Jeremy Harris [Mon, 23 Apr 2018 10:26:52 +0000 (11:26 +0100)]
DKIM: enforce limit of 20 on received DKIM-Signature: headers. Bug 2269
Phil Pennock [Sun, 22 Apr 2018 00:20:40 +0000 (20:20 -0400)]
Improve OpenSSL/GnuTLS; enable DNSSEC for non-smarthost
Jeremy Harris [Sat, 21 Apr 2018 22:59:46 +0000 (23:59 +0100)]
Docs: clarify DKIM verification
Phil Pennock [Sat, 21 Apr 2018 00:05:53 +0000 (20:05 -0400)]
TLS by default for example smarthost SMTP Transport
And _decent_ TLS at that, with verification.
Jeremy Harris [Wed, 18 Apr 2018 22:43:30 +0000 (23:43 +0100)]
Testsuite: output changes arising.
Broken-by: 0e8aed8aab
Jeremy Harris [Wed, 18 Apr 2018 22:28:26 +0000 (23:28 +0100)]
ACL: reword error message for ratelimit. Bug 2267
Jeremy Harris [Wed, 18 Apr 2018 22:27:15 +0000 (23:27 +0100)]
Docs: rewrite description of 'leaky' ratelimit. Bug 1298
Heiko Schlittermann (HS12-RIPE) [Wed, 18 Apr 2018 15:20:58 +0000 (17:20 +0200)]
Fix spec
Thanks to Mike Brudenell
Jeremy Harris [Tue, 17 Apr 2018 19:30:22 +0000 (20:30 +0100)]
Compile warning defaults for OpenBSD, at request of the port maintainer
Jeremy Harris [Mon, 16 Apr 2018 18:20:21 +0000 (19:20 +0100)]
tidying
Phil Pennock [Mon, 16 Apr 2018 19:24:34 +0000 (15:24 -0400)]
Belated README.UPDATING notes for Exim 4.91
People skip versions and move past them later, so while it's too late
for 4.91, this will still help people moving to 4.92 from pre-4.91 in
future.
Note that none of these strictly needed to be documented here:
experimental features, features marked as deprecated for many many
years, etc. But let's err on the side of caution and include "things
which will break if you try to upgrade without changing Local/Makefile".
Jeremy Harris [Mon, 16 Apr 2018 17:45:04 +0000 (18:45 +0100)]
Fix OpenSSL non-OCSP build
Jeremy Harris [Mon, 16 Apr 2018 13:23:30 +0000 (14:23 +0100)]
Fix merge artifacts
Jeremy Harris [Mon, 16 Apr 2018 10:21:33 +0000 (11:21 +0100)]
Testsuite: output changes arising
Broken-by: 777e3beace
Jeremy Harris [Mon, 16 Apr 2018 08:15:17 +0000 (09:15 +0100)]
Fix typo in arc. Bug 2262
Phil Pennock [Sun, 15 Apr 2018 21:45:48 +0000 (17:45 -0400)]
Enable weak/old stuff in OpenSSL
Configure OpenSSL with:
enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers
Include explanation as to why.
Jeremy Harris [Sun, 15 Apr 2018 21:03:45 +0000 (22:03 +0100)]
Testsuite: syslog testcase
Jeremy Harris [Sun, 15 Apr 2018 16:50:14 +0000 (17:50 +0100)]
Merge branch '4.next'
Jeremy Harris [Fri, 13 Apr 2018 16:17:37 +0000 (17:17 +0100)]
Tidy logging code
Jeremy Harris [Sat, 7 Apr 2018 19:58:14 +0000 (20:58 +0100)]
Clear more globals between messages
Jeremy Harris [Wed, 4 Apr 2018 15:15:22 +0000 (16:15 +0100)]
Add client-ip info to iprev ${authres } line
Jeremy Harris [Wed, 4 Apr 2018 10:10:56 +0000 (11:10 +0100)]
ARC: add optional x= tag to signing
Jeremy Harris [Tue, 3 Apr 2018 23:22:49 +0000 (00:22 +0100)]
ARC: add optional t= tags to signing
Jeremy Harris [Fri, 30 Mar 2018 21:54:55 +0000 (22:54 +0100)]
Avoid doing logging in signal-handlers. Bug 1007
Jeremy Harris [Sun, 15 Apr 2018 15:29:46 +0000 (16:29 +0100)]
Docs: clean for next release
Jeremy Harris [Sat, 14 Apr 2018 23:18:10 +0000 (00:18 +0100)]
Testsuite: tidyup after myslq testing
Jeremy Harris [Sat, 14 Apr 2018 22:31:05 +0000 (23:31 +0100)]
Logging: fix syslog logging for syslog_timestamp=no and log_selector +millisec
also syslog_pid=no and log_selector +pid
Jeremy Harris [Fri, 13 Apr 2018 16:02:15 +0000 (17:02 +0100)]
Docs: typo
Jeremy Harris [Fri, 13 Apr 2018 16:17:37 +0000 (17:17 +0100)]
Logging: fix syslog logging for syslog_timestamp=no and log_selector +millisec
Phil Pennock [Fri, 13 Apr 2018 22:51:23 +0000 (18:51 -0400)]
DKIM downgrade example again; this time debugged
As well as previous commit's `len_3` -> `length_3`, we were missing
braces around the expansion operator, resulting in trying to dereference
an unknown variable `$length_3`, and we were missing the outer braces
from the `or` expansion condition.
We really need a better way to test ACL expansion without a full harness. :(
This bug-fixed version is now running on my system.
Phil Pennock [Fri, 13 Apr 2018 22:35:20 +0000 (18:35 -0400)]
Fix length expansion operator in DKIM downgrade example
Jeremy Harris [Fri, 13 Apr 2018 10:51:50 +0000 (11:51 +0100)]
DKIM: add support for the SubjectPublicKeyInfo wrapped form of pubkey
Jeremy Harris [Thu, 12 Apr 2018 15:55:42 +0000 (16:55 +0100)]
Docs: add known broken-version info for OpenSSL behavior
Phil Pennock [Thu, 12 Apr 2018 02:04:28 +0000 (22:04 -0400)]
Mention MTA-STS in DANE context; nit fixes
Did an audit of text changed since commit
6aa6fc9c5 to look for issues
which stood out, fixed those. Spelling mistakes, markup issues, minor
grammatical infelicities.
The public/private CA stuff in the DANE text might push people away from
public CAs, but the existence of MTA-STS means that one of those is
probably the best choice. Mention what exim.org does, to provide
slightly firmer guidance without pressure.
List the `dkim_hash` values, `sha512` appears to be new since that text
was last touched.
Phil Pennock [Thu, 12 Apr 2018 01:06:54 +0000 (21:06 -0400)]
Doc: website updates and so forth
I've added <https://downloads.exim.org/> as a new vhost which doesn't
reference FTP and loses the `/pub/exim` prefix.
Fixed various other outdated claims and documented Jeremy's PGP key as
the main key for releases, with mine (Phil's) and Heiko's as fallbacks.
Mention the `.xz` files.
Phil Pennock [Mon, 9 Apr 2018 21:52:19 +0000 (17:52 -0400)]
Add `receive_time` to list of log_selector values
Phil Pennock [Mon, 9 Apr 2018 21:49:57 +0000 (17:49 -0400)]
bugfix: heimdal interaction, check length
clang noted that taking the address of a struct member will never be 0,
so checking against 0 was wrong. It was a `.length` member. I've
compiled RC4 with this change and deployed it to my box and I can still
authenticate fine.
Jeremy Harris [Mon, 9 Apr 2018 14:08:34 +0000 (15:08 +0100)]
ARC: fix signing when DKIM-signing is also being done
The ordering of headers being signed was wrong when a message
being forwarded arrived with a dkim signature
Jeremy Harris [Mon, 9 Apr 2018 10:19:47 +0000 (11:19 +0100)]
DMARC: fix history file
Too many variables were being cleared between connections
Broken-by: c780096c29 4.91 RC2
Phil Pennock [Mon, 9 Apr 2018 03:46:26 +0000 (23:46 -0400)]
Better(?!?) fallback for stat: Perl
We use Perl extensively in other scripts.
*sigh*
Phil Pennock [Mon, 9 Apr 2018 02:43:36 +0000 (22:43 -0400)]
stat portability
I forgot how much I loathe basic stuff like "get the size of a file,
portably, in shell". Bleh.
Phil Pennock [Mon, 9 Apr 2018 02:28:56 +0000 (22:28 -0400)]
Added util/renew-opendmarc-tlds.sh script to renew PSL
Jeremy Harris [Sun, 8 Apr 2018 21:45:39 +0000 (22:45 +0100)]
OpenSSL: Revert the disabling of the session-cache. Bug 2255
Session cacheing is never useful, as we use a new context for every TLS startup.
However, removing the support triggers odd behaviour from Outlook Express (only
when there is an IMAP server on the same machine as Exim): an initial connect
from the OE client fails, the immediate retry works.
Jeremy Harris [Sat, 7 Apr 2018 21:44:39 +0000 (22:44 +0100)]
ARC: fix verify to not evaluate the top AMS twice
Jeremy Harris [Sat, 7 Apr 2018 19:58:14 +0000 (20:58 +0100)]
Clear more globals between messages
Jeremy Harris [Fri, 6 Apr 2018 09:48:00 +0000 (10:48 +0100)]
Logging: fix DKIM precis received log line element.
Broken-by: 2c47372fad
Heiko Schlittermann (HS12-RIPE) [Wed, 4 Apr 2018 19:39:36 +0000 (21:39 +0200)]
compiler quietening
Jeremy Harris [Wed, 4 Apr 2018 15:15:22 +0000 (16:15 +0100)]
Add client-ip info to iprev ${authres } line
Jeremy Harris [Wed, 4 Apr 2018 11:38:38 +0000 (12:38 +0100)]
compiler quietening
Graeme Fowler [Wed, 4 Apr 2018 10:30:21 +0000 (11:30 +0100)]
Actually reap node2 process in redis cluster test
Jeremy Harris [Wed, 4 Apr 2018 10:10:56 +0000 (11:10 +0100)]
ARC: add optional x= tag to signing
Jeremy Harris [Fri, 30 Mar 2018 23:24:28 +0000 (00:24 +0100)]
local_scan: add note on Makefile requirement
Jeremy Harris [Tue, 3 Apr 2018 23:22:49 +0000 (00:22 +0100)]
ARC: add optional t= tags to signing
Jeremy Harris [Wed, 28 Mar 2018 13:15:23 +0000 (14:15 +0100)]
ARC: log signing-spec errors in mainlog only, not paniclog
Jeremy Harris [Tue, 27 Mar 2018 21:01:03 +0000 (22:01 +0100)]
ARC: enhance debug for signing; explicitly init signing context
Jeremy Harris [Mon, 26 Mar 2018 17:44:33 +0000 (18:44 +0100)]
Fix non-ARC build
Jeremy Harris [Mon, 26 Mar 2018 16:30:47 +0000 (17:30 +0100)]
ARC: add guard in verify against lack of the dkim-verify context
needed for body-hashing
Jeremy Harris [Mon, 26 Mar 2018 14:59:25 +0000 (15:59 +0100)]
ARC: cutthrough delivery may not be used with ARC signing
Jeremy Harris [Mon, 26 Mar 2018 14:53:49 +0000 (15:53 +0100)]
Cutthrough: enforce non-use in combination with DKIM signing or transport filter
Broken-by: 02b41d7106
Phil Pennock [Mon, 26 Mar 2018 16:24:48 +0000 (12:24 -0400)]
Add ARC signing caveats
Jeremy Harris [Sat, 24 Mar 2018 13:53:50 +0000 (13:53 +0000)]
ARC: give more detail with "bad signing-spec" message
Jeremy Harris [Fri, 23 Mar 2018 16:45:03 +0000 (16:45 +0000)]
ARC: For signing, accept A-R header lacking ARC info as equivalent to "none"
Jeremy Harris [Fri, 23 Mar 2018 11:06:35 +0000 (11:06 +0000)]
ARC: add independent-source testcase. Fix signatures by not line-terminating
last header line being hashed.
Jeremy Harris [Tue, 20 Mar 2018 22:11:24 +0000 (22:11 +0000)]
ARC: AS header should have no c= tag
Jeremy Harris [Tue, 20 Mar 2018 19:58:00 +0000 (19:58 +0000)]
ARC: on the smtp transport option take empty or forced-fail to disable signing
Heiko Schlittermann (HS12-RIPE) [Mon, 2 Apr 2018 20:11:57 +0000 (22:11 +0200)]
Avast: rework interface
Heiko Schlittermann (HS12-RIPE) [Mon, 2 Apr 2018 15:39:39 +0000 (17:39 +0200)]
Avast: implement pass_unscanned option
Heiko Schlittermann (HS12-RIPE) [Fri, 30 Mar 2018 22:06:47 +0000 (00:06 +0200)]
Avast: improve compliance with avast-protocol(5)
Treat scanner errors as malware. Defer on scanner tmpfail
only.
Jeremy Harris [Sat, 31 Mar 2018 13:23:31 +0000 (14:23 +0100)]
Testsuite: ignore config-optional -bP output
Jeremy Harris [Sat, 31 Mar 2018 13:21:36 +0000 (14:21 +0100)]
Testsuite: output changes arising
Jeremy Harris [Fri, 30 Mar 2018 23:07:55 +0000 (00:07 +0100)]
Docs: tidy the ChangeLog file
Phil Pennock [Sat, 31 Mar 2018 02:28:20 +0000 (22:28 -0400)]
Merge branch 'dane_require_tls_ciphers'
New SMTP Transport option for simplified improved security for DANE.
Jeremy Harris [Fri, 30 Mar 2018 21:54:55 +0000 (22:54 +0100)]
Avoid doing logging in signal-handlers. Bug 1007
Jeremy Harris [Fri, 30 Mar 2018 16:36:30 +0000 (17:36 +0100)]
Testsuite: avoid ipv6 use in dane_require_tls_ciphers testcases
Jeremy Harris [Fri, 30 Mar 2018 16:36:30 +0000 (17:36 +0100)]
Testsuite: avoid ipv6 use in dane_require_tls_ciphers testcases
Jeremy Harris [Fri, 30 Mar 2018 15:08:56 +0000 (16:08 +0100)]
DANE: smtp transport option dane_require_tls_ciphers
Jeremy Harris [Fri, 30 Mar 2018 14:50:35 +0000 (15:50 +0100)]
Testcases for dane_require_tls_ciphers
Phil Pennock [Thu, 29 Mar 2018 03:01:34 +0000 (23:01 -0400)]
Implement dane_require_tls_ciphers (theoretically)
It compiles with OpenSSL, on Darwin (if restore Darwin OS).
It doesn't crash immediately, but more testing is needed from a place
where port 25 is not just blocked.
Phil Pennock [Thu, 29 Mar 2018 01:41:20 +0000 (21:41 -0400)]
Document new dane_require_tls_ciphers
Haven't written the code yet, but writing the docs first helped me
affirm that this makes sense and feels clean. Code in next commit.
Jeremy Harris [Wed, 28 Mar 2018 13:15:23 +0000 (14:15 +0100)]
ARC: log signing-spec errors in mainlog only, not paniclog
Jeremy Harris [Tue, 27 Mar 2018 21:01:03 +0000 (22:01 +0100)]
ARC: enhance debug for signing; explicitly init signing context
Jeremy Harris [Mon, 26 Mar 2018 17:44:33 +0000 (18:44 +0100)]
Fix non-ARC build
Jeremy Harris [Mon, 26 Mar 2018 16:30:47 +0000 (17:30 +0100)]
ARC: add guard in verify against lack of the dkim-verify context
needed for body-hashing
Jeremy Harris [Mon, 26 Mar 2018 15:59:29 +0000 (16:59 +0100)]
Cutthrough: for an onward finaldot timeout, generate an initator 450 in defer=pass mode
Jeremy Harris [Mon, 26 Mar 2018 14:59:25 +0000 (15:59 +0100)]
ARC: cutthrough delivery may not be used with ARC signing
Jeremy Harris [Mon, 26 Mar 2018 14:53:49 +0000 (15:53 +0100)]
Cutthrough: enforce non-use in combination with DKIM signing or transport filter
Broken-by: 02b41d7106
Phil Pennock [Mon, 26 Mar 2018 16:24:48 +0000 (12:24 -0400)]
Add ARC signing caveats
Jeremy Harris [Mon, 26 Mar 2018 12:49:52 +0000 (13:49 +0100)]
SPF: remove the deprecated "err_temp" and "err_perm" result names
Jeremy Harris [Mon, 26 Mar 2018 12:30:13 +0000 (13:30 +0100)]
DKIM: document proper
Ed25519 key-generation methods; remove helper program
Jeremy Harris [Mon, 26 Mar 2018 11:23:59 +0000 (12:23 +0100)]
Expand directory opetion for queuefile transport
Jeremy Harris [Mon, 26 Mar 2018 11:20:50 +0000 (12:20 +0100)]
Remove extraneus line - benign but pointless.
Broken-by: 9e70917d0a
Jeremy Harris [Sun, 25 Mar 2018 16:14:41 +0000 (17:14 +0100)]
Testsuite: for SPF tests, avoid using the ipv4 address
Jeremy Harris [Sun, 25 Mar 2018 15:42:34 +0000 (16:42 +0100)]
Add non-mtp source info to ${authres }
Jeremy Harris [Sun, 25 Mar 2018 13:08:36 +0000 (14:08 +0100)]
DKIM: document generation of RSA keys
Jeremy Harris [Sat, 24 Mar 2018 23:35:00 +0000 (23:35 +0000)]
DKIM: document
Ed25519 private key generation under OpenSSL (1.1.1+)
Jeremy Harris [Sat, 24 Mar 2018 15:19:27 +0000 (15:19 +0000)]
DKIM: move ed25519_privkey_pem_to_pubkey_raw_b64 to src/util/ and add usage notes to docs
Jeremy Harris [Sat, 24 Mar 2018 18:38:15 +0000 (18:38 +0000)]
Docs: more on ${authresults }
Jeremy Harris [Sat, 24 Mar 2018 13:53:50 +0000 (13:53 +0000)]
ARC: give more detail with "bad signing-spec" message
Jeremy Harris [Sat, 24 Mar 2018 13:43:01 +0000 (13:43 +0000)]
Mark variables that are unused before release of store in the queue-list loop
Phil Pennock [Fri, 23 Mar 2018 22:34:21 +0000 (18:34 -0400)]
Address jgh notes re OpenSSL
* `/usr/local` is fair, on Linux, but I deliberately picked something
specific to OpenSSL to make the context clear and limit bad
interactions with other locally-installed software.
* `RPATH` and `RUNPATH` are not the same and are deeply twisty in their
interactions.
<https://blog.qt.io/blog/2011/10/28/rpath-and-runpath/> is a decent
summary.