New version

Resolves: rhbz#1956859
2021-05-04 19:40:58 +02:00 · 2021-05-04 19:40:58 +02:00 · f3c8bb48f9
commit f3c8bb48f9
parent a8bf41bfdb
6 changed files with 49 additions and 189 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-exim-*.tar.xz
+/exim-*.tar.xz
-exim-*.tar.xz.asc
+/exim-*.tar.xz.asc
--- a/exim-4.94-tls-cname-handling-fix.patch
+++ b/exim-4.94-tls-cname-handling-fix.patch
@ -1,154 +0,0 @@
 diff --git a/src/host.c b/src/host.c
 index 0e0e013..99bbba7 100644
 --- a/src/host.c
 +++ b/src/host.c
@@ -1950,6 +1950,13 @@ BOOL temp_error = FALSE;
 int af;
 #endif
 +#ifndef DISABLE_TLS
 +/* Copy the host name at this point to the value which is used for
 +TLS certificate name checking, before anything modifies it.  */
 +
 +host->certname = host->name;
 +#endif
 +
 /* Make sure DNS options are set as required. This appears to be necessary in
 some circumstances when the get..byname() function actually calls the DNS. */
@@ -2117,6 +2124,9 @@ for (int i = 1; i <= times;
       {
       host_item *next = store_get(sizeof(host_item), FALSE);
       next->name = host->name;
 +#ifndef DISABLE_TLS
 +      next->certname = host->certname;
 +#endif
       next->mx = host->mx;
       next->address = text_address;
       next->port = PORT_NONE;
@@ -2135,12 +2145,12 @@ for (int i = 1; i <= times;
 NULL. If temp_error is set, at least one of the lookups gave a temporary error,
 so we pass that back. */
 -if (host->address == NULL)
 +if (!host->address)
   {
   uschar *msg =
     #ifndef STAND_ALONE
 -    (message_id[0] == 0 && smtp_in != NULL)?
 -      string_sprintf("no IP address found for host %s (during %s)", host->name,
 +    message_id[0] == 0 && smtp_in
 +      ? string_sprintf("no IP address found for host %s (during %s)", host->name,
           smtp_get_connection_info()) :
     #endif
     string_sprintf("no IP address found for host %s", host->name);
@@ -2260,6 +2270,13 @@ BOOL v6_find_again = FALSE;
 BOOL dnssec_fail = FALSE;
 int i;
 +#ifndef DISABLE_TLS
 +/* Copy the host name at this point to the value which is used for
 +TLS certificate name checking, before any CNAME-following modifies it.  */
 +
 +host->certname = host->name;
 +#endif
 +
 /* If allow_ip is set, a name which is an IP address returns that value
 as its address. This is used for MX records when allow_mx_to_ip is set, for
 those sites that feel they have to flaunt the RFC rules. */
 diff --git a/src/structs.h b/src/structs.h
 index c6700d5..206237f 100644
 --- a/src/structs.h
 +++ b/src/structs.h
@@ -80,14 +80,17 @@ typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t;
 typedef struct host_item {
   struct host_item *next;
 -  const uschar *name;             /* Host name */
 -  const uschar *address;          /* IP address in text form */
 -  int     port;                   /* port value in host order (if SRV lookup) */
 -  int     mx;                     /* MX value if found via MX records */
 -  int     sort_key;               /* MX*1000 plus random "fraction" */
 -  int     status;                 /* Usable, unusable, or unknown */
 -  int     why;                    /* Why host is unusable */
 -  int     last_try;               /* Time of last try if known */
 +  const uschar *name;		/* Host name */
 +#ifndef DISABLE_TLS
 +  const uschar *certname;	/* Name used for certificate checks */
 +#endif
 +  const uschar *address;	/* IP address in text form */
 +  int     port;			/* port value in host order (if SRV lookup) */
 +  int     mx;			/* MX value if found via MX records */
 +  int     sort_key;		/* MX*1000 plus random "fraction" */
 +  int     status;		/* Usable, unusable, or unknown */
 +  int     why;			/* Why host is unusable */
 +  int     last_try;		/* Time of last try if known */
   dnssec_status_t dnssec;
 } host_item;
 diff --git a/src/tls-gnu.c b/src/tls-gnu.c
 index 24114f0..875c82e 100644
 --- a/src/tls-gnu.c
 +++ b/src/tls-gnu.c
@@ -2601,9 +2601,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
   {
   state->exp_tls_verify_cert_hostnames =
 #ifdef SUPPORT_I18N
 -    string_domain_utf8_to_alabel(host->name, NULL);
 +    string_domain_utf8_to_alabel(host->certname, NULL);
 #else
 -    host->name;
 +    host->certname;
 #endif
   DEBUG(D_tls)
     debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
 diff --git a/src/tls-openssl.c b/src/tls-openssl.c
 index 8c9d8aa..a623229 100644
 --- a/src/tls-openssl.c
 +++ b/src/tls-openssl.c
@@ -372,10 +372,10 @@ typedef struct ocsp_resp {
 } ocsp_resplist;
 typedef struct tls_ext_ctx_cb {
 -  tls_support * tlsp;
 -  uschar *certificate;
 -  uschar *privatekey;
 -  BOOL is_server;
 +  tls_support *	tlsp;
 +  uschar *	certificate;
 +  uschar *	privatekey;
 +  BOOL		is_server;
 #ifndef DISABLE_OCSP
   STACK_OF(X509) *verify_stack;		/* chain for verifying the proof */
   union {
@@ -390,14 +390,14 @@ typedef struct tls_ext_ctx_cb {
     } client;
   } u_ocsp;
 #endif
 -  uschar *dhparam;
 +  uschar *	dhparam;
   /* these are cached from first expand */
 -  uschar *server_cipher_list;
 +  uschar *	server_cipher_list;
   /* only passed down to tls_error: */
 -  host_item *host;
 +  host_item *	host;
   const uschar * verify_cert_hostnames;
 #ifndef DISABLE_EVENT
 -  uschar * event_action;
 +  uschar *	event_action;
 #endif
 } tls_ext_ctx_cb;
@@ -2915,9 +2915,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
   {
   cbinfo->verify_cert_hostnames =
 #ifdef SUPPORT_I18N
 -    string_domain_utf8_to_alabel(host->name, NULL);
 +    string_domain_utf8_to_alabel(host->certname, NULL);
 #else
 -    host->name;
 +    host->certname;
 #endif
   DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
 		    cbinfo->verify_cert_hostnames);
--- a/exim-4.94.2-config.patch
+++ b/exim-4.94.2-config.patch
@ -12,7 +12,7 @@ index 61368ec..e8fe9ef 100755
   echo "" >>$mft
   cat $mftt >> $mft
 diff --git a/src/EDITME b/src/EDITME
-index e568bdb..65082b5 100644
+index 8da36a3..9b7682c 100644
 --- a/src/EDITME
 +++ b/src/EDITME
@@ -99,7 +99,7 @@
@ -361,7 +361,7 @@ index e568bdb..65082b5 100644
 # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
 # using the name "exim-daemon.pid".
 diff --git a/src/configure.default b/src/configure.default
-index 3423ee0..7d1e552 100644
+index d94c148..1f6afd4 100644
 --- a/src/configure.default
 +++ b/src/configure.default
@@ -67,7 +67,7 @@
@ -524,7 +524,7 @@ index 3423ee0..7d1e552 100644
   require verify        = sender
-@@ -471,6 +522,7 @@ acl_check_rcpt:
+@@ -485,6 +536,7 @@ acl_check_rcpt:
   accept  hosts         = +relay_from_hosts
           control       = submission
           control       = dkim_disable_verify
@ -532,7 +532,7 @@ index 3423ee0..7d1e552 100644
   # Accept if the message arrived over an authenticated connection, from
   # any host. Again, these messages are usually from MUAs, so recipient
-@@ -480,6 +532,7 @@ acl_check_rcpt:
+@@ -494,6 +546,7 @@ acl_check_rcpt:
   accept  authenticated = *
           control       = submission
           control       = dkim_disable_verify
@ -540,7 +540,7 @@ index 3423ee0..7d1e552 100644
   # Insist that a HELO/EHLO was accepted.
-@@ -505,7 +558,8 @@ acl_check_rcpt:
+@@ -519,7 +572,8 @@ acl_check_rcpt:
   # There are no default checks on DNS black lists because the domains that
   # contain these lists are changing all the time. However, here are two
   # examples of how you can get Exim to perform a DNS black list lookup at this
@ -550,7 +550,7 @@ index 3423ee0..7d1e552 100644
   #
   # deny    dnslists      = black.list.example
   #         message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-@@ -513,6 +567,10 @@ acl_check_rcpt:
+@@ -527,6 +581,10 @@ acl_check_rcpt:
   # warn    dnslists      = black.list.example
   #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
   #         log_message   = found in $dnslist_domain
@ -561,7 +561,7 @@ index 3423ee0..7d1e552 100644
   #############################################################################
   #############################################################################
-@@ -539,6 +597,10 @@ acl_check_rcpt:
+@@ -553,6 +611,10 @@ acl_check_rcpt:
   #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
   #############################################################################
@ -572,7 +572,7 @@ index 3423ee0..7d1e552 100644
   # At this point, the address has passed all the checks that have been
   # configured, so we accept it unconditionally.
-@@ -588,21 +650,32 @@ acl_check_data:
+@@ -602,21 +664,32 @@ acl_check_data:
           message =     header syntax
           log_message = header syntax ($acl_verify_message)
@ -601,20 +601,19 @@ index 3423ee0..7d1e552 100644
 -  # Add headers to a message if it is judged to be spam. Before enabling this,
 -  # you must install SpamAssassin. You may also need to set the spamd_address
 -  # option above.
-  #
+  # Bypass SpamAssassin checks if the message is too large.
   #
 -  # warn    spam       = nobody
 -  #         add_header = X-Spam_score: $spam_score\n\
 -  #                      X-Spam_score_int: $spam_score_int\n\
 -  #                      X-Spam_bar: $spam_bar\n\
 -  #                      X-Spam_report: $spam_report
 +  # Bypass SpamAssassin checks if the message is too large.
 +  #
 +  # accept  condition  = ${if >={$message_size}{100000} {1}}
 +  #         add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
   #############################################################################
   # No more tests if PRDR was actively used.
-@@ -616,11 +689,63 @@ acl_check_data:
+@@ -630,11 +703,63 @@ acl_check_data:
   #           condition    = ...
   #############################################################################
@ -633,8 +632,7 @@ index 3423ee0..7d1e552 100644
 +  #
 +  # warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
 +  #                      X-Spam-Report: $spam_report
- 
+
 -  # Accept the message.
 +  # And reject if the SpamAssassin score is greater than ten
 +  #
 +  # deny    condition = ${if >{$spam_score_int}{100} {1}}
@ -646,7 +644,8 @@ index 3423ee0..7d1e552 100644
 +  # warn    condition = ${if >{$spam_score_int}{5} {1}}
 +  #         set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
 +
-+
+ 
 -  # Accept the message.
 +  # If you want to greylist _all_ mail rather than only mail which looks like there
 +  # might be something wrong with it, then you can do this...
 +  #
@ -679,7 +678,7 @@ index 3423ee0..7d1e552 100644
 ######################################################################
-@@ -722,7 +847,7 @@ system_aliases:
+@@ -736,7 +861,7 @@ system_aliases:
   driver = redirect
   allow_fail
   allow_defer
@ -688,7 +687,7 @@ index 3423ee0..7d1e552 100644
 # user = exim
   file_transport = address_file
   pipe_transport = address_pipe
-@@ -760,7 +885,7 @@ userforward:
+@@ -774,7 +899,7 @@ userforward:
 # local_part_suffix = +* : -*
 # local_part_suffix_optional
   file = $home/.forward
@ -697,7 +696,7 @@ index 3423ee0..7d1e552 100644
   no_verify
   no_expn
   check_ancestor
-@@ -768,6 +893,12 @@ userforward:
+@@ -782,6 +907,12 @@ userforward:
   pipe_transport = address_pipe
   reply_transport = address_reply
@ -710,7 +709,7 @@ index 3423ee0..7d1e552 100644
 # This router matches local user mailboxes. If the router fails, the error
 # message is "Unknown user".
-@@ -809,6 +940,25 @@ remote_smtp:
+@@ -823,6 +954,25 @@ remote_smtp:
   driver = smtp
   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
@ -736,7 +735,7 @@ index 3423ee0..7d1e552 100644
 # This transport is used for delivering messages to a smarthost, if the
 # smarthost router is enabled.  This starts from the same basis as
-@@ -861,8 +1011,8 @@ local_delivery:
+@@ -875,8 +1025,8 @@ local_delivery:
   delivery_date_add
   envelope_to_add
   return_path_add
@ -747,7 +746,7 @@ index 3423ee0..7d1e552 100644
 # This transport is used for handling pipe deliveries generated by alias or
-@@ -895,6 +1045,16 @@ address_reply:
+@@ -909,6 +1059,16 @@ address_reply:
   driver = autoreply
@ -764,7 +763,7 @@ index 3423ee0..7d1e552 100644
 ######################################################################
 #                      RETRY CONFIGURATION                           #
-@@ -935,6 +1095,21 @@ begin rewrite
+@@ -949,6 +1109,21 @@ begin rewrite
 #                   AUTHENTICATION CONFIGURATION                     #
 ######################################################################
@ -786,7 +785,7 @@ index 3423ee0..7d1e552 100644
 # The following authenticators support plaintext username/password
 # authentication using the standard PLAIN mechanism and the traditional
 # but non-standard LOGIN mechanism, with Exim acting as the server.
-@@ -950,7 +1125,7 @@ begin rewrite
+@@ -964,7 +1139,7 @@ begin rewrite
 # The default RCPT ACL checks for successful authentication, and will accept
 # messages from authenticated users from anywhere on the Internet.
@ -795,7 +794,7 @@ index 3423ee0..7d1e552 100644
 # PLAIN authentication has no server prompts. The client sends its
 # credentials in one lump, containing an authorization ID (which we do not
-@@ -964,7 +1139,7 @@ begin authenticators
+@@ -978,7 +1153,7 @@ begin authenticators
 #  driver                     = plaintext
 #  server_set_id              = $auth2
 #  server_prompts             = :
@ -804,7 +803,7 @@ index 3423ee0..7d1e552 100644
 #  server_advertise_condition = ${if def:tls_in_cipher }
 # LOGIN authentication has traditional prompts and responses. There is no
-@@ -976,7 +1151,7 @@ begin authenticators
+@@ -990,7 +1165,7 @@ begin authenticators
 #  driver                     = plaintext
 #  server_set_id              = $auth1
 #  server_prompts             = <| Username: | Password:
--- a/exim-4.94.2-opendmarc-1.4-build-fix.patch
+++ b/exim-4.94.2-opendmarc-1.4-build-fix.patch
@ -0,0 +1,11 @@
 --- a/src/dmarc.c
 +++ b/src/dmarc.c
@@ -446,7 +446,7 @@ if (!dmarc_abort && !sender_host_authenticated)
 		  vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
 		  DMARC_POLICY_DKIM_OUTCOME_NONE;
     libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain,
 -					       dkim_result, US"");
 +					       sig->selector, dkim_result, US"");
     DEBUG(D_receive)
       debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain);
     if (libdm_status != DMARC_PARSE_OKAY)
--- a/exim.spec
+++ b/exim.spec
@ -11,8 +11,8 @@
 Summary: The exim mail transfer agent
 Name: exim
-Version: 4.94
+Version: 4.94.2
-Release: 7%{?dist}
+Release: 1%{?dist}
 License: GPLv2+
 Url: https://www.exim.org/
@ -42,12 +42,12 @@ Source24: exim.service
 Source25: exim-gen-cert
 Source26: clamd.exim.service
-Patch0: exim-4.94-config.patch
+Patch0: exim-4.94.2-config.patch
 Patch1: exim-4.94-libdir.patch
 Patch2: exim-4.94-dlopen-localscan.patch
 Patch3: exim-4.85-pic.patch
-# https://bugs.exim.org/show_bug.cgi?id=2594
+# https://bugs.exim.org/show_bug.cgi?id=2728
-Patch4: exim-4.94-tls-cname-handling-fix.patch
+Patch4: exim-4.94.2-opendmarc-1.4-build-fix.patch
 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
@ -162,7 +162,7 @@ greylisting unconditional.
 %patch1 -p1 -b .libdir
 %patch2 -p1 -b .dl
 %patch3 -p1 -b .fpic
-%patch4 -p1 -b .tls-cname-handling-fix
+%patch4 -p1 -b .opendmarc-1.4-build-fix
 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@ -480,6 +480,10 @@ fi
 %{_sysconfdir}/cron.daily/greylist-tidy.sh
 %changelog
 * Tue May  4 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94.2-1
 - New version
  Resolves: rhbz#1956859
 * Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-7
 - Fixed cname handling in TLS certificate verification
  Resolves: rhbz#1942582
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (exim-4.94.tar.xz) = 3bf95ade30902327403e7308089a3e423761da5b0745397dace7c7fd15ba3838d93e0ee418f1fed57606f79e57b793c7c7407e5c0d526146f0036126d5d95316
+SHA512 (exim-4.94.2.tar.xz) = 5334c236221ed4e03dbc33e6a79d939b06037fa2f4b71971607a360b67af5c85a89681ee13a5eeaf0184382c55a160cf2e89ed7afb2949f025a54f1e88f9e3fc
-SHA512 (exim-4.94.tar.xz.asc) = 7288ff92852bed4058a8c7315ec8f80d8ad80297d50e6971531b54bcf528614f37bb8debaf9e73ffe29fbbe6fa2162f3aeb06373307b23442392427688eb3cb8
+SHA512 (exim-4.94.2.tar.xz.asc) = 982c93530b8c8e13e6d8ea6032c8db27ede6692bc584ea5507b39bba6b4c3082285fb453affdc06e8d962c894c04ee9fc039523c5f329f785f918f831d9803a3
`@ -1,2 +1,2 @@`
	`exim-*.tar.xz`	`/exim-*.tar.xz`
	`exim-*.tar.xz.asc`	`/exim-*.tar.xz.asc`
`@ -1,2 +1,2 @@`
	`SHA512 (exim-4.94.tar.xz) = 3bf95ade30902327403e7308089a3e423761da5b0745397dace7c7fd15ba3838d93e0ee418f1fed57606f79e57b793c7c7407e5c0d526146f0036126d5d95316`	`SHA512 (exim-4.94.2.tar.xz) = 5334c236221ed4e03dbc33e6a79d939b06037fa2f4b71971607a360b67af5c85a89681ee13a5eeaf0184382c55a160cf2e89ed7afb2949f025a54f1e88f9e3fc`
	`SHA512 (exim-4.94.tar.xz.asc) = 7288ff92852bed4058a8c7315ec8f80d8ad80297d50e6971531b54bcf528614f37bb8debaf9e73ffe29fbbe6fa2162f3aeb06373307b23442392427688eb3cb8`	`SHA512 (exim-4.94.2.tar.xz.asc) = 982c93530b8c8e13e6d8ea6032c8db27ede6692bc584ea5507b39bba6b4c3082285fb453affdc06e8d962c894c04ee9fc039523c5f329f785f918f831d9803a3`