From d69bc63fa98ed04fee947ea22c6b208e5bde42c9 Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Thu, 20 Feb 2020 12:03:54 +0000 Subject: [PATCH] Enable SPF and DMARC support --- exim-4.93-config.patch | 48 ++++++++++++++++++++++++++++++++++++++++++ exim.spec | 9 ++++++-- 2 files changed, 55 insertions(+), 2 deletions(-) diff --git a/exim-4.93-config.patch b/exim-4.93-config.patch index 769835f..c97eadc 100644 --- a/exim-4.93-config.patch +++ b/exim-4.93-config.patch @@ -150,6 +150,21 @@ index 83325ab..a861c7f 100644 # If you have content scanning you may wish to only include some of the scanner # interfaces. Uncomment any of these lines to remove that code. +@@ -592,12 +598,12 @@ + + # Uncomment the following line to add DMARC checking capability, implemented + # using libopendmarc libraries. You must have SPF and DKIM support enabled also. +-# SUPPORT_DMARC=yes ++SUPPORT_DMARC=yes + # CFLAGS += -I/usr/local/include + # LDFLAGS += -lopendmarc + # Uncomment the following if you need to change the default. You can + # override it at runtime (main config option dmarc_tld_file) +-# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds ++DMARC_TLD_FILE=/usr/share/publicsuffix/public_suffix_list.dat + + # Uncomment the following line to add ARC (Authenticated Received Chain) + # support. You must have SPF and DKIM support enabled also. @@ -707,7 +713,7 @@ FIXED_NEVER_USERS=root # CONFIGURE_OWNER setting, to specify a configuration file which is listed in # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. @@ -264,6 +279,15 @@ index 83325ab..a861c7f 100644 #------------------------------------------------------------------------------ +@@ -1029,7 +1050,7 @@ + # installed on your system (www.libspf2.org). Depending on where it is installed + # you may have to edit the CFLAGS and LDFLAGS lines. + +-# SUPPORT_SPF=yes ++SUPPORT_SPF=yes + # CFLAGS += -I/usr/local/include + # LDFLAGS += -lspf2 + 
@@ -1096,7 +1102,7 @@ ZCAT_COMMAND=/usr/bin/zcat # group. Once you have installed saslauthd, you should arrange for it to be # started by root at boot time. @@ -465,6 +489,14 @@ index cf38305..472b801 100644 # This access control list is used for every RCPT command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. +@@ -392,6 +435,7 @@ + + accept hosts = : + control = dkim_disable_verify ++ control = dmarc_disable_verify + + ############################################################################# + # The following section of the ACL is concerned with local parts that contain @@ -445,7 +488,8 @@ acl_check_rcpt: accept local_parts = postmaster domains = +local_domains @@ -475,6 +507,22 @@ index cf38305..472b801 100644 require verify = sender +@@ -471,6 +516,7 @@ + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify ++ control = dmarc_disable_verify + + # Accept if the message arrived over an authenticated connection, from + # any host. Again, these messages are usually from MUAs, so recipient +@@ -480,6 +526,7 @@ + accept authenticated = * + control = submission + control = dkim_disable_verify ++ control = dmarc_disable_verify + + # Insist that a HELO/EHLO was accepted. + @@ -505,7 +549,8 @@ acl_check_rcpt: # There are no default checks on DNS black lists because the domains that # contain these lists are changing all the time. However, here are two diff --git a/exim.spec b/exim.spec index bd8f9af..9d70ae2 100644 --- a/exim.spec +++ b/exim.spec @@ -12,7 +12,7 @@ Summary: The exim mail transfer agent Name: exim Version: 4.93 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Url: https://www.exim.org/ 
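Review bot: The three added `control = dmarc_disable_verify` lines (under `accept hosts = :`, `accept hosts = +relay_from_hosts` and `accept authenticated = *`) have no comment saying why DMARC is skipped for those clauses. I would add one next to the first of them, for example `# DMARC only applies to mail from remote, unauthenticated hosts; skip it for local, relayed and authenticated submissions`. The visible hunks only switch verification off; whether the default configuration runs an `spf` condition or tests `$dmarc_status` for the remaining remote mail cannot be seen from here, since `acl_check_rcpt` and the other ACLs continue outside these hunks. If nothing does, the newly built-in support has no effect on what is accepted, and the configuration comments should say so. Every host in `+relay_from_hosts` now bypasses DMARC as well as DKIM verification, so that list should stay limited to hosts trusted to submit mail.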
@@ -50,8 +50,10 @@ Patch3: exim-4.85-pic.patch Requires: /etc/pki/tls/certs /etc/pki/tls/private Requires: /etc/aliases Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) +Recommends: publicsuffix-list BuildRequires: gcc libdb-devel openssl-devel openldap-devel pam-devel BuildRequires: pcre-devel sqlite-devel cyrus-sasl-devel +BuildRequires: libspf2-devel libopendmarc-devel BuildRequires: openldap-devel openssl-devel mariadb-connector-c-devel libpq-devel BuildRequires: libXaw-devel libXmu-devel libXext-devel libX11-devel libSM-devel BuildRequires: perl-devel @@ -172,7 +174,7 @@ cp exim_monitor/EDITME Local/eximon.conf export PIE=-fPIE export PIC=-fPIC %endif -make _lib=%{_lib} FULLECHO= LDFLAGS="%{?__global_ldflags} %{?_hardened_build:-pie -Wl,-z,relro,-z,now}" +make _lib=%{_lib} FULLECHO= LDFLAGS="%{?__global_ldflags} %{?_hardened_build:-pie -Wl,-z,relro,-z,now} -lopendmarc -lspf2" %install mkdir -p $RPM_BUILD_ROOT%{_sbindir} @@ -466,6 +468,9 @@ fi %{_sysconfdir}/cron.daily/greylist-tidy.sh %changelog +* Thu Feb 20 2020 Tom Hughes - 4.93-3 +- Enable SPF and DMARC support + * Tue Jan 28 2020 Fedora Release Engineering - 4.93-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
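Review bot: `Recommends: publicsuffix-list` is only a weak dependency, but the config patch in this same commit compiles in `DMARC_TLD_FILE=/usr/share/publicsuffix/public_suffix_list.dat`. An install made with weak dependencies disabled therefore gets a DMARC-enabled binary whose TLD file is absent. How Exim reacts to the missing file is not visible on this page; presumably DMARC evaluation is skipped or fails, which would leave the check inactive with nothing but a log entry to show for it. Either use `Requires: publicsuffix-list`, or keep the weak dependency and add a spec comment that `dmarc_tld_file` must point at an existing list before DMARC results can be relied on.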
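Review bot: On the `make` line, `-lopendmarc -lspf2` are libraries rather than linker options, and they are added to the command-line `LDFLAGS` while the matching `# LDFLAGS += -lopendmarc` and `# LDFLAGS += -lspf2` lines in the EDITME patch stay commented out, with nothing explaining the split. A variable set on the make command line overrides `+=` assignments inside the makefile, which is presumably why the libraries were added here. A comment above the line would record that, for example `# LDFLAGS given on the command line overrides the makefile's own LDFLAGS lines, so the SPF/DMARC libraries are added here`. The `%build` section continues outside the hunk, so whether another variable could carry the libraries instead cannot be judged from this view.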