New version

Resolves: rhbz#1956859
This commit is contained in:
Jaroslav Škarvada 2021-05-04 19:57:47 +02:00
parent a8bf41bfdb
commit ef659585d9
5 changed files with 35 additions and 189 deletions

4
.gitignore vendored
View File

@ -1,2 +1,2 @@
exim-*.tar.xz
exim-*.tar.xz.asc
/exim-*.tar.xz
/exim-*.tar.xz.asc

View File

@ -1,154 +0,0 @@
diff --git a/src/host.c b/src/host.c
index 0e0e013..99bbba7 100644
--- a/src/host.c
+++ b/src/host.c
@@ -1950,6 +1950,13 @@ BOOL temp_error = FALSE;
int af;
#endif
+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before anything modifies it. */
+
+host->certname = host->name;
+#endif
+
/* Make sure DNS options are set as required. This appears to be necessary in
some circumstances when the get..byname() function actually calls the DNS. */
@@ -2117,6 +2124,9 @@ for (int i = 1; i <= times;
{
host_item *next = store_get(sizeof(host_item), FALSE);
next->name = host->name;
+#ifndef DISABLE_TLS
+ next->certname = host->certname;
+#endif
next->mx = host->mx;
next->address = text_address;
next->port = PORT_NONE;
@@ -2135,12 +2145,12 @@ for (int i = 1; i <= times;
NULL. If temp_error is set, at least one of the lookups gave a temporary error,
so we pass that back. */
-if (host->address == NULL)
+if (!host->address)
{
uschar *msg =
#ifndef STAND_ALONE
- (message_id[0] == 0 && smtp_in != NULL)?
- string_sprintf("no IP address found for host %s (during %s)", host->name,
+ message_id[0] == 0 && smtp_in
+ ? string_sprintf("no IP address found for host %s (during %s)", host->name,
smtp_get_connection_info()) :
#endif
string_sprintf("no IP address found for host %s", host->name);
@@ -2260,6 +2270,13 @@ BOOL v6_find_again = FALSE;
BOOL dnssec_fail = FALSE;
int i;
+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before any CNAME-following modifies it. */
+
+host->certname = host->name;
+#endif
+
/* If allow_ip is set, a name which is an IP address returns that value
as its address. This is used for MX records when allow_mx_to_ip is set, for
those sites that feel they have to flaunt the RFC rules. */
diff --git a/src/structs.h b/src/structs.h
index c6700d5..206237f 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -80,14 +80,17 @@ typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t;
typedef struct host_item {
struct host_item *next;
- const uschar *name; /* Host name */
- const uschar *address; /* IP address in text form */
- int port; /* port value in host order (if SRV lookup) */
- int mx; /* MX value if found via MX records */
- int sort_key; /* MX*1000 plus random "fraction" */
- int status; /* Usable, unusable, or unknown */
- int why; /* Why host is unusable */
- int last_try; /* Time of last try if known */
+ const uschar *name; /* Host name */
+#ifndef DISABLE_TLS
+ const uschar *certname; /* Name used for certificate checks */
+#endif
+ const uschar *address; /* IP address in text form */
+ int port; /* port value in host order (if SRV lookup) */
+ int mx; /* MX value if found via MX records */
+ int sort_key; /* MX*1000 plus random "fraction" */
+ int status; /* Usable, unusable, or unknown */
+ int why; /* Why host is unusable */
+ int last_try; /* Time of last try if known */
dnssec_status_t dnssec;
} host_item;
diff --git a/src/tls-gnu.c b/src/tls-gnu.c
index 24114f0..875c82e 100644
--- a/src/tls-gnu.c
+++ b/src/tls-gnu.c
@@ -2601,9 +2601,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
{
state->exp_tls_verify_cert_hostnames =
#ifdef SUPPORT_I18N
- string_domain_utf8_to_alabel(host->name, NULL);
+ string_domain_utf8_to_alabel(host->certname, NULL);
#else
- host->name;
+ host->certname;
#endif
DEBUG(D_tls)
debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
diff --git a/src/tls-openssl.c b/src/tls-openssl.c
index 8c9d8aa..a623229 100644
--- a/src/tls-openssl.c
+++ b/src/tls-openssl.c
@@ -372,10 +372,10 @@ typedef struct ocsp_resp {
} ocsp_resplist;
typedef struct tls_ext_ctx_cb {
- tls_support * tlsp;
- uschar *certificate;
- uschar *privatekey;
- BOOL is_server;
+ tls_support * tlsp;
+ uschar * certificate;
+ uschar * privatekey;
+ BOOL is_server;
#ifndef DISABLE_OCSP
STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
union {
@@ -390,14 +390,14 @@ typedef struct tls_ext_ctx_cb {
} client;
} u_ocsp;
#endif
- uschar *dhparam;
+ uschar * dhparam;
/* these are cached from first expand */
- uschar *server_cipher_list;
+ uschar * server_cipher_list;
/* only passed down to tls_error: */
- host_item *host;
+ host_item * host;
const uschar * verify_cert_hostnames;
#ifndef DISABLE_EVENT
- uschar * event_action;
+ uschar * event_action;
#endif
} tls_ext_ctx_cb;
@@ -2915,9 +2915,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
{
cbinfo->verify_cert_hostnames =
#ifdef SUPPORT_I18N
- string_domain_utf8_to_alabel(host->name, NULL);
+ string_domain_utf8_to_alabel(host->certname, NULL);
#else
- host->name;
+ host->certname;
#endif
DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
cbinfo->verify_cert_hostnames);

View File

@ -12,7 +12,7 @@ index 61368ec..e8fe9ef 100755
echo "" >>$mft
cat $mftt >> $mft
diff --git a/src/EDITME b/src/EDITME
index e568bdb..65082b5 100644
index 8da36a3..9b7682c 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -99,7 +99,7 @@
@ -361,7 +361,7 @@ index e568bdb..65082b5 100644
# If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
# using the name "exim-daemon.pid".
diff --git a/src/configure.default b/src/configure.default
index 3423ee0..7d1e552 100644
index d94c148..1f6afd4 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -67,7 +67,7 @@
@ -524,7 +524,7 @@ index 3423ee0..7d1e552 100644
require verify = sender
@@ -471,6 +522,7 @@ acl_check_rcpt:
@@ -485,6 +536,7 @@ acl_check_rcpt:
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
@ -532,7 +532,7 @@ index 3423ee0..7d1e552 100644
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
@@ -480,6 +532,7 @@ acl_check_rcpt:
@@ -494,6 +546,7 @@ acl_check_rcpt:
accept authenticated = *
control = submission
control = dkim_disable_verify
@ -540,7 +540,7 @@ index 3423ee0..7d1e552 100644
# Insist that a HELO/EHLO was accepted.
@@ -505,7 +558,8 @@ acl_check_rcpt:
@@ -519,7 +572,8 @@ acl_check_rcpt:
# There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this
@ -550,7 +550,7 @@ index 3423ee0..7d1e552 100644
#
# deny dnslists = black.list.example
# message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
@@ -513,6 +567,10 @@ acl_check_rcpt:
@@ -527,6 +581,10 @@ acl_check_rcpt:
# warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain
@ -561,7 +561,7 @@ index 3423ee0..7d1e552 100644
#############################################################################
#############################################################################
@@ -539,6 +597,10 @@ acl_check_rcpt:
@@ -553,6 +611,10 @@ acl_check_rcpt:
# set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
#############################################################################
@ -572,7 +572,7 @@ index 3423ee0..7d1e552 100644
# At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally.
@@ -588,21 +650,32 @@ acl_check_data:
@@ -602,21 +664,32 @@ acl_check_data:
message = header syntax
log_message = header syntax ($acl_verify_message)
@ -601,20 +601,19 @@ index 3423ee0..7d1e552 100644
- # Add headers to a message if it is judged to be spam. Before enabling this,
- # you must install SpamAssassin. You may also need to set the spamd_address
- # option above.
- #
+ # Bypass SpamAssassin checks if the message is too large.
#
- # warn spam = nobody
- # add_header = X-Spam_score: $spam_score\n\
- # X-Spam_score_int: $spam_score_int\n\
- # X-Spam_bar: $spam_bar\n\
- # X-Spam_report: $spam_report
+ # Bypass SpamAssassin checks if the message is too large.
+ #
+ # accept condition = ${if >={$message_size}{100000} {1}}
+ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
#############################################################################
# No more tests if PRDR was actively used.
@@ -616,11 +689,63 @@ acl_check_data:
@@ -630,11 +703,63 @@ acl_check_data:
# condition = ...
#############################################################################
@ -633,8 +632,7 @@ index 3423ee0..7d1e552 100644
+ #
+ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
+ # X-Spam-Report: $spam_report
- # Accept the message.
+
+ # And reject if the SpamAssassin score is greater than ten
+ #
+ # deny condition = ${if >{$spam_score_int}{100} {1}}
@ -646,7 +644,8 @@ index 3423ee0..7d1e552 100644
+ # warn condition = ${if >{$spam_score_int}{5} {1}}
+ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
+
+
- # Accept the message.
+ # If you want to greylist _all_ mail rather than only mail which looks like there
+ # might be something wrong with it, then you can do this...
+ #
@ -679,7 +678,7 @@ index 3423ee0..7d1e552 100644
######################################################################
@@ -722,7 +847,7 @@ system_aliases:
@@ -736,7 +861,7 @@ system_aliases:
driver = redirect
allow_fail
allow_defer
@ -688,7 +687,7 @@ index 3423ee0..7d1e552 100644
# user = exim
file_transport = address_file
pipe_transport = address_pipe
@@ -760,7 +885,7 @@ userforward:
@@ -774,7 +899,7 @@ userforward:
# local_part_suffix = +* : -*
# local_part_suffix_optional
file = $home/.forward
@ -697,7 +696,7 @@ index 3423ee0..7d1e552 100644
no_verify
no_expn
check_ancestor
@@ -768,6 +893,12 @@ userforward:
@@ -782,6 +907,12 @@ userforward:
pipe_transport = address_pipe
reply_transport = address_reply
@ -710,7 +709,7 @@ index 3423ee0..7d1e552 100644
# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
@@ -809,6 +940,25 @@ remote_smtp:
@@ -823,6 +954,25 @@ remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
@ -736,7 +735,7 @@ index 3423ee0..7d1e552 100644
# This transport is used for delivering messages to a smarthost, if the
# smarthost router is enabled. This starts from the same basis as
@@ -861,8 +1011,8 @@ local_delivery:
@@ -875,8 +1025,8 @@ local_delivery:
delivery_date_add
envelope_to_add
return_path_add
@ -747,7 +746,7 @@ index 3423ee0..7d1e552 100644
# This transport is used for handling pipe deliveries generated by alias or
@@ -895,6 +1045,16 @@ address_reply:
@@ -909,6 +1059,16 @@ address_reply:
driver = autoreply
@ -764,7 +763,7 @@ index 3423ee0..7d1e552 100644
######################################################################
# RETRY CONFIGURATION #
@@ -935,6 +1095,21 @@ begin rewrite
@@ -949,6 +1109,21 @@ begin rewrite
# AUTHENTICATION CONFIGURATION #
######################################################################
@ -786,7 +785,7 @@ index 3423ee0..7d1e552 100644
# The following authenticators support plaintext username/password
# authentication using the standard PLAIN mechanism and the traditional
# but non-standard LOGIN mechanism, with Exim acting as the server.
@@ -950,7 +1125,7 @@ begin rewrite
@@ -964,7 +1139,7 @@ begin rewrite
# The default RCPT ACL checks for successful authentication, and will accept
# messages from authenticated users from anywhere on the Internet.
@ -795,7 +794,7 @@ index 3423ee0..7d1e552 100644
# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not
@@ -964,7 +1139,7 @@ begin authenticators
@@ -978,7 +1153,7 @@ begin authenticators
# driver = plaintext
# server_set_id = $auth2
# server_prompts = :
@ -804,7 +803,7 @@ index 3423ee0..7d1e552 100644
# server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no
@@ -976,7 +1151,7 @@ begin authenticators
@@ -990,7 +1165,7 @@ begin authenticators
# driver = plaintext
# server_set_id = $auth1
# server_prompts = <| Username: | Password:

View File

@ -11,8 +11,8 @@
Summary: The exim mail transfer agent
Name: exim
Version: 4.94
Release: 7%{?dist}
Version: 4.94.2
Release: 1%{?dist}
License: GPLv2+
Url: https://www.exim.org/
@ -42,12 +42,10 @@ Source24: exim.service
Source25: exim-gen-cert
Source26: clamd.exim.service
Patch0: exim-4.94-config.patch
Patch0: exim-4.94.2-config.patch
Patch1: exim-4.94-libdir.patch
Patch2: exim-4.94-dlopen-localscan.patch
Patch3: exim-4.85-pic.patch
# https://bugs.exim.org/show_bug.cgi?id=2594
Patch4: exim-4.94-tls-cname-handling-fix.patch
Requires: /etc/pki/tls/certs /etc/pki/tls/private
Requires: /etc/aliases
@ -162,7 +160,6 @@ greylisting unconditional.
%patch1 -p1 -b .libdir
%patch2 -p1 -b .dl
%patch3 -p1 -b .fpic
%patch4 -p1 -b .tls-cname-handling-fix
cp src/EDITME Local/Makefile
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@ -480,6 +477,10 @@ fi
%{_sysconfdir}/cron.daily/greylist-tidy.sh
%changelog
* Tue May 4 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94.2-1
- New version
Resolves: rhbz#1956859
* Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-7
- Fixed cname handling in TLS certificate verification
Resolves: rhbz#1942582

View File

@ -1,2 +1,2 @@
SHA512 (exim-4.94.tar.xz) = 3bf95ade30902327403e7308089a3e423761da5b0745397dace7c7fd15ba3838d93e0ee418f1fed57606f79e57b793c7c7407e5c0d526146f0036126d5d95316
SHA512 (exim-4.94.tar.xz.asc) = 7288ff92852bed4058a8c7315ec8f80d8ad80297d50e6971531b54bcf528614f37bb8debaf9e73ffe29fbbe6fa2162f3aeb06373307b23442392427688eb3cb8
SHA512 (exim-4.94.2.tar.xz) = 5334c236221ed4e03dbc33e6a79d939b06037fa2f4b71971607a360b67af5c85a89681ee13a5eeaf0184382c55a160cf2e89ed7afb2949f025a54f1e88f9e3fc
SHA512 (exim-4.94.2.tar.xz.asc) = 982c93530b8c8e13e6d8ea6032c8db27ede6692bc584ea5507b39bba6b4c3082285fb453affdc06e8d962c894c04ee9fc039523c5f329f785f918f831d9803a3