rpms
/
exim
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:f37-riscv64
rpms:epel7
rpms:epel8
rpms:epel9
rpms:f35
rpms:f36
rpms:f37
rpms:main
rpms:epel8-playground
rpms:f34
rpms:f33
rpms:f32
rpms:f31
rpms:el6
rpms:f29
rpms:f30
rpms:f28
rpms:f26
rpms:f27
rpms:f25
rpms:f24
rpms:f23
rpms:f22
rpms:f20
rpms:f21
rpms:f19
rpms:f18
rpms:f16
rpms:f17
rpms:f15
rpms:f13
rpms:f14
rpms:fc6
rpms:f11
rpms:f9
rpms:f10
rpms:f12
rpms:f7
rpms:f8
rpms:exim-4_72-1_el6
rpms:exim-4_72-1_fc12
rpms:EL-6-start
rpms:EL-6-split
rpms:exim-4_72-1_fc13
rpms:exim-4_72-1_fc14
rpms:exim-4_71-4_fc14
rpms:exim-4_71-3_fc14
rpms:exim-4_71-2_fc13
rpms:F-13-start
rpms:F-13-split
rpms:exim-4_71-1_fc13
rpms:exim-4_69-19_fc13
rpms:exim-4_69-18_fc12
rpms:exim-4_69-17_fc12
rpms:F-12-start
rpms:F-12-split
rpms:exim-4_69-16_fc12
rpms:exim-4_69-15_fc12
rpms:exim-4_69-14_fc12
rpms:exim-4_69-13_fc12
rpms:exim-4_69-12_fc12
rpms:exim-4_69-11_fc12
rpms:exim-4_69-10_fc11
rpms:F-11-start
rpms:F-11-split
rpms:exim-4_69-9_fc11
rpms:exim-4_69-8_fc11
rpms:exim-4_69-8_fc10
rpms:F-10-start
rpms:F-10-split
rpms:exim-4_69-7_fc10
rpms:exim-4_69-6_fc10
rpms:exim-4_69-5_fc10
rpms:exim-4_69-4_fc9
rpms:F-9-start
rpms:F-9-split
rpms:exim-4_69-3_fc9
rpms:exim-4_69-2_fc9
rpms:exim-4_69-1_fc9
rpms:exim-4_68-3_fc9
rpms:exim-4_68-2_fc9
rpms:exim-4_68-1_fc8
rpms:F-8-start
rpms:F-8-split
rpms:exim-4_67-5_fc8
rpms:exim-4_67-4_fc8
rpms:exim-4_67-3_fc8
rpms:exim-4_67-2_fc8
rpms:exim-4_67-1_fc8
rpms:F-7-start
rpms:F-7-split
rpms:exim-4_66-3_fc7
rpms:exim-4_66-2_fc7
rpms:exim-4_66-1_fc6
rpms:exim-4_63-6_fc7
rpms:exim-4_63-5_fc6
rpms:FC-6-start
rpms:FC-6-split
rpms:exim-4_63-4_fc6
rpms:exim-4_63-3_fc6
rpms:exim-4_63-2_fc6
rpms:exim-4_63-1_fc6
rpms:exim-4_62-6_fc6
rpms:exim-4_62-6
rpms:exim-4_62-3_fc6
rpms:exim-4_62-2_fc6
rpms:exim-4_62-1_fc6
rpms:exim-4_62-1_fc5
rpms:exim-4_61-2_fc6
rpms:exim-4_61-1_fc6
rpms:exim-4_60-5_fc6
rpms:exim-4_60-4_fc6
rpms:exim-4_60-3_fc5
rpms:FC-5-split
rpms:exim-4_60-2_fc5
rpms:exim-4_60-1_fc5
rpms:exim-4_54-4_fc5
rpms:exim-4_54-4_fc4
rpms:exim-4_54-3_fc5
rpms:exim-4_54-2_fc5
rpms:exim-4_54-1_fc5
rpms:exim-4_52-2_fc5
rpms:exim-4_52-1_fc5
rpms:exim-4_51-3
rpms:exim-4_51-1
rpms:FC-4-split
rpms:exim-4_50-2
...
pull from: rpms:epel7
Branches Tags
rpms:f37-riscv64
rpms:epel7
rpms:epel8
rpms:epel9
rpms:f35
rpms:f36
rpms:f37
rpms:main
rpms:rawhide
rpms:epel8-playground
rpms:f34
rpms:f33
rpms:f32
rpms:f31
rpms:el6
rpms:f29
rpms:f30
rpms:f28
rpms:f26
rpms:f27
rpms:f25
rpms:f24
rpms:f23
rpms:f22
rpms:f20
rpms:f21
rpms:f19
rpms:f18
rpms:f16
rpms:f17
rpms:f15
rpms:f13
rpms:f14
rpms:fc6
rpms:f11
rpms:f9
rpms:f10
rpms:f12
rpms:f7
rpms:f8
rpms:exim-4_72-1_el6
rpms:exim-4_72-1_fc12
rpms:EL-6-start
rpms:EL-6-split
rpms:exim-4_72-1_fc13
rpms:exim-4_72-1_fc14
rpms:exim-4_71-4_fc14
rpms:exim-4_71-3_fc14
rpms:exim-4_71-2_fc13
rpms:F-13-start
rpms:F-13-split
rpms:exim-4_71-1_fc13
rpms:exim-4_69-19_fc13
rpms:exim-4_69-18_fc12
rpms:exim-4_69-17_fc12
rpms:F-12-start
rpms:F-12-split
rpms:exim-4_69-16_fc12
rpms:exim-4_69-15_fc12
rpms:exim-4_69-14_fc12
rpms:exim-4_69-13_fc12
rpms:exim-4_69-12_fc12
rpms:exim-4_69-11_fc12
rpms:exim-4_69-10_fc11
rpms:F-11-start
rpms:F-11-split
rpms:exim-4_69-9_fc11
rpms:exim-4_69-8_fc11
rpms:exim-4_69-8_fc10
rpms:F-10-start
rpms:F-10-split
rpms:exim-4_69-7_fc10
rpms:exim-4_69-6_fc10
rpms:exim-4_69-5_fc10
rpms:exim-4_69-4_fc9
rpms:F-9-start
rpms:F-9-split
rpms:exim-4_69-3_fc9
rpms:exim-4_69-2_fc9
rpms:exim-4_69-1_fc9
rpms:exim-4_68-3_fc9
rpms:exim-4_68-2_fc9
rpms:exim-4_68-1_fc8
rpms:F-8-start
rpms:F-8-split
rpms:exim-4_67-5_fc8
rpms:exim-4_67-4_fc8
rpms:exim-4_67-3_fc8
rpms:exim-4_67-2_fc8
rpms:exim-4_67-1_fc8
rpms:F-7-start
rpms:F-7-split
rpms:exim-4_66-3_fc7
rpms:exim-4_66-2_fc7
rpms:exim-4_66-1_fc6
rpms:exim-4_63-6_fc7
rpms:exim-4_63-5_fc6
rpms:FC-6-start
rpms:FC-6-split
rpms:exim-4_63-4_fc6
rpms:exim-4_63-3_fc6
rpms:exim-4_63-2_fc6
rpms:exim-4_63-1_fc6
rpms:exim-4_62-6_fc6
rpms:exim-4_62-6
rpms:exim-4_62-3_fc6
rpms:exim-4_62-2_fc6
rpms:exim-4_62-1_fc6
rpms:exim-4_62-1_fc5
rpms:exim-4_61-2_fc6
rpms:exim-4_61-1_fc6
rpms:exim-4_60-5_fc6
rpms:exim-4_60-4_fc6
rpms:exim-4_60-3_fc5
rpms:FC-5-split
rpms:exim-4_60-2_fc5
rpms:exim-4_60-1_fc5
rpms:exim-4_54-4_fc5
rpms:exim-4_54-4_fc4
rpms:exim-4_54-3_fc5
rpms:exim-4_54-2_fc5
rpms:exim-4_54-1_fc5
rpms:exim-4_52-2_fc5
rpms:exim-4_52-1_fc5
rpms:exim-4_51-3
rpms:exim-4_51-1
rpms:FC-4-split
rpms:exim-4_50-2

35 Commits
rawhide ... epel7

Author SHA1 Message Date
Jaroslav Škarvada 11c2200b24 New version 
Resolves: rhbz#2119687
 2022-08-19 21:58:13 +02:00
Jaroslav Škarvada cbbdc51775 New version 
Resolves: rhbz#2100385
 2022-06-23 18:52:14 +02:00
Jaroslav Škarvada 4845899c4e New version 2021-05-04 20:34:33 +02:00
Jaroslav Škarvada 4753ea0351 Release bump to fix greylisting 2021-04-13 00:00:01 +02:00
David Woodhouse aa3062fa1a Fix greylisting for Exim 4.94 2021-04-12 14:27:32 +02:00
Jaroslav Škarvada b08df76248 Fixed cname handling in TLS certificate verification 
Resolves: rhbz#1942583
 2021-03-25 15:42:00 +01:00
Jaroslav Škarvada 5787faece7 New version 
Resolves: rhbz#1842590
Used Exim maintainers keyring for GPG verification
Dropped CVE-2020-12783 patch (upstreamed)
Used better workaround for rhbz#1791878
  Resolves: rhbz#1842633
 2020-06-01 21:48:09 +02:00
Jaroslav Škarvada 8b2730e97c Fixed out-of-bounds read in the SPA authenticator 
Resolves: CVE-2020-12783
 2020-05-15 21:05:28 +02:00
Jaroslav Škarvada 780569af31 Fixed FTBFS with spf2 and opendmarc 
Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
 2020-04-29 19:42:24 +02:00
Jaroslav Škarvada 6783664c90 Enabled spf2 and opendmarc support 
Resolves: rhbz#1829076
 2020-04-29 18:18:06 +02:00
Jaroslav Škarvada 935e9a27e4 Rebased to 4.93 
Resolves: rhbz#1827425
 2020-04-27 23:59:52 +02:00
Jaroslav Škarvada 68f78d8d08 New version 
Resolves: rhbz#1756656
  Resolves: CVE-2019-16928
 2019-09-30 13:46:23 +02:00
Jaroslav Škarvada 3722b366f7 New version 
Resolves: CVE-2019-15846
 2019-09-06 17:51:25 +02:00
Jaroslav Škarvada 9fe0f130b8 New version 
Resolves: rhbz#1742312
 2019-08-20 17:44:10 +02:00
Jaroslav Škarvada 8656a01853 New version 
De-fuzzified patches
 2019-06-05 11:16:58 +02:00
Jaroslav Škarvada 89cc74b43d Enabled DANE support 
Resolves: rhbz#1693202
De-fuzzified support-proxies patch
 2019-03-27 13:23:20 +01:00
mh 6a241632d3 enable proxy support bz#1542870 2019-02-20 07:55:13 +01:00
Jaroslav Škarvada c1b340c76c Removed unused patches and de-fuzzified dlopen-localscan patch 
Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
 2018-08-22 16:34:47 +02:00
Jaroslav Škarvada 3afb1c1273 New version 
Resolves: rhbz#1615158
Dropped dynlookup-config patch (merged into config patch)
Dropped dec64table-read-fix patch (already upstream)
De-fuzzified patches
 2018-08-22 16:11:00 +02:00
Jaroslav Škarvada 3206e7c0eb Fixed dec64table OOB read in b64decode 2018-03-14 09:29:23 +01:00
Jaroslav Škarvada c4f7bb88e5 Fixed undefined symbols in mysql module 2018-02-16 17:43:17 +01:00
Jaroslav Škarvada 91496a8099 Removed unused patch 
Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
 2018-02-14 16:51:22 +01:00
Jaroslav Škarvada 53057966f8 New version 
Resolves: rhbz#1527710
Fixed buffer overflow in utility function
  Resolves: CVE-2018-6789
Updated and defuzzified patches
Dropped mariadb-macro-fix patch (not needed)
Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943,
  CVE-2017-16944 patches (all upstreamed)
 2018-02-14 16:43:42 +01:00
Jaroslav Škarvada 62c96cdc52 Fixed denial of service 
Resolves: CVE-2017-16944
 2017-12-01 14:21:49 +01:00
Jaroslav Škarvada 8bdd6e1817 Fixed use-after-free 
Resolves: CVE-2017-16943
 2017-11-27 15:34:56 +01:00
Jaroslav Škarvada ea73ae82d0 Fixed compilation with the mariadb-10.2 
Resolves: rhbz#1467312
Fixed multiple memory leaks
  Resolves: CVE-2017-1000369
Fixed typo causing exim-clamav to create /0750 directory
  Resolves: rhbz#1412028
On callout avoid SIZE option when doing recipient verification with
  caching enabled
  Resolves: rhbz#1482217
Fixed some minor whitespace problems in the spec
 2017-08-18 17:17:28 +02:00
Jaroslav Škarvada 64e26a2068 Added new sources 
Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
 2017-03-10 13:33:50 +01:00
Jaroslav Škarvada 69bc0d0ccf New version 
Resolves: rhbz#1428141
Switched to xz archive
Dropped DKIM-fix patch (already upstream)
 2017-03-10 13:29:26 +01:00
Jaroslav Škarvada 1332a1979d Merge remote-tracking branch 'origin/master' into epel7 
Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
 2017-01-23 16:44:57 +01:00
Jaroslav Škarvada 91489a1640 Fixed changelog and sources 
Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
 2017-01-02 14:16:54 +01:00
Jaroslav Škarvada c81d281a9d Merge remote-tracking branch 'origin/master' into epel7 
Resolves: CVE-2016-9963

Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
 2017-01-02 13:00:58 +01:00
Jaroslav Škarvada df4a02e56c Used sane environment defaults in default configuration 
Resolves: rhbz#1323775
 2016-04-18 16:32:47 +02:00
Jaroslav Škarvada ab9aafa16a Added sources: 
Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
 2016-03-03 15:11:32 +01:00
Jaroslav Škarvada 56f8aaa827 New version (security bug fix release) 
Resolves: rhbz#1314118
- Fixed local privilege escalation for set-uid root when using perl_startup
  Resolves: CVE-2016-1531
- Defuzzified patches
 2016-03-03 15:03:36 +01:00
Jaroslav Škarvada f8f76cd111 MIME crash fix (by mime-fix patch) 
Resolves: rhbz#1289056
 2015-12-07 14:24:24 +01:00
23 changed files with 1165 additions and 1609 deletions
Show Stats Expand all files Collapse all files

3
.gitignore vendored
View File

@ -1 +1,2 @@
exim-*.tar.bz2
/exim-*.tar.xz
/sa-exim-*.tar.gz

25
exim-4.87-dynlookup-config.patch
View File

@ -1,25 +0,0 @@
diff --git a/src/EDITME b/src/EDITME
index df3dcc8..de01565 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -306,14 +306,16 @@ LOOKUP_DSEARCH=yes
# LOOKUP_IBASE=yes
LOOKUP_LDAP=yes
LDAP_LIB_TYPE=OPENLDAP2
-LOOKUP_INCLUDE=-I/usr/include/mysql
-LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq
-LOOKUP_MYSQL=yes
+LOOKUP_LIBS=-lldap -llber -lsqlite3
+LOOKUP_MYSQL_INCLUDE=-I/usr/include/mysql
+LOOKUP_MYSQL_LIBS=-L/usr/${_lib}/mysql -lmysqlclient
+LOOKUP_PGSQL_LIBS=-lpq
+LOOKUP_MYSQL=2
LOOKUP_NIS=yes
LOOKUP_NISPLUS=yes
# LOOKUP_ORACLE=yes
LOOKUP_PASSWD=yes
-LOOKUP_PGSQL=yes
+LOOKUP_PGSQL=2
# LOOKUP_REDIS=yes
LOOKUP_SQLITE=yes
# LOOKUP_WHOSON=yes

14
exim-4.87-environment.patch
View File

@ -1,14 +0,0 @@
diff --git a/src/configure.default b/src/configure.default
--- a/src/configure.default
+++ b/src/configure.default
@@ -357,8 +357,8 @@ timeout_frozen_after = 7d
# Note that TZ is handled separateley by the timezone runtime option
# and TIMEZONE_DEFAULT buildtime option.
-# keep_environment = ^LDAP
-# add_environment = PATH=/usr/bin::/bin
+keep_environment = ^LDAP
+add_environment = PATH=/usr/bin::/bin

13
exim-4.87-localhost-is-local.patch
View File

@ -1,13 +0,0 @@
diff --git a/src/configure.default b/src/configure.default
index d1ce2f1..1f10008 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -55,7 +55,7 @@
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:
-domainlist local_domains = @
+domainlist local_domains = @ : localhost : localhost.localdomain
domainlist relay_to_domains =
hostlist relay_from_hosts = localhost
# (We rely upon hostname resolution working for localhost, because the default

103
exim-4.87-spamdconf.patch
View File

@ -1,103 +0,0 @@
--- a/src/configure.default.spamd 2016-12-25 21:06:57.453758443 +0000
+++ b/src/configure.default 2016-12-25 21:07:49.940188407 +0000
@@ -109,6 +109,7 @@ hostlist relay_from_hosts = localhost
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
+acl_smtp_mime = acl_check_mime
# You should not change those settings until you understand how ACLs work.
@@ -121,7 +122,7 @@ acl_smtp_data = acl_check_data
# of what to set for other virus scanners. The second modification is in the
# acl_check_data access control list (see below).
-# av_scanner = clamd:/tmp/clamd
+av_scanner = clamd:/var/run/clamd.exim/clamd.sock
# For spam scanning, there is a similar option that defines the interface to
@@ -431,7 +432,8 @@ acl_check_rcpt:
accept local_parts = postmaster
domains = +local_domains
- # Deny unless the sender address can be verified.
+ # Deny unless the sender address can be routed. For proper verification of the
+ # address, read the documentation on callouts and add the /callout modifier.
require verify = sender
@@ -535,27 +537,63 @@ acl_check_data:
got $max_received_linelength
condition = ${if > {$max_received_linelength}{998}}
+ # Put simple tests first. A good one is to check for the presence of a
+ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
+ # or misconfigured mailer software occasionally omits this from genuine
+ # messages too, though -- although it's not hard for the offender to fix
+ # after they receive a bounce because of it.
+ #
+ # deny condition = ${if !def:h_Message-ID: {1}}
+ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
+ # Most messages without it are spam, so your mail has been rejected.
+
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
#
# deny malware = *
# message = This message contains a virus ($malware_name).
- # Add headers to a message if it is judged to be spam. Before enabling this,
- # you must install SpamAssassin. You may also need to set the spamd_address
- # option above.
- #
- # warn spam = nobody
- # add_header = X-Spam_score: $spam_score\n\
- # X-Spam_score_int: $spam_score_int\n\
- # X-Spam_bar: $spam_bar\n\
- # X-Spam_report: $spam_report
+ # Bypass SpamAssassin checks if the message is too large.
+ #
+ # accept condition = ${if >={$message_size}{100000} {1}}
+ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
+
+ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
+ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
+ # score exceeds the SA system threshold.
+ #
+ # warn spam = nobody/defer_ok
+ # add_header = X-Spam-Flag: YES
+ #
+ # accept condition = ${if !def:spam_score_int {1}}
+ # add_header = X-Spam-Note: SpamAssassin invocation failed
+ #
+
+ # Unconditionally add score and report headers
+ #
+ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
+ # X-Spam-Report: $spam_report
- # Accept the message.
+ # And reject if the SpamAssassin score is greater than ten
+ #
+ # deny condition = ${if >{$spam_score_int}{100} {1}}
+ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
+ # $spam_report
accept
+acl_check_mime:
+
+ # File extension filtering.
+ deny message = Blacklisted file extension detected
+ condition = ${if match \
+ {${lc:$mime_filename}} \
+ {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
+ {1}{0}}
+
+ accept
+
######################################################################
# ROUTERS CONFIGURATION #

630
exim-4.88-DKIM-fix.patch
View File

@ -1,630 +0,0 @@
diff --git a/src/auths/get_data.c b/src/auths/get_data.c
index f839a01..11bc581 100644
--- a/src/auths/get_data.c
+++ b/src/auths/get_data.c
@@ -31,7 +31,7 @@ auth_get_data(uschar **aptr, uschar *challenge, int challen)
int c;
int p = 0;
smtp_printf("334 %s\r\n", b64encode(challenge, challen));
-while ((c = receive_getc()) != '\n' && c != EOF)
+while ((c = receive_getc(GETC_BUFFER_UNLIMITED)) != '\n' && c != EOF)
{
if (p >= big_buffer_size - 1) return BAD64;
big_buffer[p++] = c;
diff --git a/src/auths/get_no64_data.c b/src/auths/get_no64_data.c
index d3ffe08..71e7139 100644
--- a/src/auths/get_no64_data.c
+++ b/src/auths/get_no64_data.c
@@ -32,7 +32,7 @@ auth_get_no64_data(uschar **aptr, uschar *challenge)
int c;
int p = 0;
smtp_printf("334 %s\r\n", challenge);
-while ((c = receive_getc()) != '\n' && c != EOF)
+while ((c = receive_getc(GETC_BUFFER_UNLIMITED)) != '\n' && c != EOF)
{
if (p >= big_buffer_size - 1) return BAD64;
big_buffer[p++] = c;
diff --git a/src/dkim.c b/src/dkim.c
index 70c9547..445d246 100644
--- a/src/dkim.c
+++ b/src/dkim.c
@@ -18,6 +18,7 @@ int dkim_verify_oldpool;
pdkim_ctx *dkim_verify_ctx = NULL;
pdkim_signature *dkim_signatures = NULL;
pdkim_signature *dkim_cur_sig = NULL;
+static BOOL dkim_collect_error = FALSE;
static int
dkim_exim_query_dns_txt(char *name, char *answer)
@@ -87,6 +88,7 @@ if (dkim_verify_ctx)
dkim_verify_ctx = pdkim_init_verify(&dkim_exim_query_dns_txt, dot_stuffing);
dkim_collect_input = !!dkim_verify_ctx;
+dkim_collect_error = FALSE;
/* Start feed up with any cached data */
receive_get_cache();
@@ -106,6 +108,7 @@ if ( dkim_collect_input
{
log_write(0, LOG_MAIN,
"DKIM: validation error: %.100s", pdkim_errstr(rc));
+ dkim_collect_error = TRUE;
dkim_collect_input = FALSE;
}
store_pool = dkim_verify_oldpool;
@@ -127,11 +130,7 @@ store_pool = POOL_PERM;
dkim_signatures = NULL;
-/* If we have arrived here with dkim_collect_input == FALSE, it
-means there was a processing error somewhere along the way.
-Log the incident and disable futher verification. */
-
-if (!dkim_collect_input)
+if (dkim_collect_error)
{
log_write(0, LOG_MAIN,
"DKIM: Error while running this message through validation,"
diff --git a/src/functions.h b/src/functions.h
index 04d9410..9c60090 100644
--- a/src/functions.h
+++ b/src/functions.h
@@ -55,7 +55,7 @@ extern int tls_export_cert(uschar *, size_t, void *);
extern int tls_feof(void);
extern int tls_ferror(void);
extern void tls_free_cert(void **);
-extern int tls_getc(void);
+extern int tls_getc(unsigned);
extern void tls_get_cache(void);
extern int tls_import_cert(const uschar *, void **);
extern int tls_read(BOOL, uschar *, size_t);
@@ -101,7 +101,7 @@ extern int auth_xtextdecode(uschar *, uschar **);
extern uschar *b64encode(uschar *, int);
extern int b64decode(uschar *, uschar **);
-extern int bdat_getc(void);
+extern int bdat_getc(unsigned);
extern void bits_clear(unsigned int *, size_t, int *);
extern void bits_set(unsigned int *, size_t, int *);
@@ -395,7 +395,7 @@ extern uschar *smtp_get_connection_info(void);
extern BOOL smtp_get_interface(uschar *, int, address_item *,
uschar **, uschar *);
extern BOOL smtp_get_port(uschar *, address_item *, int *, uschar *);
-extern int smtp_getc(void);
+extern int smtp_getc(unsigned);
extern void smtp_get_cache(void);
extern int smtp_handle_acl_fail(int, int, uschar *, uschar *);
extern void smtp_log_no_mail(void);
@@ -421,7 +421,7 @@ extern int spool_open_datafile(uschar *);
extern int spool_open_temp(uschar *);
extern int spool_read_header(uschar *, BOOL, BOOL);
extern int spool_write_header(uschar *, int, uschar **);
-extern int stdin_getc(void);
+extern int stdin_getc(unsigned);
extern int stdin_feof(void);
extern int stdin_ferror(void);
extern int stdin_ungetc(int);
diff --git a/src/globals.c b/src/globals.c
index c722059..649335f 100644
--- a/src/globals.c
+++ b/src/globals.c
@@ -187,9 +187,9 @@ incoming TCP/IP. The defaults use stdin. We never need these for any
stand-alone tests. */
#ifndef STAND_ALONE
-int (*lwr_receive_getc)(void) = stdin_getc;
+int (*lwr_receive_getc)(unsigned) = stdin_getc;
int (*lwr_receive_ungetc)(int) = stdin_ungetc;
-int (*receive_getc)(void) = stdin_getc;
+int (*receive_getc)(unsigned) = stdin_getc;
void (*receive_get_cache)(void)= NULL;
int (*receive_ungetc)(int) = stdin_ungetc;
int (*receive_feof)(void) = stdin_feof;
diff --git a/src/globals.h b/src/globals.h
index e3dd507..344f8ef 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -141,9 +141,9 @@ extern uschar *dsn_advertise_hosts; /* host for which TLS is advertised */
/* Input-reading functions for messages, so we can use special ones for
incoming TCP/IP. */
-extern int (*lwr_receive_getc)(void);
+extern int (*lwr_receive_getc)(unsigned);
extern int (*lwr_receive_ungetc)(int);
-extern int (*receive_getc)(void);
+extern int (*receive_getc)(unsigned);
extern void (*receive_get_cache)(void);
extern int (*receive_ungetc)(int);
extern int (*receive_feof)(void);
diff --git a/src/macros.h b/src/macros.h
index 1b7cf4a..c8957d8 100644
--- a/src/macros.h
+++ b/src/macros.h
@@ -968,5 +968,9 @@ enum { FILTER_UNSET, FILTER_FORWARD, FILTER_EXIM, FILTER_SIEVE };
#define PEER_OFFERED_SIZE BIT(6)
#define PEER_OFFERED_CHUNKING BIT(7)
+/* Argument for *_getc */
+
+#define GETC_BUFFER_UNLIMITED UINT_MAX
+
/* End of macros.h */
diff --git a/src/pdkim/pdkim.c b/src/pdkim/pdkim.c
index 7bfcdf4..bcc3f09 100644
--- a/src/pdkim/pdkim.c
+++ b/src/pdkim/pdkim.c
@@ -962,6 +962,11 @@ if (ctx->flags & PDKIM_MODE_SIGN)
/* DKIM-Signature: headers are added to the verification list */
else
{
+ DEBUG(D_acl)
+ {
+ debug_printf("PDKIM >> raw hdr: ");
+ pdkim_quoteprint(CUS ctx->cur_header, Ustrlen(ctx->cur_header));
+ }
if (strncasecmp(CCS ctx->cur_header,
DKIM_SIGNATURE_HEADERNAME,
Ustrlen(DKIM_SIGNATURE_HEADERNAME)) == 0)
diff --git a/src/receive.c b/src/receive.c
index e535876..9155cf1 100644
--- a/src/receive.c
+++ b/src/receive.c
@@ -37,7 +37,7 @@ the file. (When SMTP input is occurring, different functions are used by
changing the pointer variables.) */
int
-stdin_getc(void)
+stdin_getc(unsigned lim)
{
return getc(stdin);
}
@@ -626,7 +626,7 @@ if (!dot_ends)
{
register int last_ch = '\n';
- for (; (ch = (receive_getc)()) != EOF; last_ch = ch)
+ for (; (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF; last_ch = ch)
{
if (ch == 0) body_zerocount++;
if (last_ch == '\r' && ch != '\n')
@@ -668,7 +668,7 @@ if (!dot_ends)
ch_state = 1;
-while ((ch = (receive_getc)()) != EOF)
+while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
{
if (ch == 0) body_zerocount++;
switch (ch_state)
@@ -786,7 +786,7 @@ int ch_state = 0;
int ch;
int linelength = 0;
-while ((ch = (receive_getc)()) != EOF)
+while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
{
if (ch == 0) body_zerocount++;
switch (ch_state)
@@ -913,7 +913,7 @@ read_message_bdat_smtp(FILE *fout)
int ch;
int linelength = 0;
-for (;;) switch (ch = bdat_getc())
+for (;;) switch (ch = bdat_getc(GETC_BUFFER_UNLIMITED))
{
case EOF: return END_EOF;
case EOD: return END_DOT;
@@ -1682,7 +1682,7 @@ next->text. */
for (;;)
{
- int ch = (receive_getc)();
+ int ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
/* If we hit EOF on a SMTP connection, it's an error, since incoming
SMTP must have a correct "." terminator. */
@@ -1761,10 +1761,10 @@ for (;;)
if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
{
- ch = (receive_getc)();
+ ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
if (ch == '\r')
{
- ch = (receive_getc)();
+ ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
if (ch != '\n')
{
receive_ungetc(ch);
@@ -1795,7 +1795,7 @@ for (;;)
if (ch == '\r')
{
- ch = (receive_getc)();
+ ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
if (ch == '\n')
{
if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE;
@@ -1890,7 +1890,7 @@ for (;;)
if (ch != EOF)
{
- int nextch = (receive_getc)();
+ int nextch = (receive_getc)(GETC_BUFFER_UNLIMITED);
if (nextch == ' ' || nextch == '\t')
{
next->text[ptr++] = nextch;
@@ -4024,7 +4024,7 @@ if (smtp_input && sender_host_address != NULL && !sender_host_notsocket &&
if (select(fileno(smtp_in) + 1, &select_check, NULL, NULL, &tv) != 0)
{
- int c = (receive_getc)();
+ int c = (receive_getc)(GETC_BUFFER_UNLIMITED);
if (c != EOF) (receive_ungetc)(c); else
{
smtp_notquit_exit(US"connection-lost", NULL, NULL);
diff --git a/src/smtp_in.c b/src/smtp_in.c
index 1484861..82900d9 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -44,11 +44,11 @@ The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and
we need room to handle large base64-encoded AUTHs for GSSAPI.
*/
-#define smtp_cmd_buffer_size 16384
+#define SMTP_CMD_BUFFER_SIZE 16384
/* Size of buffer for reading SMTP incoming packets */
-#define in_buffer_size 8192
+#define IN_BUFFER_SIZE 8192
/* Structure for SMTP command list */
@@ -301,7 +301,7 @@ static int smtp_had_error;
/* forward declarations */
int bdat_ungetc(int ch);
-static int smtp_read_command(BOOL check_sync);
+static int smtp_read_command(BOOL check_sync, unsigned buffer_lim);
static int synprot_error(int type, int code, uschar *data, uschar *errmess);
static void smtp_quit_handler(uschar **, uschar **);
static void smtp_rset_handler(void);
@@ -315,12 +315,12 @@ it flushes the output, and refills the buffer, with a timeout. The signal
handler is set appropriately by the calling function. This function is not used
after a connection has negotated itself into an TLS/SSL state.
-Arguments: none
+Arguments: lim Maximum amount to read/buffer
Returns: the next character or EOF
*/
int
-smtp_getc(void)
+smtp_getc(unsigned lim)
{
if (smtp_inptr >= smtp_inend)
{
@@ -328,7 +328,10 @@ if (smtp_inptr >= smtp_inend)
if (!smtp_out) return EOF;
fflush(smtp_out);
if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
- rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
+
+ /* Limit amount read, so non-message data is not fed to DKIM */
+
+ rc = read(fileno(smtp_in), smtp_inbuffer, MIN(IN_BUFFER_SIZE, lim));
save_errno = errno;
alarm(0);
if (rc <= 0)
@@ -376,23 +379,26 @@ to handle the BDAT command/response.
Placed here due to the correlation with the above smtp_getc(), which it wraps,
and also by the need to do smtp command/response handling.
-Arguments: none
+Arguments: lim (ignored)
Returns: the next character or ERR, EOD or EOF
*/
int
-bdat_getc(void)
+bdat_getc(unsigned lim)
{
uschar * user_msg = NULL;
uschar * log_msg;
for(;;)
{
- if (chunking_data_left-- > 0)
- return lwr_receive_getc();
+ if (chunking_data_left > 0)
+ return lwr_receive_getc(chunking_data_left--);
receive_getc = lwr_receive_getc;
receive_ungetc = lwr_receive_ungetc;
+#ifndef DISABLE_DKIM
+ dkim_collect_input = FALSE;
+#endif
/* If not the last, ack the received chunk. The last response is delayed
until after the data ACL decides on it */
@@ -405,21 +411,22 @@ for(;;)
return EOD;
}
- chunking_state = CHUNKING_OFFERED;
smtp_printf("250 %u byte chunk received\r\n", chunking_datasize);
+ chunking_state = CHUNKING_OFFERED;
+ DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
/* Expect another BDAT cmd from input. RFC 3030 says nothing about
QUIT, RSET or NOOP but handling them seems obvious */
next_cmd:
- switch(smtp_read_command(TRUE))
+ switch(smtp_read_command(TRUE, 1))
{
default:
(void) synprot_error(L_smtp_protocol_error, 503, NULL,
US"only BDAT permissible after non-LAST BDAT");
repeat_until_rset:
- switch(smtp_read_command(TRUE))
+ switch(smtp_read_command(TRUE, 1))
{
case QUIT_CMD: smtp_quit_handler(&user_msg, &log_msg); /*FALLTHROUGH */
case EOF_CMD: return EOF;
@@ -458,6 +465,8 @@ next_cmd:
chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
? CHUNKING_LAST : CHUNKING_ACTIVE;
chunking_data_left = chunking_datasize;
+ DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
+ (int)chunking_state, chunking_data_left);
if (chunking_datasize == 0)
if (chunking_state == CHUNKING_LAST)
@@ -471,6 +480,9 @@ next_cmd:
receive_getc = bdat_getc;
receive_ungetc = bdat_ungetc;
+#ifndef DISABLE_DKIM
+ dkim_collect_input = TRUE;
+#endif
break; /* to top of main loop */
}
}
@@ -480,15 +492,18 @@ next_cmd:
static void
bdat_flush_data(void)
{
-while (chunking_data_left-- > 0)
- if (lwr_receive_getc() < 0)
+while (chunking_data_left > 0)
+ if (lwr_receive_getc(chunking_data_left--) < 0)
break;
receive_getc = lwr_receive_getc;
receive_ungetc = lwr_receive_ungetc;
if (chunking_state != CHUNKING_LAST)
+ {
chunking_state = CHUNKING_OFFERED;
+ DEBUG(D_receive) debug_printf("chunking state %d\n", (int)chunking_state);
+ }
}
@@ -1126,13 +1141,14 @@ signal handler that closes down the session on a timeout. Control does not
return when it runs.
Arguments:
- check_sync if TRUE, check synchronization rules if global option is TRUE
+ check_sync if TRUE, check synchronization rules if global option is TRUE
+ buffer_lim maximum to buffer in lower layer
Returns: a code identifying the command (enumerated above)
*/
static int
-smtp_read_command(BOOL check_sync)
+smtp_read_command(BOOL check_sync, unsigned buffer_lim)
{
int c;
int ptr = 0;
@@ -1141,9 +1157,9 @@ BOOL hadnull = FALSE;
os_non_restarting_signal(SIGALRM, command_timeout_handler);
-while ((c = (receive_getc)()) != '\n' && c != EOF)
+while ((c = (receive_getc)(buffer_lim)) != '\n' && c != EOF)
{
- if (ptr >= smtp_cmd_buffer_size)
+ if (ptr >= SMTP_CMD_BUFFER_SIZE)
{
os_non_restarting_signal(SIGALRM, sigalrm_handler);
return OTHER_CMD;
@@ -1301,7 +1317,7 @@ tzero.tv_usec = 0;
rc = select(fd + 1, (SELECT_ARG2_TYPE *)&fds, NULL, NULL, &tzero);
if (rc <= 0) return TRUE; /* Not ready to read */
-rc = smtp_getc();
+rc = smtp_getc(GETC_BUFFER_UNLIMITED);
if (rc < 0) return TRUE; /* End of file or error */
smtp_ungetc(rc);
@@ -1337,7 +1353,7 @@ if (smtp_in == NULL || smtp_batched_input) return;
receive_swallow_smtp();
smtp_printf("421 %s\r\n", message);
-for (;;) switch(smtp_read_command(FALSE))
+for (;;) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
{
case EOF_CMD:
return;
@@ -1781,7 +1797,7 @@ while (done <= 0)
uschar *recipient = NULL;
int start, end, sender_domain, recipient_domain;
- switch(smtp_read_command(FALSE))
+ switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
{
/* The HELO/EHLO commands set sender_address_helo if they have
valid data; otherwise they are ignored, except that they do
@@ -2040,12 +2056,12 @@ acl_var_c = NULL;
/* Allow for trailing 0 in the command and data buffers. */
-if (!(smtp_cmd_buffer = US malloc(2*smtp_cmd_buffer_size + 2)))
+if (!(smtp_cmd_buffer = US malloc(2*SMTP_CMD_BUFFER_SIZE + 2)))
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
"malloc() failed for SMTP command buffer");
smtp_cmd_buffer[0] = 0;
-smtp_data_buffer = smtp_cmd_buffer + smtp_cmd_buffer_size + 1;
+smtp_data_buffer = smtp_cmd_buffer + SMTP_CMD_BUFFER_SIZE + 1;
/* For batched input, the protocol setting can be overridden from the
command line by a trusted caller. */
@@ -2065,7 +2081,7 @@ else
/* Set up the buffer for inputting using direct read() calls, and arrange to
call the local functions instead of the standard C ones. */
-if (!(smtp_inbuffer = (uschar *)malloc(in_buffer_size)))
+if (!(smtp_inbuffer = (uschar *)malloc(IN_BUFFER_SIZE)))
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "malloc() failed for SMTP input buffer");
receive_getc = smtp_getc;
@@ -3550,7 +3566,7 @@ while (done <= 0)
US &off, sizeof(off));
#endif
- switch(smtp_read_command(TRUE))
+ switch(smtp_read_command(TRUE, GETC_BUFFER_UNLIMITED))
{
/* The AUTH command is not permitted to occur inside a transaction, and may
occur successfully only once per connection. Actually, that isn't quite
@@ -4750,14 +4766,14 @@ while (done <= 0)
chunking_state = strcmpic(smtp_cmd_data+n, US"LAST") == 0
? CHUNKING_LAST : CHUNKING_ACTIVE;
chunking_data_left = chunking_datasize;
+ DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
+ (int)chunking_state, chunking_data_left);
lwr_receive_getc = receive_getc;
lwr_receive_ungetc = receive_ungetc;
receive_getc = bdat_getc;
receive_ungetc = bdat_ungetc;
- DEBUG(D_any)
- debug_printf("chunking state %d\n", (int)chunking_state);
goto DATA_BDAT;
}
@@ -4973,7 +4989,7 @@ while (done <= 0)
It seems safest to just wipe away the content rather than leave it as a
target to jump to. */
- memset(smtp_inbuffer, 0, in_buffer_size);
+ memset(smtp_inbuffer, 0, IN_BUFFER_SIZE);
/* Attempt to start up a TLS session, and if successful, discard all
knowledge that was obtained previously. At least, that's what the RFC says,
@@ -5027,7 +5043,7 @@ while (done <= 0)
set, but we must still reject all incoming commands. */
DEBUG(D_tls) debug_printf("TLS failed to start\n");
- while (done <= 0) switch(smtp_read_command(FALSE))
+ while (done <= 0) switch(smtp_read_command(FALSE, GETC_BUFFER_UNLIMITED))
{
case EOF_CMD:
log_write(L_smtp_connection, LOG_MAIN, "%s closed by EOF",
@@ -5315,8 +5331,8 @@ while (done <= 0)
case BADSYN_CMD:
SYNC_FAILURE:
- if (smtp_inend >= smtp_inbuffer + in_buffer_size)
- smtp_inend = smtp_inbuffer + in_buffer_size - 1;
+ if (smtp_inend >= smtp_inbuffer + IN_BUFFER_SIZE)
+ smtp_inend = smtp_inbuffer + IN_BUFFER_SIZE - 1;
c = smtp_inend - smtp_inptr;
if (c > 150) c = 150;
smtp_inptr[c] = 0;
diff --git a/src/tls-gnu.c b/src/tls-gnu.c
index 10bfaca..181dde4 100644
--- a/src/tls-gnu.c
+++ b/src/tls-gnu.c
@@ -2158,12 +2158,12 @@ Only used by the server-side TLS.
This feeds DKIM and should be used for all message-body reads.
-Arguments: none
+Arguments: lim Maximum amount to read/bufffer
Returns: the next character or EOF
*/
int
-tls_getc(void)
+tls_getc(unsigned lim)
{
exim_gnutls_state_st *state = &state_server;
if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
@@ -2175,7 +2175,7 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
- ssl_xfer_buffer_size);
+ MIN(ssl_xfer_buffer_size, lim));
alarm(0);
/* Timeouts do not get this far; see command_timeout_handler().
@@ -2213,7 +2213,7 @@ if (state->xfer_buffer_lwm >= state->xfer_buffer_hwm)
state->tlsp->peercert = NULL;
state->tlsp->peerdn = NULL;
- return smtp_getc();
+ return smtp_getc(lim);
}
/* Handle genuine errors */
diff --git a/src/tls-openssl.c b/src/tls-openssl.c
index d9426ac..0ac7d03 100644
--- a/src/tls-openssl.c
+++ b/src/tls-openssl.c
@@ -2360,14 +2360,14 @@ return OK;
/* This gets the next byte from the TLS input buffer. If the buffer is empty,
it refills the buffer via the SSL reading function.
-Arguments: none
+Arguments: lim Maximum amount to read/buffer
Returns: the next character or EOF
Only used by the server-side TLS.
*/
int
-tls_getc(void)
+tls_getc(unsigned lim)
{
if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
{
@@ -2378,7 +2378,8 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
ssl_xfer_buffer, ssl_xfer_buffer_size);
if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
- inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer, ssl_xfer_buffer_size);
+ inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
+ MIN(ssl_xfer_buffer_size, lim));
error = SSL_get_error(server_ssl, inbytes);
alarm(0);
@@ -2405,7 +2406,7 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
tls_in.peerdn = NULL;
tls_in.sni = NULL;
- return smtp_getc();
+ return smtp_getc(lim);
}
/* Handle genuine errors */

13
exim-4.88-allow-filter.patch
View File

@ -1,13 +0,0 @@
diff --git a/src/configure.default b/src/configure.default
index 1e3c63f..0e7854c 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -724,7 +724,7 @@ userforward:
# local_part_suffix = +* : -*
# local_part_suffix_optional
file = $home/.forward
-# allow_filter
+ allow_filter
no_verify
no_expn
check_ancestor

298
exim-4.88-config.patch
View File

@ -1,298 +0,0 @@
diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile
index 3e486a6..6c4afec 100755
--- a/scripts/Configure-Makefile
+++ b/scripts/Configure-Makefile
@@ -269,7 +269,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
mv $mft $mftt
echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
- echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft
+ echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft
echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft
echo "" >>$mft
cat $mftt >> $mft
diff --git a/src/src/EDITME b/src/src/EDITME
index 6929346..5a08197 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -98,7 +98,7 @@
# /usr/local/sbin. The installation script will try to create this directory,
# and any superior directories, if they do not exist.
-BIN_DIRECTORY=/usr/exim/bin
+BIN_DIRECTORY=/usr/sbin
#------------------------------------------------------------------------------
@@ -114,7 +114,7 @@ BIN_DIRECTORY=/usr/exim/bin
# don't exist. It will also install a default runtime configuration if this
# file does not exist.
-CONFIGURE_FILE=/usr/exim/configure
+CONFIGURE_FILE=/etc/exim/exim.conf
# It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
# In this case, Exim will use the first of them that exists when it is run.
@@ -131,7 +131,7 @@ CONFIGURE_FILE=/usr/exim/configure
# deliveries. (Local deliveries run as various non-root users, typically as the
# owner of a local mailbox.) Specifying these values as root is not supported.
-EXIM_USER=
+EXIM_USER=93
# If you specify EXIM_USER as a name, this is looked up at build time, and the
# uid number is built into the binary. However, you can specify that this
@@ -152,7 +152,7 @@ EXIM_USER=
# for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
# you want to use a group other than the default group for the given user.
-# EXIM_GROUP=
+EXIM_GROUP=93
# Many sites define a user called "exim", with an appropriate default group,
# and use
@@ -232,7 +232,7 @@ TRANSPORT_SMTP=yes
# This one is special-purpose, and commonly not required, so it is not
# included by default.
-# TRANSPORT_LMTP=yes
+TRANSPORT_LMTP=yes
#------------------------------------------------------------------------------
@@ -241,9 +241,9 @@ TRANSPORT_SMTP=yes
# MBX, is included only when requested. If you do not know what this is about,
# leave these settings commented out.
-# SUPPORT_MAILDIR=yes
-# SUPPORT_MAILSTORE=yes
-# SUPPORT_MBX=yes
+SUPPORT_MAILDIR=yes
+SUPPORT_MAILSTORE=yes
+SUPPORT_MBX=yes
#------------------------------------------------------------------------------
@@ -301,19 +301,21 @@ LOOKUP_DBM=yes
LOOKUP_LSEARCH=yes
LOOKUP_DNSDB=yes
-# LOOKUP_CDB=yes
-# LOOKUP_DSEARCH=yes
+LOOKUP_CDB=yes
+LOOKUP_DSEARCH=yes
# LOOKUP_IBASE=yes
-# LOOKUP_LDAP=yes
-# LOOKUP_MYSQL=yes
-# LOOKUP_NIS=yes
-# LOOKUP_NISPLUS=yes
+LOOKUP_LDAP=yes
+LDAP_LIB_TYPE=OPENLDAP2
+LOOKUP_INCLUDE=-I/usr/include/mysql
+LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient -lpq
+LOOKUP_MYSQL=yes
+LOOKUP_NIS=yes
+LOOKUP_NISPLUS=yes
# LOOKUP_ORACLE=yes
-# LOOKUP_PASSWD=yes
-# LOOKUP_PGSQL=yes
+LOOKUP_PASSWD=yes
+LOOKUP_PGSQL=yes
# LOOKUP_REDIS=yes
-# LOOKUP_SQLITE=yes
-# LOOKUP_SQLITE_PC=sqlite3
+LOOKUP_SQLITE=yes
# LOOKUP_WHOSON=yes
# These two settings are obsolete; all three lookups are compiled when
@@ -390,7 +392,7 @@ EXIM_MONITOR=eximon.bin
# and the MIME ACL. Please read the documentation to learn more about these
# features.
-# WITH_CONTENT_SCAN=yes
+WITH_CONTENT_SCAN=yes
#------------------------------------------------------------------------------
# If you're using ClamAV and are backporting fixes to an old version, instead
@@ -577,7 +579,7 @@ FIXED_NEVER_USERS=root
# CONFIGURE_OWNER setting, to specify a configuration file which is listed in
# the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
-# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs
+TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs
#------------------------------------------------------------------------------
@@ -622,16 +624,14 @@ FIXED_NEVER_USERS=root
# included in the Exim binary. You will then need to set up the run time
# configuration to make use of the mechanism(s) selected.
-# AUTH_CRAM_MD5=yes
-# AUTH_CYRUS_SASL=yes
-# AUTH_DOVECOT=yes
-# AUTH_GSASL=yes
-# AUTH_GSASL_PC=libgsasl
-# AUTH_HEIMDAL_GSSAPI=yes
-# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
-# AUTH_PLAINTEXT=yes
-# AUTH_SPA=yes
-# AUTH_TLS=yes
+AUTH_CRAM_MD5=yes
+AUTH_CYRUS_SASL=yes
+AUTH_DOVECOT=yes
+AUTH_GSASL=yes
+AUTH_GSASL_PC=libgsasl
+AUTH_PLAINTEXT=yes
+AUTH_SPA=yes
+AUTH_TLS=yes
#------------------------------------------------------------------------------
@@ -652,7 +652,7 @@ FIXED_NEVER_USERS=root
# one that is set in the headers_charset option. The default setting is
# defined by this setting:
-HEADERS_CHARSET="ISO-8859-1"
+HEADERS_CHARSET="UTF-8"
# If you are going to make use of $header_xxx expansions in your configuration
# file, or if your users are going to use them in filter files, and the normal
@@ -672,7 +672,7 @@ HEADERS_CHARSET="ISO-8859-1"
# the Sieve filter support. For those OS where iconv() is known to be installed
# as standard, the file in OS/Makefile-xxxx contains
#
-# HAVE_ICONV=yes
+HAVE_ICONV=yes
#
# If you are not using one of those systems, but have installed iconv(), you
# need to uncomment that line above. In some cases, you may find that iconv()
@@ -734,11 +734,11 @@ HEADERS_CHARSET="ISO-8859-1"
# leave these settings commented out.
# This setting is required for any TLS support (either OpenSSL or GnuTLS)
-# SUPPORT_TLS=yes
+SUPPORT_TLS=yes
# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
-# USE_OPENSSL_PC=openssl
-# TLS_LIBS=-lssl -lcrypto
+TLS_INCLUDE=-I/usr/kerberos/include
+TLS_LIBS=-lssl -lcrypto
# Uncomment the first and either the second or the third of these if you
# are using GnuTLS. If you have pkg-config, then the second, else the third.
@@ -807,7 +807,7 @@ HEADERS_CHARSET="ISO-8859-1"
# Once you have done this, "make install" will build the info files and
# install them in the directory you have defined.
-# INFO_DIRECTORY=/usr/share/info
+INFO_DIRECTORY=/usr/share/info
#------------------------------------------------------------------------------
@@ -820,7 +820,7 @@ HEADERS_CHARSET="ISO-8859-1"
# %s. This will be replaced by one of the strings "main", "panic", or "reject"
# to form the final file names. Some installations may want something like this:
-# LOG_FILE_PATH=/var/log/exim_%slog
+LOG_FILE_PATH=/var/log/exim/%s.log
# which results in files with names /var/log/exim_mainlog, etc. The directory
# in which the log files are placed must exist; Exim does not try to create
@@ -892,7 +892,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
# Perl costs quite a lot of resources. Only do this if you really need it.
-# EXIM_PERL=perl.o
+EXIM_PERL=perl.o
#------------------------------------------------------------------------------
@@ -902,7 +902,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# that the local_scan API is made available by the linker. You may also need
# to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
-# EXPAND_DLFUNC=yes
+EXPAND_DLFUNC=yes
#------------------------------------------------------------------------------
@@ -912,7 +912,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# support, which is intended for use in conjunction with the SMTP AUTH
# facilities, is included only when requested by the following setting:
-# SUPPORT_PAM=yes
+SUPPORT_PAM=yes
# You probably need to add -lpam to EXTRALIBS, and in some releases of
# GNU/Linux -ldl is also needed.
@@ -1006,7 +1006,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# group. Once you have installed saslauthd, you should arrange for it to be
# started by root at boot time.
-# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
+CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
#------------------------------------------------------------------------------
@@ -1019,9 +1019,9 @@ ZCAT_COMMAND=/usr/bin/zcat
# You may well also have to specify a local "include" file and an additional
# library for TCP wrappers, so you probably need something like this:
#
-# USE_TCP_WRAPPERS=yes
-# CFLAGS=-O -I/usr/local/include
-# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
+USE_TCP_WRAPPERS=yes
+CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)
+EXTRALIBS_EXIM=-lwrap -lpam -ldl -export-dynamic -rdynamic
#
# but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
# as well.
@@ -1073,7 +1073,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# is "yes", as well as supporting line editing, a history of input lines in the
# current run is maintained.
-# USE_READLINE=yes
+USE_READLINE=yes
# You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
# Note that this option adds to the size of the Exim binary, because the
@@ -1083,7 +1083,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
#------------------------------------------------------------------------------
# Uncomment this setting to include IPv6 support.
-# HAVE_IPV6=yes
+HAVE_IPV6=yes
###############################################################################
# THINGS YOU ALMOST NEVER NEED TO MENTION #
@@ -1104,13 +1104,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# haven't got Perl, Exim will still build and run; you just won't be able to
# use those utilities.
-# CHOWN_COMMAND=/usr/bin/chown
-# CHGRP_COMMAND=/usr/bin/chgrp
-# CHMOD_COMMAND=/usr/bin/chmod
-# MV_COMMAND=/bin/mv
-# RM_COMMAND=/bin/rm
-# TOUCH_COMMAND=/usr/bin/touch
-# PERL_COMMAND=/usr/bin/perl
+CHOWN_COMMAND=/usr/bin/chown
+CHGRP_COMMAND=/usr/bin/chgrp
+CHMOD_COMMAND=/usr/bin/chmod
+MV_COMMAND=/usr/bin/mv
+RM_COMMAND=/usr/bin/rm
+TOUCH_COMMAND=/usr/bin/touch
+PERL_COMMAND=/usr/bin/perl
#------------------------------------------------------------------------------
@@ -1312,7 +1312,7 @@ EXIM_TMPDIR="/tmp"
# (process id) to a file so that it can easily be identified. The path of the
# file can be specified here. Some installations may want something like this:
-# PID_FILE_PATH=/var/lock/exim.pid
+PID_FILE_PATH=/var/run/exim.pid
# If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
# using the name "exim-daemon.pid".

21
exim-4.88-cyrus.patch
View File

@ -1,21 +0,0 @@
diff --git a/src/configure.default b/src/configure.default
index 8b6162b..d588898 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -765,6 +765,16 @@ address_reply:
driver = autoreply
+# This transport is used to deliver local mail to cyrus IMAP server via UNIX
+# socket. You'll need to configure the 'localuser' router above to use it.
+#
+#lmtp_delivery:
+# home_directory = /var/spool/imap
+# driver = lmtp
+# command = "/usr/lib/cyrus-imapd/deliver -l"
+# batch_max = 20
+# user = cyrus
+
######################################################################
# RETRY CONFIGURATION #

118
exim-4.88-greylist-conf.patch
View File

@ -1,118 +0,0 @@
diff --git a/src/configure.default b/src/configure.default
index 921c53b..a92c954 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -107,6 +107,7 @@ hostlist relay_from_hosts = localhost
# manual for details. The lists above are used in the access control lists for
# checking incoming messages. The names of these ACLs are defined here:
+acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = acl_check_mime
@@ -368,6 +369,29 @@ timeout_frozen_after = 7d
begin acl
+
+# This access control list is used for the MAIL command in an incoming
+# SMTP message.
+
+acl_check_mail:
+
+ # Hosts are required to say HELO (or EHLO) before sending mail.
+ # So don't allow them to use the MAIL command if they haven't
+ # done so.
+
+ deny condition = ${if eq{$sender_helo_name}{} {1}}
+ message = Nice boys say HELO first
+
+ # Use the lack of reverse DNS to trigger greylisting. Some people
+ # even reject for it but that would be a little excessive.
+
+ warn condition = ${if eq{$sender_host_name}{} {1}}
+ set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
+
+ accept
+
+
+
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
@@ -493,7 +517,8 @@ acl_check_rcpt:
# There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this
- # point. The first one denies, whereas the second just warns.
+ # point. The first one denies, whereas the second just warns. The third
+ # triggers greylisting for any host in the blacklist.
#
# deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
# dnslists = black.list.example
@@ -501,6 +526,10 @@ acl_check_rcpt:
# warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain
+ #
+ # warn dnslists = black.list.example
+ # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
+ #
#############################################################################
#############################################################################
@@ -514,6 +543,10 @@ acl_check_rcpt:
# require verify = csa
#############################################################################
+ # Alternatively, greylist for it:
+ # warn !verify = csa
+ # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
+
# At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally.
@@ -546,6 +579,12 @@ acl_check_data:
# deny condition = ${if !def:h_Message-ID: {1}}
# message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
# Most messages without it are spam, so your mail has been rejected.
+ #
+ # Alternatively if we're feeling more lenient we could just use it to
+ # trigger greylisting instead:
+
+ warn condition = ${if !def:h_Message-ID: {1}}
+ set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
@@ -580,8 +619,30 @@ acl_check_data:
# message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
# $spam_report
+ # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
+ #
+ # warn condition = ${if >{$spam_score_int}{5} {1}}
+ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
+
+
+ # If you want to greylist _all_ mail rather than only mail which looks like there
+ # might be something wrong with it, then you can do this...
+ #
+ # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
+
+ # Now, invoke the greylisting. For this you need to have installed the exim-greylist
+ # package which contains this subroutine, and you need to uncomment the bit below
+ # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
+ # greylisting will kick in and will defer the mail to check if the sender is a
+ # proper mail which which retries, or whether it's a zombie. For more details, see
+ # the exim-greylist.conf.inc file itself.
+ #
+ # require acl = greylist_mail
+
accept
+# To enable the greylisting, also uncomment this line:
+# .include /etc/exim/exim-greylist.conf.inc
acl_check_mime:

78
exim-4.88-pamconfig.patch
View File

@ -1,78 +0,0 @@
diff --git a/src/configure.default b/src/configure.default
index d588898..61bdae8 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -142,7 +142,7 @@ acl_smtp_data = acl_check_data
# Allow any client to use TLS.
-# tls_advertise_hosts = *
+tls_advertise_hosts = *
# Specify the location of the Exim server's TLS certificate and private key.
# The private key must not be encrypted (password protected). You can put
@@ -150,8 +150,8 @@ acl_smtp_data = acl_check_data
# need the first setting, or in separate files, in which case you need both
# options.
-# tls_certificate = /etc/ssl/exim.crt
-# tls_privatekey = /etc/ssl/exim.pem
+tls_certificate = /etc/pki/tls/certs/exim.pem
+tls_privatekey = /etc/pki/tls/private/exim.pem
# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
@@ -162,8 +162,8 @@ acl_smtp_data = acl_check_data
# them you should also allow TLS-on-connect on the traditional but
# non-standard port 465.
-# daemon_smtp_ports = 25 : 465 : 587
-# tls_on_connect_ports = 465
+daemon_smtp_ports = 25 : 465 : 587
+tls_on_connect_ports = 465
# Specify the domain you want to be added to all unqualified addresses
@@ -221,6 +221,24 @@ never_users = root
host_lookup = *
+# This setting, if uncommented, allows users to authenticate using
+# their system passwords against saslauthd if they connect over a
+# secure connection. If you have network logins such as NIS or
+# Kerberos rather than only local users, then you possibly also want
+# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
+# too. Once a user is authenticated, the acl_check_rcpt ACL then
+# allows them to relay through the system.
+#
+# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
+#
+# By default, we set this option to allow SMTP AUTH from nowhere
+# (Exim's default would be to allow it from anywhere, even on an
+# unencrypted connection).
+#
+# Comment this one out if you uncomment the above. Did you make sure
+# saslauthd is actually running first?
+#
+auth_advertise_hosts =
# The settings below cause Exim to make RFC 1413 (ident) callbacks
# for all incoming SMTP calls. You can limit the hosts to which these
@@ -844,7 +862,7 @@ begin authenticators
# driver = plaintext
# server_set_id = $auth2
# server_prompts = :
-# server_condition = Authentication is not yet configured
+# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}}
# server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no
@@ -856,7 +874,7 @@ begin authenticators
# driver = plaintext
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
-# server_condition = Authentication is not yet configured
+# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}}
# server_advertise_condition = ${if def:tls_in_cipher }

34
exim-4.88-procmail.patch
View File

@ -1,34 +0,0 @@
diff --git a/src/configure.default b/src/configure.default
index ecc3d6e..1e3c63f 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -732,6 +732,12 @@ userforward:
pipe_transport = address_pipe
reply_transport = address_reply
+procmail:
+ driver = accept
+ check_local_user
+ require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
+ transport = procmail
+ no_verify
# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
@@ -773,6 +779,16 @@ remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+# This transport invokes procmail to deliver mail
+procmail:
+ driver = pipe
+ command = "/usr/bin/procmail -d $local_part"
+ return_path_add
+ delivery_date_add
+ envelope_to_add
+ user = $local_part
+ initgroups
+ return_output
# This transport is used for local delivery to user mailboxes in traditional
# BSD mailbox format. By default it will be run under the uid and gid of the

24
exim-4.88-rhl.patch
View File

@ -1,24 +0,0 @@
diff --git a/src/configure.default b/src/configure.default
index 985f1d0..8b6162b 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -630,7 +630,7 @@ system_aliases:
driver = redirect
allow_fail
allow_defer
- data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
+ data = ${lookup{$local_part}lsearch{/etc/aliases}}
# user = exim
file_transport = address_file
pipe_transport = address_pipe
@@ -731,8 +731,8 @@ local_delivery:
delivery_date_add
envelope_to_add
return_path_add
-# group = mail
-# mode = 0660
+ group = mail
+ mode = 0660
# This transport is used for handling pipe deliveries generated by alias or

51
exim-4.88-smarthost-config.patch
View File

@ -1,51 +0,0 @@
diff --git a/src/configure.default b/src/configure.default
index a92c954..13599ae 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -840,6 +840,15 @@ remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+# This transport is used for delivering messages over SMTP using the
+# "message submission" port (RFC4409).
+
+remote_msa:
+ driver = smtp
+ port = 587
+ hosts_require_auth = *
+
+
# This transport invokes procmail to deliver mail
procmail:
driver = pipe
@@ -948,6 +957,21 @@ begin rewrite
# AUTHENTICATION CONFIGURATION #
######################################################################
+begin authenticators
+
+# This authenticator supports CRAM-MD5 username/password authentication
+# with Exim acting as a _client_, as it might when sending its outgoing
+# mail to a smarthost rather than directly to the final recipient.
+# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
+
+#client_auth:
+# driver = cram_md5
+# public_name = CRAM-MD5
+# client_name = SMTPAUTH_USERNAME
+# client_secret = SMTPAUTH_PASSWORD
+
+#
+
# The following authenticators support plaintext username/password
# authentication using the standard PLAIN mechanism and the traditional
# but non-standard LOGIN mechanism, with Exim acting as the server.
@@ -963,7 +987,7 @@ begin rewrite
# The default RCPT ACL checks for successful authentication, and will accept
# messages from authenticated users from anywhere on the Internet.
-begin authenticators
+#
# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not

4
exim-4.82-libdir.patch → exim-4.94-libdir.patch
View File

@ -1,8 +1,8 @@
diff --git a/OS/Makefile-Linux b/OS/Makefile-Linux
index 990f884..d1ef114 100644
index dfb2fa8..58c30f7 100644
--- a/OS/Makefile-Linux
+++ b/OS/Makefile-Linux
@@ -24,8 +24,8 @@ LIBRESOLV = -lresolv
@@ -27,8 +27,8 @@ LIBRESOLV = -lresolv
X11=/usr/X11R6
XINCLUDE=-I$(X11)/include

13
exim-4.96-build-fix.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/src/drtables.c b/src/drtables.c
index 513ef6c..3fa5c92 100644
--- a/src/drtables.c
+++ b/src/drtables.c
@@ -736,7 +736,7 @@ else
{
char * name = ent->d_name;
int len = (int)strlen(name);
- if (regex_match(regex_islookupmod, US name, len, NUL))
+ if (regex_match(regex_islookupmod, US name, len, NULL))
{
int pathnamelen = len + (int)strlen(LOOKUP_MODULE_DIR) + 2;
void *dl;

814
exim-4.96-config.patch Normal file
View File

@ -0,0 +1,814 @@
diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile
index ed77b6a..b9eb64d 100755
--- a/scripts/Configure-Makefile
+++ b/scripts/Configure-Makefile
@@ -317,7 +317,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
mv $mft $mftt
echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
- echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft
+ echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft
echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft
echo "" >>$mft
cat $mftt >> $mft
diff --git a/src/EDITME b/src/EDITME
index 53022e5..b7ae2cc 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -99,7 +99,7 @@
# /usr/local/sbin. The installation script will try to create this directory,
# and any superior directories, if they do not exist.
-BIN_DIRECTORY=/usr/exim/bin
+BIN_DIRECTORY=/usr/sbin
#------------------------------------------------------------------------------
@@ -115,7 +115,7 @@ BIN_DIRECTORY=/usr/exim/bin
# don't exist. It will also install a default runtime configuration if this
# file does not exist.
-CONFIGURE_FILE=/usr/exim/configure
+CONFIGURE_FILE=/etc/exim/exim.conf
# It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
# In this case, Exim will use the first of them that exists when it is run.
@@ -132,7 +132,7 @@ CONFIGURE_FILE=/usr/exim/configure
# deliveries. (Local deliveries run as various non-root users, typically as the
# owner of a local mailbox.) Specifying these values as root is not supported.
-EXIM_USER=
+EXIM_USER=93
# If you specify EXIM_USER as a name, this is looked up at build time, and the
# uid number is built into the binary. However, you can specify that this
@@ -153,7 +153,7 @@ EXIM_USER=
# for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
# you want to use a group other than the default group for the given user.
-# EXIM_GROUP=
+EXIM_GROUP=93
# Many sites define a user called "exim", with an appropriate default group,
# and use
@@ -210,10 +210,10 @@ SPOOL_DIRECTORY=/var/spool/exim
# If you are building with TLS, the library configuration must be done:
# Uncomment this if you are using OpenSSL
-# USE_OPENSSL=yes
+USE_OPENSSL=yes
# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
# and an optional location.
-# USE_OPENSSL_PC=openssl
+USE_OPENSSL_PC=openssl
# TLS_LIBS=-lssl -lcrypto
# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
@@ -340,7 +340,7 @@ TRANSPORT_SMTP=yes
# This one is special-purpose, and commonly not required, so it is not
# included by default.
-# TRANSPORT_LMTP=yes
+TRANSPORT_LMTP=yes
#------------------------------------------------------------------------------
@@ -349,9 +349,9 @@ TRANSPORT_SMTP=yes
# MBX, is included only when requested. If you do not know what this is about,
# leave these settings commented out.
-# SUPPORT_MAILDIR=yes
-# SUPPORT_MAILSTORE=yes
-# SUPPORT_MBX=yes
+SUPPORT_MAILDIR=yes
+SUPPORT_MAILSTORE=yes
+SUPPORT_MBX=yes
#------------------------------------------------------------------------------
@@ -409,22 +409,27 @@ LOOKUP_DBM=yes
LOOKUP_LSEARCH=yes
LOOKUP_DNSDB=yes
-# LOOKUP_CDB=yes
-# LOOKUP_DSEARCH=yes
+LOOKUP_CDB=yes
+LOOKUP_DSEARCH=yes
# LOOKUP_IBASE=yes
# LOOKUP_JSON=yes
-# LOOKUP_LDAP=yes
+LOOKUP_LDAP=yes
+LDAP_LIB_TYPE=OPENLDAP2
+LOOKUP_INCLUDE=-I/usr/include/mysql
+LOOKUP_LIBS=-lldap -llber -lsqlite3 -L/usr/$(_lib)/mysql -lmysqlclient
# LOOKUP_LMDB=yes
-# LOOKUP_MYSQL=yes
+LOOKUP_MYSQL=2
# LOOKUP_MYSQL_PC=mariadb
-# LOOKUP_NIS=yes
-# LOOKUP_NISPLUS=yes
+LOOKUP_NIS=yes
+LOOKUP_NISPLUS=yes
+
# LOOKUP_ORACLE=yes
-# LOOKUP_PASSWD=yes
-# LOOKUP_PGSQL=yes
+LOOKUP_PASSWD=yes
+LOOKUP_PGSQL=2
+LOOKUP_PGSQL_LIBS=-lpq
# LOOKUP_REDIS=yes
-# LOOKUP_SQLITE=yes
+LOOKUP_SQLITE=yes
# LOOKUP_SQLITE_PC=sqlite3
# LOOKUP_WHOSON=yes
@@ -437,7 +442,7 @@ LOOKUP_DNSDB=yes
# Some platforms may need this for LOOKUP_NIS:
-# LIBS += -lnsl
+LIBS += -lnsl
#------------------------------------------------------------------------------
# If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate
@@ -511,7 +516,7 @@ SUPPORT_DANE=yes
# files are defaulted in the OS/Makefile-Default file, but can be overridden in
# local OS-specific make files.
-# EXIM_MONITOR=eximon.bin
+EXIM_MONITOR=eximon.bin
#------------------------------------------------------------------------------
@@ -521,7 +526,7 @@ SUPPORT_DANE=yes
# and the MIME ACL. Please read the documentation to learn more about these
# features.
-# WITH_CONTENT_SCAN=yes
+WITH_CONTENT_SCAN=yes
# If you have content scanning you may wish to only include some of the scanner
# interfaces. Uncomment any of these lines to remove that code.
@@ -604,12 +609,12 @@ DISABLE_MAL_MKS=yes
# using libopendmarc libraries. You must have SPF and DKIM support enabled also.
# Library version libopendmarc-1.4.1-1.fc33.x86_64 (on Fedora 33) is known broken;
# 1.3.2-3 works. I seems that the OpenDMARC project broke their API.
-# SUPPORT_DMARC=yes
+SUPPORT_DMARC=yes
# CFLAGS += -I/usr/local/include
-# LDFLAGS += -lopendmarc
+LDFLAGS += -lopendmarc
# Uncomment the following if you need to change the default. You can
# override it at runtime (main config option dmarc_tld_file)
-# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds
+DMARC_TLD_FILE=/usr/share/publicsuffix/public_suffix_list.dat
# Uncomment the following line to add ARC (Authenticated Received Chain)
# support. You must have SPF and DKIM support enabled also.
@@ -709,7 +714,7 @@ FIXED_NEVER_USERS=root
# CONFIGURE_OWNER setting, to specify a configuration file which is listed in
# the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
-# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs
+TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs
#------------------------------------------------------------------------------
@@ -754,18 +759,18 @@ FIXED_NEVER_USERS=root
# included in the Exim binary. You will then need to set up the run time
# configuration to make use of the mechanism(s) selected.
-# AUTH_CRAM_MD5=yes
-# AUTH_CYRUS_SASL=yes
-# AUTH_DOVECOT=yes
+AUTH_CRAM_MD5=yes
+AUTH_CYRUS_SASL=yes
+AUTH_DOVECOT=yes
# AUTH_EXTERNAL=yes
-# AUTH_GSASL=yes
-# AUTH_GSASL_PC=libgsasl
+AUTH_GSASL=yes
+AUTH_GSASL_PC=libgsasl
# AUTH_HEIMDAL_GSSAPI=yes
# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
-# AUTH_PLAINTEXT=yes
-# AUTH_SPA=yes
-# AUTH_TLS=yes
+AUTH_PLAINTEXT=yes
+AUTH_SPA=yes
+AUTH_TLS=yes
# Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
# requires multiple pkg-config files to work with Exim, so the second example
@@ -792,7 +797,7 @@ FIXED_NEVER_USERS=root
# one that is set in the headers_charset option. The default setting is
# defined by this setting:
-HEADERS_CHARSET="ISO-8859-1"
+HEADERS_CHARSET="UTF-8"
# If you are going to make use of $header_xxx expansions in your configuration
# file, or if your users are going to use them in filter files, and the normal
@@ -812,7 +817,7 @@ HEADERS_CHARSET="ISO-8859-1"
# the Sieve filter support. For those OS where iconv() is known to be installed
# as standard, the file in OS/Makefile-xxxx contains
#
-# HAVE_ICONV=yes
+HAVE_ICONV=yes
#
# If you are not using one of those systems, but have installed iconv(), you
# need to uncomment that line above. In some cases, you may find that iconv()
@@ -888,7 +893,7 @@ HEADERS_CHARSET="ISO-8859-1"
# Once you have done this, "make install" will build the info files and
# install them in the directory you have defined.
-# INFO_DIRECTORY=/usr/share/info
+INFO_DIRECTORY=/usr/share/info
#------------------------------------------------------------------------------
@@ -901,7 +906,7 @@ HEADERS_CHARSET="ISO-8859-1"
# %s. This will be replaced by one of the strings "main", "panic", or "reject"
# to form the final file names. Some installations may want something like this:
-# LOG_FILE_PATH=/var/log/exim_%slog
+LOG_FILE_PATH=/var/log/exim/%s.log
# which results in files with names /var/log/exim_mainlog, etc. The directory
# in which the log files are placed must exist; Exim does not try to create
@@ -973,7 +978,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
# Perl costs quite a lot of resources. Only do this if you really need it.
-# EXIM_PERL=perl.o
+EXIM_PERL=perl.o
#------------------------------------------------------------------------------
@@ -983,7 +988,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# that the local_scan API is made available by the linker. You may also need
# to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
-# EXPAND_DLFUNC=yes
+EXPAND_DLFUNC=yes
#------------------------------------------------------------------------------
@@ -993,7 +998,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# support, which is intended for use in conjunction with the SMTP AUTH
# facilities, is included only when requested by the following setting:
-# SUPPORT_PAM=yes
+SUPPORT_PAM=yes
# You probably need to add -lpam to EXTRALIBS, and in some releases of
# GNU/Linux -ldl is also needed.
@@ -1005,12 +1010,12 @@ ZCAT_COMMAND=/usr/bin/zcat
# If you may want to use outbound (client-side) proxying, using Socks5,
# uncomment the line below.
-# SUPPORT_SOCKS=yes
+SUPPORT_SOCKS=yes
# If you may want to use inbound (server-side) proxying, using Proxy Protocol,
# uncomment the line below.
-# SUPPORT_PROXY=yes
+SUPPORT_PROXY=yes
#------------------------------------------------------------------------------
@@ -1034,9 +1039,9 @@ ZCAT_COMMAND=/usr/bin/zcat
# installed on your system (www.libspf2.org). Depending on where it is installed
# you may have to edit the CFLAGS and LDFLAGS lines.
-# SUPPORT_SPF=yes
+SUPPORT_SPF=yes
# CFLAGS += -I/usr/local/include
-# LDFLAGS += -lspf2
+LDFLAGS += -lspf2
#------------------------------------------------------------------------------
@@ -1101,7 +1106,7 @@ ZCAT_COMMAND=/usr/bin/zcat
# group. Once you have installed saslauthd, you should arrange for it to be
# started by root at boot time.
-# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
+CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
#------------------------------------------------------------------------------
@@ -1115,8 +1120,8 @@ ZCAT_COMMAND=/usr/bin/zcat
# library for TCP wrappers, so you probably need something like this:
#
# USE_TCP_WRAPPERS=yes
-# CFLAGS=-O -I/usr/local/include
-# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
+CFLAGS+=$(RPM_OPT_FLAGS) $(PIE) -std=gnu99
+EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic
#
# but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
# as well.
@@ -1168,7 +1173,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# is "yes", as well as supporting line editing, a history of input lines in the
# current run is maintained.
-# USE_READLINE=yes
+USE_READLINE=yes
# You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
# Note that this option adds to the size of the Exim binary, because the
@@ -1185,7 +1190,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
#------------------------------------------------------------------------------
# Uncomment this setting to include IPv6 support.
-# HAVE_IPV6=yes
+HAVE_IPV6=yes
###############################################################################
# THINGS YOU ALMOST NEVER NEED TO MENTION #
@@ -1206,13 +1211,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
# haven't got Perl, Exim will still build and run; you just won't be able to
# use those utilities.
-# CHOWN_COMMAND=/usr/bin/chown
-# CHGRP_COMMAND=/usr/bin/chgrp
-# CHMOD_COMMAND=/usr/bin/chmod
-# MV_COMMAND=/bin/mv
-# RM_COMMAND=/bin/rm
-# TOUCH_COMMAND=/usr/bin/touch
-# PERL_COMMAND=/usr/bin/perl
+CHOWN_COMMAND=/usr/bin/chown
+CHGRP_COMMAND=/usr/bin/chgrp
+CHMOD_COMMAND=/usr/bin/chmod
+MV_COMMAND=/usr/bin/mv
+RM_COMMAND=/usr/bin/rm
+TOUCH_COMMAND=/usr/bin/touch
+PERL_COMMAND=/usr/bin/perl
#------------------------------------------------------------------------------
@@ -1414,7 +1419,7 @@ EXIM_TMPDIR="/tmp"
# (process id) to a file so that it can easily be identified. The path of the
# file can be specified here. Some installations may want something like this:
-# PID_FILE_PATH=/var/lock/exim.pid
+PID_FILE_PATH=/var/run/exim.pid
# If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
# using the name "exim-daemon.pid".
diff --git a/src/configure.default b/src/configure.default
index 3761daf..a5d3718 100644
--- a/src/configure.default
+++ b/src/configure.default
@@ -67,7 +67,7 @@
# +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
# are all colon-separated lists:
-domainlist local_domains = @
+domainlist local_domains = @ : localhost : localhost.localdomain
domainlist relay_to_domains =
hostlist relay_from_hosts = localhost
# (We rely upon hostname resolution working for localhost, because the default
@@ -119,11 +119,13 @@ hostlist relay_from_hosts = localhost
# manual for details. The lists above are used in the access control lists for
# checking incoming messages. The names of these ACLs are defined here:
+acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
.ifdef _HAVE_PRDR
acl_smtp_data_prdr = acl_check_prdr
.endif
acl_smtp_data = acl_check_data
+acl_smtp_mime = acl_check_mime
# You should not change those settings until you understand how ACLs work.
@@ -136,7 +138,7 @@ acl_smtp_data = acl_check_data
# of what to set for other virus scanners. The second modification is in the
# acl_check_data access control list (see below).
-# av_scanner = clamd:/tmp/clamd
+av_scanner = clamd:/var/run/clamd.exim/clamd.sock
# For spam scanning, there is a similar option that defines the interface to
@@ -147,6 +149,12 @@ acl_smtp_data = acl_check_data
# spamd_address = 127.0.0.1 783
+# Set the default sqlite database file for greylisting. Uncomment this
+# if you use the greylisting ACLs defined below.
+
+# sqlite_dbfile = /var/spool/exim/db/greylist.db
+
+
# If Exim is compiled with support for TLS, you may want to change the
# following option so that Exim disallows certain clients from makeing encrypted
# connections. The default is to allow all.
@@ -157,7 +165,7 @@ acl_smtp_data = acl_check_data
# This is equivalent to the default.
-# tls_advertise_hosts = *
+tls_advertise_hosts = *
# Specify the location of the Exim server's TLS certificate and private key.
# The private key must not be encrypted (password protected). You can put
@@ -165,8 +173,8 @@ acl_smtp_data = acl_check_data
# need the first setting, or in separate files, in which case you need both
# options.
-# tls_certificate = /etc/ssl/exim.crt
-# tls_privatekey = /etc/ssl/exim.pem
+tls_certificate = /etc/pki/tls/certs/exim.pem
+tls_privatekey = /etc/pki/tls/private/exim.pem
# For OpenSSL, prefer EC- over RSA-authenticated ciphers
.ifdef _HAVE_OPENSSL
@@ -189,8 +197,8 @@ tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}}
# them you should also allow TLS-on-connect on the traditional but
# non-standard port 465.
-# daemon_smtp_ports = 25 : 465 : 587
-# tls_on_connect_ports = 465
+daemon_smtp_ports = 25 : 465 : 587
+tls_on_connect_ports = 465
# Specify the domain you want to be added to all unqualified addresses
@@ -248,6 +256,24 @@ never_users = root
host_lookup = *
+# This setting, if uncommented, allows users to authenticate using
+# their system passwords against saslauthd if they connect over a
+# secure connection. If you have network logins such as NIS or
+# Kerberos rather than only local users, then you possibly also want
+# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
+# too. Once a user is authenticated, the acl_check_rcpt ACL then
+# allows them to relay through the system.
+#
+# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
+#
+# By default, we set this option to allow SMTP AUTH from nowhere
+# (Exim's default would be to allow it from anywhere, even on an
+# unencrypted connection).
+#
+# Comment this one out if you uncomment the above. Did you make sure
+# saslauthd is actually running first?
+#
+auth_advertise_hosts =
# The setting below causes Exim to try to initialize the system resolver
# library with DNSSEC support. It has no effect if your library lacks
@@ -378,8 +404,8 @@ timeout_frozen_after = 7d
# Note that TZ is handled separately by the timezone runtime option
# and TIMEZONE_DEFAULT buildtime option.
-# keep_environment = ^LDAP
-# add_environment = PATH=/usr/bin::/bin
+keep_environment = ^LDAP
+add_environment = PATH=/usr/bin::/bin
@@ -390,6 +416,29 @@ timeout_frozen_after = 7d
begin acl
+
+# This access control list is used for the MAIL command in an incoming
+# SMTP message.
+
+acl_check_mail:
+
+ # Hosts are required to say HELO (or EHLO) before sending mail.
+ # So don't allow them to use the MAIL command if they haven't
+ # done so.
+
+ deny condition = ${if eq{$sender_helo_name}{} {1}}
+ message = Nice boys say HELO first
+
+ # Use the lack of reverse DNS to trigger greylisting. Some people
+ # even reject for it but that would be a little excessive.
+
+ warn condition = ${if eq{$sender_host_name}{} {1}}
+ set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
+
+ accept
+
+
+
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
@@ -401,6 +450,7 @@ acl_check_rcpt:
accept hosts = :
control = dkim_disable_verify
+ control = dmarc_disable_verify
#############################################################################
# The following section of the ACL is concerned with local parts that contain
@@ -454,7 +504,8 @@ acl_check_rcpt:
accept local_parts = postmaster
domains = +local_domains
- # Deny unless the sender address can be verified.
+ # Deny unless the sender address can be routed. For proper verification of the
+ # address, read the documentation on callouts and add the /callout modifier.
require verify = sender
@@ -494,6 +545,7 @@ acl_check_rcpt:
accept hosts = +relay_from_hosts
control = submission
control = dkim_disable_verify
+ control = dmarc_disable_verify
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
@@ -503,6 +555,7 @@ acl_check_rcpt:
accept authenticated = *
control = submission
control = dkim_disable_verify
+ control = dmarc_disable_verify
# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
@@ -523,7 +576,8 @@ acl_check_rcpt:
# There are no default checks on DNS black lists because the domains that
# contain these lists are changing all the time. However, here are two
# examples of how you can get Exim to perform a DNS black list lookup at this
- # point. The first one denies, whereas the second just warns.
+ # point. The first one denies, whereas the second just warns. The third
+ # triggers greylisting for any host in the blacklist.
#
# deny dnslists = black.list.example
# message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
@@ -531,6 +585,10 @@ acl_check_rcpt:
# warn dnslists = black.list.example
# add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
# log_message = found in $dnslist_domain
+ #
+ # warn dnslists = black.list.example
+ # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
+ #
#############################################################################
#############################################################################
@@ -557,6 +615,10 @@ acl_check_rcpt:
# set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER}
#############################################################################
+ # Alternatively, greylist for it:
+ # warn !verify = csa
+ # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
+
# At this point, the address has passed all the checks that have been
# configured, so we accept it unconditionally.
@@ -606,21 +668,32 @@ acl_check_data:
message = header syntax
log_message = header syntax ($acl_verify_message)
+ # Put simple tests first. A good one is to check for the presence of a
+ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
+ # or misconfigured mailer software occasionally omits this from genuine
+ # messages too, though -- although it's not hard for the offender to fix
+ # after they receive a bounce because of it.
+ #
+ # deny condition = ${if !def:h_Message-ID: {1}}
+ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
+ # Most messages without it are spam, so your mail has been rejected.
+ #
+ # Alternatively if we're feeling more lenient we could just use it to
+ # trigger greylisting instead:
+
+ warn condition = ${if !def:h_Message-ID: {1}}
+ set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
+
# Deny if the message contains a virus. Before enabling this check, you
# must install a virus scanner and set the av_scanner option above.
#
# deny malware = *
# message = This message contains a virus ($malware_name).
- # Add headers to a message if it is judged to be spam. Before enabling this,
- # you must install SpamAssassin. You may also need to set the spamd_address
- # option above.
+ # Bypass SpamAssassin checks if the message is too large.
#
- # warn spam = nobody
- # add_header = X-Spam_score: $spam_score\n\
- # X-Spam_score_int: $spam_score_int\n\
- # X-Spam_bar: $spam_bar\n\
- # X-Spam_report: $spam_report
+ # accept condition = ${if >={$message_size}{100000} {1}}
+ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
#############################################################################
# No more tests if PRDR was actively used.
@@ -634,11 +707,63 @@ acl_check_data:
# condition = ...
#############################################################################
+ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
+ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
+ # score exceeds the SA system threshold.
+ #
+ # warn spam = nobody/defer_ok
+ # add_header = X-Spam-Flag: YES
+ #
+ # accept condition = ${if !def:spam_score_int {1}}
+ # add_header = X-Spam-Note: SpamAssassin invocation failed
+ #
+
+ # Unconditionally add score and report headers
+ #
+ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
+ # X-Spam-Report: $spam_report
+
+ # And reject if the SpamAssassin score is greater than ten
+ #
+ # deny condition = ${if >{$spam_score_int}{100} {1}}
+ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
+ # $spam_report
+
+ # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
+ #
+ # warn condition = ${if >{$spam_score_int}{5} {1}}
+ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
+
- # Accept the message.
+ # If you want to greylist _all_ mail rather than only mail which looks like there
+ # might be something wrong with it, then you can do this...
+ #
+ # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
+
+ # Now, invoke the greylisting. For this you need to have installed the exim-greylist
+ # package which contains this subroutine, and you need to uncomment the bit below
+ # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
+ # greylisting will kick in and will defer the mail to check if the sender is a
+ # proper mail which which retries, or whether it's a zombie. For more details, see
+ # the exim-greylist.conf.inc file itself.
+ #
+ # require acl = greylist_mail
accept
+# To enable the greylisting, also uncomment this line:
+# .include /etc/exim/exim-greylist.conf.inc
+
+acl_check_mime:
+
+ # File extension filtering.
+ deny message = Blacklisted file extension detected
+ condition = ${if match \
+ {${lc:$mime_filename}} \
+ {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
+ {1}{0}}
+
+ accept
######################################################################
@@ -740,7 +865,7 @@ system_aliases:
driver = redirect
allow_fail
allow_defer
- data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
+ data = ${lookup{$local_part}lsearch{/etc/aliases}}
# user = exim
file_transport = address_file
pipe_transport = address_pipe
@@ -778,7 +903,7 @@ userforward:
# local_part_suffix = +* : -*
# local_part_suffix_optional
file = $home/.forward
-# allow_filter
+ allow_filter
no_verify
no_expn
check_ancestor
@@ -786,6 +911,12 @@ userforward:
pipe_transport = address_pipe
reply_transport = address_reply
+procmail:
+ driver = accept
+ check_local_user
+ require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
+ transport = procmail
+ no_verify
# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
@@ -826,6 +957,25 @@ remote_smtp:
tls_resumption_hosts = *
.endif
+# This transport is used for delivering messages over SMTP using the
+# "message submission" port (RFC4409).
+
+remote_msa:
+ driver = smtp
+ port = 587
+ hosts_require_auth = *
+
+
+# This transport invokes procmail to deliver mail
+procmail:
+ driver = pipe
+ command = "/usr/bin/procmail -d $local_part"
+ return_path_add
+ delivery_date_add
+ envelope_to_add
+ user = $local_part
+ initgroups
+ return_output
# This transport is used for delivering messages to a smarthost, if the
# smarthost router is enabled. This starts from the same basis as
@@ -880,8 +1030,8 @@ local_delivery:
delivery_date_add
envelope_to_add
return_path_add
-# group = mail
-# mode = 0660
+ group = mail
+ mode = 0660
# This transport is used for handling pipe deliveries generated by alias or
@@ -914,6 +1064,16 @@ address_reply:
driver = autoreply
+# This transport is used to deliver local mail to cyrus IMAP server via UNIX
+# socket. You'll need to configure the 'localuser' router above to use it.
+#
+#lmtp_delivery:
+# home_directory = /var/spool/imap
+# driver = lmtp
+# command = "/usr/lib/cyrus-imapd/deliver -l"
+# batch_max = 20
+# user = cyrus
+
######################################################################
# RETRY CONFIGURATION #
@@ -954,6 +1114,21 @@ begin rewrite
# AUTHENTICATION CONFIGURATION #
######################################################################
+begin authenticators
+
+# This authenticator supports CRAM-MD5 username/password authentication
+# with Exim acting as a _client_, as it might when sending its outgoing
+# mail to a smarthost rather than directly to the final recipient.
+# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
+
+#client_auth:
+# driver = cram_md5
+# public_name = CRAM-MD5
+# client_name = SMTPAUTH_USERNAME
+# client_secret = SMTPAUTH_PASSWORD
+
+#
+
# The following authenticators support plaintext username/password
# authentication using the standard PLAIN mechanism and the traditional
# but non-standard LOGIN mechanism, with Exim acting as the server.
@@ -969,7 +1144,7 @@ begin rewrite
# The default RCPT ACL checks for successful authentication, and will accept
# messages from authenticated users from anywhere on the Internet.
-begin authenticators
+#
# PLAIN authentication has no server prompts. The client sends its
# credentials in one lump, containing an authorization ID (which we do not
@@ -983,7 +1158,7 @@ begin authenticators
# driver = plaintext
# server_set_id = $auth2
# server_prompts = :
-# server_condition = Authentication is not yet configured
+# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}}
# server_advertise_condition = ${if def:tls_in_cipher }
# LOGIN authentication has traditional prompts and responses. There is no
@@ -995,7 +1170,7 @@ begin authenticators
# driver = plaintext
# server_set_id = $auth1
# server_prompts = <| Username: | Password:
-# server_condition = Authentication is not yet configured
+# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}}
# server_advertise_condition = ${if def:tls_in_cipher }

69
exim-4.88-dlopen-localscan.patch → exim-4.96-dlopen-localscan.patch
View File

@ -1,17 +1,19 @@
diff --git a/src/EDITME b/src/EDITME
index 5a08197..3921db6 100644
index cf0b33e..7d4cbf3 100644
--- a/src/EDITME
+++ b/src/EDITME
@@ -792,6 +792,20 @@ TLS_LIBS=-lssl -lcrypto
@@ -878,6 +878,21 @@ HAVE_ICONV=yes
# *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING ***
#------------------------------------------------------------------------------
+#------------------------------------------------------------------------------
+# On systems which support dynamic loading of shared libraries, Exim can
+# load a local_scan function specified in its config file instead of having
+# to be recompiled with the desired local_scan function. For a full
+# description of the API to this function, see the Exim specification.
+
+DLOPEN_LOCAL_SCAN=yes
+HAVE_LOCAL_SCAN=yes
+
+# If you set DLOPEN_LOCAL_SCAN, then you need to include -rdynamic in the
+# linker flags. Without it, the loaded .so won't be able to access any
@ -19,17 +21,16 @@ index 5a08197..3921db6 100644
+
+LFLAGS=-rdynamic -ldl -pie
+
+#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# The default distribution of Exim contains only the plain text form of the
# documentation. Other forms are available separately. If you want to install
# the documentation in "info" format, first fetch the Texinfo documentation
diff --git a/src/config.h.defaults b/src/config.h.defaults
index bafdc1b..c6ba256 100644
index 25ab755..e27a51d 100644
--- a/src/config.h.defaults
+++ b/src/config.h.defaults
@@ -28,6 +28,8 @@ it's a default value. */
@@ -33,6 +33,8 @@ Do not put spaces between # and the 'define'.
#define AUTH_VARS 3
#define AUTH_VARS 4
+#define DLOPEN_LOCAL_SCAN
+
@ -37,10 +38,10 @@ index bafdc1b..c6ba256 100644
#define CONFIGURE_FILE
diff --git a/src/globals.c b/src/globals.c
index f83d850..c722059 100644
index ff246fe..b9dfbbb 100644
--- a/src/globals.c
+++ b/src/globals.c
@@ -167,6 +167,10 @@ uschar *tls_verify_hosts = NULL;
@@ -151,6 +151,10 @@ time_t tls_watch_trigger_time = (time_t)0;
uschar *tls_advertise_hosts = NULL;
#endif
@ -52,12 +53,12 @@ index f83d850..c722059 100644
/* Per Recipient Data Response variables */
BOOL prdr_enable = FALSE;
diff --git a/src/globals.h b/src/globals.h
index b3747a8..e3dd507 100644
index fe099e4..7530a76 100644
--- a/src/globals.h
+++ b/src/globals.h
@@ -126,6 +126,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */
extern uschar *tls_verify_certificates;/* Path for certificates to check */
extern uschar *tls_verify_hosts; /* Mandatory client verification */
@@ -148,6 +148,11 @@ extern uschar *tls_verify_hosts; /* Mandatory client verification */
extern int tls_watch_fd; /* for inotify of creds files */
extern time_t tls_watch_trigger_time; /* non-0: triggered */
#endif
+
+#ifdef DLOPEN_LOCAL_SCAN
@ -68,21 +69,25 @@ index b3747a8..e3dd507 100644
extern uschar *dsn_envid; /* DSN envid string */
diff --git a/src/local_scan.c b/src/local_scan.c
index 3500047..8599172 100644
index 7a3bae7..6ea5d2d 100644
--- a/src/local_scan.c
+++ b/src/local_scan.c
@@ -5,60 +5,131 @@
/* Copyright (c) University of Cambridge 1995 - 2009 */
@@ -6,59 +6,133 @@
/* Copyright (c) The Exim Maintainers 2021 */
/* See the file NOTICE for conditions of use and distribution. */
+#include "exim.h"
+#include <local_scan.h>
-/******************************************************************************
-This file contains a template local_scan() function that just returns ACCEPT.
-If you want to implement your own version, you should copy this file to, say
-Local/local_scan.c, and edit the copy. To use your version instead of the
-default, you must set
-
+#ifdef DLOPEN_LOCAL_SCAN
+extern uschar *local_scan_path; /* Path to local_scan() library */
+#endif
-HAVE_LOCAL_SCAN=yes
-LOCAL_SCAN_SOURCE=Local/local_scan.c
-
-in your Local/Makefile. This makes it easy to copy your version for use with
@ -132,8 +137,6 @@ index 3500047..8599172 100644
int
local_scan(int fd, uschar **return_text)
{
fd = fd; /* Keep picky compilers happy */
return_text = return_text;
-return LOCAL_SCAN_ACCEPT;
+#ifdef DLOPEN_LOCAL_SCAN
+/* local_scan_path is defined AND not the empty string */
@ -165,8 +168,8 @@ index 3500047..8599172 100644
+else
+#endif
+ return LOCAL_SCAN_ACCEPT;
}
+ }
+
+#ifdef DLOPEN_LOCAL_SCAN
+
+static int load_local_scan_library(void)
@ -245,22 +248,22 @@ index 3500047..8599172 100644
+ }
+
+return TRUE;
+}
+
}
+#endif /* DLOPEN_LOCAL_SCAN */
+
/* End of local_scan.c */
diff --git a/src/readconf.c b/src/readconf.c
index b2a3c73..6f2efa0 100644
index 06bc50f..6ecb0af 100644
--- a/src/readconf.c
+++ b/src/readconf.c
@@ -314,6 +314,9 @@ static optionlist optionlist_config[] = {
{ "local_from_prefix", opt_stringptr, &local_from_prefix },
{ "local_from_suffix", opt_stringptr, &local_from_suffix },
{ "local_interfaces", opt_stringptr, &local_interfaces },
@@ -212,6 +212,9 @@ static optionlist optionlist_config[] = {
{ "local_from_prefix", opt_stringptr, {&local_from_prefix} },
{ "local_from_suffix", opt_stringptr, {&local_from_suffix} },
{ "local_interfaces", opt_stringptr, {&local_interfaces} },
+#ifdef DLOPEN_LOCAL_SCAN
+ { "local_scan_path", opt_stringptr, &local_scan_path },
+#endif
{ "local_scan_timeout", opt_time, &local_scan_timeout },
{ "local_sender_retain", opt_bool, &local_sender_retain },
{ "localhost_number", opt_stringptr, &host_number_string },
#ifdef HAVE_LOCAL_SCAN
{ "local_scan_timeout", opt_time, {&local_scan_timeout} },
#endif

13
exim-4.96-opendmarc-1.4-build-fix.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/src/dmarc.c b/src/dmarc.c
index 17bba9d..a218380 100644
--- a/src/dmarc.c
+++ b/src/dmarc.c
@@ -459,7 +459,7 @@ if (!dmarc_abort && !sender_host_authenticated)
vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
DMARC_POLICY_DKIM_OUTCOME_NONE;
libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain,
- dkim_result, US"");
+ sig->selector, dkim_result, US"");
DEBUG(D_receive)
debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain);
if (libdm_status != DMARC_PARSE_OKAY)

8
exim-4.85-pic.patch → exim-4.96-pic.patch
View File

@ -1,13 +1,13 @@
diff --git a/src/lookups/Makefile b/src/lookups/Makefile
index 6ba0cb1..21a7ad7 100644
index 19585bf..a0d355f 100644
--- a/src/lookups/Makefile
+++ b/src/lookups/Makefile
@@ -22,7 +22,7 @@ lookups.a: $(OBJ)
@@ -24,7 +24,7 @@ lookups.a: $(OBJ)
$(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
.c.so:; @echo "$(CC) -shared $*.c"
- $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $*.c -o $@
+ $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $(PIC) $*.c -o $@
lf_check_file.o: $(PHDRS) lf_check_file.c lf_functions.h
lf_quote.o: $(PHDRS) lf_quote.c lf_functions.h
lf_check_file.o: $(HDRS) lf_check_file.c lf_functions.h
lf_quote.o: $(HDRS) lf_quote.c lf_functions.h

79
exim-greylist.conf.inc
View File

@ -1,11 +1,44 @@
# $Id: acl-greylist-sqlite,v 1.3 2007/11/25 19:17:28 dwmw2 Exp $
#
# Exim ACL for greylisting. David Woodhouse <dwmw2@infradead.org>
#
# For full background on the logic behind greylisting and how this
# ACL works, see https://github.com/Exim/exim/wiki/SimpleGreylisting
#
GREYDB=/var/spool/exim/db/greylist.db
# UPDATING TO EXIM 4.94+
# ======================
#
# Previous versions of this ACL specified the sqlite database filename
# in the sqlite lookup strings directly, but since Exim 4.94 is it no
# longer permitted to mix "tainted" text which comes from the message
# itself, with the filename. Thus, you now have to set
#
# sqlite_dbfile = /var/spool/exim/db/greylist.db
#
# ... in the main configuration because it can't be specified within
# the ACL in this file any more.
# ACL for greylisting. Place reason(s) for greylisting into a variable named
# $acl_m_greylistreasons before invoking with 'require acl = greylist_mail'.
# The reasons should be separate lines of text, and will be reported in
# the SMTP rejection message as well as the log message.
# USING THIS ACL
# ==============
#
# First set sqlite_dbfile in the main configuration file to point to
# the greylist sqlite database, as described above.
#
# In your main ACLs, gather reason(s) for greylisting into a variable
# named $acl_m_greylistreasons before invoking this ACL with
# 'require acl = greylist_mail'. The reasons should be separate lines
# of text, and will be reported in the SMTP rejection message as well
# as the log message. Anything "suspicious" about the email can be
# used as criteria here — being HTML, having even a few SpamAssassin
# points, even lacking SPF authorisation (which is OK for greylisting
# although you should never reject outright for an SPF "failure"
# because of the flaws in SPF).
#
# Obviously you need to .include this file too in order to be able
# to invoke this greylist_mail ACL.
# HOW IT WORKS
# ============
#
# When a suspicious mail is seen, we temporarily reject it and wait to see
# if the sender tries again. Most spam robots won't bother. Real mail hosts
@ -44,15 +77,13 @@ GREYDB=/var/spool/exim/db/greylist.db
#
greylist_mail:
# First, accept if it there's absolutely nothing suspicious about it...
accept condition = ${if eq{$acl_m_greylistreasons}{} {1}}
# ... or if it was generated locally or by authenticated clients.
# Firstly, accept if it was generated locally or by authenticated clients.
accept hosts = :
accept authenticated = *
# Secondly, there's _absolutely_ no point in greylisting mail from
# hosts which are known to resend their mail. Just accept it.
accept condition = ${lookup sqlite {GREYDB SELECT host from resenders \
accept condition = ${lookup sqlite {SELECT host from resenders \
WHERE helo='${quote_sqlite:$sender_helo_name}' \
AND host='$sender_host_address';} {1}}
@ -62,15 +93,28 @@ greylist_mail:
# Attempt to look up this mail in the greylist database. If it's there,
# remember the expiry time for it; we need to make sure they've waited
# long enough.
warn set acl_m_greyexpiry = ${lookup sqlite {GREYDB SELECT expire FROM greylist \
warn set acl_m_greyexpiry = ${lookup sqlite {SELECT expire FROM greylist \
WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
# If there's absolutely nothing suspicious about the email, accept it. BUT...
accept condition = ${if eq {$acl_m_greylistreasons}{} {1}}
condition = ${if eq {$acl_m_greyexpiry}{} {1}}
# ..if this same mail was greylisted before (perhaps because it came from a
# host which *was* suspicious), then we still want to mark that original host
# as a "known resender". If we don't, then hosts which attempt to deliver from
# a dodgy Legacy IP address but then fall back to using IPv6 after greylisting
# will *never* see their Legacy IP address added to the 'known resenders' list.
accept condition = ${if eq {$acl_m_greylistreasons}{} {1}}
acl = write_known_resenders
# If the mail isn't already the database -- i.e. if the $acl_m_greyexpiry
# variable we just looked up is empty -- then try to add it now. This is
# where the 5 minute timeout is set ($tod_epoch + 300), should you wish
# to change it.
warn condition = ${if eq {$acl_m_greyexpiry}{} {1}}
set acl_m_dontcare = ${lookup sqlite {GREYDB INSERT INTO greylist \
set acl_m_dontcare = ${lookup sqlite {INSERT INTO greylist \
VALUES ( '$acl_m_greyident', \
'${eval10:$tod_epoch+300}', \
'$sender_host_address', \
@ -79,7 +123,7 @@ greylist_mail:
# Be paranoid, and check if the insertion succeeded (by doing another lookup).
# Otherwise, if there's a database error we might end up deferring for ever.
defer condition = ${if eq {$acl_m_greyexpiry}{} {1}}
condition = ${lookup sqlite {GREYDB SELECT expire FROM greylist \
condition = ${lookup sqlite {SELECT expire FROM greylist \
WHERE id='${quote_sqlite:$acl_m_greyident}';} {1}}
message = Your mail was considered suspicious for the following reason(s):\n$acl_m_greylistreasons \
The mail has been greylisted for 5 minutes, after which it should be accepted. \
@ -105,13 +149,16 @@ greylist_mail:
You should wait another ${eval10:$acl_m_greyexpiry-$tod_epoch} seconds.\n\
Reason(s) for greylisting: \n$acl_m_greylistreasons
accept acl = write_known_resenders
write_known_resenders:
# The message was listed but it's been more than five minutes. Accept it now and whitelist
# the _original_ sending host by its { IP, HELO } so that we don't delay its mail again.
warn set acl_m_orighost = ${lookup sqlite {GREYDB SELECT host FROM greylist \
warn set acl_m_orighost = ${lookup sqlite {SELECT host FROM greylist \
WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
set acl_m_orighelo = ${lookup sqlite {GREYDB SELECT helo FROM greylist \
set acl_m_orighelo = ${lookup sqlite {SELECT helo FROM greylist \
WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
set acl_m_dontcare = ${lookup sqlite {GREYDB INSERT INTO resenders \
set acl_m_dontcare = ${lookup sqlite {INSERT INTO resenders \
VALUES ( '$acl_m_orighost', \
'${quote_sqlite:$acl_m_orighelo}', \
'$tod_epoch' ); }}

346
exim.spec
View File

@ -1,3 +1,7 @@
# SA-Exim has long since been obsoleted by the proper built-in ACL support
# from exiscan. Disable it by default
%bcond_with sa
# By default build clamav subpackage on Fedora,
# do not build on RHEL
%if 0%{?rhel}
@ -8,15 +12,12 @@
%global sysv2systemdnvr 4.76-6
# hardened build if not overridden
%{!?_hardened_build:%global _hardened_build 1}
Summary: The exim mail transfer agent
Name: exim
Version: 4.88
Release: 3%{?dist}
Version: 4.96
Release: 1%{?dist}
License: GPLv2+
Url: http://www.exim.org/
Url: https://www.exim.org/
Group: System Environment/Daemons
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Provides: MTA smtpd smtpdaemon server(smtp)
@ -25,58 +26,54 @@ Requires(preun): %{_sbindir}/alternatives systemd
Requires(postun): %{_sbindir}/alternatives systemd
Requires(pre): %{_sbindir}/groupadd, %{_sbindir}/useradd
%if %{with clamav}
%if 0%{?fedora} < 23
Requires: initscripts
%endif
BuildRequires: clamav-devel
%endif
Source: ftp://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2
Source: https://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.xz
Source2: exim.init
Source3: exim.sysconfig
Source4: exim.logrotate
Source5: exim-tidydb.sh
Source11: exim.pam
%if %{with clamav}
Source12: exim-clamav-tmpfiles.conf
%endif
%if %{with sa}
Source13: http://marc.merlins.org/linux/exim/files/sa-exim-4.2.tar.gz
%endif
Source20: exim-greylist.conf.inc
Source21: mk-greylist-db.sql
Source22: greylist-tidy.sh
Source23: trusted-configs
Source24: exim.service
Source25: exim-gen-cert
%if %{with clamav}
Source26: clamd.exim.service
%endif
Patch4: exim-4.88-rhl.patch
Patch6: exim-4.88-config.patch
Patch8: exim-4.82-libdir.patch
Patch12: exim-4.88-cyrus.patch
Patch13: exim-4.88-pamconfig.patch
Patch14: exim-4.87-spamdconf.patch
Patch18: exim-4.88-dlopen-localscan.patch
Patch19: exim-4.88-procmail.patch
Patch20: exim-4.88-allow-filter.patch
Patch21: exim-4.87-localhost-is-local.patch
Patch22: exim-4.88-greylist-conf.patch
Patch23: exim-4.88-smarthost-config.patch
Patch25: exim-4.87-dynlookup-config.patch
# Upstream ticket: http://bugs.exim.org/show_bug.cgi?id=1584
Patch26: exim-4.85-pic.patch
Patch27: exim-4.87-environment.patch
# Upstream ticket: https://bugs.exim.org/show_bug.cgi?id=2016
# Upsream patch: https://git.exim.org/exim.git/patch/bd8fbe3606d80e5a3fc02fe71b521146c6938448
Patch28: exim-4.88-DKIM-fix.patch
Patch0: exim-4.96-config.patch
Patch1: exim-4.94-libdir.patch
Patch2: exim-4.96-dlopen-localscan.patch
Patch3: exim-4.96-pic.patch
# https://bugs.exim.org/show_bug.cgi?id=2728
Patch4: exim-4.96-opendmarc-1.4-build-fix.patch
# https://bugs.exim.org/show_bug.cgi?id=2899
Patch5: exim-4.96-build-fix.patch
Requires: /etc/pki/tls/certs /etc/pki/tls/private
Requires: /etc/aliases
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
BuildRequires: libdb-devel openssl-devel openldap-devel pam-devel
BuildRequires: pcre-devel sqlite-devel tcp_wrappers-devel cyrus-sasl-devel
%if %{with sa}
BuildRequires: lynx
%endif
BuildRequires: pcre2-devel sqlite-devel tcp_wrappers-devel cyrus-sasl-devel
BuildRequires: libspf2-devel libopendmarc-devel
BuildRequires: openldap-devel openssl-devel mysql-devel postgresql-devel
BuildRequires: libXaw-devel libXmu-devel libXext-devel libX11-devel libSM-devel
BuildRequires: perl-devel
BuildRequires: perl-generators
BuildRequires: libICE-devel libXpm-devel libXt-devel perl(ExtUtils::Embed)
BuildRequires: systemd-units libgsasl-devel
BuildRequires: systemd-units libgsasl-devel grep
%description
Exim is a message transfer agent (MTA) developed at the University of
@ -88,7 +85,6 @@ routed, and there are extensive facilities for checking incoming
mail. Exim can be installed in place of sendmail, although the
configuration of exim is quite different to that of sendmail.
%if 0%{?fedora} < 23
%package sysvinit
Summary: SysV initscript for Exim
Group: System Environment/Daemons
@ -99,7 +95,6 @@ Requires(post): chkconfig
%description sysvinit
This package contains the SysV initscript for Exim.
%endif
%package mysql
Summary: MySQL lookup support for Exim
@ -127,6 +122,18 @@ displays information about Exim's processing in an X window, and an
administrator can perform a number of control actions from the window
interface.
%if %{with sa}
%package sa
Summary: Exim SpamAssassin at SMTP time - d/l plugin
Group: System Environment/Daemons
Requires: exim = %{version}-%{release}
%description sa
The exim-sa package is an old method for allowing SpamAssassin to be run on
incoming mail at SMTP time. It is deprecated in favour of the built-in ACL
support for content scanning.
%endif
%if %{with clamav}
%package clamav
Summary: Clam Antivirus scanner dæmon configuration for use with Exim
@ -153,7 +160,6 @@ For further details of Exim content scanning, see chapter 41 of the Exim
specification:
http://www.exim.org/exim-html-%{version}/doc/html/spec_html/ch41.html
%if 0%{?fedora} < 23
%package clamav-sysvinit
Summary: SysV initscript for Clam Antivirus scanner for Exim
Group: System Environment/Daemons
@ -165,12 +171,11 @@ Requires(post): chkconfig
%description clamav-sysvinit
This package contains the SysV initscript.
%endif
%endif
%package greylist
Summary: Example configuration for greylisting using Exim
Group: System Environment/Daemons
Requires: sqlite exim
Requires: sqlite exim
Requires: crontabs
%description greylist
@ -190,34 +195,33 @@ a list of 'offended' which it's committed, which may include having
SpamAssassin points, lacking a Message-ID: header, coming from a blacklisted
host, etc. There are examples of these in the default configuration file,
mostly commented out. These should be sufficient for you to you trigger
greylisting for whatever 'offences' you can dream of, or even to make
greylisting for whatever 'offences' you can dream of, or even to make
greylisting unconditional.
%prep
%setup -q
%if %{with sa}
%setup -q -T -D -a 13
%endif
%patch4 -p1 -b .rhl
%patch6 -p1 -b .config
%patch8 -p1 -b .libdir
%patch12 -p1 -b .cyrus
%patch13 -p1 -b .pam
%patch14 -p1 -b .spamd
%patch18 -p1 -b .dl
%patch19 -p1 -b .procmail
%patch20 -p1 -b .filter
%patch21 -p1 -b .localhost
%patch22 -p1 -b .grey
%patch23 -p1 -b .smarthost
%patch25 -p1 -b .dynconfig
%patch26 -p1 -b .fpic
%patch27 -p1 -b .environment
%patch28 -p1 -b .DKIM-fix
%patch0 -p1 -b .config
%patch1 -p1 -b .libdir
%patch2 -p1 -b .dl
%patch3 -p1 -b .fpic
%patch4 -p1 -b .opendmarc-1.4-build-fix
%patch5 -p1 -b .build-fix
cp src/EDITME Local/Makefile
sed -i 's@^# LOOKUP_MODULE_DIR=.*@LOOKUP_MODULE_DIR=%{_libdir}/exim/%{version}-%{release}/lookups@' Local/Makefile
sed -i 's@^# AUTH_LIBS=-lsasl2@AUTH_LIBS=-lsasl2@' Local/Makefile
cp exim_monitor/EDITME Local/eximon.conf
# Workaround for rhbz#1791878
pushd doc
for f in $(ls -dp cve-* | grep -v '/\|\(\.txt\)$'); do
mv "$f" "$f.txt"
done
popd
%build
%ifnarch s390 s390x sparc sparcv9 sparcv9v sparc64 sparc64v
@ -227,7 +231,14 @@ cp exim_monitor/EDITME Local/eximon.conf
export PIE=-fPIE
export PIC=-fPIC
%endif
make _lib=%{_lib} FULLECHO= LDFLAGS="%{?__global_ldflags} %{?_hardened_build:-pie -Wl,-z,relro,-z,now}"
make _lib=%{_lib} FULLECHO=
%if %{with sa}
# build sa-exim
cd sa-exim*
perl -pi -e 's|\@lynx|HOME=/ /usr/bin/lynx|g;' Makefile
make SACONF=%{_sysconfdir}/exim/sa-exim.conf CFLAGS="$RPM_OPT_FLAGS -fPIC"
%endif
%install
rm -rf $RPM_BUILD_ROOT
@ -293,10 +304,8 @@ pod2man --center=EXIM --section=8 \
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
install -m 644 %SOURCE3 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/exim
%if 0%{?fedora} < 23
mkdir -p $RPM_BUILD_ROOT%{_initrddir}
install %SOURCE2 $RPM_BUILD_ROOT%{_initrddir}/exim
%endif
# Systemd
mkdir -p %{buildroot}%{_unitdir}
@ -314,6 +323,15 @@ install -m 0644 %SOURCE4 $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/exim
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily
install -m 0755 %SOURCE5 $RPM_BUILD_ROOT%{_sysconfdir}/cron.daily/exim-tidydb
%if %{with sa}
# install sa
cd sa-exim*
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/exim
install *.so $RPM_BUILD_ROOT%{_libexecdir}/exim
install -m 644 *.conf $RPM_BUILD_ROOT%{_sysconfdir}/exim
ln -s sa-exim*.so $RPM_BUILD_ROOT%{_libexecdir}/exim/sa-exim.so
%endif
# generate ghost .pem file
mkdir -p $RPM_BUILD_ROOT/etc/pki/tls/{certs,private}
touch $RPM_BUILD_ROOT/etc/pki/tls/{certs,private}/exim.pem
@ -338,9 +356,7 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/clamd.d
clamsubst clamd.conf %{_sysconfdir}/clamd.d/exim.conf exim exim \
's!^##*\(\(LogFile\|LocalSocket\|PidFile\|User\)\s\|\(StreamSaveToDisk\|ScanMail\|LogTime\|ScanArchive\)$\)!\1!;s!^Example!#Example!;'
%if 0%{?fedora} < 23
clamsubst clamd.init %{_initrddir}/clamd.exim exim exim ''
%endif
clamsubst clamd.logrotate %{_sysconfdir}/logrotate.d/clamd.exim exim exim ''
cat <<EOF > $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/clamd.exim
CLAMD_CONFIG='%_sysconfdir/clamd.d/exim.conf'
@ -348,8 +364,8 @@ CLAMD_SOCKET=%{_var}/run/clamd.exim/clamd.sock
EOF
ln -sf clamd $RPM_BUILD_ROOT/usr/sbin/clamd.exim
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %{SOURCE12} %{buildroot}%{_tmpfilesdir}/exim-clamav.conf
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
install -m 0644 %{SOURCE12} %{buildroot}%{_sysconfdir}/tmpfiles.d/exim-clamav.conf
mkdir -p $RPM_BUILD_ROOT%{_var}/run/clamd.exim
mkdir -p $RPM_BUILD_ROOT%{_var}/log
touch $RPM_BUILD_ROOT%{_var}/log/clamd.exim
@ -367,6 +383,9 @@ touch $RPM_BUILD_ROOT/%_var/spool/exim/db/greylist.db
%clean
rm -rf $RPM_BUILD_ROOT
%check
build-`scripts/os-type`-`scripts/arch-type`/exim -C src/configure.default -bV
%pre
%{_sbindir}/groupadd -g 93 exim 2>/dev/null
%{_sbindir}/useradd -d %{_var}/spool/exim -s /sbin/nologin -G mail -M -r -u 93 -g exim exim 2>/dev/null
@ -414,7 +433,6 @@ fi
/sbin/chkconfig --del exim >/dev/null 2>&1 || :
/bin/systemctl try-restart exim.service >/dev/null 2>&1 || :
%if 0%{?fedora} < 23
%triggerpostun -n exim-sysvinit -- exim < %{sysv2systemdnvr}
/sbin/chkconfig --add exim >/dev/null 2>&1 || :
@ -429,7 +447,6 @@ fi
%postun sysvinit
[ "$1" -ge "1" ] && %{_initrddir}/exim condrestart >/dev/null 2>&1 ||:
%endif
%post greylist
if [ ! -r %{_var}/spool/exim/db/greylist.db ]; then
@ -486,8 +503,7 @@ fi
%config(noreplace) %{_sysconfdir}/pam.d/exim
%{_sysconfdir}/cron.daily/exim-tidydb
%license LICENCE NOTICE
%doc ACKNOWLEDGMENTS README.UPDATING README
%doc ACKNOWLEDGMENTS LICENCE NOTICE README.UPDATING README
%doc doc util/unknownuser.sh
%attr(0600,root,root) %ghost %config(missingok,noreplace) %verify(not md5 size mtime) /etc/pki/tls/certs/exim.pem
@ -503,11 +519,9 @@ fi
%ghost %{_sysconfdir}/pam.d/smtp
%ghost %{_mandir}/man1/mailq.1.gz
%if 0%{?fedora} < 23
%files sysvinit
%defattr(-,root,root,-)
%{_initrddir}/exim
%endif
%files mysql
%defattr(-,root,root,-)
@ -522,9 +536,18 @@ fi
%{_sbindir}/eximon
%{_sbindir}/eximon.bin
%if %{with sa}
%files sa
%defattr(-,root,root)
%{_libexecdir}/exim
%config(noreplace) %{_sysconfdir}/exim/sa-*.conf
%doc sa-exim*/*.html
%doc sa-exim*/{ACKNOWLEDGEMENTS,INSTALL,LICENSE,TODO}
%endif
%if %{with clamav}
%post clamav
/bin/mkdir -p 0750 %{_var}/run/clamd.exim
/bin/mkdir -pm 0750 %{_var}/run/clamd.exim
/bin/chown exim:exim %{_var}/run/clamd.exim
/bin/touch %{_var}/log/clamd.exim
/bin/chown exim.exim %{_var}/log/clamd.exim
@ -551,7 +574,6 @@ fi
/sbin/chkconfig --del clamd.exim >/dev/null 2>&1 || :
/bin/systemctl try-restart clamd.exim.service >/dev/null 2>&1 || :
%if 0%{?fedora} < 23
%triggerpostun -n exim-clamav-sysvinit -- exim < %{sysv2systemdnvr}
/sbin/chkconfig --add clamd.exim >/dev/null 2>&1 ||:
@ -564,7 +586,6 @@ test "$1" != 0 || /sbin/chkconfig --del clamd.exim >/dev/null 2>&1 || :
%postun clamav-sysvinit
test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
%endif
%files clamav
%defattr(-,root,root,-)
@ -573,16 +594,14 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
%config(noreplace) %verify(not mtime) %{_sysconfdir}/clamd.d/exim.conf
%config(noreplace) %verify(not mtime) %{_sysconfdir}/sysconfig/clamd.exim
%config(noreplace) %verify(not mtime) %{_sysconfdir}/logrotate.d/clamd.exim
%{_tmpfilesdir}/exim-clamav.conf
%config(noreplace) %{_sysconfdir}/tmpfiles.d/exim-clamav.conf
%ghost %attr(0750,exim,exim) %dir %{_var}/run/clamd.exim
%ghost %attr(0644,exim,exim) %{_var}/log/clamd.exim
%if 0%{?fedora} < 23
%files clamav-sysvinit
%defattr(-,root,root,-)
%attr(0755,root,root) %config %{_initrddir}/clamd.exim
%endif
%endif
%files greylist
%defattr(-,root,root,-)
@ -592,77 +611,144 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || :
%{_sysconfdir}/cron.daily/greylist-tidy.sh
%changelog
* Fri Aug 19 2022 Jaroslav Škarvada <jskarvad@redhat.com> - 4.96-1
- New version
Resolves: rhbz#2119687
* Thu Jun 23 2022 Jaroslav Škarvada <jskarvad@redhat.com> - 4.95-1
- New version
Resolves: rhbz#2100385
* Tue May 4 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94.2-1
- New version
* Mon Apr 12 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-3
- Release bump to fix greylisting
* Thu Mar 25 2021 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-2
- Fixed cname handling in TLS certificate verification
Resolves: rhbz#1942583
* Mon Jun 1 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.94-1
- New version
Resolves: rhbz#1842590
- Used Exim maintainers keyring for GPG verification
- Dropped CVE-2020-12783 patch (upstreamed)
- Used better workaround for rhbz#1791878
Resolves: rhbz#1842633
* Fri May 15 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-3
- Fixed out-of-bounds read in the SPA authenticator
Resolves: CVE-2020-12783
* Wed Apr 29 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-2
- Enabled spf2 and opendmarc support
Resolves: rhbz#1829076
* Fri Mar 20 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 4.93-1
- Rebased to 4.93
Resolves: rhbz#1827425
* Mon Sep 30 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92.3-1
- New version
Resolves: rhbz#1756656
Resolves: CVE-2019-16928
* Fri Sep 6 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92.2-1
- New version
Resolves: CVE-2019-15846
* Tue Aug 20 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92.1-1
- New version
Resolves: rhbz#1742312
* Tue Jun 4 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.92-1
- New version
- De-fuzzified patches
* Wed Mar 27 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 4.91-3
- Enabled DANE support
Resolves: rhbz#1693202
- De-fuzzified support-proxies patch
* Wed Feb 20 2019 Marcel Härry <mh+fedora@scrit.ch> - 4.91-2
- Enable proxy and socks support Resolves: rhbz#1542870
* Mon Aug 20 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.91-1
- New version
Resolves: rhbz#1615158
- Dropped dynlookup-config patch (merged into config patch)
- Dropped dec64table-read-fix patch (already upstream)
- De-fuzzified patches
* Wed Mar 14 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-3
- Fixed dec64table OOB read in b64decode
* Fri Feb 16 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-2
- Fixed undefined symbols in mysql module
* Tue Feb 13 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 4.90.1-1
- New version
Resolves: rhbz#1527710
- Fixed buffer overflow in utility function
Resolves: CVE-2018-6789
- Updated and defuzzified patches
- Dropped mariadb-macro-fix patch (not needed)
- Dropped CVE-2017-1000369, calloutsize, CVE-2017-16943,
CVE-2017-16944 patches (all upstreamed)
* Fri Dec 1 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-4
- Fixed denial of service
Resolves: CVE-2017-16944
* Mon Nov 27 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-3
- Fixed use-after-free
Resolves: CVE-2017-16943
* Fri Aug 18 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-2
- Fixed compilation with the mariadb-10.2
Resolves: rhbz#1467312
- Fixed multiple memory leaks
Resolves: CVE-2017-1000369
- Fixed typo causing exim-clamav to create /0750 directory
Resolves: rhbz#1412028
- On callout avoid SIZE option when doing recipient verification with
caching enabled
Resolves: rhbz#1482217
- Fixed some minor whitespace problems in the spec
* Wed Mar 8 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.89-1
- New version
Resolves: rhbz#1428141
- Switched to xz archive
- Dropped DKIM-fix patch (already upstream)
* Mon Jan 23 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.88-3
- Fixed DKIM
- Defuzzified patches and fixed some whitespaces
* Sat Jan 14 2017 Ville Skyttä <ville.skytta@iki.fi> - 4.88-2
- Move tmpfiles.d config to %%{_tmpfilesdir}
- Install license files as %%license
* Mon Jan 2 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.88-2
- Fixed changelog and sources
* Sun Dec 25 2016 David Woodhouse <dwmw2@infradead.org> - 4.88-1
- Update to 4.88 (CVE-2016-9963 / rhbz#1405323)
* Mon Jan 2 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 4.88-1
- New version
- Fixed DKIM private key leakage
Resolves: CVE-2016-9963
* Thu Jun 9 2016 Jaroslav Škarvada <jskarvad@redhat.com> - 4.87-5
- Allow configuration of user:group through sysconfig
Resolves: rhbz#1344250
* Sat May 14 2016 Jitka Plesnikova <jplesnik@redhat.com> - 4.87-4
- Perl 5.24 rebuild
* Wed May 4 2016 Jaroslav Škarvada <jskarvad@redhat.com> - 4.87-3
- Dropped sa-exim which has been obsoleted long time ago by the proper
built-in ACL support
- Unconditionalized sources
Resolves: rhbz#1332211
* Mon Apr 18 2016 Jaroslav Škarvada <jskarvad@redhat.com> - 4.87-2
* Mon Apr 18 2016 Jaroslav Škarvada <jskarvad@redhat.com> - 4.84.2-2
- Used sane environment defaults in default configuration
Resolves: rhbz#1323775
* Sun Apr 10 2016 Jaroslav Škarvada <jskarvad@redhat.com> - 4.87-1
- New version
Resolves: rhbz#1325557
* Thu Mar 3 2016 Jaroslav Škarvada <jskarvad@redhat.com> - 4.86.2-1
- New version
* Thu Mar 3 2016 Jaroslav Škarvada <jskarvad@redhat.com> - 4.84.2-1
- New version (security bug fix release)
Resolves: rhbz#1314118
- Fixed local privilege escalation for set-uid root when using perl_startup
Resolves: CVE-2016-1531
- Defuzzified patches
* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 4.86-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Nov 2 2015 Jaroslav Škarvada <jskarvad@redhat.com> - 4.86-3
- Fixed exim-gen-cert not to output error on success
* Fri Sep 18 2015 Jaroslav Škarvada <jskarvad@redhat.com> - 4.86-2
- Hardened build, rebuilt with the full RELRO (only the daemon)
* Mon Jul 27 2015 Jaroslav Škarvada <jskarvad@redhat.com> - 4.86-1
- New version
Resolves: rhbz#1246923
- Updated and defuzzified patches
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.85-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 4.85-4
- Perl 5.22 rebuild
* Tue Mar 10 2015 Adam Jackson <ajax@redhat.com> 4.85-3
- Drop sysvinit subpackages for F23+
* Tue Feb 10 2015 Jaroslav Škarvada <jskarvad@redhat.com> - 4.85-2
- Shared objects are now compiled with PIC, not PIE, which is needed for gcc-5,
(by pic patch)
Resolves: rhbz#1190784
* Tue Jan 13 2015 Jaroslav Škarvada <jskarvad@redhat.com> - 4.85-1
- New version
Resolves: rhbz#1181479
- De-fuzzified config and dlopen-localscan patches
* Mon Dec 7 2015 Jaroslav Škarvada <jskarvad@redhat.com> - 4.84-5
- MIME crash fix (by mime-fix patch)
Resolves: rhbz#1289056
* Fri Oct 10 2014 Jaroslav Škarvada <jskarvad@redhat.com> - 4.84-4
- Do not override LFLAGS (problem reported by Todd Lyons)

3
sources
View File

@ -1 +1,2 @@
SHA512 (exim-4.88.tar.bz2) = ea094bf703628c201de119fc5f09539475e52158e935f8f2a9e4138c4a1bfe885017145c3cc5e22aa9087b195091955c69385ebf1ea0baec64ed5c1b8e3b1caf
SHA512 (sa-exim-4.2.tar.gz) = 2c1839c4d897bf65d19c754bbc9dc0674276ccad4a564c639591396afc23f1456decceec94817f62ee9b688f5d6d90436d3d47c869e04a69c955b1376c9fbd7b
SHA512 (exim-4.96.tar.xz) = 6b863661465a0b9897c1b71875c5196a1903cf560dd85de45b08242b9731edb2bc10eb56945d62e477e5d15cc7a8d493915bff2ca81689673a8091c66f62c89e