exim.git
Enable weak/old stuff in OpenSSL
Phil Pennock [Sun, 15 Apr 2018 21:45:48 +0000 (17:45 -0400)]

Configure OpenSSL with:

    enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers

Include explanation as to why.

Testsuite: syslog testcase
Jeremy Harris [Sun, 15 Apr 2018 21:03:45 +0000 (22:03 +0100)]

Merge branch '4.next'
Jeremy Harris [Sun, 15 Apr 2018 16:50:14 +0000 (17:50 +0100)]

Tidy logging code
Jeremy Harris [Fri, 13 Apr 2018 16:17:37 +0000 (17:17 +0100)]

Clear more globals between messages
Jeremy Harris [Sat, 7 Apr 2018 19:58:14 +0000 (20:58 +0100)]

Add client-ip info to iprev ${authres } line
Jeremy Harris [Wed, 4 Apr 2018 15:15:22 +0000 (16:15 +0100)]

ARC: add optional x= tag to signing
Jeremy Harris [Wed, 4 Apr 2018 10:10:56 +0000 (11:10 +0100)]

ARC: add optional t= tags to signing
Jeremy Harris [Tue, 3 Apr 2018 23:22:49 +0000 (00:22 +0100)]

Avoid doing logging in signal-handlers.  Bug 1007
Jeremy Harris [Fri, 30 Mar 2018 21:54:55 +0000 (22:54 +0100)]

Docs: clean for next release
Jeremy Harris [Sun, 15 Apr 2018 15:29:46 +0000 (16:29 +0100)]

Testsuite: tidyup after mysql testing (tag exim-4_91)
Jeremy Harris [Sat, 14 Apr 2018 23:18:10 +0000 (00:18 +0100)]

Logging: fix syslog logging for syslog_timestamp=no and log_selector +millisec, also syslog_pid=no and log_selector +pid
Jeremy Harris [Sat, 14 Apr 2018 22:31:05 +0000 (23:31 +0100)]

Docs: typo
Jeremy Harris [Fri, 13 Apr 2018 16:02:15 +0000 (17:02 +0100)]

Logging: fix syslog logging for syslog_timestamp=no and log_selector +millisec
Jeremy Harris [Fri, 13 Apr 2018 16:17:37 +0000 (17:17 +0100)]

DKIM downgrade example again; this time debugged
Phil Pennock [Fri, 13 Apr 2018 22:51:23 +0000 (18:51 -0400)]

As well as previous commit's `len_3` -> `length_3`, we were missing
braces around the expansion operator, resulting in trying to dereference
an unknown variable `$length_3`, and we were missing the outer braces
from the `or` expansion condition.

We really need a better way to test ACL expansion without a full harness. :(

This bug-fixed version is now running on my system.

Fix length expansion operator in DKIM downgrade example
Phil Pennock [Fri, 13 Apr 2018 22:35:20 +0000 (18:35 -0400)]

DKIM: add support for the SubjectPublicKeyInfo wrapped form of pubkey
Jeremy Harris [Fri, 13 Apr 2018 10:51:50 +0000 (11:51 +0100)]

Docs: add known broken-version info for OpenSSL behavior
Jeremy Harris [Thu, 12 Apr 2018 15:55:42 +0000 (16:55 +0100)]

Mention MTA-STS in DANE context; nit fixes
Phil Pennock [Thu, 12 Apr 2018 02:04:28 +0000 (22:04 -0400)]

Did an audit of text changed since commit 6aa6fc9c5 to look for issues
which stood out, fixed those.  Spelling mistakes, markup issues, minor
grammatical infelicities.

The public/private CA stuff in the DANE text might push people away from
public CAs, but the existence of MTA-STS means that one of those is
probably the best choice.  Mention what exim.org does, to provide
slightly firmer guidance without pressure.

List the `dkim_hash` values, `sha512` appears to be new since that text
was last touched.

Doc: website updates and so forth
Phil Pennock [Thu, 12 Apr 2018 01:06:54 +0000 (21:06 -0400)]

I've added <https://downloads.exim.org/> as a new vhost which doesn't
reference FTP and loses the `/pub/exim` prefix.

Fixed various other outdated claims and documented Jeremy's PGP key as
the main key for releases, with mine (Phil's) and Heiko's as fallbacks.

Mention the `.xz` files.

Add `receive_time` to list of log_selector values
Phil Pennock [Mon, 9 Apr 2018 21:52:19 +0000 (17:52 -0400)]

bugfix: heimdal interaction, check length
Phil Pennock [Mon, 9 Apr 2018 21:49:57 +0000 (17:49 -0400)]

clang noted that taking the address of a struct member will never be 0,
so checking against 0 was wrong.  It was a `.length` member.  I've
compiled RC4 with this change and deployed it to my box and I can still
authenticate fine.

ARC: fix signing when DKIM-signing is also being done
Jeremy Harris [Mon, 9 Apr 2018 14:08:34 +0000 (15:08 +0100)]

The ordering of headers being signed was wrong when a message
being forwarded arrived with a dkim signature

DMARC: fix history file
Jeremy Harris [Mon, 9 Apr 2018 10:19:47 +0000 (11:19 +0100)]

Too many variables were being cleared between connections
Broken-by: c780096c29 4.91 RC2

Better(?!?) fallback for stat: Perl
Phil Pennock [Mon, 9 Apr 2018 03:46:26 +0000 (23:46 -0400)]

We use Perl extensively in other scripts.

*sigh*

stat portability
Phil Pennock [Mon, 9 Apr 2018 02:43:36 +0000 (22:43 -0400)]

I forgot how much I loathe basic stuff like "get the size of a file,
portably, in shell".  Bleh.

Added util/renew-opendmarc-tlds.sh script to renew PSL
Phil Pennock [Mon, 9 Apr 2018 02:28:56 +0000 (22:28 -0400)]

OpenSSL: Revert the disabling of the session-cache.  Bug 2255
Jeremy Harris [Sun, 8 Apr 2018 21:45:39 +0000 (22:45 +0100)]

Session caching is never useful, as we use a new context for every TLS startup.
However, removing the support triggers odd behaviour from Outlook Express (only
when there is an IMAP server on the same machine as Exim): an initial connect
from the OE client fails, the immediate retry works.

ARC: fix verify to not evaluate the top AMS twice (tag exim-4_91_RC4)
Jeremy Harris [Sat, 7 Apr 2018 21:44:39 +0000 (22:44 +0100)]

Clear more globals between messages
Jeremy Harris [Sat, 7 Apr 2018 19:58:14 +0000 (20:58 +0100)]

Logging: fix DKIM precis received log line element.
Jeremy Harris [Fri, 6 Apr 2018 09:48:00 +0000 (10:48 +0100)]

Broken-by: 2c47372fad

compiler quietening
Heiko Schlittermann (HS12-RIPE) [Wed, 4 Apr 2018 19:39:36 +0000 (21:39 +0200)]

Add client-ip info to iprev ${authres } line
Jeremy Harris [Wed, 4 Apr 2018 15:15:22 +0000 (16:15 +0100)]

compiler quietening
Jeremy Harris [Wed, 4 Apr 2018 11:38:38 +0000 (12:38 +0100)]

Actually reap node2 process in redis cluster test
Graeme Fowler [Wed, 4 Apr 2018 10:30:21 +0000 (11:30 +0100)]

ARC: add optional x= tag to signing
Jeremy Harris [Wed, 4 Apr 2018 10:10:56 +0000 (11:10 +0100)]

local_scan: add note on Makefile requirement
Jeremy Harris [Fri, 30 Mar 2018 23:24:28 +0000 (00:24 +0100)]

ARC: add optional t= tags to signing
Jeremy Harris [Tue, 3 Apr 2018 23:22:49 +0000 (00:22 +0100)]

ARC: log signing-spec errors in mainlog only, not paniclog
Jeremy Harris [Wed, 28 Mar 2018 13:15:23 +0000 (14:15 +0100)]

ARC: enhance debug for signing; explicitly init signing context
Jeremy Harris [Tue, 27 Mar 2018 21:01:03 +0000 (22:01 +0100)]

Fix non-ARC build
Jeremy Harris [Mon, 26 Mar 2018 17:44:33 +0000 (18:44 +0100)]

ARC: add guard in verify against lack of the dkim-verify context needed for body-hashing
Jeremy Harris [Mon, 26 Mar 2018 16:30:47 +0000 (17:30 +0100)]

ARC: cutthrough delivery may not be used with ARC signing
Jeremy Harris [Mon, 26 Mar 2018 14:59:25 +0000 (15:59 +0100)]

Cutthrough: enforce non-use in combination with DKIM signing or transport filter
Jeremy Harris [Mon, 26 Mar 2018 14:53:49 +0000 (15:53 +0100)]

Broken-by: 02b41d7106

Add ARC signing caveats
Phil Pennock [Mon, 26 Mar 2018 16:24:48 +0000 (12:24 -0400)]

ARC: give more detail with "bad signing-spec" message
Jeremy Harris [Sat, 24 Mar 2018 13:53:50 +0000 (13:53 +0000)]

ARC: For signing, accept A-R header lacking ARC info as equivalent to "none"
Jeremy Harris [Fri, 23 Mar 2018 16:45:03 +0000 (16:45 +0000)]

ARC: add independent-source testcase.  Fix signatures by not line-terminating last header line being hashed.
Jeremy Harris [Fri, 23 Mar 2018 11:06:35 +0000 (11:06 +0000)]

ARC: AS header should have no c= tag
Jeremy Harris [Tue, 20 Mar 2018 22:11:24 +0000 (22:11 +0000)]

ARC: on the smtp transport option take empty or forced-fail to disable signing
Jeremy Harris [Tue, 20 Mar 2018 19:58:00 +0000 (19:58 +0000)]

Avast: rework interface (tag exim-4_91_RC3)
Heiko Schlittermann (HS12-RIPE) [Mon, 2 Apr 2018 20:11:57 +0000 (22:11 +0200)]

Avast: implement pass_unscanned option
Heiko Schlittermann (HS12-RIPE) [Mon, 2 Apr 2018 15:39:39 +0000 (17:39 +0200)]

Avast: improve compliance with avast-protocol(5)
Heiko Schlittermann (HS12-RIPE) [Fri, 30 Mar 2018 22:06:47 +0000 (00:06 +0200)]

Treat scanner errors as malware. Defer on scanner tmpfail
only.

Testsuite: ignore config-optional -bP output
Jeremy Harris [Sat, 31 Mar 2018 13:23:31 +0000 (14:23 +0100)]

Testsuite: output changes arising
Jeremy Harris [Sat, 31 Mar 2018 13:21:36 +0000 (14:21 +0100)]

Docs: tidy the ChangeLog file
Jeremy Harris [Fri, 30 Mar 2018 23:07:55 +0000 (00:07 +0100)]

Merge branch 'dane_require_tls_ciphers'
Phil Pennock [Sat, 31 Mar 2018 02:28:20 +0000 (22:28 -0400)]

New SMTP Transport option for simplified improved security for DANE.

Avoid doing logging in signal-handlers.  Bug 1007
Jeremy Harris [Fri, 30 Mar 2018 21:54:55 +0000 (22:54 +0100)]

Testsuite: avoid ipv6 use in dane_require_tls_ciphers testcases
Jeremy Harris [Fri, 30 Mar 2018 16:36:30 +0000 (17:36 +0100)]

Testsuite: avoid ipv6 use in dane_require_tls_ciphers testcases
Jeremy Harris [Fri, 30 Mar 2018 16:36:30 +0000 (17:36 +0100)]

DANE: smtp transport option dane_require_tls_ciphers
Jeremy Harris [Fri, 30 Mar 2018 15:08:56 +0000 (16:08 +0100)]

Testcases for dane_require_tls_ciphers
Jeremy Harris [Fri, 30 Mar 2018 14:50:35 +0000 (15:50 +0100)]

Implement dane_require_tls_ciphers (theoretically)
Phil Pennock [Thu, 29 Mar 2018 03:01:34 +0000 (23:01 -0400)]

It compiles with OpenSSL, on Darwin (if restore Darwin OS).
It doesn't crash immediately, but more testing is needed from a place
where port 25 is not just blocked.

Document new dane_require_tls_ciphers
Phil Pennock [Thu, 29 Mar 2018 01:41:20 +0000 (21:41 -0400)]

Haven't written the code yet, but writing the docs first helped me
affirm that this makes sense and feels clean.  Code in next commit.

ARC: log signing-spec errors in mainlog only, not paniclog
Jeremy Harris [Wed, 28 Mar 2018 13:15:23 +0000 (14:15 +0100)]

ARC: enhance debug for signing; explicitly init signing context
Jeremy Harris [Tue, 27 Mar 2018 21:01:03 +0000 (22:01 +0100)]

Fix non-ARC build
Jeremy Harris [Mon, 26 Mar 2018 17:44:33 +0000 (18:44 +0100)]

ARC: add guard in verify against lack of the dkim-verify context needed for body-hashing
Jeremy Harris [Mon, 26 Mar 2018 16:30:47 +0000 (17:30 +0100)]

Cutthrough: for an onward finaldot timeout, generate an initiator 450 in defer=pass mode
Jeremy Harris [Mon, 26 Mar 2018 15:59:29 +0000 (16:59 +0100)]

ARC: cutthrough delivery may not be used with ARC signing
Jeremy Harris [Mon, 26 Mar 2018 14:59:25 +0000 (15:59 +0100)]

Cutthrough: enforce non-use in combination with DKIM signing or transport filter
Jeremy Harris [Mon, 26 Mar 2018 14:53:49 +0000 (15:53 +0100)]

Broken-by: 02b41d7106

Add ARC signing caveats
Phil Pennock [Mon, 26 Mar 2018 16:24:48 +0000 (12:24 -0400)]

SPF: remove the deprecated "err_temp" and "err_perm" result names
Jeremy Harris [Mon, 26 Mar 2018 12:49:52 +0000 (13:49 +0100)]

DKIM: document proper Ed25519 key-generation methods; remove helper program
Jeremy Harris [Mon, 26 Mar 2018 12:30:13 +0000 (13:30 +0100)]

Expand directory option for queuefile transport
Jeremy Harris [Mon, 26 Mar 2018 11:23:59 +0000 (12:23 +0100)]

Remove extraneous line - benign but pointless.
Jeremy Harris [Mon, 26 Mar 2018 11:20:50 +0000 (12:20 +0100)]

Broken-by: 9e70917d0a

Testsuite: for SPF tests, avoid using the ipv4 address
Jeremy Harris [Sun, 25 Mar 2018 16:14:41 +0000 (17:14 +0100)]

Add non-mtp source info to ${authres }
Jeremy Harris [Sun, 25 Mar 2018 15:42:34 +0000 (16:42 +0100)]

DKIM: document generation of RSA keys
Jeremy Harris [Sun, 25 Mar 2018 13:08:36 +0000 (14:08 +0100)]

DKIM: document Ed25519 private key generation under OpenSSL (1.1.1+)
Jeremy Harris [Sat, 24 Mar 2018 23:35:00 +0000 (23:35 +0000)]

DKIM: move ed25519_privkey_pem_to_pubkey_raw_b64 to src/util/ and add usage notes to docs
Jeremy Harris [Sat, 24 Mar 2018 15:19:27 +0000 (15:19 +0000)]

Docs: more on ${authresults }
Jeremy Harris [Sat, 24 Mar 2018 18:38:15 +0000 (18:38 +0000)]

ARC: give more detail with "bad signing-spec" message
Jeremy Harris [Sat, 24 Mar 2018 13:53:50 +0000 (13:53 +0000)]

Mark variables that are unused before release of store in the queue-list loop
Jeremy Harris [Sat, 24 Mar 2018 13:43:01 +0000 (13:43 +0000)]

Address jgh notes re OpenSSL
Phil Pennock [Fri, 23 Mar 2018 22:34:21 +0000 (18:34 -0400)]

* `/usr/local` is fair, on Linux, but I deliberately picked something
  specific to OpenSSL to make the context clear and limit bad
  interactions with other locally-installed software.
* `RPATH` and `RUNPATH` are not the same and are deeply twisty in their
  interactions.
  <https://blog.qt.io/blog/2011/10/28/rpath-and-runpath/> is a decent
  summary.

ARC: For signing, accept A-R header lacking ARC info as equivalent to "none"
Jeremy Harris [Fri, 23 Mar 2018 16:45:03 +0000 (16:45 +0000)]

Docs: typo
Jeremy Harris [Fri, 23 Mar 2018 16:42:47 +0000 (16:42 +0000)]

Fix spool_wireformat final-dot on LMTP transport.  Bug 2258
Jeremy Harris [Fri, 23 Mar 2018 12:18:53 +0000 (12:18 +0000)]

Broken-by: 328c5688db

ARC: add independent-source testcase.  Fix signatures by not line-terminating last header line being hashed.
Jeremy Harris [Fri, 23 Mar 2018 11:06:35 +0000 (11:06 +0000)]

exiqsumm fix: Check @ARGV exists before testing it
Graeme Fowler [Fri, 23 Mar 2018 12:00:54 +0000 (12:00 +0000)]

Set a TERM handler to terminate properly if running as PID 1
Heiko Schlittermann (HS12-RIPE) [Thu, 22 Mar 2018 22:32:53 +0000 (23:32 +0100)]

SPF: additional variable $spf_result_guessed; tweak authresults string indicating guess
Jeremy Harris [Thu, 22 Mar 2018 13:26:58 +0000 (13:26 +0000)]

Pipe transport, part two.  Bug 2257 (tag exim-4_91_RC2)
Jeremy Harris [Wed, 21 Mar 2018 11:34:22 +0000 (11:34 +0000)]

ARC: AS header should have no c= tag
Jeremy Harris [Tue, 20 Mar 2018 22:11:24 +0000 (22:11 +0000)]

ARC: on the smtp transport option take empty or forced-fail to disable signing
Jeremy Harris [Tue, 20 Mar 2018 19:58:00 +0000 (19:58 +0000)]

Not all the world is binutils ld
Phil Pennock [Wed, 21 Mar 2018 01:43:16 +0000 (21:43 -0400)]

Fix pipe transport to not use a socket-only syscall.  Bug 2257
Jeremy Harris [Tue, 20 Mar 2018 17:54:47 +0000 (17:54 +0000)]

Broken-by: 42055a3385

DKIM: harden signature header parsing
Jeremy Harris [Tue, 20 Mar 2018 16:40:31 +0000 (16:40 +0000)]

LibreSSL version numbering differs from OpenSSL
Jeremy Harris [Mon, 19 Mar 2018 00:37:28 +0000 (00:37 +0000)]

DMARC: testcase
Jeremy Harris [Sun, 18 Mar 2018 19:07:50 +0000 (19:07 +0000)]

Extremely basic; we have no control of the DNS use of the dmarc library