From: Jeremy Harris Date: Mon, 7 Dec 2015 15:22:38 +0000 (+0000) Subject: SOCKS: move from Experimental to mainline X-Git-Tag: exim-4_87_RC1~7 X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=74f150bf80451e34b2fae10c14019e37d644420a;p=exim.git SOCKS: move from Experimental to mainline --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 8b2bb4dab..677b4ef50 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -23729,6 +23729,14 @@ Alternatively, if the value of &%size_addition%& is set negative, it disables the use of the SIZE option altogether. +.new +.option socks_proxy smtp string&!! unset +.cindex proxy SOCKS +This option enables use of SOCKS proxies for connections made by the +transport. For details see &<>&. +.wen + + .option tls_certificate smtp string&!! unset .cindex "TLS" "client certificate, location of" .cindex "certificate" "client, location of" 
@@ -38008,6 +38016,83 @@ for more information of what they mean. . //////////////////////////////////////////////////////////////////////////// . //////////////////////////////////////////////////////////////////////////// +.chapter "Proxies" "CHAPproxies" &&& + "Proxy support" +.cindex "proxy support" +.cindex "proxy" "access via" + +.new +A proxy is an intermediate system through which communication is passed. +Proxies may provide a security, availability or load-distribution function. + +.section "Outbound proxies" SECTproxySOCKS +.cindex proxy outbound +.cindex proxy "client side" +.cindex proxy SOCKS +.cindex SOCKS proxy +Exim has support for sending outbound SMTP via a proxy +using a protocol called SOCKS5 (defined by RFC1928). +The support can be removed by defining DISABLE_SOCKS=yes in Local/Makefile. + +Use of a proxy is enabled by setting the &%socks_proxy%& on an smtp transport. +The option value is expanded and should then be a list +(colon-separated by default) of proxy specifiers. +Each proxy specifier is a list +(space-separated by default) where the initial element +is an IP address and any subsequent elements are options. + +Options are a string =. +The list of options is in the following table: +.display +&`auth `& authentication method +&`name `& authentication username +&`pass `& authentication password +&`port `& tcp port +&`tmo `& connection timeout +&`pri `& priority +&`weight `& selection bias +.endd + +More details on each of these options follows: + +.ilist +.cindex authentication "to proxy" +.cindex proxy authentication +&%auth%&: Either &"none"& (default) or &"name"&. +Using &"name"& selects username/password authentication per RFC 1929 +for access to the proxy. +Default is &"none"&. +.next +&%name%&: sets the username for the &"name"& authentication method. +Default is empty. +.next +&%pass%&: sets the password for the &"name"& authentication method. +Default is empty. 
+.next +&%port%&: the TCP port number to use for the connection to the proxy. +Default is 1080. +.next +&%tmo%&: sets a connection timeout in seconds for this proxy. +Default is 5. +.next +&%pri%&: specifies a priority for the proxy within the list, +higher values being tried first. +The default priority is 1. +.next +&%weight%&: specifies a selection bias. +Within a priority set servers are queried in a random fashion, +weighted by this value. +The default value for selection bias is 1. +.endlist + +Proxies from the list are tried according to their priority +and weight settings until one responds. The timeout for the +overall connection applies to the set of proxied attempts. +.wen + +. //////////////////////////////////////////////////////////////////////////// +. //////////////////////////////////////////////////////////////////////////// + .chapter "Adding new drivers or lookup types" "CHID13" &&& "Adding drivers or lookups" .cindex "adding drivers" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 20623997f..e78f49cf4 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -112,6 +112,9 @@ JH/21 Bug 1720: Add support for priority groups and weighted-random proxy JH/22 Bugs 963, 1721: Fix some corner cases in message body canonicalisation for DKIM processing. +JH/23 Move SOCKS5 support from Experimental to mainline. It can be left out + from a build by defining DISABLE_SOCKS. + Exim version 4.86 ----------------- diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 18a5fd917..f0f1035ea 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -880,6 +880,9 @@ following will be forced: No other use is made of the result string. +If transport proxying is used, the remote IP/port during a +tcp:connect event will be that of the proxy. + Known issues: - the tls:cert event is only called for the cert chain elements 
@@ -1115,44 +1118,6 @@ QUIT -SOCKS ------------------------------------------------------------- -Support for proxying outbound SMTP via a Socks 5 proxy -(RFC 1928) is included if Exim is compiled with -EXPERIMENTAL_SOCKS defined. - -If an smtp transport has a nonempty socks_proxy option -defined, this is active. The option is expanded and -should be a list (colon-separated by default) of -proxy specifiers. Each proxy specifier is a list -(space-separated by default) where the initial element -is an IP address and any subsequent elements are options. - -Options are a string =. -These options are currently defined: -- "auth", with possible values "none" and "name". - Using "name" selects username/password authentication - per RFC 1929. Default is "none". -- "name" sets the authentication username. Default is empty. -- "pass" sets the authentication password. Default is empty. -- "port" sets the tcp port number for the proxy. Default is 1080. -- "tmo" sets a connection timeout in seconds for this proxy. Default is 5. -- "pri" specifies a priority for the server within the list, higher - values being tried first. The default priority is 1. -- "weight" specifies a selection bias. Within a priority set servers - are queried in a random fashion, weighted by this value. The default - value for selection bias is 1. - -Proxies from the list are tried according to their priority -and weight settings until one responds. The timeout for the -overall connection applies to the set of proxied attempts. - -If events are used, the remote IP/port during a -tcp:connect event will be that of the proxy. - - - - DANE ------------------------------------------------------------ DNS-based Authentication of Named Entities, as applied diff --git a/src/src/EDITME b/src/src/EDITME index c2d95ff40..5b17e53d8 100644 --- a/src/src/EDITME +++ b/src/src/EDITME 
@@ -431,6 +431,13 @@ EXIM_MONITOR=eximon.bin
 # DISABLE_DNSSEC=yes
+#------------------------------------------------------------------------------
+# By default Exim has support for connecting outbound via a SOCK5 proxy.
+# To remove this support uncomment the following line.
+
+# DISABLE_SOCKS=yes
+
+
 #------------------------------------------------------------------------------
 # Compiling Exim with experimental features. These are documented in
 # experimental-spec.txt. "Experimental" means that the way these features are
@@ -497,9 +504,6 @@ EXIM_MONITOR=eximon.bin
 # Note: Enabling this unconditionally overrides DISABLE_DNSSEC
 # EXPERIMENTAL_DANE=yes
-# Uncomment the following line to add SOCKS support
-# EXPERIMENTAL_SOCKS=yes
-
 # Uncomment the following to add Internationalisation features. You need to
 # have the IDN library installed.
 # EXPERIMENTAL_INTERNATIONAL=yes
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 6af3b4d43..9ebb4f8de 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -41,10 +41,11 @@ it's a default value. */
 #define DEFAULT_CRYPT crypt
 #define DELIVER_IN_BUFFER_SIZE 8192
 #define DELIVER_OUT_BUFFER_SIZE 8192
+#define DISABLE_DNSSEC
 #define DISABLE_DKIM
 #define DISABLE_PRDR
 #define DISABLE_OCSP
-#define DISABLE_DNSSEC
+#define DISABLE_SOCKS
 #define DISABLE_D_OPTION
 #define ENABLE_DISABLE_FSYNC
@@ -178,7 +179,6 @@ it's a default value. */
 #define EXPERIMENTAL_INTERNATIONAL
 #define EXPERIMENTAL_PROXY
 #define EXPERIMENTAL_REDIS
-#define EXPERIMENTAL_SOCKS
 #define EXPERIMENTAL_SPF
 #define EXPERIMENTAL_SRS
diff --git a/src/src/exim.c b/src/src/exim.c
index 27b73b764..a0477faa1 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
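Review bot: The first added comment line in the EDITME hunk reads `SOCK5 proxy`; the protocol is SOCKS5 (RFC 1928), as the spec and ChangeLog hunks of this commit spell it, so the line should read `# By default Exim has support for connecting outbound via a SOCKS5 proxy.` Since this block is the only place a builder sees the feature, it would also help to name the run-time knob, e.g. `# Proxying is enabled per smtp transport with the socks_proxy option.`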
@@ -814,20 +814,23 @@ fprintf(f, "Support for:");
 #ifdef WITH_CONTENT_SCAN
 fprintf(f, " Content_Scanning");
 #endif
-#ifndef DISABLE_DKIM
- fprintf(f, " DKIM");
-#endif
 #ifdef WITH_OLD_DEMIME
 fprintf(f, " Old_Demime");
 #endif
+#ifndef DISABLE_DKIM
+ fprintf(f, " DKIM");
+#endif
 #ifndef DISABLE_DNSSEC
 fprintf(f, " DNSSEC");
 #endif
+#ifndef DISABLE_OCSP
+ fprintf(f, " OCSP");
+#endif
 #ifndef DISABLE_PRDR
 fprintf(f, " PRDR");
 #endif
-#ifndef DISABLE_OCSP
- fprintf(f, " OCSP");
+#ifndef DISABLE_SOCKS
+ fprintf(f, " SOCKS");
 #endif
 #ifdef EXPERIMENTAL_SPF
 fprintf(f, " Experimental_SPF");
@@ -862,9 +865,6 @@ fprintf(f, "Support for:");
 #ifdef EXPERIMENTAL_REDIS
 fprintf(f, " Experimental_Redis");
 #endif
-#ifdef EXPERIMENTAL_SOCKS
- fprintf(f, " Experimental_SOCKS");
-#endif
 fprintf(f, "\n");
 fprintf(f, "Lookups (built-in):");
diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c
index d32ef89b5..abc5b80fe 100644
--- a/src/src/smtp_out.c
+++ b/src/src/smtp_out.c
@@ -267,7 +267,7 @@ int
 smtp_connect(host_item *host, int host_af, int port, uschar *interface,
 int timeout, transport_instance * tb)
 {
-#ifdef EXPERIMENTAL_SOCKS
+#ifndef DISABLE_SOCKS
 smtp_transport_options_block * ob =
 (smtp_transport_options_block *)tb->options_block;
 #endif
@@ -287,7 +287,7 @@ HDEBUG(D_transport|D_acl|D_v)
 {
 uschar * s = US" ";
 if (interface) s = string_sprintf(" from %s ", interface);
-#ifdef EXPERIMENTAL_SOCKS
+#ifndef DISABLE_SOCKS
 if (ob->socks_proxy) s = string_sprintf("%svia proxy ", s);
 #endif
 debug_printf("Connecting to %s %s%s... ", host->name, callout_address, s);
@@ -295,7 +295,7 @@ HDEBUG(D_transport|D_acl|D_v)
 /* Create and connect the socket */
-#ifdef EXPERIMENTAL_SOCKS
+#ifndef DISABLE_SOCKS
 if (ob->socks_proxy) return socks_sock_connect(host, host_af, port, interface, tb, timeout);
 #endif
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 66d632fad..fc1439e93 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
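Review bot: The first exim.c hunk moves the `DKIM` and `OCSP` entries of the `Support for:` list as well as adding `SOCKS`; the reorder is unrelated to the SOCKS change and would be easier to review and to bisect as its own commit. This line is what the test-suite `REQUIRES` files in this commit match on (`support SOCKS`), so the printed token names must stay in step with them whenever they are touched. The enclosing function starts and ends outside the hunk.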
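Review bot: In the smtp_out.c hunk at 267, `tb->options_block` is now dereferenced in every default build (previously only under EXPERIMENTAL_SOCKS) and nothing in the hunk checks `tb`; if any caller of smtp_connect can pass a NULL transport — the callers are not visible from here — this turns into a crash on the ordinary, non-proxied path. A cheap guard keeps that path unchanged: `smtp_transport_options_block * ob = tb ? (smtp_transport_options_block *)tb->options_block : NULL;` with the two later tests in the 287 and 295 hunks written as `if (ob && ob->socks_proxy)`. The body of smtp_connect continues past the hunk.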
@@ -159,7 +159,7 @@ optionlist smtp_transport_options[] = {
 (void *)offsetof(smtp_transport_options_block, serialize_hosts) },
 { "size_addition", opt_int,
 (void *)offsetof(smtp_transport_options_block, size_addition) }
-#ifdef EXPERIMENTAL_SOCKS
+#ifndef DISABLE_SOCKS
 ,{ "socks_proxy", opt_stringptr,
 (void *)offsetof(smtp_transport_options_block, socks_proxy) }
 #endif
@@ -249,7 +249,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 FALSE, /* lmtp_ignore_quota */
 NULL, /* expand_retry_include_ip_address */
 TRUE /* retry_include_ip_address */
-#ifdef EXPERIMENTAL_SOCKS
+#ifndef DISABLE_SOCKS
 ,NULL /* socks_proxy */
 #endif
 #ifdef SUPPORT_TLS
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 2aeab9add..c77c2c5d9 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -59,7 +59,7 @@ typedef struct {
 BOOL lmtp_ignore_quota;
 uschar *expand_retry_include_ip_address;
 BOOL retry_include_ip_address;
-#ifdef EXPERIMENTAL_SOCKS
+#ifndef DISABLE_SOCKS
 uschar *socks_proxy;
 #endif
 #ifdef SUPPORT_TLS
@@ -111,7 +111,7 @@ extern int smtp_auth(uschar *, unsigned, address_item *, host_item *,
 extern BOOL smtp_mail_auth_str(uschar *, unsigned, address_item *,
 smtp_transport_options_block *);
-#ifdef EXPERIMENTAL_SOCKS
+#ifndef DISABLE_SOCKS
 extern int socks_sock_connect(host_item *, int, int, uschar *,
 transport_instance *, int);
 #endif
diff --git a/src/src/transports/smtp_socks.c b/src/src/transports/smtp_socks.c
index 6d4e072eb..a7d4e106f 100644
--- a/src/src/transports/smtp_socks.c
+++ b/src/src/transports/smtp_socks.c
@@ -10,7 +10,7 @@
 #include "../exim.h"
 #include "smtp.h"
-#ifdef EXPERIMENTAL_SOCKS /* entire file */
+#ifndef DISABLE_SOCKS /* entire file */
 #ifndef nelem
 # define nelem(arr) (sizeof(arr)/sizeof(*arr))
diff --git a/test/scripts/4020-socks/REQUIRES b/test/scripts/4020-socks/REQUIRES
index 135603c74..5c6dbbad6 100644
--- a/test/scripts/4020-socks/REQUIRES
+++ b/test/scripts/4020-socks/REQUIRES
@@ -1 +1 @@
-support Experimental_SOCKS
+support SOCKS
diff --git a/test/scripts/4028-GnuTLS-socks/REQUIRES b/test/scripts/4028-GnuTLS-socks/REQUIRES
index 0b41941ac..5accf7bf3 100644
--- a/test/scripts/4028-GnuTLS-socks/REQUIRES
+++ b/test/scripts/4028-GnuTLS-socks/REQUIRES
@@ -1,4 +1,4 @@
-support Experimental_SOCKS
+support SOCKS
 support GnuTLS
 running IPv4
 running socks
diff --git a/test/scripts/4029-OpenSSL-socks/REQUIRES b/test/scripts/4029-OpenSSL-socks/REQUIRES
index b24bbd9a0..d42ca4cee 100644
--- a/test/scripts/4029-OpenSSL-socks/REQUIRES
+++ b/test/scripts/4029-OpenSSL-socks/REQUIRES
@@ -1,4 +1,4 @@
-support Experimental_SOCKS
+support SOCKS
 support OpenSSL
 running IPv4
 running socks