New version

Resolves: rhbz#1527710
Fixed buffer overflow in utility function
  Resolves: CVE-2018-6789
Updated and defuzzified patches
Dropped mariadb-macro-fix patch (not needed)
Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943,
  CVE-2017-16944 patches (all upstreamed)
Jaroslav Škarvada 2018-02-14 13:28:19 +01:00
parent 0b331bc81c
commit 892636a58d
20 changed files with 107 additions and 814 deletions

3
.gitignore vendored

@ -1,2 +1 @@
exim-*.tar.bz2 exim-*.tar.xz
/exim-4.89.tar.xz


@ -1,37 +0,0 @@
diff --git a/src/exim.c b/src/exim.c
index a6a1ea8..394bf84 100644
--- a/src/exim.c
+++ b/src/exim.c
@@ -3092,7 +3092,14 @@ for (i = 1; i < argc; i++)
/* -oMr: Received protocol */
- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
+ else if (Ustrcmp(argrest, "Mr") == 0)
+
+ if (received_protocol)
+ {
+ fprintf(stderr, "received_protocol is set already\n");
+ exit(EXIT_FAILURE);
+ }
+ else received_protocol = argv[++i];
/* -oMs: Set sender host name */
@@ -3188,7 +3195,15 @@ for (i = 1; i < argc; i++)
if (*argrest != 0)
{
- uschar *hn = Ustrchr(argrest, ':');
+ uschar *hn;
+
+ if (received_protocol)
+ {
+ fprintf(stderr, "received_protocol is set already\n");
+ exit(EXIT_FAILURE);
+ }
+
+ hn = Ustrchr(argrest, ':');
if (hn == NULL)
{
received_protocol = argrest;


@ -1,27 +0,0 @@
diff --git a/src/receive.c b/src/receive.c
index 7980c32..3246621 100644
--- a/src/receive.c
+++ b/src/receive.c
@@ -1772,8 +1772,8 @@ for (;;)
(and sometimes lunatic messages can have ones that are 100s of K long) we
call store_release() for strings that have been copied - if the string is at
the start of a block (and therefore the only thing in it, because we aren't
- doing any other gets), the block gets freed. We can only do this because we
- know there are no other calls to store_get() going on. */
+ doing any other gets), the block gets freed. We can only do this release if
+ there were no allocations since the once that we want to free. */
if (ptr >= header_size - 4)
{
@@ -1782,9 +1782,10 @@ for (;;)
header_size *= 2;
if (!store_extend(next->text, oldsize, header_size))
{
+ BOOL release_ok = store_last_get[store_pool] == next->text;
uschar *newtext = store_get(header_size);
memcpy(newtext, next->text, ptr);
- store_release(next->text);
+ if (release_ok) store_release(next->text);
next->text = newtext;
}
}


@ -1,41 +0,0 @@
diff --git a/src/receive.c b/src/receive.c
index 3246621..f19c8b9 100644
--- a/src/receive.c
+++ b/src/receive.c
@@ -1827,7 +1827,7 @@ for (;;)
prevent further reading), and break out of the loop, having freed the
empty header, and set next = NULL to indicate no data line. */
- if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+ if (ptr == 0 && ch == '.' && dot_ends)
{
ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
if (ch == '\r')
diff --git a/src/smtp_in.c b/src/smtp_in.c
index 1b45f84..0207540 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -4955,16 +4955,23 @@ while (done <= 0)
DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
(int)chunking_state, chunking_data_left);
+ /* push the current receive_* function on the "stack", and
+ replace them by bdat_getc(), which in turn will use the lwr_receive_*
+ functions to do the dirty work. */
lwr_receive_getc = receive_getc;
lwr_receive_ungetc = receive_ungetc;
+
receive_getc = bdat_getc;
receive_ungetc = bdat_ungetc;
+ dot_ends = FALSE;
+
goto DATA_BDAT;
}
case DATA_CMD:
HAD(SCH_DATA);
+ dot_ends = TRUE;
DATA_BDAT: /* Common code for DATA and BDAT */
if (!discarded && recipients_count <= 0)


@ -1,524 +0,0 @@
--- exim-4.89/src/exim.c.calloutsize 2017-03-04 16:21:35.000000000 -0500
+++ exim-4.89/src/exim.c 2017-08-16 15:52:41.424866990 -0400
@@ -2738,7 +2738,7 @@
/* -MCD: set the smtp_use_dsn flag; this indicates that the host
that exim is connected to supports the esmtp extension DSN */
- case 'D': smtp_peer_options |= PEER_OFFERED_DSN; break;
+ case 'D': smtp_peer_options |= OPTION_DSN; break;
/* -MCG: set the queue name, to a non-default value */
@@ -2748,12 +2748,12 @@
/* -MCK: the peer offered CHUNKING. Must precede -MC */
- case 'K': smtp_peer_options |= PEER_OFFERED_CHUNKING; break;
+ case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
/* -MCP: set the smtp_use_pipelining flag; this is useful only when
it preceded -MC (see above) */
- case 'P': smtp_peer_options |= PEER_OFFERED_PIPE; break;
+ case 'P': smtp_peer_options |= OPTION_PIPE; break;
/* -MCQ: pass on the pid of the queue-running process that started
this chain of deliveries and the fd of its synchronizing pipe; this
@@ -2768,14 +2768,14 @@
/* -MCS: set the smtp_use_size flag; this is useful only when it
precedes -MC (see above) */
- case 'S': smtp_peer_options |= PEER_OFFERED_SIZE; break;
+ case 'S': smtp_peer_options |= OPTION_SIZE; break;
#ifdef SUPPORT_TLS
/* -MCT: set the tls_offered flag; this is useful only when it
precedes -MC (see above). The flag indicates that the host to which
Exim is connected has offered TLS support. */
- case 'T': smtp_peer_options |= PEER_OFFERED_TLS; break;
+ case 'T': smtp_peer_options |= OPTION_TLS; break;
#endif
default: badarg = TRUE; break;
--- exim-4.89/src/macros.h.calloutsize 2017-03-04 16:21:35.000000000 -0500
+++ exim-4.89/src/macros.h 2017-08-16 15:38:52.876969094 -0400
@@ -959,14 +959,14 @@
/* Codes for ESMTP facilities offered by peer */
-#define PEER_OFFERED_TLS BIT(0)
-#define PEER_OFFERED_IGNQ BIT(1)
-#define PEER_OFFERED_PRDR BIT(2)
-#define PEER_OFFERED_UTF8 BIT(3)
-#define PEER_OFFERED_DSN BIT(4)
-#define PEER_OFFERED_PIPE BIT(5)
-#define PEER_OFFERED_SIZE BIT(6)
-#define PEER_OFFERED_CHUNKING BIT(7)
+#define OPTION_TLS BIT(0)
+#define OPTION_IGNQ BIT(1)
+#define OPTION_PRDR BIT(2)
+#define OPTION_UTF8 BIT(3)
+#define OPTION_DSN BIT(4)
+#define OPTION_PIPE BIT(5)
+#define OPTION_SIZE BIT(6)
+#define OPTION_CHUNKING BIT(7)
/* Argument for *_getc */
--- exim-4.89/src/transport.c.calloutsize 2017-08-16 15:38:52.876969094 -0400
+++ exim-4.89/src/transport.c 2017-08-16 15:55:23.681414193 -0400
@@ -1976,13 +1976,12 @@
argv = CUSS child_exec_exim(CEE_RETURN_ARGV, TRUE, &i, FALSE, 0);
if (smtp_authenticated) argv[i++] = US"-MCA";
-
- if (smtp_peer_options & PEER_OFFERED_CHUNKING) argv[i++] = US"-MCK";
- if (smtp_peer_options & PEER_OFFERED_DSN) argv[i++] = US"-MCD";
- if (smtp_peer_options & PEER_OFFERED_PIPE) argv[i++] = US"-MCP";
- if (smtp_peer_options & PEER_OFFERED_SIZE) argv[i++] = US"-MCS";
+ if (smtp_peer_options & OPTION_CHUNKING) argv[i++] = US"-MCK";
+ if (smtp_peer_options & OPTION_DSN) argv[i++] = US"-MCD";
+ if (smtp_peer_options & OPTION_PIPE) argv[i++] = US"-MCP";
+ if (smtp_peer_options & OPTION_SIZE) argv[i++] = US"-MCS";
#ifdef SUPPORT_TLS
- if (smtp_peer_options & PEER_OFFERED_TLS) argv[i++] = US"-MCT";
+ if (smtp_peer_options & OPTION_TLS) argv[i++] = US"-MCT";
#endif
if (queue_run_pid != (pid_t)0)
--- exim-4.89/src/transports/smtp.c.calloutsize 2017-03-04 16:21:35.000000000 -0500
+++ exim-4.89/src/transports/smtp.c 2017-08-16 16:08:51.572126172 -0400
@@ -1291,44 +1291,44 @@
size_t bsize = Ustrlen(buf);
#ifdef SUPPORT_TLS
-if ( checks & PEER_OFFERED_TLS
+if ( checks & OPTION_TLS
&& pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_TLS;
+ checks &= ~OPTION_TLS;
#endif
-if ( checks & PEER_OFFERED_IGNQ
+if ( checks & OPTION_IGNQ
&& pcre_exec(regex_IGNOREQUOTA, NULL, CS buf, bsize, 0,
PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_IGNQ;
+ checks &= ~OPTION_IGNQ;
-if ( checks & PEER_OFFERED_CHUNKING
+if ( checks & OPTION_CHUNKING
&& pcre_exec(regex_CHUNKING, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_CHUNKING;
+ checks &= ~OPTION_CHUNKING;
#ifndef DISABLE_PRDR
-if ( checks & PEER_OFFERED_PRDR
+if ( checks & OPTION_PRDR
&& pcre_exec(regex_PRDR, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_PRDR;
+ checks &= ~OPTION_PRDR;
#endif
#ifdef SUPPORT_I18N
-if ( checks & PEER_OFFERED_UTF8
+if ( checks & OPTION_UTF8
&& pcre_exec(regex_UTF8, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_UTF8;
+ checks &= ~OPTION_UTF8;
#endif
-if ( checks & PEER_OFFERED_DSN
+if ( checks & OPTION_DSN
&& pcre_exec(regex_DSN, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_DSN;
+ checks &= ~OPTION_DSN;
-if ( checks & PEER_OFFERED_PIPE
+if ( checks & OPTION_PIPE
&& pcre_exec(regex_PIPELINING, NULL, CS buf, bsize, 0,
PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_PIPE;
+ checks &= ~OPTION_PIPE;
-if ( checks & PEER_OFFERED_SIZE
+if ( checks & OPTION_SIZE
&& pcre_exec(regex_SIZE, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
- checks &= ~PEER_OFFERED_SIZE;
+ checks &= ~OPTION_SIZE;
return checks;
}
@@ -1479,6 +1479,7 @@
if ((sx->max_rcpt = sx->tblock->max_addresses) == 0) sx->max_rcpt = 999999;
sx->peer_offered = 0;
+sx->avoid_option = 0;
sx->igquotstr = US"";
if (!sx->helo_data) sx->helo_data = sx->ob->helo_data;
#ifdef EXPERIMENTAL_DSN_INFO
@@ -1715,7 +1716,7 @@
#ifdef SUPPORT_TLS
if (sx->smtps)
{
- smtp_peer_options |= PEER_OFFERED_TLS;
+ smtp_peer_options |= OPTION_TLS;
suppress_tls = FALSE;
sx->ob->tls_tempfail_tryclear = FALSE;
smtp_command = US"SSL-on-connect";
@@ -1780,18 +1781,18 @@
}
}
- sx->peer_offered = smtp_peer_options = 0;
+ sx->avoid_option = sx->peer_offered = smtp_peer_options = 0;
if (sx->esmtp || sx->lmtp)
{
sx->peer_offered = ehlo_response(sx->buffer,
- PEER_OFFERED_TLS /* others checked later */
+ OPTION_TLS /* others checked later */
);
/* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
#ifdef SUPPORT_TLS
- smtp_peer_options |= sx->peer_offered & PEER_OFFERED_TLS;
+ smtp_peer_options |= sx->peer_offered & OPTION_TLS;
#endif
}
}
@@ -1825,7 +1826,7 @@
for error analysis. */
#ifdef SUPPORT_TLS
-if ( smtp_peer_options & PEER_OFFERED_TLS
+if ( smtp_peer_options & OPTION_TLS
&& !suppress_tls
&& verify_check_given_host(&sx->ob->hosts_avoid_tls, sx->host) != OK
&& ( !sx->verify
@@ -1970,7 +1971,7 @@
{
errno = ERRNO_TLSREQUIRED;
message = string_sprintf("a TLS session is required, but %s",
- smtp_peer_options & PEER_OFFERED_TLS
+ smtp_peer_options & OPTION_TLS
? "an attempt to start TLS failed" : "the server did not offer TLS support");
goto TLS_FAILED;
}
@@ -1991,60 +1992,60 @@
{
sx->peer_offered = ehlo_response(sx->buffer,
0 /* no TLS */
- | (sx->lmtp && sx->ob->lmtp_ignore_quota ? PEER_OFFERED_IGNQ : 0)
- | PEER_OFFERED_CHUNKING
- | PEER_OFFERED_PRDR
+ | (sx->lmtp && sx->ob->lmtp_ignore_quota ? OPTION_IGNQ : 0)
+ | OPTION_CHUNKING
+ | OPTION_PRDR
#ifdef SUPPORT_I18N
- | (sx->addrlist->prop.utf8_msg ? PEER_OFFERED_UTF8 : 0)
+ | (sx->addrlist->prop.utf8_msg ? OPTION_UTF8 : 0)
/*XXX if we hand peercaps on to continued-conn processes,
must not depend on this addr */
#endif
- | PEER_OFFERED_DSN
- | PEER_OFFERED_PIPE
- | (sx->ob->size_addition >= 0 ? PEER_OFFERED_SIZE : 0)
+ | OPTION_DSN
+ | OPTION_PIPE
+ | (sx->ob->size_addition >= 0 ? OPTION_SIZE : 0)
);
/* Set for IGNOREQUOTA if the response to LHLO specifies support and the
lmtp_ignore_quota option was set. */
- sx->igquotstr = sx->peer_offered & PEER_OFFERED_IGNQ ? US" IGNOREQUOTA" : US"";
+ sx->igquotstr = sx->peer_offered & OPTION_IGNQ ? US" IGNOREQUOTA" : US"";
/* If the response to EHLO specified support for the SIZE parameter, note
this, provided size_addition is non-negative. */
- smtp_peer_options |= sx->peer_offered & PEER_OFFERED_SIZE;
+ smtp_peer_options |= sx->peer_offered & OPTION_SIZE;
/* Note whether the server supports PIPELINING. If hosts_avoid_esmtp matched
the current host, esmtp will be false, so PIPELINING can never be used. If
the current host matches hosts_avoid_pipelining, don't do it. */
- if ( sx->peer_offered & PEER_OFFERED_PIPE
+ if ( sx->peer_offered & OPTION_PIPE
&& verify_check_given_host(&sx->ob->hosts_avoid_pipelining, sx->host) != OK)
- smtp_peer_options |= PEER_OFFERED_PIPE;
+ smtp_peer_options |= OPTION_PIPE;
DEBUG(D_transport) debug_printf("%susing PIPELINING\n",
- smtp_peer_options & PEER_OFFERED_PIPE ? "" : "not ");
+ smtp_peer_options & OPTION_PIPE ? "" : "not ");
- if ( sx->peer_offered & PEER_OFFERED_CHUNKING
+ if ( sx->peer_offered & OPTION_CHUNKING
&& verify_check_given_host(&sx->ob->hosts_try_chunking, sx->host) != OK)
- sx->peer_offered &= ~PEER_OFFERED_CHUNKING;
+ sx->peer_offered &= ~OPTION_CHUNKING;
- if (sx->peer_offered & PEER_OFFERED_CHUNKING)
+ if (sx->peer_offered & OPTION_CHUNKING)
{DEBUG(D_transport) debug_printf("CHUNKING usable\n");}
#ifndef DISABLE_PRDR
- if ( sx->peer_offered & PEER_OFFERED_PRDR
+ if ( sx->peer_offered & OPTION_PRDR
&& verify_check_given_host(&sx->ob->hosts_try_prdr, sx->host) != OK)
- sx->peer_offered &= ~PEER_OFFERED_PRDR;
+ sx->peer_offered &= ~OPTION_PRDR;
- if (sx->peer_offered & PEER_OFFERED_PRDR)
+ if (sx->peer_offered & OPTION_PRDR)
{DEBUG(D_transport) debug_printf("PRDR usable\n");}
#endif
/* Note if the server supports DSN */
- smtp_peer_options |= sx->peer_offered & PEER_OFFERED_DSN;
+ smtp_peer_options |= sx->peer_offered & OPTION_DSN;
DEBUG(D_transport) debug_printf("%susing DSN\n",
- sx->peer_offered & PEER_OFFERED_DSN ? "" : "not ");
+ sx->peer_offered & OPTION_DSN ? "" : "not ");
/* Note if the response to EHLO specifies support for the AUTH extension.
If it has, check that this host is one we want to authenticate to, and do
@@ -2061,7 +2062,7 @@
}
}
}
-pipelining_active = !!(smtp_peer_options & PEER_OFFERED_PIPE);
+pipelining_active = !!(smtp_peer_options & OPTION_PIPE);
/* The setting up of the SMTP call is now complete. Any subsequent errors are
message-specific. */
@@ -2079,7 +2080,7 @@
}
/* If this is an international message we need the host to speak SMTPUTF8 */
-if (sx->utf8_needed && !(sx->peer_offered & PEER_OFFERED_UTF8))
+if (sx->utf8_needed && !(sx->peer_offered & OPTION_UTF8))
{
errno = ERRNO_UTF8_FWD;
goto RESPONSE_FAILED;
@@ -2202,14 +2203,15 @@
*p = 0;
-/* If we know the receiving MTA supports the SIZE qualification,
+/* If we know the receiving MTA supports the SIZE qualification, and we know it,
send it, adding something to the message size to allow for imprecision
and things that get added en route. Exim keeps the number of lines
in a message, so we can give an accurate value for the original message, but we
need some additional to handle added headers. (Double "." characters don't get
included in the count.) */
-if (sx->peer_offered & PEER_OFFERED_SIZE)
+if ( message_size > 0
+ && sx->peer_offered & OPTION_SIZE && !(sx->avoid_option & OPTION_SIZE))
{
sprintf(CS p, " SIZE=%d", message_size+message_linecount+sx->ob->size_addition);
while (*p) p++;
@@ -2220,7 +2222,7 @@
request that */
sx->prdr_active = FALSE;
-if (sx->peer_offered & PEER_OFFERED_PRDR)
+if (sx->peer_offered & OPTION_PRDR)
for (addr = addrlist; addr; addr = addr->next)
if (addr->transport_return == PENDING_DEFER)
{
@@ -2239,7 +2241,7 @@
/* If it supports internationalised messages, and this meesage need that,
request it */
-if ( sx->peer_offered & PEER_OFFERED_UTF8
+if ( sx->peer_offered & OPTION_UTF8
&& addrlist->prop.utf8_msg
&& !addrlist->prop.utf8_downcvt
)
@@ -2261,7 +2263,7 @@
/* Add any DSN flags to the mail command */
-if (sx->peer_offered & PEER_OFFERED_DSN && !sx->dsn_all_lasthop)
+if (sx->peer_offered & OPTION_DSN && !sx->dsn_all_lasthop)
{
if (dsn_ret == dsn_ret_hdrs)
{ Ustrcpy(p, " RET=HDRS"); p += 9; }
@@ -2297,7 +2299,7 @@
/* Add any DSN flags to the rcpt command */
-if (sx->peer_offered & PEER_OFFERED_DSN && !(addr->dsn_flags & rf_dsnlasthop))
+if (sx->peer_offered & OPTION_DSN && !(addr->dsn_flags & rf_dsnlasthop))
{
if (addr->dsn_flags & rf_dsnflags)
{
@@ -2367,7 +2369,7 @@
the delivery log line. */
if ( sx->addrlist->prop.utf8_msg
- && (sx->addrlist->prop.utf8_downcvt || !(sx->peer_offered & PEER_OFFERED_UTF8))
+ && (sx->addrlist->prop.utf8_downcvt || !(sx->peer_offered & OPTION_UTF8))
)
{
if (s = string_address_utf8_to_alabel(s, &errstr), errstr)
@@ -2431,7 +2433,7 @@
BOOL no_flush;
uschar * rcpt_addr;
- addr->dsn_aware = sx->peer_offered & PEER_OFFERED_DSN
+ addr->dsn_aware = sx->peer_offered & OPTION_DSN
? dsn_support_yes : dsn_support_no;
address_count++;
@@ -2594,10 +2596,10 @@
if ( transport_filter_argv
&& *transport_filter_argv
&& **transport_filter_argv
- && sx.peer_offered & PEER_OFFERED_CHUNKING
+ && sx.peer_offered & OPTION_CHUNKING
)
{
- sx.peer_offered &= ~PEER_OFFERED_CHUNKING;
+ sx.peer_offered &= ~OPTION_CHUNKING;
DEBUG(D_transport) debug_printf("CHUNKING not usable due to transport filter\n");
}
}
@@ -2656,7 +2658,7 @@
If using CHUNKING, do not send a BDAT until we know how big a chunk we want
to send is. */
-if ( !(sx.peer_offered & PEER_OFFERED_CHUNKING)
+if ( !(sx.peer_offered & OPTION_CHUNKING)
&& (sx.ok || (pipelining_active && !mua_wrapper)))
{
int count = smtp_write_command(&sx.outblock, FALSE, "DATA\r\n");
@@ -2686,7 +2688,7 @@
well as body. Set the appropriate timeout value to be used for each chunk.
(Haven't been able to make it work using select() for writing yet.) */
-if (!(sx.peer_offered & PEER_OFFERED_CHUNKING) && !sx.ok)
+if (!(sx.peer_offered & OPTION_CHUNKING) && !sx.ok)
{
/* Save the first address of the next batch. */
sx.first_addr = sx.next_addr;
@@ -2712,7 +2714,7 @@
of responses. The callback needs a whole bunch of state so set up
a transport-context structure to be passed around. */
- if (sx.peer_offered & PEER_OFFERED_CHUNKING)
+ if (sx.peer_offered & OPTION_CHUNKING)
{
tctx.check_string = tctx.escape_string = NULL;
tctx.options |= topt_use_bdat;
@@ -2737,7 +2739,7 @@
transport_write_timeout = sx.ob->data_timeout;
smtp_command = US"sending data block"; /* For error messages */
DEBUG(D_transport|D_v)
- if (sx.peer_offered & PEER_OFFERED_CHUNKING)
+ if (sx.peer_offered & OPTION_CHUNKING)
debug_printf(" will write message using CHUNKING\n");
else
debug_printf(" SMTP>> writing message and terminating \".\"\n");
@@ -2771,7 +2773,7 @@
smtp_command = US"end of data";
- if (sx.peer_offered & PEER_OFFERED_CHUNKING && sx.cmd_count > 1)
+ if (sx.peer_offered & OPTION_CHUNKING && sx.cmd_count > 1)
{
/* Reap any outstanding MAIL & RCPT commands, but not a DATA-go-ahead */
switch(sync_responses(&sx, sx.cmd_count-1, 0))
@@ -2926,7 +2928,7 @@
#ifndef DISABLE_PRDR
if (sx.prdr_active) addr->flags |= af_prdr_used;
#endif
- if (sx.peer_offered & PEER_OFFERED_CHUNKING) addr->flags |= af_chunking_used;
+ if (sx.peer_offered & OPTION_CHUNKING) addr->flags |= af_chunking_used;
flag = '-';
#ifndef DISABLE_PRDR
--- exim-4.89/src/transports/smtp.h.calloutsize 2017-03-04 16:21:35.000000000 -0500
+++ exim-4.89/src/transports/smtp.h 2017-08-16 15:38:52.877969104 -0400
@@ -127,6 +127,7 @@
int cmd_count;
uschar peer_offered;
+ uschar avoid_option;
uschar * igquotstr;
uschar * helo_data;
#ifdef EXPERIMENTAL_DSN_INFO
--- exim-4.89/src/verify.c.calloutsize 2017-03-04 16:21:35.000000000 -0500
+++ exim-4.89/src/verify.c 2017-08-16 15:51:37.913261370 -0400
@@ -779,8 +779,12 @@
postmaster-verify.
The sync_responses() would need to be taught about it and we'd
need another return code filtering out to here.
+
+ Avoid using a SIZE option on the MAIL for all randon-rcpt checks.
*/
+ sx.avoid_option = OPTION_SIZE;
+
/* Remember when we last did a random test */
new_domain_record.random_stamp = time(NULL);
@@ -790,8 +794,9 @@
case PENDING_OK:
new_domain_record.random_result = ccache_accept;
break;
- case FAIL:
+ case FAIL: /* the preferred result */
new_domain_record.random_result = ccache_reject;
+ sx.avoid_option = 0;
/* Between each check, issue RSET, because some servers accept only
one recipient after MAIL FROM:<>.
@@ -836,12 +841,14 @@
else
done = TRUE;
- /* Main verify. If the host is accepting all local parts, as determined
- by the "random" check, we don't need to waste time doing any further
- checking. */
+ /* Main verify. For rcpt-verify use SIZE if we know it and we're not cacheing;
+ for sndr-verify never use it. */
if (done)
{
+ if (!(options & vopt_is_recipient && options & vopt_callout_no_cache))
+ sx.avoid_option = OPTION_SIZE;
+
done = FALSE;
switch(smtp_write_mail_and_rcpt_cmds(&sx, &yield))
{
@@ -850,12 +857,12 @@
case PENDING_OK: done = TRUE;
new_address_record.result = ccache_accept;
break;
- case FAIL: done = TRUE;
+ case FAIL: done = TRUE;
yield = FAIL;
*failure_ptr = US"recipient";
new_address_record.result = ccache_reject;
break;
- default: break;
+ default: break;
}
break;
@@ -908,6 +915,7 @@
sx.ok = FALSE;
sx.send_rset = TRUE;
sx.completed_addr = FALSE;
+ sx.avoid_option = OPTION_SIZE;
if( smtp_write_mail_and_rcpt_cmds(&sx, &yield) == 0
&& addr->transport_return == PENDING_OK


@ -1,73 +0,0 @@
diff --git a/src/lookups/mysql.c b/src/lookups/mysql.c
index 5cf15af..b5133bc 100644
--- a/src/lookups/mysql.c
+++ b/src/lookups/mysql.c
@@ -14,6 +14,53 @@ functions. */
#include <mysql.h> /* The system header */
+/* We define symbols for *_VERSION_ID (numeric), *_VERSION_STR (char*)
+and *_BASE_STR (char*). It's a bit of guesswork. Especially for mariadb
+with versions before 10.2, as they do not define there there specific symbols.
+*/
+
+// Newer (>= 10.2) MariaDB
+#if defined MARIADB_VERSION_ID
+#define EXIM_MxSQL_VERSION_ID MARIADB_VERSION_ID
+
+// MySQL defines MYSQL_VERSION_ID, and MariaDB does so
+// https://dev.mysql.com/doc/refman/5.7/en/c-api-server-client-versions.html
+#elif defined LIBMYSQL_VERSION_ID
+#define EXIM_MxSQL_VERSION_ID LIBMYSQL_VERSION_ID
+#elif defined MYSQL_VERSION_ID
+#define EXIM_MxSQL_VERSION_ID MYSQL_VERSION_ID
+
+#else
+#define EXIM_MYSQL_VERSION_ID 0
+#endif
+
+// Newer (>= 10.2) MariaDB
+#ifdef MARIADB_CLIENT_VERSION_STR
+#define EXIM_MxSQL_VERSION_STR MARIADB_CLIENT_VERSION_STR
+
+// Mysql uses MYSQL_SERVER_VERSION
+#elif defined LIBMYSQL_VERSION
+#define EXIM_MxSQL_VERSION_STR LIBMYSQL_VERSION
+#elif defined MYSQL_SERVER_VERSION
+#define EXIM_MxSQL_VERSION_STR MYSQL_SERVER_VERSION
+
+#else
+#define EXIM_MxSQL_VERSION_STR "N.A."
+#endif
+
+#if defined MARIADB_BASE_VERSION
+#define EXIM_MxSQL_BASE_STR MARIADB_BASE_VERSION
+
+#elif defined MARIADB_PACKAGE_VERSION
+#define EXIM_MxSQL_BASE_STR "mariadb"
+
+#elif defined MYSQL_BASE_VERSION
+#define EXIM_MxSQL_BASE_STR MYSQL_BASE_VERSION
+
+#else
+#define EXIM_MxSQL_BASE_STR "n.A."
+#endif
+
/* Structure and anchor for caching connections. */
@@ -432,10 +479,10 @@ return quoted;
void
mysql_version_report(FILE *f)
{
-fprintf(f, "Library version: MySQL: Compile: %s [%s]\n"
- " Runtime: %s\n",
- MYSQL_SERVER_VERSION, MYSQL_COMPILATION_COMMENT,
- mysql_get_client_info());
+fprintf(f, "Library version: MySQL: Compile: %lu %s [%s]\n"
+ " Runtime: %lu %s\n",
+ (long)EXIM_MxSQL_VERSION_ID, EXIM_MxSQL_VERSION_STR, EXIM_MxSQL_BASE_STR,
+ mysql_get_client_version(), mysql_get_client_info());
#ifdef DYNLOOKUP
fprintf(f, " Exim version %s\n", EXIM_VERSION_STR);
#endif


@ -1,8 +1,8 @@
diff --git a/src/configure.default b/src/configure.default diff --git a/src/configure.default b/src/configure.default
index 1e3c63f..0e7854c 100644 index 2cce34b..50e9236 100644
--- a/src/configure.default --- a/src/configure.default
+++ b/src/configure.default +++ b/src/configure.default
@@ -724,7 +724,7 @@ userforward: @@ -727,7 +727,7 @@ userforward:
# local_part_suffix = +* : -* # local_part_suffix = +* : -*
# local_part_suffix_optional # local_part_suffix_optional
file = $home/.forward file = $home/.forward


@ -1,8 +1,8 @@
diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile
index 3e486a6..6c4afec 100755 index 2af1927..e461505 100755
--- a/scripts/Configure-Makefile --- a/scripts/Configure-Makefile
+++ b/scripts/Configure-Makefile +++ b/scripts/Configure-Makefile
@@ -269,7 +269,7 @@ if [ "${EXIM_PERL}" != "" ] ; then @@ -296,7 +296,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
mv $mft $mftt mv $mft $mftt
echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
@ -12,7 +12,7 @@ index 3e486a6..6c4afec 100755
echo "" >>$mft echo "" >>$mft
cat $mftt >> $mft cat $mftt >> $mft
diff --git a/src/EDITME b/src/EDITME diff --git a/src/EDITME b/src/EDITME
index df74aac..0caf02d 100644 index 72e26ce..0bd97f1 100644
--- a/src/EDITME --- a/src/EDITME
+++ b/src/EDITME +++ b/src/EDITME
@@ -98,7 +98,7 @@ @@ -98,7 +98,7 @@
@ -51,7 +51,7 @@ index df74aac..0caf02d 100644
# Many sites define a user called "exim", with an appropriate default group, # Many sites define a user called "exim", with an appropriate default group,
# and use # and use
@@ -232,7 +232,7 @@ TRANSPORT_SMTP=yes @@ -237,7 +237,7 @@ TRANSPORT_SMTP=yes
# This one is special-purpose, and commonly not required, so it is not # This one is special-purpose, and commonly not required, so it is not
# included by default. # included by default.
@ -60,7 +60,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
@@ -241,9 +241,9 @@ TRANSPORT_SMTP=yes @@ -246,9 +246,9 @@ TRANSPORT_SMTP=yes
# MBX, is included only when requested. If you do not know what this is about, # MBX, is included only when requested. If you do not know what this is about,
# leave these settings commented out. # leave these settings commented out.
@ -73,7 +73,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
@@ -301,19 +301,21 @@ LOOKUP_DBM=yes @@ -306,20 +306,22 @@ LOOKUP_DBM=yes
LOOKUP_LSEARCH=yes LOOKUP_LSEARCH=yes
LOOKUP_DNSDB=yes LOOKUP_DNSDB=yes
@ -84,6 +84,7 @@ index df74aac..0caf02d 100644
# LOOKUP_IBASE=yes # LOOKUP_IBASE=yes
-# LOOKUP_LDAP=yes -# LOOKUP_LDAP=yes
-# LOOKUP_MYSQL=yes -# LOOKUP_MYSQL=yes
-# LOOKUP_MYSQL_PC=mariadb
-# LOOKUP_NIS=yes -# LOOKUP_NIS=yes
-# LOOKUP_NISPLUS=yes -# LOOKUP_NISPLUS=yes
+LOOKUP_LDAP=yes +LOOKUP_LDAP=yes
@ -91,6 +92,7 @@ index df74aac..0caf02d 100644
+LOOKUP_INCLUDE=-I/usr/include/mysql +LOOKUP_INCLUDE=-I/usr/include/mysql
+LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq +LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq
+LOOKUP_MYSQL=yes +LOOKUP_MYSQL=yes
+LOOKUP_MYSQL_PC=mariadb
+LOOKUP_NIS=yes +LOOKUP_NIS=yes
+LOOKUP_NISPLUS=yes +LOOKUP_NISPLUS=yes
# LOOKUP_ORACLE=yes # LOOKUP_ORACLE=yes
@ -105,7 +107,7 @@ index df74aac..0caf02d 100644
# LOOKUP_WHOSON=yes # LOOKUP_WHOSON=yes
# These two settings are obsolete; all three lookups are compiled when # These two settings are obsolete; all three lookups are compiled when
@@ -390,7 +392,7 @@ EXIM_MONITOR=eximon.bin @@ -396,7 +398,7 @@ EXIM_MONITOR=eximon.bin
# and the MIME ACL. Please read the documentation to learn more about these # and the MIME ACL. Please read the documentation to learn more about these
# features. # features.
@ -114,7 +116,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# If you're using ClamAV and are backporting fixes to an old version, instead # If you're using ClamAV and are backporting fixes to an old version, instead
@@ -577,7 +579,7 @@ FIXED_NEVER_USERS=root @@ -584,7 +586,7 @@ FIXED_NEVER_USERS=root
# CONFIGURE_OWNER setting, to specify a configuration file which is listed in # CONFIGURE_OWNER setting, to specify a configuration file which is listed in
# the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
@ -123,7 +125,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
@@ -622,17 +624,14 @@ FIXED_NEVER_USERS=root @@ -629,17 +631,14 @@ FIXED_NEVER_USERS=root
# included in the Exim binary. You will then need to set up the run time # included in the Exim binary. You will then need to set up the run time
# configuration to make use of the mechanism(s) selected. # configuration to make use of the mechanism(s) selected.
@ -149,7 +151,7 @@ index df74aac..0caf02d 100644
# Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1 # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
# requires multiple pkg-config files to work with Exim, so the second example # requires multiple pkg-config files to work with Exim, so the second example
@@ -656,7 +655,7 @@ FIXED_NEVER_USERS=root @@ -663,7 +662,7 @@ FIXED_NEVER_USERS=root
# one that is set in the headers_charset option. The default setting is # one that is set in the headers_charset option. The default setting is
# defined by this setting: # defined by this setting:
@ -158,7 +160,7 @@ index df74aac..0caf02d 100644
# If you are going to make use of $header_xxx expansions in your configuration # If you are going to make use of $header_xxx expansions in your configuration
# file, or if your users are going to use them in filter files, and the normal # file, or if your users are going to use them in filter files, and the normal
@@ -676,7 +675,7 @@ HEADERS_CHARSET="ISO-8859-1" @@ -683,7 +682,7 @@ HEADERS_CHARSET="ISO-8859-1"
# the Sieve filter support. For those OS where iconv() is known to be installed # the Sieve filter support. For those OS where iconv() is known to be installed
# as standard, the file in OS/Makefile-xxxx contains # as standard, the file in OS/Makefile-xxxx contains
# #
@ -167,7 +169,7 @@ index df74aac..0caf02d 100644
# #
# If you are not using one of those systems, but have installed iconv(), you # If you are not using one of those systems, but have installed iconv(), you
# need to uncomment that line above. In some cases, you may find that iconv() # need to uncomment that line above. In some cases, you may find that iconv()
@@ -745,11 +744,11 @@ HEADERS_CHARSET="ISO-8859-1" @@ -752,11 +751,11 @@ HEADERS_CHARSET="ISO-8859-1"
# leave these settings commented out. # leave these settings commented out.
# This setting is required for any TLS support (either OpenSSL or GnuTLS) # This setting is required for any TLS support (either OpenSSL or GnuTLS)
@ -182,7 +184,7 @@ index df74aac..0caf02d 100644
# Uncomment the first and either the second or the third of these if you # Uncomment the first and either the second or the third of these if you
# are using GnuTLS. If you have pkg-config, then the second, else the third. # are using GnuTLS. If you have pkg-config, then the second, else the third.
@@ -818,7 +817,7 @@ HEADERS_CHARSET="ISO-8859-1" @@ -825,7 +824,7 @@ HEADERS_CHARSET="ISO-8859-1"
# Once you have done this, "make install" will build the info files and # Once you have done this, "make install" will build the info files and
# install them in the directory you have defined. # install them in the directory you have defined.
@ -191,7 +193,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
@@ -831,7 +830,7 @@ HEADERS_CHARSET="ISO-8859-1" @@ -838,7 +837,7 @@ HEADERS_CHARSET="ISO-8859-1"
# %s. This will be replaced by one of the strings "main", "panic", or "reject" # %s. This will be replaced by one of the strings "main", "panic", or "reject"
# to form the final file names. Some installations may want something like this: # to form the final file names. Some installations may want something like this:
@ -200,7 +202,7 @@ index df74aac..0caf02d 100644
# which results in files with names /var/log/exim_mainlog, etc. The directory # which results in files with names /var/log/exim_mainlog, etc. The directory
# in which the log files are placed must exist; Exim does not try to create # in which the log files are placed must exist; Exim does not try to create
@@ -903,7 +902,7 @@ ZCAT_COMMAND=/usr/bin/zcat @@ -910,7 +909,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
# Perl costs quite a lot of resources. Only do this if you really need it. # Perl costs quite a lot of resources. Only do this if you really need it.
@ -209,7 +211,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
@@ -913,7 +912,7 @@ ZCAT_COMMAND=/usr/bin/zcat @@ -920,7 +919,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# that the local_scan API is made available by the linker. You may also need # that the local_scan API is made available by the linker. You may also need
# to add -ldl to EXTRALIBS so that dlopen() is available to Exim. # to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
@ -218,7 +220,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
@@ -923,7 +922,7 @@ ZCAT_COMMAND=/usr/bin/zcat @@ -930,7 +929,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# support, which is intended for use in conjunction with the SMTP AUTH # support, which is intended for use in conjunction with the SMTP AUTH
# facilities, is included only when requested by the following setting: # facilities, is included only when requested by the following setting:
@ -227,7 +229,7 @@ index df74aac..0caf02d 100644
# You probably need to add -lpam to EXTRALIBS, and in some releases of # You probably need to add -lpam to EXTRALIBS, and in some releases of
# GNU/Linux -ldl is also needed. # GNU/Linux -ldl is also needed.
@@ -1021,7 +1020,7 @@ ZCAT_COMMAND=/usr/bin/zcat @@ -1028,7 +1027,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# group. Once you have installed saslauthd, you should arrange for it to be # group. Once you have installed saslauthd, you should arrange for it to be
# started by root at boot time. # started by root at boot time.
@ -236,20 +238,18 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
@@ -1034,9 +1033,9 @@ ZCAT_COMMAND=/usr/bin/zcat @@ -1042,8 +1041,8 @@ ZCAT_COMMAND=/usr/bin/zcat
# You may well also have to specify a local "include" file and an additional
# library for TCP wrappers, so you probably need something like this: # library for TCP wrappers, so you probably need something like this:
# #
-# USE_TCP_WRAPPERS=yes # USE_TCP_WRAPPERS=yes
-# CFLAGS=-O -I/usr/local/include -# CFLAGS=-O -I/usr/local/include
-# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap -# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
+USE_TCP_WRAPPERS=yes
+CFLAGS+=$(RPM_OPT_FLAGS) $(PIE) +CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)
+EXTRALIBS_EXIM=-lwrap -lpam -ldl -export-dynamic -rdynamic +EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic
# #
# but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
# as well. # as well.
@@ -1088,7 +1087,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases @@ -1095,7 +1094,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# is "yes", as well as supporting line editing, a history of input lines in the # is "yes", as well as supporting line editing, a history of input lines in the
# current run is maintained. # current run is maintained.
@ -258,7 +258,7 @@ index df74aac..0caf02d 100644
# You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
# Note that this option adds to the size of the Exim binary, because the # Note that this option adds to the size of the Exim binary, because the
@@ -1098,7 +1097,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases @@ -1112,7 +1111,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
# Uncomment this setting to include IPv6 support. # Uncomment this setting to include IPv6 support.
@ -267,7 +267,7 @@ index df74aac..0caf02d 100644
############################################################################### ###############################################################################
# THINGS YOU ALMOST NEVER NEED TO MENTION # # THINGS YOU ALMOST NEVER NEED TO MENTION #
@@ -1119,13 +1118,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases @@ -1133,13 +1132,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# haven't got Perl, Exim will still build and run; you just won't be able to # haven't got Perl, Exim will still build and run; you just won't be able to
# use those utilities. # use those utilities.
@ -288,7 +288,7 @@ index df74aac..0caf02d 100644
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
@@ -1327,7 +1326,7 @@ EXIM_TMPDIR="/tmp" @@ -1341,7 +1340,7 @@ EXIM_TMPDIR="/tmp"
# (process id) to a file so that it can easily be identified. The path of the # (process id) to a file so that it can easily be identified. The path of the
# file can be specified here. Some installations may want something like this: # file can be specified here. Some installations may want something like this:


@ -1,8 +1,8 @@
diff --git a/src/configure.default b/src/configure.default diff --git a/src/configure.default b/src/configure.default
index 8b6162b..d588898 100644 index 562d0be..1138335 100644
--- a/src/configure.default --- a/src/configure.default
+++ b/src/configure.default +++ b/src/configure.default
@@ -765,6 +765,16 @@ address_reply: @@ -768,6 +768,16 @@ address_reply:
driver = autoreply driver = autoreply


@ -1,8 +1,8 @@
diff --git a/src/EDITME b/src/EDITME diff --git a/src/EDITME b/src/EDITME
index 0caf02d..6957546 100644 index 0bd97f1..ce2b047 100644
--- a/src/EDITME --- a/src/EDITME
+++ b/src/EDITME +++ b/src/EDITME
@@ -802,6 +802,20 @@ TLS_LIBS=-lssl -lcrypto @@ -809,6 +809,20 @@ TLS_LIBS=-lssl -lcrypto
#------------------------------------------------------------------------------ #------------------------------------------------------------------------------
@ -24,10 +24,10 @@ index 0caf02d..6957546 100644
# documentation. Other forms are available separately. If you want to install # documentation. Other forms are available separately. If you want to install
# the documentation in "info" format, first fetch the Texinfo documentation # the documentation in "info" format, first fetch the Texinfo documentation
diff --git a/src/config.h.defaults b/src/config.h.defaults diff --git a/src/config.h.defaults b/src/config.h.defaults
index 58e1813..9b18f98 100644 index 4750523..e3943a8 100644
--- a/src/config.h.defaults --- a/src/config.h.defaults
+++ b/src/config.h.defaults +++ b/src/config.h.defaults
@@ -28,6 +28,8 @@ it's a default value. */ @@ -31,6 +31,8 @@ Do not put spaces between # and the 'define'.
#define AUTH_VARS 3 #define AUTH_VARS 3
@ -37,7 +37,7 @@ index 58e1813..9b18f98 100644
#define CONFIGURE_FILE #define CONFIGURE_FILE
diff --git a/src/globals.c b/src/globals.c diff --git a/src/globals.c b/src/globals.c
index 79ac37f..b7d690f 100644 index 5df84bd..74724fd 100644
--- a/src/globals.c --- a/src/globals.c
+++ b/src/globals.c +++ b/src/globals.c
@@ -167,6 +167,10 @@ uschar *tls_verify_hosts = NULL; @@ -167,6 +167,10 @@ uschar *tls_verify_hosts = NULL;
@ -52,7 +52,7 @@ index 79ac37f..b7d690f 100644
/* Per Recipient Data Response variables */ /* Per Recipient Data Response variables */
BOOL prdr_enable = FALSE; BOOL prdr_enable = FALSE;
diff --git a/src/globals.h b/src/globals.h diff --git a/src/globals.h b/src/globals.h
index 340f1ae..4b65781 100644 index 37d4cad..2b313e0 100644
--- a/src/globals.h --- a/src/globals.h
+++ b/src/globals.h +++ b/src/globals.h
@@ -126,6 +126,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */ @@ -126,6 +126,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */
@ -251,10 +251,10 @@ index 3500047..8599172 100644
+ +
/* End of local_scan.c */ /* End of local_scan.c */
diff --git a/src/readconf.c b/src/readconf.c diff --git a/src/readconf.c b/src/readconf.c
index 790f073..6e88bcd 100644 index 8d5f38c..73095be 100644
--- a/src/readconf.c --- a/src/readconf.c
+++ b/src/readconf.c +++ b/src/readconf.c
@@ -318,6 +318,9 @@ static optionlist optionlist_config[] = { @@ -195,6 +195,9 @@ static optionlist optionlist_config[] = {
{ "local_from_prefix", opt_stringptr, &local_from_prefix }, { "local_from_prefix", opt_stringptr, &local_from_prefix },
{ "local_from_suffix", opt_stringptr, &local_from_suffix }, { "local_from_suffix", opt_stringptr, &local_from_suffix },
{ "local_interfaces", opt_stringptr, &local_interfaces }, { "local_interfaces", opt_stringptr, &local_interfaces },


@ -1,8 +1,8 @@
diff --git a/src/EDITME b/src/EDITME diff --git a/src/EDITME b/src/EDITME
index df3dcc8..de01565 100644 index ce2b047..ad06440 100644
--- a/src/EDITME --- a/src/EDITME
+++ b/src/EDITME +++ b/src/EDITME
@@ -306,14 +306,16 @@ LOOKUP_DSEARCH=yes @@ -311,15 +311,17 @@ LOOKUP_DSEARCH=yes
# LOOKUP_IBASE=yes # LOOKUP_IBASE=yes
LOOKUP_LDAP=yes LOOKUP_LDAP=yes
LDAP_LIB_TYPE=OPENLDAP2 LDAP_LIB_TYPE=OPENLDAP2
@ -10,10 +10,11 @@ index df3dcc8..de01565 100644
-LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq -LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq
-LOOKUP_MYSQL=yes -LOOKUP_MYSQL=yes
+LOOKUP_LIBS=-lldap -llber -lsqlite3 +LOOKUP_LIBS=-lldap -llber -lsqlite3
+LOOKUP_MYSQL_INCLUDE=-I/usr/include/mysql +LOOKUP_INCLUDE=-I/usr/include/mysql
+LOOKUP_MYSQL_LIBS=-L/usr/${_lib}/mysql -lmysqlclient +LOOKUP_MYSQL_LIBS=-lmysqlclient
+LOOKUP_PGSQL_LIBS=-lpq +LOOKUP_PGSQL_LIBS=-lpq
+LOOKUP_MYSQL=2 +LOOKUP_MYSQL=2
LOOKUP_MYSQL_PC=mariadb
LOOKUP_NIS=yes LOOKUP_NIS=yes
LOOKUP_NISPLUS=yes LOOKUP_NISPLUS=yes
# LOOKUP_ORACLE=yes # LOOKUP_ORACLE=yes


@ -1,7 +1,8 @@
diff --git a/src/configure.default b/src/configure.default diff --git a/src/configure.default b/src/configure.default
index b955c6e..590c664 100644
--- a/src/configure.default --- a/src/configure.default
+++ b/src/configure.default +++ b/src/configure.default
@@ -357,8 +357,8 @@ timeout_frozen_after = 7d @@ -360,8 +360,8 @@ timeout_frozen_after = 7d
# Note that TZ is handled separately by the timezone runtime option # Note that TZ is handled separately by the timezone runtime option
# and TIMEZONE_DEFAULT buildtime option. # and TIMEZONE_DEFAULT buildtime option.


@ -1,5 +1,5 @@
diff --git a/src/configure.default b/src/configure.default diff --git a/src/configure.default b/src/configure.default
index 921c53b..a92c954 100644 index 72675be..30ffc8c 100644
--- a/src/configure.default --- a/src/configure.default
+++ b/src/configure.default +++ b/src/configure.default
@@ -107,6 +107,7 @@ hostlist relay_from_hosts = localhost @@ -107,6 +107,7 @@ hostlist relay_from_hosts = localhost
@ -10,7 +10,7 @@ index 921c53b..a92c954 100644
acl_smtp_rcpt = acl_check_rcpt acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime acl_smtp_mime = acl_check_mime
@@ -368,6 +369,29 @@ timeout_frozen_after = 7d @@ -371,6 +372,29 @@ timeout_frozen_after = 7d
begin acl begin acl
@ -40,7 +40,7 @@ index 921c53b..a92c954 100644
# This access control list is used for every RCPT command in an incoming # This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either # SMTP message. The tests are run in order until the address is either
# accepted or denied. # accepted or denied.
@@ -493,7 +517,8 @@ acl_check_rcpt: @@ -496,7 +520,8 @@ acl_check_rcpt:
# There are no default checks on DNS black lists because the domains that # There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two # contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this # examples of how you can get Exim to perform a DNS black list lookup at this
@ -50,7 +50,7 @@ index 921c53b..a92c954 100644
# #
# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
# dnslists = black.list.example # dnslists = black.list.example
@@ -501,6 +526,10 @@ acl_check_rcpt: @@ -504,6 +529,10 @@ acl_check_rcpt:
# warn dnslists = black.list.example # warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain # log_message = found in $dnslist_domain
@ -61,7 +61,7 @@ index 921c53b..a92c954 100644
############################################################################# #############################################################################
############################################################################# #############################################################################
@@ -514,6 +543,10 @@ acl_check_rcpt: @@ -517,6 +546,10 @@ acl_check_rcpt:
# require verify = csa # require verify = csa
############################################################################# #############################################################################
@ -72,7 +72,7 @@ index 921c53b..a92c954 100644
# At this point, the address has passed all the checks that have been # At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally. # configured, so we accept it unconditionally.
@@ -546,6 +579,12 @@ acl_check_data: @@ -549,6 +582,12 @@ acl_check_data:
# deny condition = ${if !def:h_Message-ID: {1}} # deny condition = ${if !def:h_Message-ID: {1}}
# message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
# Most messages without it are spam, so your mail has been rejected. # Most messages without it are spam, so your mail has been rejected.
@ -85,7 +85,7 @@ index 921c53b..a92c954 100644
# Deny if the message contains a virus. Before enabling this check, you # Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above. # must install a virus scanner and set the av_scanner option above.
@@ -580,8 +619,30 @@ acl_check_data: @@ -583,8 +622,30 @@ acl_check_data:
# message = Your message scored $spam_score SpamAssassin point. Report follows:\n\ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
# $spam_report # $spam_report


@ -1,5 +1,5 @@
diff --git a/src/configure.default b/src/configure.default diff --git a/src/configure.default b/src/configure.default
index d588898..61bdae8 100644 index 1138335..0675b40 100644
--- a/src/configure.default --- a/src/configure.default
+++ b/src/configure.default +++ b/src/configure.default
@@ -142,7 +142,7 @@ acl_smtp_data = acl_check_data @@ -142,7 +142,7 @@ acl_smtp_data = acl_check_data
@ -20,9 +20,9 @@ index d588898..61bdae8 100644
+tls_certificate = /etc/pki/tls/certs/exim.pem +tls_certificate = /etc/pki/tls/certs/exim.pem
+tls_privatekey = /etc/pki/tls/private/exim.pem +tls_privatekey = /etc/pki/tls/private/exim.pem
# In order to support roaming users who wish to send email from anywhere, # For OpenSSL, prefer EC- over RSA-authenticated ciphers
# you may want to make Exim listen on other ports as well as port 25, in # tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
@@ -162,8 +162,8 @@ acl_smtp_data = acl_check_data @@ -165,8 +165,8 @@ acl_smtp_data = acl_check_data
# them you should also allow TLS-on-connect on the traditional but # them you should also allow TLS-on-connect on the traditional but
# non-standard port 465. # non-standard port 465.
@ -33,7 +33,7 @@ index d588898..61bdae8 100644
# Specify the domain you want to be added to all unqualified addresses # Specify the domain you want to be added to all unqualified addresses
@@ -221,6 +221,24 @@ never_users = root @@ -224,6 +224,24 @@ never_users = root
host_lookup = * host_lookup = *
@ -58,7 +58,7 @@ index d588898..61bdae8 100644
# The settings below cause Exim to make RFC 1413 (ident) callbacks # The settings below cause Exim to make RFC 1413 (ident) callbacks
# for all incoming SMTP calls. You can limit the hosts to which these # for all incoming SMTP calls. You can limit the hosts to which these
@@ -844,7 +862,7 @@ begin authenticators @@ -847,7 +865,7 @@ begin authenticators
# driver = plaintext # driver = plaintext
# server_set_id = $auth2 # server_set_id = $auth2
# server_prompts = : # server_prompts = :
@ -67,7 +67,7 @@ index d588898..61bdae8 100644
# server_advertise_condition = ${if def:tls_in_cipher } # server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no # LOGIN authentication has traditional prompts and responses. There is no
@@ -856,7 +874,7 @@ begin authenticators @@ -859,7 +877,7 @@ begin authenticators
# driver = plaintext # driver = plaintext
# server_set_id = $auth1 # server_set_id = $auth1
# server_prompts = <| Username: | Password: # server_prompts = <| Username: | Password:


@ -1,8 +1,8 @@
diff --git a/src/configure.default b/src/configure.default diff --git a/src/configure.default b/src/configure.default
index ecc3d6e..1e3c63f 100644 index 8b4575c..2cce34b 100644
--- a/src/configure.default --- a/src/configure.default
+++ b/src/configure.default +++ b/src/configure.default
@@ -732,6 +732,12 @@ userforward: @@ -735,6 +735,12 @@ userforward:
pipe_transport = address_pipe pipe_transport = address_pipe
reply_transport = address_reply reply_transport = address_reply
@ -15,7 +15,7 @@ index ecc3d6e..1e3c63f 100644
# This router matches local user mailboxes. If the router fails, the error # This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user". # message is "Unknown user".
@@ -773,6 +779,16 @@ remote_smtp: @@ -776,6 +782,16 @@ remote_smtp:
driver = smtp driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}


@ -1,8 +1,8 @@
diff --git a/src/configure.default b/src/configure.default diff --git a/src/configure.default b/src/configure.default
index 985f1d0..8b6162b 100644 index 1dc9b91..562d0be 100644
--- a/src/configure.default --- a/src/configure.default
+++ b/src/configure.default +++ b/src/configure.default
@@ -630,7 +630,7 @@ system_aliases: @@ -633,7 +633,7 @@ system_aliases:
driver = redirect driver = redirect
allow_fail allow_fail
allow_defer allow_defer
@ -11,7 +11,7 @@ index 985f1d0..8b6162b 100644
# user = exim # user = exim
file_transport = address_file file_transport = address_file
pipe_transport = address_pipe pipe_transport = address_pipe
@@ -731,8 +731,8 @@ local_delivery: @@ -734,8 +734,8 @@ local_delivery:
delivery_date_add delivery_date_add
envelope_to_add envelope_to_add
return_path_add return_path_add


@ -1,8 +1,8 @@
diff --git a/src/configure.default b/src/configure.default diff --git a/src/configure.default b/src/configure.default
index a92c954..13599ae 100644 index 30ffc8c..b955c6e 100644
--- a/src/configure.default --- a/src/configure.default
+++ b/src/configure.default +++ b/src/configure.default
@@ -840,6 +840,15 @@ remote_smtp: @@ -843,6 +843,15 @@ remote_smtp:
driver = smtp driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
@ -18,7 +18,7 @@ index a92c954..13599ae 100644
# This transport invokes procmail to deliver mail # This transport invokes procmail to deliver mail
procmail: procmail:
driver = pipe driver = pipe
@@ -948,6 +957,21 @@ begin rewrite @@ -951,6 +960,21 @@ begin rewrite
# AUTHENTICATION CONFIGURATION # # AUTHENTICATION CONFIGURATION #
###################################################################### ######################################################################
@ -40,7 +40,7 @@ index a92c954..13599ae 100644
# The following authenticators support plaintext username/password # The following authenticators support plaintext username/password
# authentication using the standard PLAIN mechanism and the traditional # authentication using the standard PLAIN mechanism and the traditional
# but non-standard LOGIN mechanism, with Exim acting as the server. # but non-standard LOGIN mechanism, with Exim acting as the server.
@@ -963,7 +987,7 @@ begin rewrite @@ -966,7 +990,7 @@ begin rewrite
# The default RCPT ACL checks for successful authentication, and will accept # The default RCPT ACL checks for successful authentication, and will accept
# messages from authenticated users from anywhere on the Internet. # messages from authenticated users from anywhere on the Internet.


@ -1,5 +1,7 @@
--- a/src/configure.default.spamd 2016-12-25 21:06:57.453758443 +0000 diff --git a/src/configure.default b/src/configure.default
+++ b/src/configure.default 2016-12-25 21:07:49.940188407 +0000 index 0675b40..8b4575c 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -109,6 +109,7 @@ hostlist relay_from_hosts = localhost @@ -109,6 +109,7 @@ hostlist relay_from_hosts = localhost
acl_smtp_rcpt = acl_check_rcpt acl_smtp_rcpt = acl_check_rcpt
@ -17,7 +19,7 @@
# For spam scanning, there is a similar option that defines the interface to # For spam scanning, there is a similar option that defines the interface to
@@ -431,7 +432,8 @@ acl_check_rcpt: @@ -434,7 +435,8 @@ acl_check_rcpt:
accept local_parts = postmaster accept local_parts = postmaster
domains = +local_domains domains = +local_domains
@ -27,7 +29,7 @@
require verify = sender require verify = sender
@@ -535,27 +537,63 @@ acl_check_data: @@ -538,27 +540,63 @@ acl_check_data:
got $max_received_linelength got $max_received_linelength
condition = ${if > {$max_received_linelength}{998}} condition = ${if > {$max_received_linelength}{998}}
@ -50,17 +52,17 @@
- # Add headers to a message if it is judged to be spam. Before enabling this, - # Add headers to a message if it is judged to be spam. Before enabling this,
- # you must install SpamAssassin. You may also need to set the spamd_address - # you must install SpamAssassin. You may also need to set the spamd_address
- # option above. - # option above.
- # + # Bypass SpamAssassin checks if the message is too large.
#
- # warn spam = nobody - # warn spam = nobody
- # add_header = X-Spam_score: $spam_score\n\ - # add_header = X-Spam_score: $spam_score\n\
- # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_score_int: $spam_score_int\n\
- # X-Spam_bar: $spam_bar\n\ - # X-Spam_bar: $spam_bar\n\
- # X-Spam_report: $spam_report - # X-Spam_report: $spam_report
+ # Bypass SpamAssassin checks if the message is too large.
+ #
+ # accept condition = ${if >={$message_size}{100000} {1}} + # accept condition = ${if >={$message_size}{100000} {1}}
+ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size + # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
+
- # Accept the message.
+ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message + # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
+ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA + # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
+ # score exceeds the SA system threshold. + # score exceeds the SA system threshold.
@ -76,8 +78,7 @@
+ # + #
+ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ + # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
+ # X-Spam-Report: $spam_report + # X-Spam-Report: $spam_report
+
- # Accept the message.
+ # And reject if the SpamAssassin score is greater than ten + # And reject if the SpamAssassin score is greater than ten
+ # + #
+ # deny condition = ${if >{$spam_score_int}{100} {1}} + # deny condition = ${if >{$spam_score_int}{100} {1}}


@ -13,8 +13,8 @@
Summary: The exim mail transfer agent Summary: The exim mail transfer agent
Name: exim Name: exim
Version: 4.89 Version: 4.90.1
Release: 7%{?dist} Release: 1%{?dist}
License: GPLv2+ License: GPLv2+
Url: http://www.exim.org/ Url: http://www.exim.org/
Group: System Environment/Daemons Group: System Environment/Daemons
@ -46,33 +46,21 @@ Source24: exim.service
Source25: exim-gen-cert Source25: exim-gen-cert
Source26: clamd.exim.service Source26: clamd.exim.service
Patch4: exim-4.88-rhl.patch Patch4: exim-4.90.1-rhl.patch
Patch6: exim-4.89-config.patch Patch6: exim-4.90.1-config.patch
Patch8: exim-4.82-libdir.patch Patch8: exim-4.82-libdir.patch
Patch12: exim-4.88-cyrus.patch Patch12: exim-4.90.1-cyrus.patch
Patch13: exim-4.88-pamconfig.patch Patch13: exim-4.90.1-pamconfig.patch
Patch14: exim-4.87-spamdconf.patch Patch14: exim-4.90.1-spamdconf.patch
Patch18: exim-4.89-dlopen-localscan.patch Patch18: exim-4.90.1-dlopen-localscan.patch
Patch19: exim-4.88-procmail.patch Patch19: exim-4.90.1-procmail.patch
Patch20: exim-4.88-allow-filter.patch Patch20: exim-4.90.1-allow-filter.patch
Patch21: exim-4.87-localhost-is-local.patch Patch21: exim-4.87-localhost-is-local.patch
Patch22: exim-4.88-greylist-conf.patch Patch22: exim-4.90.1-greylist-conf.patch
Patch23: exim-4.88-smarthost-config.patch Patch23: exim-4.90.1-smarthost-config.patch
Patch25: exim-4.87-dynlookup-config.patch Patch25: exim-4.90.1-dynlookup-config.patch
# Upstream ticket: http://bugs.exim.org/show_bug.cgi?id=1584
Patch26: exim-4.85-pic.patch Patch26: exim-4.85-pic.patch
Patch27: exim-4.89-environment.patch Patch27: exim-4.90.1-environment.patch
# Backported from upstream:
# https://github.com/Exim/exim/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
Patch28: exim-4.89-CVE-2017-1000369.patch
# Backported from upstream:
# https://git.exim.org/exim.git/commitdiff/14de8063d82edc5bf003ed50abdea55ac542679b
Patch29: exim-4.89-calloutsize.patch
Patch30: exim-4.89-mariadb-macro-fix.patch
# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2199
Patch31: exim-4.89-CVE-2017-16943.patch
# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2201
Patch32: exim-4.89-CVE-2017-16944.patch
Requires: /etc/pki/tls/certs /etc/pki/tls/private Requires: /etc/pki/tls/certs /etc/pki/tls/private
Requires: /etc/aliases Requires: /etc/aliases
@ -219,11 +207,6 @@ greylisting unconditional.
%patch25 -p1 -b .dynconfig %patch25 -p1 -b .dynconfig
%patch26 -p1 -b .fpic %patch26 -p1 -b .fpic
%patch27 -p1 -b .environment %patch27 -p1 -b .environment
%patch28 -p1 -b .CVE-2017-1000369
%patch29 -p1 -b .calloutsize
%patch30 -p1 -b .mariadb-macro-fix
%patch31 -p1 -b .CVE-2017-16943
%patch32 -p1 -b .CVE-2017-16944
cp src/EDITME Local/Makefile cp src/EDITME Local/Makefile
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@ -604,6 +587,16 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
%{_sysconfdir}/cron.daily/greylist-tidy.sh %{_sysconfdir}/cron.daily/greylist-tidy.sh
%changelog %changelog
* Tue Feb 13 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-1
- New version
Resolves: rhbz#1527710
- Fixed buffer overflow in utility function
Resolves: CVE-2018-6789
- Updated and defuzzified patches
- Dropped mariadb-macro-fix patch (not needed)
- Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943,
CVE-2017-16944 patches (all upstreamed)
* Fri Dec 1 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-7 * Fri Dec 1 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-7
- Fixed denial of service - Fixed denial of service
Resolves: CVE-2017-16944 Resolves: CVE-2017-16944
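Review bot: The new `%changelog` entry for 4.90.1-1 does not record that TCP wrappers support is apparently no longer built in. In the updated rhl patch shown earlier on this page, `USE_TCP_WRAPPERS=yes` appears to stay commented out and `-lwrap` is gone from `EXTRALIBS_EXIM`. Sites that restrict SMTP access through `/etc/hosts.allow` and `/etc/hosts.deny` would lose that filtering silently after the update. If the removal is intended, I would add a line such as `- Dropped tcp_wrappers support` to the entry. The `Patch` list hunk also drops the `# Upstream ticket: http://bugs.exim.org/show_bug.cgi?id=1584` comment above `Patch26: exim-4.85-pic.patch` while keeping the patch; I would keep that comment so the remaining patch retains its upstream reference.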


@ -1 +1 @@
SHA512 (exim-4.89.tar.xz) = ce5faef3847a5baf1b4fec1ffe46ce7efaafb24e63bcc52a61f38e8312a88eccaa816c3947ba428bef3eed38b1e91e606f6ed07bc0a3e14c6a6ed0ecb41eb9fa SHA512 (exim-4.90.1.tar.xz) = b4830a2e03023b2bafc9e62535f467bb61b0f1398b6b3af0a7ef6f49e6cba60a9496e6762d0898b7ac1c2823db8cf96ed9f37e26b05809b4ba01725d9e72b806