summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2021-05-27SECURITY: refuse too small store allocationsPhil Pennock
Negative sizes are definitely bad. Optimistically, I'm saying that zero is bad too. But perhaps we have something doing that, expecting to be able to grow. In which case we'll have to amend this. (cherry picked from commit 1c9afcec0043e2fb72607b2addb0613763705549) (cherry picked from commit 6f5d7e5af8eff688c36f81334e4f063689561963)
2021-05-27SECURITY: fix Qualys CVE-2020-PFPZAPhil Pennock
(cherry picked from commit 29d7a8c25f182c91d5d30f124f9e296dce5c018e) (cherry picked from commit 0a6a7a3fd8464bae9ce0cf889e8eeb0bf0bab756)
2021-05-27SECURITY: fix Qualys CVE-2020-PFPSNPhil Pennock
(cherry picked from commit 93b6044e1636404f3463f3e1113098742e295542) (cherry picked from commit 4e59a5d5c448e1fcdcbead268ffe6561adf0224d)
2021-05-27SECURITY: fix Qualys CVE-2020-SLCWDPhil Pennock
(cherry picked from commit bf5f9d56fadf9be8d947f141d31f7e0e8fa63762) (cherry picked from commit 6d2cfb575c95c1b81597d6b9eb2904cd695d7e4a)
2021-05-27SECURITY: pick up more argv length checksPhil Pennock
(cherry picked from commit f28a6a502c7973d8844d11d4b0990d4b0359fb3f) (cherry picked from commit 7a7136ba7f5c2db33c7e320ffd4675335c4557e5)
2021-05-27SECURITY: length limits on many cmdline optionsPhil Pennock
We'll also now abort upon, rather than silently truncate, a driver name (router, transport, ACL, etc) encountered in the config which is longer than the 64-char limit. (cherry picked from commit ff8bef9ae2370db4a7873fe2ce573a607fe6999f) (cherry picked from commit a8bd24b96c2027fd839f95a9e6b3282453ae288e)
2021-05-27Re-ran the conversion of all DH parametersPhil Pennock
I get different results now to those I got before. Now, using gen_pkcs3 linked against OpenSSL 1.1.1f-1ubuntu2 on Focal Fossa, I get the results below. The ffdhe2048 value now matches that at <https://ssl-config.mozilla.org/ffdhe2048.txt>. I ran the same code yesterday for just the ffdhe2048 item and got code which seemed to me then to match what was already in the C file. Something hinky is going on, perhaps with my sanity. (the commit IDs changee because of heavy rebasing (heiko)) (cherry picked from commit 76ed8115182e2daaadb437ec9655df8000796ec5) (cherry picked from commit 0aafa26a5d3d528e79476c91537c28936154fe04)
2021-05-27gen_pkcs3: Terminate string before calling BH_hex2bn()Simon Arlott
Signed-off-by: Phil Pennock <pdp@exim.org> (cherry picked from commit 1cf66e5872d517b620c308af634e4e26e3547f06) (cherry picked from commit 48d8c54ecf9493c709d4305850877b6062f285a7)
2021-05-27Default config: reject on too many bad RCPTPhil Pennock
An example exploit failed against my system, because I had this sanity guard in place; it's not a real security fix since a careful attacker could find enough valid recipients to hit that problem, but it highlights that this is a useful enough pattern that we should encourage its wider use. (cherry picked from commit 2a636a39fff29b7c3da1798767a510dfed982a62) (cherry picked from commit 346f96bad326893f9c1fa772a5b8ac35b1f8f7bd)
2021-05-27Handle SIGINT as we do with SIGTERMHeiko Schlittermann (HS12-RIPE)
(cherry picked from commit cdc5c672e1c309294626cd5ed90acdccb05baaa1) (cherry picked from commit f9c8211fb0ad0dd362f471978a5e0abc5dfa71b4)
2021-05-27Enforce pid_file_path start at "/"Heiko Schlittermann (HS12-RIPE)
(cherry picked from commit 60f2a8e797d9ebaea1e3eac4ad28ff64e11bab40) (cherry picked from commit 6b3d553c733475a1033c8b7a241e6506d7ed73b1)
2021-05-27testsuite: tidy logs/4520 and confs/4520Heiko Schlittermann (HS12-RIPE)
This fixed 4520 failure en-passant, but I'm sure it's a timing issue here (the order of the mainlog output lines didn't exactly match the logs/4520) (cherry picked from commit 95306ca61531d9d79c5dac808a5a571158acd29c) (cherry picked from commit 0439d2e0566d64c84feaf1434e0e4a3fd8ce29b3)
2021-05-27tidyHeiko Schlittermann (HS12-RIPE)
(cherry picked from commit 7973b58af7db0fb8fddb54b366dcf43c7ce131ec) (cherry picked from commit b7e726f6ae4c6f19e7efc4e6b10ec35e5b01368c)
2021-05-25Use separate line in Received: header for timestampJeremy Harris
2021-05-18Docs: assorted fixesu34
Closes 2752 Closes 2753 Closes 2658 Closes 2659 Closes 2712 Closes 2720 Closes 2721 Closes 2722 Closes 2746 Closes 2748 Closes 2749
2021-05-18Docs: typoHeiko Schlittermann (HS12-RIPE)
2021-05-17Fix host_name_lookup (Close 2747)Heiko Schlittermann (HS12-RIPE)
Thanks to Nico R for providing a reproducing configuration. host_lookup = * message_size_limit = ${if def:sender_host_name {32M}{32M}} acl_smtp_connect = acl_smtp_connect acl_smtp_rcpt = acl_smtp_rcpt begin acl acl_smtp_connect: warn ratelimit = 256 / 1m / per_conn accept acl_smtp_rcpt: accept hosts = 127.0.0.* begin routers null: driver = accept transport = null begin transports null: driver = appendfile file = /dev/null Tested with swaks -f mailbox@example.org -t mailbox@example.org --pipe 'exim -bh 127.0.0.1 -C /opt/exim/etc/exim-bug.conf' The IP must have a PTR to "localhost." to reproduce it. (cherry picked from commit 20812729e3e47a193a21d326ecd036d67a8b2724)
2021-05-12Named Queues: fix immediate-delivery. Bug 2743Jeremy Harris
2021-05-11OpenBSD: remove redundant platform defineJeremy Harris
2021-05-11TLS DANE to multiple recipients w/ different DNSSec statusHeiko Schlittermann (HS12-RIPE)
2021-05-11Fix DANE + SNI handling (Bug 2265)Heiko Schlittermann (HS12-RIPE)
Broken in d8e99d6047e709b35eabb1395c2046100d1a1dda Thanks to JGH and Wolfgang Breyha for contributions. (cherry picked from commit e8ac8be0a3d56ba0a189fb970c339ac6e84769be)
2021-05-08DNS: Better handling of SOA when negative-caching lookupsJeremy Harris
2021-05-05wipJeremy Harris
2021-05-04Debug: output dmarc library versionJeremy Harris
2021-05-04Fix ${ipv6norm:}Jeremy Harris
2021-04-27Docs: typo. Closes 2713Heiko Schlittermann (HS12-RIPE)
2021-04-25tidyingJeremy Harris
2021-04-25Testsuite: tidyingJeremy Harris
2021-04-25Taint: enforce untainted ACL text lineJeremy Harris
2021-04-21Fix time usage on non-subtick-resolution platformsSimon Arlott
2021-04-18Docs: note caching of auto-generated server certificateJeremy Harris
2021-04-18Experimental: ESMTP LIMITS extensionJeremy Harris
2021-04-18Testsuite: output changes arisingJeremy Harris
Somewhere recently (possibly 3f06b9b4c7) we stopped overwriting errno; the "Permission denied" seen now in 4520 for the ${bogus} expansion is as expected.
2021-04-16Log queue_time and queue_time_overall exclusive of receive time. Bug 2672Jeremy Harris
2021-04-14 taint: allow appendfile create_file option to specify a de-tainting safe ↵Jeremy Harris
path
2021-04-12Set mainlog_name and rejectlog_name unconditionally.Heiko Schlittermann (HS12-RIPE)
2021-04-10Logging: better tracking of continued-connection useJeremy Harris
2021-04-07Pass proxy addresses/ports to continued trasnports. Bug 2710Jeremy Harris
2021-04-07Docs: add warning note on ${listnamed:} operatorJeremy Harris
2021-04-05Docs: mention *_environment in "Misc" section"Heiko Schlittermann (HS12-RIPE)
2021-04-05Disable server-side close timing sophistication on MacOSJeremy Harris
Broken-by: 001bf8f587
2021-04-05Docs: add example for DKIM dual-signingJeremy Harris
2021-04-03TLS: harden error-detection in TLS proxy processJeremy Harris
2021-04-03Make smtp_accept_max_per_connection expandedJeremy Harris
2021-04-03testsuite: fix runtest (File::Copy used in another place)Heiko Schlittermann (HS12-RIPE)
2021-04-02build: Allow environment EXIM_RELEASE_VERSIONHeiko Schlittermann (HS12-RIPE)
This should easy automated testing where no .git directory is available (as is happens with git worktrees) Setting this environment variable makes the reversion script using it instead of searching for version.sh or using `git describe`.
2021-04-02Docs: clarify list-separator requirementsJeremy Harris
2021-04-02typoesJeremy Harris
2021-04-01testsuite: provide cp() if File::Copy is too old.Heiko Schlittermann (HS12-RIPE)
2021-03-31testsuite: use File::Copy "cp" to copy the permissions (x-bit)Heiko Schlittermann (HS12-RIPE)
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-09 06:40:52 +0000