Jeremy Harris [Thu, 28 Dec 2017 20:09:05 +0000 (20:09 +0000)]
Fix crash associated with dnsdb lookup done from DKIM ACL. Bug 2215
Broken-by: cc55f4208e
Jeremy Harris [Thu, 28 Dec 2017 21:28:01 +0000 (21:28 +0000)]
Use common routine for building tagstring for dns-fail cache
Jeremy Harris [Wed, 27 Dec 2017 17:22:26 +0000 (17:22 +0000)]
Debug: enhance output from smtp transport entry
Jeremy Harris [Thu, 28 Dec 2017 20:51:28 +0000 (20:51 +0000)]
DKIM: tighter checking while parsing signature headers. Bug 2217
Geraint Edwards [Thu, 28 Dec 2017 15:53:51 +0000 (15:53 +0000)]
Check ARGV before subscripting it
Jeremy Harris [Wed, 27 Dec 2017 14:10:44 +0000 (14:10 +0000)]
Testtsuite: output changes resulting
Jeremy Harris [Wed, 27 Dec 2017 11:11:17 +0000 (11:11 +0000)]
Testsuite: better portability of postgresq test vs. postgresql versions
Jeremy Harris [Sun, 24 Dec 2017 16:42:04 +0000 (16:42 +0000)]
Lookups: fix pgsql multiple-row, single-column return
Report & fix from James <list@xdrv.co.uk>; additional tidying and testcase by JGH
Broken-by: acec9514b1
Jeremy Harris [Sun, 24 Dec 2017 20:46:56 +0000 (20:46 +0000)]
Testsuite: shift pgsql tests to the standard-run set
Jeremy Harris [Sun, 24 Dec 2017 20:35:24 +0000 (20:35 +0000)]
Testsuite: convert posgreql testing to standalone
Jeremy Harris [Sat, 23 Dec 2017 17:46:10 +0000 (17:46 +0000)]
Delivery: remove restriction on dirname length on having to create directories. Bug 2213
Jeremy Harris [Fri, 22 Dec 2017 17:19:37 +0000 (17:19 +0000)]
DANE/GnuTLS: split verification of mixed sets of TLSA records by usage
This is because we cannot do the required CA-anchor and names checks for TA-mode
and not for EE-mode, without knowing which usage TLSA was used.
Jeremy Harris [Fri, 22 Dec 2017 11:34:20 +0000 (11:34 +0000)]
Constification
Jeremy Harris [Fri, 22 Dec 2017 10:25:56 +0000 (10:25 +0000)]
Fix const issue in nisplus lookup
Andreas Piesk [Fri, 22 Dec 2017 10:05:02 +0000 (10:05 +0000)]
Fix build of nisplus lookup
Josh Soref [Thu, 14 Dec 2017 04:25:04 +0000 (04:25 +0000)]
exim: regularize exim -bI:help output
tv [Wed, 20 Dec 2017 22:59:50 +0000 (23:59 +0100)]
exiwhat: use RM_COMMAND
Jeremy Harris [Wed, 20 Dec 2017 23:12:07 +0000 (23:12 +0000)]
DANE/GnuTLS: filter TLSA records for usability
Jeremy Harris [Wed, 20 Dec 2017 21:14:06 +0000 (21:14 +0000)]
DANE/GnuTLS: ignore traditional CA anchor validation in DANE-EE mode
Not quite right for a mixed TA+EE set of TLSA records, but better than always-enforcing
Jeremy Harris [Wed, 20 Dec 2017 11:34:47 +0000 (11:34 +0000)]
ACL: Disallow '/' characters in queue names specified for "queue="
Jeremy Harris [Tue, 19 Dec 2017 22:14:18 +0000 (22:14 +0000)]
Merge branch '4.next'
Jeremy Harris [Tue, 19 Dec 2017 21:54:37 +0000 (21:54 +0000)]
Docs: clean for next release
Jeremy Harris [Tue, 19 Dec 2017 16:27:44 +0000 (16:27 +0000)]
Fix nossl build
Jeremy Harris [Tue, 19 Dec 2017 15:06:49 +0000 (15:06 +0000)]
DANE: support under GnuTLS. Bug 1523
GnuTLS version 3.0.0 onwards; still Experimental
Jeremy Harris [Mon, 18 Dec 2017 15:38:54 +0000 (15:38 +0000)]
Testsuite: move CRL testcases away from using SHA1-signed certs
Jeremy Harris [Sat, 16 Dec 2017 20:52:54 +0000 (20:52 +0000)]
Testsuite: output changes arising
Jeremy Harris [Sat, 16 Dec 2017 20:49:28 +0000 (20:49 +0000)]
Testsuite: regenerate certs tree
Jeremy Harris [Sat, 16 Dec 2017 20:45:18 +0000 (20:45 +0000)]
Testsuite: restore generation of OCSP status for EC certs
Broken-by: 854586e149
Jeremy Harris [Sat, 16 Dec 2017 20:41:27 +0000 (20:41 +0000)]
Testsuite: do not bother with cert hostnames when testing OCSP
Jeremy Harris [Sat, 16 Dec 2017 19:45:30 +0000 (19:45 +0000)]
Testsuite: restore lost dns config for DKIM extra-txt-records testcase
Broken-by: 854586e149
Jeremy Harris [Sat, 16 Dec 2017 14:17:13 +0000 (14:17 +0000)]
Testsuite output changes arising
Broken-by: 854586e149
Viktor Dukhovni [Fri, 1 Dec 2017 22:13:19 +0000 (22:13 +0000)]
DANE: fix type-2xx TLSA under older OpenSSL versions Bug 2198
OpenSSL 1.0.1t is known bad. 1.0.2 and 1.1.0 are apparently ok.
Jeremy Harris [Sat, 16 Dec 2017 02:05:13 +0000 (02:05 +0000)]
Testsuite: testcase for Bug 2198
Jeremy Harris [Tue, 12 Dec 2017 21:52:33 +0000 (21:52 +0000)]
CHUNKING: flush input stream after message-fatal error detection. Bug 2201
Jeremy Harris [Sat, 9 Dec 2017 15:05:14 +0000 (15:05 +0000)]
Testsuite: regen TLSA records, to match cert tree
Jeremy Harris [Sat, 9 Dec 2017 14:57:38 +0000 (14:57 +0000)]
Testsuite: regen TLSA records, to match cert tree
Phil Pennock [Fri, 8 Dec 2017 19:21:45 +0000 (14:21 -0500)]
openssl guidance: install shared libraries too
Jeremy Harris [Tue, 5 Dec 2017 20:55:19 +0000 (20:55 +0000)]
tidying
Jeremy Harris [Fri, 8 Dec 2017 12:55:25 +0000 (12:55 +0000)]
Add compile-time guard against BDB library version 6
Jeremy Harris [Mon, 4 Dec 2017 14:32:44 +0000 (14:32 +0000)]
Fix non-OCSP OpenSSL build
Issue found by: Frank Elsner
Jeremy Harris [Sun, 3 Dec 2017 23:57:11 +0000 (23:57 +0000)]
Docs: amend warning on on lack of multiple-OCSP-proof support
Jeremy Harris [Sun, 3 Dec 2017 22:40:43 +0000 (22:40 +0000)]
GnuTLS: multiple server certs, OCSP stapling. Bug 2092
Jeremy Harris [Sun, 3 Dec 2017 23:54:13 +0000 (23:54 +0000)]
Testsuite: regen certs trees, now with OCSP response for one EC cert
Jeremy Harris [Sun, 3 Dec 2017 20:36:12 +0000 (20:36 +0000)]
Docs: clarify smtp transport tls_verify_certificates option
Heiko Schlittermann (HS12-RIPE) [Sun, 3 Dec 2017 17:17:43 +0000 (18:17 +0100)]
DKIM: Ignore non-DKIM TXT records in DNS response. Bug 2207
Jeremy Harris [Sat, 2 Dec 2017 21:11:46 +0000 (21:11 +0000)]
Fix initialiser in smtp transport
Broken-by: 838d897c8e
Jeremy Harris [Sat, 2 Dec 2017 20:10:18 +0000 (20:10 +0000)]
Docs: add notes on lack of multiple-OCSP-proof support
This would be wanted for server OCSP stapling in a dual RSA/ECDSA certificate installation
Jeremy Harris [Tue, 28 Nov 2017 20:44:14 +0000 (20:44 +0000)]
Change log update
Heiko Schlittermann (HS12-RIPE) [Mon, 27 Nov 2017 21:42:33 +0000 (22:42 +0100)]
Chunking: do not treat the first lonely dot special. CVE-2017-16944, Bug 2201
Jeremy Harris [Sun, 26 Nov 2017 15:28:26 +0000 (15:28 +0000)]
Logging: fix log line for local_scan() rejection
Jeremy Harris [Sun, 26 Nov 2017 15:26:42 +0000 (15:26 +0000)]
DKIM: fix tolerating spaces round tag values
Jeremy Harris [Sun, 26 Nov 2017 15:22:38 +0000 (15:22 +0000)]
Fix filename length check in mime-handling
Jeremy Harris [Sun, 26 Nov 2017 15:20:04 +0000 (15:20 +0000)]
tidying
Jeremy Harris [Sat, 2 Dec 2017 21:11:46 +0000 (21:11 +0000)]
Fix initialiser in smtp transport
Broken-by: 838d897c8e
Jeremy Harris [Sat, 2 Dec 2017 20:10:18 +0000 (20:10 +0000)]
Docs: add notes on lack of multiple-OCSP-proof support
This would be wanted for server OCSP stapling in a dual RSA/ECDSA certificate installation
Jeremy Harris [Fri, 1 Dec 2017 22:43:19 +0000 (22:43 +0000)]
Debug: fix coding in dnssec reporting. Bug 2205
Jeremy Harris [Wed, 29 Nov 2017 23:22:34 +0000 (23:22 +0000)]
TLS: avoid calling smtp_auth_acl on client cert when no tls authenticator is configured
Jeremy Harris [Wed, 29 Nov 2017 22:18:18 +0000 (22:18 +0000)]
TLS: Fix excessive calling of smtp_auth_acl under AUTH_TLS. Bug 2203
Jeremy Harris [Tue, 28 Nov 2017 20:44:14 +0000 (20:44 +0000)]
Change log update
Heiko Schlittermann (HS12-RIPE) [Mon, 27 Nov 2017 21:42:33 +0000 (22:42 +0100)]
Chunking: do not treat the first lonely dot special. CVE-2017-16944, Bug 2201
Jeremy Harris [Sun, 26 Nov 2017 15:28:26 +0000 (15:28 +0000)]
Logging: fix log line for local_scan() rejection
Jeremy Harris [Sun, 26 Nov 2017 15:26:42 +0000 (15:26 +0000)]
DKIM: fix tolerating spaces round tag values
Jeremy Harris [Sun, 26 Nov 2017 15:22:38 +0000 (15:22 +0000)]
Fix filename length check in mime-handling
Jeremy Harris [Sun, 26 Nov 2017 15:20:04 +0000 (15:20 +0000)]
tidying
Jeremy Harris [Sat, 25 Nov 2017 21:05:53 +0000 (21:05 +0000)]
tidying
Jeremy Harris [Sat, 25 Nov 2017 20:24:00 +0000 (20:24 +0000)]
Replace the store_release() internal interface, which was excessively unsafe.
The new store_newblock() includes the required safety checck, plus the alocate
and data-copy operations.
Jeremy Harris [Sat, 25 Nov 2017 19:39:32 +0000 (19:39 +0000)]
Merge branch 'master' into 4.next
Jeremy Harris [Sat, 25 Nov 2017 16:21:14 +0000 (16:21 +0000)]
Change note for
445d03d4ea
Jeremy Harris [Fri, 24 Nov 2017 20:22:33 +0000 (20:22 +0000)]
Avoid release of store if there have been later allocations. Bug 2199
Jeremy Harris [Fri, 24 Nov 2017 20:24:40 +0000 (20:24 +0000)]
Add comment on GnuTLS library debugging facility
Jeremy Harris [Sat, 18 Nov 2017 15:22:48 +0000 (15:22 +0000)]
Testsuite: more pre-run configuration checks
Jeremy Harris [Thu, 16 Nov 2017 20:46:10 +0000 (20:46 +0000)]
tidying
Jeremy Harris [Thu, 16 Nov 2017 18:31:23 +0000 (18:31 +0000)]
Testsuite: delays for debug output ordering (again)
Jeremy Harris [Thu, 16 Nov 2017 12:12:48 +0000 (12:12 +0000)]
OpenSSL: avoid using now-deprecated routines on newer versions
Jeremy Harris [Wed, 15 Nov 2017 23:24:23 +0000 (23:24 +0000)]
Testsuite: OpenSSL/LibreSSL version output variances
Jeremy Harris [Wed, 15 Nov 2017 22:09:10 +0000 (22:09 +0000)]
Testsuite: OpenSSL/LibreSSL version output variances
Jeremy Harris [Wed, 15 Nov 2017 20:38:19 +0000 (20:38 +0000)]
Testsuite: OpenSSL/LibreSSL version output variances
Jeremy Harris [Wed, 15 Nov 2017 19:06:00 +0000 (19:06 +0000)]
Testsuite: better debug output from "server" script-runner
Jeremy Harris [Wed, 15 Nov 2017 18:56:21 +0000 (18:56 +0000)]
Testsuite: delays for debug output ordering
OpenBSD seems to prioritize the child of a fork; Linux & FreeBSD the parent
Jeremy Harris [Wed, 15 Nov 2017 18:38:44 +0000 (18:38 +0000)]
Testsuite: force RSA auth for testcase loading dual certs
More recent OpenSSL versions (1.1.0) reasonably prefer ECDSA when available,
where older (1.0.2) preferred RSA
Jeremy Harris [Wed, 15 Nov 2017 17:48:55 +0000 (17:48 +0000)]
Typo in sample configuration
Jeremy Harris [Sun, 12 Nov 2017 19:08:43 +0000 (19:08 +0000)]
Docs: PRVS validity. Bug 2033
Jeremy Harris [Tue, 14 Nov 2017 19:32:50 +0000 (19:32 +0000)]
Testsuite output updates
Heiko Schlittermann (HS12-RIPE) [Sun, 5 Nov 2017 22:57:16 +0000 (23:57 +0100)]
Add host detail on all deferred deliveries, not only the last one
Jeremy Harris [Sat, 11 Nov 2017 21:19:50 +0000 (21:19 +0000)]
Testsuite: another go at munging cipher-suite strings
Jeremy Harris [Sat, 11 Nov 2017 21:04:21 +0000 (21:04 +0000)]
Debug: remove router DSN config dump on startup
Jeremy Harris [Sat, 11 Nov 2017 18:39:09 +0000 (18:39 +0000)]
Testsuite: another go at munging cipher-suite strings
Jeremy Harris [Sat, 11 Nov 2017 16:20:02 +0000 (16:20 +0000)]
Merge branch 'master' into 4.next
Jeremy Harris [Sat, 11 Nov 2017 16:11:06 +0000 (16:11 +0000)]
Downgrade an unfound-list name from panic to DEFER. Bug 1645
Jeremy Harris [Thu, 9 Nov 2017 21:35:08 +0000 (21:35 +0000)]
Testsuite: another go at munging cipher-suite strings
Jeremy Harris [Thu, 9 Nov 2017 19:49:49 +0000 (19:49 +0000)]
Testsuite: another go at munging cipher-suite strings
Jeremy Harris [Wed, 8 Nov 2017 12:37:22 +0000 (12:37 +0000)]
docs: typo
Jeremy Harris [Wed, 8 Nov 2017 12:01:20 +0000 (12:01 +0000)]
tidying
Jeremy Harris [Wed, 8 Nov 2017 10:43:28 +0000 (10:43 +0000)]
DKIM: call ACL once for each signature matching the identity from dkim_verify_signers. Bug 2189
Jeremy Harris [Tue, 7 Nov 2017 21:40:19 +0000 (21:40 +0000)]
DKIM: make verification results visible in data ACL
Jeremy Harris [Tue, 7 Nov 2017 19:01:42 +0000 (19:01 +0000)]
DKIM: Allow the DKIM ACL to override verification results. Bug 2186
This provides generic support, though is covers the need introduced
by https://datatracker.ietf.org/doc/draft-ietf-dcrup-dkim-usage/?include_text=1
(deprecating sha-1 and RSA keys shorter than 1024 bits).
Jeremy Harris [Tue, 7 Nov 2017 16:09:28 +0000 (16:09 +0000)]
TLS: support multiple certificate files in server. Bug 2092
Jeremy Harris [Fri, 3 Nov 2017 13:05:16 +0000 (13:05 +0000)]
Docs: add index entry
Jeremy Harris [Fri, 3 Nov 2017 11:02:19 +0000 (11:02 +0000)]
DKIM: better syntax for control of oversigning. Bug 2180
Phil Pennock [Thu, 2 Nov 2017 18:48:30 +0000 (14:48 -0400)]
Use LDFLAGS not EXTRALIBS_EXIM; 1.0.2 needs ldl too