- Add procmail router and transport (#146848)

- Add localhost and localhost.localdomain as local domains (#198511)
- Fix mispatched authenticators (#204591)
- Other cleanups of config file and extra examples
- Add exim-clamav subpackage

exim-4.33-cyrus.patch

@@ -5,9 +5,9 @@
  
  
 +# This transport is used to deliver local mail to cyrus IMAP server via UNIX 
-+# socket.
++# socket. You'll need to configure the 'localuser' router above to use it.
 +#
-+#local_delivery:
++#lmtp_delivery:
 +#  driver = lmtp
 +#  command = "/usr/lib/cyrus-imapd/deliver -l"
 +#  batch_max = 20

exim-4.43-pamconfig.patch

@@ -1,25 +1,40 @@
 --- exim-4.43/src/configure.default.pam	2004-12-16 13:27:55.000000000 +0000
 +++ exim-4.43/src/configure.default	2004-12-16 15:41:34.000000000 +0000
-@@ -238,6 +238,40 @@
+@@ -160,7 +160,7 @@ acl_smtp_data = acl_check_data
+ 
+ # Allow any client to use TLS.
+ 
+-# tls_advertise_hosts = *
++tls_advertise_hosts = *
+ 
+ # Specify the location of the Exim server's TLS certificate and private key.
+ # The private key must not be encrypted (password protected). You can put
+@@ -168,8 +168,8 @@ acl_smtp_data = acl_check_data
+ # need the first setting, or in separate files, in which case you need both
+ # options.
+ 
+-# tls_certificate = /etc/ssl/exim.crt
+-# tls_privatekey = /etc/ssl/exim.pem
++tls_certificate = /etc/pki/tls/certs/exim.pem
++tls_privatekey = /etc/pki/tls/private/exim.pem
+ 
+ # In order to support roaming users who wish to send email from anywhere,
+ # you may want to make Exim listen on other ports as well as port 25, in
+@@ -180,8 +180,8 @@ acl_smtp_data = acl_check_data
+ # them you should also allow TLS-on-connect on the traditional but
+ # non-standard port 465.
+ 
+-# daemon_smtp_ports = 25 : 465 : 587
+-# tls_on_connect_ports = 465
++daemon_smtp_ports = 25 : 465 : 587
++tls_on_connect_ports = 465
+ 
+ 
+ # Specify the domain you want to be added to all unqualified addresses
+@@ -238,6 +238,24 @@
  
  timeout_frozen_after = 7d
  
-+# This option, if uncommented, allows Exim to listen on ports other than
-+# just the default port 25. For example, you may wish Exim to sldo listen
-+# on the 'message submission' port 587 for roaming clients which cannot
-+# use port 25 directly from their current location. (cf. RFC 2476).
-+#
-+# daemon_smtp_ports = smtp : msa
-+
-+# This option instructs Exim to advertise the availability of encrypted
-+# connections to all hosts, and uses the certificate which is automatically
-+# generated when the RPM is installed. You can disable TLS, should you need
-+# to do so, by commenting out the three lines below.
-+
-+tls_advertise_hosts = *
-+tls_certificate = /etc/pki/tls/certs/exim.pem
-+tls_privatekey = /etc/pki/tls/private/exim.pem
-+
 +# This setting, if uncommented, allows users to authenticate using
 +# their system passwords against saslauthd if they connect over a
 +# secure connection. If you have network logins such as NIS or
@@ -41,23 +56,21 @@
  
  
  ######################################################################
-@@ -657,6 +691,19 @@
+@@ -850,7 +837,7 @@ begin authenticators
+ #  driver                     = plaintext
+ #  server_set_id              = $auth2
+ #  server_prompts             = :
+-#  server_condition           = Authentication is not yet configured
++#  server_condition           = ${if saslauthd{{$2}{$3}{smtp}} {1}}
+ #  server_advertise_condition = ${if def:tls_cipher }
  
- begin authenticators
- 
-+plain:
-+   driver = plaintext
-+   public_name = PLAIN
-+   server_prompts = :
-+   server_condition = "${if saslauthd{{$2}{$3}{smtp}} {1}}"
-+   server_set_id = $2
-+
-+login:
-+   driver = plaintext
-+   public_name = LOGIN
-+   server_prompts = "Username:: : Password::"
-+   server_condition = "${if saslauthd{{$1}{$2}{smtp}} {1}}"
-+   server_set_id = $1
+ # LOGIN authentication has traditional prompts and responses. There is no
+@@ -862,7 +849,7 @@ begin authenticators
+ #  driver                     = plaintext
+ #  server_set_id              = $auth1
+ #  server_prompts             = <| Username: | Password:
+-#  server_condition           = Authentication is not yet configured
++#  server_condition           = ${if saslauthd{{$1}{$2}{smtp}} {1}}
+ #  server_advertise_condition = ${if def:tls_cipher }
  
  
- ######################################################################

exim-4.50-spamdconf.patch

@@ -1,86 +1,102 @@
 --- exim-4.50/src/configure.default.orig	2005-02-22 19:49:15.000000000 +0000
 +++ exim-4.50/src/configure.default	2005-02-22 19:46:55.000000000 +0000
-@@ -108,6 +108,26 @@
+@@ -108,6 +108,7 @@
+ 
+ acl_smtp_rcpt = acl_check_rcpt
+ acl_smtp_data = acl_check_data
++acl_smtp_mime = acl_check_mime
  
  # You should not change that setting until you understand how ACLs work.
  
-+# The following ACL entries are used if you want to do content scanning with
-+# the exiscan-acl patch. When you uncomment one of these lines, you must also
-+# review the respective entries in the ACL section further below.
-+
-+# acl_smtp_mime = acl_check_mime
-+# acl_smtp_data = acl_check_content
-+
-+# This configuration variable defines the virus scanner that is used with
-+# the 'malware' ACL condition of the exiscan acl-patch. If you do not use
-+# virus scanning, leave it commented. Please read doc/exiscan-acl-readme.txt
-+# for a list of supported scanners.
-+
-+# av_scanner = sophie:/var/run/sophie
-+
-+# The following setting is only needed if you use the 'spam' ACL condition
-+# of the exiscan-acl patch. It specifies on which host and port the SpamAssassin
-+# "spamd" daemon is listening. If you do not use this condition, or you use
-+# the default of "127.0.0.1 783", you can omit this option.
-+
-+# spamd_address = 127.0.0.1 783
+@@ -120,7 +120,7 @@ acl_smtp_mime = acl_check_mime
+ # of what to set for other virus scanners. The second modification is in the
+ # acl_check_data access control list (see below).
  
- # Specify the domain you want to be added to all unqualified addresses
- # here. An unqualified address is one that does not contain an "@" character
-@@ -376,6 +396,56 @@
-   deny    message       = relay not permitted
+-# av_scanner = clamd:/tmp/clamd
++av_scanner = clamd:/var/run/clamd.exim/clamd.sock
  
  
-+# These access control lists are used for content scanning with the exiscan-acl
-+# patch. You must also uncomment the entries for acl_smtp_data and acl_smtp_mime
-+# (scroll up), otherwise the ACLs will not be used. IMPORTANT: the default entries here
-+# should be treated as EXAMPLES. You MUST read the file doc/exiscan-acl-spec.txt
-+# to fully understand what you are doing ...
+ # For spam scanning, there is a similar option that defines the interface to
+@@ -365,7 +365,8 @@ acl_check_rcpt:
+   accept  local_parts   = postmaster
+           domains       = +local_domains
+ 
+-  # Deny unless the sender address can be verified.
++  # Deny unless the sender address can be routed. For proper verification of the
++  # address, read the documentation on callouts and add the /callout modifier.
+ 
+   require verify        = sender
+ 
+@@ -455,26 +456,62 @@ acl_check_rcpt:
+ 
+ acl_check_data:
+ 
++  # Put simple tests first. A good one is to check for the presence of a
++  # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
++  # or misconfigured mailer software occasionally omits this from genuine
++  # messages too, though -- although it's not hard for the offender to fix
++  # after they receive a bounce because of it.
++  #
++  # deny    condition  = ${if !def:h_Message-ID: {1}}
++  #         message    = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
++  #                      Most messages without it are spam, so your mail has been rejected.
++
+   # Deny if the message contains a virus. Before enabling this check, you
+   # must install a virus scanner and set the av_scanner option above.
+   #
+   # deny    malware    = *
+   #         message    = This message contains a virus ($malware_name).
+ 
+-  # Add headers to a message if it is judged to be spam. Before enabling this,
+-  # you must install SpamAssassin. You may also need to set the spamd_address
+-  # option above.
+-  #
+-  # warn    spam       = nobody
+-  #         add_header = X-Spam_score: $spam_score\n\
+-  #                      X-Spam_score_int: $spam_score_int\n\
+-  #                      X-Spam_bar: $spam_bar\n\
+-  #                      X-Spam_report: $spam_report
++  # Bypass SpamAssassin checks if the message is too large.
++  #
++  # accept  condition  = ${if >={$message_size}{100000} {1}}
++  #         add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
+ 
+-  # Accept the message.
++  # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
++  # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
++  # score exceeds the SA system threshold.
++  #
++  # warn    spam       = nobody/defer_ok
++  #         add_header = X-Spam-Flag: YES
++  #
++  # accept  condition  = ${if !def:spam_score_int {1}}
++  #         add_header = X-Spam-Note: SpamAssassin invocation failed
++  #
++  
++  # Unconditionally add score and report headers
++  #
++  # warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
++  #                      X-Spam-Report: $spam_report
++
++  # And reject if the SpamAssassin score is greater than ten
++  #
++  # deny    condition = ${if >{$spam_score_int}{100} {1}}
++  #         message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
++  #  	    	        $spam_report
+ 
+   accept
+ 
 +
 +acl_check_mime:
 +
-+  # Decode MIME parts to disk. This will support virus scanners later.
-+  warn decode = default
-+
 +  # File extension filtering.
 +  deny message = Blacklisted file extension detected
 +       condition = ${if match \
 +                        {${lc:$mime_filename}} \
 +                        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
 +                     {1}{0}}
-+  
-+#  # Reject messages that carry chinese character sets.
-+#  # WARNING: This is an EXAMPLE.
-+#  deny message = Sorry, noone speaks chinese here
-+#       condition = ${if eq{$mime_charset}{gb2312}{1}{0}}
 +
 +  accept
-+
-+acl_check_content:
-+
-+  # Reject virus infested messages.
-+  deny  message = This message contains malware ($malware_name)
-+        malware = *
-+
-+  # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings
-+  # (user "nobody"), no matter if over threshold or not.
-+  warn  message = X-Spam-Score: $spam_score ($spam_bar)
-+        spam = nobody:true
-+  warn  message = X-Spam-Report: $spam_report
-+        spam = nobody:true
-+
-+  # Add X-Spam-Flag if spam is over system-wide threshold
-+  warn message = X-Spam-Flag: YES
-+       spam = nobody
-+
-+  # Reject spam messages with score over 10, using an extra condition.
-+  deny  message = This message scored $spam_score points. Congratulations!
-+        spam = nobody:true
-+        condition = ${if >{$spam_score_int}{100}{1}{0}}
-+
-+  # finally accept all the rest
-+  accept
-+  
  
  ######################################################################
  #                      ROUTERS CONFIGURATION                         #

exim-4.63-allow-filter.patch

@@ -0,0 +1,11 @@
+--- exim-4.63/src/configure.default~	2006-09-03 15:02:28.000000000 -0700
++++ exim-4.63/src/configure.default	2006-09-03 15:46:53.000000000 -0700
+@@ -672,7 +672,7 @@ userforward:
+ # local_part_suffix = +* : -*
+ # local_part_suffix_optional
+   file = $home/.forward
+-# allow_filter
++  allow_filter
+   no_verify
+   no_expn
+   check_ancestor

exim-4.63-localhost-is-local.patch

@@ -0,0 +1,11 @@
+--- exim-4.63/src/configure.default~	2006-09-03 19:31:28.000000000 -0700
++++ exim-4.63/src/configure.default	2006-09-03 19:37:42.000000000 -0700
+@@ -56,7 +56,7 @@
+ # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
+ # are all colon-separated lists:
+ 
+-domainlist local_domains = @
++domainlist local_domains = @ : localhost : localhost.localdomain
+ domainlist relay_to_domains =
+ hostlist   relay_from_hosts = 127.0.0.1
+ 

exim-4.63-procmail.patch

@@ -0,0 +1,32 @@
+--- exim-4.63/src/configure.default~	2006-09-03 15:02:28.000000000 -0700
++++ exim-4.63/src/configure.default	2006-09-03 15:46:53.000000000 -0700
+@@ -680,6 +680,12 @@ userforward:
+   pipe_transport = address_pipe
+   reply_transport = address_reply
+ 
++procmail:
++  driver = accept
++  check_local_user
++  require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
++  transport = procmail
++  no_verify
+ 
+ # This router matches local user mailboxes. If the router fails, the error
+ # message is "Unknown user".
+@@ -717,6 +723,16 @@ begin transports
+ remote_smtp:
+   driver = smtp
+ 
++# This transport invokes procmail to deliver mail
++procmail:
++  driver = pipe
++  command = "/usr/bin/procmail -d $local_part"
++  return_path_add
++  delivery_date_add
++  envelope_to_add
++  user = $local_part
++  initgroups
++  return_output
+ 
+ # This transport is used for local delivery to user mailboxes in traditional
+ # BSD mailbox format. By default it will be run under the uid and gid of the

exim.spec

@@ -1,11 +1,18 @@
 # SA-Exim has long since been obsoleted by the proper built-in ACL support
 # from exiscan. Disable it for FC6 unless people scream.
-# %define buildsa 1
+%if 0%{?fedora} < 6
+%define buildsa 1
+%endif
+
+# Build clamav subpackage for FC5 and above.
+%if 0%{?fedora} >= 5
+%define buildclam 1
+%endif
 
 Summary: The exim mail transfer agent
 Name: exim
 Version: 4.63
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL
 Url: http://www.exim.org/
 Group: System Environment/Daemons
@@ -15,6 +22,9 @@ Provides: /usr/sbin/sendmail /usr/bin/mailq /usr/bin/rmail
 Requires(post): /sbin/chkconfig /sbin/service %{_sbindir}/alternatives
 Requires(preun): /sbin/chkconfig /sbin/service %{_sbindir}/alternatives
 Requires(pre): %{_sbindir}/groupadd, %{_sbindir}/useradd
+%if 0%{?buildclam}
+BuildRequires: clamav-devel
+%endif
 Source: ftp://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2
 Source2: exim.init
 Source3: exim.sysconfig
@@ -32,6 +42,9 @@ Patch14: exim-4.50-spamdconf.patch
 Patch15: exim-4.52-dynamic-pcre.patch
 Patch17: exim-4.61-ldap-deprecated.patch
 Patch18: exim-4.62-dlopen-localscan.patch
+Patch19: exim-4.63-procmail.patch
+Patch20: exim-4.63-allow-filter.patch
+Patch21: exim-4.63-localhost-is-local.patch
 
 Requires: /etc/aliases
 BuildRequires: db4-devel openssl-devel openldap-devel pam-devel
@@ -70,6 +83,31 @@ Requires: exim = %{version}-%{release}
 Allows running of SA on incoming mail and rejection at SMTP time as
 well as other nasty things like teergrubing.
 
+%package clamav
+Summary: Clam Antivirus scanner dæmon configuration for use with Exim
+Group: System Environment/Daemons
+Requires: clamav-server
+Obsoletes: clamav-exim <= 0.86.2
+Requires(post): /sbin/chkconfig /sbin/service
+Requires(preun): /sbin/chkconfig /sbin/service
+
+%description clamav
+This package contains configuration files which invoke a copy of the
+clamav dæmon for use with Exim. It can be activated by adding (or
+uncommenting)
+
+   av_scanner = clamd:%{_var}/run/clamd.exim/clamd.sock
+
+in your exim.conf, and using the 'malware' condition in the DATA ACL,
+as follows:
+
+   deny message = This message contains malware ($malware_name)
+      malware = *
+
+For further details of Exim content scanning, see chapter 40 of the Exim
+specification:
+http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch40.html#SECTscanvirus
+
 %prep
 %setup -q
 %if 0%{?buildsa}
@@ -87,6 +125,9 @@ cp exim_monitor/EDITME Local/eximon.conf
 %patch15 -p1 -b .pcre
 %patch17 -p1 -b .ldap
 %patch18 -p1 -b .dl
+%patch19 -p1 -b .procmail
+%patch20 -p1 -b .filter
+%patch21 -p1 -b .localhost
 
 %build
 %ifnarch s390 s390x
@@ -159,8 +200,8 @@ pod2man --center=EXIM --section=8 \
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
 install -m 644 %SOURCE3 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/exim
 
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d
-install %SOURCE2 $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/exim
+mkdir -p $RPM_BUILD_ROOT%{_initrddir}
+install %SOURCE2 $RPM_BUILD_ROOT%{_initrddir}/exim
 
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
 install -m 0644 %SOURCE4 $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/exim
@@ -179,12 +220,41 @@ mkdir -p $RPM_BUILD_ROOT/etc/pki/tls/{certs,private}
 touch $RPM_BUILD_ROOT/etc/pki/tls/{certs,private}/exim.pem
 chmod 600 $RPM_BUILD_ROOT/etc/pki/tls/{certs,private}/exim.pem
 
+%if 0%{?buildclam}
+# Munge the clamav init and config files from clamav-devel. This really ought
+# to be a subpackage of clamav, but this hack will have to do for now.
+function clamsubst() {
+	 sed -e "s!<SERVICE>!$3!g;s!<USER>!$4!g;""$5" %{_datadir}/clamav/template/"$1" >"$RPM_BUILD_ROOT$2"
+}
+
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/clamd.d
+clamsubst clamd.conf %{_sysconfdir}/clamd.d/exim.conf exim exim \
+       's!^##*\(\(LogFile\|LocalSocket\|PidFile\|User\)\s\|\(StreamSaveToDisk\|ScanMail\|LogTime\|ScanArchive\)$\)!\1!;s!^Example!#Example!;'
+
+clamsubst clamd.init %{_initrddir}/clamd.exim exim exim ''
+clamsubst clamd.logrotate %{_sysconfdir}/logrotate.d/clamd.exim exim exim ''
+cat <<EOF > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/clamd.exim
+CLAMD_CONFIG='%_sysconfdir/clamd.d/exim.conf'
+CLAMD_SOCKET=%{_var}/run/clamd.exim/clamd.sock
+EOF
+ln -sf clamd $RPM_BUILD_ROOT/usr/sbin/clamd.exim
+
+mkdir -p $RPM_BUILD_ROOT%{_var}/run/clamd.exim
+%endif
+
 
 %clean
 rm -rf $RPM_BUILD_ROOT
 
 %pre
 %{_sbindir}/useradd -d %{_var}/spool/exim -s /sbin/nologin -G mail -M -r -u 93 exim 2>/dev/null
+# Copy TLS certs from old location to new -- don't move them, because the
+# config file may be modified and may be pointing to the old location.
+if [ ! -f /etc/pki/tls/certs/exim.pem -a -f %{_datadir}/ssl/certs/exim.pem ] ; then
+   cp %{_datadir}/ssl/certs/exim.pem /etc/pki/tls/certs/exim.pem
+   cp %{_datadir}/ssl/private/exim.pem /etc/pki/tls/private/exim.pem
+fi
+
 exit 0
 
 %post
@@ -301,7 +371,35 @@ fi
 %doc sa-exim*/{ACKNOWLEDGEMENTS,INSTALL,LICENSE,TODO}
 %endif
 
+%if 0%{?buildclam}
+%post clamav
+/sbin/chkconfig --add clamd.exim
+
+%preun clamav
+test "$1" != 0 || %{_initrddir}/clamd.exim stop &>/dev/null || :
+test "$1" != 0 || /sbin/chkconfig --del clamd.exim
+
+%postun clamav
+test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null || :
+
+%files clamav
+%defattr(0644,root,root,-)
+%attr(0755,root,root)%{_sbindir}/clamd.exim
+%config %{_initrddir}/clamd.exim
+%config(noreplace) %verify(not mtime) %{_sysconfdir}/clamd.d/exim.conf
+%config(noreplace) %verify(not mtime) %{_sysconfdir}/sysconfig/clamd.exim
+%config(noreplace) %verify(not mtime) %{_sysconfdir}/logrotate.d/clamd.exim
+%attr(0750,exim,exim) %dir %{_var}/run/clamd.exim
+%endif
+
 %changelog
+* Sun Sep 3 2006 David Woodhouse <dwmw2@infradead.org> - 4.63-2
+- Add procmail router and transport (#146848)
+- Add localhost and localhost.localdomain as local domains (#198511)
+- Fix mispatched authenticators (#204591)
+- Other cleanups of config file and extra examples
+- Add exim-clamav subpackage
+
 * Sat Aug 26 2006 David Woodhouse <dwmw2@infradead.org> - 4.63-1
 - Update to 4.63
 - Disable sa-exim, but leave the dlopen patch in

needs.rebuild

@@ -1 +0,0 @@
-http://fedoraproject.org/wiki/Extras/Schedule/FC6MassRebuild