Phil Pennock [Sun, 24 Jun 2012 09:55:29 +0000 (02:55 -0700)]
Add gnutls_enable_pkcs11 option.
GnuTLS 2.12.0 adds PKCS11 support using p11-kit and by default will
autoload modules, which interoperates badly with GNOME keyring
integration, configured via paths in environment variables, and Exim
invoked by the user (eg, mailq) will then try to load the modules, fail
and spew warnings from the module for a library loaded by a library.
http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs
documents that to prevent this, explicitly init PKCS11 before calling
gnutls_global_init(). So we do so, unless the admin sets the new
option.
Reported by Andreas Metzler, who confirmed that the added calls fixed
the problem for him.
Jeremy Harris [Tue, 12 Jun 2012 20:43:58 +0000 (21:43 +0100)]
Merge branch 'lists'
Jeremy Harris [Tue, 12 Jun 2012 20:41:05 +0000 (21:41 +0100)]
Change names to "listnamed" and "listcount".
Jeremy Harris [Sun, 10 Jun 2012 16:53:01 +0000 (17:53 +0100)]
Add ${list:name} and ${nlist:string} expansion operators.
Nigel Metheringham [Sat, 9 Jun 2012 20:23:57 +0000 (21:23 +0100)]
Corrections to spec examples - fixes bug 1196
Nigel Metheringham [Sat, 9 Jun 2012 20:16:02 +0000 (21:16 +0100)]
Typo fix in spec - fixes bug 1197
Phil Pennock [Thu, 7 Jun 2012 17:25:37 +0000 (13:25 -0400)]
Packagers: Debian
Phil Pennock [Thu, 7 Jun 2012 17:08:35 +0000 (13:08 -0400)]
Expand $sender_host_dnssec and add vtype_bool
Phil Pennock [Thu, 7 Jun 2012 17:08:05 +0000 (13:08 -0400)]
Unbreak EXPERIMENTAL_OCSP after TLS cutthrough
Phil Pennock [Wed, 6 Jun 2012 23:51:44 +0000 (19:51 -0400)]
BUGFIX: forced-fail smtp option tls_sni would dereference NULL
Phil Pennock [Wed, 6 Jun 2012 23:46:40 +0000 (19:46 -0400)]
BUGFIX: forced-fail smtp option tls_sni would dereference NULL
Phil Pennock [Wed, 6 Jun 2012 18:13:34 +0000 (14:13 -0400)]
LLONG_MIN example in os.h-Linux
Todd Lyons [Wed, 6 Jun 2012 15:05:28 +0000 (08:05 -0700)]
Ignore files left over from patch program
Jeremy Harris [Tue, 5 Jun 2012 19:50:30 +0000 (20:50 +0100)]
Testsuite: add per-testcase munge facility; use for dnssec and gnutls.
Jeremy Harris [Tue, 5 Jun 2012 15:33:47 +0000 (16:33 +0100)]
Docs for "G" modifier on numbers in ${if comparisons.
Jeremy Harris [Tue, 5 Jun 2012 15:16:40 +0000 (16:16 +0100)]
Support "G" modifier on numbers in ${if comparisons.
Jeremy Harris [Mon, 4 Jun 2012 21:32:32 +0000 (22:32 +0100)]
Basic documentation for cutthrough.
Jeremy Harris [Mon, 4 Jun 2012 16:48:52 +0000 (17:48 +0100)]
Add $tls_in_* variables; note the old names as deprecated.
Jeremy Harris [Mon, 4 Jun 2012 13:54:13 +0000 (14:54 +0100)]
Add hosts_verify_avoid_tls option to smtp transport.
Jeremy Harris [Mon, 4 Jun 2012 12:36:19 +0000 (13:36 +0100)]
Fix post-rebase merge issues.
Jeremy Harris [Tue, 15 May 2012 23:22:01 +0000 (00:22 +0100)]
Split out OpenSSL and GnuTLS versions of tests.
Jeremy Harris [Tue, 15 May 2012 21:51:53 +0000 (22:51 +0100)]
Change use of $tls_cipher in client context to $tls_out_cipher.
Jeremy Harris [Tue, 15 May 2012 21:39:27 +0000 (22:39 +0100)]
Fix bug verifying certs on dual-tls.
Jeremy Harris [Fri, 11 May 2012 20:46:57 +0000 (21:46 +0100)]
Support transport hosts_avoid_tls for cutthrough.
Jeremy Harris [Mon, 7 May 2012 20:15:33 +0000 (21:15 +0100)]
Add testcase for callout fallback from ESMTP to SMTP.
Jeremy Harris [Mon, 7 May 2012 17:24:16 +0000 (18:24 +0100)]
Better debug.
Jeremy Harris [Mon, 7 May 2012 16:06:00 +0000 (17:06 +0100)]
Fix testsuite cases affected by 8bitmime-as-default.
Jeremy Harris [Sun, 6 May 2012 17:53:34 +0000 (18:53 +0100)]
Fix tls variables order, and testsuite case 5401 (cutthrough) for changes that went in with dual-tls.
Jeremy Harris [Sun, 6 May 2012 16:12:31 +0000 (17:12 +0100)]
Deal explicitly with attempt to callout via null transport; fixes crash.
Jeremy Harris [Tue, 1 May 2012 19:12:36 +0000 (20:12 +0100)]
Fixup testsuite cases affected by dual-tls - mainly EHLO on callouts.
Jeremy Harris [Sun, 29 Apr 2012 20:02:27 +0000 (21:02 +0100)]
Dual-tls - split management of TLS into in- and out-bound connection-handling.
Enables concurrent use from a single process, and thereby use for cutthrough delivery.
As a side-effect EHLO and TLS use for verify callouts introduced.
This was a manual import from elsewhere and is known to fail the test-suite.
Jeremy Harris [Sun, 29 Apr 2012 17:22:56 +0000 (18:22 +0100)]
Testsuite cases for basic cutthrough_delivery.
Also fixed bug where a predata acl was required for cutthrough.
Jeremy Harris [Thu, 26 Apr 2012 22:59:34 +0000 (23:59 +0100)]
Basic cutthrough delivery.
Todd Lyons [Mon, 4 Jun 2012 13:03:18 +0000 (06:03 -0700)]
Test for proper parsing of optional MAIL FROM args.
Todd Lyons [Tue, 29 May 2012 13:07:42 +0000 (06:07 -0700)]
Refactor optional MAIL FROM args
Todd Lyons [Mon, 4 Jun 2012 13:05:29 +0000 (06:05 -0700)]
Test system - parse ipv6 addresses with no :: in them.
Jeremy Harris [Mon, 4 Jun 2012 12:14:28 +0000 (13:14 +0100)]
Remove extraneous #ifndef guards from config.h.default
Phil Pennock [Mon, 4 Jun 2012 00:27:59 +0000 (20:27 -0400)]
Implement -G => "control=suppress_local_fixups"
fixes bug 1117
Phil Pennock [Sun, 3 Jun 2012 22:46:58 +0000 (18:46 -0400)]
Cmdline -L option; also -Ac -Am -X<logfile>
These are for Sendmail compatibility.
bug 1117
Phil Pennock [Sun, 3 Jun 2012 17:27:20 +0000 (13:27 -0400)]
ChangeLog: note cyrus plugin use situation
Phil Pennock [Sun, 3 Jun 2012 17:18:03 +0000 (13:18 -0400)]
Cyrus SASL: set host;port properties on auth driver
Phil Pennock [Sun, 3 Jun 2012 17:04:54 +0000 (13:04 -0400)]
copyright year
Phil Pennock [Sun, 3 Jun 2012 13:42:50 +0000 (09:42 -0400)]
DSCP: inbound via control = dscp/<value>
Phil Pennock [Sat, 2 Jun 2012 21:43:19 +0000 (17:43 -0400)]
Docs: pipes in redirect, need for quote caution
Phil Pennock [Sat, 2 Jun 2012 21:19:32 +0000 (17:19 -0400)]
Christof Meerwald (for patches in bug 1095)
Phil Pennock [Sat, 2 Jun 2012 18:45:26 +0000 (14:45 -0400)]
DSCP: take numeric values too.
Also fix doc claim that value is unexpanded.
Also strip affix whitespace before numeric conversion and fixed string comparison.
Phil Pennock [Sat, 2 Jun 2012 14:41:41 +0000 (10:41 -0400)]
FreeBSD is ELF and has been for a long time
Phil Pennock [Sat, 2 Jun 2012 13:10:44 +0000 (09:10 -0400)]
DSCP: document; hex print; -bI:dscp
Phil Pennock [Fri, 1 Jun 2012 16:05:42 +0000 (12:05 -0400)]
DSCP support, tentative
Phil Pennock [Fri, 1 Jun 2012 14:15:14 +0000 (10:15 -0400)]
DNSSEC babystep: dns_use_dnssec & $sender_host_dnssec
Phil Pennock [Fri, 1 Jun 2012 12:30:06 +0000 (08:30 -0400)]
improve PH entry, per Bill Hacker's suggestion
Phil Pennock [Fri, 1 Jun 2012 11:49:05 +0000 (07:49 -0400)]
ACKNOWLEDGEMENTS update, covering a few years
Phil Pennock [Fri, 1 Jun 2012 09:52:31 +0000 (05:52 -0400)]
tls_dh_min_bits smtp transport option
Could not find an API for use with OpenSSL, so GnuTLS only
Phil Pennock [Fri, 1 Jun 2012 08:29:39 +0000 (04:29 -0400)]
Make -n combine with -bP to inhibit names
Phil Pennock [Fri, 1 Jun 2012 07:37:26 +0000 (03:37 -0400)]
Add -bI:help and -bI:sieve
Phil Pennock [Thu, 31 May 2012 10:29:28 +0000 (06:29 -0400)]
Doc: drop .new/.wen, update previousversion.
Also, drop fix one place which claimed TLS SNI support was OpenSSL only.
Phil Pennock [Thu, 31 May 2012 00:40:15 +0000 (20:40 -0400)]
Revert "Lower EXIM_CLIENT_DH_MIN_BITS 1024 -> 512."
This reverts commit
83f4c7515f3eb06dc070e78edd2694c1d088e5fd.
This was not a new check! The call to gnutls_dh_set_prime_bits() was
made with DH_BITS in Exim 4.77, so the only difference is that now an
administrator can choose at compile time to change the lower bound.
So keeping this at 1024 is not a regression and if we can't talk to them
now, we couldn't before, and we shouldn't lower security by default.
The reverted commit was only acceptable IF it was still better than what
we had in Exim 4.77.
Phil Pennock [Wed, 30 May 2012 23:38:20 +0000 (19:38 -0400)]
Lower EXIM_CLIENT_DH_MIN_BITS 1024 -> 512.
Wolfgang Breyha saw a real-world site using 768 bits.
Phil Pennock [Mon, 28 May 2012 05:11:48 +0000 (01:11 -0400)]
Merge openssl_disable_ssl2 branch
Phil Pennock [Sun, 27 May 2012 16:21:37 +0000 (12:21 -0400)]
typo fix: "overriden" -> "overridden" from Andreas Metzler
Phil Pennock [Sun, 27 May 2012 16:12:31 +0000 (12:12 -0400)]
release: don't try to sign .tar.lz files
Jeremy Harris [Sun, 27 May 2012 15:50:39 +0000 (16:50 +0100)]
Test: update for new tls_dhparam (suite used on Scientific Linux 6 test host).
Phil Pennock [Sun, 27 May 2012 15:02:01 +0000 (11:02 -0400)]
Doc: fix glitch
Phil Pennock [Sun, 27 May 2012 14:57:32 +0000 (10:57 -0400)]
Test: update for new tls_dhparam
Phil Pennock [Sun, 27 May 2012 14:02:12 +0000 (10:02 -0400)]
Doc: SECTgnutlsparam referencing tls_dhparam
Phil Pennock [Sun, 27 May 2012 13:14:39 +0000 (09:14 -0400)]
For DH, use standard primes from RFCs
Phil Pennock [Sun, 27 May 2012 05:34:36 +0000 (01:34 -0400)]
">" -> ">=" for EXIM_CLIENT_DH_MIN_BITS+10
Phil Pennock [Sun, 27 May 2012 05:17:04 +0000 (01:17 -0400)]
Deal with GnuTLS DH generation overshoot
Phil Pennock [Sun, 27 May 2012 03:42:50 +0000 (23:42 -0400)]
FAQ for GnuTLS
Phil Pennock [Sun, 27 May 2012 00:18:31 +0000 (20:18 -0400)]
teach sprint_vformat() size_t z modifier (jgh)
Jeremy wrote this, mostly; I just fixed up a comment and pedantically numbered the enum values
Phil Pennock [Sun, 27 May 2012 00:10:40 +0000 (20:10 -0400)]
fix size param for gnutls_dh_params_export_pkcs3() again
Todd Lyons [Fri, 25 May 2012 16:19:36 +0000 (09:19 -0700)]
Ignore vim swap files and test/* temporary files/dirs
Phil Pennock [Fri, 25 May 2012 14:57:25 +0000 (10:57 -0400)]
release: no .lz by default for now
Phil Pennock [Fri, 25 May 2012 14:29:06 +0000 (10:29 -0400)]
Doc: Provide context for bare numbers from CHAP/SECT.
Phil Pennock [Fri, 25 May 2012 09:01:39 +0000 (05:01 -0400)]
Cyrus SASL auth: SSF retrieval was incorrect.
Exim thought protection layer was required, which is not implemented.
Patch from Wolfgang Breyha.
Fixes bug 1254
Phil Pennock [Fri, 25 May 2012 08:05:17 +0000 (04:05 -0400)]
It's 2012, not 1012. Noted by Jay Rouman
Nigel Metheringham [Thu, 24 May 2012 15:45:12 +0000 (16:45 +0100)]
Added some more .gitignore entries
Ignore more build side effects
Nigel Metheringham [Thu, 24 May 2012 15:40:42 +0000 (16:40 +0100)]
Moved pdkim declaration to satisfy older compilers
As suggested by Dennis Davis to fix an error with gcc 2.95.2
which threw the following error:-
gcc pdkim.c
pdkim.c: In function `pdkim_feed_finish':
pdkim.c:1389: parse error before `*'
pdkim.c:1390: `hdrs' undeclared (first use in this function)
pdkim.c:1390: (Each undeclared identifier is reported only once
pdkim.c:1390: for each function it appears in.)
gmake[2]: *** [pdkim.o] Error 1
See https://lists.exim.org/lurker/message/
20120524.094800.
89928246.en.html
Phil Pennock [Thu, 24 May 2012 06:12:53 +0000 (02:12 -0400)]
ReleaseTools: support .lz lzip archives
Phil Pennock [Thu, 24 May 2012 03:43:20 +0000 (23:43 -0400)]
_ISOC99_SOURCE -> _GNU_SOURCE
_ISOC99_SOURCE broke build on Linux (Ubuntu 11.10) because it broke <resolv.h>, <arpa/nameser.h>, etc.
Their u_char and u_int usage relies upon BSD source being enabled too. So use _GNU_SOURCE.
Phil Pennock [Thu, 24 May 2012 03:27:44 +0000 (23:27 -0400)]
Define _ISOC99_SOURCE in exim.h
Done before os.h is pulled in so an OS can override it.
Phil Pennock [Wed, 23 May 2012 19:03:21 +0000 (15:03 -0400)]
Doc: move -bmalware into alphabetic place
Phil Pennock [Wed, 23 May 2012 17:02:52 +0000 (13:02 -0400)]
Doc: s/DNS/domains/ in new text
Phil Pennock [Wed, 23 May 2012 16:58:18 +0000 (12:58 -0400)]
Doc: document when dnslookup will decline
Phil Pennock [Wed, 23 May 2012 16:25:16 +0000 (12:25 -0400)]
Doc: tls_require_ciphers examples
Note how to test strings, provide examples which distinguish port 25 from other ports.
Carefully used short examples, but allows two different strings per implementation
and demonstrates how the strings are very different.
Todd Lyons [Wed, 23 May 2012 13:35:31 +0000 (06:35 -0700)]
Manually control locale, setting to "C" in runtest script.
Fixes the output of 'ls' command to a standard format (test 345).
Phil Pennock [Wed, 23 May 2012 05:20:09 +0000 (01:20 -0400)]
expanded comment, noting size types and API issue
Phil Pennock [Wed, 23 May 2012 00:12:35 +0000 (20:12 -0400)]
README.UPDATING: emphasise more the LDAP issue
Phil Pennock [Tue, 22 May 2012 13:06:24 +0000 (09:06 -0400)]
OCSP description: minor nits
Phil Pennock [Tue, 22 May 2012 02:14:18 +0000 (22:14 -0400)]
Enable PCRE_CONFIG by default
With this, src/EDITME as Local/Makefile *only* needs EXIM_USER to be
set and EXIM_MONITOR commented out for Exim to build on my box.
I think this is a reasonable default; if there are releases of PCRE which
do not include pcre-config, then on those boxes a slight change will be
needed, but only where the file was already having to be edited anyway.
Phil Pennock [Tue, 22 May 2012 01:58:00 +0000 (21:58 -0400)]
Guard SNI usage better (client-side)
Jeremy Harris [Mon, 21 May 2012 21:16:00 +0000 (22:16 +0100)]
Testsuite: more robust fix for SHELL vs /bin/sh, take two.
Jeremy Harris [Mon, 21 May 2012 19:36:42 +0000 (20:36 +0100)]
Revert "Testsuite: more robust fix for SHELL vs /bin/sh"
This reverts commit
8dedb69a41c30fd82ab6e084fe567f7ee7aaa562.
Kills testcase 0137.
Jeremy Harris [Mon, 21 May 2012 18:51:21 +0000 (19:51 +0100)]
Testsuite: more robust fix for SHELL vs /bin/sh
Phil Pennock [Mon, 21 May 2012 10:49:54 +0000 (06:49 -0400)]
OpenBSD compat, DNS resolver library
Report and point to fix from Dennis Davis.
Phil Pennock [Mon, 21 May 2012 10:33:08 +0000 (06:33 -0400)]
Update binary's copyright message.
Rough text per suggestion from Tony.
Amended ACKNOWLEDGEMENTS briefly, but need to actually add people. Like, er, me.
Phil Pennock [Mon, 21 May 2012 09:54:50 +0000 (05:54 -0400)]
avoid NUL in dh params file
gnutls_dh_params_export_pkcs3() returns 2 different sizes.
NUL observed by Janne Snabb
Phil Pennock [Mon, 21 May 2012 04:32:11 +0000 (00:32 -0400)]
.end -> .wen
Phil Pennock [Mon, 21 May 2012 04:29:25 +0000 (00:29 -0400)]
Add tls_dh_max_bits to OptionLists.txt
Phil Pennock [Mon, 21 May 2012 04:20:37 +0000 (00:20 -0400)]
features.h; tls_validate_require_cipher: log flag & tests
Pull in <features.h> on Linux.
Switch readconf log from D_all (bug) to D_tls (though D_any would have
worked).
Modified runtest to handle clamped DH bits and
tls_validate_require_cipher added debug logging.