From ef659585d9da355c77d2d3e3e11fd7f30a0e8250 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?=
Date: Tue, 4 May 2021 19:57:47 +0200
Subject: [PATCH] New version

Resolves: rhbz#1956859

---
 .gitignore | 4 +-
 exim-4.94-tls-cname-handling-fix.patch | 154 ------------------
 ...4-config.patch => exim-4.94.2-config.patch | 49 +++---
 exim.spec | 13 +-
 sources | 4 +-
 5 files changed, 35 insertions(+), 189 deletions(-)
 delete mode 100644 exim-4.94-tls-cname-handling-fix.patch
 rename exim-4.94-config.patch => exim-4.94.2-config.patch (97%)

diff --git a/.gitignore b/.gitignore
index 205c447..76743e0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-exim-*.tar.xz
-exim-*.tar.xz.asc
+/exim-*.tar.xz
+/exim-*.tar.xz.asc
diff --git a/exim-4.94-tls-cname-handling-fix.patch b/exim-4.94-tls-cname-handling-fix.patch
deleted file mode 100644
index 8cd3add..0000000
--- a/exim-4.94-tls-cname-handling-fix.patch
+++ /dev/null
@@ -1,154 +0,0 @@ -diff --git a/src/host.c b/src/host.c -index 0e0e013..99bbba7 100644 ---- a/src/host.c -+++ b/src/host.c -@@ -1950,6 +1950,13 @@ BOOL temp_error = FALSE; - int af; - #endif - -+#ifndef DISABLE_TLS -+/* Copy the host name at this point to the value which is used for -+TLS certificate name checking, before anything modifies it. */ -+ -+host->certname = host->name; -+#endif -+ - /* Make sure DNS options are set as required. This appears to be necessary in - some circumstances when the get..byname() function actually calls the DNS. */ - -@@ -2117,6 +2124,9 @@ for (int i = 1; i <= times; - { - host_item *next = store_get(sizeof(host_item), FALSE); - next->name = host->name; -+#ifndef DISABLE_TLS -+ next->certname = host->certname; -+#endif - next->mx = host->mx; - next->address = text_address; - next->port = PORT_NONE; -@@ -2135,12 +2145,12 @@ for (int i = 1; i <= times; - NULL. If temp_error is set, at least one of the lookups gave a temporary error, - so we pass that back. */ - --if (host->address == NULL) -+if (!host->address) - { - uschar *msg = - #ifndef STAND_ALONE -- (message_id[0] == 0 && smtp_in != NULL)? -- string_sprintf("no IP address found for host %s (during %s)", host->name, -+ message_id[0] == 0 && smtp_in -+ ? string_sprintf("no IP address found for host %s (during %s)", host->name, - smtp_get_connection_info()) : - #endif - string_sprintf("no IP address found for host %s", host->name); -@@ -2260,6 +2270,13 @@ BOOL v6_find_again = FALSE; - BOOL dnssec_fail = FALSE; - int i; - -+#ifndef DISABLE_TLS -+/* Copy the host name at this point to the value which is used for -+TLS certificate name checking, before any CNAME-following modifies it. */ -+ -+host->certname = host->name; -+#endif -+ - /* If allow_ip is set, a name which is an IP address returns that value - as its address. This is used for MX records when allow_mx_to_ip is set, for - those sites that feel they have to flaunt the RFC rules. 
*/ -diff --git a/src/structs.h b/src/structs.h -index c6700d5..206237f 100644 ---- a/src/structs.h -+++ b/src/structs.h -@@ -80,14 +80,17 @@ typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t; - - typedef struct host_item { - struct host_item *next; -- const uschar *name; /* Host name */ -- const uschar *address; /* IP address in text form */ -- int port; /* port value in host order (if SRV lookup) */ -- int mx; /* MX value if found via MX records */ -- int sort_key; /* MX*1000 plus random "fraction" */ -- int status; /* Usable, unusable, or unknown */ -- int why; /* Why host is unusable */ -- int last_try; /* Time of last try if known */ -+ const uschar *name; /* Host name */ -+#ifndef DISABLE_TLS -+ const uschar *certname; /* Name used for certificate checks */ -+#endif -+ const uschar *address; /* IP address in text form */ -+ int port; /* port value in host order (if SRV lookup) */ -+ int mx; /* MX value if found via MX records */ -+ int sort_key; /* MX*1000 plus random "fraction" */ -+ int status; /* Usable, unusable, or unknown */ -+ int why; /* Why host is unusable */ -+ int last_try; /* Time of last try if known */ - dnssec_status_t dnssec; - } host_item; - -diff --git a/src/tls-gnu.c b/src/tls-gnu.c -index 24114f0..875c82e 100644 ---- a/src/tls-gnu.c -+++ b/src/tls-gnu.c -@@ -2601,9 +2601,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK) - { - state->exp_tls_verify_cert_hostnames = - #ifdef SUPPORT_I18N -- string_domain_utf8_to_alabel(host->name, NULL); -+ string_domain_utf8_to_alabel(host->certname, NULL); - #else -- host->name; -+ host->certname; - #endif - DEBUG(D_tls) - debug_printf("TLS: server cert verification includes hostname: \"%s\".\n", -diff --git a/src/tls-openssl.c b/src/tls-openssl.c -index 8c9d8aa..a623229 100644 ---- a/src/tls-openssl.c -+++ b/src/tls-openssl.c -@@ -372,10 +372,10 @@ typedef struct ocsp_resp { - } ocsp_resplist; - - typedef struct tls_ext_ctx_cb { -- tls_support * tlsp; -- uschar 
*certificate; -- uschar *privatekey; -- BOOL is_server; -+ tls_support * tlsp; -+ uschar * certificate; -+ uschar * privatekey; -+ BOOL is_server; - #ifndef DISABLE_OCSP - STACK_OF(X509) *verify_stack; /* chain for verifying the proof */ - union { -@@ -390,14 +390,14 @@ typedef struct tls_ext_ctx_cb { - } client; - } u_ocsp; - #endif -- uschar *dhparam; -+ uschar * dhparam; - /* these are cached from first expand */ -- uschar *server_cipher_list; -+ uschar * server_cipher_list; - /* only passed down to tls_error: */ -- host_item *host; -+ host_item * host; - const uschar * verify_cert_hostnames; - #ifndef DISABLE_EVENT -- uschar * event_action; -+ uschar * event_action; - #endif - } tls_ext_ctx_cb; - -@@ -2915,9 +2915,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK) - { - cbinfo->verify_cert_hostnames = - #ifdef SUPPORT_I18N -- string_domain_utf8_to_alabel(host->name, NULL); -+ string_domain_utf8_to_alabel(host->certname, NULL); - #else -- host->name; -+ host->certname; - #endif - DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", - cbinfo->verify_cert_hostnames); diff --git a/exim-4.94-config.patch b/exim-4.94.2-config.patch similarity index 97% rename from exim-4.94-config.patch rename to exim-4.94.2-config.patch index bc99322..dabe578 100644 --- a/exim-4.94-config.patch +++ b/exim-4.94.2-config.patch @@ -12,7 +12,7 @@ index 61368ec..e8fe9ef 100755 echo "" >>$mft cat $mftt >> $mft diff --git a/src/EDITME b/src/EDITME -index e568bdb..65082b5 100644 +index 8da36a3..9b7682c 100644 --- a/src/EDITME +++ b/src/EDITME @@ -99,7 +99,7 @@ @@ -361,7 +361,7 @@ index e568bdb..65082b5 100644 # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory # using the name "exim-daemon.pid". diff --git a/src/configure.default b/src/configure.default -index 3423ee0..7d1e552 100644 +index d94c148..1f6afd4 100644 --- a/src/configure.default +++ b/src/configure.default @@ -67,7 +67,7 @@ 
@@ -524,7 +524,7 @@ index 3423ee0..7d1e552 100644 require verify = sender -@@ -471,6 +522,7 @@ acl_check_rcpt: +@@ -485,6 +536,7 @@ acl_check_rcpt: accept hosts = +relay_from_hosts control = submission control = dkim_disable_verify @@ -532,7 +532,7 @@ index 3423ee0..7d1e552 100644 # Accept if the message arrived over an authenticated connection, from # any host. Again, these messages are usually from MUAs, so recipient -@@ -480,6 +532,7 @@ acl_check_rcpt: +@@ -494,6 +546,7 @@ acl_check_rcpt: accept authenticated = * control = submission control = dkim_disable_verify @@ -540,7 +540,7 @@ index 3423ee0..7d1e552 100644 # Insist that a HELO/EHLO was accepted. -@@ -505,7 +558,8 @@ acl_check_rcpt: +@@ -519,7 +572,8 @@ acl_check_rcpt: # There are no default checks on DNS black lists because the domains that # contain these lists are changing all the time. However, here are two # examples of how you can get Exim to perform a DNS black list lookup at this @@ -550,7 +550,7 @@ index 3423ee0..7d1e552 100644 # # deny dnslists = black.list.example # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text -@@ -513,6 +567,10 @@ acl_check_rcpt: +@@ -527,6 +581,10 @@ acl_check_rcpt: # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain # log_message = found in $dnslist_domain @@ -561,7 +561,7 @@ index 3423ee0..7d1e552 100644 ############################################################################# ############################################################################# -@@ -539,6 +597,10 @@ acl_check_rcpt: +@@ -553,6 +611,10 @@ acl_check_rcpt: # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} ############################################################################# 
@@ -572,7 +572,7 @@ index 3423ee0..7d1e552 100644 # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. -@@ -588,21 +650,32 @@ acl_check_data: +@@ -602,21 +664,32 @@ acl_check_data: message = header syntax log_message = header syntax ($acl_verify_message) @@ -601,20 +601,19 @@ index 3423ee0..7d1e552 100644 - # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. You may also need to set the spamd_address - # option above. -- # ++ # Bypass SpamAssassin checks if the message is too large. + # - # warn spam = nobody - # add_header = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report -+ # Bypass SpamAssassin checks if the message is too large. -+ # + # accept condition = ${if >={$message_size}{100000} {1}} + # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size ############################################################################# # No more tests if PRDR was actively used. -@@ -616,11 +689,63 @@ acl_check_data: +@@ -630,11 +703,63 @@ acl_check_data: # condition = ... ############################################################################# @@ -633,8 +632,7 @@ index 3423ee0..7d1e552 100644 + # + # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ + # X-Spam-Report: $spam_report - -- # Accept the message. ++ + # And reject if the SpamAssassin score is greater than ten + # + # deny condition = ${if >{$spam_score_int}{100} {1}} @@ -646,7 +644,8 @@ index 3423ee0..7d1e552 100644 + # warn condition = ${if >{$spam_score_int}{5} {1}} + # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons + -+ + +- # Accept the message. + # If you want to greylist _all_ mail rather than only mail which looks like there + # might be something wrong with it, then you can do this... + # 
@@ -679,7 +678,7 @@ index 3423ee0..7d1e552 100644 ###################################################################### -@@ -722,7 +847,7 @@ system_aliases: +@@ -736,7 +861,7 @@ system_aliases: driver = redirect allow_fail allow_defer @@ -688,7 +687,7 @@ index 3423ee0..7d1e552 100644 # user = exim file_transport = address_file pipe_transport = address_pipe -@@ -760,7 +885,7 @@ userforward: +@@ -774,7 +899,7 @@ userforward: # local_part_suffix = +* : -* # local_part_suffix_optional file = $home/.forward @@ -697,7 +696,7 @@ index 3423ee0..7d1e552 100644 no_verify no_expn check_ancestor -@@ -768,6 +893,12 @@ userforward: +@@ -782,6 +907,12 @@ userforward: pipe_transport = address_pipe reply_transport = address_reply @@ -710,7 +709,7 @@ index 3423ee0..7d1e552 100644 # This router matches local user mailboxes. If the router fails, the error # message is "Unknown user". -@@ -809,6 +940,25 @@ remote_smtp: +@@ -823,6 +954,25 @@ remote_smtp: driver = smtp message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} @@ -736,7 +735,7 @@ index 3423ee0..7d1e552 100644 # This transport is used for delivering messages to a smarthost, if the # smarthost router is enabled. This starts from the same basis as -@@ -861,8 +1011,8 @@ local_delivery: +@@ -875,8 +1025,8 @@ local_delivery: delivery_date_add envelope_to_add return_path_add @@ -747,7 +746,7 @@ index 3423ee0..7d1e552 100644 # This transport is used for handling pipe deliveries generated by alias or -@@ -895,6 +1045,16 @@ address_reply: +@@ -909,6 +1059,16 @@ address_reply: driver = autoreply @@ -764,7 +763,7 @@ index 3423ee0..7d1e552 100644 ###################################################################### # RETRY CONFIGURATION # -@@ -935,6 +1095,21 @@ begin rewrite +@@ -949,6 +1109,21 @@ begin rewrite # AUTHENTICATION CONFIGURATION # ###################################################################### 
@@ -786,7 +785,7 @@ index 3423ee0..7d1e552 100644
 # The following authenticators support plaintext username/password
 # authentication using the standard PLAIN mechanism and the traditional
 # but non-standard LOGIN mechanism, with Exim acting as the server.
-@@ -950,7 +1125,7 @@ begin rewrite
+@@ -964,7 +1139,7 @@ begin rewrite
 # The default RCPT ACL checks for successful authentication, and will accept
 # messages from authenticated users from anywhere on the Internet.
@@ -795,7 +794,7 @@ index 3423ee0..7d1e552 100644
 # PLAIN authentication has no server prompts. The client sends its
 # credentials in one lump, containing an authorization ID (which we do not
-@@ -964,7 +1139,7 @@ begin authenticators
+@@ -978,7 +1153,7 @@ begin authenticators
 # driver = plaintext
 # server_set_id = $auth2
 # server_prompts = :
@@ -804,7 +803,7 @@ index 3423ee0..7d1e552 100644
 # server_advertise_condition = ${if def:tls_in_cipher }
 # LOGIN authentication has traditional prompts and responses. There is no
-@@ -976,7 +1151,7 @@ begin authenticators
+@@ -990,7 +1165,7 @@ begin authenticators
 # driver = plaintext
 # server_set_id = $auth1
 # server_prompts = <| Username: | Password:
diff --git a/exim.spec b/exim.spec
index 43a7b67..8ebbd0d 100644
--- a/exim.spec
+++ b/exim.spec
@@ -11,8 +11,8 @@ Summary: The exim mail transfer agent
 Name: exim
-Version: 4.94
-Release: 7%{?dist}
+Version: 4.94.2
+Release: 1%{?dist}
 License: GPLv2+
 Url: https://www.exim.org/
@@ -42,12 +42,10 @@ Source24: exim.service
 Source25: exim-gen-cert
 Source26: clamd.exim.service
-Patch0: exim-4.94-config.patch
+Patch0: exim-4.94.2-config.patch
 Patch1: exim-4.94-libdir.patch
 Patch2: exim-4.94-dlopen-localscan.patch
 Patch3: exim-4.85-pic.patch
-# https://bugs.exim.org/show_bug.cgi?id=2594
-Patch4: exim-4.94-tls-cname-handling-fix.patch
 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
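Review bot: Removing `Patch4` (the backport for bugs.exim.org 2594, which added `host->certname` so TLS certificate-name checking in tls-gnu.c/tls-openssl.c uses the name captured before CNAME following) is only safe if 4.94.2 carries the same fix upstream, and nothing in this hunk or in the commit's changelog entry (`- New version`) records that this was checked. I would make the drop self-documenting in the spec changelog, e.g. `- Dropped exim-4.94-tls-cname-handling-fix.patch, fix is in upstream 4.94.2 (bug 2594)`, so a later reader does not have to diff src/host.c to learn whether the certificate-name regression is still covered. If 4.94.2 does not in fact include it, the patch needs rebasing rather than deleting, because without it the hostname verified against the server certificate can be the CNAME target instead of the configured host. I cannot see the upstream 4.94.2 source from this diff, so this is a confirmation request rather than a known regression.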
@@ -162,7 +160,6 @@ greylisting unconditional.
 %patch1 -p1 -b .libdir
 %patch2 -p1 -b .dl
 %patch3 -p1 -b .fpic
-%patch4 -p1 -b .tls-cname-handling-fix
 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@@ -480,6 +477,10 @@ fi
 %{_sysconfdir}/cron.daily/greylist-tidy.sh
 %changelog
+* Tue May 4 2021 Jaroslav Škarvada - 4.94.2-1
+- New version
+ Resolves: rhbz#1956859
+
 * Thu Mar 25 2021 Jaroslav Škarvada - 4.94-7
 - Fixed cname handling in TLS certificate verification
 Resolves: rhbz#1942582
diff --git a/sources
index 207176a..bba4e58 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (exim-4.94.tar.xz) = 3bf95ade30902327403e7308089a3e423761da5b0745397dace7c7fd15ba3838d93e0ee418f1fed57606f79e57b793c7c7407e5c0d526146f0036126d5d95316
-SHA512 (exim-4.94.tar.xz.asc) = 7288ff92852bed4058a8c7315ec8f80d8ad80297d50e6971531b54bcf528614f37bb8debaf9e73ffe29fbbe6fa2162f3aeb06373307b23442392427688eb3cb8
+SHA512 (exim-4.94.2.tar.xz) = 5334c236221ed4e03dbc33e6a79d939b06037fa2f4b71971607a360b67af5c85a89681ee13a5eeaf0184382c55a160cf2e89ed7afb2949f025a54f1e88f9e3fc
+SHA512 (exim-4.94.2.tar.xz.asc) = 982c93530b8c8e13e6d8ea6032c8db27ede6692bc584ea5507b39bba6b4c3082285fb453affdc06e8d962c894c04ee9fc039523c5f329f785f918f831d9803a3
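Review bot: The `%prep` lines visible in this hunk (`%patch1` through `cp src/EDITME Local/Makefile`) show no signature verification step even though the packaging ships and checksums `exim-4.94.2.tar.xz.asc` next to the tarball; the rest of `%prep` is outside this hunk, so I cannot tell from here whether a `%{gpgverify}` call exists earlier. If it does not, the `.asc` entry in `sources` only pins the signature file's bytes and never proves the tarball was signed by the Exim release key, which matters more on an update that also drops a TLS-verification backport. I would confirm that `%prep` runs `%{gpgverify}` with the upstream keyring, signature and tarball before the `%patch` lines, and add the keyring as a `Source` if it is not already one.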