Jeremy Harris [Sun, 23 Nov 2014 22:38:14 +0000 (22:38 +0000)]
Log certificate verification status by default
Jeremy Harris [Sun, 23 Nov 2014 17:01:14 +0000 (17:01 +0000)]
Make smtp transport try server cert verify by default
This is an exim client checking a server certificate.
Jeremy Harris [Sun, 23 Nov 2014 16:58:06 +0000 (16:58 +0000)]
Make "system" location for certificate CA bundle the default
Jeremy Harris [Sun, 23 Nov 2014 16:10:30 +0000 (16:10 +0000)]
Support use of system default CA bundle
Jeremy Harris [Sat, 22 Nov 2014 19:16:19 +0000 (19:16 +0000)]
Move certificate name checking to mainline, default enabled
This is an exim client checking a server certificate.
Jeremy Harris [Fri, 21 Nov 2014 15:15:15 +0000 (15:15 +0000)]
As client, request PRDR by default if the server offers it
Jeremy Harris [Fri, 21 Nov 2014 15:12:17 +0000 (15:12 +0000)]
Testsuite: cat 0601 logging ordering
Jeremy Harris [Fri, 21 Nov 2014 13:44:26 +0000 (13:44 +0000)]
Update RFC conformance notes
Jeremy Harris [Thu, 20 Nov 2014 16:32:35 +0000 (16:32 +0000)]
Refactor common uses of list-checking
Jeremy Harris [Sun, 16 Nov 2014 17:47:50 +0000 (17:47 +0000)]
Make the multi_domain smtp transport option expanded
Jeremy Harris [Sun, 16 Nov 2014 14:14:35 +0000 (14:14 +0000)]
Make the retry_include_ip_address smtp transport option expanded. Bug 1545
Jeremy Harris [Tue, 18 Nov 2014 19:56:44 +0000 (19:56 +0000)]
Testsuite: msglog files
Jeremy Harris [Tue, 18 Nov 2014 19:43:09 +0000 (19:43 +0000)]
Compiler quietening
Jeremy Harris [Sun, 16 Nov 2014 20:57:10 +0000 (20:57 +0000)]
Fix debug output of name of transport option list being matched
Jeremy Harris [Sat, 15 Nov 2014 21:11:23 +0000 (21:11 +0000)]
Test case for retry_include_ip_address
Jeremy Harris [Sun, 16 Nov 2014 13:54:01 +0000 (13:54 +0000)]
docs typo
Todd Lyons [Thu, 13 Nov 2014 21:15:13 +0000 (13:15 -0800)]
Add items to NewStuff
Jeremy Harris [Thu, 13 Nov 2014 17:14:09 +0000 (17:14 +0000)]
ChangeLog entries for minor feates and fixes since 4.84
Todd Lyons [Wed, 12 Nov 2014 17:23:24 +0000 (09:23 -0800)]
Move DANE desgin doc, drop extra dane drafts
Jeremy Harris [Wed, 12 Nov 2014 15:49:28 +0000 (15:49 +0000)]
Testsuite: munge for unrelated test affected by EXPERIMENTAL_CERTNAMES
Jeremy Harris [Wed, 12 Nov 2014 14:47:01 +0000 (14:47 +0000)]
Testsuite: 0393 intermittently spits an extra stderr line. Unimportant
for the testcase, so ignore it.
Jeremy Harris [Mon, 10 Nov 2014 16:41:12 +0000 (16:41 +0000)]
Handle UTC vs specified-timezone for certificate extractors. Bug 1541
Jeremy Harris [Sat, 8 Nov 2014 23:45:00 +0000 (23:45 +0000)]
Testsuite: additional dns zone for certificate name testing
Jeremy Harris [Sat, 8 Nov 2014 13:24:21 +0000 (13:24 +0000)]
Fix smtp transport certificate-verification option matching to use correct host
Fix certificate name verification done with tls_try_verify_hosts
Affected tls_verify_hosts, tls_try_verify_hosts, tls_verify_cert_hostnames.
Jeremy Harris [Thu, 6 Nov 2014 21:22:18 +0000 (21:22 +0000)]
EXPERIMENTAL_CERTNAMES: Hostlist for cert name checks should match host
connected-to, not be list of acceptable names. The name checked is the
host name.
Jeremy Harris [Wed, 5 Nov 2014 18:24:00 +0000 (18:24 +0000)]
Do not permit multi-component wildcards on certificate names (OpenSSL, EXPERIMENTAL_CERTNAMES)
Jeremy Harris [Sun, 26 Oct 2014 21:06:46 +0000 (21:06 +0000)]
Do not permit multi-component wildcards on certificate names (OpenSSL)
Jeremy Harris [Wed, 5 Nov 2014 17:31:34 +0000 (17:31 +0000)]
Add doc examples for disabling SSLv3
Jeremy Harris [Tue, 4 Nov 2014 15:13:00 +0000 (15:13 +0000)]
Fix dnssec indication variable when used from verify-callout smtp:commect event
Jeremy Harris [Mon, 3 Nov 2014 15:48:31 +0000 (15:48 +0000)]
Tweak docs on difference between "local" and "remote" source messages
Jeremy Harris [Mon, 3 Nov 2014 15:48:15 +0000 (15:48 +0000)]
Testsuite: tidying
Jeremy Harris [Sat, 1 Nov 2014 11:37:36 +0000 (11:37 +0000)]
Testsuite: tidying
Jeremy Harris [Thu, 30 Oct 2014 20:48:02 +0000 (20:48 +0000)]
Fix cert-try-verify when denied by event action
Jeremy Harris [Thu, 30 Oct 2014 20:32:14 +0000 (20:32 +0000)]
Test suite: disable OCSP for old openssl part 3
Jeremy Harris [Thu, 30 Oct 2014 18:52:45 +0000 (18:52 +0000)]
Fix dnssec indication variable when used from smtp:commect event
Jeremy Harris [Thu, 30 Oct 2014 12:12:31 +0000 (12:12 +0000)]
For connects and certificate-verifies denied by event actions, log
the string resulting from the event expansion
Todd Lyons [Wed, 29 Oct 2014 14:50:41 +0000 (07:50 -0700)]
Test suite: disable OCSP for old openssl part 2
Make sure to only disable this if building for openssl, allow gnutls
to build with OCSP for all versions that support it.
Todd Lyons [Wed, 29 Oct 2014 14:26:17 +0000 (07:26 -0700)]
Test suite: disable OCSP for old OpenSSL versions
OpenSSL 0.9.8 in CentOS 5.x has early OCSP support, but not stapling
so just completely disable OCSP using the same logic that exists
in tls-openssl.c.
Jeremy Harris [Wed, 29 Oct 2014 12:57:55 +0000 (12:57 +0000)]
Testsuite: compiler quietening
Jeremy Harris [Wed, 29 Oct 2014 12:57:00 +0000 (12:57 +0000)]
Testsuite: tidying
Jeremy Harris [Tue, 28 Oct 2014 14:42:10 +0000 (14:42 +0000)]
Testsuite: compiler quietening
Jeremy Harris [Sun, 26 Oct 2014 23:35:32 +0000 (23:35 +0000)]
Testsuite: output changes for ipv6
Jeremy Harris [Sun, 26 Oct 2014 22:57:00 +0000 (22:57 +0000)]
Do not claim OCSP support when compiled with too-old GnuTLS version
Jeremy Harris [Sun, 26 Oct 2014 22:14:03 +0000 (22:14 +0000)]
Fix cert-try-verify when denied by event action
Jeremy Harris [Sun, 26 Oct 2014 17:37:52 +0000 (17:37 +0000)]
Testcase 0601: move udpsend action from connect to rcpt ACL
Some test runs were seeing the receiving perl output before the exim startup banner;
try to get the udpsend to happpen after the banner gets a chance to be emitted.
Jeremy Harris [Sun, 26 Oct 2014 17:48:33 +0000 (17:48 +0000)]
Testsuite: increase default "client" utility connect timeout from 1 to 5 seconds
Jeremy Harris [Sun, 26 Oct 2014 17:29:24 +0000 (17:29 +0000)]
Testsuite: use different exit codes for various fail modes of "client" utility
Jeremy Harris [Sun, 26 Oct 2014 17:15:20 +0000 (17:15 +0000)]
Fix feature-ifdef for OpenSSL builtin certname checking
Jeremy Harris [Sun, 26 Oct 2014 15:51:55 +0000 (15:51 +0000)]
Testsuite: extend timeout on troublesom test
Testcase 0035 persistently fails with "status 99" on some buildfarm
animals. Try extending the connect timeout used by the "client" utility
to see if this helps.
Jeremy Harris [Sun, 26 Oct 2014 14:54:28 +0000 (14:54 +0000)]
Expand commentary on certificate files
Jeremy Harris [Thu, 23 Oct 2014 17:22:33 +0000 (18:22 +0100)]
Add event for inbound cert visibility
Jeremy Harris [Thu, 23 Oct 2014 17:18:43 +0000 (18:18 +0100)]
Make transport name available in verify-callouts. Add verify_mode variable
Jeremy Harris [Sat, 18 Oct 2014 19:38:07 +0000 (20:38 +0100)]
Rename facility to Event Actions, ifdeffed on EXPERIMENTAL_EVENT
Jeremy Harris [Fri, 24 Oct 2014 10:12:20 +0000 (11:12 +0100)]
Testsuite: more portable implementation of "showenv"
At least one Solaris installation seems not to have "whoami"
Todd Lyons [Thu, 23 Oct 2014 19:27:41 +0000 (12:27 -0700)]
Test suite continue past unexpected client errors
Todd Lyons [Wed, 22 Oct 2014 19:40:33 +0000 (12:40 -0700)]
Merge branch 'master' of ssh://git.exim.org/home/git/exim
Todd Lyons [Wed, 22 Oct 2014 19:40:08 +0000 (12:40 -0700)]
Fix labels in testsuite conf files
Jeremy Harris [Sun, 12 Oct 2014 16:51:56 +0000 (17:51 +0100)]
Make $host available in tpda delivery event, for cutthrough. Bug 1529
Jeremy Harris [Thu, 25 Sep 2014 21:20:33 +0000 (22:20 +0100)]
More regular logging use of H=<name> [<ip>]
Note this may affect utilities which parse logs.
Jeremy Harris [Wed, 22 Oct 2014 12:41:57 +0000 (13:41 +0100)]
Testsuite outputs: ipv6
Jeremy Harris [Sat, 18 Oct 2014 17:51:16 +0000 (18:51 +0100)]
Compiler quietening
Todd Lyons [Mon, 20 Oct 2014 14:16:04 +0000 (07:16 -0700)]
Merge branch 'master' of ssh://git.exim.org/home/git/exim
Todd Lyons [Mon, 20 Oct 2014 14:14:42 +0000 (07:14 -0700)]
Test suite: completely omit 127/8 IPs
Jeremy Harris [Thu, 16 Oct 2014 18:11:45 +0000 (19:11 +0100)]
Handle certificate dir under GnuTLS, if recent enough
Add testcases for certificate directories
The GnuTLS implementation has been tested on Fedora 21 (alpha),
using GnuTLS 3.3.9. The testsuite case is here but with the
script commented-out. When enabled, the log/mail/stdout/stderr
files will be created fresh.
Jeremy Harris [Sun, 12 Oct 2014 22:43:48 +0000 (23:43 +0100)]
Testsuite output gnutls changes resulting from munging for openssl
version differences
Jeremy Harris [Sun, 12 Oct 2014 21:11:41 +0000 (22:11 +0100)]
Make dnssec status available in tpda delivery event, for cutthrough
Jeremy Harris [Sun, 12 Oct 2014 17:18:51 +0000 (18:18 +0100)]
Quieten noisy compiler
As usual, gcc whining that perfectly valid C coding is
"ambiguous". Wrongly.
Jeremy Harris [Sun, 5 Oct 2014 20:31:20 +0000 (21:31 +0100)]
Remove limit on remove_headers item size. Bug 1533
Jeremy Harris [Mon, 29 Sep 2014 10:50:06 +0000 (11:50 +0100)]
Fix Solaris build
Jeremy Harris [Mon, 29 Sep 2014 10:49:35 +0000 (11:49 +0100)]
Doc notes on expansion ordering
Jeremy Harris [Sun, 28 Sep 2014 16:58:38 +0000 (17:58 +0100)]
More testsuite variance between OpenSSL library versions
Wolfgang Breyha [Sun, 28 Sep 2014 12:40:45 +0000 (13:40 +0100)]
Fix transport-results pipe for multiple recipients combined with certs.
The previous parsing failed when a result item split over a buffer boundary;
fix by prefixing sizes to items, and checking enough has been read as the
initial parsing stage.
Jeremy Harris [Tue, 16 Sep 2014 15:58:04 +0000 (16:58 +0100)]
Clarify error message for host-connect fail. Bug 1505
Jeremy Harris [Sun, 21 Sep 2014 16:59:44 +0000 (17:59 +0100)]
Amplify comment on server requests for client certificates
Todd Lyons [Tue, 23 Sep 2014 12:11:48 +0000 (05:11 -0700)]
ChangeLog for Github Issue 18
Todd Lyons [Tue, 23 Sep 2014 12:09:15 +0000 (05:09 -0700)]
Merge remote-tracking branch 'exim_github/pr/18'
Todd Lyons [Thu, 18 Sep 2014 16:02:17 +0000 (09:02 -0700)]
Fix kill commandline for Solaris compatibility #2
Todd Lyons [Thu, 18 Sep 2014 14:47:22 +0000 (07:47 -0700)]
Fix kill commandline for Solaris compatibility
Jeremy Harris [Tue, 16 Sep 2014 13:59:54 +0000 (14:59 +0100)]
Replace use of index() with Ustrchr()
Jeremy Harris [Sat, 13 Sep 2014 13:55:57 +0000 (14:55 +0100)]
Restrict dane to DANE-TA(2) and DANE-EE(3) usage TLSA records
Also, just ignore TLSA records with unsipported match types.
Jeremy Harris [Fri, 12 Sep 2014 20:13:47 +0000 (21:13 +0100)]
Fix needless OCSP request under DANE
usage 3 and with require_ocsp in play though inactive
Todd Lyons [Fri, 12 Sep 2014 13:22:24 +0000 (06:22 -0700)]
Bug 1216: Add -M (related) to exigrep.
Thanks to Arkadiusz for pointing out that this was never merged.
Heiko Schlittermann [Thu, 11 Sep 2014 21:25:51 +0000 (22:25 +0100)]
Fix ldap lookup for single-attr request, multiple-attr return. Bug 1521
Exim documented behaviour is that the single-request case controls
the output format (by not labelling attributes with names).
The code is broken for the case where attrs B, C are derived from A
and A is requested (and the LDAP server used isn't buggy here; some
are and only return A rather than A, B, C).
Jeremy Harris [Thu, 11 Sep 2014 20:41:12 +0000 (21:41 +0100)]
Add debug for number of CA certs, for OpenSSL/file load
Jeremy Harris [Wed, 10 Sep 2014 13:26:58 +0000 (14:26 +0100)]
Fix undersized buffer use by eximon. Bug 1527
The long spoolfile line now used for certificate info was too big,
resulting in an apparent syntax error in the file.
Apart from using a decent size, do autogrow in case of immense
certificates.
Jeremy Harris [Wed, 10 Sep 2014 14:13:53 +0000 (15:13 +0100)]
TPDA tidying
Jeremy Harris [Mon, 8 Sep 2014 08:55:57 +0000 (09:55 +0100)]
doc typo
Jeremy Harris [Sat, 6 Sep 2014 20:10:17 +0000 (21:10 +0100)]
Add expansion item for sorting lists
Jeremy Harris [Sat, 6 Sep 2014 18:59:34 +0000 (19:59 +0100)]
Support secondary-separator specifier for MX, SRV and TLSA dnsdb lookups
Todd Lyons [Sat, 6 Sep 2014 05:17:37 +0000 (22:17 -0700)]
Merge branch 'master_condition_description'
Todd Lyons [Thu, 4 Sep 2014 18:20:31 +0000 (11:20 -0700)]
Bug 1518: fix description of condition processing
The description in the first commit was completely wrong. Thanks to
Phil for setting me straight and seeding me with the correct verbage.
Jeremy Harris [Thu, 4 Sep 2014 21:40:09 +0000 (22:40 +0100)]
Enforce TLS under DANE when host has TLSA records
Jeremy Harris [Tue, 2 Sep 2014 22:37:57 +0000 (23:37 +0100)]
Fix ${extract expansion for use within ${if inlist etc. Bug 1524
The coding of the numeric test on the key decided that empty was numeric, and
insisted on a third substring even in syntax-check "skip" mode. This failed
when a single expansion variable was used for the key (eg. $item) and the
defaults for string2, string3 were being assumed. Skip the test in skip mode.
Jeremy Harris [Tue, 2 Sep 2014 12:14:01 +0000 (13:14 +0100)]
Introduce EXPERIMENTAL_DANE feature
Jeremy Harris [Tue, 2 Sep 2014 12:12:45 +0000 (13:12 +0100)]
ChangeLog entry
Sebastian Wiedenroth [Tue, 2 Sep 2014 10:41:30 +0000 (12:41 +0200)]
redis lookup returns false for things that should be true
If redis returns an integer the lookup code currently checks if the value is 1 and returns false for all other values.
This is problematic if you want to use redis commands that return counts (ZCARD etc.) because you can't check for "does not exist" or "exists at least once". (It will be 0->false, 1->true, 2 or more-> false again)
This commit changes the code to handle integer values like C: 0 is false and everything else is true.
For the simple 0 and 1 values nothing changes to existing queries so this diff is backwards compatible.
For queries that return other values exim now gets the bool that would be expected.
Jeremy Harris [Mon, 1 Sep 2014 13:54:59 +0000 (14:54 +0100)]
Warn on OCSP interaction with DANE
Jeremy Harris [Sun, 31 Aug 2014 21:07:54 +0000 (22:07 +0100)]
Add missing puctuation
Jeremy Harris [Sun, 31 Aug 2014 20:54:58 +0000 (21:54 +0100)]
Update comment
Heiko Schlittermann [Sun, 31 Aug 2014 13:13:22 +0000 (14:13 +0100)]
Further doc examples for ldap lookup output