Age | Commit message (Collapse) | Author |
|
This is gross hackery and somewhat fragile. A better method would
actuallyt compile the 'C' involved and check programmatically.
|
|
Was placed in non-alphabetical order.
|
|
Call out the dangers of use_shell in the security considerations
chapter.
Call out a number of related dangers too.
|
|
|
|
|
|
|
|
|
|
Remove SPF domain synthesis, just use HELO.
|
|
|
|
Fix a few cosmetic differences.
|
|
|
|
|
|
Changes the $more variable to just cat the changes to STDOUT and not
pipe it through less or more.
|
|
|
|
* ocsp_staple_rollup:
tidying
OCSP-stapling enhancement and testing.
|
|
|
|
Reported by Heiko Schlichting.
fixes 1345
|
|
Note that this function is never going to be called pre-fork unless the
admin is doing something highly unusual with ${randint:..} in a context
evaluated in the listening daemon. Other forks should result in a
re-exec(), thus resetting state.
Nonetheless, be more cautious, explicitly reset state.
Fix per PostgreSQL.
PS: why does OpenSSL not document RAND_cleanup() on the same page as all
the other entropy pool maintenance functions?
|
|
Work by J. Nick Koston, for cPanel, Inc.
|
|
|
|
Normally when a router redirects an address directly to a pipe command
the command option on the transport is ignored. If force_command
is set, the command option will expanded and used. This is especially
useful for forcing a wrapper or additional argument to be added to the
command.
|
|
Server:
Honor environment variable as well as running_in_test_harness in permitting bogus staplings
Update server tests
Add "-ocsp" option to client-ssl.
Server side: add verification of stapled status.
First cut server-mode ocsp testing.
Fix some uninitialized ocsp-related data.
Client (new):
Verify stapling using only the chain that verified the server cert, not any acceptable chain.
Add check for multiple responses in a stapling, which is not handled
Refuse verification on expired and revoking staplings.
Handle OCSP client refusal on lack of stapling from server.
More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
Add transport hosts_require_ocsp option.
Log stapling responses.
Start on tests for client-side.
Testing support:
Add CRL generation code and documentation update
Initial CA & certificate set for testing.
BUGFIX:
Once a single OCSP response has been extracted the validation
routine return code is no longer about the structure, but the actual
returned OCSP status.
|
|
This per Tony's suggestion; this makes it clearer that we are merely
setting resolver flags, not performing validation ourselves.
Well, clearer to those who understand DNSSEC. For everyone else,
they'll still be dependent upon a forthcoming new chapter to the
Specification.
|
|
New behaviour matches GnuTLS handling, and is documented.
Previously, a tls_verify_certificates expansion forced failure was the
only portable way to avoid setting this option. Now, an empty string is
equivalent.
|
|
Resolves:
gcc receive.c
receive.c:520: warning: 'smtp_user_msg' defined but not used
|
|
Base patch by Alain Williams.
Tweaked, to avoid putting an IPv6-dependency into the default
uncommented form, and some rewording.
Bugzilla 880.
GitHub PR #1.
|
|
|
|
Issue debugged by Todd Lyons, this fix from me.
|
|
|
|
|
|
|
|
|
|
|
|
Define SIOCGIFCONF_GIVES_ADDR in OS/os.h-GNU
Fixes 1331.
|
|
JH has made more changes than he realised. New second JH/11 to JH/13.
|
|
The router name is explicitly nulled after the router exits;
the transport name is set only in the subprocess it runs in.
|
|
|
|
Wondering why you wrote some code and having to grep the source code to find out,
in the same year that you wrote it, is generally a sign of missing information.
Fixed.
|
|
|
|
|
|
|
|
Mostly typos.
Was one instance of "which a future release of Exim will probably support"
which should already have been "which Exim now supports". Doh. Fixed
too.
|
|
|
|
Missing step for adding a new lookup noticed by Paul Gamble.
|
|
Caught by Jeremy; was wrong in (my) original commit, the dual-TLS work
had just renamed the variables and theoretically made it more visible.
I still missed it.
The server_sni context initialisation was setting the OCSP status
callback context parameter back on the original server_ctx instead of
the new server_sni context.
I guess OCSP and SNI aren't being used together in Exim much yet.
|
|
|
|
|
|
|
|
This was noticable when re-building as a non-privileged user
after installing as root; lookups/Makefile had been rebuilt
by root and when it was rebuilt again by the unprivileged user
`mv` demanded confirmation before overwriting the file.
|
|
|