Jeremy Harris [Sun, 15 Jun 2014 14:48:55 +0000 (15:48 +0100)]
Fix testcase 0373
A readsocket expansion against a unix-domain socket which is
immediately closed. This gave variable results does to the race of
the write into the client-end versus the close at the server end.
Insert under-testsuite delays to assure sequencing; the testcase
now specifically looks for a write into a closed peer.
Todd Lyons [Mon, 26 May 2014 19:14:16 +0000 (12:14 -0700)]
SECURITY: DMARC uses From header untrusted data
CVE-2014-2957
To find the sending domain, expand_string() was used to directly parse
the contents of the From header. This passes untrusted data directly
into an internal function. Convert to use standard internal parsing
functions.
Jeremy Harris [Mon, 26 May 2014 09:35:50 +0000 (10:35 +0100)]
Restrict certificate name checkin for wildcards.
On more recent OpenSSL library versions the builtin wildcard checking
can take a restriction option that we want, to disallow the more
complex possibilities of wildcarding.
Todd Lyons [Thu, 22 May 2014 20:24:42 +0000 (13:24 -0700)]
Bug 1394: Document how to do per host conn limits
Since the max connections per host setting is computed and enforced
in the master listening process before the fork, there is no easy
way to get an accurate connection count once the Proxy Protocol
negotiation has been done (i.e. in a child process, after the
fork). Rather than try to use a shared mmap file using CAS in the
children to manipulate it, we just advise of a crude version of
max connections per IP be achieved by using ratelimit per_conn in
the connect ACL.
Todd Lyons [Mon, 12 May 2014 23:15:07 +0000 (16:15 -0700)]
Bug 1394: PPv2 header modifed
The HAProxy dev team adjusted the layout of the 16 byte header to allow
it to be used for SSL connections. Had to adjust PPv2 handling code
and perl proxy emulation script.
Added link to this HAProxy commit in the documentation.
Jeremy Harris [Sun, 4 May 2014 17:28:51 +0000 (18:28 +0100)]
Fix build with OpenSSL on earlier versions.
Centos 6.5 and earlier had a build fail with GENERAL_NAME etc. undefined.
Just include the file defining it even if it's a duplicate on later versions.
GnuTLS early versions (pre 3.0.0 ?) fail to send a reasonable
client-cert request when tls_verify_certificates is an empty file.
Since the test is for missing *server* certs (tls_certificate)
avoid this by pointing to a real (if non-verifying) cert in
tls_verify_certificates.
Jeremy Harris [Sun, 20 Apr 2014 15:44:52 +0000 (16:44 +0100)]
Add options dnssec_request_domains, dnssec_require_domains to the dnslookup router
Note there are no testsuite cases included.
TODO in this area:
- dnssec during verify-callouts
- dnssec during dnsdb expansions
- dnssec on the forward lookup of a verify=helo and verify=reverse_host_lookup
- observability of status of requested dnssec
Jeremy Harris [Sun, 20 Apr 2014 15:44:52 +0000 (16:44 +0100)]
Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455
The split of these variables into _in and _out sets introduced by d9b231
in 4.82 was incomplete, leaving the deprecated legacy variables nonfunctional
during a transport and associated client authenticator.
Fix by repointing the legacy set to the outbound connection set at
transport startup (and do not clear out the inbound set at this
time, either).
Change recv() to not use MSGPEEK and eliminated flush_input().
Add proxy_target_address/port expansions.
Convert ipv6 decoding to memmove().
Use sizeof() for variable sizing.
Correct struct member access.
Enhance debug output when passed invalid command/family.
Add to and enhance documentation.
Client script to test Proxy Protocol, interactive on STDIN/STDOUT,
so can be chained (ie a swaks pipe), useful for any service, not
just Exim and/or smtp.
Jeremy Harris [Fri, 18 Apr 2014 13:21:59 +0000 (14:21 +0100)]
Fix logging of nomail
When built with TLS support, non-TLS connections not resulting in mail transfer were crashing while
building a log line. Fix by not returning a non-extensible string from the routine added in 67d81c1.
Phil Pennock [Wed, 16 Apr 2014 06:25:45 +0000 (23:25 -0700)]
Bail configuration on missing package
If we're configured to use pkg-config (or pcre-config) and the tool is
not available or does not know about the package we ask for, that should
be a fatal configuration error.
We should not silently ignore the missing package, then try to compile,
and have missing header warnings from the compiler. Eg, if we're told
to support GSASL, we'll try to compile the client code, and without
compiler flags, we'll either fail to compile (missing headers) or fail
to link, which obscures the source of the errors.
This change will only break people who had builds set to have Exim
depend upon non-existent packages, and that _needs_ to break.
Phil Pennock [Wed, 16 Apr 2014 02:43:31 +0000 (19:43 -0700)]
Report OpenSSL build date too.
Adjust `-d -bV` output for OpenSSL to include library build date.
Some OS packagers have backported heartbleed security fixes without
changing anything in the reported version number. The closest we can
get to a reassuring sign for administrators is to report the OpenSSL
library build date, as picked by the library which Exim is using at run
time.
For comparison, the version information for OpenSSL on Ubuntu (where
Exim is by default built with GnuTLS, but this provides for context for
comparison):
```
$ openssl version -v -b
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 7 20:33:29 UTC 2014
```
GnuTLS: the closest I can find to a runtime value is the call we are
already making; if an OS vendor patches GnuTLS without changing the
version which would be returned by `gnutls_check_version(NULL)` then the
sysadmin is SOL and will have to explore library linkages more
carefully.