbd2fd6d6a844f80c98427a.
Jeremy Harris [Sat, 16 Jun 2018 13:45:44 +0000 (14:45 +0100)]
Revert "Spamd: add missing initialiser. Rspamd mode was incorrectly sometimes seen."
This reverts commit e718bd6285cb0fb45b74b6fc00b7737590dcaa60.
Jeremy Harris [Sat, 16 Jun 2018 13:45:40 +0000 (14:45 +0100)]
Revert "Do not use shutdown() when talking to rspamd. Fixes 1802"
This reverts commit 416a0be6df0697848ca551dd3243b652e763792d.
Jeremy Harris [Sat, 16 Jun 2018 13:45:32 +0000 (14:45 +0100)]
Revert "Testsuite: limited support for Content-length:"
This reverts commit f6f239461fd62b3a4f3142b6b2a85f8f65eee486.
Jeremy Harris [Sat, 16 Jun 2018 13:41:14 +0000 (14:41 +0100)]
Revert "Avoid repeated string-copy building command-string for rspamd"
This reverts commit 5df838645bcdb135355205a115bf918c85987caf.
Jeremy Harris [Tue, 26 Jun 2018 11:01:15 +0000 (12:01 +0100)]
Unbreak non-DANE build
Broken-by: afdb5e9cf0
Jeremy Harris [Wed, 20 Jun 2018 23:04:25 +0000 (00:04 +0100)]
Expansions: A tls option on ${readsocket }. Bug 2282
Jeremy Harris [Mon, 25 Jun 2018 11:08:37 +0000 (12:08 +0100)]
ARC: Fix verification to do AS checks in reverse order
Broken from the original introduction (617d39327e)
Jeremy Harris [Sun, 24 Jun 2018 19:30:23 +0000 (20:30 +0100)]
Fix multiple message send under TLS
Broken-by: 74f1a42304
Jeremy Harris [Thu, 21 Jun 2018 18:16:29 +0000 (19:16 +0100)]
TLS: rework client-side use with an explicit context rather than a global
Jeremy Harris [Mon, 18 Jun 2018 11:30:54 +0000 (12:30 +0100)]
Testsuite: workaround older-perl bug
Jeremy Harris [Thu, 21 Jun 2018 17:22:56 +0000 (18:22 +0100)]
Testsuite: missing output files
Jeremy Harris [Thu, 21 Jun 2018 16:03:38 +0000 (17:03 +0100)]
DKIM: Fix signing for body lines starting with a pair of dots. Bug 2284
Broken-by: 42055a3385
Kirill Miazine [Thu, 21 Jun 2018 16:08:18 +0000 (17:08 +0100)]
Docs: spelling
Jeremy Harris [Wed, 20 Jun 2018 19:28:54 +0000 (20:28 +0100)]
OpenSSL: TLSv1.3 notes
Jeremy Harris [Thu, 14 Jun 2018 20:28:19 +0000 (21:28 +0100)]
OpenSSL: enable use of TLS 1.3 (with OpenSSL 1.1.0 and later)
Jeremy Harris [Thu, 14 Jun 2018 10:04:22 +0000 (11:04 +0100)]
Add client-ip info to non-pass iprev ${authres } lines
Heiko Schlittermann (HS12-RIPE) [Tue, 12 Jun 2018 13:09:18 +0000 (15:09 +0200)]
Clarify the socket address family (UNIX) for server_socket (dovecot)
Wishlist item (#2280) is created for INET connections.
See https://bugs.exim.org/show_bug.cgi?id=2280
Jeremy Harris [Sat, 9 Jun 2018 20:39:44 +0000 (21:39 +0100)]
DKIM: support timestamp and expiry tags in signing. Bug 2260
Jeremy Harris [Thu, 7 Jun 2018 17:08:22 +0000 (18:08 +0100)]
Follow CNAME chains only one step. Bug 2264
Jeremy Harris [Thu, 7 Jun 2018 15:24:31 +0000 (16:24 +0100)]
ARC: Fix signing for case when DKIM signing failed
Jeremy Harris [Wed, 6 Jun 2018 10:15:21 +0000 (11:15 +0100)]
Change-log
Jeremy Harris [Wed, 6 Jun 2018 09:41:51 +0000 (10:41 +0100)]
Fix logging of cmdline args when starting in an unlinked cwd. Bug 2274
Jeremy Harris [Thu, 24 May 2018 15:28:20 +0000 (16:28 +0100)]
Use serial number 1 for self-generated self-signed certificate
Broken-by: 23bb69826c
Jeremy Harris [Thu, 17 May 2018 08:27:49 +0000 (09:27 +0100)]
ARC: better diagnostics for keyfile issues
Jeremy Harris [Sun, 20 May 2018 17:26:00 +0000 (18:26 +0100)]
DMARC: do not wipe values set by config options, between message receptions
Broken-by: b4757e3611
Jeremy Harris [Thu, 17 May 2018 10:18:04 +0000 (11:18 +0100)]
Docs: add note on DKIM signing-limit security
Phil Pennock [Sat, 19 May 2018 16:09:55 +0000 (12:09 -0400)]
Safer handling of argument-logging memory of cwd
Jeremy Harris [Wed, 16 May 2018 21:15:55 +0000 (22:15 +0100)]
Testsuite: output changes arising
Jeremy Harris [Sun, 13 May 2018 21:02:59 +0000 (22:02 +0100)]
Callouts: record succeeding random local-part tests. Bug 177
Jeremy Harris [Fri, 11 May 2018 17:02:29 +0000 (18:02 +0100)]
Content scanning: Fix locking on message spool files. Bug 2275
Phil Pennock [Tue, 15 May 2018 23:04:34 +0000 (19:04 -0400)]
Don't open spool data-files which are symlinks
Jeremy Harris [Fri, 11 May 2018 15:26:17 +0000 (16:26 +0100)]
ARC: fix crash on signing with missing key file
Heiko Schlittermann (HS12-RIPE) [Wed, 9 May 2018 13:46:47 +0000 (15:46 +0200)]
-bV: include the CONFIGURE_FILE path if it contains a ':'
Jeremy Harris [Mon, 7 May 2018 13:42:35 +0000 (14:42 +0100)]
tidying
Jeremy Harris [Sat, 5 May 2018 20:29:44 +0000 (21:29 +0100)]
Cutthrough: fix race resulting in duplicate-delivery. Bug 2273
Jeremy Harris [Tue, 1 May 2018 21:50:47 +0000 (22:50 +0100)]
tidying
Heiko Schlittermann (HS12-RIPE) [Thu, 3 May 2018 07:22:53 +0000 (09:22 +0200)]
Fix typo in readconf.c
Jeremy Harris [Tue, 1 May 2018 16:45:21 +0000 (17:45 +0100)]
Expansions: new ${lheader:<name>}. Bug 2272
Jeremy Harris [Sun, 29 Apr 2018 14:10:27 +0000 (15:10 +0100)]
tidying
Jeremy Harris [Sat, 28 Apr 2018 12:09:04 +0000 (13:09 +0100)]
Docs: minor fixes
Jeremy Harris [Wed, 25 Apr 2018 21:30:31 +0000 (22:30 +0100)]
ARC: add $arc_oldest_pass variable, for verify
Jeremy Harris [Wed, 25 Apr 2018 20:02:39 +0000 (21:02 +0100)]
ARC: support $arc_domains also for verify fails
Jeremy Harris [Tue, 24 Apr 2018 21:46:11 +0000 (22:46 +0100)]
ARC: add $arc_domains variable, for verify pass
Jeremy Harris [Tue, 24 Apr 2018 12:07:53 +0000 (13:07 +0100)]
ARC: limit verify chain to 50-deep
Jeremy Harris [Mon, 23 Apr 2018 12:25:47 +0000 (13:25 +0100)]
Testsuite: syslog testcase
Jeremy Harris [Mon, 23 Apr 2018 10:26:52 +0000 (11:26 +0100)]
DKIM: enforce limit of 20 on received DKIM-Signature: headers. Bug 2269
Phil Pennock [Sun, 22 Apr 2018 00:20:40 +0000 (20:20 -0400)]
Improve OpenSSL/GnuTLS; enable DNSSEC for non-smarthost
Jeremy Harris [Sat, 21 Apr 2018 22:59:46 +0000 (23:59 +0100)]
Docs: clarify DKIM verification
Phil Pennock [Sat, 21 Apr 2018 00:05:53 +0000 (20:05 -0400)]
TLS by default for example smarthost SMTP Transport
And _decent_ TLS at that, with verification.
Jeremy Harris [Wed, 18 Apr 2018 22:43:30 +0000 (23:43 +0100)]
Testsuite: output changes arising.
Broken-by: 0e8aed8aab
Jeremy Harris [Wed, 18 Apr 2018 22:28:26 +0000 (23:28 +0100)]
ACL: reword error message for ratelimit. Bug 2267
Jeremy Harris [Wed, 18 Apr 2018 22:27:15 +0000 (23:27 +0100)]
Docs: rewrite description of 'leaky' ratelimit. Bug 1298
Heiko Schlittermann (HS12-RIPE) [Wed, 18 Apr 2018 15:20:58 +0000 (17:20 +0200)]
Fix spec
Thanks to Mike Brudenell
Jeremy Harris [Tue, 17 Apr 2018 19:30:22 +0000 (20:30 +0100)]
Compile warning defaults for OpenBSD, at request of the port maintainer
Jeremy Harris [Mon, 16 Apr 2018 18:20:21 +0000 (19:20 +0100)]
tidying
Phil Pennock [Mon, 16 Apr 2018 19:24:34 +0000 (15:24 -0400)]
Belated README.UPDATING notes for Exim 4.91
People skip versions and move past them later, so while it's too late
for 4.91, this will still help people moving to 4.92 from pre-4.91 in
future.
Note that none of these strictly needed to be documented here:
experimental features, features marked as deprecated for many many
years, etc. But let's err on the side of caution and include "things
which will break if you try to upgrade without changing Local/Makefile".
Jeremy Harris [Mon, 16 Apr 2018 17:45:04 +0000 (18:45 +0100)]
Fix OpenSSL non-OCSP build
Jeremy Harris [Mon, 16 Apr 2018 13:23:30 +0000 (14:23 +0100)]
Fix merge artifacts
Jeremy Harris [Mon, 16 Apr 2018 10:21:33 +0000 (11:21 +0100)]
Testsuite: output changes arising
Broken-by: 777e3beace
Jeremy Harris [Mon, 16 Apr 2018 08:15:17 +0000 (09:15 +0100)]
Fix typo in arc. Bug 2262
Phil Pennock [Sun, 15 Apr 2018 21:45:48 +0000 (17:45 -0400)]
Enable weak/old stuff in OpenSSL
Configure OpenSSL with:
enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers
Include explanation as to why.
Jeremy Harris [Sun, 15 Apr 2018 21:03:45 +0000 (22:03 +0100)]
Testsuite: syslog testcase
Jeremy Harris [Sun, 15 Apr 2018 16:50:14 +0000 (17:50 +0100)]
Merge branch '4.next'
Jeremy Harris [Fri, 13 Apr 2018 16:17:37 +0000 (17:17 +0100)]
Tidy logging code
Jeremy Harris [Sat, 7 Apr 2018 19:58:14 +0000 (20:58 +0100)]
Clear more globals between messages
Jeremy Harris [Wed, 4 Apr 2018 15:15:22 +0000 (16:15 +0100)]
Add client-ip info to iprev ${authres } line
Jeremy Harris [Wed, 4 Apr 2018 10:10:56 +0000 (11:10 +0100)]
ARC: add optional x= tag to signing
Jeremy Harris [Tue, 3 Apr 2018 23:22:49 +0000 (00:22 +0100)]
ARC: add optional t= tags to signing
Jeremy Harris [Fri, 30 Mar 2018 21:54:55 +0000 (22:54 +0100)]
Avoid doing logging in signal-handlers. Bug 1007
Jeremy Harris [Sun, 15 Apr 2018 15:29:46 +0000 (16:29 +0100)]
Docs: clean for next release
Jeremy Harris [Sat, 14 Apr 2018 23:18:10 +0000 (00:18 +0100)]
Testsuite: tidy up after mysql testing
Jeremy Harris [Sat, 14 Apr 2018 22:31:05 +0000 (23:31 +0100)]
Logging: fix syslog logging for syslog_timestamp=no and log_selector +millisec
also syslog_pid=no and log_selector +pid
Jeremy Harris [Fri, 13 Apr 2018 16:02:15 +0000 (17:02 +0100)]
Docs: typo
Jeremy Harris [Fri, 13 Apr 2018 16:17:37 +0000 (17:17 +0100)]
Logging: fix syslog logging for syslog_timestamp=no and log_selector +millisec
Phil Pennock [Fri, 13 Apr 2018 22:51:23 +0000 (18:51 -0400)]
DKIM downgrade example again; this time debugged
As well as the previous commit's `len_3` -> `length_3`, we were missing
braces around the expansion operator, resulting in trying to dereference
an unknown variable `$length_3`, and we were missing the outer braces
from the `or` expansion condition.
We really need a better way to test ACL expansion without a full harness. :(
This bug-fixed version is now running on my system.
Phil Pennock [Fri, 13 Apr 2018 22:35:20 +0000 (18:35 -0400)]
Fix length expansion operator in DKIM downgrade example
Jeremy Harris [Fri, 13 Apr 2018 10:51:50 +0000 (11:51 +0100)]
DKIM: add support for the SubjectPublicKeyInfo wrapped form of pubkey
Jeremy Harris [Thu, 12 Apr 2018 15:55:42 +0000 (16:55 +0100)]
Docs: add known broken-version info for OpenSSL behavior
Phil Pennock [Thu, 12 Apr 2018 02:04:28 +0000 (22:04 -0400)]
Mention MTA-STS in DANE context; nit fixes
Did an audit of text changed since commit 6aa6fc9c5 to look for issues
which stood out, fixed those. Spelling mistakes, markup issues, minor
grammatical infelicities.
The public/private CA stuff in the DANE text might push people away from
public CAs, but the existence of MTA-STS means that one of those is
probably the best choice. Mention what exim.org does, to provide
slightly firmer guidance without pressure.
List the `dkim_hash` values, `sha512` appears to be new since that text
was last touched.
Phil Pennock [Thu, 12 Apr 2018 01:06:54 +0000 (21:06 -0400)]
Doc: website updates and so forth
I've added <https://downloads.exim.org/> as a new vhost which doesn't
reference FTP and loses the `/pub/exim` prefix.
Fixed various other outdated claims and documented Jeremy's PGP key as
the main key for releases, with mine (Phil's) and Heiko's as fallbacks.
Mention the `.xz` files.
Phil Pennock [Mon, 9 Apr 2018 21:52:19 +0000 (17:52 -0400)]
Add `receive_time` to list of log_selector values
Phil Pennock [Mon, 9 Apr 2018 21:49:57 +0000 (17:49 -0400)]
bugfix: heimdal interaction, check length
clang noted that taking the address of a struct member will never be 0,
so checking against 0 was wrong. It was a `.length` member. I've
compiled RC4 with this change and deployed it to my box and I can still
authenticate fine.
Jeremy Harris [Mon, 9 Apr 2018 14:08:34 +0000 (15:08 +0100)]
ARC: fix signing when DKIM-signing is also being done
The ordering of headers being signed was wrong when a message
being forwarded arrived with a DKIM signature.
Jeremy Harris [Mon, 9 Apr 2018 10:19:47 +0000 (11:19 +0100)]
DMARC: fix history file
Too many variables were being cleared between connections.
Broken-by: c780096c29 4.91 RC2
Phil Pennock [Mon, 9 Apr 2018 03:46:26 +0000 (23:46 -0400)]
Better(?!?) fallback for stat: Perl
We use Perl extensively in other scripts.
*sigh*
Phil Pennock [Mon, 9 Apr 2018 02:43:36 +0000 (22:43 -0400)]
stat portability
I forgot how much I loathe basic stuff like "get the size of a file,
portably, in shell". Bleh.
Phil Pennock [Mon, 9 Apr 2018 02:28:56 +0000 (22:28 -0400)]
Added util/renew-opendmarc-tlds.sh script to renew PSL
Jeremy Harris [Sun, 8 Apr 2018 21:45:39 +0000 (22:45 +0100)]
OpenSSL: Revert the disabling of the session-cache. Bug 2255
Session caching is never useful, as we use a new context for every TLS startup.
However, removing the support triggers odd behaviour from Outlook Express (only
when there is an IMAP server on the same machine as Exim): an initial connect
from the OE client fails, the immediate retry works.
Jeremy Harris [Sat, 7 Apr 2018 21:44:39 +0000 (22:44 +0100)]
ARC: fix verify to not evaluate the top AMS twice
Jeremy Harris [Sat, 7 Apr 2018 19:58:14 +0000 (20:58 +0100)]
Clear more globals between messages
Jeremy Harris [Fri, 6 Apr 2018 09:48:00 +0000 (10:48 +0100)]
Logging: fix DKIM precis received log line element.
Broken-by: 2c47372fad
Heiko Schlittermann (HS12-RIPE) [Wed, 4 Apr 2018 19:39:36 +0000 (21:39 +0200)]
compiler quietening