New version

Resolves: rhbz#1956859
This commit is contained in:
Jaroslav Škarvada 2021-05-04 19:40:58 +02:00
parent a8bf41bfdb
commit f3c8bb48f9
6 changed files with 49 additions and 189 deletions

4
.gitignore vendored
View File

@ -1,2 +1,2 @@
exim-*.tar.xz /exim-*.tar.xz
exim-*.tar.xz.asc /exim-*.tar.xz.asc

View File

@ -1,154 +0,0 @@
diff --git a/src/host.c b/src/host.c
index 0e0e013..99bbba7 100644
--- a/src/host.c
+++ b/src/host.c
@@ -1950,6 +1950,13 @@ BOOL temp_error = FALSE;
int af;
#endif
+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before anything modifies it. */
+
+host->certname = host->name;
+#endif
+
/* Make sure DNS options are set as required. This appears to be necessary in
some circumstances when the get..byname() function actually calls the DNS. */
@@ -2117,6 +2124,9 @@ for (int i = 1; i <= times;
{
host_item *next = store_get(sizeof(host_item), FALSE);
next->name = host->name;
+#ifndef DISABLE_TLS
+ next->certname = host->certname;
+#endif
next->mx = host->mx;
next->address = text_address;
next->port = PORT_NONE;
@@ -2135,12 +2145,12 @@ for (int i = 1; i <= times;
NULL. If temp_error is set, at least one of the lookups gave a temporary error,
so we pass that back. */
-if (host->address == NULL)
+if (!host->address)
{
uschar *msg =
#ifndef STAND_ALONE
- (message_id[0] == 0 && smtp_in != NULL)?
- string_sprintf("no IP address found for host %s (during %s)", host->name,
+ message_id[0] == 0 && smtp_in
+ ? string_sprintf("no IP address found for host %s (during %s)", host->name,
smtp_get_connection_info()) :
#endif
string_sprintf("no IP address found for host %s", host->name);
@@ -2260,6 +2270,13 @@ BOOL v6_find_again = FALSE;
BOOL dnssec_fail = FALSE;
int i;
+#ifndef DISABLE_TLS
+/* Copy the host name at this point to the value which is used for
+TLS certificate name checking, before any CNAME-following modifies it. */
+
+host->certname = host->name;
+#endif
+
/* If allow_ip is set, a name which is an IP address returns that value
as its address. This is used for MX records when allow_mx_to_ip is set, for
those sites that feel they have to flaunt the RFC rules. */
diff --git a/src/structs.h b/src/structs.h
index c6700d5..206237f 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -80,14 +80,17 @@ typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t;
typedef struct host_item {
struct host_item *next;
- const uschar *name; /* Host name */
- const uschar *address; /* IP address in text form */
- int port; /* port value in host order (if SRV lookup) */
- int mx; /* MX value if found via MX records */
- int sort_key; /* MX*1000 plus random "fraction" */
- int status; /* Usable, unusable, or unknown */
- int why; /* Why host is unusable */
- int last_try; /* Time of last try if known */
+ const uschar *name; /* Host name */
+#ifndef DISABLE_TLS
+ const uschar *certname; /* Name used for certificate checks */
+#endif
+ const uschar *address; /* IP address in text form */
+ int port; /* port value in host order (if SRV lookup) */
+ int mx; /* MX value if found via MX records */
+ int sort_key; /* MX*1000 plus random "fraction" */
+ int status; /* Usable, unusable, or unknown */
+ int why; /* Why host is unusable */
+ int last_try; /* Time of last try if known */
dnssec_status_t dnssec;
} host_item;
diff --git a/src/tls-gnu.c b/src/tls-gnu.c
index 24114f0..875c82e 100644
--- a/src/tls-gnu.c
+++ b/src/tls-gnu.c
@@ -2601,9 +2601,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
{
state->exp_tls_verify_cert_hostnames =
#ifdef SUPPORT_I18N
- string_domain_utf8_to_alabel(host->name, NULL);
+ string_domain_utf8_to_alabel(host->certname, NULL);
#else
- host->name;
+ host->certname;
#endif
DEBUG(D_tls)
debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
diff --git a/src/tls-openssl.c b/src/tls-openssl.c
index 8c9d8aa..a623229 100644
--- a/src/tls-openssl.c
+++ b/src/tls-openssl.c
@@ -372,10 +372,10 @@ typedef struct ocsp_resp {
} ocsp_resplist;
typedef struct tls_ext_ctx_cb {
- tls_support * tlsp;
- uschar *certificate;
- uschar *privatekey;
- BOOL is_server;
+ tls_support * tlsp;
+ uschar * certificate;
+ uschar * privatekey;
+ BOOL is_server;
#ifndef DISABLE_OCSP
STACK_OF(X509) *verify_stack; /* chain for verifying the proof */
union {
@@ -390,14 +390,14 @@ typedef struct tls_ext_ctx_cb {
} client;
} u_ocsp;
#endif
- uschar *dhparam;
+ uschar * dhparam;
/* these are cached from first expand */
- uschar *server_cipher_list;
+ uschar * server_cipher_list;
/* only passed down to tls_error: */
- host_item *host;
+ host_item * host;
const uschar * verify_cert_hostnames;
#ifndef DISABLE_EVENT
- uschar * event_action;
+ uschar * event_action;
#endif
} tls_ext_ctx_cb;
@@ -2915,9 +2915,9 @@ if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
{
cbinfo->verify_cert_hostnames =
#ifdef SUPPORT_I18N
- string_domain_utf8_to_alabel(host->name, NULL);
+ string_domain_utf8_to_alabel(host->certname, NULL);
#else
- host->name;
+ host->certname;
#endif
DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
cbinfo->verify_cert_hostnames);

View File

@ -12,7 +12,7 @@ index 61368ec..e8fe9ef 100755
echo "" >>$mft echo "" >>$mft
cat $mftt >> $mft cat $mftt >> $mft
diff --git a/src/EDITME b/src/EDITME diff --git a/src/EDITME b/src/EDITME
index e568bdb..65082b5 100644 index 8da36a3..9b7682c 100644
--- a/src/EDITME --- a/src/EDITME
+++ b/src/EDITME +++ b/src/EDITME
@@ -99,7 +99,7 @@ @@ -99,7 +99,7 @@
@ -361,7 +361,7 @@ index e568bdb..65082b5 100644
# If PID_FILE_PATH is not defined, Exim writes a file in its spool directory # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
# using the name "exim-daemon.pid". # using the name "exim-daemon.pid".
diff --git a/src/configure.default b/src/configure.default diff --git a/src/configure.default b/src/configure.default
index 3423ee0..7d1e552 100644 index d94c148..1f6afd4 100644
--- a/src/configure.default --- a/src/configure.default
+++ b/src/configure.default +++ b/src/configure.default
@@ -67,7 +67,7 @@ @@ -67,7 +67,7 @@
@ -524,7 +524,7 @@ index 3423ee0..7d1e552 100644
require verify = sender require verify = sender
@@ -471,6 +522,7 @@ acl_check_rcpt: @@ -485,6 +536,7 @@ acl_check_rcpt:
accept hosts = +relay_from_hosts accept hosts = +relay_from_hosts
control = submission control = submission
control = dkim_disable_verify control = dkim_disable_verify
@ -532,7 +532,7 @@ index 3423ee0..7d1e552 100644
# Accept if the message arrived over an authenticated connection, from # Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient # any host. Again, these messages are usually from MUAs, so recipient
@@ -480,6 +532,7 @@ acl_check_rcpt: @@ -494,6 +546,7 @@ acl_check_rcpt:
accept authenticated = * accept authenticated = *
control = submission control = submission
control = dkim_disable_verify control = dkim_disable_verify
@ -540,7 +540,7 @@ index 3423ee0..7d1e552 100644
# Insist that a HELO/EHLO was accepted. # Insist that a HELO/EHLO was accepted.
@@ -505,7 +558,8 @@ acl_check_rcpt: @@ -519,7 +572,8 @@ acl_check_rcpt:
# There are no default checks on DNS black lists because the domains that # There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two # contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this # examples of how you can get Exim to perform a DNS black list lookup at this
@ -550,7 +550,7 @@ index 3423ee0..7d1e552 100644
# #
# deny dnslists = black.list.example # deny dnslists = black.list.example
# message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
@@ -513,6 +567,10 @@ acl_check_rcpt: @@ -527,6 +581,10 @@ acl_check_rcpt:
# warn dnslists = black.list.example # warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain # log_message = found in $dnslist_domain
@ -561,7 +561,7 @@ index 3423ee0..7d1e552 100644
############################################################################# #############################################################################
############################################################################# #############################################################################
@@ -539,6 +597,10 @@ acl_check_rcpt: @@ -553,6 +611,10 @@ acl_check_rcpt:
# set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
############################################################################# #############################################################################
@ -572,7 +572,7 @@ index 3423ee0..7d1e552 100644
# At this point, the address has passed all the checks that have been # At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally. # configured, so we accept it unconditionally.
@@ -588,21 +650,32 @@ acl_check_data: @@ -602,21 +664,32 @@ acl_check_data:
message = header syntax message = header syntax
log_message = header syntax ($acl_verify_message) log_message = header syntax ($acl_verify_message)
@ -601,20 +601,19 @@ index 3423ee0..7d1e552 100644
- # Add headers to a message if it is judged to be spam. Before enabling this, - # Add headers to a message if it is judged to be spam. Before enabling this,
- # you must install SpamAssassin. You may also need to set the spamd_address - # you must install SpamAssassin. You may also need to set the spamd_address
- # option above. - # option above.
- # + # Bypass SpamAssassin checks if the message is too large.
#
- # warn spam = nobody - # warn spam = nobody
- # add_header = X-Spam_score: $spam_score\n\ - # add_header = X-Spam_score: $spam_score\n\
- # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_score_int: $spam_score_int\n\
- # X-Spam_bar: $spam_bar\n\ - # X-Spam_bar: $spam_bar\n\
- # X-Spam_report: $spam_report - # X-Spam_report: $spam_report
+ # Bypass SpamAssassin checks if the message is too large.
+ #
+ # accept condition = ${if >={$message_size}{100000} {1}} + # accept condition = ${if >={$message_size}{100000} {1}}
+ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size + # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
############################################################################# #############################################################################
# No more tests if PRDR was actively used. # No more tests if PRDR was actively used.
@@ -616,11 +689,63 @@ acl_check_data: @@ -630,11 +703,63 @@ acl_check_data:
# condition = ... # condition = ...
############################################################################# #############################################################################
@ -633,8 +632,7 @@ index 3423ee0..7d1e552 100644
+ # + #
+ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ + # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
+ # X-Spam-Report: $spam_report + # X-Spam-Report: $spam_report
+
- # Accept the message.
+ # And reject if the SpamAssassin score is greater than ten + # And reject if the SpamAssassin score is greater than ten
+ # + #
+ # deny condition = ${if >{$spam_score_int}{100} {1}} + # deny condition = ${if >{$spam_score_int}{100} {1}}
@ -646,7 +644,8 @@ index 3423ee0..7d1e552 100644
+ # warn condition = ${if >{$spam_score_int}{5} {1}} + # warn condition = ${if >{$spam_score_int}{5} {1}}
+ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons + # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
+ +
+
- # Accept the message.
+ # If you want to greylist _all_ mail rather than only mail which looks like there + # If you want to greylist _all_ mail rather than only mail which looks like there
+ # might be something wrong with it, then you can do this... + # might be something wrong with it, then you can do this...
+ # + #
@ -679,7 +678,7 @@ index 3423ee0..7d1e552 100644
###################################################################### ######################################################################
@@ -722,7 +847,7 @@ system_aliases: @@ -736,7 +861,7 @@ system_aliases:
driver = redirect driver = redirect
allow_fail allow_fail
allow_defer allow_defer
@ -688,7 +687,7 @@ index 3423ee0..7d1e552 100644
# user = exim # user = exim
file_transport = address_file file_transport = address_file
pipe_transport = address_pipe pipe_transport = address_pipe
@@ -760,7 +885,7 @@ userforward: @@ -774,7 +899,7 @@ userforward:
# local_part_suffix = +* : -* # local_part_suffix = +* : -*
# local_part_suffix_optional # local_part_suffix_optional
file = $home/.forward file = $home/.forward
@ -697,7 +696,7 @@ index 3423ee0..7d1e552 100644
no_verify no_verify
no_expn no_expn
check_ancestor check_ancestor
@@ -768,6 +893,12 @@ userforward: @@ -782,6 +907,12 @@ userforward:
pipe_transport = address_pipe pipe_transport = address_pipe
reply_transport = address_reply reply_transport = address_reply
@ -710,7 +709,7 @@ index 3423ee0..7d1e552 100644
# This router matches local user mailboxes. If the router fails, the error # This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user". # message is "Unknown user".
@@ -809,6 +940,25 @@ remote_smtp: @@ -823,6 +954,25 @@ remote_smtp:
driver = smtp driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
@ -736,7 +735,7 @@ index 3423ee0..7d1e552 100644
# This transport is used for delivering messages to a smarthost, if the # This transport is used for delivering messages to a smarthost, if the
# smarthost router is enabled. This starts from the same basis as # smarthost router is enabled. This starts from the same basis as
@@ -861,8 +1011,8 @@ local_delivery: @@ -875,8 +1025,8 @@ local_delivery:
delivery_date_add delivery_date_add
envelope_to_add envelope_to_add
return_path_add return_path_add
@ -747,7 +746,7 @@ index 3423ee0..7d1e552 100644
# This transport is used for handling pipe deliveries generated by alias or # This transport is used for handling pipe deliveries generated by alias or
@@ -895,6 +1045,16 @@ address_reply: @@ -909,6 +1059,16 @@ address_reply:
driver = autoreply driver = autoreply
@ -764,7 +763,7 @@ index 3423ee0..7d1e552 100644
###################################################################### ######################################################################
# RETRY CONFIGURATION # # RETRY CONFIGURATION #
@@ -935,6 +1095,21 @@ begin rewrite @@ -949,6 +1109,21 @@ begin rewrite
# AUTHENTICATION CONFIGURATION # # AUTHENTICATION CONFIGURATION #
###################################################################### ######################################################################
@ -786,7 +785,7 @@ index 3423ee0..7d1e552 100644
# The following authenticators support plaintext username/password # The following authenticators support plaintext username/password
# authentication using the standard PLAIN mechanism and the traditional # authentication using the standard PLAIN mechanism and the traditional
# but non-standard LOGIN mechanism, with Exim acting as the server. # but non-standard LOGIN mechanism, with Exim acting as the server.
@@ -950,7 +1125,7 @@ begin rewrite @@ -964,7 +1139,7 @@ begin rewrite
# The default RCPT ACL checks for successful authentication, and will accept # The default RCPT ACL checks for successful authentication, and will accept
# messages from authenticated users from anywhere on the Internet. # messages from authenticated users from anywhere on the Internet.
@ -795,7 +794,7 @@ index 3423ee0..7d1e552 100644
# PLAIN authentication has no server prompts. The client sends its # PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not # credentials in one lump, containing an authorization ID (which we do not
@@ -964,7 +1139,7 @@ begin authenticators @@ -978,7 +1153,7 @@ begin authenticators
# driver = plaintext # driver = plaintext
# server_set_id = $auth2 # server_set_id = $auth2
# server_prompts = : # server_prompts = :
@ -804,7 +803,7 @@ index 3423ee0..7d1e552 100644
# server_advertise_condition = ${if def:tls_in_cipher } # server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no # LOGIN authentication has traditional prompts and responses. There is no
@@ -976,7 +1151,7 @@ begin authenticators @@ -990,7 +1165,7 @@ begin authenticators
# driver = plaintext # driver = plaintext
# server_set_id = $auth1 # server_set_id = $auth1
# server_prompts = <| Username: | Password: # server_prompts = <| Username: | Password:

View File

@ -0,0 +1,11 @@
--- a/src/dmarc.c
+++ b/src/dmarc.c
@@ -446,7 +446,7 @@ if (!dmarc_abort && !sender_host_authenticated)
vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
DMARC_POLICY_DKIM_OUTCOME_NONE;
libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain,
- dkim_result, US"");
+ sig->selector, dkim_result, US"");
DEBUG(D_receive)
debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain);
if (libdm_status != DMARC_PARSE_OKAY)

View File

@ -11,8 +11,8 @@
Summary: The exim mail transfer agent Summary: The exim mail transfer agent
Name: exim Name: exim
Version: 4.94 Version: 4.94.2
Release: 7%{?dist} Release: 1%{?dist}
License: GPLv2+ License: GPLv2+
Url: https://www.exim.org/ Url: https://www.exim.org/
@ -42,12 +42,12 @@ Source24: exim.service
Source25: exim-gen-cert Source25: exim-gen-cert
Source26: clamd.exim.service Source26: clamd.exim.service
Patch0: exim-4.94-config.patch Patch0: exim-4.94.2-config.patch
Patch1: exim-4.94-libdir.patch Patch1: exim-4.94-libdir.patch
Patch2: exim-4.94-dlopen-localscan.patch Patch2: exim-4.94-dlopen-localscan.patch
Patch3: exim-4.85-pic.patch Patch3: exim-4.85-pic.patch
# https://bugs.exim.org/show_bug.cgi?id=2594 # https://bugs.exim.org/show_bug.cgi?id=2728
Patch4: exim-4.94-tls-cname-handling-fix.patch Patch4: exim-4.94.2-opendmarc-1.4-build-fix.patch
Requires: /etc/pki/tls/certs /etc/pki/tls/private Requires: /etc/pki/tls/certs /etc/pki/tls/private
Requires: /etc/aliases Requires: /etc/aliases
@ -162,7 +162,7 @@ greylisting unconditional.
%patch1 -p1 -b .libdir %patch1 -p1 -b .libdir
%patch2 -p1 -b .dl %patch2 -p1 -b .dl
%patch3 -p1 -b .fpic %patch3 -p1 -b .fpic
%patch4 -p1 -b .tls-cname-handling-fix %patch4 -p1 -b .opendmarc-1.4-build-fix
cp src/EDITME Local/Makefile cp src/EDITME Local/Makefile
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
@ -480,6 +480,10 @@ fi
%{_sysconfdir}/cron.daily/greylist-tidy.sh %{_sysconfdir}/cron.daily/greylist-tidy.sh
%changelog %changelog
* Tue May 4 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94.2-1
- New version
Resolves: rhbz#1956859
* Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-7 * Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-7
- Fixed cname handling in TLS certificate verification - Fixed cname handling in TLS certificate verification
Resolves: rhbz#1942582 Resolves: rhbz#1942582

View File

@ -1,2 +1,2 @@
SHA512 (exim-4.94.tar.xz) = 3bf95ade30902327403e7308089a3e423761da5b0745397dace7c7fd15ba3838d93e0ee418f1fed57606f79e57b793c7c7407e5c0d526146f0036126d5d95316 SHA512 (exim-4.94.2.tar.xz) = 5334c236221ed4e03dbc33e6a79d939b06037fa2f4b71971607a360b67af5c85a89681ee13a5eeaf0184382c55a160cf2e89ed7afb2949f025a54f1e88f9e3fc
SHA512 (exim-4.94.tar.xz.asc) = 7288ff92852bed4058a8c7315ec8f80d8ad80297d50e6971531b54bcf528614f37bb8debaf9e73ffe29fbbe6fa2162f3aeb06373307b23442392427688eb3cb8 SHA512 (exim-4.94.2.tar.xz.asc) = 982c93530b8c8e13e6d8ea6032c8db27ede6692bc584ea5507b39bba6b4c3082285fb453affdc06e8d962c894c04ee9fc039523c5f329f785f918f831d9803a3