users/heiko/exim.git
12 years agofeatures.h; tls_validate_require_cipher: log flag & tests exim-4_80_RC3
Phil Pennock [Mon, 21 May 2012 04:20:37 +0000 (00:20 -0400)]
features.h; tls_validate_require_cipher: log flag & tests

Pull in <features.h> on Linux.
Switch readconf log from D_all (bug) to D_tls (though D_any would have
worked).
Modified runtest to handle clamped DH bits and
tls_validate_require_cipher added debug logging.

12 years agoonly drop privs for TLS if still root
Phil Pennock [Mon, 21 May 2012 02:58:18 +0000 (22:58 -0400)]
only drop privs for TLS if still root

12 years agoUpdate docs for latest state of TLS affairs.
Phil Pennock [Mon, 21 May 2012 02:15:48 +0000 (22:15 -0400)]
Update docs for latest state of TLS affairs.

gnutls-params bits count no longer necessarily what GnuTLS says to use.
The OpenSSL-vs-GnuTLS text needed some updating.
Catches a ChangeLog addition made during the previous commit, so not picked up by it.

12 years agoAdded tls_dh_max_bits & check tls_require_ciphers early.
Phil Pennock [Mon, 21 May 2012 01:49:40 +0000 (21:49 -0400)]
Added tls_dh_max_bits & check tls_require_ciphers early.

Janne Snabb tracked down the GnuTLS 2.12 vs NSS (Thunderbird) interop
problems to a hard-coded limit of 2236 bits for DH in NSS while GnuTLS
was suggesting 2432 bits as normal.

Added new global option tls_dh_max_bits to clamp all DH values (client
or server); unexpanded integer.  Default value to 2236.  Apply to both
GnuTLS and OpenSSL (which requires tls_dh_params for this).

Tired of debugging "SMTP fails TLS" error messages in mailing-lists
caused by OpenSSL library/include clashes, and of finding out I typo'd
in tls_require_ciphers only at the STARTTLS handshake.  During readconf,
fork/drop-privs/initialise-TLS-library.  In that, if tls_require_ciphers
is set, then validate it.

The validation child will panic if it can't initialise or if
tls_require_ciphers can't be parsed, else it exits 0.  If the child
exits anything other than 0, the main Exim process will exit.

12 years agoGuard TLS SNI callback define better.
Phil Pennock [Sun, 20 May 2012 23:35:34 +0000 (19:35 -0400)]
Guard TLS SNI callback define better.

Guarded the callback invocation on OpenSSL having TLS extension support.
Failed to guard the callback definition.  Fixed.
Problem spotted by Todd Lyons.

12 years agotls_require_ciphers must be assigned to state copy
Phil Pennock [Sun, 20 May 2012 22:22:06 +0000 (18:22 -0400)]
tls_require_ciphers must be assigned to state copy

12 years agoMerge branch 'master_testsuite_faq'
Todd Lyons [Sun, 20 May 2012 15:11:23 +0000 (08:11 -0700)]
Merge branch 'master_testsuite_faq'

12 years agoFAQ of running test suite
Todd Lyons [Sun, 20 May 2012 15:08:59 +0000 (08:08 -0700)]
FAQ of running test suite

12 years agoTestsuite: more guidance in README
Jeremy Harris [Sun, 20 May 2012 14:32:34 +0000 (15:32 +0100)]
Testsuite: more guidance in README

12 years agoTypo: PRE_PRERELEASE -> PCRE_PRERELEASE
Phil Pennock [Sun, 20 May 2012 09:34:57 +0000 (05:34 -0400)]
Typo: PRE_PRERELEASE -> PCRE_PRERELEASE

Noted by Moritz Wilhelmy.

12 years agoGnuTLS debug callback: check for existing \n
Phil Pennock [Sun, 20 May 2012 09:33:22 +0000 (05:33 -0400)]
GnuTLS debug callback: check for existing \n

12 years ago"make makfile" -> "make makefile".
Phil Pennock [Sun, 20 May 2012 07:48:53 +0000 (03:48 -0400)]
"make makfile" -> "make makefile".

Confirmed typo, rather than QNXism, by grepping tree and finding no
other instances.

Reported by René Berber.

12 years agoCipher munging continues.
Phil Pennock [Sun, 20 May 2012 02:22:06 +0000 (22:22 -0400)]
Cipher munging continues.

I omitted log/2025 pending further investigation.

12 years agoHAVE_IPV6=yes in comment; need value!
Phil Pennock [Sun, 20 May 2012 01:29:45 +0000 (21:29 -0400)]
HAVE_IPV6=yes in comment; need value!

12 years agoTestsuite: munge recorded TLS version &c in output to permit awkward test-host instal...
Jeremy Harris [Sun, 20 May 2012 00:04:24 +0000 (01:04 +0100)]
Testsuite: munge recorded TLS version &c in output to permit awkward test-host installations.

12 years agoPRINTF_FUNCTION -> ALMOST_PRINTF.
Phil Pennock [Sat, 19 May 2012 23:55:15 +0000 (19:55 -0400)]
PRINTF_FUNCTION -> ALMOST_PRINTF.

WANT_DEEPER_PRINTF_CHECKS guards ALMOST_PRINTF being PRINTF_FUNCTION.
Fix some actual issues exposed when I cut down on the spam.

12 years agoPortability to HP-UX.
Phil Pennock [Sat, 19 May 2012 23:13:51 +0000 (19:13 -0400)]
Portability to HP-UX.

Report and fix from Michael Haardt.

The resolver library change's assumed typedef was absent, but the
underlying struct __res_state is present.  Long type issues for the
arithmetic changes.

12 years agoPCRE_PRERELEASE fix, again
Phil Pennock [Sat, 19 May 2012 21:59:09 +0000 (17:59 -0400)]
PCRE_PRERELEASE fix, again

12 years agoTorture the English language slightly less exim-4_80_RC2
Phil Pennock [Fri, 18 May 2012 23:17:38 +0000 (19:17 -0400)]
Torture the English language slightly less

12 years agoFix three issues highlighted by clang analyser.
Phil Pennock [Fri, 18 May 2012 22:22:30 +0000 (18:22 -0400)]
Fix three issues highlighted by clang analyser.

Only crash-plausible issue would require the Cambridge-specific
iplookup router and a misconfiguration.

Report from Marcin Mirosław

12 years agoTest suite fixes, mostly for new certs.
Phil Pennock [Fri, 18 May 2012 22:07:55 +0000 (18:07 -0400)]
Test suite fixes, mostly for new certs.

New cert1 and cert2 but I'd only updated the GnuTLS tests.
This fixes OpenSSL ones too.

The SHELL vs /bin/sh one also fixed, finally realised that
the test output just hadn't been updated to match the munging.

12 years agoDocument DCC in experimental-spec.txt
Phil Pennock [Fri, 18 May 2012 20:22:04 +0000 (16:22 -0400)]
Document DCC in experimental-spec.txt

Base text from Wolfgang Breyha.
I went over it as someone new to it, to make some obvious-to-experts-but-not-me fixes.

12 years agoSecond SPF fix, moved to where type is correct.
Phil Pennock [Fri, 18 May 2012 19:52:08 +0000 (15:52 -0400)]
Second SPF fix, moved to where type is correct.

De-initialised "type" var in stack declaration, so a repeat of this mistake
would lead to an uninitialized variable usage warning which would have blocked
the previous incorrect fix from being committed.

12 years agoFix dcc_header content corruption.
Phil Pennock [Fri, 18 May 2012 19:46:06 +0000 (15:46 -0400)]
Fix dcc_header content corruption.

(stack memory referenced, read-only, out of scope).

Patch from Wolfgang Breyha, report from Stuart Northfield.

12 years agoSPF multiple strings join on "".
Phil Pennock [Fri, 18 May 2012 19:35:32 +0000 (15:35 -0400)]
SPF multiple strings join on "".

Patch from Janne Snabb.

12 years agoGnuTLS pretty much passes test suite. exim-4_80_RC1
Phil Pennock [Fri, 18 May 2012 03:04:36 +0000 (23:04 -0400)]
GnuTLS pretty much passes test suite.

Fixed assumption that tls_certificate non-NULL in server when TLS
advertised.
Weakened an !S_ISREG() to an S_ISDIR() to keep the test-suite happy.

Using:
  do { rc = gnutls_handshake(state->session);
  } while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
is contra-indicated when you expect SIGALRM to be able to break you out
of the loop.  A little _too_ robust there.  Switching last part to:
  (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen)
is rather more productive.

Only test not passing is 2025, which makes major assumptions about
cipher suites and needs to be revisited to see what it's trying to
achieve.  We fail the test because we successfully deliver the message
without expected errors, because other ciphersuites are available, since
we're no longer limited to a *very* short list embedded in the Exim
code.  That sort of failure I can live with.

12 years agoMake test-suite client cmd -t<timeout> actually work
Phil Pennock [Fri, 18 May 2012 02:12:59 +0000 (22:12 -0400)]
Make test-suite client cmd -t<timeout> actually work

12 years agoCRL addition returns count of CRLs added
Phil Pennock [Fri, 18 May 2012 00:07:04 +0000 (20:07 -0400)]
CRL addition returns count of CRLs added

A couple more cert1/2 strings updated, plus some disambiguating rhubarb.

12 years agoInsert new JH/02 entry for the ACL clean-up
Phil Pennock [Thu, 17 May 2012 23:37:49 +0000 (19:37 -0400)]
Insert new JH/02 entry for the ACL clean-up

12 years agoDocumentation update for bug 1172.
root [Thu, 17 May 2012 23:08:30 +0000 (00:08 +0100)]
Documentation update for bug 1172.

12 years agoSupport expansion variable for hi-res timestamp (bug 1172).
Jeremy Harris [Mon, 23 Apr 2012 20:03:46 +0000 (21:03 +0100)]
Support expansion variable for hi-res timestamp (bug 1172).

12 years agofix tls_cipher memory lifetime.
Phil Pennock [Thu, 17 May 2012 21:24:36 +0000 (17:24 -0400)]
fix tls_cipher memory lifetime.

Some tests had not been updated for the new cert because they were missing an X= log-line.
Updated those tests now.

12 years agoMore GnuTLS cleanups/fixes.
Phil Pennock [Thu, 17 May 2012 20:18:34 +0000 (16:18 -0400)]
More GnuTLS cleanups/fixes.

Decided "unknown (reason)" in tls_peerdn was wrong, stripped that, added
replacement guard.

Moved cipherbuf construction to where it makes more sense, where peerdn
is extracted, so that setting the exim vars gets back closer to just
some pointer switching.

Fix missing failure check after handshake in client.

Fix tls.c tls_ungetc() and friends by pointing watermark vars at state
content.

Regenerated test-suite D-H params so we don't have too small values,
which was causing connection rejections.

Test-suite output where new test cert info is logged (there will be a
couple more, when I fix a lingering problem with tls_peerdn being unset
in client log-lines).

Give test-suite client command some --help.

12 years agoGnuTLS control constants exposed to Makefile.
Phil Pennock [Thu, 17 May 2012 18:05:06 +0000 (14:05 -0400)]
GnuTLS control constants exposed to Makefile.

Mostly care about EXIM_GNUTLS_LIBRARY_LOG_LEVEL for debugging.
If someone screams that we kept the default dh-bits at 1024 for old GnuTLS,
we can point them at EXIM_SERVER_DH_BITS_PRE2_12.  The name itself will
tell them to shut up and update their library if they care about security. :)

12 years agoCopyright year updates.
Phil Pennock [Thu, 17 May 2012 16:19:52 +0000 (12:19 -0400)]
Copyright year updates.

Updated all files modified in 2012 which contained a copyright year
already, unless the range was specified as open-ended.

vi $(git whatchanged --since=2012-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/)

12 years agognutls_require_protocols comment on 4.77 notes.
Phil Pennock [Thu, 17 May 2012 15:37:13 +0000 (11:37 -0400)]
gnutls_require_protocols comment on 4.77 notes.

12 years ago4.78 -> 4.80
Phil Pennock [Thu, 17 May 2012 15:21:54 +0000 (11:21 -0400)]
4.78 -> 4.80

12 years agoHandle absent tls_require_ciphers correctly.
Phil Pennock [Thu, 17 May 2012 15:17:20 +0000 (11:17 -0400)]
Handle absent tls_require_ciphers correctly.

Fix test-suite certs to not use MD5.
Document that we do not support MD5 certs any longer.
Make test-suite generate probably-correct gnutls-params filename for us.

12 years agoHandle TLSv1.2 in test suite.
Phil Pennock [Thu, 17 May 2012 12:16:11 +0000 (08:16 -0400)]
Handle TLSv1.2 in test suite.

Normalise TLSv1.2 to TLSv1.
Normalise AES256-GCM-SHA384 to AES256-SHA.
Make some test configs accept AES256-GCM-SHA384 in "encrypted =" ACLs.

Have test suite print final test id during abort, make it easier to track down.

12 years agoGet TLS SNI server-switching working with GnuTLS.
Phil Pennock [Thu, 17 May 2012 06:53:44 +0000 (02:53 -0400)]
Get TLS SNI server-switching working with GnuTLS.

Registering a cert/key in an x509 credentials *adds* them, and there's
no way to remove them, so we need a shiny new x509_cred each time the
key/cert change.

Since we avoid re-expanding unless tls_sni appears in tls_certificate,
we've mostly avoided the expense unless SNI is in use, and the extra
loading should be minimal, as everything should be in buffer/cache from
a few microseconds beforehand.

This code tested with GnuTLS and OpenSSL clients, without TLS
extensions, with servername, and verifying we do now get the correct
cert.

12 years agofix TLS SNI segfault case
Phil Pennock [Thu, 17 May 2012 06:15:27 +0000 (02:15 -0400)]
fix TLS SNI segfault case

Failed to notice my test config on the GnuTLS box did nothing with SNI.
Fixed segfault.  Better diagnostics.

Still not actually changing key/cert, need to investigate further

12 years agoGuards for older releases of GnuTLS.
Phil Pennock [Thu, 17 May 2012 05:32:13 +0000 (01:32 -0400)]
Guards for older releases of GnuTLS.

gnutls_sec_param_to_pk_bits() and gnutls_rnd() are both new as of
GnuTLS 2.12.x.  Guard their usage on 2.12.0+ at compile time.

In older versions, the vaguely_random_number() function just immediately
calls the fallback, so it's the same as before this change (just one
extra indirection in the code-path).

Define a constant of 1024 for dh-bits for use in those old releases
where GnuTLS won't tell us how many we should use.

Change the on-disk filename for generated D-H params again, replacing
the -normal with -<bitcount>, so that it's 1024 or whatever, and as
the value changes, Exim will automatically start using the new value.

12 years agodnsdb SPF support, from Janne Snabb
Phil Pennock [Thu, 17 May 2012 04:39:38 +0000 (00:39 -0400)]
dnsdb SPF support, from Janne Snabb

12 years agoMerge branch 'experimental_ocsp'
Phil Pennock [Wed, 16 May 2012 16:35:40 +0000 (12:35 -0400)]
Merge branch 'experimental_ocsp'

12 years agoOverhaul of GnuTLS code.
Phil Pennock [Wed, 16 May 2012 16:15:26 +0000 (12:15 -0400)]
Overhaul of GnuTLS code.

GnuTLS code re-done, using cut&paste for preservation where appropriate.

Stop using deprecated APIs.  Stop hard-coding lists of ciphers.
Use gnutls_priority_init() instead.
Turns tls_require_ciphers into a string in the GnuTLS case, not just
OpenSSL case.

Deprecate three gnutls_require_* options; now ignored but not errors.
(No warnings yet).

Added TLS SNI support.

Made the channel binding integration theoretically actually work.  I had
it guarded by an #ifdef but the value used was an enum instead.  Oops.
Fixed.

New code much more amenable to future work permitting TLS in callouts.

DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's
suddenly a lot more bits, so the saved filename was changed too.
(GNUTLS_SEC_PARAM_NORMAL).

DH param setup only done for servers now, since clients don't need/use
it.

GnuTLS a lot more robust to library negotiation using stuff we don't
support, error-ing out quickly for other authentication systems (PGP,
etc).

Renamed pseudo_random_number() to vaguely_random_number() which makes
the nature clearer.

GnuTLS now provides a vaguely_random_number() implementation, to match
OpenSSL.

Pull in <inttypes.h> to make the recent arithmetic changes compile on
MacOS.

Nuke test 2011 which related to the gnutls_require_* options now
non-functional.

12 years agoTestsuite: fix problem with parsing retry records spanning midnight.
Jeremy Harris [Mon, 14 May 2012 23:06:18 +0000 (00:06 +0100)]
Testsuite: fix problem with parsing retry records spanning midnight.

12 years agoMerge branch '64bitint'
Jeremy Harris [Sun, 13 May 2012 21:39:47 +0000 (22:39 +0100)]
Merge branch '64bitint'

12 years agoUse defines in config.h for type & scanf-patterns for eval. Update docs.
Jeremy Harris [Sun, 13 May 2012 20:04:45 +0000 (21:04 +0100)]
Use defines in config.h for type & scanf-patterns for eval.  Update docs.

12 years agotypo fix
Phil Pennock [Sun, 13 May 2012 19:30:58 +0000 (15:30 -0400)]
typo fix

12 years agoMake integer values 64bit (bug 1171).
Jeremy Harris [Mon, 23 Apr 2012 21:47:58 +0000 (22:47 +0100)]
Make integer values 64bit (bug 1171).

12 years agoTestsuite: ensure socket from wait-mode daemon test is not held open.
Jeremy Harris [Sun, 13 May 2012 15:43:02 +0000 (16:43 +0100)]
Testsuite: ensure socket from wait-mode daemon test is not held open.

12 years agoOops, missed .c change in bug 1246 fix git commit
Phil Pennock [Sun, 13 May 2012 08:18:55 +0000 (04:18 -0400)]
Oops, missed .c change in bug 1246 fix git commit

12 years agoFixed headers_only on smtp transports.
Phil Pennock [Sun, 13 May 2012 08:09:25 +0000 (04:09 -0400)]
Fixed headers_only on smtp transports.

Was not sending trailing dot.
Added test case to catch this.

fixes bug 1246.

12 years agopcre-config support.
Phil Pennock [Sat, 12 May 2012 13:11:28 +0000 (09:11 -0400)]
pcre-config support.

Remove a couple of stray references to PCRE_CFLAGS too (dating from when PCRE was bundled).

12 years agoTesting for -bw mode
Phil Pennock [Fri, 11 May 2012 10:21:17 +0000 (06:21 -0400)]
Testing for -bw mode

12 years agoTestsuite: updates for 8bitmime-as-default (Dovecot; untested).
Jeremy Harris [Thu, 10 May 2012 22:38:57 +0000 (23:38 +0100)]
Testsuite: updates for 8bitmime-as-default (Dovecot; untested).

12 years agoTestsuite: updates for 8bitmime-as-default (GnuTLS).
Jeremy Harris [Thu, 10 May 2012 21:55:58 +0000 (22:55 +0100)]
Testsuite: updates for 8bitmime-as-default (GnuTLS).

Also add Retry command to more runtest testcase-fail possibilities.

12 years agofix non-bw case, late slip not re-run by my earlier tests
Phil Pennock [Thu, 10 May 2012 05:50:47 +0000 (01:50 -0400)]
fix non-bw case, late slip not re-run by my earlier tests

12 years agoMerge branch 'master' of git://git.exim.org/exim
Jeremy Harris [Wed, 9 May 2012 17:51:31 +0000 (18:51 +0100)]
Merge branch 'master' of git://git.exim.org/exim

12 years agoFix non-TLS build. Detection and fix by Todd Lyons.
Jeremy Harris [Wed, 9 May 2012 17:50:08 +0000 (18:50 +0100)]
Fix non-TLS build.  Detection and fix by Todd Lyons.

12 years agoinetd wait mode support with -bw
Phil Pennock [Tue, 8 May 2012 21:44:36 +0000 (14:44 -0700)]
inetd wait mode support with -bw

12 years agoOCSP Stapling support, under EXPERIMENTAL_OCSP.
Phil Pennock [Tue, 8 May 2012 15:20:33 +0000 (08:20 -0700)]
OCSP Stapling support, under EXPERIMENTAL_OCSP.

OpenSSL only.

12 years agoTestsuite: updates for 8bitmime-as-default.
Jeremy Harris [Mon, 7 May 2012 14:35:14 +0000 (15:35 +0100)]
Testsuite: updates for 8bitmime-as-default.

12 years agoDefault accept_8bitmime to true.
Phil Pennock [Mon, 7 May 2012 11:03:37 +0000 (04:03 -0700)]
Default accept_8bitmime to true.

Some discussion at http://bugs.exim.org/show_bug.cgi?id=817

Refer readers to Dan Bernstein's analysis of the issues.
Consensus seen from maintainers is that DJB is right on this point.

12 years agorevert "%s" addition in em_main.c, broke %D in log_file.
Phil Pennock [Mon, 7 May 2012 10:09:37 +0000 (06:09 -0400)]
revert "%s" addition in em_main.c, broke %D in log_file.

Also added gdb support.

This leaves us with a printf warning.  We accept that as the cost of using PRINTF_FORMAT for strings that aren't libc formats.

12 years agoTestsuite: teach the fakedns zonefile generator about the ipv6 double-colon rule.
Jeremy Harris [Sun, 6 May 2012 22:12:03 +0000 (23:12 +0100)]
Testsuite: teach the fakedns zonefile generator about the ipv6 double-colon rule.

Fixes case 1003 for me (having a trailing ::).

12 years agoUnbreak build on Solaris.
Phil Pennock [Sun, 6 May 2012 13:32:53 +0000 (06:32 -0700)]
Unbreak build on Solaris.

Solaris needs -lresolv, ie $(LIBRESOLV), for anything referencing DNS.
I added _res stuff to os.c.
os.c is used by multiple tools, but of those only Exim needs the DNS functionality.
So used a !defined(COMPILE_UTILITY) guard.

12 years agoDisable SSLv2 by default. pdp/openssl_disable_ssl2
Phil Pennock [Sun, 6 May 2012 09:50:57 +0000 (02:50 -0700)]
Disable SSLv2 by default.

12 years agoDNS resolver init changes for NetBSD compatibility.
Phil Pennock [Sun, 6 May 2012 04:38:18 +0000 (21:38 -0700)]
DNS resolver init changes for NetBSD compatibility.

12 years agoFix eximon build (tls_sni)
Jeremy Harris [Sat, 5 May 2012 20:26:02 +0000 (21:26 +0100)]
Fix eximon build (tls_sni)

12 years agoMerge branch 'master' of git://git.exim.org/exim
Jeremy Harris [Sat, 5 May 2012 20:10:19 +0000 (21:10 +0100)]
Merge branch 'master' of git://git.exim.org/exim

12 years agoFix bug 1225: Accept new testsuite case output.
Jeremy Harris [Sat, 5 May 2012 19:52:41 +0000 (20:52 +0100)]
Fix bug 1225: Accept new testsuite case output.

Having looked further at the ratelimit code, the new output looks reasonable.  The obscure
values of "19" derive from testing "per-byte", being the size of the test message.

12 years agoCheck localhost_number expansion for failure.
Phil Pennock [Sat, 5 May 2012 01:22:16 +0000 (18:22 -0700)]
Check localhost_number expansion for failure.

Avoids NULL dereference.
Report and patch from Alun Jones.

Also a couple of SIZE_T_FMT sizeof() printf string fixes while I was in there.

fixes bug 1122

12 years agoNew doc section explaining TLS SNI
Phil Pennock [Fri, 4 May 2012 22:52:30 +0000 (15:52 -0700)]
New doc section explaining TLS SNI

12 years agosilence various compiler complaints; expose NVALGRIND
Phil Pennock [Fri, 4 May 2012 20:25:49 +0000 (13:25 -0700)]
silence various compiler complaints; expose NVALGRIND

12 years agofix sdop directive in filter.xfpt
Phil Pennock [Fri, 4 May 2012 20:06:38 +0000 (13:06 -0700)]
fix sdop directive in filter.xfpt

12 years agofix all sdop "line overflow" doc complaints
Phil Pennock [Fri, 4 May 2012 19:52:56 +0000 (12:52 -0700)]
fix all sdop "line overflow" doc complaints

12 years agofix example line-length, add comment (openssl_options)
Phil Pennock [Fri, 4 May 2012 19:26:21 +0000 (12:26 -0700)]
fix example line-length, add comment (openssl_options)

12 years agoDoc build bug-fix.
Phil Pennock [Fri, 4 May 2012 19:13:56 +0000 (12:13 -0700)]
Doc build bug-fix.

Had repeated .ilist instead of .next in the openssl_options value list.
Old sdop: segfault.  New sdop: memory exhaustion.
Oops!

12 years agoMore tls_sni support: outbound, logging.
Phil Pennock [Fri, 4 May 2012 15:27:09 +0000 (08:27 -0700)]
More tls_sni support: outbound, logging.

tls_sni as SMTP transport option.
Use correct storage pool for copying tls_sni, so survives for life of process.
Add +tls_sni log-selector, for inbound tls_sni.
Update exipick to handle -tls_sni in spool files.

Also reset tls_bits at start of outbound connection (was missing).

12 years agoTLS SNI support for OpenSSL ($tls_sni)
Phil Pennock [Fri, 4 May 2012 11:39:01 +0000 (04:39 -0700)]
TLS SNI support for OpenSSL ($tls_sni)

12 years agoGuard loadable module vars with LOOKUP_MODULE_DIR.
Phil Pennock [Fri, 4 May 2012 02:20:43 +0000 (19:20 -0700)]
Guard loadable module vars with LOOKUP_MODULE_DIR.

Fixes compiler complaints about unused variables.

12 years agospurious compiler warning of unused var fix
Phil Pennock [Fri, 4 May 2012 02:18:34 +0000 (19:18 -0700)]
spurious compiler warning of unused var fix

(but added check in case wrong about spuriousness)

12 years agoOpenSSL fixes and backwards compat break.
Phil Pennock [Fri, 4 May 2012 02:11:49 +0000 (19:11 -0700)]
OpenSSL fixes and backwards compat break.

Drop SSL_clear() after SSL_new() which causes protocol negotiation failures for TLS1.0 vs TLS1.1/1.2 in OpenSSL 1.0.1b.

Remove SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (+dont_insert_empty_fragments) from default of openssl_options.

12 years agoLDAP: Check for errors of TLS initialisation
Phil Pennock [Thu, 3 May 2012 10:21:31 +0000 (03:21 -0700)]
LDAP: Check for errors of TLS initialisation

Report and patch from Dmitry Banschikov.

12 years agoUpdate testsuite output files for GnuTLS version update and fixes.
Jeremy Harris [Tue, 1 May 2012 22:27:17 +0000 (23:27 +0100)]
Update testsuite output files for GnuTLS version update and fixes.

12 years agoCode refactoring in acl.c (bug 1184)
Jeremy Harris [Sun, 22 Apr 2012 21:23:42 +0000 (22:23 +0100)]
Code refactoring in acl.c (bug 1184)

Move to a table-driven approach for the parsing of "verify =".

12 years agoChange notes for bug 660.
Jeremy Harris [Fri, 27 Apr 2012 21:45:16 +0000 (22:45 +0100)]
Change notes for bug 660.

12 years agoReturn multi-values attributes from an LDAP lookup in parsable form (bug 660).
Jeremy Harris [Mon, 23 Apr 2012 20:46:03 +0000 (21:46 +0100)]
Return multi-values attributes from an LDAP lookup in parsable form (bug 660).

12 years agodocument TK's bug 1239 fix in ChangeLog
Phil Pennock [Mon, 30 Apr 2012 23:58:45 +0000 (16:58 -0700)]
document TK's bug 1239 fix in ChangeLog

12 years agoFix verification when DKIM Signatures are not inserted as tracking headers. Thanks...
Tom Kistner [Mon, 30 Apr 2012 12:37:40 +0000 (13:37 +0100)]
Fix verification when DKIM Signatures are not inserted as tracking headers. Thanks to Wolfgang Breyha for the patch! (bug 1239)

12 years agoInclude string_interpret_escape() in COMPILE_UTILITY cases.
Jeremy Harris [Sat, 28 Apr 2012 23:22:35 +0000 (00:22 +0100)]
Include string_interpret_escape() in COMPILE_UTILITY cases.

Eximon needs it, via util-spool_in.o
It needed a private hex_digits[] to avoid bringing in all of globals.c to COMPILE_UTILITY.

12 years agoinclude string_unprinting() in COMPILE_UTILITY cases.
Phil Pennock [Sat, 28 Apr 2012 21:17:24 +0000 (14:17 -0700)]
include string_unprinting() in COMPILE_UTILITY cases.

jgh debugged eximon build failure; util-spool_in.o needs it

12 years agoTLS fixes for OpenSSL.
Phil Pennock [Sat, 28 Apr 2012 13:21:02 +0000 (06:21 -0700)]
TLS fixes for OpenSSL.

Support TLS 1.1 & 1.2
New "openssl_options" values (all now documented).

Set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read or write after
TLS renegotiation, which otherwise led to messages "Got SSL error 2".

12 years agodescribe spool file changes for -tls_peerdn
Phil Pennock [Sat, 28 Apr 2012 13:04:09 +0000 (06:04 -0700)]
describe spool file changes for -tls_peerdn

12 years agoHandle \n in tls_peerdn for spool files. pdp/bug_1240
Phil Pennock [Fri, 27 Apr 2012 09:39:59 +0000 (02:39 -0700)]
Handle \n in tls_peerdn for spool files.

Fixes bug 1240.

12 years agoFix testsuite case 0373.
Jeremy Harris [Thu, 26 Apr 2012 22:00:15 +0000 (23:00 +0100)]
Fix testsuite case 0373.

The subtest does a readsocket (with 1s timeout) into a server
which closes immediately.  The expected output in the testcase was null, the output
actually seen was the error-return expansion, which seems more correct.
Accepting the actual output.

12 years agoNew testcase output from SSL library.
Jeremy Harris [Sun, 22 Apr 2012 07:23:53 +0000 (08:23 +0100)]
New testcase output from SSL library.

12 years agoAdd ACL name to debug output of condition result (bug 1238).
Jeremy Harris [Tue, 24 Apr 2012 23:25:51 +0000 (00:25 +0100)]
Add ACL name to debug output of condition result (bug 1238).

12 years agoEnsure $smtp_command is initialized before it can be expanded (bug 1182).
Jeremy Harris [Mon, 23 Apr 2012 22:57:47 +0000 (23:57 +0100)]
Ensure $smtp_command is initialized before it can be expanded (bug 1182).