Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>

.gitignore

@@ -1 +1,2 @@
-exim-*.tar.bz2
+/exim-*.tar.xz
+/exim-*.tar.xz.asc

exim-4.87-dynlookup-config.patch

@@ -1,25 +0,0 @@
-diff --git a/src/EDITME b/src/EDITME
-index df3dcc8..de01565 100644
---- a/src/EDITME
-+++ b/src/EDITME
-@@ -306,14 +306,16 @@ LOOKUP_DSEARCH=yes
- # LOOKUP_IBASE=yes
- LOOKUP_LDAP=yes
- LDAP_LIB_TYPE=OPENLDAP2
--LOOKUP_INCLUDE=-I/usr/include/mysql
--LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq
--LOOKUP_MYSQL=yes
-+LOOKUP_LIBS=-lldap -llber -lsqlite3
-+LOOKUP_MYSQL_INCLUDE=-I/usr/include/mysql
-+LOOKUP_MYSQL_LIBS=-L/usr/${_lib}/mysql -lmysqlclient
-+LOOKUP_PGSQL_LIBS=-lpq
-+LOOKUP_MYSQL=2
- LOOKUP_NIS=yes
- LOOKUP_NISPLUS=yes
- # LOOKUP_ORACLE=yes
- LOOKUP_PASSWD=yes
--LOOKUP_PGSQL=yes
-+LOOKUP_PGSQL=2
- # LOOKUP_REDIS=yes
- LOOKUP_SQLITE=yes
- # LOOKUP_WHOSON=yes

exim-4.87-environment.patch

@@ -1,14 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -357,8 +357,8 @@ timeout_frozen_after = 7d
- # Note that TZ is handled separateley by the timezone runtime option
- # and TIMEZONE_DEFAULT buildtime option.
- 
--# keep_environment = ^LDAP
--# add_environment = PATH=/usr/bin::/bin
-+keep_environment = ^LDAP
-+add_environment = PATH=/usr/bin::/bin
- 
- 
- 

exim-4.87-localhost-is-local.patch

@@ -1,13 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index d1ce2f1..1f10008 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -55,7 +55,7 @@
- # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
- # are all colon-separated lists:
- 
--domainlist local_domains = @
-+domainlist local_domains = @ : localhost : localhost.localdomain
- domainlist relay_to_domains =
- hostlist   relay_from_hosts = localhost
- # (We rely upon hostname resolution working for localhost, because the default

exim-4.87-spamdconf.patch

@@ -1,103 +0,0 @@
---- a/src/configure.default.spamd	2016-12-25 21:06:57.453758443 +0000
-+++ b/src/configure.default	2016-12-25 21:07:49.940188407 +0000
-@@ -109,6 +109,7 @@ hostlist   relay_from_hosts = localhost
- 
- acl_smtp_rcpt = acl_check_rcpt
- acl_smtp_data = acl_check_data
-+acl_smtp_mime = acl_check_mime
- 
- # You should not change those settings until you understand how ACLs work.
- 
-@@ -121,7 +122,7 @@ acl_smtp_data = acl_check_data
- # of what to set for other virus scanners. The second modification is in the
- # acl_check_data access control list (see below).
- 
--# av_scanner = clamd:/tmp/clamd
-+av_scanner = clamd:/var/run/clamd.exim/clamd.sock
- 
- 
- # For spam scanning, there is a similar option that defines the interface to
-@@ -431,7 +432,8 @@ acl_check_rcpt:
-   accept  local_parts   = postmaster
-           domains       = +local_domains
- 
--  # Deny unless the sender address can be verified.
-+  # Deny unless the sender address can be routed. For proper verification of the
-+  # address, read the documentation on callouts and add the /callout modifier.
- 
-   require verify        = sender
- 
-@@ -535,27 +537,63 @@ acl_check_data:
-                        got $max_received_linelength
-           condition  = ${if > {$max_received_linelength}{998}}
- 
-+  # Put simple tests first. A good one is to check for the presence of a
-+  # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
-+  # or misconfigured mailer software occasionally omits this from genuine
-+  # messages too, though -- although it's not hard for the offender to fix
-+  # after they receive a bounce because of it.
-+  #
-+  # deny    condition  = ${if !def:h_Message-ID: {1}}
-+  #         message    = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
-+  #                      Most messages without it are spam, so your mail has been rejected.
-+
-   # Deny if the message contains a virus. Before enabling this check, you
-   # must install a virus scanner and set the av_scanner option above.
-   #
-   # deny    malware    = *
-   #         message    = This message contains a virus ($malware_name).
- 
--  # Add headers to a message if it is judged to be spam. Before enabling this,
--  # you must install SpamAssassin. You may also need to set the spamd_address
--  # option above.
--  #
--  # warn    spam       = nobody
--  #         add_header = X-Spam_score: $spam_score\n\
--  #                      X-Spam_score_int: $spam_score_int\n\
--  #                      X-Spam_bar: $spam_bar\n\
--  #                      X-Spam_report: $spam_report
-+  # Bypass SpamAssassin checks if the message is too large.
-+  #
-+  # accept  condition  = ${if >={$message_size}{100000} {1}}
-+  #         add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
-+
-+  # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
-+  # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
-+  # score exceeds the SA system threshold.
-+  #
-+  # warn    spam       = nobody/defer_ok
-+  #         add_header = X-Spam-Flag: YES
-+  #
-+  # accept  condition  = ${if !def:spam_score_int {1}}
-+  #         add_header = X-Spam-Note: SpamAssassin invocation failed
-+  #
-+
-+  # Unconditionally add score and report headers
-+  #
-+  # warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
-+  #                      X-Spam-Report: $spam_report
- 
--  # Accept the message.
-+  # And reject if the SpamAssassin score is greater than ten
-+  #
-+  # deny    condition = ${if >{$spam_score_int}{100} {1}}
-+  #         message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
-+  #  	    	        $spam_report
- 
-   accept
- 
- 
-+acl_check_mime:
-+
-+  # File extension filtering.
-+  deny message = Blacklisted file extension detected
-+       condition = ${if match \
-+                        {${lc:$mime_filename}} \
-+                        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
-+                     {1}{0}}
-+
-+  accept
-+
- 
- ######################################################################
- #                      ROUTERS CONFIGURATION                         #

exim-4.88-DKIM-fix.patch

@@ -1,630 +0,0 @@
-diff --git a/src/auths/get_data.c b/src/auths/get_data.c
-index f839a01..11bc581 100644
---- a/src/auths/get_data.c
-+++ b/src/auths/get_data.c
-@@ -31,7 +31,7 @@ auth_get_data(uschar **aptr, uschar *challenge, int challen)
- int c;
- int p = 0;
- smtp_printf("334 %s\r\n", b64encode(challenge, challen));
--while ((c = receive_getc()) != '\n' && c != EOF)
-+while ((c = receive_getc(GETC_BUFFER_UNLIMITED)) != '\n' && c != EOF)
-   {
-   if (p >= big_buffer_size - 1) return BAD64;
-   big_buffer[p++] = c;
-diff --git a/src/auths/get_no64_data.c b/src/auths/get_no64_data.c
-index d3ffe08..71e7139 100644
---- a/src/auths/get_no64_data.c
-+++ b/src/auths/get_no64_data.c
-@@ -32,7 +32,7 @@ auth_get_no64_data(uschar **aptr, uschar *challenge)
- int c;
- int p = 0;
- smtp_printf("334 %s\r\n", challenge);
--while ((c = receive_getc()) != '\n' && c != EOF)
-+while ((c = receive_getc(GETC_BUFFER_UNLIMITED)) != '\n' && c != EOF)
-   {
-   if (p >= big_buffer_size - 1) return BAD64;
-   big_buffer[p++] = c;
-diff --git a/src/dkim.c b/src/dkim.c
-index 70c9547..445d246 100644
---- a/src/dkim.c
-+++ b/src/dkim.c
-@@ -18,6 +18,7 @@ int dkim_verify_oldpool;
- pdkim_ctx *dkim_verify_ctx = NULL;
- pdkim_signature *dkim_signatures = NULL;
- pdkim_signature *dkim_cur_sig = NULL;
-+static BOOL dkim_collect_error = FALSE;
- 
- static int
- dkim_exim_query_dns_txt(char *name, char *answer)
-@@ -87,6 +88,7 @@ if (dkim_verify_ctx)
- 
- dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
- dkim_collect_input = !!dkim_verify_ctx;
-+dkim_collect_error = FALSE;
- 
- /* Start feed up with any cached data */
- receive_get_cache();
-@@ -106,6 +108,7 @@ if (  dkim_collect_input
-   {
-   log_write(0, LOG_MAIN,
- 	     "DKIM: validation error: %.100s", pdkim_errstr(rc));
-+  dkim_collect_error = TRUE;
-   dkim_collect_input = FALSE;
-   }
- store_pool = dkim_verify_oldpool;
-@@ -127,11 +130,7 @@ store_pool = POOL_PERM;
- 
- dkim_signatures = NULL;
- 
--/* If we have arrived here with dkim_collect_input == FALSE, it
--means there was a processing error somewhere along the way.
--Log the incident and disable futher verification. */
--
--if (!dkim_collect_input)
-+if (dkim_collect_error)
-   {
-   log_write(0, LOG_MAIN,
- 	     "DKIM: Error while running this message through validation,"
-diff --git a/src/functions.h b/src/functions.h
-index 04d9410..9c60090 100644
---- a/src/functions.h
-+++ b/src/functions.h
-@@ -55,7 +55,7 @@ extern int     tls_export_cert(uschar *, size_t, void *);
- extern int     tls_feof(void);
- extern int     tls_ferror(void);
- extern void    tls_free_cert(void **);
--extern int     tls_getc(void);
-+extern int     tls_getc(unsigned);
- extern void    tls_get_cache(void);
- extern int     tls_import_cert(const uschar *, void **);
- extern int     tls_read(BOOL, uschar *, size_t);
-@@ -101,7 +101,7 @@ extern int     auth_xtextdecode(uschar *, uschar **);
- 
- extern uschar *b64encode(uschar *, int);
- extern int     b64decode(uschar *, uschar **);
--extern int     bdat_getc(void);
-+extern int     bdat_getc(unsigned);
- extern void    bits_clear(unsigned int *, size_t, int *);
- extern void    bits_set(unsigned int *, size_t, int *);
- 
-@@ -395,7 +395,7 @@ extern uschar *smtp_get_connection_info(void);
- extern BOOL    smtp_get_interface(uschar *, int, address_item *,
-                  uschar **, uschar *);
- extern BOOL    smtp_get_port(uschar *, address_item *, int *, uschar *);
--extern int     smtp_getc(void);
-+extern int     smtp_getc(unsigned);
- extern void    smtp_get_cache(void);
- extern int     smtp_handle_acl_fail(int, int, uschar *, uschar *);
- extern void    smtp_log_no_mail(void);
-@@ -421,7 +421,7 @@ extern int     spool_open_datafile(uschar *);
- extern int     spool_open_temp(uschar *);
- extern int     spool_read_header(uschar *, BOOL, BOOL);
- extern int     spool_write_header(uschar *, int, uschar **);
--extern int     stdin_getc(void);
-+extern int     stdin_getc(unsigned);
- extern int     stdin_feof(void);
- extern int     stdin_ferror(void);
- extern int     stdin_ungetc(int);
-diff --git a/src/globals.c b/src/globals.c
-index c722059..649335f 100644
---- a/src/globals.c
-+++ b/src/globals.c
-@@ -187,9 +187,9 @@ incoming TCP/IP. The defaults use stdin. We never need these for any
- stand-alone tests. */
- 
- #ifndef STAND_ALONE
--int (*lwr_receive_getc)(void)  = stdin_getc;
-+int (*lwr_receive_getc)(unsigned) = stdin_getc;
- int (*lwr_receive_ungetc)(int) = stdin_ungetc;
--int (*receive_getc)(void)      = stdin_getc;
-+int (*receive_getc)(unsigned)  = stdin_getc;
- void (*receive_get_cache)(void)= NULL;
- int (*receive_ungetc)(int)     = stdin_ungetc;
- int (*receive_feof)(void)      = stdin_feof;
-diff --git a/src/globals.h b/src/globals.h
-index e3dd507..344f8ef 100644
---- a/src/globals.h
-+++ b/src/globals.h
-@@ -141,9 +141,9 @@ extern uschar  *dsn_advertise_hosts;   /* host for which TLS is advertised */
- /* Input-reading functions for messages, so we can use special ones for
- incoming TCP/IP. */
- 
--extern int (*lwr_receive_getc)(void);
-+extern int (*lwr_receive_getc)(unsigned);
- extern int (*lwr_receive_ungetc)(int);
--extern int (*receive_getc)(void);
-+extern int (*receive_getc)(unsigned);
- extern void (*receive_get_cache)(void);
- extern int (*receive_ungetc)(int);
- extern int (*receive_feof)(void);
-diff --git a/src/macros.h b/src/macros.h
-index 1b7cf4a..c8957d8 100644
---- a/src/macros.h
-+++ b/src/macros.h
-@@ -968,5 +968,9 @@ enum { FILTER_UNSET, FILTER_FORWARD, FILTER_EXIM, FILTER_SIEVE };
- #define PEER_OFFERED_SIZE	BIT(6)
- #define PEER_OFFERED_CHUNKING	BIT(7)
- 
-+/* Argument for *_getc */
-+
-+#define GETC_BUFFER_UNLIMITED	UINT_MAX
-+
- 
- /* End of macros.h */
-diff --git a/src/pdkim/pdkim.c b/src/pdkim/pdkim.c
-index 7bfcdf4..bcc3f09 100644
---- a/src/pdkim/pdkim.c
-+++ b/src/pdkim/pdkim.c
-@@ -962,6 +962,11 @@ if (ctx->flags & PDKIM_MODE_SIGN)
- /* DKIM-Signature: headers are added to the verification list */
- else
-   {
-+  DEBUG(D_acl)
-+    {
-+    debug_printf("PDKIM >> raw hdr: ");
-+    pdkim_quoteprint(CUS ctx->cur_header, Ustrlen(ctx->cur_header));
-+    }
-   if (strncasecmp(CCS ctx->cur_header,
- 		  DKIM_SIGNATURE_HEADERNAME,
- 		  Ustrlen(DKIM_SIGNATURE_HEADERNAME)) == 0)
-diff --git a/src/receive.c b/src/receive.c
-index e535876..9155cf1 100644
---- a/src/receive.c
-+++ b/src/receive.c
-@@ -37,7 +37,7 @@ the file. (When SMTP input is occurring, different functions are used by
- changing the pointer variables.) */
- 
- int
--stdin_getc(void)
-+stdin_getc(unsigned lim)
- {
- return getc(stdin);
- }
-@@ -626,7 +626,7 @@ if (!dot_ends)
-   {
-   register int last_ch = '\n';
- 
--  for (; (ch = (receive_getc)()) != EOF; last_ch = ch)
-+  for (; (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF; last_ch = ch)
-     {
-     if (ch == 0) body_zerocount++;
-     if (last_ch == '\r' && ch != '\n')
-@@ -668,7 +668,7 @@ if (!dot_ends)
- 
- ch_state = 1;
- 
--while ((ch = (receive_getc)()) != EOF)
-+while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
-   {
-   if (ch == 0) body_zerocount++;
-   switch (ch_state)
-@@ -786,7 +786,7 @@ int ch_state = 0;
- int ch;
- int linelength = 0;
- 
--while ((ch = (receive_getc)()) != EOF)
-+while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
-   {
-   if (ch == 0) body_zerocount++;
-   switch (ch_state)
-@@ -913,7 +913,7 @@ read_message_bdat_smtp(FILE *fout)
- int ch;
- int linelength = 0;
- 
--for (;;) switch (ch = bdat_getc())
-+for (;;) switch (ch = bdat_getc(GETC_BUFFER_UNLIMITED))
-   {
-   case EOF: return END_EOF;
-   case EOD: return END_DOT;
-@@ -1682,7 +1682,7 @@ next->text. */
- 
- for (;;)
-   {
--  int ch = (receive_getc)();
-+  int ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
- 
-   /* If we hit EOF on a SMTP connection, it's an error, since incoming
-   SMTP must have a correct "." terminator. */
-@@ -1761,10 +1761,10 @@ for (;;)
- 
-   if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
-     {
--    ch = (receive_getc)();
-+    ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
-     if (ch == '\r')
-       {
--      ch = (receive_getc)();
-+      ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
-       if (ch != '\n')
-         {
-         receive_ungetc(ch);
-@@ -1795,7 +1795,7 @@ for (;;)
- 
-   if (ch == '\r')
-     {
--    ch = (receive_getc)();
-+    ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
-     if (ch == '\n')
-       {
-       if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE;
-@@ -1890,7 +1890,7 @@ for (;;)
- 
-   if (ch != EOF)
-     {
--    int nextch = (receive_getc)();
-+    int nextch = (receive_getc)(GETC_BUFFER_UNLIMITED);
-     if (nextch == ' ' || nextch == '\t')
-       {
-       next->text[ptr++] = nextch;
-@@ -4024,7 +4024,7 @@ if (smtp_input && sender_host_address != NULL && !sender_host_notsocket &&
- 
-   if (select(fileno(smtp_in) + 1, &select_check, NULL, NULL, &tv) != 0)
-     {
--    int c = (receive_getc)();
-+    int c = (receive_getc)(GETC_BUFFER_UNLIMITED);
-     if (c != EOF) (receive_ungetc)(c); else
-       {
-       smtp_notquit_exit(US"connection-lost", NULL, NULL);
-diff --git a/src/smtp_in.c b/src/smtp_in.c
-index 1484861..82900d9 100644
---- a/src/smtp_in.c
-+++ b/src/smtp_in.c
-@@ -44,11 +44,11 @@ The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and
- we need room to handle large base64-encoded AUTHs for GSSAPI.
- */
- 
--#define smtp_cmd_buffer_size  16384
-+#define SMTP_CMD_BUFFER_SIZE  16384
- 
- /* Size of buffer for reading SMTP incoming packets */
- 
--#define in_buffer_size  8192
-+#define IN_BUFFER_SIZE  8192
- 
- /* Structure for SMTP command list */
- 
-@@ -301,7 +301,7 @@ static int     smtp_had_error;
- 
- /* forward declarations */
- int bdat_ungetc(int ch);
--static int smtp_read_command(BOOL check_sync);
-+static int smtp_read_command(BOOL check_sync, unsigned buffer_lim);
- static int synprot_error(int type, int code, uschar *data, uschar *errmess);
- static void smtp_quit_handler(uschar **, uschar **);
- static void smtp_rset_handler(void);
-@@ -315,12 +315,12 @@ it flushes the output, and refills the buffer, with a timeout. The signal
- handler is set appropriately by the calling function. This function is not used
- after a connection has negotated itself into an TLS/SSL state.
- 
--Arguments:  none
-+Arguments:  lim		Maximum amount to read/buffer
- Returns:    the next character or EOF
- */
- 
- int
--smtp_getc(void)
-+smtp_getc(unsigned lim)
- {
- if (smtp_inptr >= smtp_inend)
-   {
-@@ -328,7 +328,10 @@ if (smtp_inptr >= smtp_inend)
-   if (!smtp_out) return EOF;
-   fflush(smtp_out);
-   if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
--  rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
-+
-+  /* Limit amount read, so non-message data is not fed to DKIM */
-+
-+  rc = read(fileno(smtp_in), smtp_inbuffer, MIN(IN_BUFFER_SIZE, lim));
-   save_errno = errno;
-   alarm(0);
-   if (rc <= 0)
-@@ -376,23 +379,26 @@ to handle the BDAT command/response.
- Placed here due to the correlation with the above smtp_getc(), which it wraps,
- and also by the need to do smtp command/response handling.
- 
--Arguments:  none
-+Arguments:  lim		(ignored)
- Returns:    the next character or ERR, EOD or EOF
- */
- 
- int
--bdat_getc(void)
-+bdat_getc(unsigned lim)
- {
- uschar * user_msg = NULL;
- uschar * log_msg;
- 
- for(;;)
-   {
--  if (chunking_data_left-- > 0)
--    return lwr_receive_getc();
-+  if (chunking_data_left > 0)
-+    return lwr_receive_getc(chunking_data_left--);
- 
-   receive_getc = lwr_receive_getc;
-   receive_ungetc = lwr_receive_ungetc;
-+#ifndef DISABLE_DKIM
-+  dkim_collect_input = FALSE;
-+#endif
- 
-   /* If not the last, ack the received chunk.  The last response is delayed
-   until after the data ACL decides on it */
-@@ -405,21 +411,22 @@ for(;;)
-     return EOD;
-     }
- 
--  chunking_state = CHUNKING_OFFERED;
-   smtp_printf("250 %u byte chunk received\r\n", chunking_datasize);
-+  chunking_state = CHUNKING_OFFERED;
-+  DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
- 
-   /* Expect another BDAT cmd from input. RFC 3030 says nothing about
-   QUIT, RSET or NOOP but handling them seems obvious */
- 
- next_cmd:
--  switch(smtp_read_command(TRUE))
-+  switch(smtp_read_command(TRUE, 1))
-     {
-     default:
-       (void) synprot_error(L_smtp_protocol_error, 503, NULL,
- 	US"only BDAT permissible after non-LAST BDAT");
- 
-   repeat_until_rset:
--      switch(smtp_read_command(TRUE))
-+      switch(smtp_read_command(TRUE, 1))
- 	{
- 	case QUIT_CMD:	smtp_quit_handler(&user_msg, &log_msg);	/*FALLTHROUGH */
- 	case EOF_CMD:	return EOF;
-@@ -458,6 +465,8 @@ next_cmd:
-       chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
- 	? CHUNKING_LAST : CHUNKING_ACTIVE;
-       chunking_data_left = chunking_datasize;
-+      DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
-+				    (int)chunking_state, chunking_data_left);
- 
-       if (chunking_datasize == 0)
- 	if (chunking_state == CHUNKING_LAST)
-@@ -471,6 +480,9 @@ next_cmd:
- 
-       receive_getc = bdat_getc;
-       receive_ungetc = bdat_ungetc;
-+#ifndef DISABLE_DKIM
-+      dkim_collect_input = TRUE;
-+#endif
-       break;	/* to top of main loop */
-       }
-     }
-@@ -480,15 +492,18 @@ next_cmd:
- static void
- bdat_flush_data(void)
- {
--while (chunking_data_left-- > 0)
--  if (lwr_receive_getc() < 0)
-+while (chunking_data_left > 0)
-+  if (lwr_receive_getc(chunking_data_left--) < 0)
-     break;
- 
- receive_getc = lwr_receive_getc;
- receive_ungetc = lwr_receive_ungetc;
- 
- if (chunking_state != CHUNKING_LAST)
-+  {
-   chunking_state = CHUNKING_OFFERED;
-+  DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
-+  }
- }
- 
- 
-@@ -1126,13 +1141,14 @@ signal handler that closes down the session on a timeout. Control does not
- return when it runs.
- 
- Arguments:
--  check_sync   if TRUE, check synchronization rules if global option is TRUE
-+  check_sync	if TRUE, check synchronization rules if global option is TRUE
-+  buffer_lim	maximum to buffer in lower layer
- 
- Returns:       a code identifying the command (enumerated above)
- */
- 
- static int
--smtp_read_command(BOOL check_sync)
-+smtp_read_command(BOOL check_sync, unsigned buffer_lim)
- {
- int c;
- int ptr = 0;
-@@ -1141,9 +1157,9 @@ BOOL hadnull = FALSE;
- 
- os_non_restarting_signal(SIGALRM, command_timeout_handler);
- 
--while ((c = (receive_getc)()) != '\n' && c != EOF)
-+while ((c = (receive_getc)(buffer_lim)) != '\n' && c != EOF)
-   {
--  if (ptr >= smtp_cmd_buffer_size)
-+  if (ptr >= SMTP_CMD_BUFFER_SIZE)
-     {
-     os_non_restarting_signal(SIGALRM, sigalrm_handler);
-     return OTHER_CMD;
-@@ -1301,7 +1317,7 @@ tzero.tv_usec = 0;
- rc = select(fd + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL, &tzero);
- 
- if (rc <= 0) return TRUE;     /* Not ready to read */
--rc = smtp_getc();
-+rc = smtp_getc(GETC_BUFFER_UNLIMITED);
- if (rc < 0) return TRUE;      /* End of file or error */
- 
- smtp_ungetc(rc);
-@@ -1337,7 +1353,7 @@ if (smtp_in == NULL || smtp_batched_input) return;
- receive_swallow_smtp();
- smtp_printf("421 %s\r\n", message);
- 
--for (;;) switch(smtp_read_command(FALSE))
-+for (;;) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
-   {
-   case EOF_CMD:
-   return;
-@@ -1781,7 +1797,7 @@ while (done <= 0)
-   uschar *recipient = NULL;
-   int start, end, sender_domain, recipient_domain;
- 
--  switch(smtp_read_command(FALSE))
-+  switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
-     {
-     /* The HELO/EHLO commands set sender_address_helo if they have
-     valid data; otherwise they are ignored, except that they do
-@@ -2040,12 +2056,12 @@ acl_var_c = NULL;
- 
- /* Allow for trailing 0 in the command and data buffers. */
- 
--if (!(smtp_cmd_buffer = US malloc(2*smtp_cmd_buffer_size + 2)))
-+if (!(smtp_cmd_buffer = US malloc(2*SMTP_CMD_BUFFER_SIZE + 2)))
-   log_write(0, LOG_MAIN|LOG_PANIC_DIE,
-     "malloc() failed for SMTP command buffer");
- 
- smtp_cmd_buffer[0] = 0;
--smtp_data_buffer = smtp_cmd_buffer + smtp_cmd_buffer_size + 1;
-+smtp_data_buffer = smtp_cmd_buffer + SMTP_CMD_BUFFER_SIZE + 1;
- 
- /* For batched input, the protocol setting can be overridden from the
- command line by a trusted caller. */
-@@ -2065,7 +2081,7 @@ else
- /* Set up the buffer for inputting using direct read() calls, and arrange to
- call the local functions instead of the standard C ones. */
- 
--if (!(smtp_inbuffer = (uschar *)malloc(in_buffer_size)))
-+if (!(smtp_inbuffer = (uschar *)malloc(IN_BUFFER_SIZE)))
-   log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
- 
- receive_getc = smtp_getc;
-@@ -3550,7 +3566,7 @@ while (done <= 0)
- 	    US &off, sizeof(off));
- #endif
- 
--  switch(smtp_read_command(TRUE))
-+  switch(smtp_read_command(TRUE, GETC_BUFFER_UNLIMITED))
-     {
-     /* The AUTH command is not permitted to occur inside a transaction, and may
-     occur successfully only once per connection. Actually, that isn't quite
-@@ -4750,14 +4766,14 @@ while (done <= 0)
-       chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
- 	? CHUNKING_LAST : CHUNKING_ACTIVE;
-       chunking_data_left = chunking_datasize;
-+      DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
-+				    (int)chunking_state, chunking_data_left);
- 
-       lwr_receive_getc = receive_getc;
-       lwr_receive_ungetc = receive_ungetc;
-       receive_getc = bdat_getc;
-       receive_ungetc = bdat_ungetc;
- 
--      DEBUG(D_any)
--        debug_printf("chunking state %d\n", (int)chunking_state);
-       goto DATA_BDAT;
-       }
- 
-@@ -4973,7 +4989,7 @@ while (done <= 0)
-     It seems safest to just wipe away the content rather than leave it as a
-     target to jump to. */
- 
--    memset(smtp_inbuffer, 0, in_buffer_size);
-+    memset(smtp_inbuffer, 0, IN_BUFFER_SIZE);
- 
-     /* Attempt to start up a TLS session, and if successful, discard all
-     knowledge that was obtained previously. At least, that's what the RFC says,
-@@ -5027,7 +5043,7 @@ while (done <= 0)
-     set, but we must still reject all incoming commands. */
- 
-     DEBUG(D_tls) debug_printf("TLS failed to start\n");
--    while (done <= 0) switch(smtp_read_command(FALSE))
-+    while (done <= 0) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
-       {
-       case EOF_CMD:
- 	log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
-@@ -5315,8 +5331,8 @@ while (done <= 0)
- 
-     case BADSYN_CMD:
-     SYNC_FAILURE:
--    if (smtp_inend >= smtp_inbuffer + in_buffer_size)
--      smtp_inend = smtp_inbuffer + in_buffer_size - 1;
-+    if (smtp_inend >= smtp_inbuffer + IN_BUFFER_SIZE)
-+      smtp_inend = smtp_inbuffer + IN_BUFFER_SIZE - 1;
-     c = smtp_inend - smtp_inptr;
-     if (c > 150) c = 150;
-     smtp_inptr[c] = 0;
-diff --git a/src/tls-gnu.c b/src/tls-gnu.c
-index 10bfaca..181dde4 100644
---- a/src/tls-gnu.c
-+++ b/src/tls-gnu.c
-@@ -2158,12 +2158,12 @@ Only used by the server-side TLS.
- 
- This feeds DKIM and should be used for all message-body reads.
- 
--Arguments:  none
-+Arguments:  lim		Maximum amount to read/bufffer
- Returns:    the next character or EOF
- */
- 
- int
--tls_getc(void)
-+tls_getc(unsigned lim)
- {
- exim_gnutls_state_st *state = &state_server;
- if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
-@@ -2175,7 +2175,7 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
- 
-   if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
-   inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
--    ssl_xfer_buffer_size);
-+    MIN(ssl_xfer_buffer_size, lim));
-   alarm(0);
- 
-   /* Timeouts do not get this far; see command_timeout_handler().
-@@ -2213,7 +2213,7 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
-     state->tlsp->peercert = NULL;
-     state->tlsp->peerdn = NULL;
- 
--    return smtp_getc();
-+    return smtp_getc(lim);
-     }
- 
-   /* Handle genuine errors */
-diff --git a/src/tls-openssl.c b/src/tls-openssl.c
-index d9426ac..0ac7d03 100644
---- a/src/tls-openssl.c
-+++ b/src/tls-openssl.c
-@@ -2360,14 +2360,14 @@ return OK;
- /* This gets the next byte from the TLS input buffer. If the buffer is empty,
- it refills the buffer via the SSL reading function.
- 
--Arguments:  none
-+Arguments:  lim		Maximum amount to read/buffer
- Returns:    the next character or EOF
- 
- Only used by the server-side TLS.
- */
- 
- int
--tls_getc(void)
-+tls_getc(unsigned lim)
- {
- if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
-   {
-@@ -2378,7 +2378,8 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
-     ssl_xfer_buffer, ssl_xfer_buffer_size);
- 
-   if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
--  inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
-+  inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
-+		    MIN(ssl_xfer_buffer_size, lim));
-   error = SSL_get_error(server_ssl, inbytes);
-   alarm(0);
- 
-@@ -2405,7 +2406,7 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
-     tls_in.peerdn = NULL;
-     tls_in.sni = NULL;
- 
--    return smtp_getc();
-+    return smtp_getc(lim);
-     }
- 
-   /* Handle genuine errors */

exim-4.88-allow-filter.patch

@@ -1,13 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index 1e3c63f..0e7854c 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -724,7 +724,7 @@ userforward:
- # local_part_suffix = +* : -*
- # local_part_suffix_optional
-   file = $home/.forward
--# allow_filter
-+  allow_filter
-   no_verify
-   no_expn
-   check_ancestor

exim-4.88-config.patch

@@ -1,298 +0,0 @@
-diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile
-index 3e486a6..6c4afec 100755
---- a/scripts/Configure-Makefile
-+++ b/scripts/Configure-Makefile
-@@ -269,7 +269,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
- 
-   mv $mft $mftt
-   echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
--  echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft
-+  echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft
-   echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft
-   echo "" >>$mft
-   cat $mftt >> $mft
-diff --git a/src/src/EDITME b/src/src/EDITME
-index 6929346..5a08197 100644
---- a/src/EDITME
-+++ b/src/EDITME
-@@ -98,7 +98,7 @@
- # /usr/local/sbin. The installation script will try to create this directory,
- # and any superior directories, if they do not exist.
- 
--BIN_DIRECTORY=/usr/exim/bin
-+BIN_DIRECTORY=/usr/sbin
- 
- 
- #------------------------------------------------------------------------------
-@@ -114,7 +114,7 @@ BIN_DIRECTORY=/usr/exim/bin
- # don't exist. It will also install a default runtime configuration if this
- # file does not exist.
- 
--CONFIGURE_FILE=/usr/exim/configure
-+CONFIGURE_FILE=/etc/exim/exim.conf
- 
- # It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
- # In this case, Exim will use the first of them that exists when it is run.
-@@ -131,7 +131,7 @@ CONFIGURE_FILE=/usr/exim/configure
- # deliveries. (Local deliveries run as various non-root users, typically as the
- # owner of a local mailbox.) Specifying these values as root is not supported.
- 
--EXIM_USER=
-+EXIM_USER=93
- 
- # If you specify EXIM_USER as a name, this is looked up at build time, and the
- # uid number is built into the binary. However, you can specify that this
-@@ -152,7 +152,7 @@ EXIM_USER=
- # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
- # you want to use a group other than the default group for the given user.
- 
--# EXIM_GROUP=
-+EXIM_GROUP=93
- 
- # Many sites define a user called "exim", with an appropriate default group,
- # and use
-@@ -232,7 +232,7 @@ TRANSPORT_SMTP=yes
- # This one is special-purpose, and commonly not required, so it is not
- # included by default.
- 
--# TRANSPORT_LMTP=yes
-+TRANSPORT_LMTP=yes
- 
- 
- #------------------------------------------------------------------------------
-@@ -241,9 +241,9 @@ TRANSPORT_SMTP=yes
- # MBX, is included only when requested. If you do not know what this is about,
- # leave these settings commented out.
- 
--# SUPPORT_MAILDIR=yes
--# SUPPORT_MAILSTORE=yes
--# SUPPORT_MBX=yes
-+SUPPORT_MAILDIR=yes
-+SUPPORT_MAILSTORE=yes
-+SUPPORT_MBX=yes
- 
- 
- #------------------------------------------------------------------------------
-@@ -301,19 +301,21 @@ LOOKUP_DBM=yes
- LOOKUP_LSEARCH=yes
- LOOKUP_DNSDB=yes
- 
--# LOOKUP_CDB=yes
--# LOOKUP_DSEARCH=yes
-+LOOKUP_CDB=yes
-+LOOKUP_DSEARCH=yes
- # LOOKUP_IBASE=yes
--# LOOKUP_LDAP=yes
--# LOOKUP_MYSQL=yes
--# LOOKUP_NIS=yes
--# LOOKUP_NISPLUS=yes
-+LOOKUP_LDAP=yes
-+LDAP_LIB_TYPE=OPENLDAP2
-+LOOKUP_INCLUDE=-I/usr/include/mysql
-+LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq
-+LOOKUP_MYSQL=yes
-+LOOKUP_NIS=yes
-+LOOKUP_NISPLUS=yes
- # LOOKUP_ORACLE=yes
--# LOOKUP_PASSWD=yes
--# LOOKUP_PGSQL=yes
-+LOOKUP_PASSWD=yes
-+LOOKUP_PGSQL=yes
- # LOOKUP_REDIS=yes
--# LOOKUP_SQLITE=yes
--# LOOKUP_SQLITE_PC=sqlite3
-+LOOKUP_SQLITE=yes
- # LOOKUP_WHOSON=yes
- 
- # These two settings are obsolete; all three lookups are compiled when
-@@ -390,7 +392,7 @@ EXIM_MONITOR=eximon.bin
- # and the MIME ACL. Please read the documentation to learn more about these
- # features.
- 
--# WITH_CONTENT_SCAN=yes
-+WITH_CONTENT_SCAN=yes
- 
- #------------------------------------------------------------------------------
- # If you're using ClamAV and are backporting fixes to an old version, instead
-@@ -577,7 +579,7 @@ FIXED_NEVER_USERS=root
- # CONFIGURE_OWNER setting, to specify a configuration file which is listed in
- # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
- 
--# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs
-+TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs
- 
- 
- #------------------------------------------------------------------------------
-@@ -622,16 +624,14 @@ FIXED_NEVER_USERS=root
- # included in the Exim binary. You will then need to set up the run time
- # configuration to make use of the mechanism(s) selected.
- 
--# AUTH_CRAM_MD5=yes
--# AUTH_CYRUS_SASL=yes
--# AUTH_DOVECOT=yes
--# AUTH_GSASL=yes
--# AUTH_GSASL_PC=libgsasl
--# AUTH_HEIMDAL_GSSAPI=yes
--# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
--# AUTH_PLAINTEXT=yes
--# AUTH_SPA=yes
--# AUTH_TLS=yes
-+AUTH_CRAM_MD5=yes
-+AUTH_CYRUS_SASL=yes
-+AUTH_DOVECOT=yes
-+AUTH_GSASL=yes
-+AUTH_GSASL_PC=libgsasl
-+AUTH_PLAINTEXT=yes
-+AUTH_SPA=yes
-+AUTH_TLS=yes
- 
- 
- #------------------------------------------------------------------------------
-@@ -652,7 +652,7 @@ FIXED_NEVER_USERS=root
- # one that is set in the headers_charset option. The default setting is
- # defined by this setting:
- 
--HEADERS_CHARSET="ISO-8859-1"
-+HEADERS_CHARSET="UTF-8"
- 
- # If you are going to make use of $header_xxx expansions in your configuration
- # file, or if your users are going to use them in filter files, and the normal
-@@ -672,7 +672,7 @@ HEADERS_CHARSET="ISO-8859-1"
- # the Sieve filter support. For those OS where iconv() is known to be installed
- # as standard, the file in OS/Makefile-xxxx contains
- #
--# HAVE_ICONV=yes
-+HAVE_ICONV=yes
- #
- # If you are not using one of those systems, but have installed iconv(), you
- # need to uncomment that line above. In some cases, you may find that iconv()
-@@ -734,11 +734,11 @@ HEADERS_CHARSET="ISO-8859-1"
- # leave these settings commented out.
- 
- # This setting is required for any TLS support (either OpenSSL or GnuTLS)
--# SUPPORT_TLS=yes
-+SUPPORT_TLS=yes
- 
- # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
--# USE_OPENSSL_PC=openssl
--# TLS_LIBS=-lssl -lcrypto
-+TLS_INCLUDE=-I/usr/kerberos/include
-+TLS_LIBS=-lssl -lcrypto
- 
- # Uncomment the first and either the second or the third of these if you
- # are using GnuTLS.  If you have pkg-config, then the second, else the third.
-@@ -807,7 +807,7 @@ HEADERS_CHARSET="ISO-8859-1"
- # Once you have done this, "make install" will build the info files and
- # install them in the directory you have defined.
- 
--# INFO_DIRECTORY=/usr/share/info
-+INFO_DIRECTORY=/usr/share/info
- 
- 
- #------------------------------------------------------------------------------
-@@ -820,7 +820,7 @@ HEADERS_CHARSET="ISO-8859-1"
- # %s. This will be replaced by one of the strings "main", "panic", or "reject"
- # to form the final file names. Some installations may want something like this:
- 
--# LOG_FILE_PATH=/var/log/exim_%slog
-+LOG_FILE_PATH=/var/log/exim/%s.log
- 
- # which results in files with names /var/log/exim_mainlog, etc. The directory
- # in which the log files are placed must exist; Exim does not try to create
-@@ -892,7 +892,7 @@ ZCAT_COMMAND=/usr/bin/zcat
- # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
- # Perl costs quite a lot of resources. Only do this if you really need it.
- 
--# EXIM_PERL=perl.o
-+EXIM_PERL=perl.o
- 
- 
- #------------------------------------------------------------------------------
-@@ -902,7 +902,7 @@ ZCAT_COMMAND=/usr/bin/zcat
- # that the local_scan API is made available by the linker. You may also need
- # to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
- 
--# EXPAND_DLFUNC=yes
-+EXPAND_DLFUNC=yes
- 
- 
- #------------------------------------------------------------------------------
-@@ -912,7 +912,7 @@ ZCAT_COMMAND=/usr/bin/zcat
- # support, which is intended for use in conjunction with the SMTP AUTH
- # facilities, is included only when requested by the following setting:
- 
--# SUPPORT_PAM=yes
-+SUPPORT_PAM=yes
- 
- # You probably need to add -lpam to EXTRALIBS, and in some releases of
- # GNU/Linux -ldl is also needed.
-@@ -1006,7 +1006,7 @@ ZCAT_COMMAND=/usr/bin/zcat
- # group. Once you have installed saslauthd, you should arrange for it to be
- # started by root at boot time.
- 
--# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
-+CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
- 
- 
- #------------------------------------------------------------------------------
-@@ -1019,9 +1019,9 @@ ZCAT_COMMAND=/usr/bin/zcat
- # You may well also have to specify a local "include" file and an additional
- # library for TCP wrappers, so you probably need something like this:
- #
--# USE_TCP_WRAPPERS=yes
--# CFLAGS=-O -I/usr/local/include
--# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
-+USE_TCP_WRAPPERS=yes
-+CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)
-+EXTRALIBS_EXIM=-lwrap -lpam -ldl -export-dynamic -rdynamic
- #
- # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
- # as well.
-@@ -1073,7 +1073,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
- # is "yes", as well as supporting line editing, a history of input lines in the
- # current run is maintained.
- 
--# USE_READLINE=yes
-+USE_READLINE=yes
- 
- # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
- # Note that this option adds to the size of the Exim binary, because the
-@@ -1083,7 +1083,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
- #------------------------------------------------------------------------------
- # Uncomment this setting to include IPv6 support.
- 
--# HAVE_IPV6=yes
-+HAVE_IPV6=yes
- 
- ###############################################################################
- #              THINGS YOU ALMOST NEVER NEED TO MENTION                        #
-@@ -1104,13 +1104,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
- # haven't got Perl, Exim will still build and run; you just won't be able to
- # use those utilities.
- 
--# CHOWN_COMMAND=/usr/bin/chown
--# CHGRP_COMMAND=/usr/bin/chgrp
--# CHMOD_COMMAND=/usr/bin/chmod
--# MV_COMMAND=/bin/mv
--# RM_COMMAND=/bin/rm
--# TOUCH_COMMAND=/usr/bin/touch
--# PERL_COMMAND=/usr/bin/perl
-+CHOWN_COMMAND=/usr/bin/chown
-+CHGRP_COMMAND=/usr/bin/chgrp
-+CHMOD_COMMAND=/usr/bin/chmod
-+MV_COMMAND=/usr/bin/mv
-+RM_COMMAND=/usr/bin/rm
-+TOUCH_COMMAND=/usr/bin/touch
-+PERL_COMMAND=/usr/bin/perl
- 
- 
- #------------------------------------------------------------------------------
-@@ -1312,7 +1312,7 @@ EXIM_TMPDIR="/tmp"
- # (process id) to a file so that it can easily be identified. The path of the
- # file can be specified here. Some installations may want something like this:
- 
--# PID_FILE_PATH=/var/lock/exim.pid
-+PID_FILE_PATH=/var/run/exim.pid
- 
- # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
- # using the name "exim-daemon.pid".

exim-4.88-cyrus.patch

@@ -1,21 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index 8b6162b..d588898 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -765,6 +765,16 @@ address_reply:
-   driver = autoreply
- 
- 
-+# This transport is used to deliver local mail to cyrus IMAP server via UNIX
-+# socket. You'll need to configure the 'localuser' router above to use it.
-+#
-+#lmtp_delivery:
-+#  home_directory = /var/spool/imap
-+#  driver = lmtp
-+#  command = "/usr/lib/cyrus-imapd/deliver -l"
-+#  batch_max = 20
-+#  user = cyrus
-+
- 
- ######################################################################
- #                      RETRY CONFIGURATION                           #

exim-4.88-greylist-conf.patch

@@ -1,118 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index 921c53b..a92c954 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -107,6 +107,7 @@ hostlist   relay_from_hosts = localhost
- # manual for details. The lists above are used in the access control lists for
- # checking incoming messages. The names of these ACLs are defined here:
- 
-+acl_smtp_mail = acl_check_mail
- acl_smtp_rcpt = acl_check_rcpt
- acl_smtp_data = acl_check_data
- acl_smtp_mime = acl_check_mime
-@@ -368,6 +369,29 @@ timeout_frozen_after = 7d
- 
- begin acl
- 
-+
-+# This access control list is used for the MAIL command in an incoming
-+# SMTP message.
-+
-+acl_check_mail:
-+
-+  # Hosts are required to say HELO (or EHLO) before sending mail.
-+  # So don't allow them to use the MAIL command if they haven't
-+  # done so.
-+
-+  deny condition = ${if eq{$sender_helo_name}{} {1}}
-+       message = Nice boys say HELO first
-+
-+  # Use the lack of reverse DNS to trigger greylisting. Some people
-+  # even reject for it but that would be a little excessive.
-+
-+  warn condition = ${if eq{$sender_host_name}{} {1}}
-+       set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
-+
-+  accept
-+
-+
-+
- # This access control list is used for every RCPT command in an incoming
- # SMTP message. The tests are run in order until the address is either
- # accepted or denied.
-@@ -493,7 +517,8 @@ acl_check_rcpt:
-   # There are no default checks on DNS black lists because the domains that
-   # contain these lists are changing all the time. However, here are two
-   # examples of how you can get Exim to perform a DNS black list lookup at this
--  # point. The first one denies, whereas the second just warns.
-+  # point. The first one denies, whereas the second just warns. The third
-+  # triggers greylisting for any host in the blacklist.
-   #
-   # deny    message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
-   #         dnslists      = black.list.example
-@@ -501,6 +526,10 @@ acl_check_rcpt:
-   # warn    dnslists      = black.list.example
-   #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
-   #         log_message   = found in $dnslist_domain
-+  #
-+  # warn    dnslists      = black.list.example
-+  #         set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
-+  #
-   #############################################################################
- 
-   #############################################################################
-@@ -514,6 +543,10 @@ acl_check_rcpt:
-   # require verify = csa
-   #############################################################################
- 
-+  # Alternatively, greylist for it:
-+  # warn !verify = csa
-+  #      set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
-+
-   # At this point, the address has passed all the checks that have been
-   # configured, so we accept it unconditionally.
- 
-@@ -546,6 +579,12 @@ acl_check_data:
-   # deny    condition  = ${if !def:h_Message-ID: {1}}
-   #         message    = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
-   #                      Most messages without it are spam, so your mail has been rejected.
-+  #
-+  # Alternatively if we're feeling more lenient we could just use it to
-+  # trigger greylisting instead:
-+
-+  warn    condition  = ${if !def:h_Message-ID: {1}}
-+          set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
- 
-   # Deny if the message contains a virus. Before enabling this check, you
-   # must install a virus scanner and set the av_scanner option above.
-@@ -580,8 +619,30 @@ acl_check_data:
-   #         message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
-   #  	    	        $spam_report
- 
-+  # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
-+  #
-+  # warn    condition = ${if >{$spam_score_int}{5} {1}}
-+  #         set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
-+
-+
-+  # If you want to greylist _all_ mail rather than only mail which looks like there
-+  # might be something wrong with it, then you can do this...
-+  #
-+  # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
-+
-+  # Now, invoke the greylisting. For this you need to have installed the exim-greylist
-+  # package which contains this subroutine, and you need to uncomment the bit below
-+  # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
-+  # greylisting will kick in and will defer the mail to check if the sender is a
-+  # proper mail which which retries, or whether it's a zombie. For more details, see
-+  # the exim-greylist.conf.inc file itself.
-+  #
-+  # require acl = greylist_mail
-+
-   accept
- 
-+# To enable the greylisting, also uncomment this line:
-+# .include /etc/exim/exim-greylist.conf.inc
- 
- acl_check_mime:
- 

exim-4.88-pamconfig.patch

@@ -1,78 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index d588898..61bdae8 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -142,7 +142,7 @@ acl_smtp_data = acl_check_data
- 
- # Allow any client to use TLS.
- 
--# tls_advertise_hosts = *
-+tls_advertise_hosts = *
- 
- # Specify the location of the Exim server's TLS certificate and private key.
- # The private key must not be encrypted (password protected). You can put
-@@ -150,8 +150,8 @@ acl_smtp_data = acl_check_data
- # need the first setting, or in separate files, in which case you need both
- # options.
- 
--# tls_certificate = /etc/ssl/exim.crt
--# tls_privatekey = /etc/ssl/exim.pem
-+tls_certificate = /etc/pki/tls/certs/exim.pem
-+tls_privatekey = /etc/pki/tls/private/exim.pem
- 
- # In order to support roaming users who wish to send email from anywhere,
- # you may want to make Exim listen on other ports as well as port 25, in
-@@ -162,8 +162,8 @@ acl_smtp_data = acl_check_data
- # them you should also allow TLS-on-connect on the traditional but
- # non-standard port 465.
- 
--# daemon_smtp_ports = 25 : 465 : 587
--# tls_on_connect_ports = 465
-+daemon_smtp_ports = 25 : 465 : 587
-+tls_on_connect_ports = 465
- 
- 
- # Specify the domain you want to be added to all unqualified addresses
-@@ -221,6 +221,24 @@ never_users = root
- 
- host_lookup = *
- 
-+# This setting, if uncommented, allows users to authenticate using
-+# their system passwords against saslauthd if they connect over a
-+# secure connection. If you have network logins such as NIS or
-+# Kerberos rather than only local users, then you possibly also want
-+# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
-+# too. Once a user is authenticated, the acl_check_rcpt ACL then
-+# allows them to relay through the system.
-+#
-+# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
-+#
-+# By default, we set this option to allow SMTP AUTH from nowhere
-+# (Exim's default would be to allow it from anywhere, even on an
-+# unencrypted connection).
-+#
-+# Comment this one out if you uncomment the above. Did you make sure
-+# saslauthd is actually running first?
-+#
-+auth_advertise_hosts =
- 
- # The settings below cause Exim to make RFC 1413 (ident) callbacks
- # for all incoming SMTP calls. You can limit the hosts to which these
-@@ -844,7 +862,7 @@ begin authenticators
- #  driver                     = plaintext
- #  server_set_id              = $auth2
- #  server_prompts             = :
--#  server_condition           = Authentication is not yet configured
-+#  server_condition           = ${if saslauthd{{$2}{$3}{smtp}} {1}}
- #  server_advertise_condition = ${if def:tls_in_cipher }
- 
- # LOGIN authentication has traditional prompts and responses. There is no
-@@ -856,7 +874,7 @@ begin authenticators
- #  driver                     = plaintext
- #  server_set_id              = $auth1
- #  server_prompts             = <| Username: | Password:
--#  server_condition           = Authentication is not yet configured
-+#  server_condition           = ${if saslauthd{{$1}{$2}{smtp}} {1}}
- #  server_advertise_condition = ${if def:tls_in_cipher }
- 
- 

exim-4.88-procmail.patch

@@ -1,34 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index ecc3d6e..1e3c63f 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -732,6 +732,12 @@ userforward:
-   pipe_transport = address_pipe
-   reply_transport = address_reply
- 
-+procmail:
-+  driver = accept
-+  check_local_user
-+  require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
-+  transport = procmail
-+  no_verify
- 
- # This router matches local user mailboxes. If the router fails, the error
- # message is "Unknown user".
-@@ -773,6 +779,16 @@ remote_smtp:
-   driver = smtp
-   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
- 
-+# This transport invokes procmail to deliver mail
-+procmail:
-+  driver = pipe
-+  command = "/usr/bin/procmail -d $local_part"
-+  return_path_add
-+  delivery_date_add
-+  envelope_to_add
-+  user = $local_part
-+  initgroups
-+  return_output
- 
- # This transport is used for local delivery to user mailboxes in traditional
- # BSD mailbox format. By default it will be run under the uid and gid of the

exim-4.88-rhl.patch

@@ -1,24 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index 985f1d0..8b6162b 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -630,7 +630,7 @@ system_aliases:
-   driver = redirect
-   allow_fail
-   allow_defer
--  data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
-+  data = ${lookup{$local_part}lsearch{/etc/aliases}}
- # user = exim
-   file_transport = address_file
-   pipe_transport = address_pipe
-@@ -731,8 +731,8 @@ local_delivery:
-   delivery_date_add
-   envelope_to_add
-   return_path_add
--# group = mail
--# mode = 0660
-+  group = mail
-+  mode = 0660
- 
- 
- # This transport is used for handling pipe deliveries generated by alias or

exim-4.88-smarthost-config.patch

@@ -1,51 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index a92c954..13599ae 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -840,6 +840,15 @@ remote_smtp:
-   driver = smtp
-   message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
- 
-+# This transport is used for delivering messages over SMTP using the
-+# "message submission" port (RFC4409).
-+
-+remote_msa:
-+  driver = smtp
-+  port = 587
-+  hosts_require_auth = *
-+
-+
- # This transport invokes procmail to deliver mail
- procmail:
-   driver = pipe
-@@ -948,6 +957,21 @@ begin rewrite
- #                   AUTHENTICATION CONFIGURATION                     #
- ######################################################################
- 
-+begin authenticators
-+
-+# This authenticator supports CRAM-MD5 username/password authentication
-+# with Exim acting as a _client_, as it might when sending its outgoing
-+# mail to a smarthost rather than directly to the final recipient.
-+# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
-+
-+#client_auth:
-+#  driver = cram_md5
-+#  public_name = CRAM-MD5
-+#  client_name = SMTPAUTH_USERNAME
-+#  client_secret = SMTPAUTH_PASSWORD
-+
-+#
-+
- # The following authenticators support plaintext username/password
- # authentication using the standard PLAIN mechanism and the traditional
- # but non-standard LOGIN mechanism, with Exim acting as the server.
-@@ -963,7 +987,7 @@ begin rewrite
- # The default RCPT ACL checks for successful authentication, and will accept
- # messages from authenticated users from anywhere on the Internet.
- 
--begin authenticators
-+#
- 
- # PLAIN authentication has no server prompts. The client sends its
- # credentials in one lump, containing an authorization ID (which we do not

exim-4.94-libdir.patch

@@ -1,8 +1,8 @@
 diff --git a/OS/Makefile-Linux b/OS/Makefile-Linux
-index 990f884..d1ef114 100644
+index dfb2fa8..58c30f7 100644
 --- a/OS/Makefile-Linux
 +++ b/OS/Makefile-Linux
-@@ -24,8 +24,8 @@ LIBRESOLV = -lresolv
+@@ -27,8 +27,8 @@ LIBRESOLV = -lresolv
  
  X11=/usr/X11R6
  XINCLUDE=-I$(X11)/include

exim-4.96-build-fix.patch

@@ -0,0 +1,13 @@
+diff --git a/src/drtables.c b/src/drtables.c
+index 513ef6c..3fa5c92 100644
+--- a/src/drtables.c
++++ b/src/drtables.c
+@@ -736,7 +736,7 @@ else
+     {
+     char * name = ent->d_name;
+     int len = (int)strlen(name);
+-    if (regex_match(regex_islookupmod, US name, len, NUL))
++    if (regex_match(regex_islookupmod, US name, len, NULL))
+       {
+       int pathnamelen = len + (int)strlen(LOOKUP_MODULE_DIR) + 2;
+       void *dl;

exim-4.96-config.patch

@@ -0,0 +1,815 @@
+diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile
+index ed77b6a..b9eb64d 100755
+--- a/scripts/Configure-Makefile
++++ b/scripts/Configure-Makefile
+@@ -317,7 +317,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
+ 
+   mv $mft $mftt
+   echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
+-  echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft
++  echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft
+   echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft
+   echo "" >>$mft
+   cat $mftt >> $mft
+diff --git a/src/EDITME b/src/EDITME
+index 53022e5..cf0b33e 100644
+--- a/src/EDITME
++++ b/src/EDITME
+@@ -99,7 +99,7 @@
+ # /usr/local/sbin. The installation script will try to create this directory,
+ # and any superior directories, if they do not exist.
+ 
+-BIN_DIRECTORY=/usr/exim/bin
++BIN_DIRECTORY=/usr/sbin
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -115,7 +115,7 @@ BIN_DIRECTORY=/usr/exim/bin
+ # don't exist. It will also install a default runtime configuration if this
+ # file does not exist.
+ 
+-CONFIGURE_FILE=/usr/exim/configure
++CONFIGURE_FILE=/etc/exim/exim.conf
+ 
+ # It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
+ # In this case, Exim will use the first of them that exists when it is run.
+@@ -132,7 +132,7 @@ CONFIGURE_FILE=/usr/exim/configure
+ # deliveries. (Local deliveries run as various non-root users, typically as the
+ # owner of a local mailbox.) Specifying these values as root is not supported.
+ 
+-EXIM_USER=
++EXIM_USER=93
+ 
+ # If you specify EXIM_USER as a name, this is looked up at build time, and the
+ # uid number is built into the binary. However, you can specify that this
+@@ -153,7 +153,7 @@ EXIM_USER=
+ # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
+ # you want to use a group other than the default group for the given user.
+ 
+-# EXIM_GROUP=
++EXIM_GROUP=93
+ 
+ # Many sites define a user called "exim", with an appropriate default group,
+ # and use
+@@ -210,10 +210,10 @@ SPOOL_DIRECTORY=/var/spool/exim
+ # If you are building with TLS, the library configuration must be done:
+ 
+ # Uncomment this if you are using OpenSSL
+-# USE_OPENSSL=yes
++USE_OPENSSL=yes
+ # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
+ # and an optional location.
+-# USE_OPENSSL_PC=openssl
++USE_OPENSSL_PC=openssl
+ # TLS_LIBS=-lssl -lcrypto
+ # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+ 
+@@ -340,7 +340,7 @@ TRANSPORT_SMTP=yes
+ # This one is special-purpose, and commonly not required, so it is not
+ # included by default.
+ 
+-# TRANSPORT_LMTP=yes
++TRANSPORT_LMTP=yes
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -349,9 +349,9 @@ TRANSPORT_SMTP=yes
+ # MBX, is included only when requested. If you do not know what this is about,
+ # leave these settings commented out.
+ 
+-# SUPPORT_MAILDIR=yes
+-# SUPPORT_MAILSTORE=yes
+-# SUPPORT_MBX=yes
++SUPPORT_MAILDIR=yes
++SUPPORT_MAILSTORE=yes
++SUPPORT_MBX=yes
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -409,22 +409,28 @@ LOOKUP_DBM=yes
+ LOOKUP_LSEARCH=yes
+ LOOKUP_DNSDB=yes
+ 
+-# LOOKUP_CDB=yes
+-# LOOKUP_DSEARCH=yes
++LOOKUP_CDB=yes
++LOOKUP_DSEARCH=yes
+ # LOOKUP_IBASE=yes
+ # LOOKUP_JSON=yes
+-# LOOKUP_LDAP=yes
++LOOKUP_LDAP=yes
++LDAP_LIB_TYPE=OPENLDAP2
++LOOKUP_LIBS=-lldap -llber -lsqlite3
+ # LOOKUP_LMDB=yes
+ 
+-# LOOKUP_MYSQL=yes
+-# LOOKUP_MYSQL_PC=mariadb
+-# LOOKUP_NIS=yes
++LOOKUP_MYSQL=2
++LOOKUP_MYSQL_PC=mariadb
++LOOKUP_NIS=yes
+ # LOOKUP_NISPLUS=yes
++CFLAGS+=-I/usr/include/nsl -I/usr/include/tirpc
++LIBS+=-L/usr/$(_lib)/nsl
++
+ # LOOKUP_ORACLE=yes
+-# LOOKUP_PASSWD=yes
+-# LOOKUP_PGSQL=yes
++LOOKUP_PASSWD=yes
++LOOKUP_PGSQL=2
++LOOKUP_PGSQL_LIBS=-lpq
+ # LOOKUP_REDIS=yes
+-# LOOKUP_SQLITE=yes
++LOOKUP_SQLITE=yes
+ # LOOKUP_SQLITE_PC=sqlite3
+ # LOOKUP_WHOSON=yes
+ 
+@@ -437,7 +443,7 @@ LOOKUP_DNSDB=yes
+ 
+ 
+ # Some platforms may need this for LOOKUP_NIS:
+-# LIBS += -lnsl
++LIBS += -lnsl
+ 
+ #------------------------------------------------------------------------------
+ # If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate
+@@ -511,7 +517,7 @@ SUPPORT_DANE=yes
+ # files are defaulted in the OS/Makefile-Default file, but can be overridden in
+ # local OS-specific make files.
+ 
+-# EXIM_MONITOR=eximon.bin
++EXIM_MONITOR=eximon.bin
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -521,7 +527,7 @@ SUPPORT_DANE=yes
+ # and the MIME ACL. Please read the documentation to learn more about these
+ # features.
+ 
+-# WITH_CONTENT_SCAN=yes
++WITH_CONTENT_SCAN=yes
+ 
+ # If you have content scanning you may wish to only include some of the scanner
+ # interfaces.  Uncomment any of these lines to remove that code.
+@@ -604,12 +610,12 @@ DISABLE_MAL_MKS=yes
+ # using libopendmarc libraries. You must have SPF and DKIM support enabled also.
+ # Library version libopendmarc-1.4.1-1.fc33.x86_64  (on Fedora 33) is known broken;
+ # 1.3.2-3 works.  I seems that the OpenDMARC project broke their API.
+-# SUPPORT_DMARC=yes
++SUPPORT_DMARC=yes
+ # CFLAGS += -I/usr/local/include
+-# LDFLAGS += -lopendmarc
++LDFLAGS += -lopendmarc
+ # Uncomment the following if you need to change the default. You can
+ # override it at runtime (main config option dmarc_tld_file)
+-# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds
++DMARC_TLD_FILE=/usr/share/publicsuffix/public_suffix_list.dat
+ 
+ # Uncomment the following line to add ARC (Authenticated Received Chain)
+ # support.  You must have SPF and DKIM support enabled also.
+@@ -709,7 +715,7 @@ FIXED_NEVER_USERS=root
+ # CONFIGURE_OWNER setting, to specify a configuration file which is listed in
+ # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
+ 
+-# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs
++TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -754,18 +760,18 @@ FIXED_NEVER_USERS=root
+ # included in the Exim binary. You will then need to set up the run time
+ # configuration to make use of the mechanism(s) selected.
+ 
+-# AUTH_CRAM_MD5=yes
+-# AUTH_CYRUS_SASL=yes
+-# AUTH_DOVECOT=yes
++AUTH_CRAM_MD5=yes
++AUTH_CYRUS_SASL=yes
++AUTH_DOVECOT=yes
+ # AUTH_EXTERNAL=yes
+-# AUTH_GSASL=yes
+-# AUTH_GSASL_PC=libgsasl
++AUTH_GSASL=yes
++AUTH_GSASL_PC=libgsasl
+ # AUTH_HEIMDAL_GSSAPI=yes
+ # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
+ # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
+-# AUTH_PLAINTEXT=yes
+-# AUTH_SPA=yes
+-# AUTH_TLS=yes
++AUTH_PLAINTEXT=yes
++AUTH_SPA=yes
++AUTH_TLS=yes
+ 
+ # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
+ # requires multiple pkg-config files to work with Exim, so the second example
+@@ -792,7 +798,7 @@ FIXED_NEVER_USERS=root
+ # one that is set in the headers_charset option. The default setting is
+ # defined by this setting:
+ 
+-HEADERS_CHARSET="ISO-8859-1"
++HEADERS_CHARSET="UTF-8"
+ 
+ # If you are going to make use of $header_xxx expansions in your configuration
+ # file, or if your users are going to use them in filter files, and the normal
+@@ -812,7 +818,7 @@ HEADERS_CHARSET="ISO-8859-1"
+ # the Sieve filter support. For those OS where iconv() is known to be installed
+ # as standard, the file in OS/Makefile-xxxx contains
+ #
+-# HAVE_ICONV=yes
++HAVE_ICONV=yes
+ #
+ # If you are not using one of those systems, but have installed iconv(), you
+ # need to uncomment that line above. In some cases, you may find that iconv()
+@@ -888,7 +894,7 @@ HEADERS_CHARSET="ISO-8859-1"
+ # Once you have done this, "make install" will build the info files and
+ # install them in the directory you have defined.
+ 
+-# INFO_DIRECTORY=/usr/share/info
++INFO_DIRECTORY=/usr/share/info
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -901,7 +907,7 @@ HEADERS_CHARSET="ISO-8859-1"
+ # %s. This will be replaced by one of the strings "main", "panic", or "reject"
+ # to form the final file names. Some installations may want something like this:
+ 
+-# LOG_FILE_PATH=/var/log/exim_%slog
++LOG_FILE_PATH=/var/log/exim/%s.log
+ 
+ # which results in files with names /var/log/exim_mainlog, etc. The directory
+ # in which the log files are placed must exist; Exim does not try to create
+@@ -973,7 +979,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
+ # Perl costs quite a lot of resources. Only do this if you really need it.
+ 
+-# EXIM_PERL=perl.o
++EXIM_PERL=perl.o
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -983,7 +989,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # that the local_scan API is made available by the linker. You may also need
+ # to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
+ 
+-# EXPAND_DLFUNC=yes
++EXPAND_DLFUNC=yes
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -993,7 +999,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # support, which is intended for use in conjunction with the SMTP AUTH
+ # facilities, is included only when requested by the following setting:
+ 
+-# SUPPORT_PAM=yes
++SUPPORT_PAM=yes
+ 
+ # You probably need to add -lpam to EXTRALIBS, and in some releases of
+ # GNU/Linux -ldl is also needed.
+@@ -1005,12 +1011,12 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # If you may want to use outbound (client-side) proxying, using Socks5,
+ # uncomment the line below.
+ 
+-# SUPPORT_SOCKS=yes
++SUPPORT_SOCKS=yes
+ 
+ # If you may want to use inbound (server-side) proxying, using Proxy Protocol,
+ # uncomment the line below.
+ 
+-# SUPPORT_PROXY=yes
++SUPPORT_PROXY=yes
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -1034,9 +1040,9 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # installed on your system (www.libspf2.org). Depending on where it is installed
+ # you may have to edit the CFLAGS and LDFLAGS lines.
+ 
+-# SUPPORT_SPF=yes
++SUPPORT_SPF=yes
+ # CFLAGS  += -I/usr/local/include
+-# LDFLAGS += -lspf2
++LDFLAGS += -lspf2
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -1101,7 +1107,7 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # group. Once you have installed saslauthd, you should arrange for it to be
+ # started by root at boot time.
+ 
+-# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
++CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -1115,8 +1121,8 @@ ZCAT_COMMAND=/usr/bin/zcat
+ # library for TCP wrappers, so you probably need something like this:
+ #
+ # USE_TCP_WRAPPERS=yes
+-# CFLAGS=-O -I/usr/local/include
+-# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
++CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)
++EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic
+ #
+ # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
+ # as well.
+@@ -1168,7 +1174,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+ # is "yes", as well as supporting line editing, a history of input lines in the
+ # current run is maintained.
+ 
+-# USE_READLINE=yes
++USE_READLINE=yes
+ 
+ # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
+ # Note that this option adds to the size of the Exim binary, because the
+@@ -1185,7 +1191,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+ #------------------------------------------------------------------------------
+ # Uncomment this setting to include IPv6 support.
+ 
+-# HAVE_IPV6=yes
++HAVE_IPV6=yes
+ 
+ ###############################################################################
+ #              THINGS YOU ALMOST NEVER NEED TO MENTION                        #
+@@ -1206,13 +1212,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+ # haven't got Perl, Exim will still build and run; you just won't be able to
+ # use those utilities.
+ 
+-# CHOWN_COMMAND=/usr/bin/chown
+-# CHGRP_COMMAND=/usr/bin/chgrp
+-# CHMOD_COMMAND=/usr/bin/chmod
+-# MV_COMMAND=/bin/mv
+-# RM_COMMAND=/bin/rm
+-# TOUCH_COMMAND=/usr/bin/touch
+-# PERL_COMMAND=/usr/bin/perl
++CHOWN_COMMAND=/usr/bin/chown
++CHGRP_COMMAND=/usr/bin/chgrp
++CHMOD_COMMAND=/usr/bin/chmod
++MV_COMMAND=/usr/bin/mv
++RM_COMMAND=/usr/bin/rm
++TOUCH_COMMAND=/usr/bin/touch
++PERL_COMMAND=/usr/bin/perl
+ 
+ 
+ #------------------------------------------------------------------------------
+@@ -1414,7 +1420,7 @@ EXIM_TMPDIR="/tmp"
+ # (process id) to a file so that it can easily be identified. The path of the
+ # file can be specified here. Some installations may want something like this:
+ 
+-# PID_FILE_PATH=/var/lock/exim.pid
++PID_FILE_PATH=/var/run/exim.pid
+ 
+ # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
+ # using the name "exim-daemon.pid".
+diff --git a/src/configure.default b/src/configure.default
+index 3761daf..a5d3718 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -67,7 +67,7 @@
+ # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
+ # are all colon-separated lists:
+ 
+-domainlist local_domains = @
++domainlist local_domains = @ : localhost : localhost.localdomain
+ domainlist relay_to_domains =
+ hostlist   relay_from_hosts = localhost
+ # (We rely upon hostname resolution working for localhost, because the default
+@@ -119,11 +119,13 @@ hostlist   relay_from_hosts = localhost
+ # manual for details. The lists above are used in the access control lists for
+ # checking incoming messages. The names of these ACLs are defined here:
+ 
++acl_smtp_mail =         acl_check_mail
+ acl_smtp_rcpt =         acl_check_rcpt
+ .ifdef _HAVE_PRDR
+ acl_smtp_data_prdr =    acl_check_prdr
+ .endif
+ acl_smtp_data =         acl_check_data
++acl_smtp_mime =         acl_check_mime
+ 
+ # You should not change those settings until you understand how ACLs work.
+ 
+@@ -136,7 +138,7 @@ acl_smtp_data =         acl_check_data
+ # of what to set for other virus scanners. The second modification is in the
+ # acl_check_data access control list (see below).
+ 
+-# av_scanner = clamd:/tmp/clamd
++av_scanner = clamd:/var/run/clamd.exim/clamd.sock
+ 
+ 
+ # For spam scanning, there is a similar option that defines the interface to
+@@ -147,6 +149,12 @@ acl_smtp_data =         acl_check_data
+ # spamd_address = 127.0.0.1 783
+ 
+ 
++# Set the default sqlite database file for greylisting. Uncomment this
++# if you use the greylisting ACLs defined below.
++
++# sqlite_dbfile = /var/spool/exim/db/greylist.db
++
++
+ # If Exim is compiled with support for TLS, you may want to change the
+ # following option so that Exim disallows certain clients from makeing encrypted
+ # connections. The default is to allow all.
+@@ -157,7 +165,7 @@ acl_smtp_data =         acl_check_data
+ 
+ # This is equivalent to the default.
+ 
+-# tls_advertise_hosts = *
++tls_advertise_hosts = *
+ 
+ # Specify the location of the Exim server's TLS certificate and private key.
+ # The private key must not be encrypted (password protected). You can put
+@@ -165,8 +173,8 @@ acl_smtp_data =         acl_check_data
+ # need the first setting, or in separate files, in which case you need both
+ # options.
+ 
+-# tls_certificate = /etc/ssl/exim.crt
+-# tls_privatekey = /etc/ssl/exim.pem
++tls_certificate = /etc/pki/tls/certs/exim.pem
++tls_privatekey = /etc/pki/tls/private/exim.pem
+ 
+ # For OpenSSL, prefer EC- over RSA-authenticated ciphers
+ .ifdef _HAVE_OPENSSL
+@@ -189,8 +197,8 @@ tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}}
+ # them you should also allow TLS-on-connect on the traditional but
+ # non-standard port 465.
+ 
+-# daemon_smtp_ports = 25 : 465 : 587
+-# tls_on_connect_ports = 465
++daemon_smtp_ports = 25 : 465 : 587
++tls_on_connect_ports = 465
+ 
+ 
+ # Specify the domain you want to be added to all unqualified addresses
+@@ -248,6 +256,24 @@ never_users = root
+ 
+ host_lookup = *
+ 
++# This setting, if uncommented, allows users to authenticate using
++# their system passwords against saslauthd if they connect over a
++# secure connection. If you have network logins such as NIS or
++# Kerberos rather than only local users, then you possibly also want
++# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
++# too. Once a user is authenticated, the acl_check_rcpt ACL then
++# allows them to relay through the system.
++#
++# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
++#
++# By default, we set this option to allow SMTP AUTH from nowhere
++# (Exim's default would be to allow it from anywhere, even on an
++# unencrypted connection).
++#
++# Comment this one out if you uncomment the above. Did you make sure
++# saslauthd is actually running first?
++#
++auth_advertise_hosts =
+ 
+ # The setting below causes Exim to try to initialize the system resolver
+ # library with DNSSEC support.  It has no effect if your library lacks
+@@ -378,8 +404,8 @@ timeout_frozen_after = 7d
+ # Note that TZ is handled separately by the timezone runtime option
+ # and TIMEZONE_DEFAULT buildtime option.
+ 
+-# keep_environment = ^LDAP
+-# add_environment = PATH=/usr/bin::/bin
++keep_environment = ^LDAP
++add_environment = PATH=/usr/bin::/bin
+ 
+ 
+ 
+@@ -390,6 +416,29 @@ timeout_frozen_after = 7d
+ 
+ begin acl
+ 
++
++# This access control list is used for the MAIL command in an incoming
++# SMTP message.
++
++acl_check_mail:
++
++  # Hosts are required to say HELO (or EHLO) before sending mail.
++  # So don't allow them to use the MAIL command if they haven't
++  # done so.
++
++  deny condition = ${if eq{$sender_helo_name}{} {1}}
++       message = Nice boys say HELO first
++
++  # Use the lack of reverse DNS to trigger greylisting. Some people
++  # even reject for it but that would be a little excessive.
++
++  warn condition = ${if eq{$sender_host_name}{} {1}}
++       set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
++
++  accept
++
++
++
+ # This access control list is used for every RCPT command in an incoming
+ # SMTP message. The tests are run in order until the address is either
+ # accepted or denied.
+@@ -401,6 +450,7 @@ acl_check_rcpt:
+ 
+   accept  hosts = :
+           control = dkim_disable_verify
++          control = dmarc_disable_verify
+ 
+   #############################################################################
+   # The following section of the ACL is concerned with local parts that contain
+@@ -454,7 +504,8 @@ acl_check_rcpt:
+   accept  local_parts   = postmaster
+           domains       = +local_domains
+ 
+-  # Deny unless the sender address can be verified.
++  # Deny unless the sender address can be routed. For proper verification of the
++  # address, read the documentation on callouts and add the /callout modifier.
+ 
+   require verify        = sender
+ 
+@@ -494,6 +545,7 @@ acl_check_rcpt:
+   accept  hosts         = +relay_from_hosts
+           control       = submission
+           control       = dkim_disable_verify
++          control       = dmarc_disable_verify
+ 
+   # Accept if the message arrived over an authenticated connection, from
+   # any host. Again, these messages are usually from MUAs, so recipient
+@@ -503,6 +555,7 @@ acl_check_rcpt:
+   accept  authenticated = *
+           control       = submission
+           control       = dkim_disable_verify
++          control       = dmarc_disable_verify
+ 
+   # Insist that any other recipient address that we accept is either in one of
+   # our local domains, or is in a domain for which we explicitly allow
+@@ -523,7 +576,8 @@ acl_check_rcpt:
+   # There are no default checks on DNS black lists because the domains that
+   # contain these lists are changing all the time. However, here are two
+   # examples of how you can get Exim to perform a DNS black list lookup at this
+-  # point. The first one denies, whereas the second just warns.
++  # point. The first one denies, whereas the second just warns. The third
++  # triggers greylisting for any host in the blacklist.
+   #
+   # deny    dnslists      = black.list.example
+   #         message       = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+@@ -531,6 +585,10 @@ acl_check_rcpt:
+   # warn    dnslists      = black.list.example
+   #         add_header    = X-Warning: $sender_host_address is in a black list at $dnslist_domain
+   #         log_message   = found in $dnslist_domain
++  #
++  # warn    dnslists      = black.list.example
++  #         set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
++  #
+   #############################################################################
+ 
+   #############################################################################
+@@ -557,6 +615,10 @@ acl_check_rcpt:
+   #        set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
+   #############################################################################
+ 
++  # Alternatively, greylist for it:
++  # warn !verify = csa
++  #      set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
++
+   # At this point, the address has passed all the checks that have been
+   # configured, so we accept it unconditionally.
+ 
+@@ -606,21 +668,32 @@ acl_check_data:
+           message =     header syntax
+           log_message = header syntax ($acl_verify_message)
+ 
++  # Put simple tests first. A good one is to check for the presence of a
++  # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
++  # or misconfigured mailer software occasionally omits this from genuine
++  # messages too, though -- although it's not hard for the offender to fix
++  # after they receive a bounce because of it.
++  #
++  # deny    condition  = ${if !def:h_Message-ID: {1}}
++  #         message    = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
++  #                      Most messages without it are spam, so your mail has been rejected.
++  #
++  # Alternatively if we're feeling more lenient we could just use it to
++  # trigger greylisting instead:
++
++  warn    condition  = ${if !def:h_Message-ID: {1}}
++          set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
++
+   # Deny if the message contains a virus. Before enabling this check, you
+   # must install a virus scanner and set the av_scanner option above.
+   #
+   # deny    malware    = *
+   #         message    = This message contains a virus ($malware_name).
+ 
+-  # Add headers to a message if it is judged to be spam. Before enabling this,
+-  # you must install SpamAssassin. You may also need to set the spamd_address
+-  # option above.
++  # Bypass SpamAssassin checks if the message is too large.
+   #
+-  # warn    spam       = nobody
+-  #         add_header = X-Spam_score: $spam_score\n\
+-  #                      X-Spam_score_int: $spam_score_int\n\
+-  #                      X-Spam_bar: $spam_bar\n\
+-  #                      X-Spam_report: $spam_report
++  # accept  condition  = ${if >={$message_size}{100000} {1}}
++  #         add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
+ 
+   #############################################################################
+   # No more tests if PRDR was actively used.
+@@ -634,11 +707,63 @@ acl_check_data:
+   #           condition    = ...
+   #############################################################################
+ 
++  # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
++  # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
++  # score exceeds the SA system threshold.
++  #
++  # warn    spam       = nobody/defer_ok
++  #         add_header = X-Spam-Flag: YES
++  #
++  # accept  condition  = ${if !def:spam_score_int {1}}
++  #         add_header = X-Spam-Note: SpamAssassin invocation failed
++  #
++
++  # Unconditionally add score and report headers
++  #
++  # warn    add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
++  #                      X-Spam-Report: $spam_report
++
++  # And reject if the SpamAssassin score is greater than ten
++  #
++  # deny    condition = ${if >{$spam_score_int}{100} {1}}
++  #         message   = Your message scored $spam_score SpamAssassin point. Report follows:\n\
++  #  	    	        $spam_report
++
++  # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
++  #
++  # warn    condition = ${if >{$spam_score_int}{5} {1}}
++  #         set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
++
+ 
+-  # Accept the message.
++  # If you want to greylist _all_ mail rather than only mail which looks like there
++  # might be something wrong with it, then you can do this...
++  #
++  # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
++
++  # Now, invoke the greylisting. For this you need to have installed the exim-greylist
++  # package which contains this subroutine, and you need to uncomment the bit below
++  # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
++  # greylisting will kick in and will defer the mail to check if the sender is a
++  # proper mail which which retries, or whether it's a zombie. For more details, see
++  # the exim-greylist.conf.inc file itself.
++  #
++  # require acl = greylist_mail
+ 
+   accept
+ 
++# To enable the greylisting, also uncomment this line:
++# .include /etc/exim/exim-greylist.conf.inc
++
++acl_check_mime:
++
++  # File extension filtering.
++  deny message = Blacklisted file extension detected
++       condition = ${if match \
++                        {${lc:$mime_filename}} \
++                        {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
++                     {1}{0}}
++
++  accept
+ 
+ 
+ ######################################################################
+@@ -740,7 +865,7 @@ system_aliases:
+   driver = redirect
+   allow_fail
+   allow_defer
+-  data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
++  data = ${lookup{$local_part}lsearch{/etc/aliases}}
+ # user = exim
+   file_transport = address_file
+   pipe_transport = address_pipe
+@@ -778,7 +903,7 @@ userforward:
+ # local_part_suffix = +* : -*
+ # local_part_suffix_optional
+   file = $home/.forward
+-# allow_filter
++  allow_filter
+   no_verify
+   no_expn
+   check_ancestor
+@@ -786,6 +911,12 @@ userforward:
+   pipe_transport = address_pipe
+   reply_transport = address_reply
+ 
++procmail:
++  driver = accept
++  check_local_user
++  require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
++  transport = procmail
++  no_verify
+ 
+ # This router matches local user mailboxes. If the router fails, the error
+ # message is "Unknown user".
+@@ -826,6 +957,25 @@ remote_smtp:
+   tls_resumption_hosts = *
+ .endif
+ 
++# This transport is used for delivering messages over SMTP using the
++# "message submission" port (RFC4409).
++
++remote_msa:
++  driver = smtp
++  port = 587
++  hosts_require_auth = *
++
++
++# This transport invokes procmail to deliver mail
++procmail:
++  driver = pipe
++  command = "/usr/bin/procmail -d $local_part"
++  return_path_add
++  delivery_date_add
++  envelope_to_add
++  user = $local_part
++  initgroups
++  return_output
+ 
+ # This transport is used for delivering messages to a smarthost, if the
+ # smarthost router is enabled.  This starts from the same basis as
+@@ -880,8 +1030,8 @@ local_delivery:
+   delivery_date_add
+   envelope_to_add
+   return_path_add
+-# group = mail
+-# mode = 0660
++  group = mail
++  mode = 0660
+ 
+ 
+ # This transport is used for handling pipe deliveries generated by alias or
+@@ -914,6 +1064,16 @@ address_reply:
+   driver = autoreply
+ 
+ 
++# This transport is used to deliver local mail to cyrus IMAP server via UNIX
++# socket. You'll need to configure the 'localuser' router above to use it.
++#
++#lmtp_delivery:
++#  home_directory = /var/spool/imap
++#  driver = lmtp
++#  command = "/usr/lib/cyrus-imapd/deliver -l"
++#  batch_max = 20
++#  user = cyrus
++
+ 
+ ######################################################################
+ #                      RETRY CONFIGURATION                           #
+@@ -954,6 +1114,21 @@ begin rewrite
+ #                   AUTHENTICATION CONFIGURATION                     #
+ ######################################################################
+ 
++begin authenticators
++
++# This authenticator supports CRAM-MD5 username/password authentication
++# with Exim acting as a _client_, as it might when sending its outgoing
++# mail to a smarthost rather than directly to the final recipient.
++# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
++
++#client_auth:
++#  driver = cram_md5
++#  public_name = CRAM-MD5
++#  client_name = SMTPAUTH_USERNAME
++#  client_secret = SMTPAUTH_PASSWORD
++
++#
++
+ # The following authenticators support plaintext username/password
+ # authentication using the standard PLAIN mechanism and the traditional
+ # but non-standard LOGIN mechanism, with Exim acting as the server.
+@@ -969,7 +1144,7 @@ begin rewrite
+ # The default RCPT ACL checks for successful authentication, and will accept
+ # messages from authenticated users from anywhere on the Internet.
+ 
+-begin authenticators
++#
+ 
+ # PLAIN authentication has no server prompts. The client sends its
+ # credentials in one lump, containing an authorization ID (which we do not
+@@ -983,7 +1158,7 @@ begin authenticators
+ #  driver                     = plaintext
+ #  server_set_id              = $auth2
+ #  server_prompts             = :
+-#  server_condition           = Authentication is not yet configured
++#  server_condition           = ${if saslauthd{{$2}{$3}{smtp}} {1}}
+ #  server_advertise_condition = ${if def:tls_in_cipher }
+ 
+ # LOGIN authentication has traditional prompts and responses. There is no
+@@ -995,7 +1170,7 @@ begin authenticators
+ #  driver                     = plaintext
+ #  server_set_id              = $auth1
+ #  server_prompts             = <| Username: | Password:
+-#  server_condition           = Authentication is not yet configured
++#  server_condition           = ${if saslauthd{{$1}{$2}{smtp}} {1}}
+ #  server_advertise_condition = ${if def:tls_in_cipher }
+ 
+ 

exim-4.96-dlopen-localscan.patch

@@ -1,17 +1,19 @@
 diff --git a/src/EDITME b/src/EDITME
-index 5a08197..3921db6 100644
+index cf0b33e..7d4cbf3 100644
 --- a/src/EDITME
 +++ b/src/EDITME
-@@ -792,6 +792,20 @@ TLS_LIBS=-lssl -lcrypto
+@@ -878,6 +878,21 @@ HAVE_ICONV=yes
+ # *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
  
  
- #------------------------------------------------------------------------------
++#------------------------------------------------------------------------------
 +# On systems which support dynamic loading of shared libraries, Exim can
 +# load a local_scan function specified in its config file instead of having
 +# to be recompiled with the desired local_scan function. For a full
 +# description of the API to this function, see the Exim specification.
 +
 +DLOPEN_LOCAL_SCAN=yes
++HAVE_LOCAL_SCAN=yes
 +
 +# If you set DLOPEN_LOCAL_SCAN, then you need to include -rdynamic in the
 +# linker flags.  Without it, the loaded .so won't be able to access any
@@ -19,17 +21,16 @@ index 5a08197..3921db6 100644
 +
 +LFLAGS=-rdynamic -ldl -pie
 +
-+#------------------------------------------------------------------------------
+ #------------------------------------------------------------------------------
  # The default distribution of Exim contains only the plain text form of the
  # documentation. Other forms are available separately. If you want to install
- # the documentation in "info" format, first fetch the Texinfo documentation
 diff --git a/src/config.h.defaults b/src/config.h.defaults
-index bafdc1b..c6ba256 100644
+index 25ab755..e27a51d 100644
 --- a/src/config.h.defaults
 +++ b/src/config.h.defaults
-@@ -28,6 +28,8 @@ it's a default value. */
+@@ -33,6 +33,8 @@ Do not put spaces between # and the 'define'.
  
- #define AUTH_VARS                     3
+ #define AUTH_VARS                     4
  
 +#define DLOPEN_LOCAL_SCAN
 +
@@ -37,10 +38,10 @@ index bafdc1b..c6ba256 100644
  
  #define CONFIGURE_FILE
 diff --git a/src/globals.c b/src/globals.c
-index f83d850..c722059 100644
+index ff246fe..b9dfbbb 100644
 --- a/src/globals.c
 +++ b/src/globals.c
-@@ -167,6 +167,10 @@ uschar *tls_verify_hosts       = NULL;
+@@ -151,6 +151,10 @@ time_t  tls_watch_trigger_time = (time_t)0;
  uschar *tls_advertise_hosts    = NULL;
  #endif
  
@@ -52,12 +53,12 @@ index f83d850..c722059 100644
  /* Per Recipient Data Response variables */
  BOOL    prdr_enable            = FALSE;
 diff --git a/src/globals.h b/src/globals.h
-index b3747a8..e3dd507 100644
+index fe099e4..7530a76 100644
 --- a/src/globals.h
 +++ b/src/globals.h
-@@ -126,6 +126,11 @@ extern uschar *tls_try_verify_hosts;   /* Optional client verification */
- extern uschar *tls_verify_certificates;/* Path for certificates to check */
- extern uschar *tls_verify_hosts;       /* Mandatory client verification */
+@@ -148,6 +148,11 @@ extern uschar *tls_verify_hosts;       /* Mandatory client verification */
+ extern int     tls_watch_fd;	       /* for inotify of creds files */
+ extern time_t  tls_watch_trigger_time; /* non-0: triggered */
  #endif
 +
 +#ifdef DLOPEN_LOCAL_SCAN
@@ -68,21 +69,25 @@ index b3747a8..e3dd507 100644
  
  extern uschar  *dsn_envid;             /* DSN envid string */
 diff --git a/src/local_scan.c b/src/local_scan.c
-index 3500047..8599172 100644
+index 7a3bae7..6ea5d2d 100644
 --- a/src/local_scan.c
 +++ b/src/local_scan.c
-@@ -5,60 +5,131 @@
- /* Copyright (c) University of Cambridge 1995 - 2009 */
+@@ -6,59 +6,133 @@
+ /* Copyright (c) The Exim Maintainers 2021 */
  /* See the file NOTICE for conditions of use and distribution. */
  
-+#include "exim.h"
++#include <local_scan.h>
  
 -/******************************************************************************
 -This file contains a template local_scan() function that just returns ACCEPT.
 -If you want to implement your own version, you should copy this file to, say
 -Local/local_scan.c, and edit the copy. To use your version instead of the
 -default, you must set
--
++#ifdef DLOPEN_LOCAL_SCAN
++extern uschar *local_scan_path;        /* Path to local_scan() library */
++#endif
+ 
+-HAVE_LOCAL_SCAN=yes
 -LOCAL_SCAN_SOURCE=Local/local_scan.c
 -
 -in your Local/Makefile. This makes it easy to copy your version for use with
@@ -132,8 +137,6 @@ index 3500047..8599172 100644
  int
  local_scan(int fd, uschar **return_text)
  {
- fd = fd;                      /* Keep picky compilers happy */
- return_text = return_text;
 -return LOCAL_SCAN_ACCEPT;
 +#ifdef DLOPEN_LOCAL_SCAN
 +/* local_scan_path is defined AND not the empty string */
@@ -165,8 +168,8 @@ index 3500047..8599172 100644
 +else
 +#endif
 +  return LOCAL_SCAN_ACCEPT;
- }
- 
++ }
++ 
 +#ifdef DLOPEN_LOCAL_SCAN
 +
 +static int load_local_scan_library(void)
@@ -245,22 +248,22 @@ index 3500047..8599172 100644
 +  }
 +
 +return TRUE;
-+}
-+
+ }
+ 
 +#endif /* DLOPEN_LOCAL_SCAN */
 +
  /* End of local_scan.c */
 diff --git a/src/readconf.c b/src/readconf.c
-index b2a3c73..6f2efa0 100644
+index 06bc50f..6ecb0af 100644
 --- a/src/readconf.c
 +++ b/src/readconf.c
-@@ -314,6 +314,9 @@ static optionlist optionlist_config[] = {
-   { "local_from_prefix",        opt_stringptr,   &local_from_prefix },
-   { "local_from_suffix",        opt_stringptr,   &local_from_suffix },
-   { "local_interfaces",         opt_stringptr,   &local_interfaces },
+@@ -212,6 +212,9 @@ static optionlist optionlist_config[] = {
+   { "local_from_prefix",        opt_stringptr,   {&local_from_prefix} },
+   { "local_from_suffix",        opt_stringptr,   {&local_from_suffix} },
+   { "local_interfaces",         opt_stringptr,   {&local_interfaces} },
 +#ifdef DLOPEN_LOCAL_SCAN
 +  { "local_scan_path",          opt_stringptr,   &local_scan_path },
 +#endif
-   { "local_scan_timeout",       opt_time,        &local_scan_timeout },
-   { "local_sender_retain",      opt_bool,        &local_sender_retain },
-   { "localhost_number",         opt_stringptr,   &host_number_string },
+ #ifdef HAVE_LOCAL_SCAN
+   { "local_scan_timeout",       opt_time,        {&local_scan_timeout} },
+ #endif

exim-4.96-opendmarc-1.4-build-fix.patch

@@ -0,0 +1,13 @@
+diff --git a/src/dmarc.c b/src/dmarc.c
+index 17bba9d..a218380 100644
+--- a/src/dmarc.c
++++ b/src/dmarc.c
+@@ -459,7 +459,7 @@ if (!dmarc_abort && !sender_host_authenticated)
+ 		  vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
+ 		  DMARC_POLICY_DKIM_OUTCOME_NONE;
+     libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain,
+-					       dkim_result, US"");
++					       sig->selector, dkim_result, US"");
+     DEBUG(D_receive)
+       debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain);
+     if (libdm_status != DMARC_PARSE_OKAY)

exim-4.96-pic.patch

@@ -1,13 +1,13 @@
 diff --git a/src/lookups/Makefile b/src/lookups/Makefile
-index 6ba0cb1..21a7ad7 100644
+index 19585bf..a0d355f 100644
 --- a/src/lookups/Makefile
 +++ b/src/lookups/Makefile
-@@ -22,7 +22,7 @@ lookups.a:       $(OBJ)
+@@ -24,7 +24,7 @@ lookups.a:       $(OBJ)
  		 $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
  
  .c.so:;          @echo "$(CC) -shared $*.c"
 -		 $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $*.c -o $@
 +		 $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $(PIC) $*.c -o $@
  
- lf_check_file.o: $(PHDRS) lf_check_file.c  lf_functions.h
- lf_quote.o:      $(PHDRS) lf_quote.c       lf_functions.h
+ lf_check_file.o: $(HDRS) lf_check_file.c  lf_functions.h
+ lf_quote.o:      $(HDRS) lf_quote.c       lf_functions.h

exim-clamav-tmpfiles.conf

@@ -1 +1 @@
-D /var/run/clamd.exim 0750 exim exim -
+D /run/clamd.exim 0750 exim exim -

exim-greylist.conf.inc

@@ -1,11 +1,44 @@
-# $Id: acl-greylist-sqlite,v 1.3 2007/11/25 19:17:28 dwmw2 Exp $
+#
+# Exim ACL for greylisting. David Woodhouse <dwmw2@infradead.org>
+#
+# For full background on the logic behind greylisting and how this
+# ACL works, see https://github.com/Exim/exim/wiki/SimpleGreylisting
+#
 
-GREYDB=/var/spool/exim/db/greylist.db
+# UPDATING TO EXIM 4.94+
+# ======================
+#
+# Previous versions of this ACL specified the sqlite database filename 
+# in the sqlite lookup strings directly, but since Exim 4.94 is it no 
+# longer permitted to mix "tainted" text which comes from the message 
+# itself, with the filename. Thus, you now have to set
+#
+# sqlite_dbfile = /var/spool/exim/db/greylist.db
+#
+# ... in the main configuration because it can't be specified within
+# the ACL in this file any more.
 
-# ACL for greylisting. Place reason(s) for greylisting into a variable named
-# $acl_m_greylistreasons before invoking with 'require acl = greylist_mail'.
-# The reasons should be separate lines of text, and will be reported in
-# the SMTP rejection message as well as the log message.
+# USING THIS ACL
+# ==============
+#
+# First set sqlite_dbfile in the main configuration file to point to
+# the greylist sqlite database, as described above.
+#
+# In your main ACLs, gather reason(s) for greylisting into a variable 
+# named $acl_m_greylistreasons before invoking this ACL with
+# 'require acl = greylist_mail'. The reasons should be separate lines
+# of text, and will be reported in the SMTP rejection message as well
+# as the log message. Anything "suspicious" about the email can be
+# used as criteria here — being HTML, having even a few SpamAssassin
+# points, even lacking SPF authorisation (which is OK for greylisting
+# although you should never reject outright for an SPF "failure"
+# because of the flaws in SPF).
+#
+# Obviously you need to .include this file too in order to be able
+# to invoke this greylist_mail ACL.
+
+# HOW IT WORKS
+# ============
 #
 # When a suspicious mail is seen, we temporarily reject it and wait to see
 # if the sender tries again. Most spam robots won't bother. Real mail hosts
@@ -44,15 +77,13 @@ GREYDB=/var/spool/exim/db/greylist.db
 #
 
 greylist_mail:
-  # First, accept if it there's absolutely nothing suspicious about it...
-  accept condition = ${if eq{$acl_m_greylistreasons}{} {1}}
-  # ... or if it was generated locally or by authenticated clients.
+  # Firstly,  accept if it was generated locally or by authenticated clients.
   accept hosts = :
   accept authenticated = *
 
   # Secondly, there's _absolutely_ no point in greylisting mail from
   # hosts which are known to resend their mail. Just accept it.
-  accept condition = ${lookup sqlite {GREYDB SELECT host from resenders \
+  accept condition = ${lookup sqlite {SELECT host from resenders \
 			       WHERE helo='${quote_sqlite:$sender_helo_name}' \
 			       AND host='$sender_host_address';} {1}}
 
@@ -62,15 +93,28 @@ greylist_mail:
   # Attempt to look up this mail in the greylist database. If it's there,
   # remember the expiry time for it; we need to make sure they've waited
   # long enough.
-  warn set acl_m_greyexpiry = ${lookup sqlite {GREYDB SELECT expire FROM greylist \
+  warn set acl_m_greyexpiry = ${lookup sqlite {SELECT expire FROM greylist \
 				WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
 
+
+  # If there's absolutely nothing suspicious about the email, accept it. BUT...
+  accept condition = ${if eq {$acl_m_greylistreasons}{} {1}}
+         condition = ${if eq {$acl_m_greyexpiry}{} {1}}
+
+  # ..if this same mail was greylisted before (perhaps because it came from a
+  # host which *was* suspicious), then we still want to mark that original host
+  # as a "known resender". If we don't, then hosts which attempt to deliver from
+  # a dodgy Legacy IP address but then fall back to using IPv6 after greylisting
+  # will *never* see their Legacy IP address added to the 'known resenders' list.
+  accept condition = ${if eq {$acl_m_greylistreasons}{} {1}}
+         acl = write_known_resenders
+
   # If the mail isn't already the database -- i.e. if the $acl_m_greyexpiry
   # variable we just looked up is empty -- then try to add it now. This is 
   # where the 5 minute timeout is set ($tod_epoch + 300), should you wish
   # to change it.
   warn  condition = ${if eq {$acl_m_greyexpiry}{} {1}}
-	set acl_m_dontcare = ${lookup sqlite {GREYDB INSERT INTO greylist \
+	set acl_m_dontcare = ${lookup sqlite {INSERT INTO greylist \
 					VALUES ( '$acl_m_greyident', \
 						 '${eval10:$tod_epoch+300}', \
 						 '$sender_host_address', \
@@ -79,7 +123,7 @@ greylist_mail:
   # Be paranoid, and check if the insertion succeeded (by doing another lookup).
   # Otherwise, if there's a database error we might end up deferring for ever.
   defer condition = ${if eq {$acl_m_greyexpiry}{} {1}}
-        condition = ${lookup sqlite {GREYDB SELECT expire FROM greylist \
+        condition = ${lookup sqlite {SELECT expire FROM greylist \
 				WHERE id='${quote_sqlite:$acl_m_greyident}';} {1}}
         message = Your mail was considered suspicious for the following reason(s):\n$acl_m_greylistreasons \
 		  The mail has been greylisted for 5 minutes, after which it should be accepted. \
@@ -105,13 +149,16 @@ greylist_mail:
 		  You should wait another ${eval10:$acl_m_greyexpiry-$tod_epoch} seconds.\n\
 		  Reason(s) for greylisting: \n$acl_m_greylistreasons
 
+  accept acl = write_known_resenders
+
+write_known_resenders:
   # The message was listed but it's been more than five minutes. Accept it now and whitelist
   # the _original_ sending host by its { IP, HELO } so that we don't delay its mail again.
-  warn set acl_m_orighost = ${lookup sqlite {GREYDB SELECT host FROM greylist \
+  warn set acl_m_orighost = ${lookup sqlite {SELECT host FROM greylist \
 				WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
-       set acl_m_orighelo = ${lookup sqlite {GREYDB SELECT helo FROM greylist \
+       set acl_m_orighelo = ${lookup sqlite {SELECT helo FROM greylist \
 				WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
-       set acl_m_dontcare = ${lookup sqlite {GREYDB INSERT INTO resenders \
+       set acl_m_dontcare = ${lookup sqlite {INSERT INTO resenders \
 				VALUES ( '$acl_m_orighost', \
 					 '${quote_sqlite:$acl_m_orighelo}', \
 					 '$tod_epoch' ); }}

exim.init

@@ -1,132 +0,0 @@
-#!/bin/bash
-#
-# exim    This shell script takes care of starting and stopping exim
-#
-# chkconfig: 2345 80 30
-# description: Exim is a Mail Transport Agent, which is the program \
-#              that moves mail from one machine to another.
-# processname: exim
-# config: /etc/exim/exim.conf
-# pidfile: /var/run/exim.pid
-
-# Source function library.
-. /etc/init.d/functions
-
-# Source networking configuration.
-[ -r /etc/sysconfig/network ] && . /etc/sysconfig/network
-
-# Source exim configureation.
-if [ -f /etc/sysconfig/exim ] ; then
-	. /etc/sysconfig/exim
-else
-	DAEMON=yes
-	QUEUE=1h
-fi
-
-USER=${USER:=exim}
-GROUP=${GROUP:=exim}
-
-gen_cert() {
-	if [ ! -f /etc/pki/tls/certs/exim.pem ] ; then
-		umask 077
-		FQDN=`hostname`
-		if [ "x${FQDN}" = "x" ]; then
-			FQDN=localhost.localdomain
-		fi
-		echo -n $"Generating exim certificate: "
-		cat << EOF | openssl req -new -x509 -days 365 -nodes \
-			-out /etc/pki/tls/certs/exim.pem \
-			-keyout /etc/pki/tls/private/exim.pem &>/dev/null
---
-SomeState
-SomeCity
-SomeOrganization
-SomeOrganizationalUnit
-${FQDN}
-root@${FQDN}
-EOF
-		if [ $? -eq 0 ]; then
-			success
-			chown $USER:$GROUP /etc/pki/tls/{private,certs}/exim.pem
-			chmod 600 /etc/pki/tls/{private,certs}/exim.pem
-		else
-			failure
-		fi
-		echo
-	fi
-}
-
-start() {
-	[ "$EUID" != "0" ] && exit 4
-	[ "${NETWORKING}" = "no" ] && exit 1
-	[ -f /usr/sbin/exim ] || exit 5
-
-	# check ownerships
-	# do this by seeing if /var/log/exim/main.log exists and is
-	# owned by exim - if owned by someone else we fix it up
-	if [ -f /var/log/exim/main.log ]
-	then
-	    if [ "exim" != "`ls -l /var/log/exim/main.log | awk '{print $4}'`" ]
-	    then
-		chown -R $USER:$GROUP /var/log/exim /var/spool/exim
-	    fi
-	fi
-
-	# generate certificate if doesn't exist
-	gen_cert
-
-        # Start daemons.
-        echo -n $"Starting exim: "
-        daemon /usr/sbin/exim $([ "$DAEMON" = yes ] && echo -bd) \
-                              $([ -n "$QUEUE" ] && echo -q$QUEUE)
-        RETVAL=$?
-        echo
-        [ $RETVAL = 0 ] && touch /var/lock/subsys/exim
-}
-
-stop() {
-	[ "$EUID" != "0" ] && exit 4
-        # Stop daemons.
-        echo -n $"Shutting down exim: "
-        killproc exim
-	RETVAL=$?
-        echo
-        [ $RETVAL = 0 ] && rm -f /var/lock/subsys/exim
-}
-
-restart() {
-	stop
-	start
-}
-
-# See how we were called.
-case "$1" in
-  start)
-	start
-	;;
-  stop)
-	stop
-	;;
-  restart)
-	restart
-	;;
-  reload|force-reload)
-	status exim > /dev/null || exit 7
-	echo -n $"Reloading exim:"
-	killproc exim -HUP
-	echo
-	;;
-  condrestart|try-restart)
-	status exim > /dev/null || exit 0
-	restart
-	;;
-  status)
-	status exim
-	;;
-  *)
-	echo $"Usage: $0 {start|stop|restart|reload|force-reload|status|condrestart|try-restart}"
-	exit 2
-esac
-
-exit $RETVAL
-

exim.spec

@@ -6,32 +6,28 @@
 %bcond_without clamav
 %endif
 
-%global sysv2systemdnvr 4.76-6
-
 # hardened build if not overridden
 %{!?_hardened_build:%global _hardened_build 1}
 
 Summary: The exim mail transfer agent
 Name: exim
-Version: 4.88
-Release: 3%{?dist}
+Version: 4.96
+Release: 2%{?dist}
 License: GPLv2+
-Url: http://www.exim.org/
-Group: System Environment/Daemons
-Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Url: https://www.exim.org/
+
 Provides: MTA smtpd smtpdaemon server(smtp)
-Requires(post): /sbin/chkconfig /sbin/service /sbin/restorecon %{_sbindir}/alternatives systemd systemd-sysv
+Requires(post): /sbin/restorecon %{_sbindir}/alternatives systemd
 Requires(preun): %{_sbindir}/alternatives systemd
 Requires(postun): %{_sbindir}/alternatives systemd
 Requires(pre): %{_sbindir}/groupadd, %{_sbindir}/useradd
 %if %{with clamav}
-%if 0%{?fedora} < 23
-Requires: initscripts
+BuildRequires: clamd
 %endif
-BuildRequires: clamav-devel
-%endif
-Source: ftp://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2
-Source2: exim.init
+Source: https://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.xz
+Source1: https://ftp.exim.org/pub/exim/exim4/%{name}-%{version}.tar.xz.asc
+Source2: https://downloads.exim.org/Exim-Maintainers-Keyring.asc
+
 Source3: exim.sysconfig
 Source4: exim.logrotate
 Source5: exim-tidydb.sh
@@ -46,37 +42,57 @@ Source24: exim.service
 Source25: exim-gen-cert
 Source26: clamd.exim.service
 
-Patch4: exim-4.88-rhl.patch
-Patch6: exim-4.88-config.patch
-Patch8: exim-4.82-libdir.patch
-Patch12: exim-4.88-cyrus.patch
-Patch13: exim-4.88-pamconfig.patch
-Patch14: exim-4.87-spamdconf.patch
-Patch18: exim-4.88-dlopen-localscan.patch
-Patch19: exim-4.88-procmail.patch
-Patch20: exim-4.88-allow-filter.patch
-Patch21: exim-4.87-localhost-is-local.patch
-Patch22: exim-4.88-greylist-conf.patch
-Patch23: exim-4.88-smarthost-config.patch
-Patch25: exim-4.87-dynlookup-config.patch
-# Upstream ticket: http://bugs.exim.org/show_bug.cgi?id=1584
-Patch26: exim-4.85-pic.patch
-Patch27: exim-4.87-environment.patch
-# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2016
-# Upsream patch: https://git.exim.org/exim.git/patch/bd8fbe3606d80e5a3fc02fe71b521146c6938448
-Patch28: exim-4.88-DKIM-fix.patch
+Patch0: exim-4.96-config.patch
+Patch1: exim-4.94-libdir.patch
+Patch2: exim-4.96-dlopen-localscan.patch
+Patch3: exim-4.96-pic.patch
+# https://bugs.exim.org/show_bug.cgi?id=2728
+Patch4: exim-4.96-opendmarc-1.4-build-fix.patch
+# https://bugs.exim.org/show_bug.cgi?id=2899
+Patch5: exim-4.96-build-fix.patch
 
 Requires: /etc/pki/tls/certs /etc/pki/tls/private
 Requires: /etc/aliases
 Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
-BuildRequires: libdb-devel openssl-devel openldap-devel pam-devel
-BuildRequires: pcre-devel sqlite-devel tcp_wrappers-devel cyrus-sasl-devel
-BuildRequires: openldap-devel openssl-devel mysql-devel postgresql-devel
-BuildRequires: libXaw-devel libXmu-devel libXext-devel libX11-devel libSM-devel
+Recommends: publicsuffix-list
+BuildRequires: gcc
+BuildRequires: libdb-devel
+BuildRequires: openssl-devel
+BuildRequires: openldap-devel
+BuildRequires: pam-devel
+BuildRequires: pcre2-devel
+BuildRequires: sqlite-devel
+BuildRequires: cyrus-sasl-devel
+BuildRequires: libspf2-devel
+BuildRequires: libopendmarc-devel
+BuildRequires: openldap-devel
+BuildRequires: openssl-devel
+BuildRequires: mariadb-connector-c-devel
+BuildRequires: libpq-devel
+BuildRequires: libXaw-devel
+BuildRequires: libXmu-devel
+BuildRequires: libXext-devel
+BuildRequires: libX11-devel
+BuildRequires: libSM-devel
 BuildRequires: perl-devel
 BuildRequires: perl-generators
-BuildRequires: libICE-devel libXpm-devel libXt-devel perl(ExtUtils::Embed)
-BuildRequires: systemd-units libgsasl-devel
+BuildRequires: libICE-devel
+BuildRequires: libXpm-devel
+BuildRequires: libXt-devel
+BuildRequires: perl(ExtUtils::Embed)
+# mariadb-devel for mariadb pkgconfig
+BuildRequires: systemd-units
+BuildRequires: libgsasl-devel
+BuildRequires: mariadb-devel
+# Workaround for NIS removal from glibc, bug 1534920
+BuildRequires: libnsl2-devel
+BuildRequires: libtirpc-devel
+BuildRequires: gnupg2
+BuildRequires: grep
+%if 0%{?rhel} == 8
+BuildRequires:  epel-rpm-macros >= 8-5
+%endif
+BuildRequires: make
 
 %description
 Exim is a message transfer agent (MTA) developed at the University of
@@ -88,22 +104,8 @@ routed, and there are extensive facilities for checking incoming
 mail. Exim can be installed in place of sendmail, although the
 configuration of exim is quite different to that of sendmail.
 
-%if 0%{?fedora} < 23
-%package sysvinit
-Summary: SysV initscript for Exim
-Group: System Environment/Daemons
-BuildArch: noarch
-Requires: %{name} = %{version}-%{release}
-Requires(preun): chkconfig
-Requires(post): chkconfig
-
-%description sysvinit
-This package contains the SysV initscript for Exim.
-%endif
-
 %package mysql
 Summary: MySQL lookup support for Exim
-Group: System Environment/Daemons
 Requires: exim = %{version}-%{release}
 
 %description mysql
@@ -111,7 +113,6 @@ This package contains the MySQL lookup module for Exim
 
 %package pgsql
 Summary: PostgreSQL lookup support for Exim
-Group: System Environment/Daemons
 Requires: exim = %{version}-%{release}
 
 %description pgsql
@@ -119,7 +120,6 @@ This package contains the PostgreSQL lookup module for Exim
 
 %package mon
 Summary: X11 monitor application for Exim
-Group: Applications/System
 
 %description mon
 The Exim Monitor is an optional supplement to the Exim package. It
@@ -130,11 +130,8 @@ interface.
 %if %{with clamav}
 %package clamav
 Summary: Clam Antivirus scanner dæmon configuration for use with Exim
-Group: System Environment/Daemons
-Requires: clamav-server exim
+Requires: clamd exim
 Obsoletes: clamav-exim <= 0.86.2
-Requires(post): /sbin/chkconfig /sbin/service
-Requires(preun): /sbin/chkconfig /sbin/service
 
 %description clamav
 This package contains configuration files which invoke a copy of the
@@ -153,24 +150,11 @@ For further details of Exim content scanning, see chapter 41 of the Exim
 specification:
 http://www.exim.org/exim-html-%{version}/doc/html/spec_html/ch41.html
 
-%if 0%{?fedora} < 23
-%package clamav-sysvinit
-Summary: SysV initscript for Clam Antivirus scanner for Exim
-Group: System Environment/Daemons
-BuildArch: noarch
-Requires: exim-clamav = %{version}-%{release}
-Requires(preun): chkconfig
-Requires(post): chkconfig
-
-%description clamav-sysvinit
-This package contains the SysV initscript.
-%endif
 %endif
 
 %package greylist
 Summary: Example configuration for greylisting using Exim
-Group: System Environment/Daemons
-Requires: sqlite exim 
+Requires: sqlite exim
 Requires: crontabs
 
 %description greylist
@@ -190,34 +174,24 @@ a list of 'offended' which it's committed, which may include having
 SpamAssassin points, lacking a Message-ID: header, coming from a blacklisted
 host, etc. There are examples of these in the default configuration file,
 mostly commented out. These should be sufficient for you to you trigger
-greylisting for whatever 'offences' you can dream of, or even to make 
+greylisting for whatever 'offences' you can dream of, or even to make
 greylisting unconditional.
 
 %prep
-%setup -q
-
-%patch4 -p1 -b .rhl
-%patch6 -p1 -b .config
-%patch8 -p1 -b .libdir
-%patch12 -p1 -b .cyrus
-%patch13 -p1 -b .pam
-%patch14 -p1 -b .spamd
-%patch18 -p1 -b .dl
-%patch19 -p1 -b .procmail
-%patch20 -p1 -b .filter
-%patch21 -p1 -b .localhost
-%patch22 -p1 -b .grey
-%patch23 -p1 -b .smarthost
-%patch25 -p1 -b .dynconfig
-%patch26 -p1 -b .fpic
-%patch27 -p1 -b .environment
-%patch28 -p1 -b .DKIM-fix
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%autosetup -p1
 
 cp src/EDITME Local/Makefile
 sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
 sed -i 's@^# AUTH_LIBS=-lsasl2@AUTH_LIBS=-lsasl2@' Local/Makefile
 cp exim_monitor/EDITME Local/eximon.conf
 
+# Workaround for rhbz#1791878
+pushd doc
+for f in $(ls -dp cve-* | grep -v '/\|\(\.txt\)$'); do
+  mv "$f" "$f.txt"
+done
+popd
 
 %build
 %ifnarch s390 s390x sparc sparcv9 sparcv9v sparc64 sparc64v
@@ -227,11 +201,11 @@ cp exim_monitor/EDITME Local/eximon.conf
 	export PIE=-fPIE
 	export PIC=-fPIC
 %endif
-make _lib=%{_lib} FULLECHO= LDFLAGS="%{?__global_ldflags} %{?_hardened_build:-pie -Wl,-z,relro,-z,now}"
+
+export LDFLAGS="%{?__global_ldflags} %{?_hardened_build:-pie -Wl,-z,relro,-z,now}"
+make _lib=%{_lib} FULLECHO=
 
 %install
-rm -rf $RPM_BUILD_ROOT
-
 mkdir -p $RPM_BUILD_ROOT%{_sbindir}
 mkdir -p $RPM_BUILD_ROOT%{_bindir}
 mkdir -p $RPM_BUILD_ROOT%{_libdir}
@@ -293,11 +267,6 @@ pod2man --center=EXIM --section=8 \
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
 install -m 644 %SOURCE3 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/exim
 
-%if 0%{?fedora} < 23
-mkdir -p $RPM_BUILD_ROOT%{_initrddir}
-install %SOURCE2 $RPM_BUILD_ROOT%{_initrddir}/exim
-%endif
-
 # Systemd
 mkdir -p %{buildroot}%{_unitdir}
 mkdir -p $RPM_BUILD_ROOT%{_libexecdir}
@@ -322,25 +291,23 @@ chmod 600 $RPM_BUILD_ROOT/etc/pki/tls/{certs,private}/exim.pem
 # generate alternatives ghosts
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 for i in %{_sbindir}/sendmail %{_bindir}/{mailq,runq,rsmtp,rmail,newaliases} \
-	/usr/lib/sendmail %{_sysconfdir}/pam.d/smtp %{_mandir}/man1/mailq.1.gz
+	/usr/lib/sendmail %{_sysconfdir}/pam.d/smtp
 do
 	touch $RPM_BUILD_ROOT$i
 done
+gzip < /dev/null > $RPM_BUILD_ROOT%{_mandir}/man1/mailq.1.gz
 
 %if %{with clamav}
 # Munge the clamav init and config files from clamav-devel. This really ought
 # to be a subpackage of clamav, but this hack will have to do for now.
 function clamsubst() {
-	 sed -e "s!<SERVICE>!$3!g;s!<USER>!$4!g;""$5" %{_datadir}/clamav/template/"$1" >"$RPM_BUILD_ROOT$2"
+	 sed -e "s!<SERVICE>!$3!g;s!<USER>!$4!g;""$5" %{_docdir}/clamd/"$1" >"$RPM_BUILD_ROOT$2"
 }
 
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/clamd.d
 clamsubst clamd.conf %{_sysconfdir}/clamd.d/exim.conf exim exim \
        's!^##*\(\(LogFile\|LocalSocket\|PidFile\|User\)\s\|\(StreamSaveToDisk\|ScanMail\|LogTime\|ScanArchive\)$\)!\1!;s!^Example!#Example!;'
 
-%if 0%{?fedora} < 23
-clamsubst clamd.init %{_initrddir}/clamd.exim exim exim ''
-%endif
 clamsubst clamd.logrotate %{_sysconfdir}/logrotate.d/clamd.exim exim exim ''
 cat <<EOF > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/clamd.exim
 CLAMD_CONFIG='%_sysconfdir/clamd.d/exim.conf'
@@ -364,8 +331,8 @@ install -m755 %{SOURCE22} $RPM_BUILD_ROOT/%_sysconfdir/cron.daily/greylist-tidy.
 install -m644 %{SOURCE23} $RPM_BUILD_ROOT/%_sysconfdir/exim/trusted-configs
 touch $RPM_BUILD_ROOT/%_var/spool/exim/db/greylist.db
 
-%clean
-rm -rf $RPM_BUILD_ROOT
+%check
+build-`scripts/os-type`-`scripts/arch-type`/exim -C src/configure.default -bV
 
 %pre
 %{_sbindir}/groupadd -g 93 exim 2>/dev/null
@@ -408,29 +375,6 @@ if [ $1 -ge 1 ]; then
 	fi
 fi
 
-%triggerun -- exim < %{sysv2systemdnvr}
-%{_bindir}/systemd-sysv-convert --save exim >/dev/null 2>&1 ||:
-/bin/systemctl enable exim.service >/dev/null 2>&1
-/sbin/chkconfig --del exim >/dev/null 2>&1 || :
-/bin/systemctl try-restart exim.service >/dev/null 2>&1 || :
-
-%if 0%{?fedora} < 23
-%triggerpostun -n exim-sysvinit -- exim < %{sysv2systemdnvr}
-/sbin/chkconfig --add exim >/dev/null 2>&1 || :
-
-%post sysvinit
-/sbin/chkconfig --add exim >/dev/null 2>&1 ||:
-
-%preun sysvinit
-if [ "$1" = 0 ]; then
-	%{_initrddir}/exim stop >/dev/null 2>&1 ||:
-	/sbin/chkconfig --del exim >/dev/null 2>&1 ||:
-fi
-
-%postun sysvinit
-[ "$1" -ge "1" ] && %{_initrddir}/exim condrestart >/dev/null 2>&1 ||:
-%endif
-
 %post greylist
 if [ ! -r %{_var}/spool/exim/db/greylist.db ]; then
    sqlite3 %{_var}/spool/exim/db/greylist.db < %{_sysconfdir}/exim/mk-greylist-db.sql
@@ -439,7 +383,6 @@ if [ ! -r %{_var}/spool/exim/db/greylist.db ]; then
 fi
 
 %files
-%defattr(-,root,root)
 %attr(4755,root,root) %{_sbindir}/exim
 %{_sbindir}/exim_dumpdb
 %{_sbindir}/exim_fixdb
@@ -503,28 +446,19 @@ fi
 %ghost %{_sysconfdir}/pam.d/smtp
 %ghost %{_mandir}/man1/mailq.1.gz
 
-%if 0%{?fedora} < 23
-%files sysvinit
-%defattr(-,root,root,-)
-%{_initrddir}/exim
-%endif
-
 %files mysql
-%defattr(-,root,root,-)
 %{_libdir}/exim/%{version}-%{release}/lookups/mysql.so
 
 %files pgsql
-%defattr(-,root,root,-)
 %{_libdir}/exim/%{version}-%{release}/lookups/pgsql.so
 
 %files mon
-%defattr(-,root,root)
 %{_sbindir}/eximon
 %{_sbindir}/eximon.bin
 
 %if %{with clamav}
 %post clamav
-/bin/mkdir -p 0750 %{_var}/run/clamd.exim
+/bin/mkdir -pm 0750 %{_var}/run/clamd.exim
 /bin/chown exim:exim %{_var}/run/clamd.exim
 /bin/touch %{_var}/log/clamd.exim
 /bin/chown exim.exim %{_var}/log/clamd.exim
@@ -545,29 +479,7 @@ if [ $1 -ge 1 ] ; then
     /bin/systemctl try-restart clamd.exim.service >/dev/null 2>&1 || :
 fi
 
-%triggerun -- clamav < %{sysv2systemdnvr}
-%{_bindir}/systemd-sysv-convert --save clamd.exim >/dev/null 2>&1 ||:
-/bin/systemctl enable clamd.exim.service >/dev/null 2>&1
-/sbin/chkconfig --del clamd.exim >/dev/null 2>&1 || :
-/bin/systemctl try-restart clamd.exim.service >/dev/null 2>&1 || :
-
-%if 0%{?fedora} < 23
-%triggerpostun -n exim-clamav-sysvinit -- exim < %{sysv2systemdnvr}
-/sbin/chkconfig --add clamd.exim >/dev/null 2>&1 ||:
-
-%post clamav-sysvinit
-/sbin/chkconfig --add clamd.exim >/dev/null 2>&1 ||:
-
-%preun clamav-sysvinit
-test "$1" != 0 || %{_initrddir}/clamd.exim stop >/dev/null 2>&1 || :
-test "$1" != 0 || /sbin/chkconfig --del clamd.exim >/dev/null 2>&1 || :
-
-%postun clamav-sysvinit
-test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
-%endif
-
 %files clamav
-%defattr(-,root,root,-)
 %{_sbindir}/clamd.exim
 %{_unitdir}/clamd.exim.service
 %config(noreplace) %verify(not mtime) %{_sysconfdir}/clamd.d/exim.conf
@@ -576,22 +488,265 @@ test "$1"  = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
 %{_tmpfilesdir}/exim-clamav.conf
 %ghost %attr(0750,exim,exim) %dir %{_var}/run/clamd.exim
 %ghost %attr(0644,exim,exim) %{_var}/log/clamd.exim
-
-%if 0%{?fedora} < 23
-%files clamav-sysvinit
-%defattr(-,root,root,-)
-%attr(0755,root,root) %config %{_initrddir}/clamd.exim
-%endif
 %endif
 
 %files greylist
-%defattr(-,root,root,-)
 %config %{_sysconfdir}/exim/exim-greylist.conf.inc
 %ghost %{_var}/spool/exim/db/greylist.db
 %{_sysconfdir}/exim/mk-greylist-db.sql
 %{_sysconfdir}/cron.daily/greylist-tidy.sh
 
 %changelog
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.96-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jun 28 2022 Jaroslav Škarvada <jskarvad@redhat.com> - 4.96-1
+- New version
+  Resolves: rhbz#2101104
+
+* Mon May 30 2022 Jitka Plesnikova <jplesnik@redhat.com> - 4.95-4
+- Perl 5.36 rebuild
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 4.95-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Nov 12 2021 Björn Esser <besser82@fedoraproject.org> - 4.95-2
+- Rebuild(libnsl2)
+- Drop support for NISPLUS, as libnsl2 >= 2.0.0 does not support it anymore
+
+* Mon Oct  4 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.95-1
+- New version
+  Resolves: rhbz#2008452
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 4.94.2-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.94.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 4.94.2-2
+- Perl 5.34 rebuild
+
+* Tue May  4 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94.2-1
+- New version
+  Resolves: rhbz#1956859
+
+* Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-7
+- Fixed cname handling in TLS certificate verification
+  Resolves: rhbz#1942582
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 4.94-6
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Mon Feb 08 2021 Pavel Raiskup <praiskup@redhat.com> - 4.94-5
+- rebuild for libpq ABI fix rhbz#1908268
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 4.94-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.94-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 4.94-2
+- Perl 5.32 rebuild
+
+* Mon Jun  1 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-1
+- New version
+  Resolves: rhbz#1842590
+- Used Exim maintainers keyring for GPG verification
+- Dropped CVE-2020-12783 patch (upstreamed)
+- Used better workaround for rhbz#1791878
+  Resolves: rhbz#1842633
+
+* Fri May 15 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-8
+- Fixed out-of-bounds read in the SPA authenticator
+  Resolves: CVE-2020-12783
+
+* Wed Apr 29 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-7
+- Improved the spec file not to override LDFLAGS
+
+* Wed Apr 29 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-6
+- Updated config to explictly link with spf2 and opendmarc
+- Fixed bogus date in changelog
+
+* Wed Apr 29 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-5
+- Bump for rebuild with the fixed clamd requirement
+  Resolves: rhbz#1801329
+
+* Fri Mar 20 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-4
+- Workaround for upgrade conflict
+  Resolves: rhbz#1791878
+
+* Thu Feb 20 2020 Tom Hughes <tom@compton.nu> - 4.93-3
+- Enable SPF and DMARC support
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 4.93-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sun Jan 12 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-1
+- New version
+  Resolves: rhbz#1782320
+- Consolidated and simplified patches
+- Dropped dane-enable patch (not needed)
+
+* Thu Jan  2 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92.3-5
+- Fixed FTBFS due to changes in clamav package
+  Resolves: rhbz#1787285
+
+* Fri Nov 22 2019 Felix Schwarz <fschwarz@fedoraproject.org> - 4.92.3-4
+- enable GPG-based source file verification
+
+* Thu Oct 10 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92.3-3
+- Enabled local_scan
+
+* Thu Oct 10 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92.3-2
+- Dropped sysvinit artifacts
+
+* Mon Sep 30 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92.3-1
+- New version
+  Resolves: rhbz#1756656
+  Resolves: CVE-2019-16928
+
+* Fri Sep  6 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92.2-1
+- New version
+  Resolves: CVE-2019-15846
+
+* Tue Aug 20 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92.1-1
+- New version
+  Resolves: rhbz#1742312
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.92-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 4.92-8
+- Perl 5.30 rebuild
+
+* Wed Mar 27 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92-7
+- Enabled DANE support
+  Resolves: rhbz#1693202
+
+* Wed Mar 20 2019 Peter Robinson <pbrobinson@fedoraproject.org> 4.92-6
+- Drop F-23 conditionals, and related obsolete bits
+
+* Tue Mar 19 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92-5
+- Processed greylist.db by cron job only if it has non zero size
+  Resolves: rhbz#1689211
+
+* Mon Mar  4 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92-4
+- Fixed greylist-conf patch
+  Related: rhbz#1679274
+
+* Sat Mar  2 2019 Tim Landscheidt <tim@tim-landscheidt.de> - 4.92-3
+- Fix syntax error in exim.conf (#1679274)
+- Use properly compressed empty mailq.1.gz as ghost file
+- Add basic check that configuration file is valid
+
+* Wed Feb 20 2019 Marcel Härry <mh+fedora@scrit.ch> - 4.92-2
+- Enable proxy and socks support
+  Resolves: rhbz#1542870
+
+* Mon Feb 11 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92-1
+- New version
+  Resolves: rhbz#1674282
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.91-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 4.91-5
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Fri Jul 20 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.91-4
+- Fixed FTBFS by adding gcc requirement
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.91-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 4.91-2
+- Perl 5.28 rebuild
+
+* Thu Apr 19 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.91-1
+- New version
+  Resolves: rhbz#1567670
+- Dropped dec64table-read-fix patch (already upstream)
+- De-fuzzified patches
+
+* Wed Mar 14 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-4
+- Fixed dec64table OOB read in b64decode
+- De-fuzzified nsl-fix patch
+
+* Fri Feb 16 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-3
+- Dropped dynlookup-config patch (merged into config patch)
+
+* Fri Feb 16 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-2
+- Fixed mysql module
+
+* Tue Feb 13 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-1
+- New version
+  Resolves: rhbz#1527710
+- Fixed buffer overflow in utility function
+  Resolves: CVE-2018-6789
+- Updated and defuzzified patches
+- Dropped mariadb-macro-fix patch (not needed)
+- Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943,
+  CVE-2017-16944 patches (all upstreamed)
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.89-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 4.89-11
+- Rebuilt for switch to libxcrypt
+
+* Wed Jan 17 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-10
+- Fixed FTBFS due to NIS removal from glibc
+  Resolves: rhbz#1534920
+
+* Fri Dec  1 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-9
+- Fixed denial of service
+  Resolves: CVE-2017-16944
+
+* Thu Nov 30 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-8
+- Dropped tcp_wrappers support
+  Resolves: rhbz#1518763
+
+* Mon Nov 27 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-7
+- Fixed use-after-free
+  Resolves: CVE-2017-16943
+
+* Fri Nov 10 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-6
+- Used mariadb-connector-c-devel instead of mysql-devel
+  Resolves: rhbz#1494094
+
+* Fri Aug 18 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-5
+- Fixed compilation with the mariadb-10.2
+  Resolves: rhbz#1467312
+- Fixed multiple memory leaks
+  Resolves: CVE-2017-1000369
+- Fixed typo causing exim-clamav to create /0750 directory
+  Resolves: rhbz#1412028
+- On callout avoid SIZE option when doing recipient verification with
+  caching enabled
+  Resolves: rhbz#1482217
+- Fixed some minor whitespace problems in the spec
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.89-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.89-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sun Jun 04 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4.89-2
+- Perl 5.26 rebuild
+
+* Wed Mar  8 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-1
+- New version
+  Resolves: rhbz#1430156
+- Switched to xz archive
+- Dropped DKIM-fix patch (already upstream)
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.88-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
 * Mon Jan 23 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.88-3
 - Fixed DKIM
 - Defuzzified patches and fixed some whitespaces

greylist-tidy.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-if [ -r /var/spool/exim/db/greylist.db ]; then
+if [ -s /var/spool/exim/db/greylist.db ]; then
     sqlite3 /var/spool/exim/db/greylist.db <<EOF
 .timeout 5000
 DELETE FROM greylist WHERE expire < $((`date +%s` - 604800));

sources

@@ -1 +1,2 @@
-SHA512 (exim-4.88.tar.bz2) = ea094bf703628c201de119fc5f09539475e52158e935f8f2a9e4138c4a1bfe885017145c3cc5e22aa9087b195091955c69385ebf1ea0baec64ed5c1b8e3b1caf
+SHA512 (exim-4.96.tar.xz) = 6b863661465a0b9897c1b71875c5196a1903cf560dd85de45b08242b9731edb2bc10eb56945d62e477e5d15cc7a8d493915bff2ca81689673a8091c66f62c89e
+SHA512 (exim-4.96.tar.xz.asc) = a231c97e44a7365ac5961f2827b89d8cdf6ad94964633814f31e44d94ada9900f76664c45c2f55e378245e44739a0ef323786ca29b4093e44ce2b008eca4ad64