diff -Nru exim4-4.80/ACKNOWLEDGMENTS exim4-4.82/ACKNOWLEDGMENTS --- exim4-4.80/ACKNOWLEDGMENTS 2012-05-31 00:40:15.000000000 +0000 +++ exim4-4.82/ACKNOWLEDGMENTS 2013-10-25 00:46:27.000000000 +0000 @@ -1,5 +1,26 @@ EXIM ACKNOWLEDGEMENTS +This file is divided into two parts. The first is the original list maintained +by Exim's author, Philip Hazel, before he retired. That has two sub-lists of +contributors. The second main part is an attempt to bring this up-to-date, +using information from ChangeLog and git. + +Names may well occur more than once. + +There was a five year gap. It is unlikely that this file is complete. +If you contributed and are not listed, then *please* let us know. Even if you +don't much care, we want to acknowledge your help. A contribution isn't just +code, it includes reporting real bugs, helping with tracking problems down, +documentation fixes and more. + +(Note that we have patches from folks in various countries and Latin1 is not + sufficient to handle all of their names acceptably. + This file should be in UTF-8). + +-Phil Pennock, pp The Exim Maintainers. + +============================8< cut here >8============================== + I have not been very good at keeping a proper record of all the people who have sent in patches and other contributions to Exim. I am going to try to do better in the future by keeping a record in this file. First, I'll put a list of all @@ -20,11 +41,6 @@ Lists created: 20 November 2002 Last updated (by PH): 22 August 2007 - Note: at current time, Exim is maintained in git; the commit messages - typically credit sources, at the very least. Also the ChangeLog file - will record who provided patches. This file is not very up-to-date. - -Phil Pennock, 2012 - THE OLD LIST Alan Barratt First code for relay checking 
@@ -71,6 +87,7 @@ Anton Altaparmakov Patches to get cyrus_sasl fully working Simon Arlott Patch for $dnslist_matched. Claus Assmann Example code for OpenSSL CRL support +Warren Baker Experimental Redis lookup. Robert Bannocks Patch for LDAP reference problem on Solaris Ian Bell Analysis of a bug and an infelicity in clock tick code Patch for ${quote_local_part @@ -161,6 +178,7 @@ ... and several more Thomas Hager Patch for saslauthd crash bug Richard Hall Fix for file descriptor leak in redirection + Fix for exiqsumm output corner case Jori Hamalainen Patch to add features to exiqsumm Patch to speed up exigrep Steve Haslam Lots of stuff, including @@ -198,13 +216,14 @@ Tom Kistner SPA server code Writing and maintaining the content scanning extension (exiscan) -Jürgen Kreileder Fix for cyrus_sasl advertisement problem +Jürgen Kreileder Fix for cyrus_sasl advertisement problem Friso Kuipers Patch for GDBM problem Matthias Lederhofer Diagnosing and patching obscure and subtle socket bug Chris Liddiard Fix for bug in exiqsumm Chris Lightfoot Patch for -restore-times in exim_lock Edgar Lovecraft Patch for ${str2b64: Torsten Luettgert Suggested patch for proper integer overflow detection +Todd Lyons Patch to add DMARC support using OpenDMARC libs/tools David Madole Patch for SPA forced expansion failure bug Lars Mainka Patch for OpenSSL crl collections Andrey Malyshev Patch for $address_data after redirection bug @@ -237,6 +256,7 @@ Gaige Paulsen Amended Darwin config files Richard Premdas Patch for PAM buglet Jason Pyeron Suggested patch for ignoring Sendmail's -O option +Axel Rau Patch for Transport Post Delivery sql logging Mark Rigby-Jones Patch for race condition during MBX locking Robert Roselius Patch for OpenSSL workaround for bad clients Larry Rosenman OpenUNIX config files 
@@ -287,3 +307,168 @@ control=freeze/no_tell basic code Erik ? patch to use select() instead of poll() on OS X **** + +============================8< cut here >8============================== + +The Exim Maintainers Lists +========================== + +We'll start with the Exim Maintainers, who are the people with commit +access to the master git repository and a couple more folk; then we'll list +known contributors since the lists above. Then we list the folks who work +to make Exim available on various operating systems as porters/packagers. + +For the Maintainers, we may list primary focus area. All maintainers +will have contributed to work outside those areas. The maintainers' +contributions are initialled in ChangeLog. Changes from before maintainership +should be listed as a contributor. + +For other contributors, we will attempt to track all contributions. Note that +the entries per-person were added initially by scanning back through the +ChangeLog and git, so are not in chronological order. + +[ With names from all over the world, we need one sort order. I've arbitrarily + decreed it to be "normal British address-book sort order, but based on family + name rather than whichever comes last and using whatever seems sanest for + sort order of characters which do not collate onto an English character", + which should handle the majority of cases. If it is not adequate for some + situation, we'll resolve it then. + We leave out titles and honourifics, just names and handles. ] + + +Maintainers +----------- +Steve Campbell eximstats maintainer. +Mike Cardwell Exim webmaster. +Tony Finch Unbreaks lots of things. Ratelimit code. +Graeme Fowler +Michael Haardt Maintains Sieve support, works on DKIM. +Jeremy Harris +Philip Hazel Retired. + Originating architect and author of the Exim project. +John Jetmore +Tom Kistner DKIM. Content scanning. SPA. +Todd Lyons +Nigel Metheringham Transitioning out of Default Victim status. +Phil Pennock Release Coordinator. 
Breaks lots of things. +David Woodhouse Dynamic modules. Security. + + +Contributors +------------ +Andrew Aitchison Spotted cmdline AV scanner regression with -bmalware +Simon Arlott Code for outbound SSL-on-connect + Patch implementing %M datestamping in log filenames + Patch restoring SIGPIPE handler for child_open_uid + Patch fixing NUL term/init of DKIM strings + Patch fixing dnsdb TXT record handling for DKIM + Patch speeding up DomainKeys signing +Warren Baker Found crash with MIME ACLs in non-SMTP local injection +Dmitry Banschikov Path to check for LDAP TLS initialisation errors +René Berber Pointed out mistake in build instructions for QNX +Johannes Berg Maintained dynamically loadable module code out-of-tree + Patch expanding spamd_address if contains $ +Jasen Betts Spotted lack of docs re bool{} on empty string + and typo fixes +Wolfgang Breyha DCC integration; expandable spamd_address + Patch handling IPv6 addresses for SPF + Patch fixing DKIM verification when signature header + not prepended + Unbroke Cyrus SASL auth after incorrect SSF addition + Logging of 8bitmime reception +David Brownlee Patch improving local interface IP address detection +Eugene Bujak Security patch fixing buffer overflow in string_format +Adam Ciarcinski Patch for TLS-enabled LDAP (alternative to ldaps) +Dennis Davis Patches fixing compilation in older compilers + Reported dynlookup framework build issues on Solaris +Serge Demonchaux Maintained dynamically loadable module code out-of-tree + Patch fixing sign/unsigned and UTF mismatches +Uwe Doering Patch fixing DKIM multiple signature generation +Maxim Dounin Patch portability of accept() len +Frank Elsner Fixed build reliability by exporting LC_ALL=C +Paul Fisher Diagnosed smtp_cmd_buffer_size affecting GSSAPI SASL + initial response, raised buffer size + Patch adjusting connection_max_messages wait-DB usage +Oliver Fleischmann Patches fixing compilation in older compilers +Julian Gilbey Helped improve userforward 
local_part_suffix docs +Richard Godbee Patch fixing usage fprintf +Steve Haslam Maintained dynamically loadable module code out-of-tree +Oliver Heesakkers Debugged dynamic lookup build issues for LOOKUP_foo. +Dmitry Isaikin Spotted short writes to local files + Patch for format string regression +Alun Jones Patch for NULL dereference in localhost_number +Brad Jorsch Patches fixing Resent-*: header handling +John Hall Updated PCRE to 7.4 (when in-tree) +Jeremy Harris Patch to log authentication information in reject log + Reported a ${extract error message typo +Jakob Hirsch Patch implementing freeze_signal on pipe transports + Suggested X-Envelope-Sender: for content-scanning + Patch fixing Base64 decode bugs +John Horne Patch adding $av_failed + Patch escaping log text after lookup expansion defer + Documentation fixes + Pointed out ClamAV ExtendedDetectionInfo compat issue +Regid Ichira Documentation fixes +Andreas M. Kirchwitz Let /dev/null have normal permissions (4.73 fallout) +J. Nick Koston Patch adding force_command pipe transport option +Roberto Lima Patch letting exicyclog rotate paniclog +Todd Lyons Patch handling TAB in MAIL arguments +Christof Meerwald Provided insight & suggested patch for GnuTLS update +Andreas Metzler Patch upgrading PolarSSL (DKIM) + Reported delivery logging problems (4.73 fallout) + Patch to build without WITH_CONTENT_SCAN + Patches fixing docs for max_rcpts, relay hosts/domains + Documentation fixes +Kirill Miazine Multiple patches improving Dovecot authenticator +Robert Millan Wrote SPF Best Guess support +Marcin MirosÅ‚aw Running static analysis tools for us, catching issues +Dirk Mueller Patch extending use of our printf() compiler checking +Andrey Oktyabrski Patch fixing wide character breakage in rfc2047 coding + Patch keeping SQL errors from being returned over SMTP +Phil Pennock Patch adding gnutls_compat_mode + Patches adding bool{} and later bool_lax{} + Patch for TLS library version reporting build/runtime + Patch 
letting EXPN work under TLS + More patches built up & applied when became maintainer +Mark Daniel Reidel Patch adding f-protd malware scanner support +Steven A Reisman Pointed out ${eval:x % 0} SIGFPE +Todd Rinaldo Patch fixing transport filter timeout +Dan Rosenberg Security notification & patch for hardlink attack on + sticky mail directory + Security notification of race condition in MBX locking +Jay Rouman Kept our copyright claim in the 21st century, not 11th + Drew attention to SSL docs and epoch issue on 32bit +Heiko Schlittermann Patch making maildir_use_size_file expand + Patch fixing maildir quota file races + Patch fixing make parallelisation + Updates to eximstats, exiwhat +Janne Snabb TLS extensive debugging & failure root cause analysis + Added SPF record type support to dnsdb lookup +Jan Srzednicki Patch improving Dovecot authenticator + Reported crash in Dovecot authenticator +Samuel Thibault Patch fixing IPv6 interface address detection on Hurd +Martin Tscholak Reported issue with TLS anonymous ciphersuites +Stephen Usher Patch fixing use of Oracle's LDAP libraries on Solaris +Holger Weiß Patch leting ${run} return more data than OS pipe + buffer size +Moritz Wilhelmy Pointed out PCRE_PRERELEASE glitch +Alain Williams Patch supporting MySQL stored procedures +Mark Zealey Patch updating $message_linecount for maildir_tag + Patch improving spamd server selection + Patch to allow multiple TCP clamd servers + + +Packagers +--------- +Mark Baker Debian, through Exim 3 +Hilko Bengen Debian, Exim 4, current(*) maintenance +Tim Cutts Debian, initial packaging +Marc Haber Debian, Exim 4, current(*) maintenance +Steve Haslam Debian, Exim 4 +Andreas Metzler Debian, current(*) maintenance +Christian Perrier Debian, current(*) maintenance + +(*) Current as of our last information as of release: Exim 4.82 + + +# vim: set fileencoding=utf-8 expandtab : diff -Nru exim4-4.80/debian/changelog exim4-4.82/debian/changelog --- exim4-4.80/debian/changelog 2013-11-04 
12:15:16.000000000 +0000 +++ exim4-4.82/debian/changelog 2013-12-10 17:18:07.000000000 +0000 
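Review bot: the new Contributors entry "Marcin MirosÅ‚aw" in the ACKNOWLEDGMENTS hunks above is double-encoded UTF-8 (the ł of Mirosław read back as Latin-1), which contradicts the note this same change adds at the top of the file ("This file should be in UTF-8") and the vim modeline with fileencoding=utf-8 at the bottom; re-save that line as plain UTF-8 before merging. Two typos in added lines of the same list: "Path to check for LDAP TLS initialisation errors" should read "Patch to check ...", and "Patch leting ${run} return more data" should read "letting". The -/+ pair for "Jürgen Kreileder" shows identical text and is presumably the corresponding Latin-1 to UTF-8 re-encoding of an existing entry; say so in the commit message so the apparently no-op diff line is not mistaken for noise.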
@@ -1,3 +1,96 @@ +exim4 (4.82-3ubuntu1) trusy; urgency=low + + * Merge from Debian unstable (LP: #1259620). Remaining changes: + - Show Ubuntu distribution on smtp: + + debian/patches/fix_smtp_banner.patch: updated SMTP banner + with Ubuntu distribution + + debian/control: added lsb-release build dependency + - Don't provide default-mta; in Ubuntu, we want postfix to be the + default. + - Build-depend on libdb5.3-dev, instead of libdb5.1-dev. + + -- Yolanda Robla Tue, 10 Dec 2013 17:07:20 +0000 + +exim4 (4.82-3) unstable; urgency=low + + * Upload to unstable. + + -- Andreas Metzler Wed, 27 Nov 2013 19:51:26 +0100 + +exim4 (4.82-2) experimental; urgency=low + + * Pull two post-release fixes from upstream git master: + + 75_unbind-ldap-connection.diff - Only unbind ldap connection if bind + succeeded. + + 77_close-the-server-side-of-TLS.diff - Correctly close the server side + of TLS when forking for delivery. + * Pull 76_fix_ldap_option_setting.diff from Todd Lyons testing tree. See + . + + -- Andreas Metzler Sat, 09 Nov 2013 17:24:59 +0100 + +exim4 (4.82-1) experimental; urgency=low + + * New upstream stable release. + * Drop exim4-config_files.5 symlinks for local_host_whitelist and + local_sender_whitelist, add symlinks for host_local_deny_exceptions and + sender_local_deny_exceptions instead. Closes: #661365 + + -- Andreas Metzler Sat, 09 Nov 2013 11:52:58 +0100 + +exim4 (4.82~rc5-1) experimental; urgency=low + + * New upstream version. + + -- Andreas Metzler Sat, 26 Oct 2013 08:50:58 +0200 + +exim4 (4.82~rc3-1) experimental; urgency=low + + * New upstream version. + + TL/15 Fix exiqsumm summary for corner case. Patch provided by Richard + Hall. + + TL/16 Bugzilla 1289 - Clarify host/ip processing when have errors + looking up a hostname or reverse DNS when processing a host list. Used + suggestions from multiple comments on this bug. + + TL/17 Bugzilla 1057 - Multiple clamd TCP targets patch from Mark Zealey. 
+ * Add macros for sending a client certificate on outgoing TLS connections. + (REMOTE_SMTP_TLS_CERTIFICATE/REMOTE_SMTP_PRIVATEKEY, + REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE/REMOTE_SMTP_SMARTHOST_PRIVATEKEY) + Closes: #677826 + + -- Andreas Metzler Sat, 12 Oct 2013 09:30:28 +0200 + +exim4 (4.82~rc2-1) experimental; urgency=low + + * exim-gencert: Generate 2048bit key by default. LP: #1200581 + * New upstream version. + + Drop 80_addmanuallybuiltdocs.diff + + -- Andreas Metzler Thu, 03 Oct 2013 19:24:59 +0200 + +exim4 (4.82~rc1-1) experimental; urgency=low + + * New upstream version. + + TL/02 Add +smtp_confirmation as a default logging option. + Closes: #649600 + + JH/05 Permit multiple router/transport headers_add/remove lines. + Closes: #276126 + + See /usr/share/doc/exim4-base/NewStuff.gz for other newly added + features. + * Upload to experimental. + * Drop unnecessary patches (30_dontoverridecflags.dpatch + 75_openssl_sni.diff 76_tls_dh_min_bits.diff 77_docsfortls_dh_min_bits.diff + 78_pkcs11_init.diff 84_CVE-2012-5671.patch 85_server_set_id_SPA.diff + 86_Dovecot-robustness.diff 87_localinjected_mimeacl.diff), unfuzz patches. + * Applying upstream's default configuration updates to Debian configuration + change 30_exim4-config_examples to use tls_in_cipher/tls_out_cipher + instead of tls_out_cipher. - exim4-config therefore Breaks + exim daemon << 4.82~rc1. + * 80_addmanuallybuiltdocs.diff: Upstream rc tarball ships empty filter.txt + and spec.txt, replace these with correct handbuilt versions. + + -- Andreas Metzler Sun, 29 Sep 2013 14:43:25 +0200 + exim4 (4.80-9ubuntu2) trusty; urgency=low * Build-depend on libdb5.3-dev, instead of libdb5.1-dev. diff -Nru exim4-4.80/debian/control exim4-4.82/debian/control --- exim4-4.80/debian/control 2013-11-04 12:14:52.000000000 +0000 +++ exim4-4.82/debian/control 2013-12-10 16:58:28.000000000 +0000 
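Review bot: the suite name in the new top entry, "exim4 (4.82-3ubuntu1) trusy; urgency=low", is misspelled; the 4.80-9ubuntu2 entry further down targets "trusty", and Launchpad rejects an upload whose changelog names an unknown series, so fix it before building. Two smaller points in the same hunk: the 4.82~rc1-1 entry says the auth examples were changed "to use tls_in_cipher/tls_out_cipher instead of tls_out_cipher", but the accompanying 30_exim4-config_examples diff replaces $tls_cipher, so the entry should say "instead of tls_cipher"; and the 4.82-2 entry's "See ." pointer to the Todd Lyons testing tree carries no target as shown here, so make sure the actual reference survives in the shipped changelog.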
@@ -5,7 +5,7 @@ XSBC-Original-Maintainer: Exim4 Maintainers Uploaders: Andreas Metzler ,Marc Haber Homepage: http://www.exim.org/ -Standards-Version: 3.9.4 +Standards-Version: 3.9.5 #Vcs-Git: git://git.debian.org/git/pkg-exim4/exim4.git #Vcs-Browser: http://git.debian.org/?p=pkg-exim4/exim4.git Vcs-Git: git://anonscm.debian.org/pkg-exim4/exim4.git @@ -58,7 +58,7 @@ Package: exim4-config Architecture: all -Breaks: exim4-daemon-light (<<4.69.1), exim4-daemon-heavy (<<4.69.1) +Breaks: exim4-daemon-light (<<4.82~rc1), exim4-daemon-heavy (<<4.82~rc1) Provides: exim4-config-2 Conflicts: exim, exim-tls, exim4-config, exim4-config-2, ${MTA-Conflicts} Depends: ${shlibs:Depends}, ${misc:Depends}, adduser diff -Nru exim4-4.80/debian/debconf/conf.d/auth/30_exim4-config_examples exim4-4.82/debian/debconf/conf.d/auth/30_exim4-config_examples --- exim4-4.80/debian/debconf/conf.d/auth/30_exim4-config_examples 2012-09-23 10:07:23.000000000 +0000 +++ exim4-4.82/debian/debconf/conf.d/auth/30_exim4-config_examples 2013-12-10 16:58:28.000000000 +0000 @@ -36,7 +36,7 @@ # server_set_id = $auth2 # server_prompts = : # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # LOGIN authentication has traditional prompts and responses. There is no @@ -51,7 +51,7 @@ # server_condition = "${if crypteq{$auth2}{${extract{1}{:}{${lookup{$auth1}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # # cram_md5_server: @@ -77,7 +77,7 @@ # server_set_id = $auth2 # server_prompts = : # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # # login_saslauthd_server: 
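Review bot: the Breaks bump in debian/control for exim4-daemon-light/heavy, from (<<4.69.1) to (<<4.82~rc1), is the right mechanism for the $tls_in_cipher/$tls_out_cipher change in the config examples, because a configuration that references a variable the running daemon does not know fails expansion, but nothing next to the Breaks line says why the bound is 4.82~rc1. Add a short comment there (or a sentence in the changelog entry) naming the variables as the reason, and check that the bound is the first daemon version that actually provides them rather than simply the version of this upload, so the next person to touch the line knows what it protects.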
@@ -88,7 +88,7 @@ # server_condition = ${if saslauthd{{$auth1}{$auth2}}{1}{0}} # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # # ntlm_sasl_server: @@ -97,7 +97,7 @@ # server_realm = # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # # digest_md5_sasl_server: @@ -106,7 +106,7 @@ # server_realm = # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # Authentcate against cyrus-sasl @@ -124,7 +124,7 @@ # server_realm = # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # # login_sasl_server: @@ -133,7 +133,7 @@ # server_realm = # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # Authenticate against courier authdaemon @@ -152,7 +152,7 @@ # fail} # server_set_id = $auth2 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # login_courier_authdaemon: @@ -167,7 +167,7 @@ # fail} # server_set_id = $auth1 # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif # This one is a bad hack to support the broken version 4.xx of 
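Review bot: the replacement `server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}` keeps the intended gate (the plaintext-password mechanisms are advertised only once an inbound TLS session is established, unless AUTH_SERVER_ALLOW_NOTLS_PASSWORDS is defined), and $tls_in_cipher is the correct variable for a check made on the receiving side. Before merging, confirm that every server_advertise_condition in the file was converted in this commit so the examples do not mix the old and new names, and keep (or add) a comment next to the .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS block saying that defining the macro lets PLAIN and LOGIN credentials cross the wire unencrypted; the hunks here only change the variable name and carry no such warning.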
@@ -188,7 +188,7 @@ # server_prompts = User Name : Password # server_condition = no # .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -# server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}} +# server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} # .endif ############## @@ -222,7 +222,7 @@ driver = plaintext public_name = PLAIN .ifndef AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS - client_send = "<; ${if !eq{$tls_cipher}{}\ + client_send = "<; ${if !eq{$tls_out_cipher}{}\ {^${extract{1}{:}{PASSWDLINE}}\ ^${sg{PASSWDLINE}{\\N([^:]+:)(.*)\\N}{\\$2}}\ }fail}" @@ -238,7 +238,7 @@ # Return empty string if not non-TLS AND looking up $host in passwd-file # yields a non-empty string; fail otherwise. client_send = "<; ${if and{\ - {!eq{$tls_cipher}{}}\ + {!eq{$tls_out_cipher}{}}\ {!eq{PASSWDLINE}{}}\ }\ {}fail}\ diff -Nru exim4-4.80/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp exim4-4.82/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp --- exim4-4.80/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp 2013-12-10 16:58:28.000000000 +0000 @@ -39,3 +39,9 @@ .ifdef TLS_DH_MIN_BITS tls_dh_min_bits = TLS_DH_MIN_BITS .endif +.ifdef REMOTE_SMTP_TLS_CERTIFICATE +tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE +.endif +.ifdef REMOTE_SMTP_PRIVATEKEY +tls_privatekey = REMOTE_SMTP_PRIVATEKEY +.endif diff -Nru exim4-4.80/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost exim4-4.82/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost --- exim4-4.80/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/debconf/conf.d/transport/30_exim4-config_remote_smtp_smarthost 2013-12-10 16:58:28.000000000 +0000 
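Review bot: in the two client-side `client_send` hunks (@@ -222 and @@ -238), $tls_cipher becomes $tls_out_cipher, which is the right variable for the outbound connection the authenticator is running on; the inbound variable keeps its value from message reception across the delivery process and would say nothing about the link the password is about to be sent over. The existing comment in the second hunk ("Return empty string if not non-TLS AND looking up $host in passwd-file yields a non-empty string; fail otherwise") is hard to parse with its double negative; since the line is being touched anyway, reword it to "fail unless the outbound session is TLS and a password line exists for $host" and add the same one-line comment above the first hunk, which has none.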
@@ -30,3 +30,9 @@ .ifdef TLS_DH_MIN_BITS tls_dh_min_bits = TLS_DH_MIN_BITS .endif +.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE +tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE +.endif +.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY +tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY +.endif diff -Nru exim4-4.80/debian/example.conf.md5 exim4-4.82/debian/example.conf.md5 --- exim4-4.80/debian/example.conf.md5 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/example.conf.md5 2013-12-10 16:58:28.000000000 +0000 @@ -1 +1 @@ -b2257965b2f4c7300ab1ae9b3460ed54 - +c181c27925094f50dbb2f1388602cf03 - diff -Nru exim4-4.80/debian/exim4-config.links exim4-4.82/debian/exim4-config.links --- exim4-4.80/debian/exim4-config.links 2012-09-23 10:07:23.000000000 +0000 +++ exim4-4.82/debian/exim4-config.links 2013-12-10 16:58:28.000000000 +0000 
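Review bot: the new `.ifdef REMOTE_SMTP_TLS_CERTIFICATE` and `.ifdef REMOTE_SMTP_PRIVATEKEY` blocks (and their SMARTHOST twins in this hunk) are independent, so a user who defines only the certificate macro gets a transport with tls_certificate set and tls_privatekey unset; Exim then looks for the private key inside the certificate file, and when it is not there the symptom is an opaque TLS failure on outgoing mail. Spell that out in the macro documentation. Also document that the key file must be readable by the Exim runtime user (remote deliveries run unprivileged) and by nobody else, which matters if the same key is reused from the server side, and that the certificate is only presented when the remote server requests one during the handshake, so setting the macros against a server that never asks changes nothing visible.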
@@ -2,8 +2,8 @@ usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/etc-email-addresses.5.gz usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_host_blacklist.5.gz usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_sender_blacklist.5.gz -usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_host_whitelist.5.gz -usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_sender_whitelist.5.gz +usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_host_local_deny_exceptions.5.gz +usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_sender_local_deny_exceptions.5.gz usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_sender_callout.5.gz usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_rcpt_callout.5.gz usr/share/man/man5/exim4-config_files.5.gz usr/share/man/man5/exim4_local_domain_dnsbl_whitelist.5.gz diff -Nru exim4-4.80/debian/exim-gencert exim4-4.82/debian/exim-gencert --- exim4-4.80/debian/exim-gencert 2012-09-23 10:07:23.000000000 +0000 +++ exim4-4.82/debian/exim-gencert 2013-12-10 16:58:28.000000000 +0000 
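Review bot: the symlinks for exim4_local_host_whitelist(5) and exim4_local_sender_whitelist(5), which were shipped in 4.80 (the - lines), are removed outright rather than kept alongside the new exim4_host_local_deny_exceptions and exim4_sender_local_deny_exceptions names, so `man exim4_local_host_whitelist` stops working on upgrade for anyone who learnt the old names from earlier documentation. Keep both sets of links for at least one release and mention the rename in NEWS.Debian; also confirm that exim4-config_files.5 itself documents the new file names, since these links only point at that one page.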
@@ -37,7 +37,7 @@ cat > $SSLEAY < -Last-Update: 2011-01-23 -Forwarded: not-needed (upstream wants to keep non-GNU make compat) - -diff -NurBbp a/OS/Makefile-Linux b/OS/Makefile-Linux ---- a/OS/Makefile-Linux 2011-01-23 11:50:26.000000000 +0100 -+++ b/OS/Makefile-Linux 2011-01-23 13:30:41.000000000 +0100 -@@ -10,7 +10,7 @@ CHOWN_COMMAND=look_for_it - CHGRP_COMMAND=look_for_it - CHMOD_COMMAND=look_for_it - --CFLAGS=-O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -+CFLAGS ?= -O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE - CFLAGS_DYNAMIC=-shared -rdynamic - - DBMLIB = -ldb diff -Nru exim4-4.80/debian/patches/31_eximmanpage.dpatch exim4-4.82/debian/patches/31_eximmanpage.dpatch --- exim4-4.80/debian/patches/31_eximmanpage.dpatch 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/patches/31_eximmanpage.dpatch 2013-12-10 16:58:28.000000000 +0000 @@ -2,12 +2,11 @@ accordingly. Author: Marc Haber , Andreas Metzler -Last-Update: 2011-01-23 +Last-Update: 2013-09-28 Forwarded: not-needed (upstream uses the "exim" name) -diff -NurbBp a/doc/exim.8 b/doc/exim.8 ---- a/doc/exim.8 2011-01-23 12:08:08.000000000 +0100 -+++ b/doc/exim.8 2011-01-23 13:39:01.000000000 +0100 +--- exim4-4.82~rc1.orig/doc/exim.8 ++++ exim4-4.82~rc1/doc/exim.8 @@ -1,9 +1,9 @@ -.TH EXIM 8 +.TH EXIM4 8 
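Review bot: dropping 30_dontoverridecflags.dpatch, which turned the hard `CFLAGS=-O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE` in OS/Makefile-Linux into `CFLAGS ?= ...`, is only safe if the 4.82 build still receives the packaging's CFLAGS (including the hardening flags such as the stack protector and FORTIFY_SOURCE) by some other route; the changelog calls the patch "unnecessary" but does not say which upstream change made it so. Name that mechanism in the changelog entry and check a build log (blhc or a grep of the compile lines) that the flags reach every object, because silently losing hardening in a setuid-root MTA would not show up in any functional test.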
@@ -30,24 +29,18 @@ CTRL-D .sp -@@ -118,12 +118,10 @@ By default, Exim listens for incoming co - all the host's running interfaces. However, it is possible to listen on other - ports, on multiple ports, and only on specific interfaces. +@@ -125,8 +125,8 @@ ports, on multiple ports, and only on sp .sp --When a listening daemon --is started without the use of \fB\-oX\fP (that is, without overriding the normal + When a listening daemon + is started without the use of \fB\-oX\fP (that is, without overriding the normal -configuration), it writes its process id to a file called exim\-daemon.pid -in Exim's spool directory. This location can be overridden by setting --PID_FILE_PATH in Local/Makefile. The file is written while Exim is still --running as root. -+When a listening daemon is started without the use of \fB\-oX\fP (that -+is, without overriding the normal configuration), it writes its -+process id to a file called /var/run/exim4/exim.pid. The file is -+written while Exim is still running as root. - .sp - When \fB\-oX\fP is used on the command line to start a listening daemon, the - process id is not written to the normal pid file path. However, \fB\-oP\fP can be -@@ -170,7 +168,7 @@ of lookups, you will just get the same r ++configuration), it writes its process id to a file called ++/var/run/exim4/exim.pid. This location can be overridden by setting + PID_FILE_PATH in Local/Makefile. The file is written while Exim is still + running as root. + .sp +@@ -175,7 +175,7 @@ of lookups, you will just get the same r This option operates like \fB\-be\fP except that it must be followed by the name of a file. For example: .sp 
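Review bot: the rewritten pid-file paragraph in doc/exim.8 (hunk @@ -125,8) now ends with `/var/run/exim4/exim.pid. This location can be overridden by setting PID_FILE_PATH in Local/Makefile.`; the previous version of this patch deliberately dropped the Local/Makefile sentence, because a user of the packaged binary cannot change a build-time setting, and the unchanged context that follows already describes the run-time -oP option. Keep that sentence out, or reword it to say the path is fixed when the package is built and can be changed per invocation with -oP, so the Debian man page does not point administrators at a knob they do not have.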
@@ -56,7 +49,7 @@ .sp The file is read as a message (as if receiving a locally\-submitted non\-SMTP message) before any of the test expansions are done. Thus, message\-specific -@@ -196,7 +194,7 @@ If you want to test a system filter file +@@ -201,7 +201,7 @@ If you want to test a system filter file can use both \fB\-bF\fP and \fB\-bf\fP on the same command, in order to test a system filter and a user filter in the same run. For example: .sp @@ -65,7 +58,7 @@ .sp This is helpful when the system filter adds header lines or sets filter variables that are used by the user filter. -@@ -248,8 +246,8 @@ This option runs a fake SMTP session as +@@ -253,8 +253,8 @@ This option runs a fake SMTP session as standard input and output. The IP address may include a port number at the end, after a full stop. For example: .sp @@ -76,7 +69,7 @@ .sp When an IPv6 address is given, it is converted into canonical form. In the case of the second example above, the value of \fI$sender_host_address\fP after -@@ -370,7 +368,7 @@ main configuration options to be written +@@ -411,7 +411,7 @@ main configuration options to be written of one or more specific options can be requested by giving their names as arguments, for example: .sp @@ -85,7 +78,7 @@ .sp However, any option setting that is preceded by the word "hide" in the configuration file is not shown in full, except to an admin user. For other -@@ -391,7 +389,7 @@ written directly into the spool director +@@ -434,7 +434,7 @@ written directly into the spool director .sp If \fB\-bP\fP is followed by a name preceded by +, for example, .sp @@ -94,7 +87,7 @@ .sp it searches for a matching named list of any type (domain, host, address, or local part) and outputs what it finds. -@@ -400,7 +398,7 @@ If one of the words \fBrouter\fP, \fBtra +@@ -443,7 +443,7 @@ If one of the words \fBrouter\fP, \fBtra followed by the name of an appropriate driver instance, the option settings for that driver are output. For example: .sp 
@@ -103,7 +96,7 @@ .sp The generic driver options are output first, followed by the driver's private options. A list of the names of drivers of a particular type can be obtained by -@@ -479,7 +477,7 @@ This option is for testing retry rules, +@@ -522,7 +522,7 @@ This option is for testing retry rules, arguments. It causes Exim to look for a retry rule that matches the values and to write it to the standard output. For example: .sp @@ -112,7 +105,7 @@ Retry rule: *.comp.mus.example F,2h,15m; F,4d,30m; .sp The first -@@ -492,7 +490,7 @@ rule is found that matches the host, one +@@ -535,7 +535,7 @@ rule is found that matches the host, one sought. Finally, an argument that is the name of a specific delivery error, as used in setting up retry rules, can be given. For example: .sp 
@@ -121,7 +114,25 @@ Retry rule: *@haydn.comp.mus.example quota_3d F,1h,15m .TP 10 \fB\-brw\fP -@@ -734,14 +732,14 @@ command line item. \fB\-D\fP can be used +@@ -638,7 +638,7 @@ doing such tests. + .TP 10 + \fB\-bV\fP + This option causes Exim to write the current version number, compilation +-number, and compilation date of the \fIexim\fP binary to the standard output. ++number, and compilation date of the \fIexim4\fP binary to the standard output. + It also lists the DBM library that is being used, the optional modules (such as + specific lookup types), the drivers that are included in the binary, and the + name of the run time configuration file that is in use. +@@ -666,7 +666,7 @@ If no arguments are given, Exim runs in + right angle bracket for addresses to be verified. + .sp + Unlike the \fB\-be\fP test option, you cannot arrange for Exim to use the +-readline() function, because it is running as \fIexim\fP and there are ++readline() function, because it is running as \fIexim4\fP and there are + security issues. + .sp + Verification differs from address testing (the \fB\-bt\fP option) in that routers +@@ -779,14 +779,14 @@ command line item. \fB\-D\fP can be used string, in which case the equals sign is optional. These two commands are synonymous: .sp @@ -139,7 +150,7 @@ .sp \fB\-D\fP may be repeated up to 10 times on a command line. .TP 10 -@@ -870,8 +868,8 @@ never provoke a bounce. An empty sender +@@ -915,8 +915,8 @@ never provoke a bounce. An empty sender string, or as a pair of angle brackets with nothing between them, as in these examples of shell commands: .sp 
@@ -150,7 +161,7 @@ .sp In addition, the use of \fB\-f\fP is not restricted when testing a filter file with \fB\-bf\fP or when testing or verifying addresses using the \fB\-bt\fP or -@@ -1206,12 +1204,12 @@ other circumstances, they are ignored un +@@ -1267,12 +1267,12 @@ other circumstances, they are ignored un The \fB\-oMa\fP option sets the sender host address. This may include a port number at the end, after a full stop (period). For example: .sp @@ -165,7 +176,7 @@ .sp The IP address is placed in the \fI$sender_host_address\fP variable, and the port, if present, in \fI$sender_host_port\fP. If both \fB\-oMa\fP and \fB\-bh\fP -@@ -1397,13 +1395,13 @@ When scanning the queue, Exim can be mad +@@ -1458,13 +1458,13 @@ When scanning the queue, Exim can be mad lexically less than a given value by following the \fB\-q\fP option with a starting message id. For example: .sp @@ -181,7 +192,7 @@ .sp just one delivery process is started, for that message. This differs from \fB\-M\fP in that retry data is respected, and it also differs from \fB\-Mc\fP in -@@ -1419,7 +1417,7 @@ starting a queue runner process at inter +@@ -1480,7 +1480,7 @@ starting a queue runner process at inter single daemon process handles both functions. A common way of starting up a combined daemon at system boot time is to use a command such as .sp @@ -190,7 +201,7 @@ .sp Such a daemon listens for incoming SMTP calls, and also starts a queue runner process every 30 minutes. -@@ -1450,7 +1448,7 @@ regular expression; otherwise it is a li +@@ -1511,7 +1511,7 @@ regular expression; otherwise it is a li If you want to do periodic queue runs for messages with specific recipients, you can combine \fB\-R\fP with \fB\-q\fP and a time value. For example: .sp 
@@ -199,8 +210,8 @@ .sp This example does a queue run for messages with recipients in the given domain every 25 minutes. Any additional flags that are specified with \fB\-q\fP are -@@ -1556,6 +1554,27 @@ this option. - .sp +@@ -1620,6 +1620,26 @@ This option is interpreted by Sendmail t + to the named file. It is ignored by Exim. . .SH "SEE ALSO" +.BR exicyclog (8), @@ -226,4 +237,3 @@ +.SH AUTHOR +This manual page was provided with the upstream Exim source package. +It was enhanced for the Debian GNU/Linux system. -+ diff -Nru exim4-4.80/debian/patches/32_exim4.dpatch exim4-4.82/debian/patches/32_exim4.dpatch --- exim4-4.80/debian/patches/32_exim4.dpatch 2012-09-23 10:07:23.000000000 +0000 +++ exim4-4.82/debian/patches/32_exim4.dpatch 2013-12-10 16:58:28.000000000 +0000 @@ -1,11 +1,12 @@ -## 32_exim4.dpatch by Andreas Metzler +Description: Accomodate source for installing exim as exim4. +Author: Andreas Metzler +Origin: vendor +Forwarded: not-needed +Last-Update: 2013-09-28 -## DP: The main binary is installed as /usr/sbin/exim4 - -diff -NurBbp exim-4.71.orig/OS/Makefile-Linux exim-4.71/OS/Makefile-Linux ---- exim-4.71.orig/OS/Makefile-Linux 2009-11-28 10:52:23.000000000 +0100 -+++ exim-4.71/OS/Makefile-Linux 2009-11-28 10:53:07.000000000 +0100 -@@ -24,9 +24,9 @@ XLFLAGS=-L$(X11)/lib +--- exim4-4.82~rc1.orig/OS/Makefile-Linux ++++ exim4-4.82~rc1/OS/Makefile-Linux +@@ -28,9 +28,9 @@ XLFLAGS=-L$(X11)/lib X11_LD_LIB=$(X11)/lib EXIWHAT_PS_ARG=ax @@ -17,10 +18,9 @@ EXIWHAT_KILL_SIGNAL=-USR1 # End -diff -NurBbp exim-4.71.orig/src/exicyclog.src exim-4.71/src/exicyclog.src ---- exim-4.71.orig/src/exicyclog.src 2009-11-16 20:50:36.000000000 +0100 -+++ exim-4.71/src/exicyclog.src 2009-11-28 10:53:07.000000000 +0100 -@@ -145,7 +145,7 @@ done +--- exim4-4.82~rc1.orig/src/exicyclog.src ++++ exim4-4.82~rc1/src/exicyclog.src +@@ -144,7 +144,7 @@ done st=' ' exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"` 
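Review bot: "Accomodate" in the new DEP-3 Description of 32_exim4.dpatch is misspelled; it should read "Accommodate source for installing exim as exim4." The rest of the header conversion (Author, Origin: vendor, Forwarded: not-needed, Last-Update) is complete, and the Makefile-Linux and exicyclog.src hunks are pure renumbering against 4.82~rc1.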
@@ -29,10 +29,9 @@ spool_directory=`$exim_path -C $config -bP spool_directory | sed 's/.*=[ ]*//'` -diff -NurBbp exim-4.71.orig/src/exim_checkaccess.src exim-4.71/src/exim_checkaccess.src ---- exim-4.71.orig/src/exim_checkaccess.src 2009-11-16 20:50:36.000000000 +0100 -+++ exim-4.71/src/exim_checkaccess.src 2009-11-28 10:55:19.000000000 +0100 -@@ -53,7 +53,7 @@ done +--- exim4-4.82~rc1.orig/src/exim_checkaccess.src ++++ exim4-4.82~rc1/src/exim_checkaccess.src +@@ -52,7 +52,7 @@ done # a tab to keep the tab in one place. exim_path=`perl -ne 'chop;if (/^\s*exim_path\s*=\s*(.*)/){print "$1\n";last;}' $config` @@ -41,10 +40,9 @@ ######################################################################### -diff -NurBbp exim-4.71.orig/src/eximon.src exim-4.71/src/eximon.src ---- exim-4.71.orig/src/eximon.src 2004-10-07 12:39:01.000000000 +0200 -+++ exim-4.71/src/eximon.src 2009-11-28 10:53:07.000000000 +0100 -@@ -66,7 +66,7 @@ config=${EXIMON_EXIM_CONFIG-$config} +--- exim4-4.82~rc1.orig/src/eximon.src ++++ exim4-4.82~rc1/src/eximon.src +@@ -72,7 +72,7 @@ config=${EXIMON_EXIM_CONFIG-$config} st=' ' EXIM_PATH=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"` @@ -53,10 +51,9 @@ SPOOL_DIRECTORY=`$EXIM_PATH -C $config -bP spool_directory | sed 's/.*=[ ]*//'` LOG_FILE_PATH=`$EXIM_PATH -C $config -bP log_file_path | sed 's/.*=[ ]*//'` -diff -NurBbp exim-4.71.orig/src/exinext.src exim-4.71/src/exinext.src ---- exim-4.71.orig/src/exinext.src 2009-11-16 20:50:36.000000000 +0100 -+++ exim-4.71/src/exinext.src 2009-11-28 10:53:07.000000000 +0100 -@@ -91,7 +91,7 @@ if [ "$exim_path" = "" ]; then +--- exim4-4.82~rc1.orig/src/exinext.src ++++ exim4-4.82~rc1/src/exinext.src +@@ -90,7 +90,7 @@ if [ "$exim_path" = "" ]; then exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"` fi 
@@ -65,7 +62,7 @@ spool_directory=`$exim_path $eximmacdef -C $config -bP spool_directory | sed 's/.*=[ ]*//'` qualify_domain=`$exim_path $eximmacdef -C $config -bP qualify_domain | sed 's/.*=[ ]*//'` -@@ -172,7 +172,7 @@ perl - $exim_path "$eximmacdef" $argone +@@ -171,7 +171,7 @@ perl - $exim_path "$eximmacdef" $argone # Run exim_dumpdb to get out the retry data and pick off what we want @@ -74,10 +71,9 @@ die "can't run exim_dumpdb"; while () -diff -NurBbp exim-4.71.orig/src/exiqgrep.src exim-4.71/src/exiqgrep.src ---- exim-4.71.orig/src/exiqgrep.src 2004-10-07 12:39:01.000000000 +0200 -+++ exim-4.71/src/exiqgrep.src 2009-11-28 10:53:07.000000000 +0100 -@@ -22,7 +22,7 @@ use strict; +--- exim4-4.82~rc1.orig/src/exiqgrep.src ++++ exim4-4.82~rc1/src/exiqgrep.src +@@ -21,7 +21,7 @@ use strict; use Getopt::Std; # Have this variable point to your exim binary. @@ -86,10 +82,9 @@ my $eargs = '-bpu'; my %id; my %opt; -diff -NurBbp exim-4.71.orig/src/exiwhat.src exim-4.71/src/exiwhat.src ---- exim-4.71.orig/src/exiwhat.src 2009-11-16 20:50:36.000000000 +0100 -+++ exim-4.71/src/exiwhat.src 2009-11-28 10:53:07.000000000 +0100 -@@ -89,7 +89,7 @@ fi +--- exim4-4.82~rc1.orig/src/exiwhat.src ++++ exim4-4.82~rc1/src/exiwhat.src +@@ -88,7 +88,7 @@ fi st=' ' exim_path=`grep "^[$st]*exim_path" $config | sed "s/.*=[$st]*//"` 
@@ -98,10 +93,9 @@ spool_directory=`$exim_path -C $config -bP spool_directory | sed "s/.*=[ ]*//"` process_log_path=`$exim_path -C $config -bP process_log_path | sed "s/.*=[ ]*//"` -diff -NurBbp exim-4.71.orig/src/globals.c exim-4.71/src/globals.c ---- exim-4.71.orig/src/globals.c 2009-11-16 20:50:37.000000000 +0100 -+++ exim-4.71/src/globals.c 2009-11-28 10:53:07.000000000 +0100 -@@ -569,7 +569,7 @@ int errors_sender_rc = EXIT_FA +--- exim4-4.82~rc1.orig/src/globals.c ++++ exim4-4.82~rc1/src/globals.c +@@ -633,7 +633,7 @@ int errors_sender_rc = EXIT_FA gid_t exim_gid = EXIM_GID; BOOL exim_gid_set = TRUE; /* This gid is always set */ diff -Nru exim4-4.80/debian/patches/34_eximstatsmanpage.dpatch exim4-4.82/debian/patches/34_eximstatsmanpage.dpatch --- exim4-4.80/debian/patches/34_eximstatsmanpage.dpatch 2012-09-23 10:07:23.000000000 +0000 +++ exim4-4.82/debian/patches/34_eximstatsmanpage.dpatch 2013-12-10 16:58:28.000000000 +0000 
@@ -1,14 +1,13 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 34_eximstatsmanpage.dpatch by Andreas Metzler -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Add note about installing perl-modules on Debian to -## DP: generated manpage +Description: Add note about installing perl-modules on Debian to + generated manpage +Author: Andreas Metzler +Origin: vendor +Forwarded: not-needed +Last-Update: 2013-09-28 -diff -NurbBp exim.orig/src/eximstats.src exim/src/eximstats.src ---- exim.orig/src/eximstats.src 2009-10-19 14:26:34.000000000 +0200 -+++ exim/src/eximstats.src 2009-11-15 12:16:19.000000000 +0100 -@@ -500,6 +500,10 @@ To install these, download and unpack th +--- exim4-4.82~rc1.orig/src/eximstats.src ++++ exim4-4.82~rc1/src/eximstats.src +@@ -501,6 +501,10 @@ To install these, download and unpack th make test make install diff -Nru exim4-4.80/debian/patches/35_install.dpatch exim4-4.82/debian/patches/35_install.dpatch --- exim4-4.80/debian/patches/35_install.dpatch 2012-09-23 10:07:23.000000000 +0000 +++ exim4-4.82/debian/patches/35_install.dpatch 2013-12-10 16:58:28.000000000 +0000 
@@ -1,14 +1,13 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 35_install.dpatch by Andreas Metzler -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Exim's installation scripts install the binary as exim- -## DP: - disable this feature. +Description: Exim's installation scripts install the binary as + exim- - disable this feature. +Author: Andreas Metzler +Origin: vendor +Forwarded: not-needed +Last-Update: 2013-09-28 -diff -NurbBp exim.orig/scripts/exim_install exim/scripts/exim_install ---- exim.orig/scripts/exim_install 2009-10-30 16:14:04.000000000 +0100 -+++ exim/scripts/exim_install 2009-11-15 12:16:39.000000000 +0100 -@@ -218,8 +218,9 @@ while [ $# -gt 0 ]; do +--- exim4-4.82~rc1.orig/scripts/exim_install ++++ exim4-4.82~rc1/scripts/exim_install +@@ -217,8 +217,9 @@ while [ $# -gt 0 ]; do # The exim binary is handled specially if [ $name = exim${EXE} ]; then @@ -20,7 +19,7 @@ if [ "${version}" = "exim-${EXE}" ]; then echo $com "" -@@ -369,10 +370,8 @@ done +@@ -368,10 +369,8 @@ done @@ -33,7 +32,7 @@ # However, if CONFIGURE_FILE specifies a list of files, skip this code. -@@ -395,7 +394,7 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then +@@ -394,7 +393,7 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then ${real} ${MKDIR} -p `${DIRNAME} ${CONFIGURE_FILE}` echo sed -e '\\' @@ -42,7 +41,7 @@ echo " ../src/configure.default > \${CONFIGURE_FILE}" # I can't find a way of writing this using the ${real} feature because -@@ -404,7 +403,7 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then +@@ -403,7 +402,7 @@ elif [ ! -f ${CONFIGURE_FILE} ]; then if [ "$real" = "" ] ; then sed -e \ diff -Nru exim4-4.80/debian/patches/50_localscan_dlopen.dpatch exim4-4.82/debian/patches/50_localscan_dlopen.dpatch --- exim4-4.80/debian/patches/50_localscan_dlopen.dpatch 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/patches/50_localscan_dlopen.dpatch 2013-12-10 16:58:28.000000000 +0000 
@@ -1,28 +1,19 @@ ## 50_localscan_dlopen.dpatch by Marc MERLIN -## DP: Allow to use and switch between different local_scan functions without -## DP: recompiling exim. -## DP: http://marc.merlins.org/linux/exim/files/sa-exim-current/ -## DP: Original patch from David Woodhouse, modified first by Derrick 'dman' -## DP: Hudson and then by Marc MERLIN for SA-Exim and minor/major API version -## DP: tracking -diff -NurBbp exim-4.80.orig/src/config.h.defaults exim-4.80/src/config.h.defaults ---- exim-4.80.orig/src/config.h.defaults 2012-05-21 06:32:11.000000000 +0200 -+++ exim-4.80/src/config.h.defaults 2012-05-21 19:31:11.000000000 +0200 -@@ -27,6 +27,8 @@ it's a default value. */ - - #define AUTH_VARS 3 - -+#define DLOPEN_LOCAL_SCAN -+ - #define BIN_DIRECTORY - - #define CONFIGURE_FILE -diff -NurBbp exim-4.80.orig/src/EDITME exim-4.80/src/EDITME ---- exim-4.80.orig/src/EDITME 2012-05-21 06:32:11.000000000 +0200 -+++ exim-4.80/src/EDITME 2012-05-21 19:31:11.000000000 +0200 -@@ -736,6 +736,21 @@ HEADERS_CHARSET="ISO-8859-1" +Description: Allow to use and switch between different local_scan functions + without recompiling exim. + http://marc.merlins.org/linux/exim/files/sa-exim-current/ Original patch from + David Woodhouse, modified first by Derrick 'dman' Hudson and then by Marc + MERLIN for SA-Exim and minor/major API version tracking +Author: David Woodhouse, Derrick 'dman' Hudson, Marc MERLIN +Origin: other, http://marc.merlins.org/linux/exim/files/sa-exim-current/ +Forwarded: no +Last-Update: 2013-09-28 + +--- exim4-4.82~rc1.orig/src/EDITME ++++ exim4-4.82~rc1/src/EDITME +@@ -752,6 +752,21 @@ HEADERS_CHARSET="ISO-8859-1" #------------------------------------------------------------------------------ 
@@ -44,23 +35,32 @@ # The default distribution of Exim contains only the plain text form of the # documentation. Other forms are available separately. If you want to install # the documentation in "info" format, first fetch the Texinfo documentation -diff -NurBbp exim-4.80.orig/src/globals.c exim-4.80/src/globals.c ---- exim-4.80.orig/src/globals.c 2012-05-21 19:29:24.000000000 +0200 -+++ exim-4.80/src/globals.c 2012-05-21 19:31:11.000000000 +0200 -@@ -129,6 +129,9 @@ uschar *tls_verify_certificates= NULL; - uschar *tls_verify_hosts = NULL; - #endif +--- exim4-4.82~rc1.orig/src/config.h.defaults ++++ exim4-4.82~rc1/src/config.h.defaults +@@ -27,6 +27,8 @@ it's a default value. */ + + #define AUTH_VARS 3 + ++#define DLOPEN_LOCAL_SCAN ++ + #define BIN_DIRECTORY + + #define CONFIGURE_FILE +--- exim4-4.82~rc1.orig/src/globals.c ++++ exim4-4.82~rc1/src/globals.c +@@ -116,6 +116,9 @@ tls_support tls_out = { + NULL /* tls_sni */ + }; +#ifdef DLOPEN_LOCAL_SCAN +uschar *local_scan_path = NULL; +#endif - /* Input-reading functions for messages, so we can use special ones for - incoming TCP/IP. The defaults use stdin. We never need these for any -diff -NurBbp exim-4.80.orig/src/globals.h exim-4.80/src/globals.h ---- exim-4.80.orig/src/globals.h 2012-05-21 06:32:11.000000000 +0200 -+++ exim-4.80/src/globals.h 2012-05-21 19:31:11.000000000 +0200 -@@ -108,6 +108,9 @@ extern uschar *tls_verify_certificates;/ + #ifdef SUPPORT_TLS + BOOL gnutls_compat_mode = FALSE; +--- exim4-4.82~rc1.orig/src/globals.h ++++ exim4-4.82~rc1/src/globals.h +@@ -113,6 +113,9 @@ extern uschar *tls_verify_certificates;/ extern uschar *tls_verify_hosts; /* Mandatory client verification */ #endif 
@@ -70,9 +70,8 @@ /* Input-reading functions for messages, so we can use special ones for incoming TCP/IP. */ -diff -NurBbp exim-4.80.orig/src/local_scan.c exim-4.80/src/local_scan.c ---- exim-4.80.orig/src/local_scan.c 2012-05-21 06:32:11.000000000 +0200 -+++ exim-4.80/src/local_scan.c 2012-05-21 19:31:11.000000000 +0200 +--- exim4-4.82~rc1.orig/src/local_scan.c ++++ exim4-4.82~rc1/src/local_scan.c @@ -5,60 +5,131 @@ /* Copyright (c) University of Cambridge 1995 - 2009 */ /* See the file NOTICE for conditions of use and distribution. */ @@ -252,9 +251,8 @@ +#endif /* DLOPEN_LOCAL_SCAN */ + /* End of local_scan.c */ -diff -NurBbp exim-4.80.orig/src/local_scan.h exim-4.80/src/local_scan.h ---- exim-4.80.orig/src/local_scan.h 2012-05-21 06:32:11.000000000 +0200 -+++ exim-4.80/src/local_scan.h 2012-05-21 19:31:11.000000000 +0200 +--- exim4-4.82~rc1.orig/src/local_scan.h ++++ exim4-4.82~rc1/src/local_scan.h @@ -17,6 +17,7 @@ settings, and the store functions. */ #include @@ -270,10 +268,9 @@ +#pragma GCC visibility pop + /* End of local_scan.h */ -diff -NurBbp exim-4.80.orig/src/readconf.c exim-4.80/src/readconf.c ---- exim-4.80.orig/src/readconf.c 2012-05-21 06:32:11.000000000 +0200 -+++ exim-4.80/src/readconf.c 2012-05-21 19:31:11.000000000 +0200 -@@ -276,6 +276,9 @@ static optionlist optionlist_config[] = +--- exim4-4.82~rc1.orig/src/readconf.c ++++ exim4-4.82~rc1/src/readconf.c +@@ -286,6 +286,9 @@ static optionlist optionlist_config[] = { "local_from_prefix", opt_stringptr, &local_from_prefix }, { "local_from_suffix", opt_stringptr, &local_from_suffix }, { "local_interfaces", opt_stringptr, &local_interfaces }, diff -Nru exim4-4.80/debian/patches/60_convert4r4.dpatch exim4-4.82/debian/patches/60_convert4r4.dpatch --- exim4-4.80/debian/patches/60_convert4r4.dpatch 2012-09-23 10:07:23.000000000 +0000 +++ exim4-4.82/debian/patches/60_convert4r4.dpatch 2013-12-10 16:58:28.000000000 +0000 
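Review bot: the body of the local_scan.c hunk (`@@ -5,60 +5,131 @@`) is not reproduced in this diff, so the part that actually matters for review, the dlopen() of the path held in the new `local_scan_path` main option and the "minor/major API version tracking" the Description promises, cannot be checked from what is shown here; please confirm that a version mismatch refuses to load the module and fails closed (defer the message, not skip local_scan), and that the configured path is required to be absolute, since the option is read from the run-time configuration via the readconf.c optionlist hunk. Two smaller points: the stale first line "## 50_localscan_dlopen.dpatch by Marc MERLIN" survives above the new Description field and should go with the other `## DP:` lines that were removed, and the `#pragma GCC visibility pop` added to local_scan.h needs its matching push in the elided part of the same file, which is not visible here.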
@@ -1,13 +1,12 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 60_convert4r4.dpatch by Marc Haber -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: No description. +Description: Add a warning message to convert4r4 +Author: Marc Haber +Origin: vendor +Forwarded: no +Last-Update: 2013-09-28 -diff -NurbBp exim.orig/src/convert4r4.src exim/src/convert4r4.src ---- exim.orig/src/convert4r4.src 2004-10-07 12:39:01.000000000 +0200 -+++ exim/src/convert4r4.src 2009-11-15 12:17:21.000000000 +0100 -@@ -653,6 +653,32 @@ return defined $main{$_[0]} && $main{$_[ +--- exim4-4.82~rc1.orig/src/convert4r4.src ++++ exim4-4.82~rc1/src/convert4r4.src +@@ -652,6 +652,32 @@ return defined $main{$_[0]} && $main{$_[ print STDERR "Runtime configuration file converter for Exim release 4.\n"; diff -Nru exim4-4.80/debian/patches/66_enlarge-dh-parameters-size.dpatch exim4-4.82/debian/patches/66_enlarge-dh-parameters-size.dpatch --- exim4-4.80/debian/patches/66_enlarge-dh-parameters-size.dpatch 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/patches/66_enlarge-dh-parameters-size.dpatch 2013-12-10 16:58:28.000000000 +0000 
@@ -1,16 +1,15 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 66_enlarge-dh-parameters-size.dpatch by Marc Haber -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: Enlarge default server side size of DH parameters to 2048 from 1024. -## DP: This patch has no effect if building against gnutls >= 2.12, because -## DP: exim is using gnutls_sec_param_to_pk_bits() to get correct number -## DP: of dh_bits when built against newer gnutls-versions. +Description: Enlarge default server side size of DH parameters to 2048 + from 1024. This patch has no effect if building against gnutls >= 2.12, + because exim is using gnutls_sec_param_to_pk_bits() to get correct number + of dh_bits when built against newer gnutls-versions. +Author: Marc Haber +Origin: vendor +Forwarded: no +Last-Update: 2013-09-28 -diff -NurBbp exim-4.80.orig/src/tls-gnu.c exim-4.80/src/tls-gnu.c ---- exim-4.80.orig/src/tls-gnu.c 2012-05-19 01:17:38.000000000 +0200 -+++ exim-4.80/src/tls-gnu.c 2012-05-20 12:01:24.000000000 +0200 -@@ -159,7 +159,7 @@ callbacks. */ +--- exim4-4.82~rc1.orig/src/tls-gnu.c ++++ exim4-4.82~rc1/src/tls-gnu.c +@@ -164,7 +164,7 @@ callbacks. */ can ask for a bit-strength. Without that, we stick to the constant we had before, for now. */ #ifndef EXIM_SERVER_DH_BITS_PRE2_12 diff -Nru exim4-4.80/debian/patches/75_openssl_sni.diff exim4-4.82/debian/patches/75_openssl_sni.diff --- exim4-4.80/debian/patches/75_openssl_sni.diff 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/patches/75_openssl_sni.diff 1970-01-01 00:00:00.000000000 +0000 
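Review bot: the new Description of 66_enlarge-dh-parameters-size.dpatch itself states that the change to EXIM_SERVER_DH_BITS_PRE2_12 has no effect when Exim is built against gnutls >= 2.12, because gnutls_sec_param_to_pk_bits() is used instead; unless the package can still be built against an older GnuTLS, this is dead code being refreshed for 4.82~rc1 and it would be cleaner to drop the patch than to keep re-targeting it. If it is kept, the hunk body (the `#ifndef EXIM_SERVER_DH_BITS_PRE2_12` default) should be shown in full so the 2048 value can be verified.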
@@ -1,30 +0,0 @@ -From 2c9a0e86055f1e86ca5cdde421f5f8c9a48b0194 Mon Sep 17 00:00:00 2001 -From: Phil Pennock -Date: Wed, 6 Jun 2012 19:46:40 -0400 -Subject: [PATCH] BUGFIX: forced-fail smtp option tls_sni would dereference - NULL - ---- - src/tls-openssl.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/tls-openssl.c b/src/tls-openssl.c -index 22c0730..17cc721 100644 ---- a/src/tls-openssl.c -+++ b/src/tls-openssl.c -@@ -1289,7 +1289,11 @@ if (sni) - { - if (!expand_check(sni, US"tls_sni", &tls_sni)) - return FAIL; -- if (!Ustrlen(tls_sni)) -+ if (tls_sni == NULL) -+ { -+ DEBUG(D_tls) debug_printf("Setting TLS SNI forced to fail, not sending\n"); -+ } -+ else if (!Ustrlen(tls_sni)) - tls_sni = NULL; - else - { --- -1.7.10 - diff -Nru exim4-4.80/debian/patches/75_unbind-ldap-connection.diff exim4-4.82/debian/patches/75_unbind-ldap-connection.diff --- exim4-4.80/debian/patches/75_unbind-ldap-connection.diff 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/75_unbind-ldap-connection.diff 2013-12-10 16:58:28.000000000 +0000 
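Review bot: removing 75_openssl_sni.diff is correct only if the 4.82 sources already carry upstream commit 2c9a0e86055f1e86ca5cdde421f5f8c9a48b0194; please check that src/tls-openssl.c in 4.82 tests `tls_sni == NULL` before calling `Ustrlen(tls_sni)` after the expand_check() of `tls_sni`, since without that guard a forced-fail expansion of the smtp transport's tls_sni option dereferences NULL in the client.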
@@ -0,0 +1,26 @@ +From ff2c417d0b970db22a382cb692d066d8fe3c32ae Mon Sep 17 00:00:00 2001 +From: Todd Lyons +Date: Thu, 31 Oct 2013 06:04:27 -0700 +Subject: [PATCH 1/8] Only unbind ldap connection if bind succeeded + +--- + src/lookups/ldap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/lookups/ldap.c b/src/lookups/ldap.c +index bb29b43..6129b4b 100644 +--- a/src/lookups/ldap.c ++++ b/src/lookups/ldap.c +@@ -1367,7 +1367,8 @@ while ((lcp = ldap_connections) != NULL) + { + DEBUG(D_lookup) debug_printf("unbind LDAP connection to %s:%d\n", lcp->host, + lcp->port); +- ldap_unbind(lcp->ld); ++ if(lcp->bound == TRUE) ++ ldap_unbind(lcp->ld); + ldap_connections = lcp->next; + } + } +-- +1.7.10.4 + diff -Nru exim4-4.80/debian/patches/76_fix_ldap_option_setting.diff exim4-4.82/debian/patches/76_fix_ldap_option_setting.diff --- exim4-4.80/debian/patches/76_fix_ldap_option_setting.diff 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/76_fix_ldap_option_setting.diff 2013-12-10 16:58:28.000000000 +0000 
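Review bot: guarding the call with `if(lcp->bound == TRUE) ldap_unbind(lcp->ld);` means a cached connection whose bind failed is dropped from `ldap_connections` without its `lcp->ld` handle ever being released, so unless the bind-failure path frees the handle elsewhere this trades the original problem for a leak per failed bind; consider keying the decision on the handle (`if (lcp->ld != NULL)`) and using `bound` only to decide whether an unbind is meaningful. Note also that the hunk relies on a `bound` member of the connection struct that this patch does not add, so it only applies on a 4.82 tree that already has it. Style: Exim code writes `if (x)` rather than `if(x == TRUE)`.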
@@ -0,0 +1,106 @@ +From f535f98390710c48b0fe2bf3bbe751a3459ca72b Mon Sep 17 00:00:00 2001 +From: Todd Lyons +Date: Thu, 31 Oct 2013 09:42:15 -0700 +Subject: [PATCH] Fix ldap option setting. + +Some client libs set a global context, newer client libs set a global + default which then needs to be reloaded. + +diff --git a/src/lookups/ldap.c b/src/lookups/ldap.c +index 6129b4b..a25868f 100644 +--- a/src/lookups/ldap.c ++++ b/src/lookups/ldap.c +@@ -280,6 +280,13 @@ if (lcp == NULL) + { + LDAP *ld; + ++ #ifdef LDAP_OPT_X_TLS_NEWCTX ++ int am_server = 0; ++ LDAP *ldsetctx; ++ #else ++ LDAP *ldsetctx = NULL; ++ #endif ++ + + /* --------------------------- OpenLDAP ------------------------ */ + +@@ -365,6 +372,10 @@ if (lcp == NULL) + goto RETURN_ERROR; + } + ++ #ifdef LDAP_OPT_X_TLS_NEWCTX ++ ldsetctx = ld; ++ #endif ++ + /* Set the TCP connect time limit if available. This is something that is + in Netscape SDK v4.1; I don't know about other libraries. */ + +@@ -461,31 +472,31 @@ if (lcp == NULL) + #ifdef LDAP_OPT_X_TLS_CACERTFILE + if (eldap_ca_cert_file != NULL) + { +- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file); ++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTFILE, eldap_ca_cert_file); + } + #endif + #ifdef LDAP_OPT_X_TLS_CACERTDIR + if (eldap_ca_cert_dir != NULL) + { +- ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir); ++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CACERTDIR, eldap_ca_cert_dir); + } + #endif + #ifdef LDAP_OPT_X_TLS_CERTFILE + if (eldap_cert_file != NULL) + { +- ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file); ++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CERTFILE, eldap_cert_file); + } + #endif + #ifdef LDAP_OPT_X_TLS_KEYFILE + if (eldap_cert_key != NULL) + { +- ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key); ++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_KEYFILE, eldap_cert_key); + } + #endif + #ifdef LDAP_OPT_X_TLS_CIPHER_SUITE + if (eldap_cipher_suite != NULL) + { +- ldap_set_option(ld, 
LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite); ++ ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_CIPHER_SUITE, eldap_cipher_suite); + } + #endif + #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT +@@ -508,8 +519,26 @@ if (lcp == NULL) + { + cert_option = LDAP_OPT_X_TLS_TRY; + } +- /* Use NULL ldap handle because is a global option */ +- ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); ++ /* This ldap handle is set at compile time based on client libs. Older ++ * versions want it to be global and newer versions can force a reload ++ * of the TLS context (to reload these settings we are changing from the ++ * default that loaded at instantiation). */ ++ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); ++ if (rc) ++ { ++ DEBUG(D_lookup) ++ debug_printf("Unable to set TLS require cert_option(%d) globally: %s\n", ++ cert_option, ldap_err2string(rc)); ++ } ++ } ++ #endif ++ #ifdef LDAP_OPT_X_TLS_NEWCTX ++ rc = ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_NEWCTX, &am_server); ++ if (rc) ++ { ++ DEBUG(D_lookup) ++ debug_printf("Unable to reload TLS context %d: %s\n", ++ rc, ldap_err2string(rc)); + } + #endif + +-- +1.6.3.2 + diff -Nru exim4-4.80/debian/patches/76_tls_dh_min_bits.diff exim4-4.82/debian/patches/76_tls_dh_min_bits.diff --- exim4-4.80/debian/patches/76_tls_dh_min_bits.diff 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/patches/76_tls_dh_min_bits.diff 1970-01-01 00:00:00.000000000 +0000 
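Review bot: in the `@@ -508,8 +519,26 @@` hunk of 76_fix_ldap_option_setting.diff a non-zero return from `ldap_set_option(ldsetctx, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option)` and from the `LDAP_OPT_X_TLS_NEWCTX` reload is only reported under `DEBUG(D_lookup)` and the lookup then proceeds, so a failure to apply the configured certificate requirement (or to rebuild the TLS context that the CA file, cert, key and cipher options were just written into) fails open with whatever the default context allows; when the administrator has set the require-cert option, a failed set should be treated as a lookup error rather than a debug line. Two smaller points: the message "Unable to set TLS require cert_option(%d) globally" is no longer accurate when `ldsetctx` is the per-handle `ld`, and the uninitialised `LDAP *ldsetctx;` in the `LDAP_OPT_X_TLS_NEWCTX` branch is only safe because every `ldap_set_option(ldsetctx, ...)` comes after the `ldsetctx = ld;` assignment that follows the ldap_init error check, which is worth a comment.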
@@ -1,186 +0,0 @@ -From 54c90be16587ca315041c964e251f07fc2bcf0e9 Mon Sep 17 00:00:00 2001 -From: Phil Pennock -Date: Fri, 1 Jun 2012 05:52:31 -0400 -Subject: [PATCH] tls_dh_min_bits smtp transport option - -Could not find an API for use with OpenSSL, so GnuTLS only ---- - src/buildconfig.c | 11 ++++++----- - src/config.h.defaults | 3 ++- - src/functions.h | 2 +- - src/tls-gnu.c | 15 +++++++++++++-- - src/tls-openssl.c | 4 +++- - src/transports/smtp.c | 9 +++++++-- - src/transports/smtp.h | 3 ++- - 11 files changed, 70 insertions(+), 13 deletions(-) - -diff --git a/src/buildconfig.c b/src/buildconfig.c -index 62114fc..f3390cb 100644 ---- a/src/buildconfig.c -+++ b/src/buildconfig.c -@@ -847,16 +847,17 @@ else if (isgroup) - } - - /* how many bits Exim, as a client, demands must be in D-H */ -- /* as of GnuTLS 2.12.x, we ask for "normal" for D-H PK; before that, we -- specify the number of bits. We've stuck with the historical value, but -- it can be overridden. */ -- else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_BITS") == 0) || -+ /* 1024 is a historical figure; some sites actually use lower, so we -+ permit the value to be lowered "dangerously" low, but not "insanely" -+ low. Though actually, 1024 is becoming "dangerous". */ -+ else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_MIN_BITS") == 0) || -+ (strcmp(name, "EXIM_CLIENT_DH_DEFAULT_MIN_BITS") == 0) || - (strcmp(name, "EXIM_SERVER_DH_BITS_PRE2_12") == 0)) - { - long nv; - char *end; - nv = strtol(value, &end, 10); -- if (end != value && *end == '\0' && nv >= 1000 && nv < 50000) -+ if (end != value && *end == '\0' && nv >= 512 && nv < 500000) - { - fprintf(new, "%s\n", value); - } -diff --git a/src/config.h.defaults b/src/config.h.defaults -index 92a4cd3..f02aef1 100644 ---- a/src/config.h.defaults -+++ b/src/config.h.defaults -@@ -49,7 +49,8 @@ it's a default value. 
*/ - #define EXIMDB_LOCK_TIMEOUT 60 - #define EXIMDB_LOCKFILE_MODE 0640 - #define EXIMDB_MODE 0640 --#define EXIM_CLIENT_DH_MIN_BITS -+#define EXIM_CLIENT_DH_MIN_MIN_BITS 512 -+#define EXIM_CLIENT_DH_DEFAULT_MIN_BITS 1024 - #define EXIM_GNUTLS_LIBRARY_LOG_LEVEL - #define EXIM_SERVER_DH_BITS_PRE2_12 - #define EXIM_PERL -diff --git a/src/functions.h b/src/functions.h -index fa9d558..2758a4a 100644 ---- a/src/functions.h -+++ b/src/functions.h -@@ -27,7 +27,7 @@ extern const char * - std_dh_prime_named(const uschar *); - extern int tls_client_start(int, host_item *, address_item *, uschar *, - uschar *, uschar *, uschar *, uschar *, uschar *, uschar *, -- int); -+ int, int); - extern void tls_close(BOOL); - extern int tls_feof(void); - extern int tls_ferror(void); -diff --git a/src/tls-gnu.c b/src/tls-gnu.c -index c8bf634..cf315b6 100644 ---- a/src/tls-gnu.c -+++ b/src/tls-gnu.c -@@ -1536,6 +1536,7 @@ Arguments: - verify_certs file for certificate verify - verify_crl CRL for verify - require_ciphers list of allowed ciphers or NULL -+ dh_min_bits minimum number of bits acceptable in server's DH prime - timeout startup timeout - - Returns: OK/DEFER/FAIL (because using common functions), -@@ -1547,7 +1548,7 @@ tls_client_start(int fd, host_item *host, - address_item *addr ARG_UNUSED, uschar *dhparam ARG_UNUSED, - uschar *certificate, uschar *privatekey, uschar *sni, - uschar *verify_certs, uschar *verify_crl, -- uschar *require_ciphers, int timeout) -+ uschar *require_ciphers, int dh_min_bits, int timeout) - { - int rc; - const char *error; -@@ -1559,7 +1560,17 @@ rc = tls_init(host, certificate, privatekey, - sni, verify_certs, verify_crl, require_ciphers, &state); - if (rc != OK) return rc; - --gnutls_dh_set_prime_bits(state->session, EXIM_CLIENT_DH_MIN_BITS); -+if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS) -+ { -+ DEBUG(D_tls) -+ debug_printf("WARNING: tls_dh_min_bits far too low, clamping %d up to %d\n", -+ dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS); -+ dh_min_bits = 
EXIM_CLIENT_DH_MIN_MIN_BITS; -+ } -+ -+DEBUG(D_tls) debug_printf("Setting D-H prime minimum acceptable bits to %d\n", -+ dh_min_bits); -+gnutls_dh_set_prime_bits(state->session, dh_min_bits); - - if (verify_certs == NULL) - { -diff --git a/src/tls-openssl.c b/src/tls-openssl.c -index 22c0730..fdcb95e 100644 ---- a/src/tls-openssl.c -+++ b/src/tls-openssl.c -@@ -1233,6 +1233,8 @@ Argument: - verify_certs file for certificate verify - crl file containing CRL - require_ciphers list of allowed ciphers -+ dh_min_bits minimum number of bits acceptable in server's DH prime -+ (unused in OpenSSL) - timeout startup timeout - - Returns: OK on success -@@ -1244,7 +1246,7 @@ int - tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam, - uschar *certificate, uschar *privatekey, uschar *sni, - uschar *verify_certs, uschar *crl, -- uschar *require_ciphers, int timeout) -+ uschar *require_ciphers, int dh_min_bits ARG_UNUSED, int timeout) - { - static uschar txt[256]; - uschar *expciphers; -diff --git a/src/transports/smtp.c b/src/transports/smtp.c -index f9f225f..b3856f5 100644 ---- a/src/transports/smtp.c -+++ b/src/transports/smtp.c -@@ -129,6 +129,8 @@ optionlist smtp_transport_options[] = { - (void *)offsetof(smtp_transport_options_block, tls_certificate) }, - { "tls_crl", opt_stringptr, - (void *)offsetof(smtp_transport_options_block, tls_crl) }, -+ { "tls_dh_min_bits", opt_int, -+ (void *)offsetof(smtp_transport_options_block, tls_dh_min_bits) }, - { "tls_privatekey", opt_stringptr, - (void *)offsetof(smtp_transport_options_block, tls_privatekey) }, - { "tls_require_ciphers", opt_stringptr, -@@ -195,9 +197,11 @@ smtp_transport_options_block smtp_transport_option_defaults = { - NULL, /* gnutls_require_kx */ - NULL, /* gnutls_require_mac */ - NULL, /* gnutls_require_proto */ -+ NULL, /* tls_sni */ - NULL, /* tls_verify_certificates */ -- TRUE, /* tls_tempfail_tryclear */ -- NULL /* tls_sni */ -+ EXIM_CLIENT_DH_DEFAULT_MIN_BITS, -+ /* tls_dh_min_bits */ 
-+ TRUE /* tls_tempfail_tryclear */ - #endif - #ifndef DISABLE_DKIM - ,NULL, /* dkim_canon */ -@@ -1136,6 +1140,7 @@ if (tls_offered && !suppress_tls && - ob->tls_verify_certificates, - ob->tls_crl, - ob->tls_require_ciphers, -+ ob->tls_dh_min_bits, - ob->command_timeout); - - /* TLS negotiation failed; give an error. From outside, this function may -diff --git a/src/transports/smtp.h b/src/transports/smtp.h -index 621cb6b..17b75cf 100644 ---- a/src/transports/smtp.h -+++ b/src/transports/smtp.h -@@ -52,9 +52,10 @@ typedef struct { - uschar *gnutls_require_kx; - uschar *gnutls_require_mac; - uschar *gnutls_require_proto; -+ uschar *tls_sni; - uschar *tls_verify_certificates; -+ int tls_dh_min_bits; - BOOL tls_tempfail_tryclear; -- uschar *tls_sni; - #endif - #ifndef DISABLE_DKIM - uschar *dkim_domain; --- -1.7.10 - diff -Nru exim4-4.80/debian/patches/77_close-the-server-side-of-TLS.diff exim4-4.82/debian/patches/77_close-the-server-side-of-TLS.diff --- exim4-4.80/debian/patches/77_close-the-server-side-of-TLS.diff 1970-01-01 00:00:00.000000000 +0000 +++ exim4-4.82/debian/patches/77_close-the-server-side-of-TLS.diff 2013-12-10 16:58:28.000000000 +0000 
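Review bot: dropping 76_tls_dh_min_bits.diff is only safe if 4.82 carries the same change upstream (commit 54c90be16587ca315041c964e251f07fc2bcf0e9); please confirm that src/transports/smtp.c in 4.82 has the `tls_dh_min_bits` option defaulting to EXIM_CLIENT_DH_DEFAULT_MIN_BITS and that tls-gnu.c clamps values below EXIM_CLIENT_DH_MIN_MIN_BITS, otherwise the client-side Diffie-Hellman minimum silently reverts to the old compile-time EXIM_CLIENT_DH_MIN_BITS behaviour. The companion documentation patch 77_docsfortls_dh_min_bits.diff is removed further down, which is consistent with that assumption.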
@@ -0,0 +1,40 @@ +From a400eccf287c55558ae7197c831828cf10b0a35c Mon Sep 17 00:00:00 2001 +From: Tony Finch +Date: Tue, 5 Nov 2013 12:18:02 +0000 +Subject: [PATCH 2/8] Correctly close the server side of TLS when forking for + delivery. + +--- + src/daemon.c | 2 +- + src/exim.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/daemon.c b/src/daemon.c +index 3467f14..8e61dcf 100644 +--- a/src/daemon.c ++++ b/src/daemon.c +@@ -639,7 +639,7 @@ if (pid == 0) + the data structures if necessary. */ + + #ifdef SUPPORT_TLS +- tls_close(FALSE, FALSE); ++ tls_close(TRUE, FALSE); + #endif + + /* Reset SIGHUP and SIGCHLD in the child in both cases. */ +diff --git a/src/exim.c b/src/exim.c +index a715c0b..856e655 100644 +--- a/src/exim.c ++++ b/src/exim.c +@@ -526,7 +526,7 @@ close_unwanted(void) + if (smtp_input) + { + #ifdef SUPPORT_TLS +- tls_close(FALSE, FALSE); /* Shut down the TLS library */ ++ tls_close(TRUE, FALSE); /* Shut down the TLS library */ + #endif + (void)close(fileno(smtp_in)); + (void)close(fileno(smtp_out)); +-- +1.7.10.4 + diff -Nru exim4-4.80/debian/patches/77_docsfortls_dh_min_bits.diff exim4-4.82/debian/patches/77_docsfortls_dh_min_bits.diff --- exim4-4.80/debian/patches/77_docsfortls_dh_min_bits.diff 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/patches/77_docsfortls_dh_min_bits.diff 1970-01-01 00:00:00.000000000 +0000 
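Review bot: both hunks flip the first argument of `tls_close()` from FALSE to TRUE, and the whole fix is that this argument selects the server side rather than the client side of TLS; since the bug arose from the meaning of a bare boolean literal, the two call sites should spell it out (for example `tls_close(TRUE /* is_server */, FALSE /* shutdown */)`) so the next reader does not have to look up the signature. The exim.c comment "Shut down the TLS library" also predates the two-argument form and no longer describes what the call does in close_unwanted().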
@@ -1,33 +0,0 @@ -diff -NurBbp a/doc/spec.txt exim-4.80/doc/spec.txt ---- a/doc/spec.txt 2012-05-31 11:35:23.000000000 +0200 -+++ exim-4.80/doc/spec.txt 2012-06-08 13:08:19.000000000 +0200 -@@ -21221,6 +21221,17 @@ This option specifies a certificate revo - the name of a file that contains a CRL in PEM format. - - +--------------+---------+-------------+--------------+ -+|tls_dh_min_bits|Use: smtp|Type: integer|Default: 1024| -++-----------------------------------------------------+ -+ -+When establishing a TLS session, if a ciphersuite which uses Diffie-Hellman key -+agreement is negotiated, the server will provide a large prime number for use. -+This option establishes the minimum acceptable size of that number. If the -+parameter offered by the server is too small, then the TLS handshake will fail. -+ -+Only supported when using GnuTLS. -+ -++--------------+---------+-------------+--------------+ - |tls_privatekey|Use: smtp|Type: string*|Default: unset| - +--------------+---------+-------------+--------------+ - -@@ -23630,6 +23641,11 @@ There are some differences in usage when - * The tls_require_ciphers options operate differently, as described in the - sections 41.4 and 41.5. - -+ * The tls_dh_min_bits SMTP transport option is only honoured by GnuTLS. When -+ using OpenSSL, this option is ignored. (If an API is found to let OpenSSL -+ be configured in this way, let the Exim Maintainers know and we'll likely -+ use it). -+ - * Some other recently added features may only be available in one or the - other. This should be documented with the feature. If the documentation - does not explicitly state that the feature is infeasible in the other TLS diff -Nru exim4-4.80/debian/patches/78_pkcs11_init.diff exim4-4.82/debian/patches/78_pkcs11_init.diff --- exim4-4.80/debian/patches/78_pkcs11_init.diff 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/patches/78_pkcs11_init.diff 1970-01-01 00:00:00.000000000 +0000 
@@ -1,38 +0,0 @@ -Description: Disable autoloading of PKCS#11 modules. -Author: Phil Pennock -Origin: upstream -Bug-Debian: http://bugs.debian.org/678238 -Forwarded: http://article.gmane.org/gmane.mail.exim.devel/5732 -Last-Update: 2012-06-23 - -Index: b/src/tls-gnu.c -=================================================================== ---- a/src/tls-gnu.c 2012-06-23 18:17:41.000000000 +0200 -+++ b/src/tls-gnu.c 2012-06-23 18:18:31.000000000 +0200 -@@ -39,6 +39,8 @@ require current GnuTLS, then we'll drop - #include - /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */ - #include -+/* needed for gnutls_pkcs11_init */ -+#include - - /* GnuTLS 2 vs 3 - -@@ -910,6 +912,8 @@ if (!exim_gnutls_base_init_done) - { - DEBUG(D_tls) debug_printf("GnuTLS global init required.\n"); - -+ rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); -+ exim_gnutls_err_check(US"gnutls_pkcs11_init"); - rc = gnutls_global_init(); - exim_gnutls_err_check(US"gnutls_global_init"); - -@@ -1942,6 +1946,8 @@ if (exim_gnutls_base_init_done) - log_write(0, LOG_MAIN|LOG_PANIC, - "already initialised GnuTLS, Exim developer bug"); - -+rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); -+validate_check_rc(US"gnutls_pkcs11_init"); - rc = gnutls_global_init(); - validate_check_rc(US"gnutls_global_init()"); - exim_gnutls_base_init_done = TRUE; diff -Nru exim4-4.80/debian/patches/84_CVE-2012-5671.patch exim4-4.82/debian/patches/84_CVE-2012-5671.patch --- exim4-4.80/debian/patches/84_CVE-2012-5671.patch 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/patches/84_CVE-2012-5671.patch 1970-01-01 00:00:00.000000000 +0000 
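Review bot: the dropped 78_pkcs11_init.diff forced gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL) unconditionally in both the runtime init path and the validation path of src/tls-gnu.c, so PKCS#11 modules were never autoloaded (Debian bug 678238). The 4.82 ChangeLog entries PP/09 (gnutls_allow_auto_pkcs11 option) and TL/20 (AVOID_GNUTLS_PKCS11 build option) replace that with configurable behaviour, but nothing in this diff sets either one explicitly; before relying on the drop, check that the option's default together with the Debian build flags still keeps autoloading off, since re-enabling it silently would change which modules get loaded into every TLS-using Exim process.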
@@ -1,37 +0,0 @@ -From 4263f395efd136dece52d765dfcff3c96f17506e Mon Sep 17 00:00:00 2001 -From: Phil Pennock -Date: Wed, 24 Oct 2012 23:26:29 -0400 -Subject: [PATCH 1/3] SECURITY: DKIM DNS buffer overflow protection - -CVE-2012-5671 - -malloc/heap overflow, with a 60kB window of overwrite. -Requires DNS under control of person sending email, leaves plenty of -evidence, but is very likely exploitable on OSes that have not been -well hardened. - ---- exim4-4.72.orig/src/dkim.c -+++ exim4-4.72/src/dkim.c -@@ -44,6 +44,9 @@ int dkim_exim_query_dns_txt(char *name, - "%.*s", (int)len, (char *)((rr->data)+rr_offset)); - rr_offset+=len; - answer_offset+=len; -+ if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN) { -+ return PDKIM_FAIL; -+ } - } - } - else return PDKIM_FAIL; ---- exim4-4.72.orig/src/pdkim/pdkim.h -+++ exim4-4.72/src/pdkim/pdkim.h -@@ -29,8 +29,8 @@ - - /* -------------------------------------------------------------------------- */ - /* Length of the preallocated buffer for the "answer" from the dns/txt -- callback function. */ --#define PDKIM_DNS_TXT_MAX_RECLEN 4096 -+ callback function. This should match the maximum RDLENGTH from DNS. */ -+#define PDKIM_DNS_TXT_MAX_RECLEN (1 << 16) - - /* -------------------------------------------------------------------------- */ - /* Function success / error codes */ diff -Nru exim4-4.80/debian/patches/85_server_set_id_SPA.diff exim4-4.82/debian/patches/85_server_set_id_SPA.diff --- exim4-4.80/debian/patches/85_server_set_id_SPA.diff 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/patches/85_server_set_id_SPA.diff 1970-01-01 00:00:00.000000000 +0000 
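Review bot: the dropped 84_CVE-2012-5671.patch is superseded by upstream; the 4.82 ChangeLog records the same fix as PP/11 (and as PP/01 of 4.80.1), so removing it loses nothing. One observation on the removed src/dkim.c hunk for whoever audits the upstream variant: the new `if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN) return PDKIM_FAIL;` sits after the `%.*s` copy and the `answer_offset+=len` increment, so it only detects an overrun once it has happened; the write itself has to be bounded by the remaining buffer space for the raised `PDKIM_DNS_TXT_MAX_RECLEN (1 << 16)` to act as a hard limit. Confirm the upstream version checks before copying.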
@@ -1,73 +0,0 @@ -From f68fe5f62128effcce35efca90d74bc6df066765 Mon Sep 17 00:00:00 2001 -From: Phil Pennock -Date: Wed, 7 Nov 2012 01:53:37 -0500 -Subject: [PATCH] Fix server_set_id for SPA/NTLM auth. - -Broken in 4.80 release, commit 08488c86. - -We need to leave $auth1 available after the authenticator returns, so -that server_set_id can be evaluated by the caller. We need to do this -whether we succeed or fail, because server_set_id only makes it into -$authenticated_id if we return OK, but is logged regardless. - -Updated test config to set server_set_id; updated logs. ---- - -diff --git a/src/auths/spa.c b/src/auths/spa.c -index 1abd657..0bf7b04 100644 ---- a/src/auths/spa.c -+++ b/src/auths/spa.c -@@ -196,17 +196,14 @@ that causes failure if the size of msgbuf is exceeded. ****/ - /***************************************************************/ - - /* Put the username in $auth1 and $1. The former is now the preferred variable; --the latter is the original variable. */ -+the latter is the original variable. 
These have to be out of stack memory, and -+need to be available once known even if not authenticated, for error messages -+(server_set_id, which only makes it to authenticated_id if we return OK) */ - --auth_vars[0] = expand_nstring[1] = msgbuf; -+auth_vars[0] = expand_nstring[1] = string_copy(msgbuf); - expand_nlength[1] = Ustrlen(msgbuf); - expand_nmax = 1; - --/* clean up globals which aren't referenced, but still shouldn't be left --pointing to stack memory */ --#define CLEANUP_RETURN(Code) do { auth_vars[0] = expand_nstring[1] = NULL; \ -- expand_nlength[1] = expand_nmax = 0; return (Code); } while (0); -- - debug_print_string(ablock->server_debug_string); /* customized debug */ - - /* look up password */ -@@ -218,13 +215,13 @@ if (clearpass == NULL) - { - DEBUG(D_auth) debug_printf("auth_spa_server(): forced failure while " - "expanding spa_serverpassword\n"); -- CLEANUP_RETURN(FAIL); -+ return FAIL; - } - else - { - DEBUG(D_auth) debug_printf("auth_spa_server(): error while expanding " - "spa_serverpassword: %s\n", expand_string_message); -- CLEANUP_RETURN(DEFER); -+ return DEFER; - } - } - -@@ -240,13 +237,12 @@ if (memcmp(ntRespData, - 24) == 0) - /* success. we have a winner. */ - { -- int rc = auth_check_serv_cond(ablock); -- CLEANUP_RETURN(rc); -+ return auth_check_serv_cond(ablock); - } - - /* Expand server_condition as an authorization check (PH) */ - --CLEANUP_RETURN(FAIL); -+return FAIL; - } - - diff -Nru exim4-4.80/debian/patches/86_Dovecot-robustness.diff exim4-4.82/debian/patches/86_Dovecot-robustness.diff --- exim4-4.80/debian/patches/86_Dovecot-robustness.diff 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/patches/86_Dovecot-robustness.diff 1970-01-01 00:00:00.000000000 +0000 
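Review bot: the dropped 85_server_set_id_SPA.diff matches 4.82 ChangeLog entry PP/12 ("Unbreak server_set_id for NTLM/SPA auth, broken by 4.80 PP/29"), so removing it from the series does not lose the fix. In the removed src/auths/spa.c hunk, replacing the stack-pointing `auth_vars[0] = expand_nstring[1] = msgbuf` with string_copy(msgbuf) and deleting the CLEANUP_RETURN macro is the right shape: as the commit message says, the caller reads $auth1 for server_set_id after the authenticator returns on both OK and FAIL, so clearing the variables on every return was the bug rather than a cleanup (the old macro's trailing `while (0);` also left a stray semicolon at each use).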
@@ -1,308 +0,0 @@ -From 3f1df0e341c4ddc4add38fa97d9d34972655a6c7 Mon Sep 17 00:00:00 2001 -From: Phil Pennock -Date: Mon, 19 Nov 2012 23:44:33 -0500 -Subject: [PATCH] Dovecot: robustness; better msg on missing mech. - -If the dovecot protocol response doesn't include the MECH message for -the SMTP AUTH protocol the client has requested, that's not a protocol -failure, don't log it as such. Instead, explicitly log that it didn't -advertise the mechanism we're looking for. This lets administrators fix -either their Exim or their Dovecot configurations. - -Also: make the Dovecot handling more resistant to bad data from the auth -server; handle too many fields with debug-log message to explain what's -going on, permit lines of 8192 length per spec and detect if the line is -too long, so that we can fail auth instead of becoming unsynchronised. - -Stop using the CUID from the server as the AUTH id counter. They're -different, by my reading of the spec. - -TESTED: works against Dovecot 2.1.10. - -Thanks to Brady Catherman for reporting the problem with diagnosis. ---- - -diff --git a/src/auths/dovecot.c b/src/auths/dovecot.c -index 0824240..032a089 100644 ---- a/src/auths/dovecot.c -+++ b/src/auths/dovecot.c -@@ -12,12 +12,42 @@ commented them specially, but now they are getting quite extensive, so I have - ceased doing that. The biggest change is to use unbuffered I/O on the socket - because using C buffered I/O gives problems on some operating systems. 
PH */ - -+/* Protocol specifications: -+ * Dovecot 1, protocol version 1.1 -+ * http://wiki.dovecot.org/Authentication%20Protocol -+ * -+ * Dovecot 2, protocol version 1.1 -+ * http://wiki2.dovecot.org/Design/AuthProtocol -+ */ -+ - #include "../exim.h" - #include "dovecot.h" - - #define VERSION_MAJOR 1 - #define VERSION_MINOR 0 - -+/* http://wiki.dovecot.org/Authentication%20Protocol -+"The maximum line length isn't defined, -+ but it's currently expected to fit into 8192 bytes" -+*/ -+#define DOVECOT_AUTH_MAXLINELEN 8192 -+ -+/* This was hard-coded as 8. -+AUTH req C->S sends {"AUTH", id, mechanism, service } + params, 5 defined for -+Dovecot 1; Dovecot 2 (same protocol version) defines 9. -+ -+Master->Server sends {"USER", id, userid} + params, 6 defined. -+Server->Client only gives {"OK", id} + params, unspecified, only 1 guaranteed. -+ -+We only define here to accept S->C; max seen is 3+, plus the two -+for the command and id, where unspecified might include _at least_ user=... -+ -+So: allow for more fields than we ever expect to see, while aware that count -+can go up without changing protocol version. -+The cost is the length of an array of pointers on the stack. -+*/ -+#define DOVECOT_AUTH_MAXFIELDCOUNT 16 -+ - /* Options specific to the authentication mechanism. 
*/ - optionlist auth_dovecot_options[] = { - { -@@ -43,7 +73,7 @@ auth_dovecot_options_block auth_dovecot_option_defaults = { - /* Static variables for reading from the socket */ - - static uschar sbuffer[256]; --static int sbp; -+static int socket_buffer_left; - - - -@@ -67,9 +97,28 @@ void auth_dovecot_init(auth_instance *ablock) - ablock->client = FALSE; - } - --static int strcut(uschar *str, uschar **ptrs, int nptrs) -+/************************************************* -+ * "strcut" to split apart server lines * -+ *************************************************/ -+ -+/* Dovecot auth protocol uses TAB \t as delimiter; a line consists -+of a command-name, TAB, and then any parameters, each separated by a TAB. -+A parameter can be param=value or a bool, just param. -+ -+This function modifies the original str in-place, inserting NUL characters. -+It initialises ptrs entries, setting all to NULL and only setting -+non-NULL N entries, where N is the return value, the number of fields seen -+(one more than the number of tabs). -+ -+Note that the return value will always be at least 1, is the count of -+actual fields (so last valid offset into ptrs is one less). 
-+*/ -+ -+static int -+strcut(uschar *str, uschar **ptrs, int nptrs) - { -- uschar *tmp = str; -+ uschar *last_sub_start = str; -+ uschar *lastvalid = str + Ustrlen(str); - int n; - - for (n = 0; n < nptrs; n++) -@@ -79,19 +128,44 @@ static int strcut(uschar *str, uschar **ptrs, int nptrs) - while (*str) { - if (*str == '\t') { - if (n <= nptrs) { -- *ptrs++ = tmp; -- tmp = str + 1; -- *str = 0; -+ *ptrs++ = last_sub_start; -+ last_sub_start = str + 1; -+ *str = '\0'; - } - n++; - } - str++; - } - -- if (n < nptrs) -- *ptrs = tmp; -+ if (last_sub_start < lastvalid) { -+ if (n <= nptrs) { -+ *ptrs = last_sub_start; -+ } else { -+ HDEBUG(D_auth) debug_printf("dovecot: warning: too many results from tab-splitting; saw %d fields, room for %d\n", n, nptrs); -+ n = nptrs; -+ } -+ } else { -+ n--; -+ HDEBUG(D_auth) debug_printf("dovecot: warning: ignoring trailing tab\n"); -+ } -+ -+ return n <= nptrs ? n : nptrs; -+} - -- return n; -+static void debug_strcut(uschar **ptrs, int nlen, int alen) ARG_UNUSED; -+static void -+debug_strcut(uschar **ptrs, int nlen, int alen) -+{ -+ int i; -+ debug_printf("%d read but unreturned bytes; strcut() gave %d results: ", -+ socket_buffer_left, nlen); -+ for (i = 0; i < nlen; i++) { -+ debug_printf(" {%s}", ptrs[i]); -+ } -+ if (nlen < alen) -+ debug_printf(" last is %s\n", ptrs[i] ? 
ptrs[i] : US""); -+ else -+ debug_printf(" (max for capacity)\n"); - } - - #define CHECK_COMMAND(str, arg_min, arg_max) do { \ -@@ -125,27 +199,27 @@ int count = 0; - - for (;;) - { -- if (sbp == 0) -+ if (socket_buffer_left == 0) - { -- sbp = read(fd, sbuffer, sizeof(sbuffer)); -- if (sbp == 0) { if (count == 0) return NULL; else break; } -+ socket_buffer_left = read(fd, sbuffer, sizeof(sbuffer)); -+ if (socket_buffer_left == 0) { if (count == 0) return NULL; else break; } - p = 0; - } - -- while (p < sbp) -+ while (p < socket_buffer_left) - { - if (count >= n - 1) break; - s[count++] = sbuffer[p]; - if (sbuffer[p++] == '\n') break; - } - -- memmove(sbuffer, sbuffer + p, sbp - p); -- sbp -= p; -+ memmove(sbuffer, sbuffer + p, socket_buffer_left - p); -+ socket_buffer_left -= p; - - if (s[count-1] == '\n' || count >= n - 1) break; - } - --s[count] = 0; -+s[count] = '\0'; - return s; - } - -@@ -161,12 +235,14 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data) - auth_dovecot_options_block *ob = - (auth_dovecot_options_block *)(ablock->options_block); - struct sockaddr_un sa; -- uschar buffer[4096]; -- uschar *args[8]; -+ uschar buffer[DOVECOT_AUTH_MAXLINELEN]; -+ uschar *args[DOVECOT_AUTH_MAXFIELDCOUNT]; - uschar *auth_command; - uschar *auth_extra_data = US""; -+ uschar *p; - int nargs, tmp; -- int cuid = 0, cont = 1, found = 0, fd, ret = DEFER; -+ int crequid = 1, cont = 1, fd, ret = DEFER; -+ BOOL found = FALSE; - - HDEBUG(D_auth) debug_printf("dovecot authentication\n"); - -@@ -198,37 +274,46 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data) - - auth_defer_msg = US"authentication socket protocol error"; - -- sbp = 0; /* Socket buffer pointer */ -+ socket_buffer_left = 0; /* Global, used to read more than a line but return by line */ - while (cont) { - if (dc_gets(buffer, sizeof(buffer), fd) == NULL) - OUT("authentication socket read error or premature eof"); -- -- buffer[Ustrlen(buffer) - 1] = 0; -+ p = buffer + Ustrlen(buffer) - 1; -+ 
if (*p != '\n') { -+ OUT("authentication socket protocol line too long"); -+ } -+ *p = '\0'; - HDEBUG(D_auth) debug_printf("received: %s\n", buffer); - nargs = strcut(buffer, args, sizeof(args) / sizeof(args[0])); -+ /* HDEBUG(D_auth) debug_strcut(args, nargs, sizeof(args) / sizeof(args[0])); */ - - /* Code below rewritten by Kirill Miazine (km@krot.org). Only check commands that - Exim will need. Original code also failed if Dovecot server sent unknown - command. E.g. COOKIE in version 1.1 of the protocol would cause troubles. */ -- if (Ustrcmp(args[0], US"CUID") == 0) { -- CHECK_COMMAND("CUID", 1, 1); -- cuid = Uatoi(args[1]); -- } else if (Ustrcmp(args[0], US"VERSION") == 0) { -+ /* pdp: note that CUID is a per-connection identifier sent by the server, -+ which increments at server discretion. -+ By contrast, the "id" field of the protocol is a connection-specific request -+ identifier, which needs to be unique per request from the client and is not -+ connected to the CUID value, so we ignore CUID from server. It's purely for -+ diagnostics. */ -+ if (Ustrcmp(args[0], US"VERSION") == 0) { - CHECK_COMMAND("VERSION", 2, 2); - if (Uatoi(args[1]) != VERSION_MAJOR) - OUT("authentication socket protocol version mismatch"); - } else if (Ustrcmp(args[0], US"MECH") == 0) { - CHECK_COMMAND("MECH", 1, INT_MAX); - if (strcmpic(US args[1], ablock->public_name) == 0) -- found = 1; -+ found = TRUE; - } else if (Ustrcmp(args[0], US"DONE") == 0) { - CHECK_COMMAND("DONE", 0, 0); - cont = 0; - } - } - -- if (!found) -+ if (!found) { -+ auth_defer_msg = string_sprintf("Dovecot did not advertise mechanism \"%s\" to us", ablock->public_name); - goto out; -+ } - - /* Added by PH: data must not contain tab (as it is - b64 it shouldn't, but check for safety). */ -@@ -264,14 +349,11 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data) - - Subsequently, the command was modified to add "secured" and "valid-client- - cert" when relevant. 
-- -- The auth protocol is documented here: -- http://wiki.dovecot.org/Authentication_Protocol - ****************************************************************************/ - - auth_command = string_sprintf("VERSION\t%d\t%d\nCPID\t%d\n" - "AUTH\t%d\t%s\tservice=smtp\t%srip=%s\tlip=%s\tnologin\tresp=%s\n", -- VERSION_MAJOR, VERSION_MINOR, getpid(), cuid, -+ VERSION_MAJOR, VERSION_MINOR, getpid(), crequid, - ablock->public_name, auth_extra_data, sender_host_address, - interface_address, data ? (char *) data : ""); - -@@ -295,7 +377,7 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data) - HDEBUG(D_auth) debug_printf("received: %s\n", buffer); - nargs = strcut(buffer, args, sizeof(args) / sizeof(args[0])); - -- if (Uatoi(args[1]) != cuid) -+ if (Uatoi(args[1]) != crequid) - OUT("authentication socket connection id mismatch"); - - switch (toupper(*args[0])) { -@@ -316,7 +398,7 @@ int auth_dovecot_server(auth_instance *ablock, uschar *data) - goto out; - } - -- temp = string_sprintf("CONT\t%d\t%s\n", cuid, data); -+ temp = string_sprintf("CONT\t%d\t%s\n", crequid, data); - if (write(fd, temp, Ustrlen(temp)) < 0) - OUT("authentication socket write error"); - break; --- -1.7.10.4 - diff -Nru exim4-4.80/debian/patches/87_localinjected_mimeacl.diff exim4-4.82/debian/patches/87_localinjected_mimeacl.diff --- exim4-4.80/debian/patches/87_localinjected_mimeacl.diff 2013-08-08 17:37:11.000000000 +0000 +++ exim4-4.82/debian/patches/87_localinjected_mimeacl.diff 1970-01-01 00:00:00.000000000 +0000 
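Review bot: the dropped 86_Dovecot-robustness.diff corresponds to 4.82 ChangeLog PP/13. Two things in the removed dc_gets() hunk are worth checking in the upstream version: `socket_buffer_left = read(fd, sbuffer, sizeof(sbuffer))` is only tested for 0, so a -1 from read() falls through to `memmove(sbuffer, sbuffer + p, socket_buffer_left - p)` with a negative (hence huge size_t) length and then to `s[count-1]` with count still 0; treating `<= 0` as end-of-input would close that. Second, the new line-length check `p = buffer + Ustrlen(buffer) - 1; if (*p != '\n') OUT(...)` is only safe because dc_gets() never returns an empty string, and that invariant is not stated anywhere near the check; a comment tying the two together (or an explicit empty-line guard) would keep a later refactor of dc_gets() from pointing p before buffer.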
@@ -1,32 +0,0 @@ -From f4c1088bb7af23e4b613672230868056d46239a5 Mon Sep 17 00:00:00 2001 -From: Phil Pennock -Date: Wed, 31 Jul 2013 18:50:04 -0400 -Subject: [PATCH] Fix segfault in stdio with non-SMTP MIME ACL. - -When injecting a message locally in non-SMTP mode, and with MIME ACLs -configured, if the ACL rejected the message, Exim would try to -`fprintf(NULL, "%s", the_message)`. This fixes that. - -Most ACLs are plumbed in SMTP-only and looking through the others in -receive.c, they all appear to be safely guarded, so it was just this one -that slipped through. - -Crash report and assistance tracking down the root cause from Warren -Baker. - - ---- exim4-4.80.orig/src/receive.c -+++ exim4-4.80/src/receive.c -@@ -1184,9 +1184,10 @@ else if (rc != OK) - #ifdef EXPERIMENTAL_DCC - dcc_ok = 0; - #endif -- if (smtp_handle_acl_fail(ACL_WHERE_MIME, rc, user_msg, log_msg) != 0) -+ if (smtp_input && smtp_handle_acl_fail(ACL_WHERE_MIME, rc, user_msg, log_msg) != 0) { - *smtp_yield_ptr = FALSE; /* No more messsages after dropped connection */ -- *smtp_reply_ptr = US""; /* Indicate reply already sent */ -+ *smtp_reply_ptr = US""; /* Indicate reply already sent */ -+ } - message_id[0] = 0; /* Indicate no message accepted */ - return FALSE; /* Cause skip to end of receive function */ - } diff -Nru exim4-4.80/debian/patches/fix_smtp_banner.patch exim4-4.82/debian/patches/fix_smtp_banner.patch --- exim4-4.80/debian/patches/fix_smtp_banner.patch 2013-10-28 18:52:39.000000000 +0000 +++ exim4-4.82/debian/patches/fix_smtp_banner.patch 2013-12-10 17:06:41.000000000 +0000 
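Review bot: the dropped 87_localinjected_mimeacl.diff matches 4.82 ChangeLog PP/24 (segfault from fprintf() to a NULL FILE* when a MIME ACL rejects a non-SMTP local injection). The removed src/receive.c hunk guards only the smtp_handle_acl_fail() call with `smtp_input &&` and still falls through to `message_id[0] = 0; return FALSE;` for the non-SMTP case, which is the intended outcome (message rejected, no SMTP reply written), so deferring to upstream loses nothing. The typo "messsages" in the retained context comment is worth fixing if that line is ever touched again.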
@@ -4,21 +4,11 @@ Last-Update: 2013-06-20 === modified file 'src/exim.h' ---- a/src/exim.h 2012-05-29 19:33:07 +0000 -+++ b/src/exim.h 2013-06-19 09:39:24 +0000 -@@ -566,4 +566,8 @@ - #endif - #endif - -+#ifndef EXIM_DISTRIBUTION -+ #define EXIM_DISTRIBUTION "" -+#endif -+ - /* End of exim.h */ - ---- a/src/globals.c 2013-06-19 13:20:00.809922000 +0000 -+++ b/src/globals.c 2013-06-20 08:16:19.212132999 +0000 -@@ -1104,7 +1104,7 @@ +Index: exim4_ubuntu/src/globals.c +=================================================================== +--- exim4_ubuntu.orig/src/globals.c 2013-12-10 17:06:29.194997355 +0000 ++++ exim4_ubuntu/src/globals.c 2013-12-10 17:06:29.190997355 +0000 +@@ -1175,7 +1175,7 @@ uschar *smtp_active_hostname = NULL; BOOL smtp_authenticated = FALSE; uschar *smtp_banner = US"$smtp_active_hostname ESMTP " 
@@ -27,18 +17,21 @@ "\0<---------------Space to patch smtp_banner->"; BOOL smtp_batched_input = FALSE; BOOL smtp_check_spool_space = TRUE; ---- a/src/config.h.defaults 2013-06-19 13:20:00.809922000 +0000 -+++ b/src/config.h.defaults 2013-06-20 09:43:43.948132999 +0000 -@@ -195,4 +195,6 @@ - #define SC_EXIM_DEC "%" SCNd64 /* scanf decimal */ - #endif +Index: exim4_ubuntu/src/config.h.defaults +=================================================================== +--- exim4_ubuntu.orig/src/config.h.defaults 2013-12-10 17:06:29.194997355 +0000 ++++ exim4_ubuntu/src/config.h.defaults 2013-12-10 17:06:29.190997355 +0000 +@@ -196,4 +196,6 @@ + #define SC_EXIM_ARITH "%" SCNi64 /* scanf incl. 0x prefix */ + #define SC_EXIM_DEC "%" SCNd64 /* scanf decimal */ +#define EXIM_DISTRIBUTION + /* End of config.h.defaults */ - ---- a/scripts/Configure-config.h 2013-06-19 13:20:00.809922000 +0000 -+++ b/scripts/Configure-config.h 2013-06-20 13:45:07.676132999 +0000 +Index: exim4_ubuntu/scripts/Configure-config.h +=================================================================== +--- exim4_ubuntu.orig/scripts/Configure-config.h 2013-12-10 17:06:29.194997355 +0000 ++++ exim4_ubuntu/scripts/Configure-config.h 2013-12-10 17:06:29.190997355 +0000 @@ -23,6 +23,12 @@ if [ "$1" != "" ] ; then MAKE=$1 ; fi if [ "$MAKE" = "" ] ; then MAKE=make ; fi 
@@ -52,4 +45,16 @@ $MAKE buildconfig || exit 1 # BEWARE: tab characters needed in the following sed command. They have had - +Index: exim4_ubuntu/src/exim.h +=================================================================== +--- exim4_ubuntu.orig/src/exim.h 2013-12-10 17:06:29.194997355 +0000 ++++ exim4_ubuntu/src/exim.h 2013-12-10 17:06:29.190997355 +0000 +@@ -580,4 +580,8 @@ + #endif + #endif + ++#ifndef EXIM_DISTRIBUTION ++ #define EXIM_DISTRIBUTION "" ++#endif ++ + /* End of exim.h */ diff -Nru exim4-4.80/debian/patches/series exim4-4.82/debian/patches/series --- exim4-4.80/debian/patches/series 2013-10-28 18:52:46.000000000 +0000 +++ exim4-4.82/debian/patches/series 2013-12-10 17:01:17.000000000 +0000 @@ -1,4 +1,3 @@ -30_dontoverridecflags.dpatch 31_eximmanpage.dpatch 32_exim4.dpatch 33_eximon.binary.dpatch @@ -9,12 +8,7 @@ 66_enlarge-dh-parameters-size.dpatch 67_unnecessaryCopt.diff 70_remove_exim-users_references.dpatch -75_openssl_sni.diff -76_tls_dh_min_bits.diff -77_docsfortls_dh_min_bits.diff -78_pkcs11_init.diff -84_CVE-2012-5671.patch -85_server_set_id_SPA.diff -86_Dovecot-robustness.diff -87_localinjected_mimeacl.diff +75_unbind-ldap-connection.diff +76_fix_ldap_option_setting.diff +77_close-the-server-side-of-TLS.diff fix_smtp_banner.patch diff -Nru exim4-4.80/debian/README.Debian.xml exim4-4.82/debian/README.Debian.xml --- exim4-4.80/debian/README.Debian.xml 2013-08-06 17:19:04.000000000 +0000 +++ exim4-4.82/debian/README.Debian.xml 2013-12-10 16:58:28.000000000 +0000 @@ -1107,6 +1107,13 @@ presented by the remote host is not checked unless you specify a tls_verify_certificate option on the transport. + + To make exim send a TLS certificate to the remote host set + REMOTE_SMTP_TLS_CERTIFICATE/REMOTE_SMTP_PRIVATEKEY or for + the remote_smtp_smarthost transport + REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE/REMOTE_SMTP_SMARTHOST_PRIVATEKEY + respectively. + TLS on connect is not natively supported. 
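Review bot: the refreshed fix_smtp_banner.patch keeps the stale bzr header `=== modified file 'src/exim.h'` as context at the top while the src/exim.h hunk now sits last under a quilt `Index:` header, and the `Last-Update: 2013-06-20` field was not bumped although every hunk was regenerated on 2013-12-10; both should be tidied so the DEP-3 header describes the patch that is actually applied. Also, src/config.h.defaults now gains a bare `#define EXIM_DISTRIBUTION` with no value while src/exim.h falls back to `#define EXIM_DISTRIBUTION ""` only under `#ifndef`; once config.h.defaults has been processed that fallback is dead, so the banner's content depends entirely on the scripts/Configure-config.h sed step, whose changed lines are not shown in this hunk. Confirm that step emits a string literal (or the empty string) for EXIM_DISTRIBUTION, otherwise the banner silently loses the distribution tag.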
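Review bot: the debian/patches/series changes line up with the 4.82 ChangeLog in this same diff: 30_dontoverridecflags.dpatch (PP/10), 77_docsfortls_dh_min_bits.diff (PP/03), 78_pkcs11_init.diff (PP/09, TL/20), 84_CVE-2012-5671.patch (PP/11), 85_server_set_id_SPA.diff (PP/12), 86_Dovecot-robustness.diff (PP/13) and 87_localinjected_mimeacl.diff (PP/24) are all recorded as merged upstream. 75_openssl_sni.diff and 76_tls_dh_min_bits.diff are also removed from series, but their file deletions are not in this part of the diff, so confirm they were deleted rather than left orphaned in debian/patches (PP/08 and PP/03 look like the upstream counterparts). The three new entries 75_unbind-ldap-connection.diff, 76_fix_ldap_option_setting.diff and 77_close-the-server-side-of-TLS.diff likewise need their files present; only the tail of the last one is visible at the top of this section.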
@@ -1164,6 +1171,11 @@ certificates which causes the interoperabilty problems with Outlook et.al. noted above. + + The server certificate is only used for incoming connections, + please consult for the + corresponding outgoing conncection options. +
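Review bot: "conncection" in the second README.Debian.xml hunk should be "connection", and the sentence "please consult for the corresponding outgoing conncection options" has nothing after "consult"; in the DocBook source this is presumably a cross-reference element, so check that it resolves in the rendered README rather than producing an empty reference. The macro names in the first hunk (REMOTE_SMTP_TLS_CERTIFICATE/REMOTE_SMTP_PRIVATEKEY and REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE/REMOTE_SMTP_SMARTHOST_PRIVATEKEY) are the kind of thing that drifts from the shipped transport configuration; a grep against the configuration templates before upload is cheap insurance.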
Troubleshooting diff -Nru exim4-4.80/doc/ChangeLog exim4-4.82/doc/ChangeLog --- exim4-4.80/doc/ChangeLog 2012-05-31 00:40:15.000000000 +0000 +++ exim4-4.82/doc/ChangeLog 2013-10-25 00:46:27.000000000 +0000 
@@ -1,6 +1,278 @@ Change log file for Exim from version 4.21 ------------------------------------------- +Exim version 4.82 +----------------- + +PP/01 Add -bI: framework, and -bI:sieve for querying sieve capabilities. + +PP/02 Make -n do something, by making it not do something. + When combined with -bP, the name of an option is not output. + +PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured + by GnuTLS. + +PP/04 First step towards DNSSEC, provide $sender_host_dnssec for + $sender_host_name and config options to manage this, and basic check + routines. + +PP/05 DSCP support for outbound connections and control modifier for inbound. + +PP/06 Cyrus SASL: set local and remote IP;port properties for driver. + (Only plugin which currently uses this is kerberos4, which nobody should + be using, but we should make it available and other future plugins might + conceivably use it, even though it would break NAT; stuff *should* be + using channel bindings instead). + +PP/07 Handle "exim -L " to indicate to use syslog with tag as the process + name; added for Sendmail compatibility; requires admin caller. + Handle -G as equivalent to "control = suppress_local_fixups" (we used to + just ignore it); requires trusted caller. + Also parse but ignore: -Ac -Am -X + Bugzilla 1117. + +TL/01 Bugzilla 1258 - Refactor MAIL FROM optional args processing. + +TL/02 Add +smtp_confirmation as a default logging option. + +TL/03 Bugzilla 198 - Implement remove_header ACL modifier. + Patch by Magnus Holmgren from 2007-02-20. + +TL/04 Bugzilla 1281 - Spec typo. + Bugzilla 1283 - Spec typo. + Bugzilla 1290 - Spec grammar fixes. + +TL/05 Bugzilla 1285 - Spec omission, fix docbook errors for spec.txt creation. + +TL/06 Add Experimental DMARC support using libopendmarc libraries. + +TL/07 Fix an out of order global option causing a segfault. Reported to dev + mailing list by by Dmitry Isaikin. + +JH/01 Bugzilla 1201 & 304 - New cutthrough-delivery feature, with TLS support. 
+ +JH/02 Support "G" suffix to numbers in ${if comparisons. + +PP/08 Handle smtp transport tls_sni option forced-fail for OpenSSL. + +NM/01 Bugzilla 1197 - Spec typo + Bugzilla 1196 - Spec examples corrections + +JH/03 Add expansion operators ${listnamed:name} and ${listcount:string} + +PP/09 Add gnutls_allow_auto_pkcs11 option (was originally called + gnutls_enable_pkcs11, but renamed to more accurately indicate its + function. + +PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC. + Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler. + +JH/04 Add expansion item ${acl {name}{arg}...}, expansion condition + "acl {{name}{arg}...}", and optional args on acl condition + "acl = name arg..." + +JH/05 Permit multiple router/transport headers_add/remove lines. + +JH/06 Add dnsdb pseudo-lookup "a+" to do an "aaaa" + "a" combination. + +JH/07 Avoid using a waiting database for a single-message-only transport. + Performance patch from Paul Fisher. Bugzilla 1262. + +JH/08 Strip leading/trailing newlines from add_header ACL modifier data. + Bugzilla 884. + +JH/09 Add $headers_added variable, with content from use of ACL modifier + add_header (but not yet added to the message). Bugzilla 199. + +JH/10 Add 8bitmime log_selector, for 8bitmime status on the received line. + Pulled from Bugzilla 817 by Wolfgang Breyha. + +PP/11 SECURITY: protect DKIM DNS decoding from remote exploit. + CVE-2012-5671 + (nb: this is the same fix as in Exim 4.80.1) + +JH/11 Add A= logging on delivery lines, and a client_set_id option on + authenticators. + +JH/12 Add optional authenticated_sender logging to A= and a log_selector + for control. + +PP/12 Unbreak server_set_id for NTLM/SPA auth, broken by 4.80 PP/29. + +PP/13 Dovecot auth: log better reason to rejectlog if Dovecot did not + advertise SMTP AUTH mechanism to us, instead of a generic + protocol violation error. Also, make Exim more robust to bad + data from the Dovecot auth socket. 
+ +TF/01 Fix ultimate retry timeouts for intermittently deliverable recipients. + + When a queue runner is handling a message, Exim first routes the + recipient addresses, during which it prunes them based on the retry + hints database. After that it attempts to deliver the message to + any remaining recipients. It then updates the hints database using + the retry rules. + + So if a recipient address works intermittently, it can get repeatedly + deferred at routing time. The retry hints record remains fresh so the + address never reaches the final cutoff time. + + This is a fairly common occurrence when a user is bumping up against + their storage quota. Exim had some logic in its local delivery code + to deal with this. However it did not apply to per-recipient defers + in remote deliveries, e.g. over LMTP to a separate IMAP message store. + + This change adds a proper retry rule check during routing so that the + final cutoff time is checked against the message's age. We only do + this check if there is an address retry record and there is not a + domain retry record; this implies that previous attempts to handle + the address had the retry_use_local_parts option turned on. We use + this as an approximation for the destination being like a local + delivery, as in LMTP. + + I suspect this new check makes the old local delivery cutoff check + redundant, but I have not verified this so I left the code in place. + +TF/02 Correct gecos expansion when 
From: is a prefix of the username. + + Test 0254 submits a message to Exim with the header + + Resent-From: f + + When I ran the test suite under the user fanf2, Exim expanded + the header to contain my full name, whereas it should have added + a Resent-Sender: header. It erroneously treats any prefix of the + username as equal to the username. + + This change corrects that bug. + +GF/01 DCC debug and logging tidyup + Error conditions log to paniclog rather than rejectlog. + Debug lines prefixed by "DCC: " to remove any ambiguity. + +TF/03 Avoid unnecessary rebuilds of lookup-related code. + +PP/14 Fix OCSP reinitialisation in SNI handling for Exim/TLS as server. + Bug spotted by Jeremy Harris; was flawed since initial commit. + Would have resulted in OCSP responses post-SNI triggering an Exim + NULL dereference and crash. + +JH/13 Add $router_name and $transport_name variables. Bugzilla 308. + +PP/15 Define SIOCGIFCONF_GIVES_ADDR for GNU Hurd. + Bug detection, analysis and fix by Samuel Thibault. + Bugzilla 1331, Debian bug #698092. + +SC/01 Update eximstats to watch out for senders sending 'HELO [IpAddr]' + +JH/14 SMTP PRDR (http://www.eric-a-hall.com/specs/draft-hall-prdr-00.txt). + Server implementation by Todd Lyons, client by JH. + Only enabled when compiled with EXPERIMENTAL_PRDR. A new + config variable "prdr_enable" controls whether the server + advertises the facility. If the client requests PRDR a new + acl_data_smtp_prdr ACL is called once for each recipient, after + the body content is received and before the acl_smtp_data ACL. + The client is controlled by bolth of: a hosts_try_prdr option + on the smtp transport, and the server advertisement. + Default client logging of deliveries and rejections involving + PRDR are flagged with the string "PRDR". + +PP/16 Fix problems caused by timeouts during quit ACLs trying to double + fclose(). Diagnosis by Todd Lyons. + +PP/17 Update configure.default to handle IPv6 localhost better. 
+ Patch by Alain Williams (plus minor tweaks). + Bugzilla 880. + +PP/18 OpenSSL made graceful with empty tls_verify_certificates setting. + This is now consistent with GnuTLS, and is now documented: the + previous undocumented portable approach to treating the option as + unset was to force an expansion failure. That still works, and + an empty string is now equivalent. + +PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it + clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag, + not performing validation itself. + +PP/20 Added force_command boolean option to pipe transport. + Patch from Nick Koston, of cPanel Inc. + +JH/15 AUTH support on callouts (and hence cutthrough-deliveries). + Bugzilla 321, 823. + +TF/04 Added udpsend ACL modifer and hexquote expansion operator + +PP/21 Fix eximon continuous updating with timestamped log-files. + Broken in a format-string cleanup in 4.80, missed when I repaired the + other false fix of the same issue. + Report and fix from Heiko Schlichting. + Bugzilla 1363. + +PP/22 Guard LDAP TLS usage against Solaris LDAP variant. + Report from Prashanth Katuri. + +PP/23 Support safari_ecdhe_ecdsa_bug for openssl_options. + It's SecureTransport, so affects any MacOS clients which use the + system-integrated TLS libraries, including email clients. + +PP/24 Fix segfault from trying to fprintf() to a NULL stdio FILE* if + using a MIME ACL for non-SMTP local injection. + Report and assistance in diagnosis by Warren Baker. + +TL/08 Adjust exiqgrep to be case-insensitive for sender/receiver. + +JH/16 Fix comparisons for 64b. Bugzilla 1385. + +TL/09 Add expansion variable $authenticated_fail_id to keep track of + last id that failed so it may be referenced in subsequent ACL's. + +TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by + Alexander Miroch. + +TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls + ldap library initialization, allowing self-signed CA's to be + used. 
Also properly sets require_cert option later in code by + using NULL (global ldap config) instead of ldap handle (per + session). Bug diagnosis and testing by alxgomz. + +TL/12 Enhanced documentation in the ratelimit.pl script provided in + the src/util/ subdirectory. + +TL/13 Bug 1301 - Imported transport SQL logging patch from Axel Rau + renamed to Transport Post Delivery Action by Jeremy Harris, as + EXPERIMENTAL_TPDA. + +TL/14 Bugzilla 1217 - Redis lookup support has been added. It is only enabled + when Exim is compiled with EXPERIMENTAL_REDIS. A new config variable + redis_servers = needs to be configured which will be used by the redis + lookup. Patch from Warren Baker, of The Packet Hub. + +TL/15 Fix exiqsumm summary for corner case. Patch provided by Richard Hall. + +TL/16 Bugzilla 1289 - Clarify host/ip processing when have errors looking up a + hostname or reverse DNS when processing a host list. Used suggestions + from multiple comments on this bug. + +TL/17 Bugzilla 1057 - Multiple clamd TCP targets patch from Mark Zealey. + +TL/18 Had previously added a -CONTINUE option to runtest in the test suite. + Missed a few lines, added it to make the runtest require no keyboard + interaction. + +TL/19 Bugzilla 1402 - Test 533 fails if any part of the path to the test suite + contains upper case chars. Make router use caseful_local_part. + +TL/20 Bugzilla 1400 - Add AVOID_GNUTLS_PKCS11 build option. Allows GnuTLS + support when GnuTLS has been built with p11-kit. + + +Exim version 4.80.1 +------------------- + +PP/01 SECURITY: protect DKIM DNS decoding from remote exploit. + CVE-2012-5671 + This, or similar/improved, will also be change PP/11 of 4.82. + + Exim version 4.80 ----------------- 
@@ -772,7 +1044,7 @@ NM/33 Bugzilla 898: Transport filter timeout fix. Patch by Todd Rinaldo. -NM/34 Bugzilla 901: Fix sign/unsigned and UTF mistmatches. +NM/34 Bugzilla 901: Fix sign/unsigned and UTF mismatches. Patch by Serge Demonchaux. NM/35 Bugzilla 39: Base64 decode bug fixes. diff -Nru exim4-4.80/doc/exim.8 exim4-4.82/doc/exim.8 --- exim4-4.80/doc/exim.8 2012-05-31 09:35:26.000000000 +0000 +++ exim4-4.82/doc/exim.8 2013-10-28 12:57:57.000000000 +0000 @@ -100,6 +100,11 @@ This option is an alias for \fB\-bV\fP and causes version information to be displayed. .TP 10 +\fB\-Ac\fP +\fB\-Am\fP +These options are used by Sendmail for selecting configuration files and are +ignored by Exim. +.TP 10 \fB\-B\fP<\fItype\fP> This is a Sendmail option for selecting 7 or 8 bit processing. Exim is 8\-bit clean; it ignores this option. 
@@ -308,9 +313,28 @@ if this is required. If the \fBbi_command\fP option is not set, calling Exim with \fB\-bi\fP is a no\-op. .TP 10 +\fB\-bI:help\fP +We shall provide various options starting \-bI: for querying Exim for +information. The output of many of these will be intended for machine +consumption. This one is not. The \fB\-bI:help\fP option asks Exim for a +synopsis of supported options beginning \-bI:. Use of any of these +options shall cause Exim to exit after producing the requested output. +.TP 10 +\fB\-bI:dscp\fP +This option causes Exim to emit an alphabetically sorted list of all +recognised DSCP names. +.TP 10 +\fB\-bI:sieve\fP +This option causes Exim to emit an alphabetically sorted list of all supported +Sieve protocol extensions on stdout, one per line. This is anticipated to be +useful for ManageSieve (RFC 5804) implementations, in providing that protocol's +SIEVE capability response line. As the precise list may depend upon +compile\-time build options, which this option will adapt to, this is the only +way to guarantee a correct response. +.TP 10 \fB\-bm\fP This option runs an Exim receiving process that accepts an incoming, -locally\-generated message on the current input. The recipients are given as the +locally\-generated message on the standard input. The recipients are given as the command arguments (except when \fB\-t\fP is also present \- see below). Each argument can be a comma\-separated list of RFC 2822 addresses. This is the default option for selecting the overall action of an Exim call; it is assumed @@ -399,6 +423,8 @@ configuration file is output. If a list of configuration files was supplied, the value that is output here is the name of the file that was actually used. +If the \fB\-n\fP flag is given, then for most modes of \fB\-bP\fP operation the +name will not be output. .sp If \fBlog_file_path\fP or \fBpid_file_path\fP are given, the names of the directories where log files and daemon pid files are written are output, 
@@ -909,7 +935,14 @@ if \fB\-f\fP is also present, it overrides "From ". .TP 10 \fB\-G\fP -This is a Sendmail option which is ignored by Exim. +This option is equivalent to an ACL applying: +.sp + control = suppress_local_fixups +for every message received. Note that Sendmail will complain about such +bad formatting, where Exim silently just does not fix it up. This may change +in future. +As this affects audit information, the caller must be a trusted user to use +this option. .TP 10 \fB\-h\fP <\fInumber\fP> This option is accepted for compatibility with Sendmail, but has no effect. (In @@ -922,6 +955,14 @@ no documentation for this option in Solaris 2.4 Sendmail, but the \fImailx\fP command in Solaris 2.4 uses it. See also \fB\-ti\fP. .TP 10 +\fB\-L\fP <\fItag\fP> +This option is equivalent to setting \fBsyslog_processname\fP in the config +file and setting \fBlog_file_path\fP to syslog. +Its use is restricted to administrators. The configuration file has to be +read and parsed, to determine access rights, before this is set and takes +effect, so early configuration file errors will not honour this flag. +The tag should not be longer than 32 characters. +.TP 10 \fB\-M\fP <\fImessage id\fP> <\fImessage id\fP> ... This option requests Exim to run a delivery attempt on each message in turn. If any of the messages are frozen, they are automatically thawed before the @@ -1094,8 +1135,9 @@ for that message. .TP 10 \fB\-n\fP -This option is interpreted by Sendmail to mean "no aliasing". It is ignored -by Exim. +This option is interpreted by Sendmail to mean "no aliasing". +For normal modes of operation, it is ignored by Exim. +When combined with \fB\-bP\fP it suppresses the name of an option from being output. .TP 10 \fB\-O\fP <\fIdata\fP> This option is interpreted by Sendmail to mean set option. It is ignored by 
@@ -1184,8 +1226,8 @@ Provided this error message is successfully sent, the Exim receiving process exits with a return code of zero. If not, the return code is 2 if the problem -is that the original message has no recipients, or 1 any other error. This is -the default \fB\-oe\fP\fIx\fP option if Exim is called as \fIrmail\fP. +is that the original message has no recipients, or 1 for any other error. +This is the default \fB\-oe\fP\fIx\fP option if Exim is called as \fIrmail\fP. .TP 10 \fB\-oem\fP This is the same as \fB\-oee\fP, except that Exim always exits with a non\-zero @@ -1337,7 +1379,7 @@ It sets the incoming protocol and host name (for trusted callers). The host name and its colon can be omitted when only the protocol is to be set. Note the Exim already has two private options, \fB\-pd\fP and \fB\-ps\fP, that refer -to embedded Perl. It is therefore impossible to set a protocol value of p +to embedded Perl. It is therefore impossible to set a protocol value of d or s using this option (but that does not seem a real limitation). .TP 10 \fB\-q\fP @@ -1505,7 +1547,7 @@ has \fIf\fP or \fIff\fP in its flags, the associated action is taken. .TP 10 \fB\-Tqt\fP <\fItimes\fP> -This an option that is exclusively for use by the Exim testing suite. It is not +This is an option that is exclusively for use by the Exim testing suite. It is not recognized when Exim is run normally. It allows for the setting up of explicit "queue times" so that various warning/retry features can be tested. .TP 10 
@@ -1572,7 +1614,10 @@ National Language Support extended characters in the body of the mail item"). It sets \fB\-x\fP when calling the MTA from its \fBmail\fP command. Exim ignores this option. -.sp +.TP 10 +\fB\-X\fP <\fIlogfile\fP> +This option is interpreted by Sendmail to cause debug information to be sent +to the named file. It is ignored by Exim. . .SH "SEE ALSO" .rs diff -Nru exim4-4.80/doc/experimental-spec.txt exim4-4.82/doc/experimental-spec.txt --- exim4-4.80/doc/experimental-spec.txt 2012-05-31 00:40:15.000000000 +0000 +++ exim4-4.82/doc/experimental-spec.txt 2013-10-25 00:46:27.000000000 +0000 
@@ -2,14 +2,42 @@ While a feature is experimental, there will be a build-time option whose name starts "EXPERIMENTAL_" that must be set in order to include the feature. This file contains information -about experimenatal features, all of which are unstable and -liable to incompatibile change. +about experimental features, all of which are unstable and +liable to incompatible change. + + +PRDR support +-------------------------------------------------------------- + +Per-Recipient Data Reponse is an SMTP extension proposed by Eric Hall +in a (now-expired) IETF draft from 2007. It's not hit mainstream +use, but has apparently been implemented in the META1 MTA. + +There is mention at http://mail.aegee.org/intern/sendmail.html +of a patch to sendmail "to make it PRDR capable". + + ref: http://www.eric-a-hall.com/specs/draft-hall-prdr-00.txt + +If Exim is built with EXPERIMENTAL_PRDR there is a new config +boolean "prdr_enable" which controls whether PRDR is advertised +as part of an EHLO response, a new "acl_data_smtp_prdr" ACL +(called for each recipient, after data arrives but before the +data ACL), and a new smtp transport option "hosts_try_prdr". + +PRDR may be used to support per-user content filtering. Without it +one must defer any recipient after the first that has a different +content-filter configuration. With PRDR, the RCPT-time check +for this can be disabled when the MAIL-time $smtp_command included +"PRDR". Any required difference in behaviour of the main DATA-time +ACL should however depend on the PRDR-time ACL having run, as Exim +will avoid doing so in some situations (eg. single-recipient mails). + OCSP Stapling support -------------------------------------------------------------- -X509 PKI certificates expire and can be revoked; to handle this, the +X.509 PKI certificates expire and can be revoked; to handle this, the clients need some way to determine if a particular certificate, from a particular Certificate Authority (CA), is still valid. 
There are three main ways to do so. @@ -41,7 +69,7 @@ proof expires. The downside is that it requires server support. If Exim is built with EXPERIMENTAL_OCSP and it was built with OpenSSL, -then it gains one new option: "tls_ocsp_file". +then it gains a new global option: "tls_ocsp_file". The file specified therein is expected to be in DER format, and contain an OCSP proof. Exim will serve it as part of the TLS handshake. This @@ -58,10 +86,30 @@ Exim will check for a valid next update timestamp in the OCSP proof; if not present, or if the proof has expired, it will be ignored. +Also, given EXPERIMENTAL_OCSP and OpenSSL, the smtp transport gains +a "hosts_require_ocsp" option; a host-list for which an OCSP Stapling +is requested and required for the connection to proceed. The host(s) +should also be in "hosts_require_tls", and "tls_verify_certificates" +configured for the transport. + +For the client to be able to verify the stapled OCSP the server must +also supply, in its stapled information, any intermediate +certificates for the chain leading to the OCSP proof from the signer +of the server certificate. There may be zero or one such. These +intermediate certificates should be added to the server OCSP stapling +file (named by tls_ocsp_file). + At this point in time, we're gathering feedback on use, to determine if it's worth adding complexity to the Exim daemon to periodically re-fetch -OCSP files and somehow handling multiple files. There is no client support -for OCSP in Exim, this is feature expected to be used by mail clients. +OCSP files and somehow handling multiple files. + + A helper script "ocsp_fetch.pl" for fetching a proof from a CA + OCSP server is supplied. The server URL may be included in the + server certificate, if the CA is helpful. + + One fail mode seen was the OCSP Signer cert expiring before the end + of vailidity of the OCSP proof. The checking done by Exim/OpenSSL + noted this as invalid overall, but the re-fetch script did not. 
@@ -380,7 +428,7 @@ You can now run SPF checks in incoming SMTP by using the "spf" ACL condition in either the MAIL, RCPT or DATA ACLs. When -using it in the RCPT ACL, you can make the checks dependend on +using it in the RCPT ACL, you can make the checks dependent on the RCPT address (or domain), so you can check SPF records only for certain target domains. This gives you the possibility to opt-out certain customers that do not want @@ -491,7 +539,7 @@ When the spf_guess condition has run, it sets up the same expansion variables as when spf condition is run, described above. -Additionally, since Best-guess is not standarized, you may redefine +Additionally, since Best-guess is not standardized, you may redefine what "Best-guess" means to you by redefining spf_guess variable in global config. For example, the following: @@ -546,7 +594,7 @@ After that "$dcc_header" contains the X-DCC-Header. -Returnvalues are: +Return values are: fail for overall "R", "G" from dccifd defer for overall "T" from dccifd accept for overall "A", "S" from dccifd 
@@ -570,10 +618,403 @@ If you want to pass even more headers in the middle of the DATA stage you can set $acl_m_dcc_add_header -to tell the DCC routines add more information; eg, you might set +to tell the DCC routines to add more information; eg, you might set this to some results from ClamAV. Be careful. Header syntax is not checked and is added "as is". +In case you've troubles with sites sending the same queue items from several +hosts and fail to get through greylisting you can use +$acl_m_dcc_override_client_ip + +Setting $acl_m_dcc_override_client_ip to an IP address overrides the default +of $sender_host_address. eg. use the following ACL in DATA stage: + + warn set acl_m_dcc_override_client_ip = \ + ${lookup{$sender_helo_name}nwildlsearch{/etc/mail/multipleip_sites}{$value}{}} + condition = ${if def:acl_m_dcc_override_client_ip} + log_message = dbg: acl_m_dcc_override_client_ip set to \ + $acl_m_dcc_override_client_ip + +Then set something like +# cat /etc/mail/multipleip_sites +mout-xforward.gmx.net 82.165.159.12 +mout.gmx.net 212.227.15.16 + +Use a reasonable IP. eg. one the sending cluster acutally uses. + +DMARC Support +-------------------------------------------------------------- + +DMARC combines feedback from SPF, DKIM, and header 
From: in order +to attempt to provide better indicators of the authenticity of an +email. This document does not explain the fundamentals, you +should read and understand how it works by visiting the website at +http://www.dmarc.org/. + +DMARC support is added via the libopendmarc library. Visit: + + http://sourceforge.net/projects/opendmarc/ + +to obtain a copy, or find it in your favorite rpm package +repository. If building from source, this description assumes +that headers will be in /usr/local/include, and that the libraries +are in /usr/local/lib. + +1. To compile Exim with DMARC support, you must first enable SPF. +Please read the above section on enabling the EXPERIMENTAL_SPF +feature. You must also have DKIM support, so you cannot set the +DISABLE_DKIM feature. Once both of those conditions have been met +you can enable DMARC in Local/Makefile: + +EXPERIMENTAL_DMARC=yes +LDFLAGS += -lopendmarc +# CFLAGS += -I/usr/local/include +# LDFLAGS += -L/usr/local/lib + +The first line sets the feature to include the correct code, and +the second line says to link the libopendmarc libraries into the +exim binary. The commented out lines should be uncommented if you +built opendmarc from source and installed in the default location. +Adjust the paths if you installed them elsewhere, but you do not +need to uncomment them if an rpm (or you) installed them in the +package controlled locations (/usr/include and /usr/lib). + + +2. Use the following global settings to configure DMARC: + +Required: +dmarc_tld_file Defines the location of a text file of valid + top level domains the opendmarc library uses + during domain parsing. Maintained by Mozilla, + the most current version can be downloaded + from a link at http://publicsuffix.org/list/. + +Optional: +dmarc_history_file Defines the location of a file to log results + of dmarc verification on inbound emails. 
The + contents are importable by the opendmarc tools + which will manage the data, send out DMARC + reports, and expire the data. Make sure the + directory of this file is writable by the user + exim runs as. + +dmarc_forensic_sender The email address to use when sending a + forensic report detailing alignment failures + if a sender domain's dmarc record specifies it + and you have configured Exim to send them. + Default: do-not-reply@$default_hostname + + +3. By default, the DMARC processing will run for any remote, +non-authenticated user. It makes sense to only verify DMARC +status of messages coming from remote, untrusted sources. You can +use standard conditions such as hosts, senders, etc, to decide that +DMARC verification should *not* be performed for them and disable +DMARC with a control setting: + + control = dmarc_disable_verify + +A DMARC record can also specify a "forensic address", which gives +exim an email address to submit reports about failed alignment. +Exim does not do this by default because in certain conditions it +results in unintended information leakage (what lists a user might +be subscribed to, etc). You must configure exim to submit forensic +reports to the owner of the domain. If the DMARC record contains a +forensic address and you specify the control statement below, then +exim will send these forensic emails. It's also advised that you +configure a dmarc_forensic_sender because the default sender address +construction might be inadequate. + + control = dmarc_forensic_enable + +(AGAIN: You can choose not to send these forensic reports by simply +not putting the dmarc_forensic_enable control line at any point in +your exim config. If you don't tell it to send them, it will not +send them.) + +There are no options to either control. Both must appear before +the DATA acl. + + +4. You can now run DMARC checks in incoming SMTP by using the +"dmarc_status" ACL condition in the DATA ACL. 
You are required to +call the spf condition first in the ACLs, then the "dmarc_status" +condition. Putting this condition in the ACLs is required in order +for a DMARC check to actually occur. All of the variables are set +up before the DATA ACL, but there is no actual DMARC check that +occurs until a "dmarc_status" condition is encountered in the ACLs. + +The dmarc_status condition takes a list of strings on its +right-hand side. These strings describe recommended action based +on the DMARC check. To understand what the policy recommendations +mean, refer to the DMARC website above. Valid strings are: + + o accept The DMARC check passed and the library recommends + accepting the email. + o reject The DMARC check failed and the library recommends + rejecting the email. + o quarantine The DMARC check failed and the library recommends + keeping it for further inspection. + o none The DMARC check passed and the library recommends + no specific action, neutral. + o norecord No policy section in the DMARC record for this + sender domain. + o nofrom Unable to determine the domain of the sender. + o temperror Library error or dns error. + o off The DMARC check was disabled for this email. + +You can prefix each string with an exclamation mark to invert its +meaning, for example "!accept" will match all results but +"accept". The string list is evaluated left-to-right in a +short-circuit fashion. When a string matches the outcome of the +DMARC check, the condition succeeds. If none of the listed +strings matches the outcome of the DMARC check, the condition +fails. + +Of course, you can also use any other lookup method that Exim +supports, including LDAP, Postgres, MySQL, etc, as long as the +result is a list of colon-separated strings; + +Several expansion variables are set before the DATA ACL is +processed, and you can use them in this ACL. 
The following +expansion variables are available: + + o $dmarc_status + This is a one word status indicating what the DMARC library + thinks of the email. + + o $dmarc_status_text + This is a slightly longer, human readable status. + + o $dmarc_used_domain + This is the domain which DMARC used to look up the DMARC + policy record. + + o $dmarc_ar_header + This is the entire Authentication-Results header which you can + add using an add_header modifier. + + +5. How to enable DMARC advanced operation: +By default, Exim's DMARC configuration is intended to be +non-intrusive and conservative. To facilitate this, Exim will not +create any type of logging files without explicit configuration by +you, the admin. Nor will Exim send out any emails/reports about +DMARC issues without explicit configuration by you, the admin (other +than typical bounce messages that may come about due to ACL +processing or failure delivery issues). + +In order to log statistics suitable to be imported by the opendmarc +tools, you need to: +a. Configure the global setting dmarc_history_file. +b. Configure cron jobs to call the appropriate opendmarc history + import scripts and truncating the dmarc_history_file. + +In order to send forensic reports, you need to: +a. Configure the global setting dmarc_forensic_sender. +b. Configure, somewhere before the DATA ACL, the control option to + enable sending DMARC forensic reports. + + +6. 
Example usage: +(RCPT ACL) + warn domains = +local_domains + hosts = +local_hosts + control = dmarc_disable_verify + + warn !domains = +screwed_up_dmarc_records + control = dmarc_enable_forensic + +(DATA ACL) + warn dmarc_status = accept : none : off + !authenticated = * + log_message = DMARC DEBUG: $dmarc_status $dmarc_used_domain + add_header = $dmarc_ar_header + + warn dmarc_status = !accept + !authenticated = * + log_message = DMARC DEBUG: '$dmarc_status' for $dmarc_used_domain + + warn dmarc_status = quarantine + !authenticated = * + set $acl_m_quarantine = 1 + # Do something in a transport with this flag variable + + deny dmarc_status = reject + !authenticated = * + message = Message from $domain_used_domain failed sender's DMARC policy, REJECT + + + +Transport post-delivery actions +-------------------------------------------------------------- + +An arbitrary per-transport string can be expanded on successful delivery, +and (for SMTP transports) a second string on deferrals caused by a host error. +This feature may be used, for example, to write exim internal log information +(not available otherwise) into a database. + +In order to use the feature, you must set + +EXPERIMENTAL_TPDA=yes + +in your Local/Makefile + +and define the expandable strings in the runtime config file, to +be executed at end of delivery. + +Additionally, there are 6 more variables, available at end of +delivery: + +tpda_delivery_ip IP of host, which has accepted delivery +tpda_delivery_port Port of remote host which has accepted delivery +tpda_delivery_fqdn FQDN of host, which has accepted delivery +tpda_delivery_local_part local part of address being delivered +tpda_delivery_domain domain part of address being delivered +tpda_delivery_confirmation SMTP confirmation message + +In case of a deferral caused by a host-error: +tpda_defer_errno Error number +tpda_defer_errstr Error string possibly containing more details + +The $router_name and $transport_name variables are also usable. 
+ + +To take action after successful deliveries, set the following option +on any transport of interest. + +tpda_delivery_action + +An example might look like: + +tpda_delivery_action = \ +${lookup pgsql {SELECT * FROM record_Delivery( \ + '${quote_pgsql:$sender_address_domain}',\ + '${quote_pgsql:${lc:$sender_address_local_part}}', \ + '${quote_pgsql:$tpda_delivery_domain}', \ + '${quote_pgsql:${lc:$tpda_delivery_local_part}}', \ + '${quote_pgsql:$tpda_delivery_ip}', \ + '${quote_pgsql:${lc:$tpda_delivery_fqdn}}', \ + '${quote_pgsql:$message_exim_id}')}} + +The string is expanded after the delivery completes and any +side-effects will happen. The result is then discarded. +Note that for complex operations an ACL expansion can be used. + + +In order to log host deferrals, add the following option to an SMTP +transport: + +tpda_host_defer_action + +This is a private option of the SMTP transport. It is intended to +log failures of remote hosts. It is executed only when exim has +attempted to deliver a message to a remote host and failed due to +an error which doesn't seem to be related to the individual +message, sender, or recipient address. +See section 47.2 of the exim documentation for more details on how +this is determined. 
+ +Example: + +tpda_host_defer_action = \ +${lookup mysql {insert into delivlog set \ + msgid = '${quote_mysql:$message_exim_id}', \ + senderlp = '${quote_mysql:${lc:$sender_address_local_part}}', \ + senderdom = '${quote_mysql:$sender_address_domain}', \ + delivlp = '${quote_mysql:${lc:$tpda_delivery_local_part}}', \ + delivdom = '${quote_mysql:$tpda_delivery_domain}', \ + delivip = '${quote_mysql:$tpda_delivery_ip}', \ + delivport = '${quote_mysql:$tpda_delivery_port}', \ + delivfqdn = '${quote_mysql:$tpda_delivery_fqdn}', \ + deliverrno = '${quote_mysql:$tpda_defer_errno}', \ + deliverrstr = '${quote_mysql:$tpda_defer_errstr}' \ + }} + + +Redis Lookup +-------------------------------------------------------------- + +Redis is open source advanced key-value data store. This document +does not explain the fundamentals, you should read and understand how +it works by visiting the website at http://www.redis.io/. + +Redis lookup support is added via the hiredis library. Visit: + + https://github.com/redis/hiredis + +to obtain a copy, or find it in your operating systems package repository. +If building from source, this description assumes that headers will be in +/usr/local/include, and that the libraries are in /usr/local/lib. + +1. In order to build exim with Redis lookup support add + +EXPERIMENTAL_REDIS=yes + +to your Local/Makefile. (Re-)build/install exim. exim -d should show +Experimental_Redis in the line "Support for:". + +EXPERIMENTAL_REDIS=yes +LDFLAGS += -lhiredis +# CFLAGS += -I/usr/local/include +# LDFLAGS += -L/usr/local/lib + +The first line sets the feature to include the correct code, and +the second line says to link the hiredis libraries into the +exim binary. The commented out lines should be uncommented if you +built hiredis from source and installed in the default location. 
+Adjust the paths if you installed them elsewhere, but you do not +need to uncomment them if an rpm (or you) installed them in the +package controlled locations (/usr/include and /usr/lib). + + +2. Use the following global settings to configure Redis lookup support: + +Required: +redis_servers This option provides a list of Redis servers + and associated connection data, to be used in + conjunction with redis lookups. The option is + only available if Exim is configured with Redis + support. + +For example: + +redis_servers = 127.0.0.1/10/ - using database 10 with no password +redis_servers = 127.0.0.1//password - to make use of the default database of 0 with a password +redis_servers = 127.0.0.1// - for default database of 0 with no password + +3. Once you have the Redis servers defined you can then make use of the +experimental Redis lookup by specifying ${lookup redis{}} in a lookup query. + +4. Example usage: + +(Host List) +hostlist relay_from_ips = <\n ${lookup redis{SMEMBERS relay_from_ips}} + +Where relay_from_ips is a Redis set which contains entries such as "192.168.0.0/24" "10.0.0.0/8" and so on. +The result set is returned as +192.168.0.0/24 +10.0.0.0/8 +.. +. + +(Domain list) +domainlist virtual_domains = ${lookup redis {HGET $domain domain}} + +Where $domain is a hash which includes the key 'domain' and the value '$domain'. + +(Adding or updating an existing key) +set acl_c_spammer = ${if eq{${lookup redis{SPAMMER_SET}}}{OK}} + +Where SPAMMER_SET is a macro and it is defined as + +"SET SPAMMER " + +(Getting a value from Redis) + +set acl_c_spam_host = ${lookup redis{GET...}} + + -------------------------------------------------------------- End of file diff -Nru exim4-4.80/doc/filter.txt exim4-4.82/doc/filter.txt --- exim4-4.80/doc/filter.txt 2012-05-31 09:35:26.000000000 +0000 +++ exim4-4.82/doc/filter.txt 2013-10-28 12:57:57.000000000 +0000 
@@ -6,7 +6,7 @@ +-----------------------------------------------------------------------------+ +-------------------------------------+--------------------------------+------+ -|Revision 4.80 |17 May 2012 |PH | +|Revision 4.82 |28 Oct 2013 |PH | +-------------------------------------+--------------------------------+------+ ------------------------------------------------------------------------------- @@ -78,8 +78,8 @@ 1. FORWARDING AND FILTERING IN EXIM This document describes the user interfaces to Exim's in-built mail filtering -facilities, and is copyright (c) University of Cambridge 2007. It corresponds -to Exim version 4.80. +facilities, and is copyright (c) University of Cambridge 2010. It corresponds +to Exim version 4.82. 1.1 Introduction diff -Nru exim4-4.80/doc/GnuTLS-FAQ.txt exim4-4.82/doc/GnuTLS-FAQ.txt --- exim4-4.80/doc/GnuTLS-FAQ.txt 2012-05-31 00:40:15.000000000 +0000 +++ exim4-4.82/doc/GnuTLS-FAQ.txt 2013-10-25 00:46:27.000000000 +0000 @@ -103,9 +103,9 @@ MD5 was once very popular. It still is far too popular. Real world attacks have been proven possible against MD5. Including an attack against PKI (Public Key Infrastructure) certificates used for SSL/TLS. In that attack, -the attackers got a certificate for one identity but we able to then public a -certificate with the same signature but a different identity. This undermines -the whole purpose of having certificates. +the attackers got a certificate for one identity but were able to then publish +a certificate with the same signature but a different identity. This +undermines the whole purpose of having certificates. So GnuTLS stopped trusting any certificate with an MD5-based hash used in it. The world has been hurriedly moving away from MD5 in certificates for a while. 
@@ -150,7 +150,7 @@ DH, Diffie-Hellman (or Diffie-Hellman-Merkle, or something naming Williamson) is the common name for a way for two parties to a communication stream to exchange some private random data so that both end up with a shared secret -which no evesdropper can get. It does not provide for proof of the identity +which no eavesdropper can get. It does not provide for proof of the identity of either party, so on its own is subject to man-in-the-middle attacks, but is often combined with systems which do provide such proof, improving them by separating the session key (the shared secret) from the long-term identity, @@ -159,7 +159,7 @@ To do this, the server sends to the client a very large prime number; this is in the clear, an attacker can see it. This is not a problem; it's so not a problem, that there are standard named primes which applications can use, and -which a future release of Exim will probably support. +which Exim now supports. The size of the prime number affects how difficult it is to break apart the shared secret and decrypt the data. As time passes, the size required to 
@@ -177,13 +177,14 @@ One of the new pieces of the GnuTLS API is a means for an application to ask it for guidance and advice on how large some numbers should be. This is not -entirely internal to GnuTLS since generating the numbers is slow, an +entirely internal to GnuTLS, since generating the numbers is slow, an application might want to use a standard prime, etc. So, in an attempt to get away from being involved in cryptographic policy, and to get rid of a hard-coded "1024" in Exim's source-code, we switched to asking GnuTLS how many -bits should be in the prime number generated for use for Diffie-Hellman. To -give back to GnuTLS for use We can ask for various sizes, and did not expose -this to the administrator but instead just asked for "NORMAL" protection. +bits should be in the prime number generated for use for Diffie-Hellman. We +then give this number straight back to GnuTLS when generating a DH prime. +We can ask for various sizes, and did not expose this to the administrator but +instead just asked for "NORMAL" protection. Literally: dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL); @@ -299,7 +300,7 @@ The current documentation, for the most recent release of GnuTLS, is available online at: - http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html + http://www.gnutls.org/manual/html_node/Priority-Strings.html Beware that if you are not using the most recent GnuTLS release then this documentation will be wrong for you! You should find the "info" documentation diff -Nru exim4-4.80/doc/NewStuff exim4-4.82/doc/NewStuff --- exim4-4.80/doc/NewStuff 2012-05-31 00:40:15.000000000 +0000 +++ exim4-4.82/doc/NewStuff 2013-10-25 00:46:27.000000000 +0000 
@@ -6,6 +6,167 @@ test from the snapshots or the CVS before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. +Version 4.82 +------------ + + 1. New command-line option -bI:sieve will list all supported sieve extensions + of this Exim build on standard output, one per line. + ManageSieve (RFC 5804) providers managing scripts for use by Exim should + query this to establish the correct list to include in the protocol's + SIEVE capability line. + + 2. If the -n option is combined with the -bP option, then the name of an + emitted option is not output, only the value (if visible to you). + For instance, "exim -n -bP pid_file_path" should just emit a pathname + followed by a newline, and no other text. + + 3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now + has a "tls_dh_min_bits" option, to set the minimum acceptable number of + bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites) + acceptable for security. (Option accepted but ignored if using OpenSSL). + Defaults to 1024, the old value. May be lowered only to 512, or raised as + far as you like. Raising this may hinder TLS interoperability with other + sites and is not currently recommended. Lowering this will permit you to + establish a TLS session which is not as secure as you might like. + + Unless you really know what you are doing, leave it alone. + + 4. If not built with DISABLE_DNSSEC, Exim now has the main option + dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library + to send the DO flag to your recursive resolver. If you have a recursive + resolver, which can set the Authenticated Data (AD) flag in results, Exim + can now detect this. Exim does not perform validation itself, instead + relying upon a trusted path to the resolver. + + Current status: work-in-progress; $sender_host_dnssec variable added. + + 5. 
DSCP support for outbound connections: on a transport using the smtp driver, + set "dscp = ef", for instance, to cause the connections to have the relevant + DSCP (IPv4 TOS or IPv6 TCLASS) value in the header. + + Similarly for inbound connections, there is a new control modifier, dscp, + so "warn control = dscp/ef" in the connect ACL, or after authentication. + + Supported values depend upon system libraries. "exim -bI:dscp" to list the + ones Exim knows of. You can also set a raw number 0..0x3F. + + 6. The -G command-line flag is no longer ignored; it is now equivalent to an + ACL setting "control = suppress_local_fixups". The -L command-line flag + is now accepted and forces use of syslog, with the provided tag as the + process name. A few other flags used by Sendmail are now accepted and + ignored. + + 7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery" + ACL modifier; works for single-recipient mails which are recieved on and + deliverable via SMTP. Using the connection made for a recipient verify, + if requested before the verify, or a new one made for the purpose while + the inbound connection is still active. The bulk of the mail item is copied + direct from the inbound socket to the outbound (as well as the spool file). + When the source notifies the end of data, the data acceptance by the destination + is negociated before the acceptance is sent to the source. If the destination + does not accept the mail item, for example due to content-scanning, the item + is not accepted from the source and therefore there is no need to generate + a bounce mail. This is of benefit when providing a secondary-MX service. + The downside is that delays are under the control of the ultimate destination + system not your own. + + The Recieved-by: header on items delivered by cutthrough is generated + early in reception rather than at the end; this will affect any timestamp + included. 
The log line showing delivery is recorded before that showing + reception; it uses a new ">>" tag instead of "=>". + + To support the feature, verify-callout connections can now use ESMTP and TLS. + The usual smtp transport options are honoured, plus a (new, default everything) + hosts_verify_avoid_tls. + + New variable families named tls_in_cipher, tls_out_cipher etc. are introduced + for specific access to the information for each connection. The old names + are present for now but deprecated. + + Not yet supported: IGNOREQUOTA, SIZE, PIPELINING. + + 8. New expansion operators ${listnamed:name} to get the content of a named list + and ${listcount:string} to count the items in a list. + + 9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS + rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11 + modules. For some situations this is desirable, but we expect admin in + those situations to know they want the feature. More commonly, it means + that GUI user modules get loaded and are broken by the setuid Exim being + unable to access files specified in environment variables and passed + through, thus breakage. So we explicitly inhibit the PKCS11 initialisation + unless this new option is set. + + Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability, + so have also added a build option which can be used to build Exim with GnuTLS + but without trying to use any kind of PKCS11 support. Uncomment this in the + Local/Makefile: + + AVOID_GNUTLS_PKCS11=yes + +10. The "acl = name" condition on an ACL now supports optional arguments. + New expansion item "${acl {name}{arg}...}" and expansion condition + "acl {{name}{arg}...}" are added. In all cases up to nine arguments + can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL. + Variable $acl_narg contains the number of arguments. 
If the ACL sets + a "message =" value this becomes the result of the expansion item, + or the value of $value for the expansion condition. If the ACL returns + accept the expansion condition is true; if reject, false. A defer + return results in a forced fail. + +11. Routers and transports can now have multiple headers_add and headers_remove + option lines. The concatenated list is used. + +12. New ACL modifier "remove_header" can remove headers before message gets + handled by routers/transports. + +13. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured), + "aaaa" and "a" lookups is done and the full set of results returned. + +14. New expansion variable $headers_added with content from ACL add_header + modifier (but not yet added to messsage). + +15. New 8bitmime status logging option for received messages. Log field "M8S". + +16. New authenticated_sender logging option, adding to log field "A". + +17. New expansion variables $router_name and $transport_name. Useful + particularly for debug_print as -bt commandline option does not + require privilege whereas -d does. + +18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a + proposed extension to SMTP from Eric Hall. + +19. The pipe transport has gained the force_command option, to allow + decorating commands from user .forward pipe aliases with prefix + wrappers, for instance. + +20. Callout connections can now AUTH; the same controls as normal delivery + connections apply. + +21. Support for DMARC, using opendmarc libs, can be enabled. It adds new + options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file. + It adds new expansion variables $dmarc_ar_header, $dmarc_status, + $dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier + dmarc_status. It adds new control flags dmarc_disable_verify and + dmarc_enable_forensic. + +22. Add expansion variable $authenticated_fail_id, which is the username + provided to the authentication method which failed. 
It is available + for use in subsequent ACL processing (typically quit or notquit ACLs). + +23. New ACL modifer "udpsend" can construct a UDP packet to send to a given + UDP host and port. + +24. New ${hexquote:..string..} expansion operator converts non-printable + characters in the string to \xNN form. + +25. Experimental TPDA (Transport Post Delivery Action) function added. + Patch provided by Axel Rau. + +26. Experimental Redis lookup added. Patch provided by Warren Baker. + + Version 4.80 ------------ @@ -76,7 +237,7 @@ gnutls_require_mac & gnutls_require_protocols are no longer supported. tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority string, documentation for which is at: - http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html + http://www.gnutls.org/manual/html_node/Priority-Strings.html SNI support has been added to Exim's GnuTLS integration too. @@ -252,13 +413,13 @@ then henceforth you will have to maintain your own local patches to strip the safeties off. - 8. There is a new expansion operator, bool_lax{}. Where bool{} uses the ACL + 8. There is a new expansion condition, bool_lax{}. Where bool{} uses the ACL condition logic to determine truth/failure and will fail to expand many strings, bool_lax{} uses the router condition logic, where most strings do evaluate true. Note: bool{00} is false, bool_lax{00} is true. - 9. Routers now support multiple "condition" tests, + 9. Routers now support multiple "condition" tests. 10. There is now a runtime configuration option "tcp_wrappers_daemon_name". Setting this allows an admin to define which entry in the tcpwrappers diff -Nru exim4-4.80/doc/OptionLists.txt exim4-4.82/doc/OptionLists.txt --- exim4-4.80/doc/OptionLists.txt 2012-05-31 00:40:15.000000000 +0000 +++ exim4-4.82/doc/OptionLists.txt 2013-10-25 00:46:27.000000000 +0000 
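Review bot: item 4 of the 4.82 NewStuff hunk says Exim "does not perform validation itself, instead relying upon a trusted path to the resolver" but stops short of the operational consequence: $sender_host_dnssec reflects only the AD flag as returned by whatever resolver Exim talks to, so it must not drive policy unless that resolver is on localhost or reached over a link an attacker cannot inject into; state that explicitly rather than leaving it to the reader to infer. Item 7 refers to "The Recieved-by: header"; the trace header is "Received:" (and the spelling is wrong), and the same item has "recieved" and "negociated". Smaller typos in the same hunk: item 14 "messsage", item 23 "modifer".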
@@ -54,6 +54,8 @@ acl_smtp_auth string* unset main 4.00 acl_smtp_connect string* unset main 4.11 acl_smtp_data string* unset main 4.00 +acl_smtp_data_prdr string* unset main 4.82 with expreimental_prdr +acl_smtp_dkim string* unset main 4.70 unless disable_dkim acl_smtp_etrn string* unset main 4.00 acl_smtp_expn string* unset main 4.00 acl_smtp_helo string* unset main 4.20 @@ -171,6 +173,9 @@ disable_ipv6 boolean false main 4.61 disable_logging boolean false routers 4.11 false transports 4.11 +dmarc_forensic_sender string unset main 4.82 if experimental_dmarc +dmarc_history_file string unset main 4.82 if experimental_dmarc +dmarc_tld_file string unset main 4.82 if experimental_dmarc dns_again_means_nonexist domain list unset main 1.89 dns_check_names_pattern string + main 2.11 dns_csa_search_limit integer 5 main 4.60 @@ -180,12 +185,14 @@ dns_retrans time 0s main 1.60 dns_retry integer 0 main 1.60 dns_search_parents boolean false smtp +dns_use_dnssec integer -1 main 4.82 dns_use_edns0 integer -1 main 4.76 domains domain list unset routers 4.00 driver string unset authenticators unset routers 4.00 unset transports drop_cr boolean false main 4.00 became a no-op in 4.21 +dscp string unset smtp 4.82 dsn_from string* + main 4.67 envelope_to_add boolean false transports envelope_to_remove boolean true main @@ -233,6 +240,7 @@ forbid_pipe boolean false redirect 4.00 forbid_sieve_filter boolean false redirect 4.44 forbid_smtp_code boolean false redirect 4.63 +force_command boolean false pipe 4.82 freeze_exec_fail boolean false pipe 1.89 freeze_signal boolean false pipe 4.75 freeze_tell boolean false main 4.00 replaces freeze_tell_mailmaster @@ -240,6 +248,7 @@ gecos_name string* unset main gecos_pattern string unset main gethostbyname boolean false smtp +gnutls_allow_auto_pkcs11 boolean false main 4.82 gnutls_compat_mode boolean unset main 4.70 gnutls_require_kx string* unset main 4.67 deprecated, warns string* unset smtp 4.67 deprecated, warns 
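Review bot: the @@ -54 hunk adds "acl_smtp_data_prdr string* unset main 4.82 with expreimental_prdr": "expreimental" is misspelled, and the qualifier should use the "if experimental_prdr" form that the other new entries in the OptionLists.txt hunks of this patch use (hosts_try_prdr, prdr_enable). In the @@ -180 hunk the new option is listed as "dns_use_dnssec integer -1 main 4.82", while item 4 of the NewStuff hunk in this same patch calls it "dns_dnssec_ok"; one of the two names is wrong and an admin will type the wrong one, so reconcile them, and say what the integer values mean, since -1 is not an obvious default for something described as "if set to 1".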
@@ -286,9 +295,11 @@ hosts_randomize boolean false manualroute 4.00 false smtp 3.14 hosts_require_auth host list unset smtp 4.00 +hosts_require_ocsp host list unset smtp 4.82 if experimental_ocsp hosts_require_tls host list unset smtp 3.20 hosts_treat_as_local domain list unset main 1.95 hosts_try_auth host list unset smtp 4.00 +hosts_try_prdr host list unset smtp 4.82 if experimental_prdr ibase_servers string unset main 4.23 ignore_bounce_errors_after time 0s main 4.00 ignore_eacces boolean false redirect 4.00 @@ -393,6 +404,7 @@ port integer 0 iplookup 4.00 string "smtp" smtp preserve_message_logs boolean false main +prdr_enable boolean false main 4.82 if experimental_prdr primary_hostname string + main print_topbitchars boolean false main 1.89 process_log_path string unset main 4.21 @@ -548,7 +560,9 @@ tls_certificate string* unset main 3.20 unset smtp 3.20 tls_dh_max_bits integer 2236 main 4.80 +tls_dh_min_bits integer 1024 smtp 4.82 tls_dhparam string* unset main 3.20 +tls_ocsp_file string* unset main 4.80 if experimental_ocsp tls_on_connect_ports string unset main 4.43 tls_privatekey string* unset main 3.20 unset smtp 3.20 @@ -623,6 +637,7 @@ -bh Test incoming SMTP call, omitting callouts -bhc Test incoming SMTP call, with callouts -bi * Run bi_command +-bI:help Show list of accepted -bI: options -bm Accept message on standard input -bmalware + Invoke configured malware scanning against supplied filename -bnq Don't qualify addresses in locally submitted messages 
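Review bot: in the @@ -623 hunk only "-bI:help Show list of accepted -bI: options" is added to the command-line table, but -bI:dscp and -bI:sieve are documented elsewhere in this patch (NewStuff items 1 and 5, and the spec.txt -bI: entries); add rows for them so the table stays the authoritative list. In the @@ -548 hunk "tls_ocsp_file string* unset main 4.80 if experimental_ocsp" carries version 4.80 although it is being added in the 4.82 diff; if the option existed in 4.80 the column is right and the 4.80 list was merely incomplete, otherwise it should read 4.82, so check which before merging.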
@@ -838,6 +853,7 @@ DELIVER_IN_BUFFER_SIZE optional* DELIVER_OUT_BUFFER_SIZE optional* DISABLE_DKIM optional disables DKIM support +DISABLE_DNSSEC optional disables attempts to use DNSSEC DISABLE_D_OPTION optional disables -D option ERRNO_QUOTA optional* error code for system quota failures EXICYCLOG_MAX optional number of old log files to keep diff -Nru exim4-4.80/doc/spec.txt exim4-4.82/doc/spec.txt --- exim4-4.80/doc/spec.txt 2012-05-31 09:35:23.000000000 +0000 +++ exim4-4.82/doc/spec.txt 2013-10-28 12:57:55.000000000 +0000 @@ -2,11 +2,11 @@ Exim Maintainers -Copyright (c) 2012 University of Cambridge +Copyright (c) 2013 University of Cambridge +-----------------------------------------------------------------------------+ +-------------------------------------+--------------------------------+------+ -|Revision 4.80 |17 May 2012 |EM | +|Revision 4.82 |28 Oct 2013 |EM | +-------------------------------------+--------------------------------+------+ ------------------------------------------------------------------------------- 
@@ -411,34 +411,35 @@ 42.21. Use of the control modifier 42.22. Summary of message fixup control 42.23. Adding header lines in ACLs - 42.24. ACL conditions - 42.25. Using DNS lists - 42.26. Specifying the IP address for a DNS list lookup - 42.27. DNS lists keyed on domain names - 42.28. Multiple explicit keys for a DNS list - 42.29. Data returned by DNS lists - 42.30. Variables set from DNS lists - 42.31. Additional matching conditions for DNS lists - 42.32. Negated DNS matching conditions - 42.33. Handling multiple DNS records from a DNS list - 42.34. Detailed information from merged DNS lists - 42.35. DNS lists and IPv6 - 42.36. Rate limiting incoming messages - 42.37. Ratelimit options for what is being measured - 42.38. Ratelimit update modes - 42.39. Ratelimit options for handling fast clients - 42.40. Limiting the rate of different events - 42.41. Using rate limiting - 42.42. Address verification - 42.43. Callout verification - 42.44. Additional parameters for callouts - 42.45. Callout caching - 42.46. Sender address verification reporting - 42.47. Redirection while verifying - 42.48. Client SMTP authorization (CSA) - 42.49. Bounce address tag validation - 42.50. Using an ACL to control relaying - 42.51. Checking a relay configuration + 42.24. Removing header lines in ACLs + 42.25. ACL conditions + 42.26. Using DNS lists + 42.27. Specifying the IP address for a DNS list lookup + 42.28. DNS lists keyed on domain names + 42.29. Multiple explicit keys for a DNS list + 42.30. Data returned by DNS lists + 42.31. Variables set from DNS lists + 42.32. Additional matching conditions for DNS lists + 42.33. Negated DNS matching conditions + 42.34. Handling multiple DNS records from a DNS list + 42.35. Detailed information from merged DNS lists + 42.36. DNS lists and IPv6 + 42.37. Rate limiting incoming messages + 42.38. Ratelimit options for what is being measured + 42.39. Ratelimit update modes + 42.40. Ratelimit options for handling fast clients + 42.41. 
Limiting the rate of different events + 42.42. Using rate limiting + 42.43. Address verification + 42.44. Callout verification + 42.45. Additional parameters for callouts + 42.46. Callout caching + 42.47. Sender address verification reporting + 42.48. Redirection while verifying + 42.49. Client SMTP authorization (CSA) + 42.50. Bounce address tag validation + 42.51. Using an ACL to control relaying + 42.52. Checking a relay configuration 43. Content scanning at ACL time @@ -583,17 +584,19 @@ 54.2. Root privilege 54.3. Running Exim without privilege 54.4. Delivering to local files - 54.5. IPv4 source routing - 54.6. The VRFY, EXPN, and ETRN commands in SMTP - 54.7. Privileged users - 54.8. Spool files - 54.9. Use of argv[0] - 54.10. Use of %f formatting - 54.11. Embedded Exim path - 54.12. Dynamic module directory - 54.13. Use of sprintf() - 54.14. Use of debug_printf() and log_write() - 54.15. Use of strcat() and strcpy() + 54.5. Running local commands + 54.6. Trust in configuration data + 54.7. IPv4 source routing + 54.8. The VRFY, EXPN, and ETRN commands in SMTP + 54.9. Privileged users + 54.10. Spool files + 54.11. Use of argv[0] + 54.12. Use of %f formatting + 54.13. Embedded Exim path + 54.14. Dynamic module directory + 54.15. Use of sprintf() + 54.16. Use of debug_printf() and log_write() + 54.17. Use of strcat() and strcpy() 55. Format of spool files @@ -653,8 +656,8 @@ 1.1 Exim documentation ---------------------- -This edition of the Exim specification applies to version 4.80 of Exim. -Substantive changes from the 4.75 edition are marked in some renditions of the +This edition of the Exim specification applies to version 4.82 of Exim. +Substantive changes from the 4.80 edition are marked in some renditions of the document; this paragraph is so marked if the rendition is capable of showing a change indicator. 
@@ -801,10 +804,25 @@ contain identical data; the only difference is the type of compression. The .bz2 file is usually a lot smaller than the .gz file. -The distributions are currently signed with Nigel Metheringham's GPG key. The -corresponding public key is available from a number of keyservers, and there is -also a copy in the file nigel-pubkey.asc. The signatures for the tar bundles -are in: +The distributions will be PGP signed by an individual key of the Release +Coordinator. This key will have a uid containing an email address in the +exim.org domain and will have signatures from other people, including other +Exim maintainers. We expect that the key will be in the "strong set" of PGP +keys. There should be a trust path to that key from Nigel Metheringham's PGP +key, a version of which can be found in the release directory in the file +nigel-pubkey.asc. All keys used will be available in public keyserver pools, +such as pool.sks-keyservers.net. + +At time of last update, releases were being made by Phil Pennock and signed +with key 0x403043153903637F, although that key is expected to be replaced in +2013. A trust path from Nigel's key to Phil's can be observed at https:// +www.security.spodhuis.org/exim-trustpath. + +Releases have also been authorized to be performed by Todd Lyons who signs with +key 0xC4F4F94804D29EBA. A direct trust path exists between previous RE Phil +Pennock and Todd Lyons through a common associate. + +The signatures for the tar bundles are in: exim-n.nn.tar.gz.asc exim-n.nn.tar.bz2.asc 
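Review bot: in the @@ -801 hunk the signing keys are identified only by 64-bit key IDs ("0x403043153903637F", "0xC4F4F94804D29EBA"); a verification procedure should give full fingerprints, since a key ID is what a reader will paste into a keyserver query and the pool returns whatever matches it. The sentence "A direct trust path exists between previous RE Phil Pennock and Todd Lyons through a common associate" contradicts itself (a path through a third party is not direct). And since the text already says Phil's key "is expected to be replaced in 2013", either name the replacement or tell the reader where the current release key is announced, otherwise this paragraph is stale on arrival.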
@@ -1070,6 +1088,12 @@ OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * The DMARC implementation uses the OpenDMARC library which is Copyrighted by + The Trusted Domain Project. Portions of Exim source which use OpenDMARC + derived code are indicated in the respective source files. The full + OpenDMARC license is provided in the LICENSE.opendmarc file contained in + the distributed source code. + * Many people have contributed code fragments, some large, some small, that were not covered by any specific licence requirements. It is assumed that the contributors are happy to see their code incorporated into Exim under @@ -1511,6 +1535,8 @@ verify_sender and verify_recipient, which independently control the use of the router for sender and recipient verification. You can set these options directly if you want a router to be used for only one type of verification. + Note that cutthrough delivery is classed as a recipient verification for + this purpose. * If the address_test option is set false, the router is skipped when Exim is run with the -bt option to test an address routing. This can be helpful @@ -1519,7 +1545,8 @@ having to simulate the effect of the scanner. * Routers can be designated for use only when verifying an address, as - opposed to routing it for delivery. The verify_only option controls this. + opposed to routing it for delivery. The verify_only option controls this. + Again, cutthrough delivery counts as a verification. * Individual routers can be explicitly skipped when running the routers to check an address given in the SMTP EXPN command (see the expn option). 
@@ -1738,7 +1765,7 @@ Exim is distributed as a gzipped or bzipped tar file which, when unpacked, creates a directory with the name of the current release (for example, -exim-4.80) into which the following files are placed: +exim-4.82) into which the following files are placed: ACKNOWLEDGMENTS contains some acknowledgments CHANGES contains a reference to where changes are documented @@ -2028,8 +2055,8 @@ in your /etc/hosts.allow file allows connections from the local host, from the subnet 192.168.1.0/24, and from all hosts in friendly.domain.example. All other connections are denied. The daemon name used by tcpwrappers can be changed at -build time by setting TCP_WRAPPERS_DAEMON_NAME in in Local/Makefile, or by -setting tcp_wrappers_daemon_name in the configure file. Consult the tcpwrappers +build time by setting TCP_WRAPPERS_DAEMON_NAME in Local/Makefile, or by setting +tcp_wrappers_daemon_name in the configure file. Consult the tcpwrappers documentation for further details. @@ -2348,7 +2375,7 @@ For the utility programs, old versions are renamed by adding the suffix .O to their names. The Exim binary itself, however, is handled differently. It is installed under a name that includes the version number and the compile number, -for example exim-4.80-1. The script then arranges for a symbolic link called +for example exim-4.82-1. The script then arranges for a symbolic link called exim to point to the binary. If you are updating a previous version of Exim, the script takes care to ensure that the name exim is never absent from the directory (as seen by other processes). @@ -2673,6 +2700,11 @@ This option is an alias for -bV and causes version information to be displayed. +-Ac, -Am + + These options are used by Sendmail for selecting configuration files and + are ignored by Exim. + -B This is a Sendmail option for selecting 7 or 8 bit processing. Exim is 
@@ -2852,7 +2884,7 @@ actually perform an ident callout when testing using -bh because there is no incoming SMTP connection. - Warning 2: Address verification callouts (see section 42.43) are also + Warning 2: Address verification callouts (see section 42.44) are also skipped when testing using -bh. If you want these callouts to occur, use -bhc instead. @@ -2893,11 +2925,33 @@ alias files if this is required. If the bi_command option is not set, calling Exim with -bi is a no-op. +-bI:help + + We shall provide various options starting "-bI:" for querying Exim for + information. The output of many of these will be intended for machine + consumption. This one is not. The -bI:help option asks Exim for a synopsis + of supported options beginning "-bI:". Use of any of these options shall + cause Exim to exit after producing the requested output. + +-bI:dscp + + This option causes Exim to emit an alphabetically sorted list of all + recognised DSCP names. + +-bI:sieve + + This option causes Exim to emit an alphabetically sorted list of all + supported Sieve protocol extensions on stdout, one per line. This is + anticipated to be useful for ManageSieve (RFC 5804) implementations, in + providing that protocol's "SIEVE" capability response line. As the precise + list may depend upon compile-time build options, which this option will + adapt to, this is the only way to guarantee a correct response. + -bm This option runs an Exim receiving process that accepts an incoming, - locally-generated message on the current input. The recipients are given as - the command arguments (except when -t is also present - see below). Each + locally-generated message on the standard input. The recipients are given + as the command arguments (except when -t is also present - see below). Each argument can be a comma-separated list of RFC 2822 addresses. This is the default option for selecting the overall action of an Exim call; it is assumed if no other conflicting option is present. 
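Review bot: in the @@ -2893 hunk the -bI:dscp entry says only that Exim emits "an alphabetically sorted list of all recognised DSCP names", while -bI:sieve says "on stdout, one per line"; give -bI:dscp the same output contract (stream and separator), since the -bI:help text says these outputs are "intended for machine consumption". The -bI:help paragraph also leaves it implicit whether any of the -bI: queries need privilege; say whether an unprivileged caller can use them, because a ManageSieve daemon will typically run as its own user.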
@@ -2988,6 +3042,9 @@ supplied, the value that is output here is the name of the file that was actually used. + If the -n flag is given, then for most modes of -bP operation the name will + not be output. + If log_file_path or pid_file_path are given, the names of the directories where log files and daemon pid files are written are output, respectively. If these values are unset, log files are written in a sub-directory of the @@ -3525,7 +3582,16 @@ -G - This is a Sendmail option which is ignored by Exim. + This option is equivalent to an ACL applying: + + control = suppress_local_fixups + + for every message received. Note that Sendmail will complain about such bad + formatting, where Exim silently just does not fix it up. This may change in + future. + + As this affects audit information, the caller must be a trusted user to use + this option. -h @@ -3540,6 +3606,16 @@ find no documentation for this option in Solaris 2.4 Sendmail, but the mailx command in Solaris 2.4 uses it. See also -ti. +-L + + This option is equivalent to setting syslog_processname in the config file + and setting log_file_path to "syslog". Its use is restricted to + administrators. The configuration file has to be read and parsed, to + determine access rights, before this is set and takes effect, so early + configuration file errors will not honour this flag. + + The tag should not be longer than 32 characters. + -M ... This option requests Exim to run a delivery attempt on each message in @@ -3738,8 +3814,9 @@ -n - This option is interpreted by Sendmail to mean "no aliasing". It is ignored - by Exim. + This option is interpreted by Sendmail to mean "no aliasing". For normal + modes of operation, it is ignored by Exim. When combined with -bP it + suppresses the name of an option from being output. -O 
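Review bot: in the @@ -3540 hunk the -L entry says use "is restricted to administrators" and "The tag should not be longer than 32 characters" without saying what happens otherwise: is a non-admin caller's -L rejected with an error or silently ignored, and is an over-long tag truncated or refused? Both matter because the tag becomes the syslog process name, that is, part of the audit trail; state the behaviour for each case. The -G entry in @@ -3525 gives the reason ("As this affects audit information, the caller must be a trusted user") but likewise not the outcome for an untrusted caller, so add it to both.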
@@ -3837,8 +3914,8 @@ Provided this error message is successfully sent, the Exim receiving process exits with a return code of zero. If not, the return code is 2 if - the problem is that the original message has no recipients, or 1 any other - error. This is the default -oex option if Exim is called as rmail. + the problem is that the original message has no recipients, or 1 for any + other error. This is the default -oex option if Exim is called as rmail. -oem @@ -4021,7 +4098,7 @@ It sets the incoming protocol and host name (for trusted callers). The host name and its colon can be omitted when only the protocol is to be set. Note the Exim already has two private options, -pd and -ps, that refer to - embedded Perl. It is therefore impossible to set a protocol value of "p" or + embedded Perl. It is therefore impossible to set a protocol value of "d" or "s" using this option (but that does not seem a real limitation). -q @@ -4205,9 +4282,9 @@ -Tqt - This an option that is exclusively for use by the Exim testing suite. It is - not recognized when Exim is run normally. It allows for the setting up of - explicit "queue times" so that various warning/retry features can be + This is an option that is exclusively for use by the Exim testing suite. It + is not recognized when Exim is run normally. It allows for the setting up + of explicit "queue times" so that various warning/retry features can be tested. -t @@ -4282,6 +4359,11 @@ item"). It sets -x when calling the MTA from its mail command. Exim ignores this option. +-X + + This option is interpreted by Sendmail to cause debug information to be + sent to the named file. It is ignored by Exim. + =============================================================================== @@ -4970,7 +5052,7 @@ The first three non-comment configuration lines are as follows: -domainlist local_domains = @ +domainlist local_domains = @ domainlist relay_to_domains = hostlist relay_from_hosts = 127.0.0.1 
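Review bot: in the @@ -4282 hunk "-X ... sent to the named file. It is ignored by Exim" should say whether the file-name argument is consumed along with the flag; Sendmail's -X takes an argument, and if Exim drops the flag but not its argument, the file name is parsed as the next recipient address. The -p<rh> correction in @@ -4021 is right: the conflict is with -pd and -ps, so the unusable protocol values are "d" and "s", not "p".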
@@ -5270,7 +5352,7 @@ address is refused. Verification consists of trying to route the address, to see if a bounce message could be delivered to it. In the case of remote addresses, basic verification checks only the domain, but callouts can be used -for more verification if required. Section 42.42 discusses the details of +for more verification if required. Section 42.43 discusses the details of address verification. accept hosts = +relay_from_hosts @@ -5297,7 +5379,7 @@ until you complete the authenticator definitions. require message = relay not permitted - domains = +local_domains : +relay_domains + domains = +local_domains : +relay_to_domains This statement rejects the address if its domain is neither a local domain nor one of the domains for which this host is a relay. @@ -5651,7 +5733,7 @@ # server_set_id = $auth2 # server_prompts = : # server_condition = Authentication is not yet configured -# server_advertise_condition = ${if def:tls_cipher } +# server_advertise_condition = ${if def:tls_in_cipher } And the example LOGIN authenticator looks like this: @@ -5660,7 +5742,7 @@ # server_set_id = $auth1 # server_prompts = <| Username: | Password: # server_condition = Authentication is not yet configured -# server_advertise_condition = ${if def:tls_cipher } +# server_advertise_condition = ${if def:tls_in_cipher } The server_set_id option makes Exim remember the authenticated username in $authenticated_id, which can be used later in ACLs or routers. The @@ -6357,7 +6439,7 @@ list. A third pseudo-type is CSA (Client SMTP Authorization). This looks up SRV -records according to the CSA rules, which are described in section 42.48. +records according to the CSA rules, which are described in section 42.49. Although dnsdb supports SRV lookups directly, this is not sufficient because of the extra parent domain search behaviour of CSA. The result of a successful lookup such as: 
@@ -6368,6 +6450,12 @@ The authorization code can be "Y" for yes, "N" for no, "X" for explicit authorization required but absent, or "?" for unknown. +The pseudo-type A+ performs an A6 lookup (if configured) followed by an AAAA +and then an A lookup. All results are returned; defer processing (see below) is +handled separately for each lookup. Example: + +${lookup dnsdb {>; a+=$sender_helo_name}} + 9.12 Multiple dnsdb lookups --------------------------- @@ -6921,7 +7009,7 @@ In a list, the syntax is similar. For example: -domainlist relay_domains = sqlite;/some/thing/sqlitedb \ +domainlist relay_to_domains = sqlite;/some/thing/sqlitedb \ select * from relays where ip='$sender_host_address'; The only character affected by the quote_sqlite operator is a single quote, @@ -6994,13 +7082,13 @@ subject having matched any of the patterns, it is in the set if the last item was a negative one, but not if it was a positive one. For example, the list in -domainlist relay_domains = !a.b.c : *.b.c +domainlist relay_to_domains = !a.b.c : *.b.c matches any domain ending in .b.c except for a.b.c. Domains that match neither a.b.c nor *.b.c do not match, because the last item in the list is positive. However, if the setting were -domainlist relay_domains = !a.b.c +domainlist relay_to_domains = !a.b.c then all domains other than a.b.c would match because the last item in the list is negative. In other words, a list that ends with a negative item behaves as @@ -7098,7 +7186,7 @@ Then there follows the name that you are defining, followed by an equals sign and the list itself. For example: -hostlist relay_hosts = 192.168.23.0/24 : my.friend.example +hostlist relay_from_hosts = 192.168.23.0/24 : my.friend.example addresslist bad_senders = cdb;/etc/badsenders A named list may refer to other named lists: 
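Review bot: in the @@ -6368 hunk the A+ description says "defer processing (see below) is handled separately for each lookup" but not what the combined result is when one step defers and another succeeds: does the lookup as a whole defer, or return the partial set with the deferred step dropped? Spell that out, since a caller testing the result for emptiness behaves differently in the two cases. The example "${lookup dnsdb {>; a+=$sender_helo_name}}" keys on a client-controlled value and can issue up to three queries (a6, aaaa, a) per call; fine as an illustration, but worth a word here or next to NewStuff item 13.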
@@ -7516,7 +7604,7 @@ There are several types of pattern that require Exim to know the name of the remote host. These are either wildcard patterns or lookups by name. (If a complete hostname is given without any wildcarding, it is used to find an IP -address to match against, as described in the section 10.11 above.) +address to match against, as described in section 10.11 above.) If the remote host name is not already known when Exim encounters one of these patterns, it has to be found from the IP address. Although many sites on the @@ -7584,10 +7672,12 @@ Note: This section applies to permanent lookup failures. It does not apply to temporary DNS errors, whose handling is described in the next section. -By default, Exim behaves as if the host does not match the list. This may not -always be what you want to happen. To change Exim's behaviour, the special -items "+include_unknown" or "+ignore_unknown" may appear in the list (at top -level - they are not recognized in an indirected file). +Exim parses a host list from left to right. If it encounters a permanent lookup +failure in any item in the host list before it has found a match, Exim treats +it as a failure and the default behavior is as if the host does not match the +list. This may not always be what you want to happen. To change Exim's +behaviour, the special items "+include_unknown" or "+ignore_unknown" may appear +in the list (at top level - they are not recognized in an indirected file). * If any item that follows "+include_unknown" requires information that cannot found, Exim behaves as if the host does match the list. For example, 
@@ -7611,6 +7701,31 @@ Both "+include_unknown" and "+ignore_unknown" may appear in the same list. The effect of each one lasts until the next, or until the end of the list. +To explain the host/ip processing logic a different way for the same ACL: + + * If you have name lookups or wildcarded host names and IP addresses in the + same host list, you should normally put the IP addresses first. For + example, in an ACL you could have: + + accept hosts = 10.9.8.7 : *.friend.example + + The reason you normally would order it this way lies in the left-to-right + way that Exim processes lists. It can test IP addresses without doing any + DNS lookups, but when it reaches an item that requires a host name, it + fails if it cannot find a host name to compare with the pattern. If the + above list is given in the opposite order, the accept statement fails for a + host whose name cannot be found, even if its IP address is 10.9.8.7. + + * If you really do want to do the name check first, and still recognize the + IP address, you can rewrite the ACL like this: + + accept hosts = *.friend.example + accept hosts = 10.9.8.7 + + If the first accept fails, Exim goes on to try the second one. See chapter + 42 for details of ACLs. Alternatively, you can use "+ignore_unknown", which + was discussed in depth in the first example in this section. + 10.15 Temporary DNS errors when looking up host information ----------------------------------------------------------- @@ -7665,7 +7780,7 @@ operator. If the query contains a reference to $sender_host_name, Exim automatically -looks up the host name if has not already done so. (See section 10.13 for +looks up the host name if it has not already done so. (See section 10.13 for comments on finding host names.) Historical note: prior to release 4.30, Exim would always attempt to find a 
@@ -7842,7 +7957,7 @@ breaks. White space surrounding the colons is ignored. For example: aol.com: spammer1 : spammer2 : ^[0-9]+$ : - spammer3 : spammer4 + spammer3 : spammer4 As in all colon-separated lists in Exim, a colon can be included in an item by doubling. @@ -8069,6 +8184,19 @@ This item inserts "basic" header lines. It is described with the header expansion item below. +${acl{}{}...} + + The name and zero to nine argument strings are first expanded separately. + The expanded arguments are assigned to the variables $acl_arg1 to $acl_arg9 + in order. Any unused are made empty. The variable $acl_narg is set to the + number of arguments. The named ACL (see chapter 42) is called and may use + the variables; if another acl expansion is used the values are restored + after it returns. If the ACL sets a value using a "message =" modifier and + returns accept or deny, the value becomes the result of the expansion. If + no message is set and the ACL returns accept or deny the expansion result + is an empty string. If the ACL returns defer the result is a forced-fail. + Otherwise the expansion fails. + ${dlfunc{}{}{}{}...} This expansion dynamically loads and then calls a locally-written C @@ -8487,7 +8615,7 @@ absent, it defaults to 0. The result of the expansion is a prvs-signed email address, to be typically used with the return_path option on an smtp transport as part of a bounce address tag validation (BATV) scheme. For - more discussion and an example, see section 42.49. + more discussion and an example, see section 42.50. ${prvscheck{
}{}{}} @@ -8513,7 +8641,7 @@ All three variables can be used in the expansion of the third argument. However, once the expansion is complete, only $prvscheck_result remains - set. For more discussion and an example, see section 42.49. + set. For more discussion and an example, see section 42.50. ${readfile{}{}} @@ -8639,6 +8767,18 @@ command does not succeed. If both strings are omitted, the result is contents of the standard output/error on success, and nothing on failure. + The standard output/error of the command is put in the variable $value. In + this ACL example, the output of a command is logged for the admin to + troubleshoot: + + warn condition = ${run{/usr/bin/id}{yes}{no}} + log_message = Output of id: $value + + If the command requires shell idioms, such as the > redirect operator, the + shell must be invoked directly, such as with: + + ${run{/bin/bash -c "/usr/bin/id >/tmp/id"}{yes}{yes}} + The return code from the command is put in the variable $runrc, and this remains set afterwards, so in a filter file you can do things like this: @@ -8783,6 +8923,29 @@ address. See the filter, map, and reduce items for ways of processing lists. + To clarify "list of addresses in RFC 2822 format" mentioned above, Exim + follows a strict interpretation of header line formatting. Exim parses the + bare, unquoted portion of an email address and if it finds a comma, treats + it as an email address seperator. For the example header line: + + 
From: =?iso-8859-2?Q?Last=2C_First?= + + The first example below demonstrates that Q-encoded email addresses are + parsed properly if it is given the raw header (in this example, + "$rheader_from:"). It does not see the comma because it's still encoded as + "=2C". The second example below is passed the contents of "$header_from:", + meaning it gets de-mimed. Exim sees the decoded "," so it treats it as two + email addresses. The third example shows that the presence of a comma is + skipped when it is quoted. + + # exim -be '${addresses:From: \ + =?iso-8859-2?Q?Last=2C_First?= }' + user@example.com + # exim -be '${addresses:From: Last, First }' + Last:user@example.com + # exim -be '${addresses:From: "Last, First" }' + user@example.com + ${base62:} The string must consist entirely of decimal digits. The number is converted @@ -8915,6 +9078,13 @@ can be useful for processing the output of the MD5 and SHA-1 hashing functions. +${hexquote:} + + This operator converts non-printable characters in a string into a hex + escape form. Byte values between 33 (!) and 126 (~) inclusive are left as + is, and other byte values are converted to "\xNN", for example a byte value + 127 is converted to "\x7f". + ${lc:} This forces the letters in the string into lower-case, for example: 
@@ -8933,6 +9103,19 @@ length is not the same as strlen. The abbreviation l can be used when length is used as an operator. +${listcount:} + + The string is interpreted as a list and the number of items is returned. + +${listnamed:} and ${listnamed_:} + + The name is interpreted as a named list and the content of the list is + returned, expanding any referenced lists, re-quoting as needed for + colon-separation. If the optional type is given it must be one of "a", "d", + "h" or "l" and selects address-, domain-, host- or localpart- lists to + search among respectively. Otherwise all types are searched in an undefined + order and the first matching list is returned. + ${local_part:} The string is interpreted as an RFC 2822 address and the local part is @@ -9022,14 +9205,11 @@ This operator returns a somewhat random number which is less than the supplied number and is at least 0. The quality of this randomness depends on how Exim was built; the values are not suitable for keying material. If - Exim is linked against OpenSSL then RAND_pseudo_bytes() is used. - - If Exim is linked against GnuTLS then gnutls_rnd(GNUTLS_RND_NONCE) is used, - for versions of GnuTLS with that function. - - Otherwise, the implementation may be arc4random(), random() seeded by - srandomdev() or srandom(), or a custom implementation even weaker than - random(). + Exim is linked against OpenSSL then RAND_pseudo_bytes() is used. If Exim is + linked against GnuTLS then gnutls_rnd(GNUTLS_RND_NONCE) is used, for + versions of GnuTLS with that function. Otherwise, the implementation may be + arc4random(), random() seeded by srandomdev() or srandom(), or a custom + implementation even weaker than random(). ${reverse_ip:} 
@@ -9039,12 +9219,12 @@ for DNS. For example, ${reverse_ip:192.0.2.4} - ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.3} + ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.127} returns 4.2.0.192 - 3.0.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2 + f.7.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2 ${rfc2047:} @@ -9166,14 +9346,27 @@ Note that the general negation operator provides for inequality testing. The two strings must take the form of optionally signed decimal integers, - optionally followed by one of the letters "K" or "M" (in either upper or - lower case), signifying multiplication by 1024 or 1024*1024, respectively. - As a special case, the numerical value of an empty string is taken as zero. + optionally followed by one of the letters "K", "M" or "G" (in either upper + or lower case), signifying multiplication by 1024, 1024*1024 or + 1024*1024*1024, respectively. As a special case, the numerical value of an + empty string is taken as zero. In all cases, a relative comparator OP is testing if OP ; the above example is checking if $message_size is larger than 10M, not if 10M is larger than $message_size. +acl {{}{}{}...} + + The name and zero to nine argument strings are first expanded separately. + The expanded arguments are assigned to the variables $acl_arg1 to $acl_arg9 + in order. Any unused are made empty. The variable $acl_narg is set to the + number of arguments. The named ACL (see chapter 42) is called and may use + the variables; if another acl expansion is used the values are restored + after it returns. If the ACL sets a value using a "message =" modifier the + variable $value becomes the result of the expansion, otherwise it is empty. + If the ACL returns accept the condition is true; if deny, false. If the ACL + returns defer the result is a forced-fail. + bool {} This condition turns a string holding a true or false representation into a 
@@ -9338,6 +9531,8 @@ The value of $item is saved and restored while forany or forall is being processed, to enable these expansion items to be nested. + To scan a named list, expand it with the listnamed operator. + ge {}{}, gei {}{} The two substrings are first expanded. The condition is true if the first @@ -9812,6 +10007,16 @@ login name of the calling process. However, a trusted user can override this by means of the -oMai command line option. +$authenticated_fail_id + + When an authentication attempt fails, the variable $authenticated_fail_id + will contain the failed authentication id. If more than one authentication + id is attempted, it will contain only the last one. The variable is + available for processing in the ACL's, generally the quit or notquit ACL. A + message to a local recipient could still be accepted without requiring + authentication, which means this variable could also be visible in all of + the ACL's as well. + $authenticated_sender When acting as a server, Exim takes note of the AUTH= parameter on an @@ -9906,7 +10111,7 @@ When a DNS (black) list lookup succeeds, these variables are set to contain the following data from the lookup: the list's domain name, the key that was looked up, the contents of any associated TXT record, and the value - from the main A record. See section 42.30 for more details. + from the main A record. See section 42.31 for more details. $domain @@ -9992,6 +10197,12 @@ must be terminated by colon or white space, because it may contain a wide variety of characters. Note also that braces must not be used. +$headers_added + + Within an ACL this variable contains the headers added so far by the ACL + modifier add_header (section 42.23). The headers are a newline-separated + list. + $home When the check_local_user option is set for a router, the user's home 
@@ -10421,17 +10632,17 @@ $prvscheck_address This variable is used in conjunction with the prvscheck expansion item, - which is described in sections 11.5 and 42.49. + which is described in sections 11.5 and 42.50. $prvscheck_keynum This variable is used in conjunction with the prvscheck expansion item, - which is described in sections 11.5 and 42.49. + which is described in sections 11.5 and 42.50. $prvscheck_result This variable is used in conjunction with the prvscheck expansion item, - which is described in sections 11.5 and 42.49. + which is described in sections 11.5 and 42.50. $qualify_domain @@ -10613,6 +10824,10 @@ This is an obsolete name for $bounce_return_size_limit. +$router_name + + During the running of a router this variable contains its name. + $runrc This variable contains the return code from a command that is run by the $ @@ -10704,6 +10919,27 @@ was received. It is empty if there was no successful authentication. See also $authenticated_id. +$sender_host_dnssec + + If $sender_host_name has been populated (by reference, hosts_lookup or + otherwise) then this boolean will have been set true if, and only if, the + resolver library states that the reverse DNS was authenticated data. At all + other times, this variable is false. + + It is likely that you will need to coerce DNSSEC support on in the resolver + library, by setting: + + dns_use_dnssec = 1 + + Exim does not perform DNSSEC validation itself, instead leaving that to a + validating resolver (eg, unbound, or bind with suitable configuration). + + Exim does not (currently) check to see if the forward DNS was also secured + with DNSSEC, only the reverse DNS. + + If you have changed host_lookup_order so that "bydns" is not the first + mechanism in the list, then this variable will be false. + $sender_host_name When a message is received from a remote host, this variable contains the 
@@ -10769,7 +11005,7 @@ $sender_rate_xxx A number of variables whose names begin $sender_rate_ are set as part of - the ratelimit ACL condition. Details are given in section 42.36. + the ratelimit ACL condition. Details are given in section 42.37. $sender_rcvhost 
@@ -10896,20 +11132,39 @@ command, which can be found in the separate document entitled Exim's interfaces to mail filtering. -$tls_bits +$tls_in_bits + + Contains an approximation of the TLS cipher's bit-strength on the inbound + connection; the meaning of this depends upon the TLS implementation used. + If TLS has not been negotiated, the value will be 0. The value of this is + automatically fed into the Cyrus SASL authenticator when acting as a + server, to specify the "external SSF" (a SASL term). + + The deprecated $tls_bits variable refers to the inbound side except when + used in the context of an outbound SMTP delivery, when it refers to the + outbound. + +$tls_out_bits - Contains an approximation of the TLS cipher's bit-strength; the meaning of - this depends upon the TLS implementation used. If TLS has not been - negotiated, the value will be 0. The value of this is automatically fed - into the Cyrus SASL authenticator when acting as a server, to specify the - "external SSF" (a SASL term). + Contains an approximation of the TLS cipher's bit-strength on an outbound + SMTP connection; the meaning of this depends upon the TLS implementation + used. If TLS has not been negotiated, the value will be 0. -$tls_certificate_verified +$tls_in_certificate_verified This variable is set to "1" if a TLS certificate was verified when the message was received, and "0" otherwise. -$tls_cipher + The deprecated $tls_certificate_verfied variable refers to the inbound side + except when used in the context of an outbound SMTP delivery, when it + refers to the outbound. + +$tls_out_certificate_verified + + This variable is set to "1" if a TLS certificate was verified when an + outbound SMTP connection was made, and "0" otherwise. + +$tls_in_cipher When a message is received from a remote host over an encrypted SMTP connection, this variable is set to the cipher suite that was negotiated, 
@@ -10918,23 +11173,36 @@ Testing $tls_cipher for emptiness is one way of distinguishing between encrypted and non-encrypted connections during ACL processing. - The $tls_cipher variable retains its value during message delivery, except - when an outward SMTP delivery takes place via the smtp transport. In this - case, $tls_cipher is cleared before any outgoing SMTP connection is made, - and then set to the outgoing cipher suite if one is negotiated. See chapter - 41 for details of TLS support and chapter 30 for details of the smtp + The deprecated $tls_cipher variable is the same as $tls_in_cipher during + message reception, but in the context of an outward SMTP delivery taking + place via the smtp transport becomes the same as $tls_out_cipher. + +$tls_out_cipher + + This variable is cleared before any outgoing SMTP connection is made, and + then set to the outgoing cipher suite if one is negotiated. See chapter 41 + for details of TLS support and chapter 30 for details of the smtp transport. -$tls_peerdn +$tls_in_peerdn When a message is received from a remote host over an encrypted SMTP connection, and Exim is configured to request a certificate from the client, the value of the Distinguished Name of the certificate is made - available in the $tls_peerdn during subsequent processing. Like $tls_cipher - , the value is retained during message delivery, except during outbound - SMTP deliveries. + available in the $tls_in_peerdn during subsequent processing. -$tls_sni + The deprecated $tls_peerdn variable refers to the inbound side except when + used in the context of an outbound SMTP delivery, when it refers to the + outbound. + +$tls_out_peerdn + + When a message is being delivered to a remote host over an encrypted SMTP + connection, and Exim is configured to request a certificate from the + server, the value of the Distinguished Name of the certificate is made + available in the $tls_out_peerdn during subsequent processing. 
+ +$tls_in_sni When a TLS session is being established, if the client sends the Server Name Indication extension, the value will be placed in this variable. If @@ -10943,9 +11211,14 @@ a different certificate to be presented (and optionally a different key to be used) to the client, based upon the value of the SNI extension. - The value will be retained for the lifetime of the message. During outbound - SMTP deliveries, it reflects the value of the tls_sni option on the - transport. + The deprecated $tls_sni variable refers to the inbound side except when + used in the context of an outbound SMTP delivery, when it refers to the + outbound. + +$tls_out_sni + + During outbound SMTP deliveries, this variable reflects the value of the + tls_sni option on the transport. $tod_bsdinbox @@ -10989,6 +11262,10 @@ This variable contains the UTC date and time in "Zulu" format, as specified by ISO 8601, for example: 20030221154023Z. +$transport_name + + During the running of a transport, this variable contains its name. + $value This variable contains the result of an expansion lookup, extraction @@ -11371,7 +11648,7 @@ To specify listening on the default port on specific interfaces only: -local_interfaces = 192.168.34.67 : 192.168.34.67 +local_interfaces = 10.0.0.67 : 192.168.34.67 Warning: Such a setting excludes listening on the loopback interfaces. 
@@ -11647,20 +11924,21 @@ 14.13 TLS --------- -gnutls_compat_mode use GnuTLS compatibility mode -openssl_options adjust OpenSSL compatibility options -tls_advertise_hosts advertise TLS to these hosts -tls_certificate location of server certificate -tls_crl certificate revocation list -tls_dh_max_bits clamp D-H bit count suggestion -tls_dhparam DH parameters for server -tls_on_connect_ports specify SSMTP (SMTPS) ports -tls_privatekey location of server private key -tls_remember_esmtp don't reset after starting TLS -tls_require_ciphers specify acceptable ciphers -tls_try_verify_hosts try to verify client certificate -tls_verify_certificates expected client certificates -tls_verify_hosts insist on client certificate verify +gnutls_compat_mode use GnuTLS compatibility mode +gnutls_allow_auto_pkcs11 allow GnuTLS to autoload PKCS11 modules +openssl_options adjust OpenSSL compatibility options +tls_advertise_hosts advertise TLS to these hosts +tls_certificate location of server certificate +tls_crl certificate revocation list +tls_dh_max_bits clamp D-H bit count suggestion +tls_dhparam DH parameters for server +tls_on_connect_ports specify SSMTP (SMTPS) ports +tls_privatekey location of server private key +tls_remember_esmtp don't reset after starting TLS +tls_require_ciphers specify acceptable ciphers +tls_try_verify_hosts try to verify client certificate +tls_verify_certificates expected client certificates +tls_verify_hosts insist on client certificate verify 14.14 Local user handling @@ -11783,6 +12061,7 @@ dns_ipv4_lookup only v4 lookup for these domains dns_retrans parameter for resolver dns_retry parameter for resolver +dns_use_dnssec parameter for resolver dns_use_edns0 parameter for resolver hold_domains hold delivery for these domains local_interfaces for routing checks 
@@ -11841,6 +12120,10 @@ http://cr.yp.to/smtp/8bitmime.html +To log received 8BITMIME status use + +log_selector = +8bitmime + +------------+---------+-------------+--------------+ |acl_not_smtp|Use: main|Type: string*|Default: unset| +------------+---------+-------------+--------------+ @@ -12051,9 +12334,9 @@ encrypted using TLS, you can make use of the fact that the value of this option is expanded, with a setting like this: -auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}} +auth_advertise_hosts = ${if eq{$tls_in_cipher}{}{}{*}} -If $tls_cipher is empty, the session is not encrypted, and the result of the +If $tls_in_cipher is empty, the session is not encrypted, and the result of the expansion is empty, thus matching no hosts. Otherwise, the result of the expansion is *, which matches all hosts. 
@@ -12167,32 +12450,32 @@ +------------------------------+---------+----------+-----------+ This option specifies the expiry time for negative callout cache data for a -domain. See section 42.43 for details of callout verification, and section -42.45 for details of the caching. +domain. See section 42.44 for details of callout verification, and section +42.46 for details of the caching. +------------------------------+---------+----------+-----------+ |callout_domain_positive_expire|Use: main|Type: time|Default: 7d| +------------------------------+---------+----------+-----------+ This option specifies the expiry time for positive callout cache data for a -domain. See section 42.43 for details of callout verification, and section -42.45 for details of the caching. +domain. See section 42.44 for details of callout verification, and section +42.46 for details of the caching. +-----------------------+---------+----------+-----------+ |callout_negative_expire|Use: main|Type: time|Default: 2h| +-----------------------+---------+----------+-----------+ This option specifies the expiry time for negative callout cache data for an -address. See section 42.43 for details of callout verification, and section -42.45 for details of the caching. +address. See section 42.44 for details of callout verification, and section +42.46 for details of the caching. +-----------------------+---------+----------+------------+ |callout_positive_expire|Use: main|Type: time|Default: 24h| +-----------------------+---------+----------+------------+ This option specifies the expiry time for positive callout cache data for an -address. See section 42.43 for details of callout verification, and section -42.45 for details of the caching. +address. See section 42.44 for details of callout verification, and section +42.46 for details of the caching. +-------------------------+---------+-------------+------------------+ |callout_random_local_part|Use: main|Type: string*|Default: see below| 
@@ -12203,7 +12486,7 @@ $primary_hostname-$tod_epoch-testing -See section 42.44 for details of how this value is used. +See section 42.45 for details of how this value is used. +----------------+---------+-------------+----------+ |check_log_inodes|Use: main|Type: integer|Default: 0| @@ -12450,7 +12733,7 @@ +--------------------+---------+-------------+----------+ This option controls the depth of parental searching for CSA SRV records in the -DNS, as described in more detail in section 42.48. +DNS, as described in more detail in section 42.49. +-------------------+---------+-------------+-------------+ |dns_csa_use_reverse|Use: main|Type: boolean|Default: true| @@ -12458,7 +12741,7 @@ This option controls whether or not an IP address, given as a CSA domain, is reversed and looked up in the reverse DNS, as described in more detail in -section 42.48. +section 42.49. +---------------+---------+------------------+--------------+ |dns_ipv4_lookup|Use: main|Type: domain list*|Default: unset| @@ -12492,6 +12775,16 @@ See dns_retrans above. ++--------------+---------+-------------+-----------+ +|dns_use_dnssec|Use: main|Type: integer|Default: -1| ++--------------+---------+-------------+-----------+ + +If this option is set to a non-negative number then Exim will initialise the +DNS resolver library to either use or not use DNSSEC, overriding the system +default. A value of 0 coerces DNSSEC off, a value of 1 coerces DNSSEC on. + +If the resolver library does not support DNSSEC then this option has no effect. + +-------------+---------+-------------+-----------+ |dns_use_edns0|Use: main|Type: integer|Default: -1| +-------------+---------+-------------+-----------+ 
@@ -12713,6 +13006,13 @@ server. This reduces security slightly, but improves interworking with older implementations of TLS. +option gnutls_allow_auto_pkcs11 main boolean unset This option will let GnuTLS +(2.12.0 or later) autoload PKCS11 modules with the p11-kit configuration files +in /etc/pkcs11/modules/. + +See http://www.gnutls.org/manual/gnutls.html#Smart-cards-and-HSMs for +documentation. + +---------------+---------+------------+------------------+ |headers_charset|Use: main|Type: string|Default: see below| +---------------+---------+------------+------------------+ @@ -13456,6 +13756,8 @@ * "no_tlsv1_2" + * "safari_ecdhe_ecdsa_bug" + * "single_dh_use" * "single_ecdh_use" @@ -13470,6 +13772,13 @@ * "tls_rollback_bug" +As an aside, the "safari_ecdhe_ecdsa_bug" item is a misnomer and affects all +clients connecting using the MacOS SecureTransport TLS facility prior to MacOS +10.8.4, including email clients. If you see old MacOS clients failing to +negotiate TLS then this option value might help, provided that your OpenSSL +release is new enough to contain this work-around. This may be a situation +where you have to upgrade OpenSSL to get buggy clients working. + +--------------+---------+-----------------+--------------+ |oracle_servers|Use: main|Type: string list|Default: unset| +--------------+---------+-----------------+--------------+ @@ -13795,7 +14104,7 @@ ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ by $primary_hostname \ ${if def:received_protocol {with $received_protocol}} \ - ${if def:tls_cipher {($tls_cipher)\n\t}}\ + ${if def:tls_in_cipher {($tls_in_cipher)\n\t}}\ (Exim $version_number)\n\t\ ${if def:sender_address \ {(envelope-from <$sender_address>)\n\t}}\ 
@@ -14035,9 +14344,9 @@ setting this option. The default value makes it apply to all hosts. By changing the value, you can exclude any badly-behaved hosts that you have to live with. -+---------------------------------+---------+-------------+-------------+ -|smtp_accept_max_per_ connection|Use: main|Type: integer|Default: 1000| -+---------------------------------+---------+-------------+-------------+ ++------------------------------+---------+-------------+-------------+ +|smtp_accept_max_per_connection|Use: main|Type: integer|Default: 1000| ++------------------------------+---------+-------------+-------------+ The value of this option limits the number of MAIL commands that Exim is prepared to accept over a single SMTP connection, whether or not each command @@ -14082,9 +14391,9 @@ queue_only, queue_only_load, queue_smtp_domains, and the various -odx command line options. -+-----------------------------------+---------+-------------+-----------+ -|smtp_accept_queue_per_ connection|Use: main|Type: integer|Default: 10| -+-----------------------------------+---------+-------------+-----------+ ++--------------------------------+---------+-------------+-----------+ +|smtp_accept_queue_per_connection|Use: main|Type: integer|Default: 10| ++--------------------------------+---------+-------------+-----------+ This option limits the number of delivery processes that Exim starts automatically when receiving messages via SMTP, whether via the daemon or by @@ -14281,7 +14590,7 @@ Exim has two rate-limiting facilities. This section describes the older facility, which can limit rates within a single connection. The newer ratelimit -ACL condition can limit rates across all connections. See section 42.36 for +ACL condition can limit rates across all connections. See section 42.37 for details of the newer facility. When a host matches smtp_ratelimit_hosts, the values of smtp_ratelimit_mail and 
@@ -14641,10 +14950,10 @@ use when sending messages as a client, you must set the tls_certificate option in the relevant smtp transport. -If the option contains $tls_sni and Exim is built against OpenSSL, then if the -OpenSSL build supports TLS extensions and the TLS client sends the Server Name -Indication extension, then this option and others documented in 41.10 will be -re-expanded. +If the option contains $tls_out_sni and Exim is built against OpenSSL, then if +the OpenSSL build supports TLS extensions and the TLS client sends the Server +Name Indication extension, then this option and others documented in 41.10 will +be re-expanded. +-------+---------+-------------+--------------+ |tls_crl|Use: main|Type: string*|Default: unset| @@ -14716,6 +15025,20 @@ Some of these will be too small to be accepted by clients. Some may be too large to be accepted by clients. +The TLS protocol does not negotiate an acceptable size for this; clients tend +to hard-drop connections if what is offered by the server is unacceptable, +whether too large or too small, and there's no provision for the client to tell +the server what these constraints are. Thus, as a server operator, you need to +make an educated guess as to what is most likely to work for your userbase. + +Some known size constraints suggest that a bit-size in the range 2048 to 2236 +is most likely to maximise interoperability. The upper bound comes from +applications using the Mozilla Network Security Services (NSS) library, which +used to set its "DH_MAX_P_BITS" upper-bound to 2236. This affects many mail +user agents (MUAs). The lower bound comes from Debian installs of Exim4 prior +to the 4.80 release, as Debian used to patch Exim to raise the minimum +acceptable bound from 1024 to 2048. + +--------------------+---------+-----------------+--------------+ |tls_on_connect_ports|Use: main|Type: string list|Default: unset| +--------------------+---------+-----------------+--------------+ 
@@ -14785,6 +15108,9 @@ See 41.10 for discussion of when this option might be re-expanded. +A forced expansion failure or setting to an empty string is equivalent to being +unset. + +----------------+---------+----------------+--------------+ |tls_verify_hosts|Use: main|Type: host list*|Default: unset| +----------------+---------+----------------+--------------+ @@ -15096,7 +15422,7 @@ If the result is any other value, the router is run (as this is the last precondition to be evaluated, all the other preconditions must be true). -This option is unique in that multiple condition options may be present. All +This option is unusual in that multiple condition options may be present. All condition options must succeed. The condition option provides a means of applying custom conditions to the 
@@ -15123,16 +15449,17 @@ |debug_print|Use: routers|Type: string*|Default: unset| +-----------+------------+-------------+--------------+ -If this option is set and debugging is enabled (see the -d command line -option), the string is expanded and included in the debugging output. If -expansion of the string fails, the error message is written to the debugging -output, and Exim carries on processing. This option is provided to help with -checking out the values of variables and so on when debugging router -configurations. For example, if a condition option appears not to be working, -debug_print can be used to output the variables it references. The output -happens after checks for domains, local_parts, and check_local_user but before -any other preconditions are tested. A newline is added to the text if it does -not end with one. +If this option is set and debugging is enabled (see the -d command line option) +or in address-testing mode (see the -bt command line option), the string is +expanded and included in the debugging output. If expansion of the string +fails, the error message is written to the debugging output, and Exim carries +on processing. This option is provided to help with checking out the values of +variables and so on when debugging router configurations. For example, if a +condition option appears not to be working, debug_print can be used to output +the variables it references. The output happens after checks for domains, +local_parts, and check_local_user but before any other preconditions are +tested. A newline is added to the text if it does not end with one. The +variable $router_name contains the name of the router. +---------------+------------+-------------+--------------+ |disable_logging|Use: routers|Type: boolean|Default: false| 
@@ -15284,6 +15611,9 @@ to fail, the option has no effect. Other expansion failures are treated as configuration errors. +Unlike most options, headers_add can be specified multiple times for a router; +all listed headers are added. + Warning 1: The headers_add option cannot be used for a redirect router that has the one_time option set. @@ -15313,6 +15643,9 @@ before transport. If the expansion is forced to fail, the option has no effect. Other expansion failures are treated as configuration errors. +Unlike most options, headers_remove can be specified multiple times for a +router; all listed headers are removed. + Warning 1: The headers_remove option cannot be used for a redirect router that has the one_time option set. @@ -15909,11 +16242,11 @@ |verify_only|Use: routers**|Type: boolean|Default: false| +-----------+--------------+-------------+--------------+ -If this option is set, the router is used only when verifying an address or -testing with the -bv option, not when actually doing a delivery, testing with -the -bt option, or running the SMTP EXPN command. It can be further restricted -to verifying only senders or recipients by means of verify_sender and -verify_recipient. +If this option is set, the router is used only when verifying an address, +delivering in cutthrough mode or testing with the -bv option, not when actually +doing a delivery, testing with the -bt option, or running the SMTP EXPN +command. It can be further restricted to verifying only senders or recipients +by means of verify_sender and verify_recipient. Warning: When the router is being run to verify addresses for an incoming SMTP message, Exim is not running as root, but under its own uid. If the router 
@@ -15925,8 +16258,9 @@ +----------------+--------------+-------------+-------------+ If this option is false, the router is skipped when verifying recipient -addresses or testing recipient verification using -bv. See section 3.12 for a -list of the order in which preconditions are evaluated. +addresses, delivering in cutthrough mode or testing recipient verification +using -bv. See section 3.12 for a list of the order in which preconditions are +evaluated. +-------------+--------------+-------------+-------------+ |verify_sender|Use: routers**|Type: boolean|Default: true| @@ -17187,6 +17521,16 @@ is interpreted as a pipe with a rather strange command name, and no arguments. + Note that the above example assumes that the text comes from a lookup + source of some sort, so that the quotes are part of the data. If composing + a redirect router with a data option directly specifying this command, the + quotes will be used by the configuration parser to define the extent of one + string, but will not be passed down into the redirect router itself. There + are two main approaches to get around this: escape quotes to be part of the + data itself, or avoid using this mechanism and instead create a custom + transport with the command option set and reference that transport from an + accept router. + * An item is interpreted as a path name if it begins with "/" and does not parse as a valid RFC 2822 address that includes a domain. For example, @@ -18100,6 +18444,9 @@ working properly, debug_print could be used to output the variables it references. A newline is added to the text if it does not end with one. +The variables $transport_name and $router_name contain the name of the +transport and the router that called it. + +-----------------+---------------+-------------+--------------+ |delivery_date_add|Use: transports|Type: boolean|Default: false| +-----------------+---------------+-------------+--------------+ 
@@ -18149,6 +18496,9 @@ is taken. Other expansion failures are treated as errors and cause the delivery to be deferred. +Unlike most options, headers_add can be specified multiple times for a +transport; all listed headers are added. + +------------+---------------+-------------+--------------+ |headers_only|Use: transports|Type: boolean|Default: false| +------------+---------------+-------------+--------------+ @@ -18169,6 +18519,9 @@ fail, no action is taken. Other expansion failures are treated as errors and cause the delivery to be deferred. +Unlike most options, headers_remove can be specified multiple times for a +router; all listed headers are added. + +---------------+---------------+------------+--------------+ |headers_rewrite|Use: transports|Type: string|Default: unset| +---------------+---------------+------------+--------------+ @@ -18455,7 +18808,7 @@ |transport_filter_timeout|Use: transports|Type: time|Default: 5m| +------------------------+---------------+----------+-----------+ -When Exim is reading the output of a transport filter, it a applies a timeout +When Exim is reading the output of a transport filter, it applies a timeout that can be set by this option. Exceeding the timeout is normally treated as a temporary delivery failure. However, if a transport filter is used with a pipe transport, a timeout in the transport filter is treated in the same way as a 
@@ -20054,10 +20407,10 @@ * A router redirects an address directly to a pipe command (for example, from an alias or forward file). In this case, $address_pipe contains the text of - the pipe command, and the command option on the transport is ignored. If - only one address is being transported (batch_max is not greater than one, - or only one address was redirected to this pipe command), $local_part - contains the local part that was redirected. + the pipe command, and the command option on the transport is ignored unless + force_command is set. If only one address is being transported (batch_max + is not greater than one, or only one address was redirected to this pipe + command), $local_part contains the local part that was redirected. The pipe transport is a non-interactive delivery method. Exim can also deliver messages over pipes using the LMTP interactive protocol. This is implemented by @@ -20156,6 +20509,15 @@ any problems with spaces or shell metacharacters, and is of use when a pipe transport is handling groups of addresses in a batch. +If force_command is enabled on the transport, Special handling takes place for +an argument that consists of precisely the text "$address_pipe". It is handled +similarly to $pipe_addresses above. It is expanded and each argument is +inserted in the argument list at that point as a separate argument. The +"$address_pipe" item does not need to be the only item in the argument; in +fact, if it were then force_command should behave as a no-op. Rather, it should +be used to adjust the command run while preserving the argument vector +separation. + After splitting up into arguments and expansion, the resulting command is run in a subprocess directly from the transport, not under a shell. The message that is being delivered is supplied on the standard input, and the standard 
@@ -20310,6 +20672,22 @@ in Exim's queue instead. +-------------+---------+-------------+--------------+ +|force_command|Use: pipe|Type: boolean|Default: false| ++-------------+---------+-------------+--------------+ + +Normally when a router redirects an address directly to a pipe command the +command option on the transport is ignored. If force_command is set, the +command option will used. This is especially useful for forcing a wrapper or +additional argument to be added to the command. For example: + +command = /usr/bin/remote_exec myhost -- $address_pipe +force_command + +Note that $address_pipe is handled specially in command when force_command is +set, expanding out to the original argument vector as separate items, similarly +to a Unix shell ""$@"" construct. + ++-------------+---------+-------------+--------------+ |ignore_status|Use: pipe|Type: boolean|Default: false| +-------------+---------+-------------+--------------+ @@ -20680,6 +21058,9 @@ the values that are in force when any authenticators are run and when the authenticated_sender option is expanded. +These variables are deprecated in favour of $tls_in_cipher et. al. and will be +removed in a future release. + 30.4 Private options for smtp ----------------------------- @@ -20720,8 +21101,8 @@ ignored. The expansion happens after the outgoing connection has been made and TLS -started, if required. This means that the $host, $host_address, $tls_cipher, -and $tls_peerdn variables are set according to the particular connection. +started, if required. This means that the $host, $host_address, $tls_out_cipher +, and $tls_out_peerdn variables are set according to the particular connection. If the SMTP session is not authenticated, the expansion of authenticated_sender still happens (and can cause the delivery to be deferred if it fails), but no 
@@ -20822,6 +21203,22 @@ option is false, the RES_DNSRCH resolver option is set. See the search_parents option in chapter 17 for more details. ++----+---------+-------------+--------------+ +|dscp|Use: smtp|Type: string*|Default: unset| ++----+---------+-------------+--------------+ + +This option causes the DSCP value associated with a socket to be set to one of +a number of fixed strings or to numeric value. The -bI:dscp option may be used +to ask Exim which names it knows of. Common values include "throughput", +"mincost", and on newer systems "ef", "af41", etc. Numeric values may be in the +range 0 to 0x3F. + +The outbound packets from Exim will be marked with this value in the header +(for IPv4, the TOS field; for IPv6, the TCLASS field); there is no guarantee +that these values will have any effect, not be stripped by networking +equipment, or do much of anything without cooperation with your Network +Engineer and those of all network operators between the source and destination. + +--------------+---------+-----------------+--------------+ |fallback_hosts|Use: smtp|Type: string list|Default: unset| +--------------+---------+-----------------+--------------+ @@ -20961,6 +21358,14 @@ Exim will not try to start a TLS session when delivering to any host that matches this list. See chapter 41 for details of TLS. ++----------------------+---------+----------------+----------+ +|hosts_verify_avoid_tls|Use: smtp|Type: host list*|Default: *| ++----------------------+---------+----------------+----------+ + +Exim will not try to start a TLS session for a verify callout, or when +delivering in cutthrough mode, to any host that matches this list. Note that +the default is to not use TLS. + +-------------+---------+-------------+----------+ |hosts_max_try|Use: smtp|Type: integer|Default: 5| +-------------+---------+-------------+----------+ 
@@ -21220,6 +21625,17 @@ This option specifies a certificate revocation list. The expanded value must be the name of a file that contains a CRL in PEM format. ++---------------+---------+-------------+-------------+ +|tls_dh_min_bits|Use: smtp|Type: integer|Default: 1024| ++---------------+---------+-------------+-------------+ + +When establishing a TLS session, if a ciphersuite which uses Diffie-Hellman key +agreement is negotiated, the server will provide a large prime number for use. +This option establishes the minimum acceptable size of that number. If the +parameter offered by the server is too small, then the TLS handshake will fail. + +Only supported when using GnuTLS. + +--------------+---------+-------------+--------------+ |tls_privatekey|Use: smtp|Type: string*|Default: unset| +--------------+---------+-------------+--------------+ @@ -21248,14 +21664,15 @@ |tls_sni|Use: smtp|Type: string*|Default: unset| +-------+---------+-------------+--------------+ -If this option is set then it sets the $tls_sni variable and causes any TLS +If this option is set then it sets the $tls_out_sni variable and causes any TLS session to pass this value as the Server Name Indication extension to the remote side, which can be used by the remote side to select an appropriate certificate and private key for the session. See 41.10 for more information. -OpenSSL only, also requiring a build of OpenSSL that supports TLS extensions. +Note that for OpenSSL, this feature requires a build of OpenSSL that supports +TLS extensions. +---------------------+---------+-------------+-------------+ |tls_tempfail_tryclear|Use: smtp|Type: boolean|Default: true| 
@@ -21867,9 +22284,9 @@ applies only to temporary failures involving the local part alice. In practice, almost all rules start with a domain name pattern without a local part. -Warning: If you use a regular expression in a routing rule pattern, it must -match a complete address, not just a domain, because that is how regular -expressions work in address lists. +Warning: If you use a regular expression in a retry rule pattern, it must match +a complete address, not just a domain, because that is how regular expressions +work in address lists. ^\Nxyz\d+\.abc\.example$\N * G,1h,10m,2 Wrong ^\N[^@]+@xyz\d+\.abc\.example$\N * G,1h,10m,2 Right 
@@ -22377,17 +22794,15 @@ in Local/Makefile, respectively. The first of these supports the CRAM-MD5 authentication mechanism (RFC 2195), and the second provides an interface to -the Cyrus SASL authentication library. - -The third is an interface to Dovecot's authentication system, delegating the -work via a socket interface. The fourth provides an interface to the GNU SASL -authentication library, which provides mechanisms but typically not data -sources. The fifth provides direct access to Heimdal GSSAPI, geared for -Kerberos, but supporting setting a server keytab. The sixth can be configured -to support the PLAIN authentication mechanism (RFC 2595) or the LOGIN -mechanism, which is not formally documented, but used by several MUAs. The -seventh authenticator supports Microsoft's Secure Password Authentication -mechanism. +the Cyrus SASL authentication library. The third is an interface to Dovecot's +authentication system, delegating the work via a socket interface. The fourth +provides an interface to the GNU SASL authentication library, which provides +mechanisms but typically not data sources. The fifth provides direct access to +Heimdal GSSAPI, geared for Kerberos, but supporting setting a server keytab. +The sixth can be configured to support the PLAIN authentication mechanism (RFC +2595) or the LOGIN mechanism, which is not formally documented, but used by +several MUAs. The seventh authenticator supports Microsoft's Secure Password +Authentication mechanism. The authenticators are configured using the same syntax as other drivers (see section 6.22). If no authenticators are required, no authentication section 
@@ -22453,11 +22868,15 @@ example, to skip plain text authenticators when the connection is not encrypted by a setting such as: -client_condition = ${if !eq{$tls_cipher}{}} +client_condition = ${if !eq{$tls_out_cipher}{}} + ++-------------+-------------------+-------------+--------------+ +|client_set_id|Use: authenticators|Type: string*|Default: unset| ++-------------+-------------------+-------------+--------------+ -(Older documentation incorrectly states that $tls_cipher contains the cipher -used for incoming messages. In fact, during SMTP delivery, it contains the -cipher used for the delivery.) +When client authentication succeeds, this condition is expanded; the result is +used in the log lines for outbound messasges. Typically it will be the user +name used for authentication. +------+-------------------+------------+--------------+ |driver|Use: authenticators|Type: string|Default: unset| @@ -22615,9 +23034,9 @@ advertisement of a particular mechanism to encrypted connections, by a setting such as: -server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}} +server_advertise_condition = ${if eq{$tls_in_cipher}{}{no}{yes}} -If the session is encrypted, $tls_cipher is not empty, and so the expansion +If the session is encrypted, $tls_in_cipher is not empty, and so the expansion yields "yes", which allows the advertisement to happen. When an Exim server receives an AUTH command from a client, it rejects it 
@@ -22804,7 +23223,8 @@ authentication fails. If the result of the expansion is "1", "yes", or "true", authentication succeeds and the generic server_set_id option is expanded and saved in $authenticated_id. For any other result, a temporary error code is -returned, with the expanded string as the error text. +returned, with the expanded string as the error text , and the failed id saved +in $authenticated_fail_id. Warning: If you use a lookup in the expansion to find the user's password, be sure to make the authentication fail if the user is unknown. There are good and @@ -23616,7 +24036,7 @@ * Distinguished Name (DN) strings reported by the OpenSSL library use a slash for separating fields; GnuTLS uses commas, in accordance with RFC 2253. - This affects the value of the $tls_peerdn variable. + This affects the value of the $tls_in_peerdn and $tls_out_peerdn variables. * OpenSSL identifies cipher suites using hyphens as separators, for example: DES-CBC3-SHA. GnuTLS historically used underscores, for example: @@ -23630,6 +24050,11 @@ * The tls_require_ciphers options operate differently, as described in the sections 41.4 and 41.5. + * The tls_dh_min_bits SMTP transport option is only honoured by GnuTLS. When + using OpenSSL, this option is ignored. (If an API is found to let OpenSSL + be configured in this way, let the Exim Maintainers know and we'll likely + use it). + * Some other recently added features may only be available in one or the other. This should be documented with the feature. If the documentation does not explicitly state that the feature is infeasible in the other TLS 
@@ -23793,11 +24218,10 @@ feature enhancements of GnuTLS. Documentation of the strings accepted may be found in the GnuTLS manual, under -"Priority strings". This is online as http://www.gnu.org/software/gnutls/manual -/html_node/Priority-Strings.html, but beware that this relates to GnuTLS 3, -which may be newer than the version installed on your system. If you are using -GnuTLS 3, then the example code on that site can be used to test a given -string. +"Priority strings". This is online as http://www.gnutls.org/manual/html_node/ +Priority-Strings.html, but beware that this relates to GnuTLS 3, which may be +newer than the version installed on your system. If you are using GnuTLS 3, +then the example code on that site can be used to test a given string. Prior to Exim 4.80, an older API of GnuTLS was used, and Exim supported three additional options, "gnutls_require_kx", "gnutls_require_mac" and " @@ -23871,15 +24295,14 @@ tls_dhparam = /some/file/name is set, the SSL library is initialized for the use of Diffie-Hellman ciphers -with the parameters contained in the file. - -Set this to "none" to disable use of DH entirely, by making no prime available: +with the parameters contained in the file. Set this to "none" to disable use of +DH entirely, by making no prime available: tls_dhparam = none This may also be set to a string identifying a standard prime to be used for DH; if it is set to "default" or, for OpenSSL, is unset, then the prime used is -"ike23". There are a few standard primes available, see the documetnation for +"ike23". There are a few standard primes available, see the documentation for tls_dhparam for the complete list. See the command 
@@ -23894,13 +24317,12 @@ in $sender_host_address to control the expansion. If a string expansion is forced to fail, Exim behaves as if the option is not set. -The variable $tls_cipher is set to the cipher suite that was negotiated for an -incoming TLS connection. It is included in the Received: header of an incoming -message (by default - you can, of course, change this), and it is also included -in the log line that records a message's arrival, keyed by "X=", unless the -tls_cipher log selector is turned off. The encrypted condition can be used to -test for specific cipher suites in ACLs. (For outgoing SMTP deliveries, -$tls_cipher is reset - see section 41.9.) +The variable $tls_in_cipher is set to the cipher suite that was negotiated for +an incoming TLS connection. It is included in the Received: header of an +incoming message (by default - you can, of course, change this), and it is also +included in the log line that records a message's arrival, keyed by "X=", +unless the tls_cipher log selector is turned off. The encrypted condition can +be used to test for specific cipher suites in ACLs. Once TLS has been established, the ACLs that run for subsequent SMTP commands can check the name of the cipher suite and vary their actions accordingly. The @@ -23909,6 +24331,9 @@ contexts is known as TLS_RSA_WITH_3DES_EDE_CBC_SHA. Check the OpenSSL or GnuTLS documentation for more details. +For outgoing SMTP deliveries, $tls_out_cipher is used and logged (again +depending on the tls_cipher log selector). + 41.7 Requesting and verifying client certificates ------------------------------------------------- 
@@ -23945,13 +24370,13 @@ When a client supplies a certificate (whether it verifies or not), the value of the Distinguished Name of the certificate is made available in the variable -$tls_peerdn during subsequent processing of the message. +$tls_in_peerdn during subsequent processing of the message. Because it is often a long text string, it is not included in the log line or Received: header by default. You can arrange for it to be logged, keyed by "DN= ", by setting the tls_peerdn log selector, and you can use received_header_text -to change the Received: header. When no certificate is supplied, $tls_peerdn is -empty. +to change the Received: header. When no certificate is supplied, $tls_in_peerdn +is empty. 41.8 Revoked certificates @@ -24023,11 +24448,11 @@ client is connected. Forced failure of an expansion causes Exim to behave as if the relevant option were unset. -Before an SMTP connection is established, the $tls_bits, $tls_cipher, -$tls_peerdn and $tls_sni variables are emptied. (Until the first connection, -they contain the values that were set when the message was received.) If -STARTTLS is subsequently successfully obeyed, these variables are set to the -relevant values for the outgoing connection. +Before an SMTP connection is established, the $tls_out_bits, $tls_out_cipher, +$tls_out_peerdn and $tls_out_sni variables are emptied. (Until the first +connection, they contain the values that were set when the message was +received.) If STARTTLS is subsequently successfully obeyed, these variables are +set to the relevant values for the outgoing connection. 41.10 Use of TLS Server Name Indication 
@@ -24058,13 +24483,13 @@ The tls_sni option on an SMTP transport is an expanded string; the result, if not empty, will be sent on a TLS session as part of the handshake. There's nothing more to it. Choosing a sensible value not derived insecurely is the -only point of caution. The $tls_sni variable will be set to this string for the -lifetime of the client connection (including during authentication). +only point of caution. The $tls_out_sni variable will be set to this string for +the lifetime of the client connection (including during authentication). -Except during SMTP client sessions, if $tls_sni is set then it is a string +Except during SMTP client sessions, if $tls_in_sni is set then it is a string received from a client. It can be logged with the log_selector item "+tls_sni". -If the string "tls_sni" appears in the main section's tls_certificate option +If the string "tls_in_sni" appears in the main section's tls_certificate option (prior to expansion) then the following options will be re-expanded during TLS session handshake, to permit alternative values to be chosen: @@ -24180,6 +24605,15 @@ is not helpful if you are going to use this certificate and key in an MTA, where prompting is not possible. +NB: we are now past the point where 9999 days takes us past the 32-bit Unix +epoch. If your system uses unsigned time_t (most do) and is 32-bit, then the +above command might produce a date in the past. Think carefully about the +lifetime of the systems you're deploying, and either reduce the duration of the +certificate or reconsider your platform deployment. (At time of writing, +reducing the duration is the most likely choice, but the inexorable progression +of time takes us steadily towards an era where this will not be a sensible +resolution). + A self-signed certificate made in this way is sufficient for testing, and may be adequate for all your requirements if you are mainly interested in encrypting transfers, and not in secure identification. 
@@ -24227,7 +24661,7 @@ The -bh command line option provides a way of testing your ACL configuration locally by running a fake SMTP session with which you interact. The host relay-test.mail-abuse.org provides a service for checking your relaying -configuration (see section 42.51 for more details). +configuration (see section 42.52 for more details). 42.2 Specifying when ACLs are used @@ -24354,6 +24788,9 @@ after the data) correctly - they keep the message on their queues and try again later, but that is their problem, though it does waste some of your resources. +The acl_smtp_data ACL is run after both the acl_smtp_dkim and the acl_smtp_mime +ACLs. + 42.7 The SMTP DKIM ACL ---------------------- @@ -24365,6 +24802,8 @@ received, and is executed for each DKIM signature found in a message. If not otherwise specified, the default action is to accept. +This ACL is evaluated before acl_smtp_mime and acl_smtp_data. + For details on the operation of DKIM, see chapter 56. @@ -24374,6 +24813,8 @@ The acl_smtp_mime option is available only when Exim is compiled with the content-scanning extension. For details, see chapter 43. +This ACL is evaluated after acl_smtp_dkim but before acl_smtp_data. + 42.9 The QUIT ACL ----------------- @@ -24406,7 +24847,7 @@ ---------------------- The not-QUIT ACL, specified by acl_smtp_notquit, is run in most cases when an -SMTP session ends without sending QUIT. However, when Exim itself is is bad +SMTP session ends without sending QUIT. However, when Exim itself is in bad trouble, such as being unable to write to its log files, this ACL is not run, because it might try to do things (such as write to log files) that make the situation even worse. 
@@ -24716,9 +25157,9 @@ be written, use the logwrite modifier instead. If log_message is not present, a warn verb just checks its conditions and - obeys any "immediate" modifiers (such as control, set, logwrite, and - add_header) that appear before the first failing condition. There is more - about adding header lines in section 42.23. + obeys any "immediate" modifiers (such as control, set, logwrite, add_header + , and remove_header) that appear before the first failing condition. There + is more about adding header lines in section 42.23. If any condition on a warn statement cannot be completed (that is, there is some sort of defer), the log line specified by log_message is not written. @@ -24828,7 +25269,7 @@ warning is generated. The control modifier affects the way an incoming message is handled. -The positioning of the modifiers in an ACL statement important, because the +The positioning of the modifiers in an ACL statement is important, because the processing of a verb ceases as soon as its outcome is known. Only those modifiers that have already been encountered will take effect. For example, consider this use of the message modifier: @@ -24934,12 +25375,12 @@ delay =
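Review bot: the two hunks that describe SNI-triggered re-expansion disagree on the variable name. The hunk at @@ -14641,10 +14950,10 @@ (main tls_certificate) now says re-expansion happens "If the option contains $tls_out_sni", while the hunk at @@ -24058,13 +24483,13 @@ (section 41.10) says it happens "If the string "tls_in_sni" appears in the main section's tls_certificate option". The same 41.10 hunk states that outside SMTP client sessions $tls_in_sni is the string received from a client, and a server selecting its certificate acts on the SNI it received, so $tls_in_sni is the consistent choice; the tls_certificate paragraph should be brought into line with it (or both should name whatever string the code actually matches on, but the two passages must agree).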
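Review bot: the new paragraph in the hunk at @@ -18169,6 +18519,9 @@ (the transport headers_remove option) has been copied from the router text without adjustment: it reads "can be specified multiple times for a router; all listed headers are added", but this is a transport option and the headers are removed. Suggest "Unlike most options, headers_remove can be specified multiple times for a transport; all listed headers are removed.", matching the headers_add paragraph added in the hunk just above it.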
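Review bot: in the hunk at @@ -20156,6 +20509,15 @@ the sentence "If force_command is enabled on the transport, Special handling takes place for an argument ..." has a stray capital on "Special". The closing sentences ("if it were then force_command should behave as a no-op. Rather, it should be used to adjust the command run ...") read as a statement of intent rather than of behaviour; suggest "if it were, force_command would have no effect; its purpose is to adjust the command run while preserving the argument vector separation."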
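Review bot: in the hunk at @@ -20310,6 +20672,22 @@ (the new force_command pipe option) the sentence "If force_command is set, the command option will used." is missing a word; suggest "will be used". In the same hunk the shell construct is written as ""$@"" with doubled quotes; the idiom being compared to is "$@" (a single pair of double quotes), so the extra quotes should be dropped.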
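Review bot: in the hunk at @@ -20680,6 +21058,9 @@ the deprecation note writes "et. al."; the abbreviation is "et al." (no full stop after "et").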
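Review bot: in the hunk at @@ -20720,8 +21101,8 @@ the rewrap leaves a comma at the start of a line ("$tls_out_cipher" / ", and $tls_out_peerdn"); wrap so the comma stays attached to $tls_out_cipher, as a reader of the plain-text spec will otherwise see a line beginning with ", and".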
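Review bot: in the hunk at @@ -20822,6 +21203,22 @@ (the new dscp smtp option) two sentences need a grammar pass: "to one of a number of fixed strings or to numeric value" should read "or to a numeric value", and "there is no guarantee that these values will have any effect, not be stripped by networking equipment, or do much of anything" needs parallel verbs, e.g. "will have any effect, will not be stripped by networking equipment, or will do much of anything".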
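Review bot: the hunk at @@ -20961,6 +21358,14 @@ (hosts_verify_avoid_tls) should spell out the consequence of Default: *, because "Note that the default is to not use TLS" is easy to read past: with the default, verify callouts and cutthrough deliveries are always sent in clear, including to hosts for which an ordinary delivery would negotiate TLS, until the operator narrows this list. A sentence such as "With the default value no callout or cutthrough delivery uses TLS; set this option to a narrower host list to enable it" would make that explicit. Separately, the option is inserted between hosts_avoid_tls and hosts_max_try, which breaks the alphabetical ordering used for the rest of this option list.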
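Review bot: the new tls_dh_min_bits paragraph in the hunk at @@ -21220,6 +21625,17 @@ gives Default: 1024 with no guidance on choosing a value, while the tls_dhparam hunk at @@ -14716,6 +15025,20 @@ explains that 2048 is the practical lower bound (the value Debian used to patch the minimum to) and 2236 the practical upper bound for interoperability. A cross-reference from tls_dh_min_bits to that discussion would help operators raising the client-side minimum choose a value consistent with the server-side advice. The line "Only supported when using GnuTLS." should also say what happens otherwise; the hunk at @@ -23630,6 +24050,11 @@ states that with OpenSSL the option is ignored, which is worth repeating here.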
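Review bot: in the hunk at @@ -22453,11 +22868,15 @@ the client_set_id description calls it "this condition"; the table declares it as Type: string* and the text goes on to say it supplies a value for log lines, so "this option is expanded" is the accurate wording. Also "messasges" should be "messages".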
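Review bot: in the hunk at @@ -22804,7 +23223,8 @@ the rewrapped sentence has a stray space before the comma and loses its verb: "as the error text , and the failed id saved in $authenticated_fail_id". Suggest "as the error text, and the failed id is saved in $authenticated_fail_id".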
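Review bot: the new "NB:" paragraph in the hunk at @@ -24180,6 +24605,15 @@ has the sign of time_t the wrong way round. It says "If your system uses unsigned time_t (most do) and is 32-bit, then the above command might produce a date in the past." A 32-bit signed time_t is the common case, and it is the one that overflows in January 2038 and can therefore yield a date in the past when 9999 days are added; a 32-bit unsigned time_t would run until 2106 and would not be affected. Suggest "signed time_t (most do)".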
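Review bot: in the hunk at @@ -24716,9 +25157,9 @@ the rewrap puts a comma at the start of a line ("add_header" / ", and remove_header)"); rewrap so the comma stays with add_header, otherwise the plain-text spec shows a line beginning with ", and".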