diff --git a/.cvsignore b/.cvsignore
deleted file mode 100644
index e69de29..0000000
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..53bc958
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+exim-*.tar.xz
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 5f82566..0000000
--- a/Makefile
+++ /dev/null
@@ -1,21 +0,0 @@
-# Makefile for source rpm: exim
-# $Id$
-NAME := exim
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attept a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
diff --git a/clamd.exim.service b/clamd.exim.service
new file mode 100644
index 0000000..2f60a66
--- /dev/null
+++ b/clamd.exim.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Clamd Exim An Interface Between MTA And Content Checkers
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/run/clamd.exim/clamd.pid
+ExecStart=/usr/sbin/clamd -c /etc/clamd.d/exim.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/exim-4.82-libdir.patch b/exim-4.82-libdir.patch
new file mode 100644
index 0000000..bf3cc3a
--- /dev/null
+++ b/exim-4.82-libdir.patch
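Review bot: The `[Service]` section of clamd.exim.service sets no `User=`/`Group=` and no sandboxing directives, so unless `/etc/clamd.d/exim.conf` (not part of this diff) sets clamd's own `User` option, the scanner parses untrusted mail content as root. I would state the account in the unit or in a comment, and add hardening such as `NoNewPrivileges=yes`, `ProtectHome=yes` and `ProtectSystem=full` after checking that clamd can still reach its socket and the Exim scan directory. `PIDFile=/run/clamd.exim/clamd.pid` also assumes that `/run/clamd.exim` exists and is writable by the account clamd ends up running as; nothing in the visible part of the diff creates it.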
@@ -0,0 +1,15 @@
+diff --git a/OS/Makefile-Linux b/OS/Makefile-Linux
+index 990f884..d1ef114 100644
+--- a/OS/Makefile-Linux
++++ b/OS/Makefile-Linux
+@@ -24,8 +24,8 @@ LIBRESOLV = -lresolv
+
+ X11=/usr/X11R6
+ XINCLUDE=-I$(X11)/include
+-XLFLAGS=-L$(X11)/lib
+-X11_LD_LIB=$(X11)/lib
++XLFLAGS=-L$(X11)/$(_lib)
++X11_LD_LIB=$(X11)/$(_lib)
+
+ EXIWHAT_PS_ARG=ax
+ EXIWHAT_EGREP_ARG='/exim( |$$)'
diff --git a/exim-4.85-pic.patch b/exim-4.85-pic.patch
new file mode 100644
index 0000000..d61edba
--- /dev/null
+++ b/exim-4.85-pic.patch
@@ -0,0 +1,13 @@
+diff --git a/src/lookups/Makefile b/src/lookups/Makefile
+index 6ba0cb1..21a7ad7 100644
+--- a/src/lookups/Makefile
++++ b/src/lookups/Makefile
+@@ -22,7 +22,7 @@ lookups.a: $(OBJ)
+ $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
+
+ .c.so:; @echo "$(CC) -shared $*.c"
+- $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $*.c -o $@
++ $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $(PIC) $*.c -o $@
+
+ lf_check_file.o: $(PHDRS) lf_check_file.c lf_functions.h
+ lf_quote.o: $(PHDRS) lf_quote.c lf_functions.h
diff --git a/exim-4.90.1-nsl-fix.patch b/exim-4.90.1-nsl-fix.patch
new file mode 100644
index 0000000..bb02954
--- /dev/null
+++ b/exim-4.90.1-nsl-fix.patch
@@ -0,0 +1,14 @@
+diff --git a/src/EDITME b/src/EDITME
+index be31066..e48dd93 100644
+--- a/src/EDITME
++++ b/src/EDITME
+@@ -316,6 +316,9 @@ LOOKUP_MYSQL=2
+ LOOKUP_MYSQL_PC=mariadb
+ LOOKUP_NIS=yes
+ LOOKUP_NISPLUS=yes
++CFLAGS+=-I/usr/include/nsl -I/usr/include/tirpc
++LIBS+=-L/usr/$(_lib)/nsl
++
+ # LOOKUP_ORACLE=yes
+ LOOKUP_PASSWD=yes
+ LOOKUP_PGSQL=2
diff --git a/exim-4.92-allow-filter.patch b/exim-4.92-allow-filter.patch
new file mode 100644
index 0000000..d5b5664
--- /dev/null
+++ b/exim-4.92-allow-filter.patch
@@ -0,0 +1,13 @@
+diff --git a/src/configure.default b/src/configure.default
+index cef3779..09f0b36 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -810,7 +810,7 @@ userforward:
+ # local_part_suffix = +* : -*
+ # local_part_suffix_optional
+ file = $home/.forward
+-# allow_filter
++ allow_filter
+ no_verify
+ no_expn
+ check_ancestor
diff --git a/exim-4.92-config.patch b/exim-4.92-config.patch
new file mode 100644
index 0000000..83d09e8
--- /dev/null
+++ b/exim-4.92-config.patch
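Review bot: Turning on `allow_filter` in the `userforward` router (exim-4.92-allow-filter.patch) lets every local user's `.forward` be an Exim filter, and the hunk adds none of the `forbid_filter_*` restrictions alongside it. The same package is built with `EXIM_PERL=perl.o` and `EXPAND_DLFUNC=yes` (exim-4.92-config.patch), so unless restricted, filter expansions can reach `${perl}`, `${dlfunc}` and `${run}`. Consider adding `forbid_filter_dlfunc`, `forbid_filter_perl` and `forbid_filter_run` next to `allow_filter`, or a comment recording why they are deliberately left open. The router definition starts above the hunk, so whether it already sets `check_local_user`, `user` or any forbid option cannot be seen here.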
@@ -0,0 +1,299 @@
+diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile
+index 7e0bf38..c97ccec 100755
+--- a/scripts/Configure-Makefile
++++ b/scripts/Configure-Makefile
+@@ -297,7 +297,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
+
+ mv $mft $mftt
+ echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
+- echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft
++ echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft
+ echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft
+ echo "" >>$mft
+ cat $mftt >> $mft
+diff --git a/src/EDITME b/src/EDITME
+index cbb0805..a42cd6f 100644
+--- a/src/EDITME
++++ b/src/EDITME
+@@ -98,7 +98,7 @@
+ # /usr/local/sbin. The installation script will try to create this directory,
+ # and any superior directories, if they do not exist.
+
+-BIN_DIRECTORY=/usr/exim/bin
++BIN_DIRECTORY=/usr/sbin
+
+
+ #------------------------------------------------------------------------------
+@@ -114,7 +114,7 @@ BIN_DIRECTORY=/usr/exim/bin
+ # don't exist. It will also install a default runtime configuration if this
+ # file does not exist.
+
+-CONFIGURE_FILE=/usr/exim/configure
++CONFIGURE_FILE=/etc/exim/exim.conf
+
+ # It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
+ # In this case, Exim will use the first of them that exists when it is run.
+@@ -131,7 +131,7 @@ CONFIGURE_FILE=/usr/exim/configure
+ # deliveries. (Local deliveries run as various non-root users, typically as the
+ # owner of a local mailbox.) Specifying these values as root is not supported.
+
+-EXIM_USER=
++EXIM_USER=93
+
+ # If you specify EXIM_USER as a name, this is looked up at build time, and the
+ # uid number is built into the binary. However, you can specify that this
+@@ -152,7 +152,7 @@ EXIM_USER=
+ # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
+ # you want to use a group other than the default group for the given user.
+
+-# EXIM_GROUP=
++EXIM_GROUP=93
+
+ # Many sites define a user called "exim", with an appropriate default group,
+ # and use
+@@ -237,7 +237,7 @@ TRANSPORT_SMTP=yes
+ # This one is special-purpose, and commonly not required, so it is not
+ # included by default.
+
+-# TRANSPORT_LMTP=yes
++TRANSPORT_LMTP=yes
+
+
+ #------------------------------------------------------------------------------
+@@ -246,9 +246,9 @@ TRANSPORT_SMTP=yes
+ # MBX, is included only when requested. If you do not know what this is about,
+ # leave these settings commented out.
+
+-# SUPPORT_MAILDIR=yes
+-# SUPPORT_MAILSTORE=yes
+-# SUPPORT_MBX=yes
++SUPPORT_MAILDIR=yes
++SUPPORT_MAILSTORE=yes
++SUPPORT_MBX=yes
+
+
+ #------------------------------------------------------------------------------
+@@ -306,20 +306,22 @@ LOOKUP_DBM=yes
+ LOOKUP_LSEARCH=yes
+ LOOKUP_DNSDB=yes
+
+-# LOOKUP_CDB=yes
+-# LOOKUP_DSEARCH=yes
++LOOKUP_CDB=yes
++LOOKUP_DSEARCH=yes
+ # LOOKUP_IBASE=yes
+-# LOOKUP_LDAP=yes
+-# LOOKUP_MYSQL=yes
+-# LOOKUP_MYSQL_PC=mariadb
+-# LOOKUP_NIS=yes
+-# LOOKUP_NISPLUS=yes
++LOOKUP_LDAP=yes
++LDAP_LIB_TYPE=OPENLDAP2
++LOOKUP_LIBS=-lldap -llber -lsqlite3
++LOOKUP_MYSQL=2
++LOOKUP_MYSQL_PC=mariadb
++LOOKUP_NIS=yes
++LOOKUP_NISPLUS=yes
+ # LOOKUP_ORACLE=yes
+-# LOOKUP_PASSWD=yes
+-# LOOKUP_PGSQL=yes
++LOOKUP_PASSWD=yes
++LOOKUP_PGSQL=2
++LOOKUP_PGSQL_LIBS=-lpq
+ # LOOKUP_REDIS=yes
+-# LOOKUP_SQLITE=yes
+-# LOOKUP_SQLITE_PC=sqlite3
++LOOKUP_SQLITE=yes
+ # LOOKUP_WHOSON=yes
+
+ # These two settings are obsolete; all three lookups are compiled when
+@@ -402,7 +404,7 @@ EXIM_MONITOR=eximon.bin
+ # and the MIME ACL. Please read the documentation to learn more about these
+ # features.
+
+-# WITH_CONTENT_SCAN=yes
++WITH_CONTENT_SCAN=yes
+
+ # If you have content scanning you may wish to only include some of the scanner
+ # interfaces. Uncomment any of these lines to remove that code.
+@@ -595,7 +597,7 @@ FIXED_NEVER_USERS=root
+ # CONFIGURE_OWNER setting, to specify a configuration file which is listed in
+ # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
+
+-# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs
++TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs
+
+
+ #------------------------------------------------------------------------------
+@@ -640,17 +642,14 @@ FIXED_NEVER_USERS=root
+ # included in the Exim binary. You will then need to set up the run time
+ # configuration to make use of the mechanism(s) selected.
+
+-# AUTH_CRAM_MD5=yes
+-# AUTH_CYRUS_SASL=yes
+-# AUTH_DOVECOT=yes
+-# AUTH_GSASL=yes
+-# AUTH_GSASL_PC=libgsasl
+-# AUTH_HEIMDAL_GSSAPI=yes
+-# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
+-# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
+-# AUTH_PLAINTEXT=yes
+-# AUTH_SPA=yes
+-# AUTH_TLS=yes
++AUTH_CRAM_MD5=yes
++AUTH_CYRUS_SASL=yes
++AUTH_DOVECOT=yes
++AUTH_GSASL=yes
++AUTH_GSASL_PC=libgsasl
++AUTH_PLAINTEXT=yes
++AUTH_SPA=yes
++AUTH_TLS=yes
+
+ # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
+ # requires multiple pkg-config files to work with Exim, so the second example
+@@ -674,7 +673,7 @@ FIXED_NEVER_USERS=root
+ # one that is set in the headers_charset option. The default setting is
+ # defined by this setting:
+
+-HEADERS_CHARSET="ISO-8859-1"
++HEADERS_CHARSET="UTF-8"
+
+ # If you are going to make use of $header_xxx expansions in your configuration
+ # file, or if your users are going to use them in filter files, and the normal
+@@ -694,7 +693,7 @@ HEADERS_CHARSET="ISO-8859-1"
+ # the Sieve filter support. For those OS where iconv() is known to be installed
+ # as standard, the file in OS/Makefile-xxxx contains
+ #
+-# HAVE_ICONV=yes
++HAVE_ICONV=yes
+ #
+ # If you are not using one of those systems, but have installed iconv(), you
+ # need to uncomment that line above. In some cases, you may find that iconv()
+@@ -763,11 +762,11 @@ HEADERS_CHARSET="ISO-8859-1"
+ # leave these settings commented out.
+
+ # This setting is required for any TLS support (either OpenSSL or GnuTLS)
+-# SUPPORT_TLS=yes
++SUPPORT_TLS=yes
+
+ # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
+-# USE_OPENSSL_PC=openssl
+-# TLS_LIBS=-lssl -lcrypto
++TLS_INCLUDE=-I/usr/kerberos/include
++TLS_LIBS=-lssl -lcrypto
+
+ # Uncomment the first and either the second or the third of these if you
+ # are using GnuTLS. If you have pkg-config, then the second, else the third.
+@@ -839,7 +838,7 @@ HEADERS_CHARSET="ISO-8859-1"
+ # Once you have done this, "make install" will build the info files and
+ # install them in the directory you have defined.
+
+-# INFO_DIRECTORY=/usr/share/info
++INFO_DIRECTORY=/usr/share/info
+
+
+ #------------------------------------------------------------------------------
+@@ -852,7 +851,7 @@ HEADERS_CHARSET="ISO-8859-1"
+ # %s. This will be replaced by one of the strings "main", "panic", or "reject"
+ # to form the final file names. Some installations may want something like this:
+
+-# LOG_FILE_PATH=/var/log/exim_%slog
++LOG_FILE_PATH=/var/log/exim/%s.log
+
+ # which results in files with names /var/log/exim_mainlog, etc. The directory
+ # in which the log files are placed must exist; Exim does not try to create
+@@ -924,7 +923,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
+ # Perl costs quite a lot of resources. Only do this if you really need it.
+
+-# EXIM_PERL=perl.o
++EXIM_PERL=perl.o
+
+
+ #------------------------------------------------------------------------------
+@@ -934,7 +933,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # that the local_scan API is made available by the linker. You may also need
+ # to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
+
+-# EXPAND_DLFUNC=yes
++EXPAND_DLFUNC=yes
+
+
+ #------------------------------------------------------------------------------
+@@ -944,7 +943,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # support, which is intended for use in conjunction with the SMTP AUTH
+ # facilities, is included only when requested by the following setting:
+
+-# SUPPORT_PAM=yes
++SUPPORT_PAM=yes
+
+ # You probably need to add -lpam to EXTRALIBS, and in some releases of
+ # GNU/Linux -ldl is also needed.
+@@ -1052,7 +1051,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # group. Once you have installed saslauthd, you should arrange for it to be
+ # started by root at boot time.
+
+-# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
++CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
+
+
+ #------------------------------------------------------------------------------
+@@ -1066,8 +1065,8 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # library for TCP wrappers, so you probably need something like this:
+ #
+ # USE_TCP_WRAPPERS=yes
+-# CFLAGS=-O -I/usr/local/include
+-# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
++CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)
++EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic
+ #
+ # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
+ # as well.
+@@ -1119,7 +1118,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+ # is "yes", as well as supporting line editing, a history of input lines in the
+ # current run is maintained.
+
+-# USE_READLINE=yes
++USE_READLINE=yes
+
+ # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
+ # Note that this option adds to the size of the Exim binary, because the
+@@ -1136,7 +1135,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+ #------------------------------------------------------------------------------
+ # Uncomment this setting to include IPv6 support.
+
+-# HAVE_IPV6=yes
++HAVE_IPV6=yes
+
+ ###############################################################################
+ # THINGS YOU ALMOST NEVER NEED TO MENTION #
+@@ -1157,13 +1156,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+ # haven't got Perl, Exim will still build and run; you just won't be able to
+ # use those utilities.
+
+-# CHOWN_COMMAND=/usr/bin/chown
+-# CHGRP_COMMAND=/usr/bin/chgrp
+-# CHMOD_COMMAND=/usr/bin/chmod
+-# MV_COMMAND=/bin/mv
+-# RM_COMMAND=/bin/rm
+-# TOUCH_COMMAND=/usr/bin/touch
+-# PERL_COMMAND=/usr/bin/perl
++CHOWN_COMMAND=/usr/bin/chown
++CHGRP_COMMAND=/usr/bin/chgrp
++CHMOD_COMMAND=/usr/bin/chmod
++MV_COMMAND=/usr/bin/mv
++RM_COMMAND=/usr/bin/rm
++TOUCH_COMMAND=/usr/bin/touch
++PERL_COMMAND=/usr/bin/perl
+
+
+ #------------------------------------------------------------------------------
+@@ -1365,7 +1364,7 @@ EXIM_TMPDIR="/tmp"
+ # (process id) to a file so that it can easily be identified. The path of the
+ # file can be specified here. Some installations may want something like this:
+
+-# PID_FILE_PATH=/var/lock/exim.pid
++PID_FILE_PATH=/var/run/exim.pid
+
+ # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
+ # using the name "exim-daemon.pid".
diff --git a/exim-4.92-cyrus.patch b/exim-4.92-cyrus.patch
new file mode 100644
index 0000000..f8e2984
--- /dev/null
+++ b/exim-4.92-cyrus.patch
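Review bot: In the `@@ -1066,8 +1065,8 @@` hunk of exim-4.92-config.patch, the live `CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)` and `EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic` settings replace two commented example lines inside the TCP-wrappers explanation, so they sit between `# USE_TCP_WRAPPERS=yes` and `# but of course there may need to be other things in CFLAGS…` and read as part of that example. These lines presumably carry the distribution's optimisation and hardening flags plus the libraries that `SUPPORT_PAM=yes` and `EXPAND_DLFUNC=yes` depend on, which makes them easy to lose or misread on a rebase. I would leave the upstream example commented and move the two settings into their own block with a comment such as `# Package build flags: RPM_OPT_FLAGS and PIE, plus the PAM/dl libraries needed by SUPPORT_PAM and EXPAND_DLFUNC`.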
@@ -0,0 +1,21 @@
+diff --git a/src/configure.default b/src/configure.default
+index 69e0ed1..6db4947 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -901,6 +901,16 @@ address_reply:
+ driver = autoreply
+
+
++# This transport is used to deliver local mail to cyrus IMAP server via UNIX
++# socket. You'll need to configure the 'localuser' router above to use it.
++#
++#lmtp_delivery:
++# home_directory = /var/spool/imap
++# driver = lmtp
++# command = "/usr/lib/cyrus-imapd/deliver -l"
++# batch_max = 20
++# user = cyrus
++
+
+ ######################################################################
+ # RETRY CONFIGURATION #
diff --git a/exim-4.92-dane-enable.patch b/exim-4.92-dane-enable.patch
new file mode 100644
index 0000000..32c6fc9
--- /dev/null
+++ b/exim-4.92-dane-enable.patch
@@ -0,0 +1,13 @@
+diff --git a/src/EDITME b/src/EDITME
+index e3b98e9..d621c46 100644
+--- a/src/EDITME
++++ b/src/EDITME
+@@ -372,7 +372,7 @@ PCRE_CONFIG=yes
+ # Uncomment the following line to add DANE support
+ # Note: Enabling this unconditionally overrides DISABLE_DNSSEC
+ # For DANE under GnuTLS we need an additional library. See TLS_LIBS below.
+-# SUPPORT_DANE=yes
++SUPPORT_DANE=yes
+
+ #------------------------------------------------------------------------------
+ # Additional libraries and include directories may be required for some
diff --git a/exim-4.92-dlopen-localscan.patch b/exim-4.92-dlopen-localscan.patch
new file mode 100644
index 0000000..3c2f00c
--- /dev/null
+++ b/exim-4.92-dlopen-localscan.patch
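Review bot: The comment added in exim-4.92-cyrus.patch says the `lmtp_delivery` transport delivers "via UNIX socket", but the example sets `command = "/usr/lib/cyrus-imapd/deliver -l"`, which makes the lmtp transport run that program and speak LMTP over a pipe; a socket would be configured with the transport's `socket` option instead. I would reword the opening line to `# This transport delivers local mail to the Cyrus IMAP server by running its LMTP deliver program.` so that an admin who uncomments it knows a process is executed as `user = cyrus`.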
@@ -0,0 +1,267 @@
+diff --git a/src/EDITME b/src/EDITME
+index a42cd6f..0acd673 100644
+--- a/src/EDITME
++++ b/src/EDITME
+@@ -822,6 +822,20 @@ TLS_LIBS=-lssl -lcrypto
+ # specified in INCLUDE.
+
+
++#------------------------------------------------------------------------------
++# On systems which support dynamic loading of shared libraries, Exim can
++# load a local_scan function specified in its config file instead of having
++# to be recompiled with the desired local_scan function. For a full
++# description of the API to this function, see the Exim specification.
++
++DLOPEN_LOCAL_SCAN=yes
++
++# If you set DLOPEN_LOCAL_SCAN, then you need to include -rdynamic in the
++# linker flags. Without it, the loaded .so won't be able to access any
++# functions from exim.
++
++LFLAGS=-rdynamic -ldl -pie
++
+ #------------------------------------------------------------------------------
+ # The default distribution of Exim contains only the plain text form of the
+ # documentation. Other forms are available separately. If you want to install
+diff --git a/src/config.h.defaults b/src/config.h.defaults
+index 7c2e534..3fafe61 100644
+--- a/src/config.h.defaults
++++ b/src/config.h.defaults
+@@ -32,6 +32,8 @@ Do not put spaces between # and the 'define'.
+
+ #define AUTH_VARS 3
+
++#define DLOPEN_LOCAL_SCAN
++
+ #define BIN_DIRECTORY
+
+ #define CONFIGURE_FILE
+diff --git a/src/globals.c b/src/globals.c
+index b3362a3..0884fe5 100644
+--- a/src/globals.c
++++ b/src/globals.c
+@@ -173,6 +173,10 @@ uschar *tls_verify_hosts = NULL;
+ uschar *tls_advertise_hosts = NULL;
+ #endif
+
++#ifdef DLOPEN_LOCAL_SCAN
++uschar *local_scan_path = NULL;
++#endif
++
+ #ifndef DISABLE_PRDR
+ /* Per Recipient Data Response variables */
+ BOOL prdr_enable = FALSE;
+diff --git a/src/globals.h b/src/globals.h
+index f71f104..3faf176 100644
+--- a/src/globals.h
++++ b/src/globals.h
+@@ -131,6 +131,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */
+ extern uschar *tls_verify_certificates;/* Path for certificates to check */
+ extern uschar *tls_verify_hosts; /* Mandatory client verification */
+ #endif
++
++#ifdef DLOPEN_LOCAL_SCAN
++extern uschar *local_scan_path; /* Path to local_scan() library */
++#endif
++
+ extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */
+
+ extern uschar *dsn_envid; /* DSN envid string */
+diff --git a/src/local_scan.c b/src/local_scan.c
+index 4dd0b2b..8599172 100644
+--- a/src/local_scan.c
++++ b/src/local_scan.c
+@@ -5,61 +5,131 @@
+ /* Copyright (c) University of Cambridge 1995 - 2009 */
+ /* See the file NOTICE for conditions of use and distribution. */
+
++#include "exim.h"
+
+-/******************************************************************************
+-This file contains a template local_scan() function that just returns ACCEPT.
+-If you want to implement your own version, you should copy this file to, say
+-Local/local_scan.c, and edit the copy. To use your version instead of the
+-default, you must set
+-
+-HAVE_LOCAL_SCAN=yes
+-LOCAL_SCAN_SOURCE=Local/local_scan.c
+-
+-in your Local/Makefile. This makes it easy to copy your version for use with
+-subsequent Exim releases.
+-
+-For a full description of the API to this function, see the Exim specification.
+-******************************************************************************/
+-
+-
+-/* This is the only Exim header that you should include. The effect of
+-including any other Exim header is not defined, and may change from release to
+-release. Use only the documented interface! */
+-
+-#include "local_scan.h"
+-
+-
+-/* This is a "do-nothing" version of a local_scan() function. The arguments
+-are:
+-
+- fd The file descriptor of the open -D file, which contains the
+- body of the message. The file is open for reading and
+- writing, but modifying it is dangerous and not recommended.
+-
+- return_text A pointer to an unsigned char* variable which you can set in
+- order to return a text string. It is initialized to NULL.
+-
+-The return values of this function are:
+-
+- LOCAL_SCAN_ACCEPT
+- The message is to be accepted. The return_text argument is
+- saved in $local_scan_data.
+-
+- LOCAL_SCAN_REJECT
+- The message is to be rejected. The returned text is used
+- in the rejection message.
+-
+- LOCAL_SCAN_TEMPREJECT
+- This specifies a temporary rejection. The returned text
+- is used in the rejection message.
+-*/
++#ifdef DLOPEN_LOCAL_SCAN
++#include
++static int (*local_scan_fn)(int fd, uschar **return_text) = NULL;
++static int load_local_scan_library(void);
++#endif
+
+ int
+ local_scan(int fd, uschar **return_text)
+ {
+ fd = fd; /* Keep picky compilers happy */
+ return_text = return_text;
+-return LOCAL_SCAN_ACCEPT;
++#ifdef DLOPEN_LOCAL_SCAN
++/* local_scan_path is defined AND not the empty string */
++if (local_scan_path && *local_scan_path)
++ {
++ if (!local_scan_fn)
++ {
++ if (!load_local_scan_library())
++ {
++ char *base_msg , *error_msg , *final_msg ;
++ int final_length = -1 ;
++
++ base_msg=US"Local configuration error - local_scan() library failure\n";
++ error_msg = dlerror() ;
++
++ final_length = strlen(base_msg) + strlen(error_msg) + 1 ;
++ final_msg = (char*)malloc( final_length*sizeof(char) ) ;
++ *final_msg = '\0' ;
++
++ strcat( final_msg , base_msg ) ;
++ strcat( final_msg , error_msg ) ;
++
++ *return_text = final_msg ;
++ return LOCAL_SCAN_TEMPREJECT;
++ }
++ }
++ return local_scan_fn(fd, return_text);
++ }
++else
++#endif
++ return LOCAL_SCAN_ACCEPT;
+ }
+
++#ifdef DLOPEN_LOCAL_SCAN
++
++static int load_local_scan_library(void)
++{
++/* No point in keeping local_scan_lib since we'll never dlclose() anyway */
++void *local_scan_lib = NULL;
++int (*local_scan_version_fn)(void);
++int vers_maj;
++int vers_min;
++
++local_scan_lib = dlopen(local_scan_path, RTLD_NOW);
++if (!local_scan_lib)
++ {
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library open failed - "
++ "message temporarily rejected");
++ return FALSE;
++ }
++
++local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_major");
++if (!local_scan_version_fn)
++ {
++ dlclose(local_scan_lib);
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
++ "local_scan_version_major() function - message temporarily rejected");
++ return FALSE;
++ }
++
++/* The major number is increased when the ABI is changed in a non
++ backward compatible way. */
++vers_maj = local_scan_version_fn();
++
++local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_minor");
++if (!local_scan_version_fn)
++ {
++ dlclose(local_scan_lib);
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
++ "local_scan_version_minor() function - message temporarily rejected");
++ return FALSE;
++ }
++
++/* The minor number is increased each time a new feature is added (in a
++ way that doesn't break backward compatibility) -- Marc */
++vers_min = local_scan_version_fn();
++
++
++if (vers_maj != LOCAL_SCAN_ABI_VERSION_MAJOR)
++ {
++ dlclose(local_scan_lib);
++ local_scan_lib = NULL;
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible major"
++ "version number, you need to recompile your module for this version"
++ "of exim (The module was compiled for version %d.%d and this exim provides"
++ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR,
++ LOCAL_SCAN_ABI_VERSION_MINOR);
++ return FALSE;
++ }
++else if (vers_min > LOCAL_SCAN_ABI_VERSION_MINOR)
++ {
++ dlclose(local_scan_lib);
++ local_scan_lib = NULL;
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible minor"
++ "version number, you need to recompile your module for this version"
++ "of exim (The module was compiled for version %d.%d and this exim provides"
++ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR,
++ LOCAL_SCAN_ABI_VERSION_MINOR);
++ return FALSE;
++ }
++
++local_scan_fn = dlsym(local_scan_lib, "local_scan");
++if (!local_scan_fn)
++ {
++ dlclose(local_scan_lib);
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
++ "local_scan() function - message temporarily rejected");
++ return FALSE;
++ }
++
++return TRUE;
++}
++
++#endif /* DLOPEN_LOCAL_SCAN */
++
+ /* End of local_scan.c */
+diff --git a/src/readconf.c b/src/readconf.c
+index 5742d10..3f1d9c1 100644
+--- a/src/readconf.c
++++ b/src/readconf.c
+@@ -199,6 +199,9 @@ static optionlist optionlist_config[] = {
+ { "local_from_prefix", opt_stringptr, &local_from_prefix },
+ { "local_from_suffix", opt_stringptr, &local_from_suffix },
+ { "local_interfaces", opt_stringptr, &local_interfaces },
++#ifdef DLOPEN_LOCAL_SCAN
++ { "local_scan_path", opt_stringptr, &local_scan_path },
++#endif
+ #ifdef HAVE_LOCAL_SCAN
+ { "local_scan_timeout", opt_time, &local_scan_timeout },
+ #endif
diff --git a/exim-4.92-environment.patch b/exim-4.92-environment.patch
new file mode 100644
index 0000000..831a4e7
--- /dev/null
+++ b/exim-4.92-environment.patch
@@ -0,0 +1,15 @@
+diff --git a/src/configure.default b/src/configure.default
+index 241a961..1403d4a 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -384,8 +384,8 @@ timeout_frozen_after = 7d
+ # Note that TZ is handled separately by the timezone runtime option
+ # and TIMEZONE_DEFAULT buildtime option.
+
+-# keep_environment = ^LDAP
+-# add_environment = PATH=/usr/bin::/bin
++keep_environment = ^LDAP
++add_environment = PATH=/usr/bin::/bin
+
+
+
diff --git a/exim-4.92-greylist-conf.patch b/exim-4.92-greylist-conf.patch
new file mode 100644
index 0000000..e601fc9
--- /dev/null
+++ b/exim-4.92-greylist-conf.patch
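Review bot: In `local_scan()` (src/local_scan.c in exim-4.92-dlopen-localscan.patch) the failure path calls `strlen(error_msg)` on the result of `dlerror()`, which is NULL when `load_local_scan_library()` failed for a reason that is not a dl error, as in the two ABI version mismatch branches; a mismatched module would then crash the receiving process instead of producing a temporary rejection. The `malloc()` result is also used unchecked and the buffer is never freed. Building the text with Exim's own allocator covers all three: `const char *e = dlerror();` followed by `*return_text = string_sprintf("Local configuration error - local_scan() library failure\n%s", e ? e : "");`. Separately, the `incompatible major` and `incompatible minor` log strings are concatenated with no space between the literals (`"...major" "version number..."`), so the logged message runs words together.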
@@ -0,0 +1,119 @@
+diff --git a/src/configure.default b/src/configure.default
+index 9242bac..eabf102 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -119,6 +119,7 @@ hostlist relay_from_hosts = localhost
+ # manual for details. The lists above are used in the access control lists for
+ # checking incoming messages. The names of these ACLs are defined here:
+
++acl_smtp_mail = acl_check_mail
+ acl_smtp_rcpt = acl_check_rcpt
+ .ifdef _HAVE_PRDR
+ acl_smtp_data_prdr = acl_check_prdr
+@@ -395,6 +396,29 @@ timeout_frozen_after = 7d
+
+ begin acl
+
++
++# This access control list is used for the MAIL command in an incoming
++# SMTP message.
++
++acl_check_mail:
++
++ # Hosts are required to say HELO (or EHLO) before sending mail.
++ # So don't allow them to use the MAIL command if they haven't
++ # done so.
++
++ deny condition = ${if eq{$sender_helo_name}{} {1}}
++ message = Nice boys say HELO first
++
++ # Use the lack of reverse DNS to trigger greylisting. Some people
++ # even reject for it but that would be a little excessive.
++
++ warn condition = ${if eq{$sender_host_name}{} {1}}
++ set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
++
++ accept
++
++
++
+ # This access control list is used for every RCPT command in an incoming
+ # SMTP message. The tests are run in order until the address is either
+ # accepted or denied.
+@@ -520,7 +544,8 @@ acl_check_rcpt:
+ # There are no default checks on DNS black lists because the domains that
+ # contain these lists are changing all the time. However, here are two
+ # examples of how you can get Exim to perform a DNS black list lookup at this
+- # point. The first one denies, whereas the second just warns.
++ # point. The first one denies, whereas the second just warns. The third
++ # triggers greylisting for any host in the blacklist.
+ #
+ # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+ # dnslists = black.list.example
+@@ -528,6 +553,10 @@ acl_check_rcpt:
+ # warn dnslists = black.list.example
+ # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
+ # log_message = found in $dnslist_domain
++ #
++ # warn dnslists = black.list.example
++ # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
++ #
+ #############################################################################
+
+ #############################################################################
+@@ -554,6 +583,10 @@ acl_check_rcpt:
+ # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+ #############################################################################
+
++ # Alternatively, greylist for it:
++ # warn !verify = csa
++ # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
++
+ # At this point, the address has passed all the checks that have been
+ # configured, so we accept it unconditionally.
+
+@@ -612,6 +645,12 @@ acl_check_data:
+ # deny condition = ${if !def:h_Message-ID: {1}}
+ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
+ # Most messages without it are spam, so your mail has been rejected.
++ #
++ # Alternatively if we're feeling more lenient we could just use it to
++ # trigger greylisting instead:
++
++ warn condition = ${if !def:h_Message-ID: {1}}
++ set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
+
+ # Deny if the message contains a virus. Before enabling this check, you
+ # must install a virus scanner and set the av_scanner option above.
+@@ -658,8 +697,31 @@ acl_check_data:
+ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
+ # $spam_report
+
++ # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
++ #
++ # warn condition = ${if >{$spam_score_int}{5} {1}}
++ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
++
++
++ # If you want to greylist _all_ mail rather than only mail which looks like there
++ # might be something wrong with it, then you can do this...
++ #
++ # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
++
++ # Now, invoke the greylisting. For this you need to have installed the exim-greylist
++ # package which contains this subroutine, and you need to uncomment the bit below
++ # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
++ # greylisting will kick in and will defer the mail to check if the sender is a
++ # proper mail which which retries, or whether it's a zombie. For more details, see
++ # the exim-greylist.conf.inc file itself.
++ #
++ # require acl = greylist_mail
++
+ accept
+
++# To enable the greylisting, also uncomment this line:
++# .include /etc/exim/exim-greylist.conf.inc
++
+ acl_check_mime:
+
+ # File extension filtering.
diff --git a/exim-4.92-localhost-is-local.patch b/exim-4.92-localhost-is-local.patch
new file mode 100644
index 0000000..02a10a2
--- /dev/null
+++ b/exim-4.92-localhost-is-local.patch
@@ -0,0 +1,13 @@
+diff --git a/src/configure.default b/src/configure.default
+index 09f0b36..9242bac 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -67,7 +67,7 @@
+ # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
+ # are all colon-separated lists:
+
+-domainlist local_domains = @
++domainlist local_domains = @ : localhost : localhost.localdomain
+ domainlist relay_to_domains =
+ hostlist relay_from_hosts = localhost
+ # (We rely upon hostname resolution working for localhost, because the default
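Review bot: The reverse-DNS `warn` in the new `acl_check_mail` (exim-4.92-greylist-conf.patch) applies to every sender, including local submissions with no remote host (where `$sender_host_name` is empty) and clients in `+relay_from_hosts` or already authenticated, so all of them pick up a greylist reason. Whether `greylist_mail` exempts them later cannot be checked here, because `exim-greylist.conf.inc` is not part of this diff; if it does not, switching greylisting on would defer the site's own submissions. Consider guarding the statement with `!hosts = : +relay_from_hosts` and `!authenticated = *` ahead of the `condition`, and doing the same for the active Message-ID `warn` in `acl_check_data`. The added comment also reads "a proper mail which which retries", which wants rewording.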
diff --git a/exim-4.92-pamconfig.patch b/exim-4.92-pamconfig.patch
new file mode 100644
index 0000000..bbe3dde
--- /dev/null
+++ b/exim-4.92-pamconfig.patch
@@ -0,0 +1,78 @@ +diff --git a/src/configure.default b/src/configure.default +index 6db4947..f1198b1 100644 +--- a/src/configure.default ++++ b/src/configure.default +@@ -157,7 +157,7 @@ acl_smtp_data = acl_check_data + + # Allow any client to use TLS. + +-# tls_advertise_hosts = * ++tls_advertise_hosts = * + + # Specify the location of the Exim server's TLS certificate and private key. + # The private key must not be encrypted (password protected). You can put +@@ -165,8 +165,8 @@ acl_smtp_data = acl_check_data + # need the first setting, or in separate files, in which case you need both + # options. + +-# tls_certificate = /etc/ssl/exim.crt +-# tls_privatekey = /etc/ssl/exim.pem ++tls_certificate = /etc/pki/tls/certs/exim.pem ++tls_privatekey = /etc/pki/tls/private/exim.pem + + # For OpenSSL, prefer EC- over RSA-authenticated ciphers + # tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT +@@ -180,8 +180,8 @@ acl_smtp_data = acl_check_data + # them you should also allow TLS-on-connect on the traditional but + # non-standard port 465. + +-# daemon_smtp_ports = 25 : 465 : 587 +-# tls_on_connect_ports = 465 ++daemon_smtp_ports = 25 : 465 : 587 ++tls_on_connect_ports = 465 + + + # Specify the domain you want to be added to all unqualified addresses +@@ -239,6 +239,24 @@ never_users = root + + host_lookup = * + ++# This setting, if uncommented, allows users to authenticate using ++# their system passwords against saslauthd if they connect over a ++# secure connection. If you have network logins such as NIS or ++# Kerberos rather than only local users, then you possibly also want ++# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism ++# too. Once a user is authenticated, the acl_check_rcpt ACL then ++# allows them to relay through the system. 
++# ++# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}} ++# ++# By default, we set this option to allow SMTP AUTH from nowhere ++# (Exim's default would be to allow it from anywhere, even on an ++# unencrypted connection). ++# ++# Comment this one out if you uncomment the above. Did you make sure ++# saslauthd is actually running first? ++# ++auth_advertise_hosts = + + # The setting below causes Exim to try to initialize the system resolver + # library with DNSSEC support. It has no effect if your library lacks +@@ -980,7 +998,7 @@ begin authenticators + # driver = plaintext + # server_set_id = $auth2 + # server_prompts = : +-# server_condition = Authentication is not yet configured ++# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}} + # server_advertise_condition = ${if def:tls_in_cipher } + + # LOGIN authentication has traditional prompts and responses. There is no +@@ -992,7 +1010,7 @@ begin authenticators + # driver = plaintext + # server_set_id = $auth1 + # server_prompts = <| Username: | Password: +-# server_condition = Authentication is not yet configured ++# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}} + # server_advertise_condition = ${if def:tls_in_cipher } + + diff --git a/exim-4.92-procmail.patch b/exim-4.92-procmail.patch new file mode 100644 index 0000000..5fd6f73 --- /dev/null +++ b/exim-4.92-procmail.patch 
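Review bot: The commented-out `auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}` in the @@ -239 hunk tests `$tls_cipher`, while the authenticator examples later in this same patch gate on `$tls_in_cipher`. The Exim specification marks the bare `$tls_cipher` as deprecated in favour of `$tls_in_cipher`/`$tls_out_cipher`, so the example should read `${if eq {$tls_in_cipher}{}{}{*}}`, which also makes it explicit that AUTH is advertised only on an encrypted inbound session. The comment above the active `auth_advertise_hosts =` line could also state that this empty setting is what keeps passwords off cleartext connections, so an admin who removes it knows to enable the TLS-gated form rather than leave the option unset.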
@@ -0,0 +1,34 @@ +diff --git a/src/configure.default b/src/configure.default +index 8f88a3b..cef3779 100644 +--- a/src/configure.default ++++ b/src/configure.default +@@ -818,6 +818,12 @@ userforward: + pipe_transport = address_pipe + reply_transport = address_reply + ++procmail: ++ driver = accept ++ check_local_user ++ require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail ++ transport = procmail ++ no_verify + + # This router matches local user mailboxes. If the router fails, the error + # message is "Unknown user". +@@ -866,6 +872,16 @@ remote_smtp: + hosts_try_prdr = * + .endif + ++# This transport invokes procmail to deliver mail ++procmail: ++ driver = pipe ++ command = "/usr/bin/procmail -d $local_part" ++ return_path_add ++ delivery_date_add ++ envelope_to_add ++ user = $local_part ++ initgroups ++ return_output + + # This transport is used for delivering messages to a smarthost, if the + # smarthost router is enabled. This starts from the same basis as diff --git a/exim-4.92-rhl.patch b/exim-4.92-rhl.patch new file mode 100644 index 0000000..236da8f --- /dev/null +++ b/exim-4.92-rhl.patch @@ -0,0 +1,24 @@ +diff --git a/src/configure.default b/src/configure.default +index 555dec3..69e0ed1 100644 +--- a/src/configure.default ++++ b/src/configure.default +@@ -718,7 +718,7 @@ system_aliases: + driver = redirect + allow_fail + allow_defer +- data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}} ++ data = ${lookup{$local_part}lsearch{/etc/aliases}} + # user = exim + file_transport = address_file + pipe_transport = address_pipe +@@ -867,8 +867,8 @@ local_delivery: + delivery_date_add + envelope_to_add + return_path_add +-# group = mail +-# mode = 0660 ++ group = mail ++ mode = 0660 + + + # This transport is used for handling pipe deliveries generated by alias or diff --git a/exim-4.92-smarthost-config.patch b/exim-4.92-smarthost-config.patch new file mode 100644 index 0000000..08ecc1c --- /dev/null +++ b/exim-4.92-smarthost-config.patch 
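Review bot: The new `procmail:` router in the @@ -818 hunk has no comment, although it decides when mail is handed to a program that the matching transport runs as the recipient (`user = $local_part`). A short comment above it would record the safety argument, e.g. `# Deliver via procmail when the local user has a ~/.procmailrc; check_local_user ensures $local_part is a real account before the transport runs as that user`. The transport comment could also note that Exim splits `command` into arguments before expanding them, so `$local_part` never passes through a shell, which matters if someone later adds `use_shell`.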
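Review bot: Enabling `group = mail` and `mode = 0660` on `local_delivery` (the @@ -867 hunk of exim-4.92-rhl.patch) makes every mailbox created by this transport readable and writable by all members of group `mail`, and the spec on this page adds the `exim` account to that group with `useradd ... -G mail`. That is presumably intended so that other local mail tools can lock and update the spool files, but the patch does not say so. A comment such as `# mailboxes are group mail, mode 0660: any member of group mail can read all local mail` would make it clear that membership of that group is a privilege to be granted sparingly.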
@@ -0,0 +1,51 @@ +diff --git a/src/configure.default b/src/configure.default +index eabf102..db2d98a 100644 +--- a/src/configure.default ++++ b/src/configure.default +@@ -934,6 +934,15 @@ remote_smtp: + hosts_try_prdr = * + .endif + ++# This transport is used for delivering messages over SMTP using the ++# "message submission" port (RFC4409). ++ ++remote_msa: ++ driver = smtp ++ port = 587 ++ hosts_require_auth = * ++ ++ + # This transport invokes procmail to deliver mail + procmail: + driver = pipe +@@ -1083,6 +1092,21 @@ begin rewrite + # AUTHENTICATION CONFIGURATION # + ###################################################################### + ++begin authenticators ++ ++# This authenticator supports CRAM-MD5 username/password authentication ++# with Exim acting as a _client_, as it might when sending its outgoing ++# mail to a smarthost rather than directly to the final recipient. ++# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate. ++ ++#client_auth: ++# driver = cram_md5 ++# public_name = CRAM-MD5 ++# client_name = SMTPAUTH_USERNAME ++# client_secret = SMTPAUTH_PASSWORD ++ ++# ++ + # The following authenticators support plaintext username/password + # authentication using the standard PLAIN mechanism and the traditional + # but non-standard LOGIN mechanism, with Exim acting as the server. +@@ -1098,7 +1122,7 @@ begin rewrite + # The default RCPT ACL checks for successful authentication, and will accept + # messages from authenticated users from anywhere on the Internet. + +-begin authenticators ++# + + # PLAIN authentication has no server prompts. The client sends its + # credentials in one lump, containing an authorization ID (which we do not diff --git a/exim-4.92-spamdconf.patch b/exim-4.92-spamdconf.patch new file mode 100644 index 0000000..cab7969 --- /dev/null +++ b/exim-4.92-spamdconf.patch 
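Review bot: The new `remote_msa` transport sets `hosts_require_auth = *` but not `hosts_require_tls = *`, so if the smarthost does not offer STARTTLS, or the offer is lost in transit, Exim still authenticates over a cleartext session. Adding `hosts_require_tls = *` under `port = 587` makes submission fail closed instead. The commented `client_auth` example should also say where the secret belongs: `client_secret` would sit in exim.conf, which the spec's %install step on this page copies with mode 0644, so the credentials are better kept in a separate file readable only by root and exim and pulled in with a lookup or `.include`. CRAM-MD5 avoids sending the password itself but is a weak mechanism, which is a further reason to require TLS on this transport.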
@@ -0,0 +1,108 @@ +diff --git a/src/configure.default b/src/configure.default +index f1198b1..8f88a3b 100644 +--- a/src/configure.default ++++ b/src/configure.default +@@ -124,6 +124,7 @@ acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data_prdr = acl_check_prdr + .endif + acl_smtp_data = acl_check_data ++acl_smtp_mime = acl_check_mime + + # You should not change those settings until you understand how ACLs work. + +@@ -136,7 +137,7 @@ acl_smtp_data = acl_check_data + # of what to set for other virus scanners. The second modification is in the + # acl_check_data access control list (see below). + +-# av_scanner = clamd:/tmp/clamd ++av_scanner = clamd:/var/run/clamd.exim/clamd.sock + + + # For spam scanning, there is a similar option that defines the interface to +@@ -458,7 +459,8 @@ acl_check_rcpt: + accept local_parts = postmaster + domains = +local_domains + +- # Deny unless the sender address can be verified. ++ # Deny unless the sender address can be routed. For proper verification of the ++ # address, read the documentation on callouts and add the /callout modifier. + + require verify = sender + +@@ -601,21 +603,26 @@ acl_check_data: + message = header syntax + log_message = header syntax ($acl_verify_message) + ++ # Put simple tests first. A good one is to check for the presence of a ++ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken ++ # or misconfigured mailer software occasionally omits this from genuine ++ # messages too, though -- although it's not hard for the offender to fix ++ # after they receive a bounce because of it. ++ # ++ # deny condition = ${if !def:h_Message-ID: {1}} ++ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ ++ # Most messages without it are spam, so your mail has been rejected. ++ + # Deny if the message contains a virus. Before enabling this check, you + # must install a virus scanner and set the av_scanner option above. 
+ # + # deny malware = * + # message = This message contains a virus ($malware_name). + +- # Add headers to a message if it is judged to be spam. Before enabling this, +- # you must install SpamAssassin. You may also need to set the spamd_address +- # option above. ++ # Bypass SpamAssassin checks if the message is too large. + # +- # warn spam = nobody +- # add_header = X-Spam_score: $spam_score\n\ +- # X-Spam_score_int: $spam_score_int\n\ +- # X-Spam_bar: $spam_bar\n\ +- # X-Spam_report: $spam_report ++ # accept condition = ${if >={$message_size}{100000} {1}} ++ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size + + ############################################################################# + # No more tests if PRDR was actively used. +@@ -629,11 +636,40 @@ acl_check_data: + # condition = ... + ############################################################################# + ++ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message ++ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA ++ # score exceeds the SA system threshold. ++ # ++ # warn spam = nobody/defer_ok ++ # add_header = X-Spam-Flag: YES ++ # ++ # accept condition = ${if !def:spam_score_int {1}} ++ # add_header = X-Spam-Note: SpamAssassin invocation failed ++ # + +- # Accept the message. ++ # Unconditionally add score and report headers ++ # ++ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ ++ # X-Spam-Report: $spam_report ++ ++ # And reject if the SpamAssassin score is greater than ten ++ # ++ # deny condition = ${if >{$spam_score_int}{100} {1}} ++ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\ ++ # $spam_report + + accept + ++acl_check_mime: ++ ++ # File extension filtering. 
++ deny message = Blacklisted file extension detected ++ condition = ${if match \ ++ {${lc:$mime_filename}} \ ++ {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \ ++ {1}{0}} ++ ++ accept + + + ###################################################################### diff --git a/exim-4.92-support-proxies.patch b/exim-4.92-support-proxies.patch new file mode 100644 index 0000000..22f20e7 --- /dev/null +++ b/exim-4.92-support-proxies.patch @@ -0,0 +1,19 @@ +diff --git a/src/EDITME b/src/EDITME +index 4e3a9a3..e3b98e9 100644 +--- a/src/EDITME ++++ b/src/EDITME +@@ -972,12 +972,12 @@ SUPPORT_PAM=yes + # If you may want to use outbound (client-side) proxying, using Socks5, + # uncomment the line below. + +-# SUPPORT_SOCKS=yes ++SUPPORT_SOCKS=yes + + # If you may want to use inbound (server-side) proxying, using Proxy Protocol, + # uncomment the line below. + +-# SUPPORT_PROXY=yes ++SUPPORT_PROXY=yes + + + #------------------------------------------------------------------------------ diff --git a/exim-clamav-tmpfiles.conf b/exim-clamav-tmpfiles.conf new file mode 100644 index 0000000..df45687 --- /dev/null +++ b/exim-clamav-tmpfiles.conf @@ -0,0 +1 @@ +D /var/run/clamd.exim 0750 exim exim - diff --git a/exim-gen-cert b/exim-gen-cert new file mode 100644 index 0000000..27e8448 --- /dev/null +++ b/exim-gen-cert 
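Review bot: The commented size bypass `accept condition = ${if >={$message_size}{100000} {1}}` sits in the middle of `acl_check_data`, and an `accept` verb ends the ACL, so once uncommented it skips every check placed below it and not only the SpamAssassin run. That includes the `require acl = greylist_mail` call which exim-4.92-greylist-conf.patch adds further down the same ACL. Either the comment should say this, or the size limit should be a condition on the SpamAssassin statements themselves, e.g. `condition = ${if <{$message_size}{100000} {1}}` on the `warn spam = nobody/defer_ok` block. Separately, `acl_check_mime` matches a fixed extension list against the sender-supplied `$mime_filename`, so a one-line comment naming the `malware = *` check as the actual control would stop it being read as malware protection.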
@@ -0,0 +1,45 @@ +#!/bin/bash + +. /etc/sysconfig/network + +# Source exim configureation. +if [ -f /etc/sysconfig/exim ] ; then + . /etc/sysconfig/exim +fi + +USER=${USER:=exim} +GROUP=${GROUP:=exim} + +gen_cert() { + if [ ! -f /etc/pki/tls/certs/exim.pem ] ; then + umask 077 + FQDN=`hostname` + if [ "x${FQDN}" = "x" ]; then + FQDN=localhost.localdomain + fi + echo -n $"Generating exim certificate: " + cat << EOF | openssl req -new -x509 -days 365 -nodes \ + -out /etc/pki/tls/certs/exim.pem \ + -keyout /etc/pki/tls/private/exim.pem &>/dev/null +-- +SomeState +SomeCity +SomeOrganization +SomeOrganizationalUnit +${FQDN} +root@${FQDN} +EOF + if [ $? -eq 0 ]; then + echo success + chown $USER:$GROUP /etc/pki/tls/{private,certs}/exim.pem + chmod 600 /etc/pki/tls/{private,certs}/exim.pem + else + echo failure + fi + echo + fi +} + +gen_cert + +exit 0 diff --git a/exim-greylist.conf.inc b/exim-greylist.conf.inc new file mode 100644 index 0000000..bb22907 --- /dev/null +++ b/exim-greylist.conf.inc 
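Review bot: `USER=${USER:=exim}` near the top of exim-gen-cert reuses the generic `USER` environment variable, which a login shell already sets, so when an administrator runs the script by hand as root the later `chown $USER:$GROUP /etc/pki/tls/{private,certs}/exim.pem` would likely leave the key owned by `root:exim` with mode 600 and unreadable to the exim account. A package-specific name avoids that, e.g. `EXIM_USER=${EXIM_USER:-exim}` and `EXIM_GROUP=${EXIM_GROUP:-exim}` with `chown "$EXIM_USER:$EXIM_GROUP" ...`, unless /etc/sysconfig/exim documents `USER`/`GROUP` as its knobs, in which case the defaulting needs a comment. The `gen_cert` function in exim.init on this page carries the same lines. Also, `gen_cert` tests only for the certificate file, discards all openssl output with `&>/dev/null`, and the script always ends with `exit 0`, so a missing or half-written key is never reported; testing both files and returning the openssl status would make a broken TLS setup visible at service start.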
@@ -0,0 +1,120 @@ +# $Id: acl-greylist-sqlite,v 1.3 2007/11/25 19:17:28 dwmw2 Exp $ + +GREYDB=/var/spool/exim/db/greylist.db + +# ACL for greylisting. Place reason(s) for greylisting into a variable named +# $acl_m_greylistreasons before invoking with 'require acl = greylist_mail'. +# The reasons should be separate lines of text, and will be reported in +# the SMTP rejection message as well as the log message. +# +# When a suspicious mail is seen, we temporarily reject it and wait to see +# if the sender tries again. Most spam robots won't bother. Real mail hosts +# _will_ retry, and we'll accept it the second time. For hosts which are +# observed to retry, we don't bother greylisting again in the future -- +# it's obviously pointless. We remember such hosts, or 'known resenders', +# by a tuple of their IP address and the name they used in HELO. +# +# We also include the time of listing for 'known resenders', just in case +# someone wants to expire them after a certain amount of time. So the +# database table for these 'known resenders' looks like this: +# +# CREATE TABLE resenders ( +# host TEXT, +# helo TEXT, +# time INTEGER, +# PRIMARY KEY (host, helo) ); +# +# To remember mail we've rejected, we create an 'identity' from its sender +# and recipient addresses and its Message-ID: header. We don't include the +# sending IP address in the identity, because sometimes the second and +# subsequent attempts may come from a different IP address to the original. +# +# We do record the original IP address and HELO name though, because if +# the message _is_ retried from another machine, it's the _first_ one we +# want to record as a 'known resender'; not just its backup path. +# +# Obviously we record the time too, so the main table of greylisted mail +# looks like this: +# +# CREATE TABLE greylist ( +# id TEXT, +# expire INTEGER, +# host TEXT, +# helo TEXT); +# + +greylist_mail: + # First, accept if it there's absolutely nothing suspicious about it... 
+ accept condition = ${if eq{$acl_m_greylistreasons}{} {1}} + # ... or if it was generated locally or by authenticated clients. + accept hosts = : + accept authenticated = * + + # Secondly, there's _absolutely_ no point in greylisting mail from + # hosts which are known to resend their mail. Just accept it. + accept condition = ${lookup sqlite {GREYDB SELECT host from resenders \ + WHERE helo='${quote_sqlite:$sender_helo_name}' \ + AND host='$sender_host_address';} {1}} + + # Generate a hashed 'identity' for the mail, as described above. + warn set acl_m_greyident = ${hash{20}{62}{$sender_address$recipients$h_message-id:}} + + # Attempt to look up this mail in the greylist database. If it's there, + # remember the expiry time for it; we need to make sure they've waited + # long enough. + warn set acl_m_greyexpiry = ${lookup sqlite {GREYDB SELECT expire FROM greylist \ + WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}} + + # If the mail isn't already the database -- i.e. if the $acl_m_greyexpiry + # variable we just looked up is empty -- then try to add it now. This is + # where the 5 minute timeout is set ($tod_epoch + 300), should you wish + # to change it. + warn condition = ${if eq {$acl_m_greyexpiry}{} {1}} + set acl_m_dontcare = ${lookup sqlite {GREYDB INSERT INTO greylist \ + VALUES ( '$acl_m_greyident', \ + '${eval10:$tod_epoch+300}', \ + '$sender_host_address', \ + '${quote_sqlite:$sender_helo_name}' );}} + + # Be paranoid, and check if the insertion succeeded (by doing another lookup). + # Otherwise, if there's a database error we might end up deferring for ever. + defer condition = ${if eq {$acl_m_greyexpiry}{} {1}} + condition = ${lookup sqlite {GREYDB SELECT expire FROM greylist \ + WHERE id='${quote_sqlite:$acl_m_greyident}';} {1}} + message = Your mail was considered suspicious for the following reason(s):\n$acl_m_greylistreasons \ + The mail has been greylisted for 5 minutes, after which it should be accepted. 
\ + We apologise for the inconvenience. Your mail system should keep the mail on \ + its queue and retry. When that happens, your system will be added to the list \ + genuine mail systems, and mail from it should not be greylisted any more. \ + In the event of problems, please contact postmaster@$qualify_domain + log_message = Greylisted <$h_message-id:> from <$sender_address> for offences: ${sg {$acl_m_greylistreasons}{\n}{,}} + + # Handle the error case (which should never happen, but would be bad if it did). + # First by whining about it in the logs, so the admin can deal with it... + warn condition = ${if eq {$acl_m_greyexpiry}{} {1}} + log_message = Greylist insertion failed. Bypassing greylist. + # ... and then by just accepting the message. + accept condition = ${if eq {$acl_m_greyexpiry}{} {1}} + + # OK, we've dealt with the "new" messages. Now we deal with messages which + # _were_ already in the database... + + # If the message was already listed but its time hasn't yet expired, keep rejecting it + defer condition = ${if > {$acl_m_greyexpiry}{$tod_epoch}} + message = Your mail was previously greylisted and the time has not yet expired.\n\ + You should wait another ${eval10:$acl_m_greyexpiry-$tod_epoch} seconds.\n\ + Reason(s) for greylisting: \n$acl_m_greylistreasons + + # The message was listed but it's been more than five minutes. Accept it now and whitelist + # the _original_ sending host by its { IP, HELO } so that we don't delay its mail again. 
+ warn set acl_m_orighost = ${lookup sqlite {GREYDB SELECT host FROM greylist \ + WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}} + set acl_m_orighelo = ${lookup sqlite {GREYDB SELECT helo FROM greylist \ + WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}} + set acl_m_dontcare = ${lookup sqlite {GREYDB INSERT INTO resenders \ + VALUES ( '$acl_m_orighost', \ + '${quote_sqlite:$acl_m_orighelo}', \ + '$tod_epoch' ); }} + logwrite = Added host $acl_m_orighost with HELO '$acl_m_orighelo' to known resenders + + accept diff --git a/exim-tidydb.sh b/exim-tidydb.sh new file mode 100755 index 0000000..1b3dddc --- /dev/null +++ b/exim-tidydb.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +SPOOLDIR=/var/spool/exim + +cd $SPOOLDIR/db +for a in retry misc wait-* callout ratelimit; do + [ -r "$a" ] || continue + [ "${a%%.lockfile}" = "$a" ] || continue + /usr/sbin/exim_tidydb $SPOOLDIR $a >/dev/null +done diff --git a/exim.init b/exim.init new file mode 100644 index 0000000..275fae2 --- /dev/null +++ b/exim.init 
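Review bot: The SQL in `greylist_mail` is assembled by string expansion, and only some interpolated values pass through `${quote_sqlite:...}`: `$sender_host_address` in the resenders SELECT, `$acl_m_greyident` and `$sender_host_address` in the greylist INSERT, and `$acl_m_orighost` in the resenders INSERT are inserted raw. Those values are constrained by their origin (the peer address, the output of `${hash{20}{62}...}`, a value read back from the table), so the queries are well-formed today, but that depends on reasoning the file never states. Quoting every value the same way, e.g. `host='${quote_sqlite:$sender_host_address}'` and `'${quote_sqlite:$acl_m_greyident}'`, keeps the statements safe if the identity construction is later changed. A comment beside the INSERTs saying why each value is safe would also help.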
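Review bot: In exim-tidydb.sh the `cd $SPOOLDIR/db` result is not checked, so if the directory is missing the loop runs against whatever directory cron started the script in. `$a` is also passed unquoted to `exim_tidydb` although it comes from a glob over the spool's db directory, and the job is installed under cron.daily. Use `cd "$SPOOLDIR/db" || exit 1` and `/usr/sbin/exim_tidydb "$SPOOLDIR" "$a" >/dev/null` so that a file name containing whitespace or glob characters cannot change the arguments.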
@@ -0,0 +1,132 @@ +#!/bin/bash +# +# exim This shell script takes care of starting and stopping exim +# +# chkconfig: 2345 80 30 +# description: Exim is a Mail Transport Agent, which is the program \ +# that moves mail from one machine to another. +# processname: exim +# config: /etc/exim/exim.conf +# pidfile: /var/run/exim.pid + +# Source function library. +. /etc/init.d/functions + +# Source networking configuration. +[ -r /etc/sysconfig/network ] && . /etc/sysconfig/network + +# Source exim configureation. +if [ -f /etc/sysconfig/exim ] ; then + . /etc/sysconfig/exim +else + DAEMON=yes + QUEUE=1h +fi + +USER=${USER:=exim} +GROUP=${GROUP:=exim} + +gen_cert() { + if [ ! -f /etc/pki/tls/certs/exim.pem ] ; then + umask 077 + FQDN=`hostname` + if [ "x${FQDN}" = "x" ]; then + FQDN=localhost.localdomain + fi + echo -n $"Generating exim certificate: " + cat << EOF | openssl req -new -x509 -days 365 -nodes \ + -out /etc/pki/tls/certs/exim.pem \ + -keyout /etc/pki/tls/private/exim.pem &>/dev/null +-- +SomeState +SomeCity +SomeOrganization +SomeOrganizationalUnit +${FQDN} +root@${FQDN} +EOF + if [ $? -eq 0 ]; then + success + chown $USER:$GROUP /etc/pki/tls/{private,certs}/exim.pem + chmod 600 /etc/pki/tls/{private,certs}/exim.pem + else + failure + fi + echo + fi +} + +start() { + [ "$EUID" != "0" ] && exit 4 + [ "${NETWORKING}" = "no" ] && exit 1 + [ -f /usr/sbin/exim ] || exit 5 + + # check ownerships + # do this by seeing if /var/log/exim/main.log exists and is + # owned by exim - if owned by someone else we fix it up + if [ -f /var/log/exim/main.log ] + then + if [ "exim" != "`ls -l /var/log/exim/main.log | awk '{print $4}'`" ] + then + chown -R $USER:$GROUP /var/log/exim /var/spool/exim + fi + fi + + # generate certificate if doesn't exist + gen_cert + + # Start daemons. + echo -n $"Starting exim: " + daemon /usr/sbin/exim $([ "$DAEMON" = yes ] && echo -bd) \ + $([ -n "$QUEUE" ] && echo -q$QUEUE) + RETVAL=$? 
+ echo + [ $RETVAL = 0 ] && touch /var/lock/subsys/exim +} + +stop() { + [ "$EUID" != "0" ] && exit 4 + # Stop daemons. + echo -n $"Shutting down exim: " + killproc exim + RETVAL=$? + echo + [ $RETVAL = 0 ] && rm -f /var/lock/subsys/exim +} + +restart() { + stop + start +} + +# See how we were called. +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + restart + ;; + reload|force-reload) + status exim > /dev/null || exit 7 + echo -n $"Reloading exim:" + killproc exim -HUP + echo + ;; + condrestart|try-restart) + status exim > /dev/null || exit 0 + restart + ;; + status) + status exim + ;; + *) + echo $"Usage: $0 {start|stop|restart|reload|force-reload|status|condrestart|try-restart}" + exit 2 +esac + +exit $RETVAL + diff --git a/exim.logrotate b/exim.logrotate new file mode 100644 index 0000000..05f13b9 --- /dev/null +++ b/exim.logrotate @@ -0,0 +1,7 @@ +# daemon does not need restarting after log rotate +# so we do not prod it any more +/var/log/exim/*log { + missingok + notifempty + delaycompress +} diff --git a/exim.pam b/exim.pam new file mode 100644 index 0000000..1d78594 --- /dev/null +++ b/exim.pam @@ -0,0 +1,3 @@ +#%PAM-1.0 +auth include password-auth +account include password-auth diff --git a/exim.service b/exim.service new file mode 100644 index 0000000..e6a82ba --- /dev/null +++ b/exim.service @@ -0,0 +1,14 @@ +[Unit] +Description=Exim Mail Transport Agent +After=network.target +Conflicts=sendmail.service postfix.service + +[Service] +PrivateTmp=true +Environment=QUEUE=1h +EnvironmentFile=-/etc/sysconfig/exim +ExecStartPre=-/usr/libexec/exim-gen-cert +ExecStart=/usr/sbin/exim -bd -q${QUEUE} + +[Install] +WantedBy=multi-user.target diff --git a/exim.spec b/exim.spec new file mode 100644 index 0000000..6f93256 --- /dev/null +++ b/exim.spec 
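Review bot: The ownership test in `start()` compares the literal `exim` with field 4 of `ls -l`, which is the group column, although the comment says it checks the owner and the repair uses the configurable `$USER:$GROUP`. Reading the value directly, `[ "$(stat -c %U /var/log/exim/main.log)" != "$USER" ]`, matches the stated intent and avoids parsing `ls` output. The repair is a root-run `chown -R` over `/var/log/exim` and `/var/spool/exim`, trees the mail account writes to, so it should fire only when really needed and log a message when it does. Separately, `RETVAL` is never assigned on the `reload` path, so the final `exit $RETVAL` returns the status of the trailing `echo` rather than that of `killproc exim -HUP`.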
@@ -0,0 +1,1379 @@ +# By default build clamav subpackage on Fedora, +# do not build on RHEL +%if 0%{?rhel} +%bcond_with clamav +%else +%bcond_without clamav +%endif + +# hardened build if not overridden +%{!?_hardened_build:%global _hardened_build 1} + +Summary: The exim mail transfer agent +Name: exim +Version: 4.92.2 +Release: 1%{?dist} +License: GPLv2+ +Url: http://www.exim.org/ + +Provides: MTA smtpd smtpdaemon server(smtp) +Requires(post): /sbin/restorecon %{_sbindir}/alternatives systemd +Requires(preun): %{_sbindir}/alternatives systemd +Requires(postun): %{_sbindir}/alternatives systemd +Requires(pre): %{_sbindir}/groupadd, %{_sbindir}/useradd +%if %{with clamav} +BuildRequires: clamav-devel +%endif +Source: ftp://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.xz +Source2: exim.init +Source3: exim.sysconfig +Source4: exim.logrotate +Source5: exim-tidydb.sh +Source11: exim.pam +Source12: exim-clamav-tmpfiles.conf + +Source20: exim-greylist.conf.inc +Source21: mk-greylist-db.sql +Source22: greylist-tidy.sh +Source23: trusted-configs +Source24: exim.service +Source25: exim-gen-cert +Source26: clamd.exim.service + +Patch4: exim-4.92-rhl.patch +Patch6: exim-4.92-config.patch +Patch8: exim-4.82-libdir.patch +Patch12: exim-4.92-cyrus.patch +Patch13: exim-4.92-pamconfig.patch +Patch14: exim-4.92-spamdconf.patch +Patch18: exim-4.92-dlopen-localscan.patch +Patch19: exim-4.92-procmail.patch +Patch20: exim-4.92-allow-filter.patch +Patch21: exim-4.92-localhost-is-local.patch +Patch22: exim-4.92-greylist-conf.patch +Patch23: exim-4.92-smarthost-config.patch +Patch26: exim-4.85-pic.patch +Patch27: exim-4.92-environment.patch +# Workaround for NIS removal from glibc, bug 1534920 +Patch33: exim-4.90.1-nsl-fix.patch +Patch40: exim-4.92-support-proxies.patch +Patch41: exim-4.92-dane-enable.patch + +Requires: /etc/pki/tls/certs /etc/pki/tls/private +Requires: /etc/aliases +Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +BuildRequires: gcc 
libdb-devel openssl-devel openldap-devel pam-devel +BuildRequires: pcre-devel sqlite-devel cyrus-sasl-devel +BuildRequires: openldap-devel openssl-devel mariadb-connector-c-devel libpq-devel +BuildRequires: libXaw-devel libXmu-devel libXext-devel libX11-devel libSM-devel +BuildRequires: perl-devel +BuildRequires: perl-generators +BuildRequires: libICE-devel libXpm-devel libXt-devel perl(ExtUtils::Embed) +# mariadb-devel for mariadb pkgconfig +BuildRequires: systemd-units libgsasl-devel mariadb-devel +# Workaround for NIS removal from glibc, bug 1534920 +BuildRequires: libnsl2-devel libtirpc-devel + +%description +Exim is a message transfer agent (MTA) developed at the University of +Cambridge for use on Unix systems connected to the Internet. It is +freely available under the terms of the GNU General Public Licence. In +style it is similar to Smail 3, but its facilities are more +general. There is a great deal of flexibility in the way mail can be +routed, and there are extensive facilities for checking incoming +mail. Exim can be installed in place of sendmail, although the +configuration of exim is quite different to that of sendmail. + +%package mysql +Summary: MySQL lookup support for Exim +Requires: exim = %{version}-%{release} + +%description mysql +This package contains the MySQL lookup module for Exim + +%package pgsql +Summary: PostgreSQL lookup support for Exim +Requires: exim = %{version}-%{release} + +%description pgsql +This package contains the PostgreSQL lookup module for Exim + +%package mon +Summary: X11 monitor application for Exim + +%description mon +The Exim Monitor is an optional supplement to the Exim package. It +displays information about Exim's processing in an X window, and an +administrator can perform a number of control actions from the window +interface. 
+ +%if %{with clamav} +%package clamav +Summary: Clam Antivirus scanner dæmon configuration for use with Exim +Requires: clamav-server exim +Obsoletes: clamav-exim <= 0.86.2 + +%description clamav +This package contains configuration files which invoke a copy of the +clamav dæmon for use with Exim. It can be activated by adding (or +uncommenting) + + av_scanner = clamd:%{_var}/run/clamd.exim/clamd.sock + +in your exim.conf, and using the 'malware' condition in the DATA ACL, +as follows: + + deny message = This message contains malware ($malware_name) + malware = * + +For further details of Exim content scanning, see chapter 41 of the Exim +specification: +http://www.exim.org/exim-html-%{version}/doc/html/spec_html/ch41.html + +%endif + +%package greylist +Summary: Example configuration for greylisting using Exim +Requires: sqlite exim +Requires: crontabs + +%description greylist +This package contains a simple example of how to do greylisting in Exim's +ACL configuration. It contains a cron job to remove old entries from the +greylisting database, and an ACL subroutine which needs to be included +from the main exim.conf file. + +To enable greylisting, install this package and then uncomment the lines +in Exim's configuration /etc/exim.conf which enable it. You need to +uncomment at least two lines -- the '.include' directive which includes +the new ACL subroutine, and the line which invokes the new subroutine. + +By default, this implementation only greylists mails which appears +'suspicious' in some way. During normal processing of the ACLs we collect +a list of 'offended' which it's committed, which may include having +SpamAssassin points, lacking a Message-ID: header, coming from a blacklisted +host, etc. There are examples of these in the default configuration file, +mostly commented out. These should be sufficient for you to you trigger +greylisting for whatever 'offences' you can dream of, or even to make +greylisting unconditional. 
+ +%prep +%setup -q + +%patch4 -p1 -b .rhl +%patch6 -p1 -b .config +%patch8 -p1 -b .libdir +%patch12 -p1 -b .cyrus +%patch13 -p1 -b .pam +%patch14 -p1 -b .spamd +%patch18 -p1 -b .dl +%patch19 -p1 -b .procmail +%patch20 -p1 -b .filter +%patch21 -p1 -b .localhost +%patch22 -p1 -b .grey +%patch23 -p1 -b .smarthost +%patch26 -p1 -b .fpic +%patch27 -p1 -b .environment +%patch33 -p1 -b .nsl-fix +%patch40 -p1 -b .proxy +%patch41 -p1 -b .dane-enable + +cp src/EDITME Local/Makefile +sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile +sed -i 's@^# AUTH_LIBS=-lsasl2@AUTH_LIBS=-lsasl2@' Local/Makefile +cp exim_monitor/EDITME Local/eximon.conf + + +%build +%ifnarch s390 s390x sparc sparcv9 sparcv9v sparc64 sparc64v + export PIE=-fpie + export PIC=-fpic +%else + export PIE=-fPIE + export PIC=-fPIC +%endif +make _lib=%{_lib} FULLECHO= LDFLAGS="%{?__global_ldflags} %{?_hardened_build:-pie -Wl,-z,relro,-z,now}" + +%install +mkdir -p $RPM_BUILD_ROOT%{_sbindir} +mkdir -p $RPM_BUILD_ROOT%{_bindir} +mkdir -p $RPM_BUILD_ROOT%{_libdir} +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pam.d +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/exim + +cd build-`scripts/os-type`-`scripts/arch-type` +install -m 4775 exim $RPM_BUILD_ROOT%{_sbindir} + +for i in eximon eximon.bin exim_dumpdb exim_fixdb exim_tidydb \ + exinext exiwhat exim_dbmbuild exicyclog exim_lock \ + exigrep eximstats exipick exiqgrep exiqsumm \ + exim_checkaccess convert4r4 +do + install -m 0755 $i $RPM_BUILD_ROOT%{_sbindir} +done + +mkdir -p $RPM_BUILD_ROOT%{_libdir}/exim/%{version}-%{release}/lookups +for i in mysql.so pgsql.so +do + install -m755 lookups/$i \ + $RPM_BUILD_ROOT%{_libdir}/exim/%{version}-%{release}/lookups +done + +cd .. 
+ +install -m 0644 src/configure.default $RPM_BUILD_ROOT%{_sysconfdir}/exim/exim.conf +install -m 0644 %SOURCE11 $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/exim + +mkdir -p $RPM_BUILD_ROOT/usr/lib +pushd $RPM_BUILD_ROOT/usr/lib +ln -sf ../sbin/exim sendmail.exim +popd + +pushd $RPM_BUILD_ROOT%{_sbindir}/ +ln -sf exim sendmail.exim +popd + +pushd $RPM_BUILD_ROOT%{_bindir}/ +ln -sf ../sbin/exim mailq.exim +ln -sf ../sbin/exim runq.exim +ln -sf ../sbin/exim rsmtp.exim +ln -sf ../sbin/exim rmail.exim +ln -sf ../sbin/exim newaliases.exim +popd + +install -d -m 0750 $RPM_BUILD_ROOT%{_var}/spool/exim +install -d -m 0750 $RPM_BUILD_ROOT%{_var}/spool/exim/db +install -d -m 0750 $RPM_BUILD_ROOT%{_var}/spool/exim/input +install -d -m 0750 $RPM_BUILD_ROOT%{_var}/spool/exim/msglog +install -d -m 0750 $RPM_BUILD_ROOT%{_var}/log/exim + +mkdir -p $RPM_BUILD_ROOT%{_mandir}/man8 +install -m644 doc/exim.8 $RPM_BUILD_ROOT%{_mandir}/man8/exim.8 +pod2man --center=EXIM --section=8 \ + $RPM_BUILD_ROOT/usr/sbin/eximstats \ + $RPM_BUILD_ROOT%{_mandir}/man8/eximstats.8 + +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig +install -m 644 %SOURCE3 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/exim + +%if 0%{?fedora} < 23 +mkdir -p $RPM_BUILD_ROOT%{_initrddir} +install %SOURCE2 $RPM_BUILD_ROOT%{_initrddir}/exim +%endif + +# Systemd +mkdir -p %{buildroot}%{_unitdir} +mkdir -p $RPM_BUILD_ROOT%{_libexecdir} +install -m644 %{SOURCE24} %{buildroot}%{_unitdir} +install -m755 %{SOURCE25} %{buildroot}%{_libexecdir} + +%if %{with clamav} +install -m644 %{SOURCE26} %{buildroot}%{_unitdir} +%endif + +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d +install -m 0644 %SOURCE4 $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/exim + +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily +install -m 0755 %SOURCE5 $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily/exim-tidydb + +# generate ghost .pem file +mkdir -p $RPM_BUILD_ROOT/etc/pki/tls/{certs,private} +touch $RPM_BUILD_ROOT/etc/pki/tls/{certs,private}/exim.pem +chmod 600 
$RPM_BUILD_ROOT/etc/pki/tls/{certs,private}/exim.pem + +# generate alternatives ghosts +mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 +for i in %{_sbindir}/sendmail %{_bindir}/{mailq,runq,rsmtp,rmail,newaliases} \ + /usr/lib/sendmail %{_sysconfdir}/pam.d/smtp +do + touch $RPM_BUILD_ROOT$i +done +gzip < /dev/null > $RPM_BUILD_ROOT%{_mandir}/man1/mailq.1.gz + +%if %{with clamav} +# Munge the clamav init and config files from clamav-devel. This really ought +# to be a subpackage of clamav, but this hack will have to do for now. +function clamsubst() { + sed -e "s!!$3!g;s!!$4!g;""$5" %{_datadir}/clamav/template/"$1" >"$RPM_BUILD_ROOT$2" +} + +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/clamd.d +clamsubst clamd.conf %{_sysconfdir}/clamd.d/exim.conf exim exim \ + 's!^##*\(\(LogFile\|LocalSocket\|PidFile\|User\)\s\|\(StreamSaveToDisk\|ScanMail\|LogTime\|ScanArchive\)$\)!\1!;s!^Example!#Example!;' + +clamsubst clamd.logrotate %{_sysconfdir}/logrotate.d/clamd.exim exim exim '' +cat < $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/clamd.exim +CLAMD_CONFIG='%_sysconfdir/clamd.d/exim.conf' +CLAMD_SOCKET=%{_var}/run/clamd.exim/clamd.sock +EOF +ln -sf clamd $RPM_BUILD_ROOT/usr/sbin/clamd.exim + +mkdir -p %{buildroot}%{_tmpfilesdir} +install -m 0644 %{SOURCE12} %{buildroot}%{_tmpfilesdir}/exim-clamav.conf +mkdir -p $RPM_BUILD_ROOT%{_var}/run/clamd.exim +mkdir -p $RPM_BUILD_ROOT%{_var}/log +touch $RPM_BUILD_ROOT%{_var}/log/clamd.exim + +%endif + +# Set up the greylist subpackage +install -m644 %{SOURCE20} $RPM_BUILD_ROOT/%_sysconfdir/exim/exim-greylist.conf.inc +install -m644 %{SOURCE21} $RPM_BUILD_ROOT/%_sysconfdir/exim/mk-greylist-db.sql +mkdir -p $RPM_BUILD_ROOT/%_sysconfdir/cron.daily +install -m755 %{SOURCE22} $RPM_BUILD_ROOT/%_sysconfdir/cron.daily/greylist-tidy.sh +install -m644 %{SOURCE23} $RPM_BUILD_ROOT/%_sysconfdir/exim/trusted-configs +touch $RPM_BUILD_ROOT/%_var/spool/exim/db/greylist.db + +%check +build-`scripts/os-type`-`scripts/arch-type`/exim -C src/configure.default -bV + +%pre 
+%{_sbindir}/groupadd -g 93 exim 2>/dev/null +%{_sbindir}/useradd -d %{_var}/spool/exim -s /sbin/nologin -G mail -M -r -u 93 -g exim exim 2>/dev/null +# Copy TLS certs from old location to new -- don't move them, because the +# config file may be modified and may be pointing to the old location. +if [ ! -f /etc/pki/tls/certs/exim.pem -a -f %{_datadir}/ssl/certs/exim.pem ] ; then + cp %{_datadir}/ssl/certs/exim.pem /etc/pki/tls/certs/exim.pem + cp %{_datadir}/ssl/private/exim.pem /etc/pki/tls/private/exim.pem +fi + +exit 0 + +%post +%systemd_post %{name}.service + +%{_sbindir}/alternatives --install %{_sbindir}/sendmail mta %{_sbindir}/sendmail.exim 10 \ + --slave %{_bindir}/mailq mta-mailq %{_bindir}/mailq.exim \ + --slave %{_bindir}/runq mta-runq %{_bindir}/runq.exim \ + --slave %{_bindir}/rsmtp mta-rsmtp %{_bindir}/rsmtp.exim \ + --slave %{_bindir}/rmail mta-rmail %{_bindir}/rmail.exim \ + --slave /etc/pam.d/smtp mta-pam /etc/pam.d/exim \ + --slave %{_bindir}/newaliases mta-newaliases %{_bindir}/newaliases.exim \ + --slave /usr/lib/sendmail mta-sendmail /usr/lib/sendmail.exim \ + --slave %{_mandir}/man1/mailq.1.gz mta-mailqman %{_mandir}/man8/exim.8.gz \ + --initscript exim + +%preun +%systemd_preun %{name}.service +if [ $1 = 0 ]; then + %{_sbindir}/alternatives --remove mta %{_sbindir}/sendmail.exim +fi + +%postun +%systemd_postun_with_restart %{name}.service +if [ $1 -ge 1 ]; then + mta=`readlink /etc/alternatives/mta` + if [ "$mta" == "%{_sbindir}/sendmail.exim" ]; then + /usr/sbin/alternatives --set mta %{_sbindir}/sendmail.exim + fi +fi + +%post greylist +if [ ! 
-r %{_var}/spool/exim/db/greylist.db ]; then + sqlite3 %{_var}/spool/exim/db/greylist.db < %{_sysconfdir}/exim/mk-greylist-db.sql + chown exim.exim %{_var}/spool/exim/db/greylist.db + chmod 0660 %{_var}/spool/exim/db/greylist.db +fi + +%files +%attr(4755,root,root) %{_sbindir}/exim +%{_sbindir}/exim_dumpdb +%{_sbindir}/exim_fixdb +%{_sbindir}/exim_tidydb +%{_sbindir}/exinext +%{_sbindir}/exiwhat +%{_sbindir}/exim_dbmbuild +%{_sbindir}/exicyclog +%{_sbindir}/exigrep +%{_sbindir}/eximstats +%{_sbindir}/exipick +%{_sbindir}/exiqgrep +%{_sbindir}/exiqsumm +%{_sbindir}/exim_lock +%{_sbindir}/exim_checkaccess +%{_sbindir}/convert4r4 +%{_sbindir}/sendmail.exim +%{_bindir}/mailq.exim +%{_bindir}/runq.exim +%{_bindir}/rsmtp.exim +%{_bindir}/rmail.exim +%{_bindir}/newaliases.exim +/usr/lib/sendmail.exim +%{_mandir}/man8/* +%dir %{_libdir}/exim +%dir %{_libdir}/exim/%{version}-%{release} +%dir %{_libdir}/exim/%{version}-%{release}/lookups + +%defattr(-,exim,exim) +%dir %{_var}/spool/exim +%dir %{_var}/spool/exim/db +%dir %{_var}/spool/exim/input +%dir %{_var}/spool/exim/msglog +%dir %{_var}/log/exim + +%defattr(-,root,root) +%dir %{_sysconfdir}/exim +%config(noreplace) %{_sysconfdir}/exim/exim.conf +%config(noreplace) %{_sysconfdir}/exim/trusted-configs +%config(noreplace) %{_sysconfdir}/sysconfig/exim +%{_unitdir}/exim.service +%{_libexecdir}/exim-gen-cert +%config(noreplace) %{_sysconfdir}/logrotate.d/exim +%config(noreplace) %{_sysconfdir}/pam.d/exim +%{_sysconfdir}/cron.daily/exim-tidydb + +%license LICENCE NOTICE +%doc ACKNOWLEDGMENTS README.UPDATING README +%doc doc util/unknownuser.sh + +%attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) /etc/pki/tls/certs/exim.pem +%attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) /etc/pki/tls/private/exim.pem + +%attr(0755,root,root) %ghost %{_sbindir}/sendmail +%attr(0755,root,root) %ghost %{_bindir}/mailq +%attr(0755,root,root) %ghost %{_bindir}/runq 
+%attr(0755,root,root) %ghost %{_bindir}/rsmtp +%attr(0755,root,root) %ghost %{_bindir}/rmail +%attr(0755,root,root) %ghost %{_bindir}/newaliases +%attr(0755,root,root) %ghost /usr/lib/sendmail +%ghost %{_sysconfdir}/pam.d/smtp +%ghost %{_mandir}/man1/mailq.1.gz + +%files mysql +%{_libdir}/exim/%{version}-%{release}/lookups/mysql.so + +%files pgsql +%{_libdir}/exim/%{version}-%{release}/lookups/pgsql.so + +%files mon +%{_sbindir}/eximon +%{_sbindir}/eximon.bin + +%if %{with clamav} +%post clamav +/bin/mkdir -pm 0750 %{_var}/run/clamd.exim +/bin/chown exim:exim %{_var}/run/clamd.exim +/bin/touch %{_var}/log/clamd.exim +/bin/chown exim.exim %{_var}/log/clamd.exim +/sbin/restorecon %{_var}/log/clamd.exim +if [ $1 -eq 1 ] ; then + /bin/systemctl daemon-reload >/dev/null 2>&1 || : +fi + +%preun clamav +if [ $1 = 0 ]; then + /bin/systemctl --no-reload clamd.exim.service > /dev/null 2>&1 || : + /bin/systemctl stop clamd.exim.service > /dev/null 2>&1 || : +fi + +%postun clamav +/bin/systemctl daemon-reload >/dev/null 2>&1 || : +if [ $1 -ge 1 ] ; then + /bin/systemctl try-restart clamd.exim.service >/dev/null 2>&1 || : +fi + +%files clamav +%{_sbindir}/clamd.exim +%{_unitdir}/clamd.exim.service +%config(noreplace) %verify(not mtime) %{_sysconfdir}/clamd.d/exim.conf +%config(noreplace) %verify(not mtime) %{_sysconfdir}/sysconfig/clamd.exim +%config(noreplace) %verify(not mtime) %{_sysconfdir}/logrotate.d/clamd.exim +%{_tmpfilesdir}/exim-clamav.conf +%ghost %attr(0750,exim,exim) %dir %{_var}/run/clamd.exim +%ghost %attr(0644,exim,exim) %{_var}/log/clamd.exim +%endif + +%files greylist +%config %{_sysconfdir}/exim/exim-greylist.conf.inc +%ghost %{_var}/spool/exim/db/greylist.db +%{_sysconfdir}/exim/mk-greylist-db.sql +%{_sysconfdir}/cron.daily/greylist-tidy.sh + +%changelog +* Fri Sep 6 2019 Jaroslav Škarvada - 4.92.2-1 +- New version + Resolves: CVE-2019-15846 + +* Tue Aug 20 2019 Jaroslav Škarvada - 4.92.1-1 +- New version + Resolves: rhbz#1742312 + +* Thu Jul 25 2019 Fedora 
Release Engineering - 4.92-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu May 30 2019 Jitka Plesnikova - 4.92-8 +- Perl 5.30 rebuild + +* Wed Mar 27 2019 Jaroslav Škarvada - 4.92-7 +- Enabled DANE support + Resolves: rhbz#1693202 + +* Wed Mar 20 2019 Peter Robinson 4.92-6 +- Drop F-23 conditionals, and related obsolete bits + +* Tue Mar 19 2019 Jaroslav Škarvada - 4.92-5 +- Processed greylist.db by cron job only if it has non zero size + Resolves: rhbz#1689211 + +* Mon Mar 4 2019 Jaroslav Škarvada - 4.92-4 +- Fixed greylist-conf patch + Related: rhbz#1679274 + +* Sat Mar 2 2019 Tim Landscheidt - 4.92-3 +- Fix syntax error in exim.conf (#1679274) +- Use properly compressed empty mailq.1.gz as ghost file +- Add basic check that configuration file is valid + +* Wed Feb 20 2019 Marcel Härry - 4.92-2 +- Enable proxy and socks support + Resolves: rhbz#1542870 + +* Mon Feb 11 2019 Jaroslav Škarvada - 4.92-1 +- New version + Resolves: rhbz#1674282 + +* Thu Jan 31 2019 Fedora Release Engineering - 4.91-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Jan 14 2019 Björn Esser - 4.91-5 +- Rebuilt for libcrypt.so.2 (#1666033) + +* Fri Jul 20 2018 Jaroslav Škarvada - 4.91-4 +- Fixed FTBFS by adding gcc requirement + +* Fri Jul 13 2018 Fedora Release Engineering - 4.91-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jun 27 2018 Jitka Plesnikova - 4.91-2 +- Perl 5.28 rebuild + +* Thu Apr 19 2018 Jaroslav Škarvada - 4.91-1 +- New version + Resolves: rhbz#1567670 +- Dropped dec64table-read-fix patch (already upstream) +- De-fuzzified patches + +* Wed Mar 14 2018 Jaroslav Škarvada - 4.90.1-4 +- Fixed dec64table OOB read in b64decode +- De-fuzzified nsl-fix patch + +* Fri Feb 16 2018 Jaroslav Škarvada - 4.90.1-3 +- Dropped dynlookup-config patch (merged into config patch) + +* Fri Feb 16 2018 Jaroslav Škarvada - 4.90.1-2 +- Fixed mysql module + +* Tue Feb 13 2018 Jaroslav Škarvada - 
4.90.1-1 +- New version + Resolves: rhbz#1527710 +- Fixed buffer overflow in utility function + Resolves: CVE-2018-6789 +- Updated and defuzzified patches +- Dropped mariadb-macro-fix patch (not needed) +- Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943, + CVE-2017-16944 patches (all upstreamed) + +* Wed Feb 07 2018 Fedora Release Engineering - 4.89-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Jan 20 2018 Björn Esser - 4.89-11 +- Rebuilt for switch to libxcrypt + +* Wed Jan 17 2018 Jaroslav Škarvada - 4.89-10 +- Fixed FTBFS due to NIS removal from glibc + Resolves: rhbz#1534920 + +* Fri Dec 1 2017 Jaroslav Škarvada - 4.89-9 +- Fixed denial of service + Resolves: CVE-2017-16944 + +* Thu Nov 30 2017 Jaroslav Škarvada - 4.89-8 +- Dropped tcp_wrappers support + Resolves: rhbz#1518763 + +* Mon Nov 27 2017 Jaroslav Škarvada - 4.89-7 +- Fixed use-after-free + Resolves: CVE-2017-16943 + +* Fri Nov 10 2017 Jaroslav Škarvada - 4.89-6 +- Used mariadb-connector-c-devel instead of mysql-devel + Resolves: rhbz#1494094 + +* Fri Aug 18 2017 Jaroslav Škarvada - 4.89-5 +- Fixed compilation with the mariadb-10.2 + Resolves: rhbz#1467312 +- Fixed multiple memory leaks + Resolves: CVE-2017-1000369 +- Fixed typo causing exim-clamav to create /0750 directory + Resolves: rhbz#1412028 +- On callout avoid SIZE option when doing recipient verification with + caching enabled + Resolves: rhbz#1482217 +- Fixed some minor whitespace problems in the spec + +* Wed Aug 02 2017 Fedora Release Engineering - 4.89-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 4.89-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sun Jun 04 2017 Jitka Plesnikova - 4.89-2 +- Perl 5.26 rebuild + +* Wed Mar 8 2017 Jaroslav Škarvada - 4.89-1 +- New version + Resolves: rhbz#1430156 +- Switched to xz archive +- Dropped DKIM-fix patch (already upstream) + +* Fri Feb 10 2017 
Fedora Release Engineering - 4.88-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Jan 23 2017 Jaroslav Škarvada - 4.88-3 +- Fixed DKIM +- Defuzzified patches and fixed some whitespaces + +* Sat Jan 14 2017 Ville Skyttä - 4.88-2 +- Move tmpfiles.d config to %%{_tmpfilesdir} +- Install license files as %%license + +* Sun Dec 25 2016 David Woodhouse - 4.88-1 +- Update to 4.88 (CVE-2016-9963 / rhbz#1405323) + +* Thu Jun 9 2016 Jaroslav Škarvada - 4.87-5 +- Allow configuration of user:group through sysconfig + Resolves: rhbz#1344250 + +* Sat May 14 2016 Jitka Plesnikova - 4.87-4 +- Perl 5.24 rebuild + +* Wed May 4 2016 Jaroslav Škarvada - 4.87-3 +- Dropped sa-exim which has been obsoleted long time ago by the proper + built-in ACL support +- Unconditionalized sources + Resolves: rhbz#1332211 + +* Mon Apr 18 2016 Jaroslav Škarvada - 4.87-2 +- Used sane environment defaults in default configuration + Resolves: rhbz#1323775 + +* Sun Apr 10 2016 Jaroslav Škarvada - 4.87-1 +- New version + Resolves: rhbz#1325557 + +* Thu Mar 3 2016 Jaroslav Škarvada - 4.86.2-1 +- New version + Resolves: rhbz#1314118 +- Fixed local privilege escalation for set-uid root when using perl_startup + Resolves: CVE-2016-1531 +- Defuzzified patches + +* Wed Feb 03 2016 Fedora Release Engineering - 4.86-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Mon Nov 2 2015 Jaroslav Škarvada - 4.86-3 +- Fixed exim-gen-cert not to output error on success + +* Fri Sep 18 2015 Jaroslav Škarvada - 4.86-2 +- Hardened build, rebuilt with the full RELRO (only the daemon) + +* Mon Jul 27 2015 Jaroslav Škarvada - 4.86-1 +- New version + Resolves: rhbz#1246923 +- Updated and defuzzified patches + +* Wed Jun 17 2015 Fedora Release Engineering - 4.85-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jun 03 2015 Jitka Plesnikova - 4.85-4 +- Perl 5.22 rebuild + +* Tue Mar 10 2015 Adam Jackson 4.85-3 +- Drop sysvinit subpackages for 
F23+ + +* Tue Feb 10 2015 Jaroslav Škarvada - 4.85-2 +- Shared objects are now compiled with PIC, not PIE, which is needed for gcc-5, + (by pic patch) + Resolves: rhbz#1190784 + +* Tue Jan 13 2015 Jaroslav Škarvada - 4.85-1 +- New version + Resolves: rhbz#1181479 +- De-fuzzified config and dlopen-localscan patches + +* Fri Oct 10 2014 Jaroslav Škarvada - 4.84-4 +- Do not override LFLAGS (problem reported by Todd Lyons) + +* Tue Aug 26 2014 Jitka Plesnikova - 4.84-3 +- Perl 5.20 rebuild + +* Sat Aug 16 2014 Fedora Release Engineering - 4.84-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Aug 12 2014 Jaroslav Škarvada - 4.84-1 +- New version + Resolves: rhbz#1129036 +- De-fuzzified dlopen-localscan patch + +* Wed Jul 23 2014 Jaroslav Škarvada - 4.83-1 +- New version + Resolves: CVE-2014-2972 +- De-fuzzified patches + +* Wed Jul 9 2014 Jaroslav Škarvada - 4.82.1-4 +- Do not build clamav on RHEL +- Fixed build without clamav + +* Wed Jul 9 2014 Jaroslav Škarvada - 4.82.1-3 +- Dropped support for FC6 and earlier, without sa and with clamav are + now the defaults, they can be overriden by --with / --without + +* Sat Jun 07 2014 Fedora Release Engineering - 4.82.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon Jun 2 2014 Jaroslav Škarvada - 4.82.1-1 +- New version + +* Tue Oct 29 2013 Jaroslav Škarvada - 4.82-1 +- New version + Resolves: rhbz#1024196 +- Fixed bogus dates in the changelog (best effort) +- De-fuzzified patches +- Fixed double packaging of mailq.1.gz + +* Sat Aug 03 2013 Petr Pisar - 4.80.1-6 +- Perl 5.18 rebuild + +* Sat Jul 27 2013 Jóhann B. 
Guðmundsson - 4.80.1-5 +- Add a missing requirement on crontabs to spec file + +* Wed Jul 17 2013 Petr Pisar - 4.80.1-4 +- Perl 5.18 rebuild + +* Tue Feb 26 2013 Jaroslav Škarvada - 4.80.1-3 +- Switched to systemd-rpm macros + Resolves: rhbz#850102 + +* Wed Feb 13 2013 Fedora Release Engineering - 4.80.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Fri Oct 26 2012 Jaroslav Škarvada - 4.80.1-1 +- New version + Resolves: CVE-2012-5671 + +* Thu Jul 19 2012 Fedora Release Engineering - 4.80-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Mon Jun 11 2012 Petr Pisar - 4.80-2 +- Perl 5.16 rebuild + +* Mon Jun 4 2012 Jaroslav Škarvada - 4.80-1 +- New version + Resolves: rhbz#827963 + +* Fri Apr 6 2012 Jaroslav Škarvada - 4.77-2 +- Rebuilt with libdb-5.2 + +* Wed Feb 29 2012 Jaroslav Škarvada - 4.77-1 +- New version +- Removed unused ldap-deprecated patch +- Dropped strict aliasing patch +- Built with libdb-5.2 + +* Fri Feb 10 2012 Petr Pisar - 4.76-9 +- Rebuild against PCRE 8.30 + +* Mon Feb 6 2012 Jaroslav Škarvada - 4.76-8 +- Workarounded wrong SELinux context of /var/log/clamd.exim + +* Thu Feb 2 2012 Jaroslav Škarvada - 4.76-7 +- Fixed exim-clamav to work with /var/run on tmpfs + +* Mon Jan 30 2012 Jaroslav Škarvada - 4.76-6 +- Introduced systemd unit file, thanks to Jóhann B. 
Guðmundsson + Resoloves: rhbz#721354 +- Provided SysV initscripts in sysvinit subpackages +- Used PrivateTmp + Resolves: rhbz#782502 + +* Fri Jan 13 2012 Fedora Release Engineering - 4.76-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Jun 16 2011 Marcela Mašláňová - 4.76-4 +- Perl mass rebuild + +* Mon May 09 2011 David Woodhouse - 4.76-3 +- Update to 4.76 (fixes CVE-2011-1407, CVE-2011-1764) (#702474) + +* Wed Mar 23 2011 Dan Horák - 4.73-3 +- rebuilt for mysql 5.5.10 (soname bump in libmysqlclient) + +* Tue Feb 08 2011 Fedora Release Engineering - 4.73-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 05 2011 David Woodhouse - 4.73-1 +- Update to 4.73 + +* Sat Aug 07 2010 David Woodhouse - 4.72-2 +- Fedora infrastructure ate my package; bump release and rebuild + +* Thu Jun 03 2010 David Woodhouse - 4.72-1 +- Update to 4.72 (fixes CVE-2010-2023, CVS-2010-2024) + +* Tue Jun 01 2010 Marcela Maslanova - 4.71-4 +- Mass rebuild with perl-5.12.0 + +* Thu Mar 18 2010 Miroslav Lichvar - 4.71-3 +- follow guidelines for alternatives (#570800) +- fix init script LSB compliance (#523238) +- handle undefined NETWORKING in init script (#483528) + +* Tue Feb 09 2010 Adam Jackson 4.71-2 +- Fix FTBFS with --no-add-needed + +* Thu Dec 24 2009 David Woodhouse - 4.69-20 +- Update to 4.71 + +* Fri Dec 4 2009 Stepan Kasal - 4.69-19 +- rebuild against perl 5.10.1 + +* Mon Oct 05 2009 David Woodhouse - 4.69-18 +- Fix typo in clamd %%post (#527085) + +* Wed Sep 16 2009 Tomas Mraz - 4.69-17 +- Use password-auth common PAM configuration instead of system-auth + +* Mon Aug 31 2009 David Woodhouse - 4.69-16 +- Create group for exim with correct gid (#518706) +- Allow expansion of spamd_address + +* Fri Aug 21 2009 Tomas Mraz - 4.69-15 +- rebuilt with new openssl + +* Tue Aug 18 2009 Miroslav Lichvar - 4.69-14 +- Move certificate generation to init script (#517013) +- Fix strict aliasing warning + +* Wed Aug 12 2009 David 
Woodhouse - 4.69-13 +- Cope with lack of /etc/sysconfig/network (#506330) +- Require /etc/pki/tls/ directories +- Provide exim-tidydb cron job (#481426) +- Provide clamd.exim log file (#452358) + +* Fri Jul 24 2009 Fedora Release Engineering - 4.69-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sat May 23 2009 Michael Schwendt - 4.69-11 +- Add subpackage dependencies to fix unowned directories (#474869). +- Add missing defattr. + +* Tue Feb 24 2009 Fedora Release Engineering - 4.69-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Sat Jan 24 2009 Caolán McNamara 4.69-9 +- rebuild for dependencies + +* Thu Aug 28 2008 Michael Schwendt 4.69-8 +- Include unowned directories. + +* Wed Aug 13 2008 David Woodhouse 4.69-7 +- Rediff all patches to cope with new zero-fuzz policy + +* Wed Aug 13 2008 David Woodhouse 4.69-6 +- Add $RPM_OPT_FLAGS in config instead of overriding on make command line. + (to fix the setting of largefile options which we were killing) + +* Sat Apr 19 2008 David Woodhouse 4.69-5 +- Add dynamic lookup patch, split into subpackages (#199256) + +* Tue Mar 18 2008 Tom "spot" Callaway 4.69-4 +- add Requires for versioned perl (libperl.so) + +* Mon Mar 17 2008 David Woodhouse 4.69-3 +- Rebuild for new perl + +* Mon Feb 04 2008 Dennis Gilmore 4.69-2 +- sparc needs -fPIE not -fpie + +* Thu Jan 03 2008 David Woodhouse 4.69-1 +- Update to 4.69 +- Provide server(smtp) (#380611) + +* Wed Dec 05 2007 David Woodhouse 4.68-3 +- Rebuild for OpenSSL/OpenLDAP + +* Sun Nov 25 2007 David Woodhouse 4.68-2 +- Fix handling of IPv6 addresses as "known resenders" in example greylist + configuration + +* Fri Aug 31 2007 David Woodhouse 4.68-1 +- Update to 4.68 + +* Wed Aug 22 2007 David Woodhouse 4.67-5 +- Handle open() being a macro + +* Wed Aug 22 2007 David Woodhouse 4.67-4 +- Update licence + +* Wed Aug 22 2007 David Woodhouse 4.67-3 +- Rebuild + +* Wed Jun 27 2007 David Woodhouse 4.67-2 +- Fix typo in config 
(#246799) + +* Wed Jun 27 2007 David Woodhouse 4.67-1 +- Update to 4.67 +- Add config example for using a smarthost, with SMTP AUTH. + +* Thu Feb 8 2007 David Woodhouse 4.66-3 +- Improve documentation and error handling in greylist ACL. +- Require HELO before mail + +* Wed Feb 7 2007 David Woodhouse 4.66-2 +- Add example of greylisting implementation in Exim ACLs + +* Tue Feb 6 2007 David Woodhouse 4.66-1 +- Update to 4.66 +- Add dovecot authenticator +- Add 'reload' in init script (#219174) + +* Tue Oct 17 2006 Christian Iseli 4.63-6 +- Own /etc/exim directory + +* Thu Oct 05 2006 Christian Iseli 4.63-5 +- rebuilt for unwind info generation, broken in gcc-4.1.1-21 + +* Mon Sep 25 2006 David Woodhouse - 4.63-4 +- Set home_directory on lmtp_transport by default + +* Sun Sep 3 2006 David Woodhouse - 4.63-3 +- chmod +x /etc/init.d/clamd.exim +- Make exim-clamav package require exim (since it uses the same uid) + +* Sun Sep 3 2006 David Woodhouse - 4.63-2 +- Add procmail router and transport (#146848) +- Add localhost and localhost.localdomain as local domains (#198511) +- Fix mispatched authenticators (#204591) +- Other cleanups of config file and extra examples +- Add exim-clamav subpackage +- Use existing TLS cert on upgrade, even though it moved + +* Sat Aug 26 2006 David Woodhouse - 4.63-1 +- Update to 4.63 +- Disable sa-exim, but leave the dlopen patch in + +* Wed Jul 19 2006 Thomas Woerner - 4.62-6 +- final version +- changed permissions of /etc/pki/tls/*/exim.pem to 0600 +- config(noreplace) for /etc/logrotate.d/exim, /etc/pam.d/exim and + /etc/sysconfig/exim + +* Mon Jul 17 2006 Thomas Woerner - 4.62-5 +- fixed certs path +- fixed permissions for some binaries +- fixed pam file to use include instead of pam_stack + +* Tue Jul 4 2006 David Woodhouse 4.62-4 +- Package review + +* Wed Jun 28 2006 David Woodhouse 4.62-3 +- BR tcp_wrappers + +* Tue May 2 2006 David Woodhouse 4.62-2 +- Bump release to work around 'make tag' error + +* Tue May 2 2006 David Woodhouse 
4.62-1 +- Update to 4.62 + +* Fri Apr 7 2006 David Woodhouse 4.61-2 +- Define LDAP_DEPRECATED to ensure ldap functions are all declared. + +* Tue Apr 4 2006 David Woodhouse 4.61-1 +- Update to 4.61 + +* Thu Mar 23 2006 David Woodhouse 4.60-5 +- Fix eximon buffer overflow (#186303) + +* Tue Mar 21 2006 David Woodhouse 4.60-4 +- Actually enable Postgres + +* Tue Mar 7 2006 David Woodhouse 4.60-3 +- Rebuild + +* Tue Nov 29 2005 David Woodhouse 4.60-2 +- Require libXt-devel + +* Tue Nov 29 2005 David Woodhouse 4.60-1 +- Update to 4.60 + +* Sun Nov 13 2005 David Woodhouse 4.54-4 +- Fix 64-bit build + +* Fri Nov 11 2005 David Woodhouse 4.54-3 +- Update X11 BuildRequires + +* Wed Oct 5 2005 David Woodhouse 4.54-2 +- Rebuild for new OpenSSL +- Add MySQL and Postgres support to keep jgarzik happy + +* Wed Oct 5 2005 David Woodhouse 4.54-1 +- Update to Exim 4.54 +- Enable sqlite support + +* Thu Aug 25 2005 David Woodhouse 4.52-2 +- Use system PCRE + +* Fri Jul 1 2005 David Woodhouse 4.52-1 +- Update to Exim 4.52 + +* Thu Jun 16 2005 David Woodhouse 4.51-3 +- Rebuild for -devel + +* Thu Jun 16 2005 David Woodhouse 4.51-2 +- Update CSA patch + +* Wed May 4 2005 David Woodhouse 4.51-1 +- Update to Exim 4.51 +- Include Tony's CSA support patch + +* Tue Feb 22 2005 David Woodhouse 4.50-2 +- Move exim-doc into a separate package + +* Tue Feb 22 2005 David Woodhouse 4.50-1 +- Update to Exim 4.50 and sa-exim 4.2 +- Default headers_charset to utf-8 +- Add sample spamd stuff to default configuration like exiscan-acl used to + +* Sat Jan 15 2005 David Woodhouse 4.44-1 +- Update to Exim 4.44 and exiscan-acl-4.44-28 + +* Tue Jan 4 2005 David Woodhouse 4.43-4 +- Fix buffer overflows in host_aton() and SPA authentication + +* Thu Dec 16 2004 David Woodhouse 4.43-3 +- Demonstrate SASL auth configuration in default config file +- Enable TLS and provide certificate if necessary +- Don't reject all GB2312 charset mail by default + +* Mon Dec 6 2004 Thomas Woerner 4.43-2 +- rebuild + +* Thu 
Oct 7 2004 Thomas Woerner 4.43-1 +- new version 4.43 with sasl support +- new exiscan-acl-4.43-28 +- new config.samples and FAQ-html (added publication date) +- new BuildRequires for cyrus-sasl-devel openldap-devel openssl-devel + and PreReq for cyrus-sasl openldap openssl + +* Mon Sep 13 2004 Thomas Woerner 4.42-2 +- update to sa-exim-4.1: fixes spamassassin's new score= string (#131796) + +* Fri Aug 27 2004 Thomas Woerner 4.42-1 +- new version 4.42 + +* Mon Aug 2 2004 Thomas Woerner 4.41-1 +- new version 4.41 + +* Fri Jul 2 2004 Thomas Woerner 4.34-3 +- added pre-definition of local_delivery using Cyrus-IMAP (#122912) +- added BuildRequires for pam-devel (#124555) +- fixed format string bugs (#125117) +- fixed sa-exim code placed wrong in spec file (#127102) +- extended postun with alternatives call + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Wed May 12 2004 David Woodhouse 4.34-1 +- Update to Exim 4.34, exiscan-acl 4.34-21 + +* Sat May 8 2004 David Woodhouse 4.33-2 +- fix buffer overflow in header_syntax check + +* Wed May 5 2004 David Woodhouse 4.33-1 +- Update to Exim 4.33, exiscan-acl 4.33-20 to + fix crashes both in exiscan-acl and Exim itself. + +* Fri Apr 30 2004 David Woodhouse 4.32-2 +- Enable IPv6 support, Cyrus saslauthd support, iconv. + +* Thu Apr 15 2004 David Woodhouse 4.32-1 +- update to Exim 4.32, exiscan-acl 4.32-17, sa-exim 4.0 +- Fix Provides: and Source urls. +- include exiqgrep, exim_checkaccess, exipick +- require /etc/aliases instead of setup + +* Tue Feb 24 2004 Thomas Woerner 4.30-6.1 +- rebuilt + +* Mon Feb 23 2004 Tim Waugh +- Use ':' instead of '.' as separator for chown. 
+ +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Tue Jan 27 2004 Thomas Woerner 4.30-5 +- /usr/lib/sendmail is in alternatives, now +- /etc/alises is now in setup: new Requires for setup >= 2.5.31-1 + +* Tue Jan 13 2004 Thomas Woerner 4.30-4 +- fixed group test in init script +- fixed config patch: use /etc/exim/exim.conf instead of /usr/exim/exim4.conf + +* Wed Dec 10 2003 Nigel Metheringham - 4.30-3 +- Use exim.8 manpage from upstream +- Add eximstats.8 man page (from pod) +- Fixed mailq(1) man page alternatives links + +* Mon Dec 08 2003 Florian La Roche +- do not package /etc/aliases. We currently require sendmail rpm until + /etc/aliases moves into a more suitable rpm like "setup" or something else. + +* Thu Dec 4 2003 Thomas Woerner 4.30-1 +- new version 4.30 +- new exiscan-acl-4.30-14 +- disabled pie for s390 and s390x + +* Wed Dec 3 2003 Tim Waugh +- Fixed PIE support to make it actually work. + +* Wed Dec 3 2003 Thomas Woerner 4.24-1.2 +- added -fPIE to CFLAGS + +* Sat Nov 15 2003 Thomas Woerner 4.24-1.1 +- fixed useradd in pre +- fixed alternatives in post + +* Thu Nov 13 2003 Thomas Woerner 4.24-1 +- new version 4.24 with LDAP and perl support +- added SpamAssassin sa plugin + +* Mon Sep 23 2002 Bernhard Rosenkraenzer 3.36-1 +- 3.36, fixes security bugs + +* Thu Jun 21 2001 Tim Waugh 3.22-14 +- Bump release number. + +* Tue Jun 12 2001 Tim Waugh 3.22-13 +- Remove pam-devel build dependency in order to share package between + Guinness and Seawolf. + +* Fri Jun 8 2001 Tim Waugh 3.22-12 +- Fix format string bug. + +* Wed May 2 2001 Tim Waugh 3.22-11 +- SIGALRM patch from maintainer (bug #20908). +- There's no README.IPV6 any more (bug #32378). +- Fix logrotate entry for exim's pidfile scheme (bug #35436). +- ignore_target_hosts crash fix from maintainer. +- Make the summary start with a capital letter. +- Add reload entry to initscript; use $0 in strings. 
+ +* Sun Mar 4 2001 Tim Waugh 3.22-10 +- Make sure db ownership is correct on upgrade, since we don't run as + root when running as a daemon any more. + +* Fri Mar 2 2001 Tim Powers +- rebuilt against openssl-0.9.6-1 + +* Sat Feb 17 2001 Tim Waugh +- Run as user mail, group mail when we drop privileges (bug #28193). + +* Tue Feb 13 2001 Tim Powers +- added conflict with postfix + +* Thu Jan 25 2001 Tim Waugh +- Avoid using zero-length salt in crypteq expansion. + +* Tue Jan 23 2001 Tim Waugh +- Redo initscript internationalisation. +- Initscript uses bash not sh. + +* Mon Jan 22 2001 Tim Waugh +- Okay, the real bug was in libident. + +* Mon Jan 22 2001 Tim Waugh +- Revert the RST patch for now; if it's needed, it's a pidentd bug + and should be fixed there. + +* Mon Jan 22 2001 Tim Waugh +- 3.22. +- Build requires XFree86-devel. + +* Mon Jan 15 2001 Tim Waugh +- New-style prereqs. +- Initscript internationalisation. + +* Thu Jan 11 2001 Tim Waugh +- Security patch no longer required; 3.20 and later have a hide feature + to do the same thing. +- Mark exim.conf noreplace. +- Better libident (RST) patch. + +* Wed Jan 10 2001 Tim Waugh +- Fix eximconfig so that it tells the user the correct place to look + for documentation +- Fix configure.default to deliver mail as group mail so that local + delivery works + +* Tue Jan 09 2001 Tim Waugh +- 3.21 + +* Mon Jan 08 2001 Tim Waugh +- Enable TLS support (bug #23196) + +* Mon Jan 08 2001 Tim Waugh +- 3.20 (bug #21895). 
Absorbs configure.default patch +- Put URLs in source tags where applicable +- Add build requirement on pam-devel + +* Wed Oct 18 2000 Bernhard Rosenkraenzer +- Fix up eximconfig's header generation (we're not Debian), Bug #18068 +- BuildRequires db2-devel (Bug #18089) +- Fix typo in logrotate script (Bug #18308) +- Local delivery must be setuid to work (Bug #18314) +- Don't send TCP RST packages to ident (Bug #19048) + +* Wed Oct 18 2000 Bernhard Rosenkraenzer +- 3.16 +- fix security bug +- some specfile cleanups +- fix handling of RPM_OPT_FLAGS + +* Fri Aug 18 2000 Tim Powers +- fixed bug #16535, logrotate script changes + +* Thu Aug 17 2000 Tim Powers +- fixed bug #16460 +- fixed bug #16458 +- fixed bug #16476 + +* Wed Aug 2 2000 Tim Powers +- fixed bug #15142 + +* Fri Jul 28 2000 Than Ngo +- add missing restart function in startup script +- add rm -rf $RPM_BUILD_ROOT in install section +- use %%{_tmppath} + +* Fri Jul 28 2000 Tim Powers +- fixed initscript so that condrestart doesn't return 1 when the test fails + +* Mon Jul 24 2000 Prospector +- rebuilt + +* Mon Jul 17 2000 Tim Powers +- inits bakc to rc.d/init.d, using service to start inits + +* Thu Jul 13 2000 Tim Powers +- applied patch from bug #13890 + +* Mon Jul 10 2000 Tim Powers +- rebuilt + +* Thu Jul 06 2000 Tim Powers +- added patch submitted by , fixes bug #13539 + +* Thu Jul 06 2000 Tim Powers +- fixed broken prereq to require /etc/init.d + +* Tue Jun 27 2000 Tim Powers +- PreReq initscripts >= 5.20 + +* Mon Jun 26 2000 Tim Powers +- fix init.d script location +- add condrestart to init.d script + +* Wed Jun 14 2000 Nalin Dahyabhai +- migrate to system-auth setup + +* Tue Jun 6 2000 Tim Powers +- fixed man page location + +* Tue May 9 2000 Tim Powers +- rebuilt for 7.0 + +* Fri Feb 04 2000 Tim Powers +- fixed the groups to be in Red Hat groups. +- removed Vendor header since it is going to be marked Red Hat in our build + system. 
+- quiet setups +- strip binaries +- fixed so that man pages can be auto gzipped by new RPM (in files list + /usr/man/*/* ) +- built for Powertools 6.2 + +* Tue Jan 18 2000 Mark Bergsma +- Upgraded to exim 3.13 +- Removed i386 specialization +- Added syslog support + +* Wed Dec 8 1999 Mark Bergsma +- Upgraded to exim 3.12 +- Procmail no longer used as the delivery agent + +* Wed Dec 1 1999 Mark Bergsma +- Upgraded to exim 3.11 + +* Sat Nov 27 1999 Mark Bergsma +- Added /etc/pam.d/exim + +* Wed Nov 24 1999 Mark Bergsma +- Upgraded to exim 3.10 + +* Thu Nov 11 1999 Mark Bergsma +- Added eximconfig script, thanks to Mark Baker +- Exim now uses the Berkeley DB library. + +* Wed Aug 4 1999 Mark Bergsma +- Upgraded to version 3.03 +- Removed version number out of the spec file name. + +* Fri Jul 23 1999 Mark Bergsma +- Added embedded Perl support. +- Added tcp_wrappers support. +- Added extra documentation in a new doc subpackage. + +* Mon Jul 12 1999 Mark Bergsma +- Added /usr/sbin/sendmail as a link to exim. +- Fixed wrong filenames in logrotate entry. + +* Sun Jul 11 1999 Mark Bergsma +- Now using the '%%changelog' tag. +- Removed the SysV init links - let chkconfig handle them. +- Replaced install -d with mkdir -p + +* Sat Jul 10 1999 Mark Bergsma +- Fixed owner of the exim-mon files - the owner is now root + +* Thu Jul 08 1999 Mark Bergsma +- Removed executable permission bits of /etc/exim.conf +- Removed setuid permission bits of all programs except exim +- Changed spool/log directory owner/groups to 'mail' +- Changed the default configuration file to make exim run + as user and group 'mail'. + +* Thu Jul 08 1999 Mark Bergsma +- Added the /usr/bin/rmail -> /usr/sbin/exim symlink. +- Added the convert4r3 script. +- Added the transport-filter.pl script to the documentation. + +* Thu Jul 08 1999 Mark Bergsma +- Added procmail transport and director, and made that the + default. +- Added the unknownuser.sh script to the documentation. 
+
+* Thu Jul 08 1999 Mark Bergsma
+- Added manpage for exim.
+- Fixed symlinks pointing to targets under Buildroot.
+- The exim logfiles will now only be removed when uninstalling,
+ not upgrading.
+
+* Wed Jul 07 1999 Mark Bergsma
+- First RPM packet release.
+- Not tested on other architectures/OS'es than i386/Linux..
diff --git a/exim.sysconfig b/exim.sysconfig
new file mode 100644
index 0000000..69e525d
--- /dev/null
+++ b/exim.sysconfig
@@ -0,0 +1,4 @@
+DAEMON=yes
+QUEUE=1h
+USER=exim
+GROUP=exim
diff --git a/greylist-tidy.sh b/greylist-tidy.sh
new file mode 100755
index 0000000..20251f4
--- /dev/null
+++ b/greylist-tidy.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [ -s /var/spool/exim/db/greylist.db ]; then
+ sqlite3 /var/spool/exim/db/greylist.db <
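Review bot: The new exim.sysconfig carries four bare assignments with no comments, so nothing tells an administrator what consumes DAEMON and QUEUE or what changing USER and GROUP does. The spec's 4.87-5 changelog entry says user:group became configurable through sysconfig, and the spec packages the spool and log directories as exim:exim, so a value other than exim here presumably needs matching ownership changes; that is worth stating in the file. I would add a short header such as `# USER/GROUP: unprivileged account the daemon runs as; keep in sync with ownership of /var/spool/exim and /var/log/exim`, plus one line each for DAEMON and QUEUE. The script or unit that reads this file is not visible in this part of the diff, so the wording should be checked against it.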