New version

Resolves: rhbz#2100385

exim-4.95-config.patch

@@ -12,7 +12,7 @@ index 61368ec..e8fe9ef 100755
    echo "" >>$mft
    cat $mftt >> $mft
 diff --git a/src/EDITME b/src/EDITME
-index 8da36a3..088cf75 100644
+index f4329fa..9a9c92d 100644
 --- a/src/EDITME
 +++ b/src/EDITME
 @@ -99,7 +99,7 @@
@@ -52,7 +52,7 @@ index 8da36a3..088cf75 100644
  # Many sites define a user called "exim", with an appropriate default group,
  # and use
 @@ -210,10 +210,10 @@ SPOOL_DIRECTORY=/var/spool/exim
- # If you are buliding with TLS, the library configuration must be done:
+ # If you are building with TLS, the library configuration must be done:
  
  # Uncomment this if you are using OpenSSL
 -# USE_OPENSSL=yes
@@ -64,7 +64,7 @@ index 8da36a3..088cf75 100644
  # TLS_LIBS=-lssl -lcrypto
  # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
  
-@@ -337,7 +337,7 @@ TRANSPORT_SMTP=yes
+@@ -340,7 +340,7 @@ TRANSPORT_SMTP=yes
  # This one is special-purpose, and commonly not required, so it is not
  # included by default.
  
@@ -73,7 +73,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -346,9 +346,9 @@ TRANSPORT_SMTP=yes
+@@ -349,9 +349,9 @@ TRANSPORT_SMTP=yes
  # MBX, is included only when requested. If you do not know what this is about,
  # leave these settings commented out.
  
@@ -86,7 +86,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -406,20 +406,25 @@ LOOKUP_DBM=yes
+@@ -409,22 +409,27 @@ LOOKUP_DBM=yes
  LOOKUP_LSEARCH=yes
  LOOKUP_DNSDB=yes
  
@@ -97,16 +97,17 @@ index 8da36a3..088cf75 100644
  # LOOKUP_IBASE=yes
  # LOOKUP_JSON=yes
 -# LOOKUP_LDAP=yes
--# LOOKUP_MYSQL=yes
--# LOOKUP_MYSQL_PC=mariadb
--# LOOKUP_NIS=yes
--# LOOKUP_NISPLUS=yes
 +LOOKUP_LDAP=yes
 +LDAP_LIB_TYPE=OPENLDAP2
 +LOOKUP_INCLUDE=-I/usr/include/mysql
 +LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient
+ # LOOKUP_LMDB=yes
+ 
+-# LOOKUP_MYSQL=yes
 +LOOKUP_MYSQL=2
-+#LOOKUP_MYSQL_PC=mariadb
+ # LOOKUP_MYSQL_PC=mariadb
+-# LOOKUP_NIS=yes
+-# LOOKUP_NISPLUS=yes
 +LOOKUP_NIS=yes
 +LOOKUP_NISPLUS=yes
 +
@@ -122,7 +123,7 @@ index 8da36a3..088cf75 100644
  # LOOKUP_SQLITE_PC=sqlite3
  # LOOKUP_WHOSON=yes
  
-@@ -432,7 +437,7 @@ LOOKUP_DNSDB=yes
+@@ -437,7 +442,7 @@ LOOKUP_DNSDB=yes
  
  
  # Some platforms may need this for LOOKUP_NIS:
@@ -131,7 +132,7 @@ index 8da36a3..088cf75 100644
  
  #------------------------------------------------------------------------------
  # If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate
-@@ -498,7 +503,7 @@ SUPPORT_DANE=yes
+@@ -504,7 +509,7 @@ SUPPORT_DANE=yes
  # files are defaulted in the OS/Makefile-Default file, but can be overridden in
  # local OS-specific make files.
  
@@ -140,7 +141,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -508,7 +513,7 @@ SUPPORT_DANE=yes
+@@ -514,7 +519,7 @@ SUPPORT_DANE=yes
  # and the MIME ACL. Please read the documentation to learn more about these
  # features.
  
@@ -149,10 +150,10 @@ index 8da36a3..088cf75 100644
  
  # If you have content scanning you may wish to only include some of the scanner
  # interfaces.  Uncomment any of these lines to remove that code.
-@@ -595,12 +600,12 @@ DISABLE_MAL_MKS=yes
+@@ -607,12 +612,12 @@ DISABLE_MAL_MKS=yes
- 
- # Uncomment the following line to add DMARC checking capability, implemented
  # using libopendmarc libraries. You must have SPF and DKIM support enabled also.
+ # Library version libopendmarc-1.4.1-1.fc33.x86_64  (on Fedora 33) is known broken;
+ # 1.3.2-3 works.  I seems that the OpenDMARC project broke their API.
 -# SUPPORT_DMARC=yes
 +SUPPORT_DMARC=yes
  # CFLAGS += -I/usr/local/include
@@ -165,7 +166,7 @@ index 8da36a3..088cf75 100644
  
  # Uncomment the following line to add ARC (Authenticated Received Chain)
  # support.  You must have SPF and DKIM support enabled also.
-@@ -713,7 +718,7 @@ FIXED_NEVER_USERS=root
+@@ -712,7 +717,7 @@ FIXED_NEVER_USERS=root
  # CONFIGURE_OWNER setting, to specify a configuration file which is listed in
  # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
  
@@ -174,7 +175,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -758,18 +763,18 @@ FIXED_NEVER_USERS=root
+@@ -764,18 +769,18 @@ ALLOW_INSECURE_TAINTED_DATA=yes
  # included in the Exim binary. You will then need to set up the run time
  # configuration to make use of the mechanism(s) selected.
  
@@ -201,7 +202,7 @@ index 8da36a3..088cf75 100644
  
  # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
  # requires multiple pkg-config files to work with Exim, so the second example
-@@ -796,7 +801,7 @@ FIXED_NEVER_USERS=root
+@@ -802,7 +807,7 @@ ALLOW_INSECURE_TAINTED_DATA=yes
  # one that is set in the headers_charset option. The default setting is
  # defined by this setting:
  
@@ -210,7 +211,7 @@ index 8da36a3..088cf75 100644
  
  # If you are going to make use of $header_xxx expansions in your configuration
  # file, or if your users are going to use them in filter files, and the normal
-@@ -816,7 +821,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -822,7 +827,7 @@ HEADERS_CHARSET="ISO-8859-1"
  # the Sieve filter support. For those OS where iconv() is known to be installed
  # as standard, the file in OS/Makefile-xxxx contains
  #
@@ -219,7 +220,7 @@ index 8da36a3..088cf75 100644
  #
  # If you are not using one of those systems, but have installed iconv(), you
  # need to uncomment that line above. In some cases, you may find that iconv()
-@@ -892,7 +897,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -898,7 +903,7 @@ HEADERS_CHARSET="ISO-8859-1"
  # Once you have done this, "make install" will build the info files and
  # install them in the directory you have defined.
  
@@ -228,7 +229,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -905,7 +910,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -911,7 +916,7 @@ HEADERS_CHARSET="ISO-8859-1"
  # %s. This will be replaced by one of the strings "main", "panic", or "reject"
  # to form the final file names. Some installations may want something like this:
  
@@ -237,7 +238,7 @@ index 8da36a3..088cf75 100644
  
  # which results in files with names /var/log/exim_mainlog, etc. The directory
  # in which the log files are placed must exist; Exim does not try to create
-@@ -977,7 +982,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -983,7 +988,7 @@ ZCAT_COMMAND=/usr/bin/zcat
  # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
  # Perl costs quite a lot of resources. Only do this if you really need it.
  
@@ -246,7 +247,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -987,7 +992,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -993,7 +998,7 @@ ZCAT_COMMAND=/usr/bin/zcat
  # that the local_scan API is made available by the linker. You may also need
  # to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
  
@@ -255,7 +256,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -997,7 +1002,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -1003,7 +1008,7 @@ ZCAT_COMMAND=/usr/bin/zcat
  # support, which is intended for use in conjunction with the SMTP AUTH
  # facilities, is included only when requested by the following setting:
  
@@ -264,7 +265,7 @@ index 8da36a3..088cf75 100644
  
  # You probably need to add -lpam to EXTRALIBS, and in some releases of
  # GNU/Linux -ldl is also needed.
-@@ -1009,12 +1014,12 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -1015,12 +1020,12 @@ ZCAT_COMMAND=/usr/bin/zcat
  # If you may want to use outbound (client-side) proxying, using Socks5,
  # uncomment the line below.
  
@@ -279,7 +280,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -1038,9 +1043,9 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -1044,9 +1049,9 @@ ZCAT_COMMAND=/usr/bin/zcat
  # installed on your system (www.libspf2.org). Depending on where it is installed
  # you may have to edit the CFLAGS and LDFLAGS lines.
  
@@ -291,7 +292,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -1105,7 +1110,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -1111,7 +1116,7 @@ ZCAT_COMMAND=/usr/bin/zcat
  # group. Once you have installed saslauthd, you should arrange for it to be
  # started by root at boot time.
  
@@ -300,7 +301,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -1119,8 +1124,8 @@ ZCAT_COMMAND=/usr/bin/zcat
+@@ -1125,8 +1130,8 @@ ZCAT_COMMAND=/usr/bin/zcat
  # library for TCP wrappers, so you probably need something like this:
  #
  # USE_TCP_WRAPPERS=yes
@@ -311,7 +312,7 @@ index 8da36a3..088cf75 100644
  #
  # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
  # as well.
-@@ -1172,7 +1177,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -1178,7 +1183,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
  # is "yes", as well as supporting line editing, a history of input lines in the
  # current run is maintained.
  
@@ -320,7 +321,7 @@ index 8da36a3..088cf75 100644
  
  # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
  # Note that this option adds to the size of the Exim binary, because the
-@@ -1189,7 +1194,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -1195,7 +1200,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
  #------------------------------------------------------------------------------
  # Uncomment this setting to include IPv6 support.
  
@@ -329,7 +330,7 @@ index 8da36a3..088cf75 100644
  
  ###############################################################################
  #              THINGS YOU ALMOST NEVER NEED TO MENTION                        #
-@@ -1210,13 +1215,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -1216,13 +1221,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
  # haven't got Perl, Exim will still build and run; you just won't be able to
  # use those utilities.
  
@@ -350,7 +351,7 @@ index 8da36a3..088cf75 100644
  
  
  #------------------------------------------------------------------------------
-@@ -1418,7 +1423,7 @@ EXIM_TMPDIR="/tmp"
+@@ -1424,7 +1429,7 @@ EXIM_TMPDIR="/tmp"
  # (process id) to a file so that it can easily be identified. The path of the
  # file can be specified here. Some installations may want something like this:
  
@@ -360,7 +361,7 @@ index 8da36a3..088cf75 100644
  # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
  # using the name "exim-daemon.pid".
 diff --git a/src/configure.default b/src/configure.default
-index d94c148..1f6afd4 100644
+index 3761daf..a5d3718 100644
 --- a/src/configure.default
 +++ b/src/configure.default
 @@ -67,7 +67,7 @@
@@ -405,12 +406,12 @@ index d94c148..1f6afd4 100644
 +# sqlite_dbfile = /var/spool/exim/db/greylist.db
 +
 +
- # If Exim is compiled with support for TLS, you may want to enable the
+ # If Exim is compiled with support for TLS, you may want to change the
- # following options so that Exim allows clients to make encrypted
+ # following option so that Exim disallows certain clients from makeing encrypted
- # connections. In the authenticators section below, there are template
+ # connections. The default is to allow all.
 @@ -157,7 +165,7 @@ acl_smtp_data =         acl_check_data
  
- # Allow any client to use TLS.
+ # This is equivalent to the default.
  
 -# tls_advertise_hosts = *
 +tls_advertise_hosts = *
@@ -427,8 +428,8 @@ index d94c148..1f6afd4 100644
 +tls_privatekey = /etc/pki/tls/private/exim.pem
  
  # For OpenSSL, prefer EC- over RSA-authenticated ciphers
- # tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+ .ifdef _HAVE_OPENSSL
-@@ -180,8 +188,8 @@ acl_smtp_data =         acl_check_data
+@@ -189,8 +197,8 @@ tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}}
  # them you should also allow TLS-on-connect on the traditional but
  # non-standard port 465.
  
@@ -439,7 +440,7 @@ index d94c148..1f6afd4 100644
  
  
  # Specify the domain you want to be added to all unqualified addresses
-@@ -239,6 +247,24 @@ never_users = root
+@@ -248,6 +256,24 @@ never_users = root
  
  host_lookup = *
  
@@ -464,7 +465,7 @@ index d94c148..1f6afd4 100644
  
  # The setting below causes Exim to try to initialize the system resolver
  # library with DNSSEC support.  It has no effect if your library lacks
-@@ -369,8 +395,8 @@ timeout_frozen_after = 7d
+@@ -378,8 +404,8 @@ timeout_frozen_after = 7d
  # Note that TZ is handled separately by the timezone runtime option
  # and TIMEZONE_DEFAULT buildtime option.
  
@@ -475,7 +476,7 @@ index d94c148..1f6afd4 100644
  
  
  
-@@ -381,6 +407,29 @@ timeout_frozen_after = 7d
+@@ -390,6 +416,29 @@ timeout_frozen_after = 7d
  
  begin acl
  
@@ -505,7 +506,7 @@ index d94c148..1f6afd4 100644
  # This access control list is used for every RCPT command in an incoming
  # SMTP message. The tests are run in order until the address is either
  # accepted or denied.
-@@ -392,6 +441,7 @@ acl_check_rcpt:
+@@ -401,6 +450,7 @@ acl_check_rcpt:
  
    accept  hosts = :
            control = dkim_disable_verify
@@ -513,7 +514,7 @@ index d94c148..1f6afd4 100644
  
    #############################################################################
    # The following section of the ACL is concerned with local parts that contain
-@@ -445,7 +495,8 @@ acl_check_rcpt:
+@@ -454,7 +504,8 @@ acl_check_rcpt:
    accept  local_parts   = postmaster
            domains       = +local_domains
  
@@ -523,7 +524,7 @@ index d94c148..1f6afd4 100644
  
    require verify        = sender
  
-@@ -485,6 +536,7 @@ acl_check_rcpt:
+@@ -494,6 +545,7 @@ acl_check_rcpt:
    accept  hosts         = +relay_from_hosts
            control       = submission
            control       = dkim_disable_verify
@@ -531,15 +532,15 @@ index d94c148..1f6afd4 100644
  
    # Accept if the message arrived over an authenticated connection, from
    # any host. Again, these messages are usually from MUAs, so recipient
-@@ -494,6 +546,7 @@ acl_check_rcpt:
+@@ -503,6 +555,7 @@ acl_check_rcpt:
    accept  authenticated = *
            control       = submission
            control       = dkim_disable_verify
 +          control       = dmarc_disable_verify
  
-   # Insist that a HELO/EHLO was accepted.
+   # Insist that any other recipient address that we accept is either in one of
- 
+   # our local domains, or is in a domain for which we explicitly allow
-@@ -519,7 +572,8 @@ acl_check_rcpt:
+@@ -523,7 +576,8 @@ acl_check_rcpt:
    # There are no default checks on DNS black lists because the domains that
    # contain these lists are changing all the time. However, here are two
    # examples of how you can get Exim to perform a DNS black list lookup at this
@@ -549,7 +550,7 @@ index d94c148..1f6afd4 100644
    #
    # deny    dnslists      = black.list.example
    #         message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-@@ -527,6 +581,10 @@ acl_check_rcpt:
+@@ -531,6 +585,10 @@ acl_check_rcpt:
    # warn    dnslists      = black.list.example
    #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
    #         log_message   = found in $dnslist_domain
@@ -560,7 +561,7 @@ index d94c148..1f6afd4 100644
    #############################################################################
  
    #############################################################################
-@@ -553,6 +611,10 @@ acl_check_rcpt:
+@@ -557,6 +615,10 @@ acl_check_rcpt:
    #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
    #############################################################################
  
@@ -571,7 +572,7 @@ index d94c148..1f6afd4 100644
    # At this point, the address has passed all the checks that have been
    # configured, so we accept it unconditionally.
  
-@@ -602,21 +664,32 @@ acl_check_data:
+@@ -606,21 +668,32 @@ acl_check_data:
            message =     header syntax
            log_message = header syntax ($acl_verify_message)
  
@@ -612,7 +613,7 @@ index d94c148..1f6afd4 100644
  
    #############################################################################
    # No more tests if PRDR was actively used.
-@@ -630,11 +703,63 @@ acl_check_data:
+@@ -634,11 +707,63 @@ acl_check_data:
    #           condition    = ...
    #############################################################################
  
@@ -677,7 +678,7 @@ index d94c148..1f6afd4 100644
  
  
  ######################################################################
-@@ -736,7 +861,7 @@ system_aliases:
+@@ -740,7 +865,7 @@ system_aliases:
    driver = redirect
    allow_fail
    allow_defer
@@ -686,7 +687,7 @@ index d94c148..1f6afd4 100644
  # user = exim
    file_transport = address_file
    pipe_transport = address_pipe
-@@ -774,7 +899,7 @@ userforward:
+@@ -778,7 +903,7 @@ userforward:
  # local_part_suffix = +* : -*
  # local_part_suffix_optional
    file = $home/.forward
@@ -695,7 +696,7 @@ index d94c148..1f6afd4 100644
    no_verify
    no_expn
    check_ancestor
-@@ -782,6 +907,12 @@ userforward:
+@@ -786,6 +911,12 @@ userforward:
    pipe_transport = address_pipe
    reply_transport = address_reply
  
@@ -708,9 +709,9 @@ index d94c148..1f6afd4 100644
  
  # This router matches local user mailboxes. If the router fails, the error
  # message is "Unknown user".
-@@ -823,6 +954,25 @@ remote_smtp:
+@@ -826,6 +957,25 @@ remote_smtp:
-   driver = smtp
+   tls_resumption_hosts = *
-   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ .endif
  
 +# This transport is used for delivering messages over SMTP using the
 +# "message submission" port (RFC4409).
@@ -734,7 +735,7 @@ index d94c148..1f6afd4 100644
  
  # This transport is used for delivering messages to a smarthost, if the
  # smarthost router is enabled.  This starts from the same basis as
-@@ -875,8 +1025,8 @@ local_delivery:
+@@ -880,8 +1030,8 @@ local_delivery:
    delivery_date_add
    envelope_to_add
    return_path_add
@@ -745,7 +746,7 @@ index d94c148..1f6afd4 100644
  
  
  # This transport is used for handling pipe deliveries generated by alias or
-@@ -909,6 +1059,16 @@ address_reply:
+@@ -914,6 +1064,16 @@ address_reply:
    driver = autoreply
  
  
@@ -762,7 +763,7 @@ index d94c148..1f6afd4 100644
  
  ######################################################################
  #                      RETRY CONFIGURATION                           #
-@@ -949,6 +1109,21 @@ begin rewrite
+@@ -954,6 +1114,21 @@ begin rewrite
  #                   AUTHENTICATION CONFIGURATION                     #
  ######################################################################
  
@@ -784,7 +785,7 @@ index d94c148..1f6afd4 100644
  # The following authenticators support plaintext username/password
  # authentication using the standard PLAIN mechanism and the traditional
  # but non-standard LOGIN mechanism, with Exim acting as the server.
-@@ -964,7 +1139,7 @@ begin rewrite
+@@ -969,7 +1144,7 @@ begin rewrite
  # The default RCPT ACL checks for successful authentication, and will accept
  # messages from authenticated users from anywhere on the Internet.
  
@@ -793,7 +794,7 @@ index d94c148..1f6afd4 100644
  
  # PLAIN authentication has no server prompts. The client sends its
  # credentials in one lump, containing an authorization ID (which we do not
-@@ -978,7 +1153,7 @@ begin authenticators
+@@ -983,7 +1158,7 @@ begin authenticators
  #  driver                     = plaintext
  #  server_set_id              = $auth2
  #  server_prompts             = :
@@ -802,7 +803,7 @@ index d94c148..1f6afd4 100644
  #  server_advertise_condition = ${if def:tls_in_cipher }
  
  # LOGIN authentication has traditional prompts and responses. There is no
-@@ -990,7 +1165,7 @@ begin authenticators
+@@ -995,7 +1170,7 @@ begin authenticators
  #  driver                     = plaintext
  #  server_set_id              = $auth1
  #  server_prompts             = <| Username: | Password:

exim-4.95-dlopen-localscan.patch

@@ -1,8 +1,8 @@
 diff --git a/src/EDITME b/src/EDITME
-index 9e82528..0ae84b1 100644
+index 9a9c92d..3f87919 100644
 --- a/src/EDITME
 +++ b/src/EDITME
-@@ -881,6 +881,21 @@ HAVE_ICONV=yes
+@@ -887,6 +887,21 @@ HAVE_ICONV=yes
  # *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
  
  
@@ -25,12 +25,12 @@ index 9e82528..0ae84b1 100644
  # The default distribution of Exim contains only the plain text form of the
  # documentation. Other forms are available separately. If you want to install
 diff --git a/src/config.h.defaults b/src/config.h.defaults
-index e17f015..008b97b 100644
+index 877cc7b..94abf58 100644
 --- a/src/config.h.defaults
 +++ b/src/config.h.defaults
-@@ -33,6 +33,8 @@ Do not put spaces between # and the 'define'.
+@@ -35,6 +35,8 @@ Do not put spaces between # and the 'define'.
  
- #define AUTH_VARS                     3
+ #define AUTH_VARS                     4
  
 +#define DLOPEN_LOCAL_SCAN
 +
@@ -38,10 +38,10 @@ index e17f015..008b97b 100644
  
  #define CONFIGURE_FILE
 diff --git a/src/globals.c b/src/globals.c
-index fc3086f..aa11a9b 100644
+index 5d9f7f8..6f11de5 100644
 --- a/src/globals.c
 +++ b/src/globals.c
-@@ -147,6 +147,10 @@ uschar *tls_verify_hosts       = NULL;
+@@ -155,6 +155,10 @@ time_t  tls_watch_trigger_time = (time_t)0;
  uschar *tls_advertise_hosts    = NULL;
  #endif
  
@@ -53,12 +53,12 @@ index fc3086f..aa11a9b 100644
  /* Per Recipient Data Response variables */
  BOOL    prdr_enable            = FALSE;
 diff --git a/src/globals.h b/src/globals.h
-index c80c853..333455c 100644
+index b610ac0..3b97a5d 100644
 --- a/src/globals.h
 +++ b/src/globals.h
-@@ -141,6 +141,11 @@ extern uschar *tls_try_verify_hosts;   /* Optional client verification */
+@@ -149,6 +149,11 @@ extern uschar *tls_verify_hosts;       /* Mandatory client verification */
- extern uschar *tls_verify_certificates;/* Path for certificates to check */
+ extern int     tls_watch_fd;	       /* for inotify of creds files */
- extern uschar *tls_verify_hosts;       /* Mandatory client verification */
+ extern time_t  tls_watch_trigger_time; /* non-0: triggered */
  #endif
 +
 +#ifdef DLOPEN_LOCAL_SCAN
@@ -69,10 +69,10 @@ index c80c853..333455c 100644
  
  extern uschar  *dsn_envid;             /* DSN envid string */
 diff --git a/src/local_scan.c b/src/local_scan.c
-index 4dd0b2b..72e0033 100644
+index 2032ae7..43dfe99 100644
 --- a/src/local_scan.c
 +++ b/src/local_scan.c
-@@ -5,61 +5,135 @@
+@@ -5,59 +5,133 @@
  /* Copyright (c) University of Cambridge 1995 - 2009 */
  /* See the file NOTICE for conditions of use and distribution. */
  
@@ -137,8 +137,6 @@ index 4dd0b2b..72e0033 100644
  int
  local_scan(int fd, uschar **return_text)
  {
- fd = fd;                      /* Keep picky compilers happy */
- return_text = return_text;
 -return LOCAL_SCAN_ACCEPT;
 +#ifdef DLOPEN_LOCAL_SCAN
 +/* local_scan_path is defined AND not the empty string */
@@ -170,8 +168,8 @@ index 4dd0b2b..72e0033 100644
 +else
 +#endif
 +  return LOCAL_SCAN_ACCEPT;
- }
++ }
- 
++ 
 +#ifdef DLOPEN_LOCAL_SCAN
 +
 +static int load_local_scan_library(void)
@@ -250,16 +248,16 @@ index 4dd0b2b..72e0033 100644
 +  }
 +
 +return TRUE;
-+}
+ }
-+
+ 
 +#endif /* DLOPEN_LOCAL_SCAN */
 +
  /* End of local_scan.c */
 diff --git a/src/readconf.c b/src/readconf.c
-index 0d0769c..f1bb0ef 100644
+index 987f9fa..b05896f 100644
 --- a/src/readconf.c
 +++ b/src/readconf.c
-@@ -205,6 +205,9 @@ static optionlist optionlist_config[] = {
+@@ -215,6 +215,9 @@ static optionlist optionlist_config[] = {
    { "local_from_prefix",        opt_stringptr,   {&local_from_prefix} },
    { "local_from_suffix",        opt_stringptr,   {&local_from_suffix} },
    { "local_interfaces",         opt_stringptr,   {&local_interfaces} },

exim-4.95-opendmarc-1.4-build-fix.patch

@@ -0,0 +1,13 @@
+diff --git a/src/dmarc.c b/src/dmarc.c
+index 8a9cdce..9e70cc1 100644
+--- a/src/dmarc.c
++++ b/src/dmarc.c
+@@ -461,7 +461,7 @@ if (!dmarc_abort && !sender_host_authenticated)
+ 		  vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
+ 		  DMARC_POLICY_DKIM_OUTCOME_NONE;
+     libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain,
+-					       dkim_result, US"");
++					       sig->selector, dkim_result, US"");
+     DEBUG(D_receive)
+       debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain);
+     if (libdm_status != DMARC_PARSE_OKAY)

exim-4.95-pic.patch

@@ -1,5 +1,5 @@
 diff --git a/src/lookups/Makefile b/src/lookups/Makefile
-index 6ba0cb1..21a7ad7 100644
+index 1fd1394..a24ea2a 100644
 --- a/src/lookups/Makefile
 +++ b/src/lookups/Makefile
 @@ -22,7 +22,7 @@ lookups.a:       $(OBJ)
@@ -9,5 +9,5 @@ index 6ba0cb1..21a7ad7 100644
 -		 $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $*.c -o $@
 +		 $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $(PIC) $*.c -o $@
  
- lf_check_file.o: $(PHDRS) lf_check_file.c  lf_functions.h
+ lf_check_file.o: $(HDRS) lf_check_file.c  lf_functions.h
- lf_quote.o:      $(PHDRS) lf_quote.c       lf_functions.h
+ lf_quote.o:      $(HDRS) lf_quote.c       lf_functions.h

exim.spec

@@ -14,7 +14,7 @@
 
 Summary: The exim mail transfer agent
 Name: exim
-Version: 4.94.2
+Version: 4.95
 Release: 1%{?dist}
 License: GPLv2+
 Url: https://www.exim.org/
@@ -52,10 +52,12 @@ Source25: exim-gen-cert
 Source26: clamd.exim.service
 %endif
 
-Patch0: exim-4.94.2-config.patch
+Patch0: exim-4.95-config.patch
 Patch1: exim-4.94-libdir.patch
-Patch2: exim-4.94-dlopen-localscan.patch
+Patch2: exim-4.95-dlopen-localscan.patch
-Patch3: exim-4.85-pic.patch
+Patch3: exim-4.95-pic.patch
+# https://bugs.exim.org/show_bug.cgi?id=2728
+Patch4: exim-4.95-opendmarc-1.4-build-fix.patch
 
 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
@@ -204,6 +206,7 @@ greylisting unconditional.
 %patch1 -p1 -b .libdir
 %patch2 -p1 -b .dl
 %patch3 -p1 -b .fpic
+%patch4 -p1 -b .opendmarc-1.4-build-fix
 
 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@@ -605,6 +608,10 @@ test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
 %{_sysconfdir}/cron.daily/greylist-tidy.sh
 
 %changelog
+* Thu Jun 23 2022 Jaroslav Škarvada <jskarvad@redhat.com> - 4.95-1
+- New version
+  Resolves: rhbz#2100385
+
 * Tue May  4 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94.2-1
 - New version
 

sources

@@ -1,2 +1,2 @@
 SHA512 (sa-exim-4.2.tar.gz) = 2c1839c4d897bf65d19c754bbc9dc0674276ccad4a564c639591396afc23f1456decceec94817f62ee9b688f5d6d90436d3d47c869e04a69c955b1376c9fbd7b
-SHA512 (exim-4.94.2.tar.xz) = 5334c236221ed4e03dbc33e6a79d939b06037fa2f4b71971607a360b67af5c85a89681ee13a5eeaf0184382c55a160cf2e89ed7afb2949f025a54f1e88f9e3fc
+SHA512 (exim-4.95.tar.xz) = 93d09c20d99f27da5edbe3e6dc7d25aa4548faa2b67ca26f2cc0b4aeaf58398dd468e0263714fcf0df97531f05d16fcd3f1f0e9d0656ead7858a66b248a44a65