Diffstat (limited to 'src')
-rw-r--r-- | src/src/dkim.c | 1 | ||||
-rw-r--r-- | src/src/exim.h | 8 | ||||
-rw-r--r-- | src/src/functions.h | 2 | ||||
-rw-r--r-- | src/src/globals.c | 2 | ||||
-rw-r--r-- | src/src/readconf.c | 57 | ||||
-rw-r--r-- | src/src/route.c | 6 | ||||
-rw-r--r-- | src/src/smtp_in.c | 4 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 27 | ||||
-rw-r--r-- | src/src/transport.c | 8 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 16 |
10 files changed, 80 insertions, 51 deletions
diff --git a/src/src/dkim.c b/src/src/dkim.c index 3fa11c800..70c9547ec 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -612,6 +612,7 @@ while ((dkim_signing_domain = string_nextinlist(&dkim_domain, &sep, CS dkim_private_key_expanded, PDKIM_ALGO_RSA_SHA256, dkim->dot_stuffed); + dkim_private_key_expanded[0] = '\0'; pdkim_set_optional(ctx, CS dkim_sign_headers_expanded, NULL, diff --git a/src/src/exim.h b/src/src/exim.h index 9ae96b2a0..d03b48c66 100644 --- a/src/src/exim.h +++ b/src/src/exim.h @@ -551,10 +551,16 @@ union sockaddr_46 { }; /* If SUPPORT_TLS is not defined, ensure that USE_GNUTLS is also not defined -so that if USE_GNUTLS *is* set, we can assume SUPPORT_TLS is also set. */ +so that if USE_GNUTLS *is* set, we can assume SUPPORT_TLS is also set. +Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */ #ifndef SUPPORT_TLS # undef USE_GNUTLS +# ifndef DISABLE_OCSP +# define DISABLE_OCSP +# endif +# undef EXPERIMENTAL_CERTNAMES +# undef AUTH_TLS #endif /* If SPOOL_DIRECTORY, LOG_FILE_PATH or PID_FILE_PATH have not been defined, diff --git a/src/src/functions.h b/src/src/functions.h index cc4e22b2e..04d941034 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -317,7 +317,7 @@ extern void readconf_driver_init(uschar *, driver_instance **, driver_info *, int, void *, int, optionlist *, int); extern uschar *readconf_find_option(void *); extern void readconf_main(BOOL); -extern void readconf_options_from_list(optionlist *, unsigned, uschar *); +extern void readconf_options_from_list(optionlist *, unsigned, const uschar *, uschar *); extern void readconf_options_routers(void); extern void readconf_options_transports(void); extern void readconf_print(uschar *, uschar *, BOOL); diff --git a/src/src/globals.c b/src/src/globals.c index 23bd6900c..55d9e98ae 100644 --- a/src/src/globals.c +++ b/src/src/globals.c 
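Review bot: The added `dkim_private_key_expanded[0] = '\0';` only truncates the string; the rest of the expanded private key stays in the buffer. If the goal is to stop a later domain in the `while` loop from silently reusing the previous iteration's key, a comment such as `/* Forget this key so the next domain cannot inherit it */` would make that clear; if the goal is to scrub the key from memory, the whole buffer needs clearing with a call the compiler cannot drop (`explicit_bzero` where available, or `memset` followed by a use). The enclosing `while` loop starts and ends outside the hunk.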
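Review bot: The new comment misspells OCSP as "OSCP"; it should read `Likewise, OCSP, AUTH_TLS and CERTNAMES cannot be supported.`. The added `# undef EXPERIMENTAL_CERTNAMES` and `# undef AUTH_TLS` also silently discard settings a builder may have enabled in the local Makefile; a `#warning`, or at least a comment stating that these are ignored without SUPPORT_TLS, would make a puzzling build easier to diagnose.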
@@ -153,7 +153,7 @@ that's the interop problem which has been observed: GnuTLS suggesting a higher bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */ int tls_dh_max_bits = 2236; uschar *tls_dhparam = NULL; -uschar *tls_eccurve = US"prime256v1"; +uschar *tls_eccurve = US"auto"; # ifndef DISABLE_OCSP uschar *tls_ocsp_file = NULL; # endif diff --git a/src/src/readconf.c b/src/src/readconf.c index 21328bd3a..c5bd41d47 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c 
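Review bot: Changing the `tls_eccurve` default to `US"auto"` affects every TLS backend that reads the variable, but the diffstat shows only tls-openssl.c being taught the special value; if the GnuTLS backend hands `tls_eccurve` to a curve lookup, the new default would need an equivalent "auto" case there — worth confirming before merging. A comment on the definition, e.g. `/* "auto" is mapped to library-side curve selection by the TLS backend */`, would document the magic value next to its default.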
@@ -796,76 +796,76 @@ due to conflicts with other common macros. */ #endif #ifdef LOOKUP_LSEARCH - macro_create(US"_HAVE_LKUP_LSEARCH", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_LSEARCH", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_CDB - macro_create(US"_HAVE_LKUP_CDB", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_CDB", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_DBM - macro_create(US"_HAVE_LKUP_DBM", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_DBM", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_DNSDB - macro_create(US"_HAVE_LKUP_DNSDB", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_DNSDB", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_DSEARCH - macro_create(US"_HAVE_LKUP_DSEARCH", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_DSEARCH", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_IBASE - macro_create(US"_HAVE_LKUP_IBASE", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_IBASE", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_LDAP - macro_create(US"_HAVE_LKUP_LDAP", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_LDAP", US"y", FALSE, TRUE); #endif #ifdef EXPERIMENTAL_LMDB - macro_create(US"_HAVE_LKUP_LMDB", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_LMDB", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_MYSQL - macro_create(US"_HAVE_LKUP_MYSQL", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_MYSQL", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_NIS - macro_create(US"_HAVE_LKUP_NIS", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_NIS", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_NISPLUS - macro_create(US"_HAVE_LKUP_NISPLUS", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_NISPLUS", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_ORACLE - macro_create(US"_HAVE_LKUP_ORACLE", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_ORACLE", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_PASSWD - macro_create(US"_HAVE_LKUP_PASSWD", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_PASSWD", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_PGSQL - 
macro_create(US"_HAVE_LKUP_PGSQL", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_PGSQL", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_REDIS - macro_create(US"_HAVE_LKUP_REDIS", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_REDIS", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_SQLITE - macro_create(US"_HAVE_LKUP_SQLITE", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_SQLITE", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_TESTDB - macro_create(US"_HAVE_LKUP_TESTDB", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_TESTDB", US"y", FALSE, TRUE); #endif #ifdef LOOKUP_WHOSON - macro_create(US"_HAVE_LKUP_WHOSON", US"y", FALSE, TRUE); + macro_create(US"_HAVE_LOOKUP_WHOSON", US"y", FALSE, TRUE); #endif #ifdef TRANSPORT_APPENDFILE # ifdef SUPPORT_MAILDIR - macro_create(US"_HAVE_TPT_APPEND_MAILDR", US"y", FALSE, TRUE); + macro_create(US"_HAVE_TRANSPORT_APPEND_MAILDR", US"y", FALSE, TRUE); # endif # ifdef SUPPORT_MAILSTORE - macro_create(US"_HAVE_TPT_APPEND_MAILSTORE", US"y", FALSE, TRUE); + macro_create(US"_HAVE_TRANSPORT_APPEND_MAILSTORE", US"y", FALSE, TRUE); # endif # ifdef SUPPORT_MBX - macro_create(US"_HAVE_TPT_APPEND_MBX", US"y", FALSE, TRUE); + macro_create(US"_HAVE_TRANSPORT_APPEND_MBX", US"y", FALSE, TRUE); # endif #endif } void -readconf_options_from_list(optionlist * opts, unsigned nopt, uschar * group) +readconf_options_from_list(optionlist * opts, unsigned nopt, const uschar * section, uschar * group) { int i; const uschar * s; 
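Review bot: The renamed `_HAVE_TRANSPORT_APPEND_MAILDR` keeps the truncated "MAILDR" while its siblings are spelt out in full (`_HAVE_TRANSPORT_APPEND_MAILSTORE`, `_HAVE_TRANSPORT_APPEND_MBX`); `_HAVE_TRANSPORT_APPEND_MAILDIR` would match the SUPPORT_MAILDIR it reflects. These names, like the `_DRIVER_*` and `_OPT_*` renames in readconf_options_auths, route.c and transport.c, are visible to configuration files, so an existing `.ifdef _HAVE_LKUP_*` or `.ifdef _DRVR_*` test silently turns false after this change; if the old spellings have shipped in a release, the change log should say so. The function containing the macro_create calls starts outside the hunk, and readconf_options_from_list continues past it.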
@@ -878,14 +878,17 @@ macros that have substrings are always discovered first during expansion. */ for (i = 0; i < nopt; i++) if (*(s = opts[i].name) && *s != '*') - macro_create(string_sprintf("_OPT_%T_%T", group, s), US"y", FALSE, TRUE); + if (group) + macro_create(string_sprintf("_OPT_%T_%T_%T", section, group, s), US"y", FALSE, TRUE); + else + macro_create(string_sprintf("_OPT_%T_%T", section, s), US"y", FALSE, TRUE); } static void readconf_options(void) { -readconf_options_from_list(optionlist_config, nelem(optionlist_config), US"MAIN"); +readconf_options_from_list(optionlist_config, nelem(optionlist_config), US"MAIN", NULL); readconf_options_routers(); readconf_options_transports(); readconf_options_auths(); @@ -4349,12 +4352,12 @@ readconf_options_auths(void) { struct auth_info * ai; -readconf_options_from_list(optionlist_auths, optionlist_auths_size, US"AU"); +readconf_options_from_list(optionlist_auths, optionlist_auths_size, US"AUTHENTICATORS", NULL); for (ai = auths_available; ai->driver_name[0]; ai++) { - macro_create(string_sprintf("_DRVR_AUTH_%T", ai->driver_name), US"y", FALSE, TRUE); - readconf_options_from_list(ai->options, (unsigned)*ai->options_count, ai->driver_name); + macro_create(string_sprintf("_DRIVER_AUTHENTICATOR_%T", ai->driver_name), US"y", FALSE, TRUE); + readconf_options_from_list(ai->options, (unsigned)*ai->options_count, US"AUTHENTICATOR", ai->driver_name); } } diff --git a/src/src/route.c b/src/src/route.c index 3ca1afbfb..bb220c69b 100644 --- a/src/src/route.c +++ b/src/src/route.c 
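Review bot: The new `if (group) … else …` is nested unbraced inside `if (*(s = opts[i].name) && *s != '*')`, so the `else` binds by the dangling-else rule; that is the intended binding here, but braces around the outer body would make it explicit and protect against a later edit. Since `group` is only read through `%T`, exactly like the new `section` parameter, it could be declared `const uschar *` as well for consistency.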
@@ -148,12 +148,12 @@ readconf_options_routers(void) { struct router_info * ri; -readconf_options_from_list(optionlist_routers, nelem(optionlist_routers), US"RT"); +readconf_options_from_list(optionlist_routers, nelem(optionlist_routers), US"ROUTERS", NULL); for (ri = routers_available; ri->driver_name[0]; ri++) { - macro_create(string_sprintf("_DRVR_RTR_%T", ri->driver_name), US"y", FALSE, TRUE); - readconf_options_from_list(ri->options, (unsigned)*ri->options_count, ri->driver_name); + macro_create(string_sprintf("_DRIVER_ROUTER_%T", ri->driver_name), US"y", FALSE, TRUE); + readconf_options_from_list(ri->options, (unsigned)*ri->options_count, US"ROUTER", ri->driver_name); } } diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index d7080168a..148486161 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -3512,7 +3512,7 @@ while (done <= 0) uschar *orcpt = NULL; int flags; -#if defined(SUPPORT_TLS) && defined(AUTH_TLS) +#ifdef AUTH_TLS /* Check once per STARTTLS or SSL-on-connect for a TLS AUTH */ if ( tls_in.active >= 0 && tls_in.peercert @@ -3928,7 +3928,7 @@ while (done <= 0) them in either case in the AUTH command. */ if ( auths -#if defined(SUPPORT_TLS) && defined(AUTH_TLS) +#ifdef AUTH_TLS && !sender_host_authenticated #endif && verify_check_host(&auth_advertise_hosts) == OK diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 3762c7889..2862111ab 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -83,9 +83,6 @@ functions from the OpenSSL library. */ # define EXIM_HAVE_ECDH # endif # if OPENSSL_VERSION_NUMBER >= 0x10002000L -# if OPENSSL_VERSION_NUMBER < 0x10100000L -# define EXIM_HAVE_OPENSSL_ECDH_AUTO -# endif # define EXIM_HAVE_OPENSSL_EC_NIST2NID # endif # endif 
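Review bot: Both `#ifdef AUTH_TLS` sites in smtp_in.c now rely on exim.h undefining AUTH_TLS when SUPPORT_TLS is absent, a dependency that is no longer visible at the point of use. A short comment at the first site, `/* AUTH_TLS is #undef'd by exim.h when SUPPORT_TLS is not set */`, would record why the SUPPORT_TLS test could be dropped.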
@@ -729,16 +726,32 @@ if (!expand_check(tls_eccurve, US"tls_eccurve", &exp_curve)) if (!exp_curve || !*exp_curve) return TRUE; -# ifdef EXIM_HAVE_OPENSSL_ECDH_AUTO -/* check if new enough library to support auto ECDH temp key parameter selection */ +/* "auto" needs to be handled carefully. + * OpenSSL < 1.0.2: we do not select anything, but fallback to primve256v1 + * OpenSSL < 1.1.0: we have to call SSL_CTX_set_ecdh_auto + * (openss/ssl.h defines SSL_CTRL_SET_ECDH_AUTO) + * OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection + * https://github.com/openssl/openssl/commit/fe6ef2472db933f01b59cad82aa925736935984b + */ if (Ustrcmp(exp_curve, "auto") == 0) { +#if OPENSSL_VERSION_NUMBER < 0x10002000L DEBUG(D_tls) debug_printf( - "ECDH temp key parameter settings: OpenSSL 1.2+ autoselection\n"); + "ECDH OpenSSL < 1.0.2: temp key parameter settings: overriding \"auto\" with \"prime256v1\"\n"); + exp_curve = "prime256v1"; +#else +# if defined SSL_CTRL_SET_ECDH_AUTO + DEBUG(D_tls) debug_printf( + "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n"); SSL_CTX_set_ecdh_auto(sctx, 1); return TRUE; +# else + DEBUG(D_tls) debug_printf( + "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n"); + return TRUE; +# endif +#endif } -# endif DEBUG(D_tls) debug_printf("ECDH: curve '%s'\n", exp_curve); if ( (nid = OBJ_sn2nid (CCS exp_curve)) == NID_undef diff --git a/src/src/transport.c b/src/src/transport.c index 8381913fc..c48f1575b 100644 --- a/src/src/transport.c +++ b/src/src/transport.c 
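Review bot: `exp_curve = "prime256v1";` assigns a plain `char` string literal to a pointer the surrounding code treats as `uschar *` (see `CCS exp_curve` in the OBJ_sn2nid call and `US"..."` elsewhere in the file), which draws an incompatible-pointer-type warning; it should be `exp_curve = US"prime256v1";`. The version split also hinges on `SSL_CTRL_SET_ECDH_AUTO` being undefined on 1.1.0; if the 1.1.0 headers keep that macro for API compatibility (the referenced OpenSSL commit describes the ctrl becoming a no-op rather than disappearing), the "1.0.2+" branch and its debug text are what gets compiled on 1.1.0 too, so an `OPENSSL_VERSION_NUMBER < 0x10100000L` test may be the more reliable discriminator. The added comment has typos: "primve256v1", "openss/ssl.h" and "libray". The enclosing function starts and ends outside the hunk.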
@@ -116,14 +116,14 @@ readconf_options_transports(void) { struct transport_info * ti; -readconf_options_from_list(optionlist_transports, nelem(optionlist_transports), US"TP"); +readconf_options_from_list(optionlist_transports, nelem(optionlist_transports), US"TRANSPORTS", NULL); for (ti = transports_available; ti->driver_name[0]; ti++) { - macro_create(string_sprintf("_DRVR_TPT_%T", ti->driver_name), US"y", FALSE, TRUE); - readconf_options_from_list(ti->options, (unsigned)*ti->options_count, ti->driver_name); + macro_create(string_sprintf("_DRIVER_TRANSPORT_%T", ti->driver_name), US"y", FALSE, TRUE); + readconf_options_from_list(ti->options, (unsigned)*ti->options_count, US"TRANSPORT", ti->driver_name); } -} +} /************************************************* * Initialize transport list * diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index d04dfc200..527142967 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -285,10 +285,11 @@ static uschar *rf_names[] = { US"NEVER", US"SUCCESS", US"FAILURE", US"DELAY" }; /* Local statics */ -static uschar *smtp_command; /* Points to last cmd for error messages */ -static uschar *mail_command; /* Points to MAIL cmd for error messages */ -static BOOL update_waiting; /* TRUE to update the "wait" database */ -static BOOL pipelining_active; /* current transaction is in pipe mode */ +static uschar *smtp_command; /* Points to last cmd for error messages */ +static uschar *mail_command; /* Points to MAIL cmd for error messages */ +static uschar *data_command = US""; /* Points to DATA cmd for error messages */ +static BOOL update_waiting; /* TRUE to update the "wait" database */ +static BOOL pipelining_active; /* current transaction is in pipe mode */ /************************************************* 
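Review bot: The `-}`/`+}` pair closing readconf_options_transports differs only in whitespace, which looks like trailing whitespace being added to an otherwise untouched line; dropping that change keeps the diff to the intended renames.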
@@ -1390,10 +1391,14 @@ uschar * buffer = tctx->buffer; /* Write SMTP chunk header command */ if (chunk_size > 0) + { if((cmd_count = smtp_write_command(tctx->outblock, FALSE, "BDAT %u%s\r\n", chunk_size, flags & tc_chunk_last ? " LAST" : "") ) < 0) return ERROR; + if (flags & tc_chunk_last) + data_command = string_copy(big_buffer); /* Save for later error message */ + } prev_cmd_count = cmd_count += tctx->cmd_count; @@ -2509,6 +2514,7 @@ if ( !(peer_offered & PEER_OFFERED_CHUNKING) default: goto RESPONSE_FAILED; /* I/O error, or any MAIL/DATA error */ } pipelining_active = FALSE; + data_command = string_copy(big_buffer); /* Save for later error message */ } /* If there were no good recipients (but otherwise there have been no @@ -2732,7 +2738,7 @@ else #else "LMTP error after %s: %s", #endif - big_buffer, string_printing(buffer)); + data_command, string_printing(buffer)); setflag(addr, af_pass_message); /* Allow message to go to user */ if (buffer[0] == '5') addr->transport_return = FAIL; |
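Review bot: `data_command` is a file-scope static initialised to `US""` and is only refreshed after a successful DATA response (the @@ -2509 hunk) or when the BDAT carrying `tc_chunk_last` is written (the @@ -1390 hunk); on a connection delivering several messages, a failure reached before either assignment would quote the previous message's command in the `"… error after %s: %s"` log line. Resetting it at the start of each message (`data_command = US"";`) or documenting its lifetime on the declaration would avoid a misleading message. The `string_copy` result is presumably only valid while its store pool lives — a comment at the assignment recording that assumption would help. The enclosing functions start and end outside these hunks.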