Phil Pennock [Tue, 2 Apr 2013 16:37:03 +0000 (12:37 -0400)]
Ensure OpenSSL entropy state reset across forks.
Note that this function is never going to be called pre-fork unless the
admin is doing something highly unusual with ${randint:..} in a context
evaluated in the listening daemon. Other forks should result in a
re-exec(), thus resetting state.
Nonetheless, be more cautious, explicitly reset state.
Fix per PostgreSQL.
PS: why does OpenSSL not document RAND_cleanup() on the same page as all
the other entropy pool maintenance functions?
J. Nick Koston [Sat, 30 Mar 2013 07:22:53 +0000 (02:22 -0500)]
Add the force_command option to the pipe transport
Normally when a router redirects an address directly to a pipe command
the command option on the transport is ignored. If force_command
is set, the command option will expanded and used. This is especially
useful for forcing a wrapper or additional argument to be added to the
command.
Phil Pennock [Wed, 13 Mar 2013 23:48:22 +0000 (19:48 -0400)]
OpenSSL fix empty tls_verify_certificates.
New behaviour matches GnuTLS handling, and is documented.
Previously, a tls_verify_certificates expansion forced failure was the
only portable way to avoid setting this option. Now, an empty string is
equivalent.
Phil Pennock [Sun, 23 Dec 2012 19:23:01 +0000 (14:23 -0500)]
gen_pkcs3: add comment explaining rationale
Wondering why you wrote some code and having to grep the source code to find out,
in the same year that you wrote it, is generally a sign of missing information.
Phil Pennock [Mon, 10 Dec 2012 00:23:06 +0000 (19:23 -0500)]
OCSP/SNI: set correct callback.
Caught by Jeremy; was wrong in (my) original commit, the dual-TLS work
had just renamed the variables and theoretically made it more visible.
I still missed it.
The server_sni context initialisation was setting the OCSP status
callback context parameter back on the original server_ctx instead of
the new server_sni context.
I guess OCSP and SNI aren't being used together in Exim much yet.
Tony Finch [Fri, 7 Dec 2012 17:44:42 +0000 (17:44 +0000)]
Avoid spurious rebuilds of the dynamic lookups Makefile.
This was noticable when re-building as a non-privileged user
after installing as root; lookups/Makefile had been rebuilt
by root and when it was rebuilt again by the unprivileged user
`mv` demanded confirmation before overwriting the file.
Tony Finch [Fri, 7 Dec 2012 11:49:15 +0000 (11:49 +0000)]
More test updates following the retry fix.
Most of these are due to the changes in the logging of
ultimate timeout checks.
Test 0548 is more meaningfully affected. The test originally
failed to spot that the recipient-specific deferrals pushed
past the ultimate retry timeout.
Tony Finch [Thu, 6 Dec 2012 19:28:27 +0000 (19:28 +0000)]
Fix my earlier "fix" for intermittently deliverable recipients.
Only do the ultimate address timeout check if there is an address
retry record and there is not a domain retry record; this implies
that previous attempts to handle the address had the retry_use_local_parts
option turned on. We use this as an approximation for the destination
being like a local delivery, as in LMTP.
Tony Finch [Thu, 6 Dec 2012 19:11:28 +0000 (19:11 +0000)]
Correct gecos expansion when From: is a prefix of the username.
Test 0254 submits a message to Exim with the header
Resent-From: f
When I ran the test suite under the user fanf2, Exim expanded
the header to contain my full name, whereas it should have added
a Resent-Sender: header. It erroneously treats any prefix of the
username as equal to the username.
Tony Finch [Thu, 29 Nov 2012 18:39:52 +0000 (18:39 +0000)]
Fix ultimate retry timeouts for intermittently deliverable recipients.
When a queue runner is handling a message, Exim first routes the
recipient addresses, during which it prunes them based on the retry
hints database. After that it attempts to deliver the message to
any remaining recipients. It then updates the hints database using
the retry rules.
So if a recipient address works intermittently, it can get repeatedly
deferred at routing time. The retry hints record remains fresh so the
address never reaches the final cutoff time.
This is a fairly common occurrence when a user is bumping up against
their storage quota. Exim had some logic in its local delivery code
to deal with this. However it did not apply to per-recipient defers
in remote deliveries, e.g. over LMTP to a separate IMAP message store.
This commit adds a proper retry rule check during routing so that
the final cutoff time is checked against the message's age. I also
took the opportunity to unify three very similar blocks of code.
I suspect this new check makes the old local delivery cutoff check
redundant, but I have not verified this so I left the code in place.
Jeremy Harris [Fri, 23 Nov 2012 00:52:43 +0000 (00:52 +0000)]
Check syscall return values.
Mostly just compiler-quietening rather than intelligent error-handling.
This deals with complaints of "attribute warn_unused_result" during an rpm
build for SL6 (probably for Fedora also).
Phil Pennock [Tue, 20 Nov 2012 04:44:33 +0000 (23:44 -0500)]
Dovecot: robustness; better msg on missing mech.
If the dovecot protocol response doesn't include the MECH message for
the SMTP AUTH protocol the client has requested, that's not a protocol
failure, don't log it as such. Instead, explicitly log that it didn't
advertise the mechanism we're looking for. This lets administrators fix
either their Exim or their Dovecot configurations.
Also: make the Dovecot handling more resistant to bad data from the auth
server; handle too many fields with debug-log message to explain what's
going on, permit lines of 8192 length per spec and detect if the line is
too long, so that we can fail auth instead of becoming unsynchronised.
Stop using the CUID from the server as the AUTH id counter. They're
different, by my reading of the spec.
TESTED: works against Dovecot 2.1.10.
Thanks to Brady Catherman for reporting the problem with diagnosis.
We need to leave $auth1 available after the authenticator returns, so
that server_set_id can be evaluated by the caller. We need to do this
whether we succeed or fail, because server_set_id only makes it into
$authenticated_id if we return OK, but is logged regardless.
Updated test config to set server_set_id; updated logs.
Jeremy Harris [Mon, 29 Oct 2012 22:14:16 +0000 (22:14 +0000)]
Track ACL context through ${acl expansions. Bug 1305.
Rather than pass "where" around all the string-expansion calls I've
used a global; and unpleasant mismatch with the existing "where"
tracking done for nested ACL calls.
Phil Pennock [Thu, 25 Oct 2012 03:26:29 +0000 (23:26 -0400)]
SECURITY: DKIM DNS buffer overflow protection
CVE-2012-5671
malloc/heap overflow, with a 60kB window of overwrite.
Requires DNS under control of person sending email, leaves plenty of
evidence, but is very likely exploitable on OSes that have not been
well hardened.
Phil Pennock [Wed, 17 Oct 2012 21:40:38 +0000 (17:40 -0400)]
Example tune for clarity (reverse_ip)
Use a last octet which will highlight the hex nature in the example.
> ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.127}
f.7.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2
Phil Pennock [Thu, 4 Oct 2012 02:00:13 +0000 (22:00 -0400)]
Releases signed by Phil's key, not Nigel's.
State a more general policy of PGP signing, mention trust paths, cite
the main public keyserver pool, provide a link to a trustpath display
between Nigel's key and Phil's.
Provide Phil's current PGP keyid (noting will change in 2013).
Bounce via a redirector, on Phil's security site, because:
(1) xfpt barfs on &url(..) where the URL contains an ampersand
(2) No ampersands means less debugging across various platforms
(3) The redirector is https: with a public cert, where www.exim.org
does not have a cert (with that name, at this time).
All keys cited in 0xLong form (16 hex characters).
Nits:
(1) URL is given with https:// on one line, the rest on the next
(2) using alt text does not give the URL in the .txt format, despite
the docs, because we build .txt from w3m -dump, so the HTML form is
used.
(3) Ideally, we'll get around to having https://www.exim.org/ exist and
be usable for this redirect.
Side-effects:
(1) My name is in The Spec for the first time. :)
Phil Pennock [Wed, 12 Sep 2012 00:14:42 +0000 (20:14 -0400)]
Minor doc nits re bug 1262.
Update src comment to be clearer about why it's safe for "state of this transport" to affect other deliveries.
Mention change in externally observable state in README.UPDATING.
Reference bugzilla entry in ChangeLog.
Update Paul's credit in ACKNOWLEDGMENTS.